authorPawel Wieczorek <p.wieczorek2@samsung.com>2020-08-07 11:53:39 +0200
committerPawel Wieczorek <p.wieczorek2@samsung.com>2020-08-28 15:51:33 +0200
commit66eefb845990d01c0296074eabdad3a5ad86281a (patch)
tree545106229cb08e857ef3e6b302c63c07b7d18a73 /security/docker
parent6cfab47316074ff18faf94d25432ea320b280e04 (diff)
Add SECCOM-recommended version check in security tests
Issue-ID: INT-1571 Change-Id: Icd215ad5b49dcbf34eb46b973676f5141b589f83 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'security/docker')
-rw-r--r--security/docker/Dockerfile15
-rw-r--r--security/docker/testcases.yaml10
2 files changed, 24 insertions, 1 deletions
diff --git a/security/docker/Dockerfile b/security/docker/Dockerfile
index e38f565..a31ab64 100644
--- a/security/docker/Dockerfile
+++ b/security/docker/Dockerfile
@@ -1,3 +1,9 @@
+FROM golang:1.13 AS build_yq
+WORKDIR /go/src/github.com/mikefarah/
+RUN git clone https://github.com/mikefarah/yq.git --depth 1
+WORKDIR /go/src/github.com/mikefarah/yq
+RUN CGO_ENABLED=0 go install -a -ldflags '-w -s -extldflags "-static"'
+
FROM golang:1.13 AS build_aqua
WORKDIR /go/src/github.com/aquasecurity/
RUN git clone https://github.com/aquasecurity/kube-bench.git --depth 1
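Review bot: The `git clone https://github.com/mikefarah/yq.git --depth 1` in the new build_yq stage clones the upstream default branch with no tag or commit pin, so the yq binary baked into the image, and therefore the CLI that check_versions.sh gets, is whatever upstream holds on the day of the build, and nothing verifies what is compiled. Pin the clone to a release, e.g. `RUN git clone --depth 1 --branch <yq-release-tag> https://github.com/mikefarah/yq.git`, or check out a known commit SHA after cloning, so rebuilds are reproducible and a breaking or compromised upstream change cannot silently enter the image. The existing kube-bench clone in the next stage has the same exposure and could be pinned the same way, but that is outside this commit's change.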
@@ -27,23 +33,29 @@ COPY scripts/check_security_root.sh /check_security_root.sh
COPY scripts/root_pods_xfail.txt /root_pods_xfail.txt
COPY scripts/check_unlimitted_pods.sh /check_unlimitted_pods.sh
COPY scripts/check_cis_kubernetes.sh /check_cis_kubernetes.sh
+COPY scripts/check_versions.sh /check_versions.sh
+COPY --from=build_yq /go/bin/yq /usr/local/bin/yq
COPY --from=build_aqua /go/bin/kube-bench /usr/local/bin/kube-bench
COPY --from=build_aqua /go/src/github.com/aquasecurity/kube-bench/cfg/ /cfg/
COPY --from=build_onap /go/bin/sslendpoints /usr/local/bin/sslendpoints
RUN set -x && \
apk --no-cache add --update curl ca-certificates openssl procps util-linux \
- nmap nmap-scripts && \
+ nmap nmap-scripts jq && \
apk --no-cache add --virtual .build-deps --update \
python3-dev linux-headers gcc musl-dev && \
chmod +x /usr/local/bin/kubectl && \
git clone --depth 1 https://github.com/aquasecurity/kube-hunter.git /kube-hunter && \
+ mkdir /check_versions && \
adduser kubectl -Du 2342 -h /config && \
wget https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VERSION}-linux-amd64.tar.gz -O - | tar -xzO linux-amd64/helm > /usr/local/bin/helm && \
wget -O /check_for_nonssl_endpoints.sh https://git.onap.org/integration/plain/test/security/check_for_nonssl_endpoints.sh?h=$ONAP_TAG &&\
wget -O /check_for_jdwp.sh https://git.onap.org/integration/plain/test/security/check_for_jdwp.sh?h=$ONAP_TAG &&\
wget -O /jdwp_xfail.txt https://git.onap.org/integration/plain/test/security/jdwp_xfail.txt?h=$ONAP_TAG &&\
wget -O /nonssl_xfail.txt https://git.onap.org/integration/plain/test/security/nonssl_xfail.txt?h=$ONAP_TAG &&\
+ wget -O /check_versions/k8s_bin_versions_inspector.py https://git.onap.org/integration/plain/test/security/check_versions/src/k8s_bin_versions_inspector.py?h=$ONAP_TAG &&\
+ wget -O /check_versions/requirements.txt https://git.onap.org/integration/plain/test/security/check_versions/env/requirements.txt?h=$ONAP_TAG &&\
+ wget -O /check_versions/recommended_versions.yaml https://git.onap.org/integration/seccom/plain/recommended_versions.yaml?h=$ONAP_TAG &&\
chmod +x /usr/local/bin/helm && \
chmod +x /usr/local/bin/kube-bench && \
chmod +x /usr/local/bin/sslendpoints && \
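Review bot: `recommended_versions.yaml`, the policy the new test enforces, is fetched from the separate seccom repository with `?h=$ONAP_TAG`, the ref used for the integration repository; if seccom does not carry a ref of that name the `wget` fails and the build stops, and if `$ONAP_TAG` is a branch rather than a tag the policy and the inspector script are not pinned at all (whether seccom is tagged in step with integration is not visible here, so worth confirming). None of the three new downloads has an integrity check, and `k8s_bin_versions_inspector.py` is presumably executed by check_versions.sh at test time, so consider recording its digest next to the fetch, e.g. `echo "<sha256>  /check_versions/k8s_bin_versions_inspector.py" | sha256sum -c`, or fetching by commit id instead of by ref. The RUN chain these lines belong to starts and ends outside the hunk.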
@@ -52,6 +64,7 @@ RUN set -x && \
pip3 install --no-cache-dir \
git+https://gitlab.com/Orange-OpenSource/lfn/onap/integration/xtesting.git@$ONAP_TESTS_TAG#subdirectory=security && \
cd /kube-hunter && pip3 install -r /kube-hunter/requirements.txt && \
+ pip3 install -r /check_versions/requirements.txt && \
apk del .build-deps
COPY docker/testcases.yaml /usr/lib/python3.8/site-packages/xtesting/ci/testcases.yaml
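Review bot: The new `pip3 install -r /check_versions/requirements.txt` omits `--no-cache-dir`, unlike the xtesting install two lines above, so pip's download cache is left in this layer; change it to `pip3 install --no-cache-dir -r /check_versions/requirements.txt && \`. The packages also land in the same system site-packages as kube-hunter's and xtesting's dependencies, so a conflicting pin in requirements.txt may, depending on the pip version in the base image, silently overwrite a dependency one of the other tools needs; a `pip3 check` at the end of the chain would surface that at build time. The RUN chain starts outside the hunk.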
diff --git a/security/docker/testcases.yaml b/security/docker/testcases.yaml
index 6b9d482..92b270d 100644
--- a/security/docker/testcases.yaml
+++ b/security/docker/testcases.yaml
@@ -72,3 +72,13 @@ tiers:
Check k8s CVE.
run:
name: 'kube_hunter'
+ -
+ case_name: versions
+ project_name: security
+ criteria: 100
+ blocking: false
+ description: >-
+ Check that Java and Python are available only in versions
+ recommended by SECCOM
+ run:
+ name: 'versions'
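Review bot: The new case is registered with `blocking: false`, so a version outside the SECCOM recommendation is reported but does not fail the security tier; if that is deliberate for the first rollout, a comment stating it would save the next reader from guessing, e.g. `# non-blocking until the SECCOM version policy is enforced project-wide`. The description names Java and Python only, while this commit's Dockerfile fetches `k8s_bin_versions_inspector.py` and `recommended_versions.yaml`; a description that points at the policy file, e.g. `Check that Java and Python versions match SECCOM's recommended_versions.yaml`, would tie the entry to what actually runs. `run: name: 'versions'` must match a runner registered in the xtesting security package installed at `$ONAP_TESTS_TAG`; that registration is not visible here.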