conjur-debify 3.0.3.pre.145 → 3.0.3.pre.248

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 749d66a8a64cbc22abc88af81e4f1851ee888d178c875d8c384da86e9c84a472
-  data.tar.gz: 7d0713e5b38339ce6ac39d4c6714593d00ace8f6515e8c8d3f5b0914a2a14d48
+  metadata.gz: dee5ebc68d4c02c548b5f419b373ade1fbfcaf0270333df348ba8ca3df15b1ea
+  data.tar.gz: cf726fa0b7bc1d818f8fac867fbdbdf0f23820f8c812065f283ab84a4f5ca9fe
 SHA512:
-  metadata.gz: '07198fe9a64df0947c30bf59ec95af4c63ca81abbfc7dff9d46188b480f21e373bbcccdd84ff3be97b0c37d41db7dd4f05f34ed82376de62f28206c23423c2b0'
-  data.tar.gz: 2ac3dc9e0bbda1d32a046fcd376f5b8aabf24df4b1a09695a3300e935e3d4ed8ab301e0cf6ae8a1af12c8de84554375b9971d92deec45011fc1e67f357e41314
+  metadata.gz: c942a9241ea475dc79bc7d89e3b66f0ab9d8d7f21a4d610b142869852328dadfe6bf008ff11666ca9a2d9a38961c1de77a1ed0326523ad06e08569d96b93ae65
+  data.tar.gz: 589b532b54bd9a5639d85f88da084e39e24affd765b6dfe9fe02907364c836d4f4a90cf1f513b5fdb048680af83ddac212e40ad2ac819039bfd40d866a0c7801

data/Dockerfile

@@ -2,7 +2,7 @@ FROM ruby:3.2
 
 RUN apt-get update -qq && \
     apt-get upgrade -qqy && \
-    apt-get install -qqy \
+    apt-get install --no-install-recommends -qqy \
     apt-transport-https \
     ca-certificates \
     curl && \
@@ -10,7 +10,7 @@ RUN apt-get update -qq && \
     rm -rf /var/lib/apt/lists/*
 
 # Install Docker client tools
-ENV DOCKERVERSION=27.0.3
+ENV DOCKERVERSION=27.2.1
 RUN curl -fsSLO https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKERVERSION}.tgz \
   && tar xzvf docker-${DOCKERVERSION}.tgz --strip 1 \
                  -C /usr/local/bin docker/docker \

data/Jenkinsfile

@@ -1,5 +1,10 @@
 #!/usr/bin/env groovy
 
+@Library("product-pipelines-shared-library") _
+
+def productName = 'Debify'
+def productTypeName = 'Conjur Internal'
+
 // Automated release, promotion and dependencies
 properties([
   // Include the automated release parameters for the build
@@ -16,6 +21,33 @@ if (params.MODE == "PROMOTE") {
     // Any publishing of targetVersion artifacts occur here
     // Anything added to assetDirectory will be attached to the Github Release
 
+    env.INFRAPOOL_PRODUCT_NAME = "${productName}"
+    env.INFRAPOOL_DD_PRODUCT_TYPE_NAME = "${productTypeName}"
+
+    def scans = [:]
+
+    scans["AMD64"] = {
+      stage("Scan Docker image (AMD64 based)") {
+        runSecurityScans(infrapool,
+          image: "registry.tld/conjurinc/debify:${sourceVersion}-amd64",
+          buildMode: params.MODE,
+          branch: env.BRANCH_NAME,
+          architecure: 'linux/amd64')
+      }
+    }
+
+    scans["ARM64"] = {
+      stage("Scan Docker image (ARM64 based)") {
+        runSecurityScans(infrapool,
+          image: "registry.tld/conjurinc/debify:${sourceVersion}-arm64",
+          buildMode: params.MODE,
+          branch: env.BRANCH_NAME,
+          architecure: 'linux/arm64')
+      }
+    }
+
+    parallel(scans)
+
     //Note: assetDirectory is on the infrapool agent, not the local Jenkins agent.
     infrapool.agentSh './publish-rubygem.sh'
   }
@@ -38,6 +70,10 @@ pipeline {
   environment {
     // Sets the MODE to the specified or autocalculated value as appropriate
     MODE = release.canonicalizeMode()
+
+    // Values to direct scan results to the right place in DefectDojo
+    INFRAPOOL_PRODUCT_NAME = "${productName}"
+    INFRAPOOL_DD_PRODUCT_TYPE_NAME = "${productTypeName}"
   }
 
   stages {
@@ -103,82 +139,77 @@ pipeline {
         }
       }
     }
-    stage('Scan Docker image') {
+    stage('Push Docker image') {
       parallel {
-        stage('Scan Docker image for fixable issues (AMD64 based)') {
-          steps{
-            script {
-              VERSION = INFRAPOOL_EXECUTORV2_AGENT_0.agentSh(returnStdout: true, script: 'cat VERSION')
-            }
-            scanAndReport(INFRAPOOL_EXECUTORV2_AGENT_0, "debify:${VERSION}", "HIGH", false)
-          }
-        }
-        stage('Scan Docker image for all issues (AMD64 based)') {
-          steps{
-            script {
-              VERSION = INFRAPOOL_EXECUTORV2_AGENT_0.agentSh(returnStdout: true, script: 'cat VERSION')
-            }
-            scanAndReport(INFRAPOOL_EXECUTORV2_AGENT_0, "debify:${VERSION}", "NONE", true)
-          }
-        }
-        stage('Scan Docker image for fixable issues (ARM64 based)') {
-          steps{
+        stage('Push AMD64 image') {
+          steps {
             script {
-              VERSION = INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh(returnStdout: true, script: 'cat VERSION')
+              INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './push-image.sh amd64'
             }
-            scanAndReport(INFRAPOOL_EXECUTORV2ARM_AGENT_0, "debify:${VERSION}", "HIGH", false)
           }
         }
-        stage('Scan Docker image for all issues (ARM64 based)') {
-          steps{
+
+        stage('Push ARM64 image') {
+          steps {
             script {
-              VERSION = INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh(returnStdout: true, script: 'cat VERSION')
+              INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh './push-image.sh arm64'
             }
-            scanAndReport(INFRAPOOL_EXECUTORV2ARM_AGENT_0, "debify:${VERSION}", "NONE", true)
           }
         }
       }
     }
 
-    stage('Run feature tests') {
+    stage('Push Docker manifest with multi-arch') {
       steps {
         script {
-          INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './test.sh'
-          INFRAPOOL_EXECUTORV2_AGENT_0.agentStash name: 'test-results', includes: 'features/reports/*.xml'
+          INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './push-manifest.sh'
         }
       }
-      post { always {
-        unstash 'test-results'
-        junit 'features/reports/*.xml'
-      }}
     }
-
-    stage('Push Docker image') {
+    stage('Scan Docker image') {
       parallel {
-        stage('Push AMD64 image') {
-          steps {
+        stage('Scan Docker image (AMD64 based)') {
+          steps{
             script {
-              INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './push-image.sh amd64'
+              // Take the first value of the image-tags output
+              VERSION = INFRAPOOL_EXECUTORV2_AGENT_0.agentSh(returnStdout: true, script: './image-tags | cut -d" " -f1')
             }
+            runSecurityScans(INFRAPOOL_EXECUTORV2_AGENT_0,
+              image: "registry.tld/conjurinc/debify:${VERSION}",
+              buildMode: MODE,
+              branch: env.BRANCH_NAME,
+              arch: "linux/amd64"
+            )
           }
         }
-
-        stage('Push ARM64 image') {
-          steps {
+        stage('Scan Docker image (ARM64 based)') {
+          steps{
             script {
-              INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh './push-image.sh arm64'
+              // Take the first value of the image-tags output
+              VERSION = INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh(returnStdout: true, script: './image-tags | cut -d" " -f1')
             }
+            runSecurityScans(INFRAPOOL_EXECUTORV2ARM_AGENT_0,
+              image: "registry.tld/conjurinc/debify:${VERSION}",
+              buildMode: MODE,
+              branch: env.BRANCH_NAME,
+              arch: "linux/arm64"
+            )
           }
         }
       }
     }
 
-    stage('Push Docker manifest with multi-arch') {
+    stage('Run feature tests') {
       steps {
         script {
-          INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './push-manifest.sh'
+          INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './test.sh'
+          INFRAPOOL_EXECUTORV2_AGENT_0.agentStash name: 'test-results', includes: 'features/reports/*.xml'
         }
       }
+      post { always {
+        unstash 'test-results'
+        junit 'features/reports/*.xml'
+      }}
     }
 
     stage('Release') {
@@ -216,4 +247,4 @@ pipeline {
       releaseInfraPoolAgent()
     }
   }
-}
+}

data/VERSION

@@ -1 +1 @@
-3.0.3-145
+3.0.3-248

data/distrib/secrets.yml

@@ -1,2 +1,4 @@
+# This are used by summon, these are not hardcoded credentials
+#kics-scan disable=487f4be7-3fd9-4506-a07a-eae252180c08
 ARTIFACTORY_USER: !var ci/artifactory/users/jenkins/username
 ARTIFACTORY_PASSWORD: !var ci/artifactory/users/jenkins/password

data/kics.config

@@ -0,0 +1,10 @@
+exclude-queries:
+- b03a748a-542d-44f4-bb86-9199ab4fd2d5 # Healthcheck Instruction Missing - it is just a tool, not a container that needs to be healthy
+- 698ed579-b239-4f8f-a388-baa4bcb13ef8 # Healthcheck Not Set - it is just a tool, not a container that needs to be healthy
+- fd54f200-402c-4333-a5a4-36ef6709af2f # Missing User Instruction
+- f45ea400-6bbe-4501-9fc7-1c3d75c32067 # Image Version Using 'latest'
+- 965a08d7-ef86-4f14-8792-4a3b2098937e # Apt Get Install Pin Version Not Defined
+# The following files are used in CI or present as an example only.
+exclude-paths:
+- "debify/example/docker-compose.yml"
+- "debify/lib/conjur/publish/Dockerfile" # Only used for publishing the image in pipeline

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-debify
 version: !ruby/object:Gem::Version
-  version: 3.0.3.pre.145
+  version: 3.0.3.pre.248
 platform: ruby
 authors:
 - CyberArk Software, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-07-17 00:00:00.000000000 Z
+date: 2024-12-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gli
@@ -212,6 +212,7 @@ files:
 - features/support/world.rb
 - features/test.feature
 - image-tags
+- kics.config
 - lib/conjur/debify.rb
 - lib/conjur/debify/Dockerfile.fpm
 - lib/conjur/debify/action/publish.rb
@@ -251,7 +252,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.4.19
 signing_key: 
 specification_version: 4
 summary: Utility commands to build and package Conjur services as Debian packages