From 253ad2076552c33a779e13447a2395b0ca3d150b Mon Sep 17 00:00:00 2001
From: Nelson Wang
Date: Thu, 17 Jun 2021 18:13:42 -0700
Subject: [PATCH 1/3] Pinning ansible version

---
 py23-image/centos-7/Dockerfile | 2 +-
 py23-image/centos-8/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/py23-image/centos-7/Dockerfile b/py23-image/centos-7/Dockerfile
index 4e907aff..39f03c03 100644
--- a/py23-image/centos-7/Dockerfile
+++ b/py23-image/centos-7/Dockerfile
@@ -22,4 +22,4 @@ RUN wget https://www.python.org/ftp/python/3.7.4/Python-3.7.4.tgz \
 RUN yum remove -y --setopt=tsflags=noscripts gcc openssl-devel bzip2-devel libffi-devel \
 && yum autoremove -y \
 && yum clean all
-RUN pip3 --no-cache-dir install ansible requests
\ No newline at end of file
+RUN pip3 --no-cache-dir install ansible==3.4.0 requests
\ No newline at end of file
diff --git a/py23-image/centos-8/Dockerfile b/py23-image/centos-8/Dockerfile
index afacd7d9..b7534cf4 100644
--- a/py23-image/centos-8/Dockerfile
+++ b/py23-image/centos-8/Dockerfile
@@ -26,5 +26,5 @@ RUN wget https://www.python.org/ftp/python/3.7.4/Python-3.7.4.tgz \
 RUN yum remove -y --setopt=tsflags=noscripts gcc openssl-devel bzip2-devel libffi-devel \
 && yum autoremove -y \
 && yum clean all
-RUN pip3 --no-cache-dir install ansible requests \
+RUN pip3 --no-cache-dir install ansible==3.4.0 requests \
 && pip --no-cache-dir install pyyaml requests
\ No newline at end of file
From 2ee0a0d681c8def207b13f44ae05e7ef87d8896e Mon Sep 17 00:00:00 2001
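Review bot: `requests` is left unpinned on the new `RUN pip3 --no-cache-dir install ansible==3.4.0 requests` line, so the image is still not reproducible and a rebuild can pull a different `requests` than the one that was scanned; the centos-8 hunk has the same gap on both `requests` and `pyyaml`. Pin every package on the line, e.g. `RUN pip3 --no-cache-dir install ansible==3.4.0 requests==<PINNED_VERSION>` (version to be chosen), and add a short comment above it stating why `ansible` is held at 3.4.0 so the pin is not bumped blindly later. Both files also still end without a trailing newline, which is worth fixing while the line is touched.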
From: Nelson Wang
Date: Mon, 21 Jun 2021 10:02:12 -0700
Subject: [PATCH 2/3] Updating redhat to 8.4-200.1622548483, adding --skip-dirs to trivy

---
 .circleci/config.yml | 2 +-
 .trivyignore | 6 ------
 base/debian-10/install.sh | 6 +++---
 base/debian-9/install.sh | 2 +-
 base/redhat-8/Dockerfile | 2 +-
 base/redhat-8/install.sh | 2 +-
 py23-image/debian-10/Dockerfile | 5 +++--
 py23-image/debian-9/Dockerfile | 5 +++--
 py23-image/redhat-8/Dockerfile | 5 +++--
 9 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 8609c23e..48aacbfa 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -86,7 +86,7 @@ jobs:
 mkdir -p trivy-results
 for image in ./workspace_cache/*.tar; do
 [ -e "$image" ] || continue
- ./trivy image --exit-code 1 --format template --template "@contrib/junit.tpl" -o trivy-results/`basename $image`.xml --ignore-unfixed --severity "HIGH,CRITICAL" --no-progress -i "$image"
+ ./trivy image --exit-code 1 --format template --skip-dirs "/usr/lib/python3.7/site-packages/ansible_collections" --template "@contrib/junit.tpl" -o trivy-results/`basename $image`.xml --ignore-unfixed --severity "HIGH,CRITICAL" --no-progress -i "$image"
 done
 - store_test_results:
 path: trivy-results
diff --git a/.trivyignore b/.trivyignore
index 19d7a228..7ab1600c 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,9 +1,3 @@
-# These are coming from the file below, but it's not actually installed in the container
-# /usr/lib/python3.7/site-packages/ansible_collections/netbox/netbox/poetry.lock
-CVE-2020-36242
-CVE-2020-14343
-CVE-2021-29510
-
 # Downgraded to LOW severity by the Product Security team as the packages are not actually
 # shipped with the release.
 # SPL-203200
diff --git a/base/debian-10/install.sh b/base/debian-10/install.sh
index abe40351..22c374a1 100755
--- a/base/debian-10/install.sh
+++ b/base/debian-10/install.sh
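Review bot: `--skip-dirs "/usr/lib/python3.7/site-packages/ansible_collections"` on the new trivy line suppresses every finding under the whole collections tree, which is far broader than the three lockfile-derived IDs removed from `.trivyignore` in the same commit and will also hide any genuinely vulnerable package a collection ships later. If the intent is only to drop the phantom `poetry.lock` hit, `--skip-files "/usr/lib/python3.7/site-packages/ansible_collections/netbox/netbox/poetry.lock"` keeps the rest of the tree scanned. A one-line comment above the command naming the reason for the exclusion would also help the next reader, since the explanatory comment that used to live in `.trivyignore` is deleted here.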
@@ -32,8 +32,8 @@ ln -sf /usr/share/zoneinfo/UTC /etc/localtime
 # Install utility packages
 apt-get install -y --no-install-recommends curl sudo libgssapi-krb5-2 busybox procps acl gcc make \
 libffi-dev libssl-dev make build-essential libbz2-dev \
- wget xz-utils ca-certificates zlib1g-dev python3-apt \
- p11-kit lz4
+ wget xz-utils ca-certificates zlib1g-dev python3-apt p11-kit lz4 \
+ libhogweed4=3.4.1-1+deb10u1 libgnutls30=3.6.7-4+deb10u7 libgcrypt20=1.8.4-5+deb10u1
 # Install Python and necessary packages
 PY_SHORT=${PYTHON_VERSION%.*}
@@ -65,7 +65,7 @@ cp apt_inst.cpython-37m-${ARCH}-linux-gnu.so apt_inst.so
 rm -rf /tmp/python3-apt
 # Install splunk-ansible dependencies
 cd /
-pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible jmespath --upgrade
+pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 urllib3==1.26.5 jmespath --upgrade
 # Remove tests packaged in python libs
 find /usr/lib/ -depth \( -type d -a -not -wholename '*/ansible/plugins/test' -a \( -name test -o -name tests -o -name idle_test \) \) -exec rm -rf '{}' \;
 find /usr/lib/ -depth \( -type f -a -name '*.pyc' -o -name '*.pyo' -o -name '*.a' \) -exec rm -rf '{}' \;
diff --git a/base/debian-9/install.sh b/base/debian-9/install.sh
index 1ecfd4aa..245c237b 100755
--- a/base/debian-9/install.sh
+++ b/base/debian-9/install.sh
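Review bot: the new pip line pins `urllib3==1.26.5` while `six wheel requests jmespath` stay unpinned and `--upgrade` is passed, so a future `requests` release that requires a different urllib3 range will either fail the build at resolve time or, depending on the pip version in the image, install an incompatible pair; the same line is repeated in the debian-9 and redhat-8 install.sh hunks. Pin the remaining packages alongside the others, e.g. `pip -q --no-cache-dir install six==<PINNED> wheel==<PINNED> requests==<PINNED> cryptography==3.3.2 ansible==3.4.0 urllib3==1.26.5 jmespath==<PINNED> --upgrade`. In the first hunk, exact apt pins such as `libhogweed4=3.4.1-1+deb10u1` typically stop resolving once the Debian archive publishes a newer deb10u revision and retires this one, so they need a comment recording which advisory they address and an owner for bumping them, otherwise the next rebuild fails instead of picking up the newer fix.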
@@ -65,7 +65,7 @@ cp apt_inst.cpython-35m-x86_64-linux-gnu.so apt_inst.so
 rm -rf /tmp/python3-apt
 # Install splunk-ansible dependencies
 cd /
-pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible jmespath --upgrade
+pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 urllib3==1.26.5 jmespath --upgrade
 # Remove tests packaged in python libs
 find /usr/lib/ -depth \( -type d -a -not -wholename '*/ansible/plugins/test' -a \( -name test -o -name tests -o -name idle_test \) \) -exec rm -rf '{}' \;
 find /usr/lib/ -depth \( -type f -a -name '*.pyc' -o -name '*.pyo' -o -name '*.a' \) -exec rm -rf '{}' \;
diff --git a/base/redhat-8/Dockerfile b/base/redhat-8/Dockerfile
index d2f52ea6..249c695f 100644
--- a/base/redhat-8/Dockerfile
+++ b/base/redhat-8/Dockerfile
@@ -16,7 +16,7 @@
 # the container catalog moved from registry.access.redhat.com to registry.redhat.io
 # So at some point before they deprecate the old registry we have to make sure that
 # we have access to the new registry and change where we pull the ubi image from.
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3-291
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4-200.1622548483
 LABEL name="splunk" \
 maintainer="support@splunk.com" \
diff --git a/base/redhat-8/install.sh b/base/redhat-8/install.sh
index c5e8e2a2..5e8ff0a2 100755
--- a/base/redhat-8/install.sh
+++ b/base/redhat-8/install.sh
@@ -51,7 +51,7 @@ ln -sf /usr/bin/python${PY_SHORT} /usr/bin/python
 ln -sf /usr/bin/pip${PY_SHORT} /usr/bin/pip
 # Install splunk-ansible dependencies
 cd /
-pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 jmespath --upgrade
+pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 urllib3==1.26.5 jmespath --upgrade
 # Remove tests packaged in python libs
 find /usr/lib/ -depth \( -type d -a -not -wholename '*/ansible/plugins/test' -a \( -name test -o -name tests -o -name idle_test \) \) -exec rm -rf '{}' \;
 find /usr/lib/ -depth \( -type f -a -name '*.pyc' -o -name '*.pyo' -o -name '*.a' \) -exec rm -rf '{}' \;
diff --git a/py23-image/debian-10/Dockerfile b/py23-image/debian-10/Dockerfile
index baf3d4f2..83d9aa47 100644
--- a/py23-image/debian-10/Dockerfile
+++ b/py23-image/debian-10/Dockerfile
@@ -3,8 +3,9 @@ FROM ${SPLUNK_PRODUCT}-debian-10:latest
 USER root
 RUN apt-get update -y \
- && apt-get install -y --no-install-recommends libpython-dev ansible python-pip python-requests python-jmespath python-yaml \
+ && apt-get install -y --no-install-recommends libpython-dev python-pip python-requests python-jmespath python-yaml \
 && ln -sf /usr/bin/python3.7 /usr/bin/python3 \
 && ln -sf /usr/bin/pip3.7 /usr/bin/pip3 \
 && ln -sf /usr/bin/python3.7 /usr/bin/python \
- && ln -sf /usr/bin/pip3.7 /usr/bin/pip
+ && ln -sf /usr/bin/pip3.7 /usr/bin/pip \
+ && pip3 install --upgrade ansible==3.4.0
diff --git a/py23-image/debian-9/Dockerfile b/py23-image/debian-9/Dockerfile
index 2fe9baa4..2a26b31d 100644
--- a/py23-image/debian-9/Dockerfile
+++ b/py23-image/debian-9/Dockerfile
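Review bot: the added `&& pip3 install --upgrade ansible==3.4.0` omits `--no-cache-dir`, unlike every other pip invocation in this series, so the pip download cache is baked into the layer; the same line is added in the debian-9 and redhat-8 py23 hunks. Use `&& pip3 install --no-cache-dir --upgrade ansible==3.4.0` for consistency and a smaller image. Since this hunk also drops the distro `ansible` package from the apt line (and the redhat-8 hunk drops it from the pip2 line), a comment on the new line noting that ansible is now managed by pip3 only would keep a later maintainer from reinstalling the distro package alongside it.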
@@ -3,8 +3,9 @@ FROM ${SPLUNK_PRODUCT}-debian-9:latest
 USER root
 RUN apt-get update -y \
- && apt-get install -y --no-install-recommends libpython-dev ansible python-pip python-requests python-jmespath python-yaml \
+ && apt-get install -y --no-install-recommends libpython-dev python-pip python-requests python-jmespath python-yaml \
 && ln -sf /usr/bin/python3.7 /usr/bin/python3 \
 && ln -sf /usr/bin/pip3.7 /usr/bin/pip3 \
 && ln -sf /usr/bin/python3.7 /usr/bin/python \
- && ln -sf /usr/bin/pip3.7 /usr/bin/pip
+ && ln -sf /usr/bin/pip3.7 /usr/bin/pip \
+ && pip3 install --upgrade ansible==3.4.0
diff --git a/py23-image/redhat-8/Dockerfile b/py23-image/redhat-8/Dockerfile
index 504a1df5..e84faf68 100644
--- a/py23-image/redhat-8/Dockerfile
+++ b/py23-image/redhat-8/Dockerfile
@@ -4,8 +4,9 @@ USER root
 RUN microdnf -y --nodocs update \
 && microdnf -y --nodocs install python2-pip python2-devel \
- && pip2 --no-cache-dir install requests ansible jmespath \
+ && pip2 --no-cache-dir install requests jmespath \
 && ln -sf /usr/bin/python3.7 /usr/bin/python3 \
 && ln -sf /usr/bin/pip3.7 /usr/bin/pip3 \
 && ln -sf /usr/bin/python3.7 /usr/bin/python \
- && ln -sf /usr/bin/pip3.7 /usr/bin/pip
+ && ln -sf /usr/bin/pip3.7 /usr/bin/pip \
+ && pip3 install --upgrade ansible==3.4.0
From bcd198b9b9210755221307a6b7541786bdc48b25 Mon Sep 17 00:00:00 2001
From: Nelson Wang
Date: Mon, 21 Jun 2021 10:41:05 -0700
Subject: [PATCH 3/3] Adding keys.openpgp.org keyserver

---
 .circleci/config.yml | 2 +-
 base/debian-9/install.sh | 3 ++-
 base/redhat-8/install.sh | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 48aacbfa..79ec6a5c 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -86,7 +86,7 @@ jobs:
 mkdir -p trivy-results
 for image in ./workspace_cache/*.tar; do
 [ -e "$image" ] || continue
- ./trivy image --exit-code 1 --format template --skip-dirs "/usr/lib/python3.7/site-packages/ansible_collections" --template "@contrib/junit.tpl" -o trivy-results/`basename $image`.xml --ignore-unfixed --severity "HIGH,CRITICAL" --no-progress -i "$image"
+ ./trivy image --exit-code 1 --format template --vuln-type os --template "@contrib/junit.tpl" -o trivy-results/`basename $image`.xml --ignore-unfixed --severity "HIGH,CRITICAL" --no-progress -i "$image"
 done
 - store_test_results:
 path: trivy-results
diff --git a/base/debian-9/install.sh b/base/debian-9/install.sh
index 245c237b..7c074cc8 100755
--- a/base/debian-9/install.sh
+++ b/base/debian-9/install.sh
@@ -39,7 +39,8 @@ PY_SHORT=${PYTHON_VERSION%.*}
 wget -O /tmp/python.tgz https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz
 wget -O /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz.asc
 apt-get install dirmngr -y
-gpg --keyserver pool.sks-keyservers.net --recv-keys $PYTHON_GPG_KEY_ID \
+gpg --keyserver keys.openpgp.org --recv-keys $PYTHON_GPG_KEY_ID \
+ || gpg --keyserver pool.sks-keyservers.net --recv-keys $PYTHON_GPG_KEY_ID \
 || gpg --keyserver pgp.mit.edu --recv-keys $PYTHON_GPG_KEY_ID \
 || gpg --keyserver keyserver.pgp.com --recv-keys $PYTHON_GPG_KEY_ID
 gpg --verify /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc /tmp/python.tgz
diff --git a/base/redhat-8/install.sh b/base/redhat-8/install.sh
index 5e8ff0a2..a07494d2 100755
--- a/base/redhat-8/install.sh
+++ b/base/redhat-8/install.sh
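Review bot: `--vuln-type os` on the new trivy line turns off library scanning entirely, so the pip-installed packages this same series pins for security reasons (`ansible`, `urllib3`, `cryptography`) are no longer covered by the CI gate at all, and the JUnit report will silently stop listing them. If the goal is only to silence the lockfile-derived finding under `ansible_collections`, keep the default vulnerability types and exclude just that path with `--skip-files`, or list the specific IDs in `.trivyignore` with a comment explaining them. At minimum, record next to this command that language-package findings are intentionally out of scope so the gap is a known decision rather than an accident.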
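Review bot: the new first hop `gpg --keyserver keys.openpgp.org --recv-keys $PYTHON_GPG_KEY_ID` may fail over silently on this base: keys.openpgp.org serves keys with user IDs stripped unless the owner verified the address, and GnuPG releases before 2.2.17 refuse to import a key without user IDs, so unless the image's gpg is newer than that the chain will fall through to the SKS pool exactly as before (worth confirming against the gpg version actually installed); the redhat-8 hunk is identical. Independently of the keyserver, the fetch is only as strong as `$PYTHON_GPG_KEY_ID`, which should be the full 40-hex fingerprint rather than a short key ID, and the following `gpg --verify` must abort the build on failure — if this script does not run under `set -e`, make it `gpg --verify /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc /tmp/python.tgz || exit 1`. Keeping the expected fingerprint in a comment beside the variable would make the trust anchor reviewable.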
@@ -35,7 +35,8 @@ microdnf -y --nodocs update gnutls kernel-headers librepo libnghttp2 tzdata nett
 PY_SHORT=${PYTHON_VERSION%.*}
 wget -O /tmp/python.tgz https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz
 wget -O /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz.asc
-gpg --keyserver pool.sks-keyservers.net --recv-keys $PYTHON_GPG_KEY_ID \
+gpg --keyserver keys.openpgp.org --recv-keys $PYTHON_GPG_KEY_ID \
+ || gpg --keyserver pool.sks-keyservers.net --recv-keys $PYTHON_GPG_KEY_ID \
 || gpg --keyserver pgp.mit.edu --recv-keys $PYTHON_GPG_KEY_ID \
 || gpg --keyserver keyserver.pgp.com --recv-keys $PYTHON_GPG_KEY_ID
 gpg --verify /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc /tmp/python.tgz