From b6ed93c6d5cecf3de26a81348723424709f8b3e5 Mon Sep 17 00:00:00 2001
From: Joyce Quach
Date: Fri, 22 Nov 2024 13:56:34 -0500
Subject: [PATCH] Update NeuVector mapper expected output JSON files

Signed-off-by: Joyce Quach
---
 .../neuvector-hdf-mitre-caldera.json | 100 +++++++++++++++++-
 .../neuvector-hdf-mitre-heimdall.json | 73 ++++++++++++-
 .../neuvector-hdf-mitre-heimdall2.json | 71 ++++++++++++-
 .../neuvector/neuvector-hdf-mitre-vulcan.json | 71 ++++++++++++-
 .../neuvector-hdf-withraw-mitre-caldera.json | 100 +++++++++++++++++-
 .../neuvector-hdf-withraw-mitre-heimdall.json | 73 ++++++++++++-
 ...neuvector-hdf-withraw-mitre-heimdall2.json | 71 ++++++++++++-
 .../neuvector-hdf-withraw-mitre-vulcan.json | 71 ++++++++++++-
 8 files changed, 598 insertions(+), 32 deletions(-)

diff --git a/test/sample_data/neuvector/neuvector-hdf-mitre-caldera.json b/test/sample_data/neuvector/neuvector-hdf-mitre-caldera.json
index d62680736..1bdc883e7 100644
--- a/test/sample_data/neuvector/neuvector-hdf-mitre-caldera.json
+++ b/test/sample_data/neuvector/neuvector-hdf-mitre-caldera.json
@@ -1,15 +1,20 @@
 {
 "platform": {
 "name": "Heimdall Tools",
- "release": "2.10.18"
+ "release": "2.10.19"
 },
- "version": "2.10.18",
+ "version": "2.10.19",
 "statistics": {},
 "profiles": [
 {
 "name": "NeuVector Scan",
 "title": "https://registry.hub.docker.com/mitre/caldera:latest - Digest: sha256:7dea2536cb13b2f316dad50d74dadc979d812520a7234ddbdfd84e81ef06901d - Image ID: 62532e388bdaa6d918c2c2d5c970157795a246a12784103f08289e29a2285e94",
- "supports": [],
+ "supports": [
+ {
+ "platform-name": "ubuntu",
+ "release": "20"
+ }
+ ],
 "attributes": [],
 "groups": [],
 "status": "loaded",
@@ -125065,9 +125070,96 @@ "start_time": "" } ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "true", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "ENTRYPOINT [\"python3\" \"server.py\"]\nEXPOSE map[7012/tcp:{}]\nEXPOSE map[7011/udp:{}]\nEXPOSE map[7010/tcp:{}]\nEXPOSE map[8888/tcp:{}]\nADD . . # buildkit\nRUN pip3 install --no-cache-dir -r requirements.txt # buildkit\nADD requirements.txt . # buildkit\nRUN if [ \"$WIN_BUILD\" = \"true\" ] ; then apt-get -y install mingw-w64; fi # buildkit\nARG WIN_BUILD=false\nRUN apt-get update && apt-get -y install python3 python3-pip golang git # buildkit\nWORKDIR /usr/src/app\nRUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone # buildkit\nARG TZ=UTC\nCMD [\"bash\"]\nADD file:524e8d93ad65f08a0cb0d144268350186e36f508006b05b8faf2e1289499b59f in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.1", + "id": "I.4.1", + "desc": "Ensure a user for the container has been created", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "ENTRYPOINT [\"python3\" \"server.py\"]\nEXPOSE map[7012/tcp:{}]\nEXPOSE map[7011/udp:{}]\nEXPOSE map[7010/tcp:{}]\nEXPOSE map[8888/tcp:{}]\nADD . . # buildkit\nRUN pip3 install --no-cache-dir -r requirements.txt # buildkit\nADD requirements.txt . 
# buildkit\nRUN if [ \"$WIN_BUILD\" = \"true\" ] ; then apt-get -y install mingw-w64; fi # buildkit\nARG WIN_BUILD=false\nRUN apt-get update && apt-get -y install python3 python3-pip golang git # buildkit\nWORKDIR /usr/src/app\nRUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone # buildkit\nARG TZ=UTC\nCMD [\"bash\"]\nADD file:524e8d93ad65f08a0cb0d144268350186e36f508006b05b8faf2e1289499b59f in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.9", + "id": "I.4.9", + "desc": "Ensure that COPY is used instead of ADD in Dockerfiles", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "ENTRYPOINT [\"python3\" \"server.py\"]\nEXPOSE map[7012/tcp:{}]\nEXPOSE map[7011/udp:{}]\nEXPOSE map[7010/tcp:{}]\nEXPOSE map[8888/tcp:{}]\nADD . . # buildkit\nRUN pip3 install --no-cache-dir -r requirements.txt # buildkit\nADD requirements.txt . 
# buildkit\nRUN if [ \"$WIN_BUILD\" = \"true\" ] ; then apt-get -y install mingw-w64; fi # buildkit\nARG WIN_BUILD=false\nRUN apt-get update && apt-get -y install python3 python3-pip golang git # buildkit\nWORKDIR /usr/src/app\nRUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone # buildkit\nARG TZ=UTC\nCMD [\"bash\"]\nADD file:524e8d93ad65f08a0cb0d144268350186e36f508006b05b8faf2e1289499b59f in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.6", + "id": "I.4.6", + "desc": "Ensure that HEALTHCHECK instructions have been added to container images", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] } ], - "sha256": "264d58a989a677f58bd4ffe2e26f63e8b359f479604829a844f0f5ae250a2518" + "sha256": "e1e8e80ae599892ef15a27b95c6e0fb9c8b78848c25dcdac31812054d32b5b41" } ], "passthrough": { diff --git a/test/sample_data/neuvector/neuvector-hdf-mitre-heimdall.json b/test/sample_data/neuvector/neuvector-hdf-mitre-heimdall.json index 48b18e4f0..927ee4e2f 100644 --- a/test/sample_data/neuvector/neuvector-hdf-mitre-heimdall.json +++ b/test/sample_data/neuvector/neuvector-hdf-mitre-heimdall.json @@ -1,15 +1,20 @@ { "platform": { "name": "Heimdall Tools", - "release": "2.10.18" + "release": "2.10.19" }, - "version": "2.10.18", + "version": "2.10.19", "statistics": {}, "profiles": [ { "name": "NeuVector Scan", "title": "https://registry.hub.docker.com/mitre/heimdall:latest - Digest: sha256:54cbfb34a9a8fe00c9a60d722aa1c12f25bec825c505139cfffaeabc91fb10e6 - Image ID: 65785cbf46647c77caf8d7c40485900b013fca1290d1a7ab06c9039c3b29761c", - "supports": [], + "supports": [ + { + "platform-name": "alpine", + "release": "3" + } + ], "attributes": [], "groups": [], "status": "loaded", 
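Review bot: Every control added in this hunk (and in the matching hunks of the heimdall, heimdall2 and vulcan fixtures) repeats the image's entire build history verbatim in `tags.cmds`, so the same multi-kilobyte string appears once per emitted control and the report grows with every control the mapper adds; one copy at profile level (`attributes` or `passthrough`) with a short reference from each control would keep the HDF size bounded. In the heimdall fixture the mapper also copies the image's `ENV` block into `tags.envs`; build-time environment is a common place for tokens and keys to end up, so if the mapper does not filter it, any such value would be carried into every control of a report that is typically shared widely — a redaction or allow-list step belongs in the mapper rather than in these expected-output files. The three new controls also land with `"impact": 1` while their only result is `"status": "skipped"` / `"Requires manual review."`; if impact is being derived from `"level": "WARN"`, confirm that the highest HDF impact is the intended mapping for a manual-review item.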
@@ -8201,9 +8206,69 @@ "start_time": "" } ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "true", + "automated": "false", + "remediation": "", + "level": "WARN", + "envs": "PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nLANG=C.UTF-8\nRUBY_MAJOR=2.6\nRUBY_VERSION=2.6.6\nRUBY_DOWNLOAD_SHA256=5db187882b7ac34016cd48d7032e197f07e4968f406b0690e20193b9b424841f\nGEM_HOME=/usr/local/bundle\nBUNDLE_SILENCE_ROOT_WARNING=1\nBUNDLE_APP_CONFIG=/usr/local/bundle\nRAILS_ROOT=/var/www/heimdall", + "cmds": "CMD [\"rails\" \"server\" \"-p\" \"3000\" \"-b\" \"0.0.0.0\"]\nENTRYPOINT [\"bundle\" \"exec\"]\nEXPOSE 3000\nRUN apk --no-cache --update add nodejs imagemagick6 postgresql-dev tzdata && gem install bundler && bundle install --deployment --without development test\nCOPY dir:cfd6c107e9db5e6d3eb7fdfdc1d993d14c924a53fcb20069ea23e383c8c2967d in /var/www/heimdall\nWORKDIR /var/www/heimdall\nRUN mkdir -p $RAILS_ROOT\nENV RAILS_ROOT=/var/www/heimdall\nCMD [\"irb\"]\nRUN mkdir -p \"$GEM_HOME\" && chmod 777 \"$GEM_HOME\"\nENV PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundle\nENV GEM_HOME=/usr/local/bundle\nRUN set -eux; \t\tapk add --no-cache --virtual .ruby-builddeps \t\tautoconf \t\tbison \t\tbzip2 \t\tbzip2-dev \t\tca-certificates \t\tcoreutils \t\tdpkg-dev dpkg \t\tgcc \t\tgdbm-dev \t\tglib-dev \t\tlibc-dev \t\tlibffi-dev \t\tlibxml2-dev \t\tlibxslt-dev \t\tlinux-headers \t\tmake \t\tncurses-dev \t\topenssl \t\topenssl-dev \t\tpatch \t\tprocps \t\treadline-dev \t\truby \t\ttar \t\txz \t\tyaml-dev \t\tzlib-dev \t; \t\twget -O ruby.tar.xz \"https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz\"; \techo \"$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz\" | sha256sum --check --strict; \t\tmkdir -p /usr/src/ruby; \ttar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; 
\trm ruby.tar.xz; \t\tcd /usr/src/ruby; \t\twget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \techo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \tpatch -p1 -i thread-stack-fix.patch; \trm thread-stack-fix.patch; \t\t{ \t\techo '#define ENABLE_PATH_CHECK 0'; \t\techo; \t\tcat file.c; \t} > file.c.new; \tmv file.c.new file.c; \t\tautoconf; \tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \texport ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \t./configure \t\t--build=\"$gnuArch\" \t\t--disable-install-doc \t\t--enable-shared \t; \tmake -j \"$(nproc)\"; \tmake install; \t\trunDeps=\"$( \t\tscanelf --needed --nobanner --format '%n#p' --recursive /usr/local \t\t\t| tr ',' '\\n' \t\t\t| sort -u \t\t\t| awk 'system(\"[ -e /usr/local/lib/\" $1 \" ]\") == 0 { next } { print \"so:\" $1 }' \t)\"; \tapk add --no-network --virtual .ruby-rundeps \t\t$runDeps \t\tbzip2 \t\tca-certificates \t\tlibffi-dev \t\tprocps \t\tyaml-dev \t\tzlib-dev \t; \tapk del --no-network .ruby-builddeps; \t\tcd /; \trm -r /usr/src/ruby; \t! 
apk --no-network list --installed \t\t| grep -v '^[.]ruby-rundeps' \t\t| grep -i ruby \t; \t[ \"$(command -v ruby)\" = '/usr/local/bin/ruby' ]; \truby --version; \tgem --version; \tbundle --version\nENV RUBY_DOWNLOAD_SHA256=5db187882b7ac34016cd48d7032e197f07e4968f406b0690e20193b9b424841f\nENV RUBY_VERSION=2.6.6\nENV RUBY_MAJOR=2.6\nENV LANG=C.UTF-8\nRUN set -eux; \tmkdir -p /usr/local/etc; \t{ \t\techo 'install: --no-document'; \t\techo 'update: --no-document'; \t} >> /usr/local/etc/gemrc\nRUN apk add --no-cache \t\tgmp-dev\nCMD [\"/bin/sh\"]\nADD file:f17f65714f703db9012f00e5ec98d0b2541ff6147c2633f7ab9ba659d0c507f4 in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.1", + "id": "I.4.1", + "desc": "Ensure a user for the container has been created", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." 
+ } + ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "envs": "PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nLANG=C.UTF-8\nRUBY_MAJOR=2.6\nRUBY_VERSION=2.6.6\nRUBY_DOWNLOAD_SHA256=5db187882b7ac34016cd48d7032e197f07e4968f406b0690e20193b9b424841f\nGEM_HOME=/usr/local/bundle\nBUNDLE_SILENCE_ROOT_WARNING=1\nBUNDLE_APP_CONFIG=/usr/local/bundle\nRAILS_ROOT=/var/www/heimdall", + "cmds": "CMD [\"rails\" \"server\" \"-p\" \"3000\" \"-b\" \"0.0.0.0\"]\nENTRYPOINT [\"bundle\" \"exec\"]\nEXPOSE 3000\nRUN apk --no-cache --update add nodejs imagemagick6 postgresql-dev tzdata && gem install bundler && bundle install --deployment --without development test\nCOPY dir:cfd6c107e9db5e6d3eb7fdfdc1d993d14c924a53fcb20069ea23e383c8c2967d in /var/www/heimdall\nWORKDIR /var/www/heimdall\nRUN mkdir -p $RAILS_ROOT\nENV RAILS_ROOT=/var/www/heimdall\nCMD [\"irb\"]\nRUN mkdir -p \"$GEM_HOME\" && chmod 777 \"$GEM_HOME\"\nENV PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundle\nENV GEM_HOME=/usr/local/bundle\nRUN set -eux; \t\tapk add --no-cache --virtual .ruby-builddeps \t\tautoconf \t\tbison \t\tbzip2 \t\tbzip2-dev \t\tca-certificates \t\tcoreutils \t\tdpkg-dev dpkg \t\tgcc \t\tgdbm-dev \t\tglib-dev \t\tlibc-dev \t\tlibffi-dev \t\tlibxml2-dev \t\tlibxslt-dev \t\tlinux-headers \t\tmake \t\tncurses-dev \t\topenssl \t\topenssl-dev \t\tpatch \t\tprocps \t\treadline-dev \t\truby \t\ttar \t\txz \t\tyaml-dev \t\tzlib-dev \t; \t\twget -O ruby.tar.xz \"https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz\"; \techo \"$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz\" | sha256sum --check --strict; \t\tmkdir -p /usr/src/ruby; \ttar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; \trm ruby.tar.xz; \t\tcd 
/usr/src/ruby; \t\twget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \techo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \tpatch -p1 -i thread-stack-fix.patch; \trm thread-stack-fix.patch; \t\t{ \t\techo '#define ENABLE_PATH_CHECK 0'; \t\techo; \t\tcat file.c; \t} > file.c.new; \tmv file.c.new file.c; \t\tautoconf; \tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \texport ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \t./configure \t\t--build=\"$gnuArch\" \t\t--disable-install-doc \t\t--enable-shared \t; \tmake -j \"$(nproc)\"; \tmake install; \t\trunDeps=\"$( \t\tscanelf --needed --nobanner --format '%n#p' --recursive /usr/local \t\t\t| tr ',' '\\n' \t\t\t| sort -u \t\t\t| awk 'system(\"[ -e /usr/local/lib/\" $1 \" ]\") == 0 { next } { print \"so:\" $1 }' \t)\"; \tapk add --no-network --virtual .ruby-rundeps \t\t$runDeps \t\tbzip2 \t\tca-certificates \t\tlibffi-dev \t\tprocps \t\tyaml-dev \t\tzlib-dev \t; \tapk del --no-network .ruby-builddeps; \t\tcd /; \trm -r /usr/src/ruby; \t! 
apk --no-network list --installed \t\t| grep -v '^[.]ruby-rundeps' \t\t| grep -i ruby \t; \t[ \"$(command -v ruby)\" = '/usr/local/bin/ruby' ]; \truby --version; \tgem --version; \tbundle --version\nENV RUBY_DOWNLOAD_SHA256=5db187882b7ac34016cd48d7032e197f07e4968f406b0690e20193b9b424841f\nENV RUBY_VERSION=2.6.6\nENV RUBY_MAJOR=2.6\nENV LANG=C.UTF-8\nRUN set -eux; \tmkdir -p /usr/local/etc; \t{ \t\techo 'install: --no-document'; \t\techo 'update: --no-document'; \t} >> /usr/local/etc/gemrc\nRUN apk add --no-cache \t\tgmp-dev\nCMD [\"/bin/sh\"]\nADD file:f17f65714f703db9012f00e5ec98d0b2541ff6147c2633f7ab9ba659d0c507f4 in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.6", + "id": "I.4.6", + "desc": "Ensure that HEALTHCHECK instructions have been added to container images", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] } ], - "sha256": "95a11366a386c5ab6fc6c2413947d863d92061ae923164e4f7cb35cda9d2c3ee" + "sha256": "e6e4f54fcc973a939dc821d63f6d3841019e9ab626d779de26cc3ec6d6d9bbeb" } ], "passthrough": { diff --git a/test/sample_data/neuvector/neuvector-hdf-mitre-heimdall2.json b/test/sample_data/neuvector/neuvector-hdf-mitre-heimdall2.json index 96ccccfe4..bef7af8f3 100644 --- a/test/sample_data/neuvector/neuvector-hdf-mitre-heimdall2.json +++ b/test/sample_data/neuvector/neuvector-hdf-mitre-heimdall2.json 
@@ -1,15 +1,20 @@
 {
 "platform": {
 "name": "Heimdall Tools",
- "release": "2.10.18"
+ "release": "2.10.19"
 },
- "version": "2.10.18",
+ "version": "2.10.19",
 "statistics": {},
 "profiles": [
 {
 "name": "NeuVector Scan",
 "title": "https://registry.hub.docker.com/mitre/heimdall2:latest - Digest: sha256:ae8e58548bb13f1aa5df8aeea51cddf118e163fbe0163165d04552de0bf0ac0a - Image ID: 756f9a308b59ec6a0812ba49f958f2a3f4f0833afc9a3df23afe58f502db10aa",
- "supports": [],
+ "supports": [
+ {
+ "platform-name": "rhel",
+ "release": "8"
+ }
+ ],
 "attributes": [],
 "groups": [],
 "status": "loaded",
@@ -4936,9 +4941,67 @@ "start_time": "" } ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "CMD [\"/usr/local/bin/cmd.sh\"]\nUSER 1001\nCOPY --chmod=755 cmd.sh /usr/local/bin/ # buildkit\nCOPY --chown=1001 /src/dist/ dist/ # buildkit\nCOPY --chown=1001 /src/apps/backend/dist apps/backend/dist # buildkit\nCOPY --chown=1001 /src/libs/password-complexity/ libs/password-complexity # buildkit\nCOPY --chown=1001 /src/apps/backend/seeders apps/backend/seeders # buildkit\nCOPY --chown=1001 /src/apps/backend/migrations apps/backend/migrations # buildkit\nCOPY --chown=1001 /src/apps/backend/config apps/backend/config # buildkit\nCOPY --chown=1001 /src/apps/backend/db apps/backend/db # buildkit\nCOPY --chown=1001 /src/apps/backend/.sequelizerc apps/backend/ # buildkit\nCOPY --chown=1001 /src/apps/backend/node_modules apps/backend/node_modules # buildkit\nCOPY --chown=1001 /src/apps/backend/package.json apps/backend/ # buildkit\nCOPY --chown=1001 /src/package.json ./ # buildkit\nRUN curl -sL https://dl.yarnpkg.com/rpm/yarn.repo -o /etc/yum.repos.d/yarn.repo && microdnf install -y yarn && microdnf clean all && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* # buildkit\nWORKDIR /app\nUSER 0\nENV NODE_ENV=production\nARG NODE_ENV=production\nEXPOSE map[3000/tcp:{}]\nUSER 1001\nRUN mv -fZ /tmp/ubi.repo /etc/yum.repos.d/ubi.repo || :\nUSER root\nUSER 1001\nRUN rm -f /tmp/tls-ca-bundle.pem\nRUN rm -f '/etc/yum.repos.d/odcs-3442251-e7456.repo'\nUSER root\nLABEL \"release\"=\"128.1725330794\" \"distribution-scope\"=\"public\" \"vendor\"=\"Red Hat, Inc.\" \"build-date\"=\"2024-09-03T02:34:03\" \"architecture\"=\"x86_64\" \"vcs-type\"=\"git\" \"vcs-ref\"=\"ed55a1e31785cb589887885082e15145666bd573\" 
\"url\"=\"https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/nodejs-18-minimal/images/1-128.1725330794\"\nADD file:eaeb5130bea91aca8b8f0adb9c562241193d2429da656d379517ea596a339ce9 in /root/buildinfo/Dockerfile-ubi8-nodejs-18-minimal-1-128.1725330794\nADD file:5da8a8bde7c7afbcec865e4c3047eccc1d38cb8b75042f1b3adb8d6572f1f730 in /root/buildinfo/content_manifests/nodejs-18-minimal-container-1-128.1725330794.json\nADD file:3009d1d727725ea9fb6e44f08cc76721d4ff04918aa725b34847fcde963b7154 in /help.1\nUSER 1001\nWORKDIR \"$HOME\"\nRUN mkdir -p \"$HOME\" && chown -R 1001:0 \"$APP_ROOT\" && chmod -R ug+rwx \"$APP_ROOT\"\nCOPY dir:fe4e9034259501521ced258ae36b98bc6cc475e0e34364c8a17e53447c145be1 in /\nCOPY dir:b5a1f1317e0040e7a730c0b1d8cf8a9fa419afa1662d666632dac699455512f1 in /usr/libexec/s2i\nRUN INSTALL_PKGS=\"nodejs nodejs-nodemon nodejs-full-i18n npm findutils tar which\" && microdnf -y module disable nodejs && microdnf -y module enable nodejs:$NODEJS_VERSION && microdnf --nodocs --setopt=install_weak_deps=0 install $INSTALL_PKGS && node -v | grep -qe \"^v$NODEJS_VERSION\\.\" && echo \"Found VERSION $NODEJS_VERSION\" && microdnf clean all && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.*\nLABEL summary=\"$SUMMARY\" description=\"$DESCRIPTION\" io.k8s.description=\"$DESCRIPTION\" io.k8s.display-name=\"Node.js $NODEJS_VERSION Minimal\" io.openshift.expose-services=\"8080:http\" io.openshift.tags=\"builder,$NAME,${NAME}${NODEJS_VERSION}\" io.openshift.s2i.scripts-url=\"image:///usr/libexec/s2i\" io.s2i.scripts-url=\"image:///usr/libexec/s2i\" com.redhat.dev-mode=\"DEV_MODE:false\" com.redhat.deployments-dir=\"${APP_ROOT}/src\" com.redhat.dev-mode.port=\"DEBUG_PORT:5858\" com.redhat.component=\"${NAME}-${NODEJS_VERSION}-minimal-container\" name=\"ubi8/$NAME-$NODEJS_VERSION-minimal\" version=\"1\" com.redhat.license_terms=\"https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI\" 
maintainer=\"SoftwareCollections.org \" help=\"For more information visit https://github.com/sclorg/s2i-nodejs-container\"\nENV SUMMARY=\"Minimal image for running Node.js $NODEJS_VERSION applications\" DESCRIPTION=\"Node.js $NODEJS_VERSION available as container is a base platform for running various Node.js $NODEJS_VERSION applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\" NPM_CONFIG_PREFIX=$HOME/.npm-global PATH=$HOME/node_modules/.bin/:$HOME/.npm-global/bin/:$PATH\nENV APP_ROOT=/opt/app-root HOME=/opt/app-root/src NPM_RUN=start PLATFORM=\"el8\" NODEJS_VERSION=18 NPM_RUN=start NAME=nodejs\nEXPOSE 8080\nADD file:2660c1111176153e62928ea72cad5f0074133db91f3e296cbaf71f765f1f7bfd in /etc/yum.repos.d/\nADD file:5b1f650e1376d79fa3a65df4a154ea5166def95154b52c1c1097dfd8fc7d58eb in /tmp/tls-ca-bundle.pem\nRUN mv -f /etc/yum.repos.d/ubi.repo /tmp || :\nRUN mv -fZ /tmp/ubi.repo /etc/yum.repos.d/ubi.repo || :\nRUN rm -f /tmp/tls-ca-bundle.pem\nRUN rm -f '/etc/yum.repos.d/odcs-3398671-876ba.repo' '/etc/yum.repos.d/rhel-8.10-compose-0e878.repo'\nLABEL \"release\"=\"1052.1724178568\" \"distribution-scope\"=\"public\" \"vendor\"=\"Red Hat, Inc.\" \"build-date\"=\"2024-08-20T18:30:35\" \"architecture\"=\"x86_64\" \"vcs-type\"=\"git\" \"vcs-ref\"=\"4f8da2b64a13f2a264bd802d8909bf803211fb20\" \"io.k8s.description\"=\"The Universal Base Image Minimal is a stripped down image that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. 
This image is maintained by Red Hat and updated regularly.\" \"url\"=\"https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8-minimal/images/8.10-1052.1724178568\"\nADD file:849b71c9f9737769080a3214428c39267a1aa9f20785f4c781f1778b56b956e6 in /root/buildinfo/Dockerfile-ubi8-minimal-8.10-1052.1724178568\nADD file:c8ca5f484763321cd5e7b342c283d53c3b929c2eacba0494bcd589c978dc2fe1 in /root/buildinfo/content_manifests/ubi8-minimal-container-8.10-1052.1724178568.json\nRUN rm -rf /var/log/*\nCMD [\"/bin/bash\"]\nENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV container oci\nLABEL io.openshift.tags=\"minimal rhel8\"\nLABEL io.openshift.expose-services=\"\"\nLABEL io.k8s.display-name=\"Red Hat Universal Base Image 8 Minimal\"\nLABEL description=\"The Universal Base Image Minimal is a stripped down image that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. 
This image is maintained by Red Hat and updated regularly.\"\nLABEL summary=\"Provides the latest release of the minimal Red Hat Universal Base Image 8.\"\nLABEL com.redhat.license_terms=\"https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI\"\nLABEL com.redhat.component=\"ubi8-minimal-container\" name=\"ubi8-minimal\" version=\"8.10\"\nLABEL maintainer=\"Red Hat, Inc.\"\nADD multi:d43053580c8e29293fe7178a18c2e44f1578d681ef94e964f4e0e14ef093ace4 in /etc/yum.repos.d/\nADD file:5b1f650e1376d79fa3a65df4a154ea5166def95154b52c1c1097dfd8fc7d58eb in /tmp/tls-ca-bundle.pem\nRUN mv -f /etc/yum.repos.d/ubi.repo /tmp || :\nADD file:0198ad3c1b345f6da74b55236cbce4779329b401acb32e81092e46f6ec5b87d0 in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.9", + "id": "I.4.9", + "desc": "Ensure that COPY is used instead of ADD in Dockerfiles", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." 
+ } + ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "CMD [\"/usr/local/bin/cmd.sh\"]\nUSER 1001\nCOPY --chmod=755 cmd.sh /usr/local/bin/ # buildkit\nCOPY --chown=1001 /src/dist/ dist/ # buildkit\nCOPY --chown=1001 /src/apps/backend/dist apps/backend/dist # buildkit\nCOPY --chown=1001 /src/libs/password-complexity/ libs/password-complexity # buildkit\nCOPY --chown=1001 /src/apps/backend/seeders apps/backend/seeders # buildkit\nCOPY --chown=1001 /src/apps/backend/migrations apps/backend/migrations # buildkit\nCOPY --chown=1001 /src/apps/backend/config apps/backend/config # buildkit\nCOPY --chown=1001 /src/apps/backend/db apps/backend/db # buildkit\nCOPY --chown=1001 /src/apps/backend/.sequelizerc apps/backend/ # buildkit\nCOPY --chown=1001 /src/apps/backend/node_modules apps/backend/node_modules # buildkit\nCOPY --chown=1001 /src/apps/backend/package.json apps/backend/ # buildkit\nCOPY --chown=1001 /src/package.json ./ # buildkit\nRUN curl -sL https://dl.yarnpkg.com/rpm/yarn.repo -o /etc/yum.repos.d/yarn.repo && microdnf install -y yarn && microdnf clean all && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* # buildkit\nWORKDIR /app\nUSER 0\nENV NODE_ENV=production\nARG NODE_ENV=production\nEXPOSE map[3000/tcp:{}]\nUSER 1001\nRUN mv -fZ /tmp/ubi.repo /etc/yum.repos.d/ubi.repo || :\nUSER root\nUSER 1001\nRUN rm -f /tmp/tls-ca-bundle.pem\nRUN rm -f '/etc/yum.repos.d/odcs-3442251-e7456.repo'\nUSER root\nLABEL \"release\"=\"128.1725330794\" \"distribution-scope\"=\"public\" \"vendor\"=\"Red Hat, Inc.\" \"build-date\"=\"2024-09-03T02:34:03\" \"architecture\"=\"x86_64\" \"vcs-type\"=\"git\" \"vcs-ref\"=\"ed55a1e31785cb589887885082e15145666bd573\" \"url\"=\"https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/nodejs-18-minimal/images/1-128.1725330794\"\nADD 
file:eaeb5130bea91aca8b8f0adb9c562241193d2429da656d379517ea596a339ce9 in /root/buildinfo/Dockerfile-ubi8-nodejs-18-minimal-1-128.1725330794\nADD file:5da8a8bde7c7afbcec865e4c3047eccc1d38cb8b75042f1b3adb8d6572f1f730 in /root/buildinfo/content_manifests/nodejs-18-minimal-container-1-128.1725330794.json\nADD file:3009d1d727725ea9fb6e44f08cc76721d4ff04918aa725b34847fcde963b7154 in /help.1\nUSER 1001\nWORKDIR \"$HOME\"\nRUN mkdir -p \"$HOME\" && chown -R 1001:0 \"$APP_ROOT\" && chmod -R ug+rwx \"$APP_ROOT\"\nCOPY dir:fe4e9034259501521ced258ae36b98bc6cc475e0e34364c8a17e53447c145be1 in /\nCOPY dir:b5a1f1317e0040e7a730c0b1d8cf8a9fa419afa1662d666632dac699455512f1 in /usr/libexec/s2i\nRUN INSTALL_PKGS=\"nodejs nodejs-nodemon nodejs-full-i18n npm findutils tar which\" && microdnf -y module disable nodejs && microdnf -y module enable nodejs:$NODEJS_VERSION && microdnf --nodocs --setopt=install_weak_deps=0 install $INSTALL_PKGS && node -v | grep -qe \"^v$NODEJS_VERSION\\.\" && echo \"Found VERSION $NODEJS_VERSION\" && microdnf clean all && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.*\nLABEL summary=\"$SUMMARY\" description=\"$DESCRIPTION\" io.k8s.description=\"$DESCRIPTION\" io.k8s.display-name=\"Node.js $NODEJS_VERSION Minimal\" io.openshift.expose-services=\"8080:http\" io.openshift.tags=\"builder,$NAME,${NAME}${NODEJS_VERSION}\" io.openshift.s2i.scripts-url=\"image:///usr/libexec/s2i\" io.s2i.scripts-url=\"image:///usr/libexec/s2i\" com.redhat.dev-mode=\"DEV_MODE:false\" com.redhat.deployments-dir=\"${APP_ROOT}/src\" com.redhat.dev-mode.port=\"DEBUG_PORT:5858\" com.redhat.component=\"${NAME}-${NODEJS_VERSION}-minimal-container\" name=\"ubi8/$NAME-$NODEJS_VERSION-minimal\" version=\"1\" com.redhat.license_terms=\"https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI\" maintainer=\"SoftwareCollections.org \" help=\"For more information visit https://github.com/sclorg/s2i-nodejs-container\"\nENV SUMMARY=\"Minimal image for 
running Node.js $NODEJS_VERSION applications\" DESCRIPTION=\"Node.js $NODEJS_VERSION available as container is a base platform for running various Node.js $NODEJS_VERSION applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\" NPM_CONFIG_PREFIX=$HOME/.npm-global PATH=$HOME/node_modules/.bin/:$HOME/.npm-global/bin/:$PATH\nENV APP_ROOT=/opt/app-root HOME=/opt/app-root/src NPM_RUN=start PLATFORM=\"el8\" NODEJS_VERSION=18 NPM_RUN=start NAME=nodejs\nEXPOSE 8080\nADD file:2660c1111176153e62928ea72cad5f0074133db91f3e296cbaf71f765f1f7bfd in /etc/yum.repos.d/\nADD file:5b1f650e1376d79fa3a65df4a154ea5166def95154b52c1c1097dfd8fc7d58eb in /tmp/tls-ca-bundle.pem\nRUN mv -f /etc/yum.repos.d/ubi.repo /tmp || :\nRUN mv -fZ /tmp/ubi.repo /etc/yum.repos.d/ubi.repo || :\nRUN rm -f /tmp/tls-ca-bundle.pem\nRUN rm -f '/etc/yum.repos.d/odcs-3398671-876ba.repo' '/etc/yum.repos.d/rhel-8.10-compose-0e878.repo'\nLABEL \"release\"=\"1052.1724178568\" \"distribution-scope\"=\"public\" \"vendor\"=\"Red Hat, Inc.\" \"build-date\"=\"2024-08-20T18:30:35\" \"architecture\"=\"x86_64\" \"vcs-type\"=\"git\" \"vcs-ref\"=\"4f8da2b64a13f2a264bd802d8909bf803211fb20\" \"io.k8s.description\"=\"The Universal Base Image Minimal is a stripped down image that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. 
This image is maintained by Red Hat and updated regularly.\" \"url\"=\"https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8-minimal/images/8.10-1052.1724178568\"\nADD file:849b71c9f9737769080a3214428c39267a1aa9f20785f4c781f1778b56b956e6 in /root/buildinfo/Dockerfile-ubi8-minimal-8.10-1052.1724178568\nADD file:c8ca5f484763321cd5e7b342c283d53c3b929c2eacba0494bcd589c978dc2fe1 in /root/buildinfo/content_manifests/ubi8-minimal-container-8.10-1052.1724178568.json\nRUN rm -rf /var/log/*\nCMD [\"/bin/bash\"]\nENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV container oci\nLABEL io.openshift.tags=\"minimal rhel8\"\nLABEL io.openshift.expose-services=\"\"\nLABEL io.k8s.display-name=\"Red Hat Universal Base Image 8 Minimal\"\nLABEL description=\"The Universal Base Image Minimal is a stripped down image that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. 
This image is maintained by Red Hat and updated regularly.\"\nLABEL summary=\"Provides the latest release of the minimal Red Hat Universal Base Image 8.\"\nLABEL com.redhat.license_terms=\"https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI\"\nLABEL com.redhat.component=\"ubi8-minimal-container\" name=\"ubi8-minimal\" version=\"8.10\"\nLABEL maintainer=\"Red Hat, Inc.\"\nADD multi:d43053580c8e29293fe7178a18c2e44f1578d681ef94e964f4e0e14ef093ace4 in /etc/yum.repos.d/\nADD file:5b1f650e1376d79fa3a65df4a154ea5166def95154b52c1c1097dfd8fc7d58eb in /tmp/tls-ca-bundle.pem\nRUN mv -f /etc/yum.repos.d/ubi.repo /tmp || :\nADD file:0198ad3c1b345f6da74b55236cbce4779329b401acb32e81092e46f6ec5b87d0 in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.6", + "id": "I.4.6", + "desc": "Ensure that HEALTHCHECK instructions have been added to container images", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] } ], - "sha256": "237f37b61123b607780c10aaf577950e044f69e6292ac0b3e32fbb3704dc5701" + "sha256": "ccffe941d11d6afa77d45ca20c401daa067f29fd02d887c8948c036a53af803e" } ], "passthrough": { diff --git a/test/sample_data/neuvector/neuvector-hdf-mitre-vulcan.json b/test/sample_data/neuvector/neuvector-hdf-mitre-vulcan.json index 982376159..2f22961e3 100644 --- a/test/sample_data/neuvector/neuvector-hdf-mitre-vulcan.json +++ b/test/sample_data/neuvector/neuvector-hdf-mitre-vulcan.json 
@@ -1,15 +1,20 @@
 {
 "platform": {
 "name": "Heimdall Tools",
- "release": "2.10.18"
+ "release": "2.10.19"
 },
- "version": "2.10.18",
+ "version": "2.10.19",
 "statistics": {},
 "profiles": [
 {
 "name": "NeuVector Scan",
 "title": "https://registry.hub.docker.com/mitre/vulcan:latest - Digest: sha256:6b7a67de7706e2d47da01e013b0e3d5e3eefdf32484224b4608ec24f27468113 - Image ID: 011bb802218592aadd5ebe70fa83a12ce60b6876bd5322151ef5ede86635a6e3",
- "supports": [],
+ "supports": [
+ {
+ "platform-name": "debian",
+ "release": "11"
+ }
+ ],
 "attributes": [],
 "groups": [],
 "status": "loaded",
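Review bot: The new `supports` entry pins the scanned base OS as `"platform-name": "debian"` with `"release": "11"`, i.e. a major number only, and the matching hunks for the withraw caldera (`"ubuntu"`/`"20"`), withraw heimdall (`"alpine"`/`"3"`) and withraw heimdall2 (`"rhel"`/`"8"`) fixtures do the same. For Ubuntu and Alpine a bare major does not name a release (Ubuntu has both 20.04 and 20.10, and Alpine is always 3.x), so if NeuVector's base-OS field carries the full version the expected output is locking in a lossy mapping. `supports.release` is what downstream applicability checks read, so confirm the truncation is intended; if the full version is available, the fixtures should expect the full `major.minor` string instead.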
@@ -129645,9 +129650,67 @@ "start_time": "" } ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "CMD [\"rails\" \"server\" \"-b\" \"0.0.0.0\"]\nUSER 1000\nRUN chown -R 1000:2000 /app # buildkit\nRUN SECRET_KEY_BASE=none NODE_ENV=production bundle exec rake assets:precompile # buildkit\nRUN yarn install --check-files --production # buildkit\nADD . /app # buildkit\nRUN bundle install --without development test # buildkit\nADD Gemfile* /app/ # buildkit\nRUN gem install bundler:2.2.32 # buildkit\nWORKDIR /app\nRUN mkdir $APP_HOME # buildkit\nENV RAILS_ENV=production\nENV APP_HOME=/app\nRUN apt-get update -qq && apt-get install -y build-essential nodejs yarn # buildkit\nRUN echo \"deb https://dl.yarnpkg.com/debian/ stable main\" | tee /etc/apt/sources.list.d/yarn.list # buildkit\nRUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - # buildkit\nRUN curl -sS https://deb.nodesource.com/setup_16.x | bash - # buildkit\nCMD [\"irb\"]\nRUN mkdir -p \"$GEM_HOME\" && chmod 1777 \"$GEM_HOME\"\nENV PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundle\nENV GEM_HOME=/usr/local/bundle\nRUN set -eux; \t\tsavedAptMark=\"$(apt-mark showmanual)\"; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tbison \t\tdpkg-dev \t\tlibgdbm-dev \t\truby \t; \trm -rf /var/lib/apt/lists/*; \t\twget -O ruby.tar.xz \"https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz\"; \techo \"$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz\" | sha256sum --check --strict; \t\tmkdir -p /usr/src/ruby; \ttar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; \trm ruby.tar.xz; \t\tcd /usr/src/ruby; \t\t{ \t\techo '#define ENABLE_PATH_CHECK 0'; \t\techo; \t\tcat file.c; \t} > file.c.new; \tmv file.c.new file.c; \t\tautoconf; 
\tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \t./configure \t\t--build=\"$gnuArch\" \t\t--disable-install-doc \t\t--enable-shared \t; \tmake -j \"$(nproc)\"; \tmake install; \t\tapt-mark auto '.*' > /dev/null; \tapt-mark manual $savedAptMark > /dev/null; \tfind /usr/local -type f -executable -not \\( -name '*tkinter*' \\) -exec ldd '{}' ';' \t\t| awk '/=>/ { print $(NF-1) }' \t\t| sort -u \t\t| grep -vE '^/usr/local/lib/' \t\t| xargs -r dpkg-query --search \t\t| cut -d: -f1 \t\t| sort -u \t\t| xargs -r apt-mark manual \t; \tapt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \t\tcd /; \trm -r /usr/src/ruby; \tif dpkg -l | grep -i ruby; then exit 1; fi; \t[ \"$(command -v ruby)\" = '/usr/local/bin/ruby' ]; \truby --version; \tgem --version; \tbundle --version\nENV RUBY_DOWNLOAD_SHA256=f22f662da504d49ce2080e446e4bea7008cee11d5ec4858fc69000d0e5b1d7fb\nENV RUBY_VERSION=2.7.8\nENV RUBY_MAJOR=2.7\nENV LANG=C.UTF-8\nRUN set -eux; \tmkdir -p /usr/local/etc; \t{ \t\techo 'install: --no-document'; \t\techo 'update: --no-document'; \t} >> /usr/local/etc/gemrc\nRUN set -ex; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tautoconf \t\tautomake \t\tbzip2 \t\tdpkg-dev \t\tfile \t\tg++ \t\tgcc \t\timagemagick \t\tlibbz2-dev \t\tlibc6-dev \t\tlibcurl4-openssl-dev \t\tlibdb-dev \t\tlibevent-dev \t\tlibffi-dev \t\tlibgdbm-dev \t\tlibglib2.0-dev \t\tlibgmp-dev \t\tlibjpeg-dev \t\tlibkrb5-dev \t\tliblzma-dev \t\tlibmagickcore-dev \t\tlibmagickwand-dev \t\tlibmaxminddb-dev \t\tlibncurses5-dev \t\tlibncursesw5-dev \t\tlibpng-dev \t\tlibpq-dev \t\tlibreadline-dev \t\tlibsqlite3-dev \t\tlibssl-dev \t\tlibtool \t\tlibwebp-dev \t\tlibxml2-dev \t\tlibxslt-dev \t\tlibyaml-dev \t\tmake \t\tpatch \t\tunzip \t\txz-utils \t\tzlib1g-dev \t\t\t\t$( \t\t\tif apt-cache show 'default-libmysqlclient-dev' 2>/dev/null | grep -q '^Version:'; then \t\t\t\techo 'default-libmysqlclient-dev'; \t\t\telse \t\t\t\techo 'libmysqlclient-dev'; \t\t\tfi 
\t\t) \t; \trm -rf /var/lib/apt/lists/*\nRUN apt-get update && apt-get install -y --no-install-recommends \t\tgit \t\tmercurial \t\topenssh-client \t\tsubversion \t\t\t\tprocps \t&& rm -rf /var/lib/apt/lists/*\nRUN set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tca-certificates \t\tcurl \t\tgnupg \t\tnetbase \t\twget \t; \trm -rf /var/lib/apt/lists/*\nCMD [\"bash\"]\nADD file:fc290cf8ddb984325474583faa79c5a98c5ea0ec7f606bf360251f63acecf389 in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.9", + "id": "I.4.9", + "desc": "Ensure that COPY is used instead of ADD in Dockerfiles", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "CMD [\"rails\" \"server\" \"-b\" \"0.0.0.0\"]\nUSER 1000\nRUN chown -R 1000:2000 /app # buildkit\nRUN SECRET_KEY_BASE=none NODE_ENV=production bundle exec rake assets:precompile # buildkit\nRUN yarn install --check-files --production # buildkit\nADD . 
/app # buildkit\nRUN bundle install --without development test # buildkit\nADD Gemfile* /app/ # buildkit\nRUN gem install bundler:2.2.32 # buildkit\nWORKDIR /app\nRUN mkdir $APP_HOME # buildkit\nENV RAILS_ENV=production\nENV APP_HOME=/app\nRUN apt-get update -qq && apt-get install -y build-essential nodejs yarn # buildkit\nRUN echo \"deb https://dl.yarnpkg.com/debian/ stable main\" | tee /etc/apt/sources.list.d/yarn.list # buildkit\nRUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - # buildkit\nRUN curl -sS https://deb.nodesource.com/setup_16.x | bash - # buildkit\nCMD [\"irb\"]\nRUN mkdir -p \"$GEM_HOME\" && chmod 1777 \"$GEM_HOME\"\nENV PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundle\nENV GEM_HOME=/usr/local/bundle\nRUN set -eux; \t\tsavedAptMark=\"$(apt-mark showmanual)\"; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tbison \t\tdpkg-dev \t\tlibgdbm-dev \t\truby \t; \trm -rf /var/lib/apt/lists/*; \t\twget -O ruby.tar.xz \"https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz\"; \techo \"$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz\" | sha256sum --check --strict; \t\tmkdir -p /usr/src/ruby; \ttar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; \trm ruby.tar.xz; \t\tcd /usr/src/ruby; \t\t{ \t\techo '#define ENABLE_PATH_CHECK 0'; \t\techo; \t\tcat file.c; \t} > file.c.new; \tmv file.c.new file.c; \t\tautoconf; \tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \t./configure \t\t--build=\"$gnuArch\" \t\t--disable-install-doc \t\t--enable-shared \t; \tmake -j \"$(nproc)\"; \tmake install; \t\tapt-mark auto '.*' > /dev/null; \tapt-mark manual $savedAptMark > /dev/null; \tfind /usr/local -type f -executable -not \\( -name '*tkinter*' \\) -exec ldd '{}' ';' \t\t| awk '/=>/ { print $(NF-1) }' \t\t| sort -u \t\t| grep -vE '^/usr/local/lib/' \t\t| xargs -r dpkg-query --search \t\t| cut -d: 
-f1 \t\t| sort -u \t\t| xargs -r apt-mark manual \t; \tapt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \t\tcd /; \trm -r /usr/src/ruby; \tif dpkg -l | grep -i ruby; then exit 1; fi; \t[ \"$(command -v ruby)\" = '/usr/local/bin/ruby' ]; \truby --version; \tgem --version; \tbundle --version\nENV RUBY_DOWNLOAD_SHA256=f22f662da504d49ce2080e446e4bea7008cee11d5ec4858fc69000d0e5b1d7fb\nENV RUBY_VERSION=2.7.8\nENV RUBY_MAJOR=2.7\nENV LANG=C.UTF-8\nRUN set -eux; \tmkdir -p /usr/local/etc; \t{ \t\techo 'install: --no-document'; \t\techo 'update: --no-document'; \t} >> /usr/local/etc/gemrc\nRUN set -ex; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tautoconf \t\tautomake \t\tbzip2 \t\tdpkg-dev \t\tfile \t\tg++ \t\tgcc \t\timagemagick \t\tlibbz2-dev \t\tlibc6-dev \t\tlibcurl4-openssl-dev \t\tlibdb-dev \t\tlibevent-dev \t\tlibffi-dev \t\tlibgdbm-dev \t\tlibglib2.0-dev \t\tlibgmp-dev \t\tlibjpeg-dev \t\tlibkrb5-dev \t\tliblzma-dev \t\tlibmagickcore-dev \t\tlibmagickwand-dev \t\tlibmaxminddb-dev \t\tlibncurses5-dev \t\tlibncursesw5-dev \t\tlibpng-dev \t\tlibpq-dev \t\tlibreadline-dev \t\tlibsqlite3-dev \t\tlibssl-dev \t\tlibtool \t\tlibwebp-dev \t\tlibxml2-dev \t\tlibxslt-dev \t\tlibyaml-dev \t\tmake \t\tpatch \t\tunzip \t\txz-utils \t\tzlib1g-dev \t\t\t\t$( \t\t\tif apt-cache show 'default-libmysqlclient-dev' 2>/dev/null | grep -q '^Version:'; then \t\t\t\techo 'default-libmysqlclient-dev'; \t\t\telse \t\t\t\techo 'libmysqlclient-dev'; \t\t\tfi \t\t) \t; \trm -rf /var/lib/apt/lists/*\nRUN apt-get update && apt-get install -y --no-install-recommends \t\tgit \t\tmercurial \t\topenssh-client \t\tsubversion \t\t\t\tprocps \t&& rm -rf /var/lib/apt/lists/*\nRUN set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tca-certificates \t\tcurl \t\tgnupg \t\tnetbase \t\twget \t; \trm -rf /var/lib/apt/lists/*\nCMD [\"bash\"]\nADD file:fc290cf8ddb984325474583faa79c5a98c5ea0ec7f606bf360251f63acecf389 in /" + }, + 
"descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.6", + "id": "I.4.6", + "desc": "Ensure that HEALTHCHECK instructions have been added to container images", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] } ], - "sha256": "b8ec6c67e9599024d5187f4d58d657215d67ea4d8d97690716a4465bc58518ee" + "sha256": "6a875da6cfc3060554012f05ce6b29036796a0d790a11da5d9a271c116160af7" } ], "passthrough": { diff --git a/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-caldera.json b/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-caldera.json index 7b5591bf2..153feccc7 100644 --- a/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-caldera.json +++ b/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-caldera.json @@ -1,15 +1,20 @@ { "platform": { "name": "Heimdall Tools", - "release": "2.10.18" + "release": "2.10.19" }, - "version": "2.10.18", + "version": "2.10.19", "statistics": {}, "profiles": [ { "name": "NeuVector Scan", "title": "https://registry.hub.docker.com/mitre/caldera:latest - Digest: sha256:7dea2536cb13b2f316dad50d74dadc979d812520a7234ddbdfd84e81ef06901d - Image ID: 62532e388bdaa6d918c2c2d5c970157795a246a12784103f08289e29a2285e94", - "supports": [], + "supports": [ + { + "platform-name": "ubuntu", + "release": "20" + } + ], "attributes": [], "groups": [], "status": "loaded", 
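Review bot: Both controls appended here (I.4.9 and I.4.6) are `"scored": "false"` with a single skipped `Requires manual review.` result, yet each carries `"impact": 1`, which HDF consumers render as critical severity; the same pattern appears in the withraw caldera hunk (I.4.1, I.4.9, I.4.6) and the withraw heimdall hunk (I.4.1, I.4.6). As I understand the HDF convention, a control that should not weigh on the compliance picture is signalled with `"impact": 0`, and manual-review items of an unscored CIS check are the usual case for that. If the mapper really intends every CIS item to be critical regardless of `scored`/`automated`, fine, but these fixtures will freeze that choice, so it is worth confirming before merge.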
@@ -125065,9 +125070,96 @@ "start_time": "" } ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "true", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "ENTRYPOINT [\"python3\" \"server.py\"]\nEXPOSE map[7012/tcp:{}]\nEXPOSE map[7011/udp:{}]\nEXPOSE map[7010/tcp:{}]\nEXPOSE map[8888/tcp:{}]\nADD . . # buildkit\nRUN pip3 install --no-cache-dir -r requirements.txt # buildkit\nADD requirements.txt . # buildkit\nRUN if [ \"$WIN_BUILD\" = \"true\" ] ; then apt-get -y install mingw-w64; fi # buildkit\nARG WIN_BUILD=false\nRUN apt-get update && apt-get -y install python3 python3-pip golang git # buildkit\nWORKDIR /usr/src/app\nRUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone # buildkit\nARG TZ=UTC\nCMD [\"bash\"]\nADD file:524e8d93ad65f08a0cb0d144268350186e36f508006b05b8faf2e1289499b59f in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.1", + "id": "I.4.1", + "desc": "Ensure a user for the container has been created", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "ENTRYPOINT [\"python3\" \"server.py\"]\nEXPOSE map[7012/tcp:{}]\nEXPOSE map[7011/udp:{}]\nEXPOSE map[7010/tcp:{}]\nEXPOSE map[8888/tcp:{}]\nADD . . # buildkit\nRUN pip3 install --no-cache-dir -r requirements.txt # buildkit\nADD requirements.txt . 
# buildkit\nRUN if [ \"$WIN_BUILD\" = \"true\" ] ; then apt-get -y install mingw-w64; fi # buildkit\nARG WIN_BUILD=false\nRUN apt-get update && apt-get -y install python3 python3-pip golang git # buildkit\nWORKDIR /usr/src/app\nRUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone # buildkit\nARG TZ=UTC\nCMD [\"bash\"]\nADD file:524e8d93ad65f08a0cb0d144268350186e36f508006b05b8faf2e1289499b59f in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.9", + "id": "I.4.9", + "desc": "Ensure that COPY is used instead of ADD in Dockerfiles", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "ENTRYPOINT [\"python3\" \"server.py\"]\nEXPOSE map[7012/tcp:{}]\nEXPOSE map[7011/udp:{}]\nEXPOSE map[7010/tcp:{}]\nEXPOSE map[8888/tcp:{}]\nADD . . # buildkit\nRUN pip3 install --no-cache-dir -r requirements.txt # buildkit\nADD requirements.txt . 
# buildkit\nRUN if [ \"$WIN_BUILD\" = \"true\" ] ; then apt-get -y install mingw-w64; fi # buildkit\nARG WIN_BUILD=false\nRUN apt-get update && apt-get -y install python3 python3-pip golang git # buildkit\nWORKDIR /usr/src/app\nRUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone # buildkit\nARG TZ=UTC\nCMD [\"bash\"]\nADD file:524e8d93ad65f08a0cb0d144268350186e36f508006b05b8faf2e1289499b59f in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.6", + "id": "I.4.6", + "desc": "Ensure that HEALTHCHECK instructions have been added to container images", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] } ], - "sha256": "264d58a989a677f58bd4ffe2e26f63e8b359f479604829a844f0f5ae250a2518" + "sha256": "e1e8e80ae599892ef15a27b95c6e0fb9c8b78848c25dcdac31812054d32b5b41" } ], "passthrough": { diff --git a/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-heimdall.json b/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-heimdall.json index 9fb4c669b..f04a91b5a 100644 --- a/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-heimdall.json +++ b/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-heimdall.json @@ -1,15 +1,20 @@ { "platform": { "name": "Heimdall Tools", - "release": "2.10.18" + "release": "2.10.19" }, - "version": "2.10.18", + "version": "2.10.19", "statistics": {}, "profiles": [ { "name": "NeuVector Scan", "title": "https://registry.hub.docker.com/mitre/heimdall:latest - Digest: sha256:54cbfb34a9a8fe00c9a60d722aa1c12f25bec825c505139cfffaeabc91fb10e6 - Image ID: 65785cbf46647c77caf8d7c40485900b013fca1290d1a7ab06c9039c3b29761c", - "supports": [], + "supports": [ + { + "platform-name": "alpine", + "release": "3" + } + ], "attributes": [], "groups": [], "status": "loaded", 
@@ -8201,9 +8206,69 @@ "start_time": "" } ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "true", + "automated": "false", + "remediation": "", + "level": "WARN", + "envs": "PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nLANG=C.UTF-8\nRUBY_MAJOR=2.6\nRUBY_VERSION=2.6.6\nRUBY_DOWNLOAD_SHA256=5db187882b7ac34016cd48d7032e197f07e4968f406b0690e20193b9b424841f\nGEM_HOME=/usr/local/bundle\nBUNDLE_SILENCE_ROOT_WARNING=1\nBUNDLE_APP_CONFIG=/usr/local/bundle\nRAILS_ROOT=/var/www/heimdall", + "cmds": "CMD [\"rails\" \"server\" \"-p\" \"3000\" \"-b\" \"0.0.0.0\"]\nENTRYPOINT [\"bundle\" \"exec\"]\nEXPOSE 3000\nRUN apk --no-cache --update add nodejs imagemagick6 postgresql-dev tzdata && gem install bundler && bundle install --deployment --without development test\nCOPY dir:cfd6c107e9db5e6d3eb7fdfdc1d993d14c924a53fcb20069ea23e383c8c2967d in /var/www/heimdall\nWORKDIR /var/www/heimdall\nRUN mkdir -p $RAILS_ROOT\nENV RAILS_ROOT=/var/www/heimdall\nCMD [\"irb\"]\nRUN mkdir -p \"$GEM_HOME\" && chmod 777 \"$GEM_HOME\"\nENV PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundle\nENV GEM_HOME=/usr/local/bundle\nRUN set -eux; \t\tapk add --no-cache --virtual .ruby-builddeps \t\tautoconf \t\tbison \t\tbzip2 \t\tbzip2-dev \t\tca-certificates \t\tcoreutils \t\tdpkg-dev dpkg \t\tgcc \t\tgdbm-dev \t\tglib-dev \t\tlibc-dev \t\tlibffi-dev \t\tlibxml2-dev \t\tlibxslt-dev \t\tlinux-headers \t\tmake \t\tncurses-dev \t\topenssl \t\topenssl-dev \t\tpatch \t\tprocps \t\treadline-dev \t\truby \t\ttar \t\txz \t\tyaml-dev \t\tzlib-dev \t; \t\twget -O ruby.tar.xz \"https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz\"; \techo \"$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz\" | sha256sum --check --strict; \t\tmkdir -p /usr/src/ruby; \ttar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; 
\trm ruby.tar.xz; \t\tcd /usr/src/ruby; \t\twget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \techo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \tpatch -p1 -i thread-stack-fix.patch; \trm thread-stack-fix.patch; \t\t{ \t\techo '#define ENABLE_PATH_CHECK 0'; \t\techo; \t\tcat file.c; \t} > file.c.new; \tmv file.c.new file.c; \t\tautoconf; \tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \texport ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \t./configure \t\t--build=\"$gnuArch\" \t\t--disable-install-doc \t\t--enable-shared \t; \tmake -j \"$(nproc)\"; \tmake install; \t\trunDeps=\"$( \t\tscanelf --needed --nobanner --format '%n#p' --recursive /usr/local \t\t\t| tr ',' '\\n' \t\t\t| sort -u \t\t\t| awk 'system(\"[ -e /usr/local/lib/\" $1 \" ]\") == 0 { next } { print \"so:\" $1 }' \t)\"; \tapk add --no-network --virtual .ruby-rundeps \t\t$runDeps \t\tbzip2 \t\tca-certificates \t\tlibffi-dev \t\tprocps \t\tyaml-dev \t\tzlib-dev \t; \tapk del --no-network .ruby-builddeps; \t\tcd /; \trm -r /usr/src/ruby; \t! 
apk --no-network list --installed \t\t| grep -v '^[.]ruby-rundeps' \t\t| grep -i ruby \t; \t[ \"$(command -v ruby)\" = '/usr/local/bin/ruby' ]; \truby --version; \tgem --version; \tbundle --version\nENV RUBY_DOWNLOAD_SHA256=5db187882b7ac34016cd48d7032e197f07e4968f406b0690e20193b9b424841f\nENV RUBY_VERSION=2.6.6\nENV RUBY_MAJOR=2.6\nENV LANG=C.UTF-8\nRUN set -eux; \tmkdir -p /usr/local/etc; \t{ \t\techo 'install: --no-document'; \t\techo 'update: --no-document'; \t} >> /usr/local/etc/gemrc\nRUN apk add --no-cache \t\tgmp-dev\nCMD [\"/bin/sh\"]\nADD file:f17f65714f703db9012f00e5ec98d0b2541ff6147c2633f7ab9ba659d0c507f4 in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.1", + "id": "I.4.1", + "desc": "Ensure a user for the container has been created", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." 
+ } + ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "envs": "PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nLANG=C.UTF-8\nRUBY_MAJOR=2.6\nRUBY_VERSION=2.6.6\nRUBY_DOWNLOAD_SHA256=5db187882b7ac34016cd48d7032e197f07e4968f406b0690e20193b9b424841f\nGEM_HOME=/usr/local/bundle\nBUNDLE_SILENCE_ROOT_WARNING=1\nBUNDLE_APP_CONFIG=/usr/local/bundle\nRAILS_ROOT=/var/www/heimdall", + "cmds": "CMD [\"rails\" \"server\" \"-p\" \"3000\" \"-b\" \"0.0.0.0\"]\nENTRYPOINT [\"bundle\" \"exec\"]\nEXPOSE 3000\nRUN apk --no-cache --update add nodejs imagemagick6 postgresql-dev tzdata && gem install bundler && bundle install --deployment --without development test\nCOPY dir:cfd6c107e9db5e6d3eb7fdfdc1d993d14c924a53fcb20069ea23e383c8c2967d in /var/www/heimdall\nWORKDIR /var/www/heimdall\nRUN mkdir -p $RAILS_ROOT\nENV RAILS_ROOT=/var/www/heimdall\nCMD [\"irb\"]\nRUN mkdir -p \"$GEM_HOME\" && chmod 777 \"$GEM_HOME\"\nENV PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundle\nENV GEM_HOME=/usr/local/bundle\nRUN set -eux; \t\tapk add --no-cache --virtual .ruby-builddeps \t\tautoconf \t\tbison \t\tbzip2 \t\tbzip2-dev \t\tca-certificates \t\tcoreutils \t\tdpkg-dev dpkg \t\tgcc \t\tgdbm-dev \t\tglib-dev \t\tlibc-dev \t\tlibffi-dev \t\tlibxml2-dev \t\tlibxslt-dev \t\tlinux-headers \t\tmake \t\tncurses-dev \t\topenssl \t\topenssl-dev \t\tpatch \t\tprocps \t\treadline-dev \t\truby \t\ttar \t\txz \t\tyaml-dev \t\tzlib-dev \t; \t\twget -O ruby.tar.xz \"https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz\"; \techo \"$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz\" | sha256sum --check --strict; \t\tmkdir -p /usr/src/ruby; \ttar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; \trm ruby.tar.xz; \t\tcd 
/usr/src/ruby; \t\twget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \techo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \tpatch -p1 -i thread-stack-fix.patch; \trm thread-stack-fix.patch; \t\t{ \t\techo '#define ENABLE_PATH_CHECK 0'; \t\techo; \t\tcat file.c; \t} > file.c.new; \tmv file.c.new file.c; \t\tautoconf; \tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \texport ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \t./configure \t\t--build=\"$gnuArch\" \t\t--disable-install-doc \t\t--enable-shared \t; \tmake -j \"$(nproc)\"; \tmake install; \t\trunDeps=\"$( \t\tscanelf --needed --nobanner --format '%n#p' --recursive /usr/local \t\t\t| tr ',' '\\n' \t\t\t| sort -u \t\t\t| awk 'system(\"[ -e /usr/local/lib/\" $1 \" ]\") == 0 { next } { print \"so:\" $1 }' \t)\"; \tapk add --no-network --virtual .ruby-rundeps \t\t$runDeps \t\tbzip2 \t\tca-certificates \t\tlibffi-dev \t\tprocps \t\tyaml-dev \t\tzlib-dev \t; \tapk del --no-network .ruby-builddeps; \t\tcd /; \trm -r /usr/src/ruby; \t! 
apk --no-network list --installed \t\t| grep -v '^[.]ruby-rundeps' \t\t| grep -i ruby \t; \t[ \"$(command -v ruby)\" = '/usr/local/bin/ruby' ]; \truby --version; \tgem --version; \tbundle --version\nENV RUBY_DOWNLOAD_SHA256=5db187882b7ac34016cd48d7032e197f07e4968f406b0690e20193b9b424841f\nENV RUBY_VERSION=2.6.6\nENV RUBY_MAJOR=2.6\nENV LANG=C.UTF-8\nRUN set -eux; \tmkdir -p /usr/local/etc; \t{ \t\techo 'install: --no-document'; \t\techo 'update: --no-document'; \t} >> /usr/local/etc/gemrc\nRUN apk add --no-cache \t\tgmp-dev\nCMD [\"/bin/sh\"]\nADD file:f17f65714f703db9012f00e5ec98d0b2541ff6147c2633f7ab9ba659d0c507f4 in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.6", + "id": "I.4.6", + "desc": "Ensure that HEALTHCHECK instructions have been added to container images", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] } ], - "sha256": "95a11366a386c5ab6fc6c2413947d863d92061ae923164e4f7cb35cda9d2c3ee" + "sha256": "e6e4f54fcc973a939dc821d63f6d3841019e9ab626d779de26cc3ec6d6d9bbeb" } ], "passthrough": { diff --git a/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-heimdall2.json b/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-heimdall2.json index 1b5aa2060..f01e9c64e 100644 --- a/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-heimdall2.json +++ b/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-heimdall2.json 
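Review bot: The two controls appended here carry an `envs` tag next to `cmds`, while the controls appended in the vulcan and withraw caldera hunks have `cmds` only, so the key set of `tags` now varies between fixtures. Presumably the mapper emits `envs` only when NeuVector reported environment variables for the image; a consumer that reads `tags.envs` will then find the key absent in some reports and a string in others. If the tag shape is meant to be stable, the other fixtures would expect `"envs": ""` (or the mapper would omit the key everywhere), so confirm which behaviour is intended. Note also that `envs` reproduces the image's environment verbatim; the values in this fixture are benign, but on real scans that string can carry credentials baked into an image, so HDF output from this mapper should be handled with the same care as the scan report itself.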
@@ -1,15 +1,20 @@
 {
 "platform": {
 "name": "Heimdall Tools",
- "release": "2.10.18"
+ "release": "2.10.19"
 },
- "version": "2.10.18",
+ "version": "2.10.19",
 "statistics": {},
 "profiles": [
 {
 "name": "NeuVector Scan",
 "title": "https://registry.hub.docker.com/mitre/heimdall2:latest - Digest: sha256:ae8e58548bb13f1aa5df8aeea51cddf118e163fbe0163165d04552de0bf0ac0a - Image ID: 756f9a308b59ec6a0812ba49f958f2a3f4f0833afc9a3df23afe58f502db10aa",
- "supports": [],
+ "supports": [
+ {
+ "platform-name": "rhel",
+ "release": "8"
+ }
+ ],
 "attributes": [],
 "groups": [],
 "status": "loaded",
@@ -4936,9 +4941,67 @@ "start_time": "" } ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "CMD [\"/usr/local/bin/cmd.sh\"]\nUSER 1001\nCOPY --chmod=755 cmd.sh /usr/local/bin/ # buildkit\nCOPY --chown=1001 /src/dist/ dist/ # buildkit\nCOPY --chown=1001 /src/apps/backend/dist apps/backend/dist # buildkit\nCOPY --chown=1001 /src/libs/password-complexity/ libs/password-complexity # buildkit\nCOPY --chown=1001 /src/apps/backend/seeders apps/backend/seeders # buildkit\nCOPY --chown=1001 /src/apps/backend/migrations apps/backend/migrations # buildkit\nCOPY --chown=1001 /src/apps/backend/config apps/backend/config # buildkit\nCOPY --chown=1001 /src/apps/backend/db apps/backend/db # buildkit\nCOPY --chown=1001 /src/apps/backend/.sequelizerc apps/backend/ # buildkit\nCOPY --chown=1001 /src/apps/backend/node_modules apps/backend/node_modules # buildkit\nCOPY --chown=1001 /src/apps/backend/package.json apps/backend/ # buildkit\nCOPY --chown=1001 /src/package.json ./ # buildkit\nRUN curl -sL https://dl.yarnpkg.com/rpm/yarn.repo -o /etc/yum.repos.d/yarn.repo && microdnf install -y yarn && microdnf clean all && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* # buildkit\nWORKDIR /app\nUSER 0\nENV NODE_ENV=production\nARG NODE_ENV=production\nEXPOSE map[3000/tcp:{}]\nUSER 1001\nRUN mv -fZ /tmp/ubi.repo /etc/yum.repos.d/ubi.repo || :\nUSER root\nUSER 1001\nRUN rm -f /tmp/tls-ca-bundle.pem\nRUN rm -f '/etc/yum.repos.d/odcs-3442251-e7456.repo'\nUSER root\nLABEL \"release\"=\"128.1725330794\" \"distribution-scope\"=\"public\" \"vendor\"=\"Red Hat, Inc.\" \"build-date\"=\"2024-09-03T02:34:03\" \"architecture\"=\"x86_64\" \"vcs-type\"=\"git\" \"vcs-ref\"=\"ed55a1e31785cb589887885082e15145666bd573\" 
\"url\"=\"https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/nodejs-18-minimal/images/1-128.1725330794\"\nADD file:eaeb5130bea91aca8b8f0adb9c562241193d2429da656d379517ea596a339ce9 in /root/buildinfo/Dockerfile-ubi8-nodejs-18-minimal-1-128.1725330794\nADD file:5da8a8bde7c7afbcec865e4c3047eccc1d38cb8b75042f1b3adb8d6572f1f730 in /root/buildinfo/content_manifests/nodejs-18-minimal-container-1-128.1725330794.json\nADD file:3009d1d727725ea9fb6e44f08cc76721d4ff04918aa725b34847fcde963b7154 in /help.1\nUSER 1001\nWORKDIR \"$HOME\"\nRUN mkdir -p \"$HOME\" && chown -R 1001:0 \"$APP_ROOT\" && chmod -R ug+rwx \"$APP_ROOT\"\nCOPY dir:fe4e9034259501521ced258ae36b98bc6cc475e0e34364c8a17e53447c145be1 in /\nCOPY dir:b5a1f1317e0040e7a730c0b1d8cf8a9fa419afa1662d666632dac699455512f1 in /usr/libexec/s2i\nRUN INSTALL_PKGS=\"nodejs nodejs-nodemon nodejs-full-i18n npm findutils tar which\" && microdnf -y module disable nodejs && microdnf -y module enable nodejs:$NODEJS_VERSION && microdnf --nodocs --setopt=install_weak_deps=0 install $INSTALL_PKGS && node -v | grep -qe \"^v$NODEJS_VERSION\\.\" && echo \"Found VERSION $NODEJS_VERSION\" && microdnf clean all && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.*\nLABEL summary=\"$SUMMARY\" description=\"$DESCRIPTION\" io.k8s.description=\"$DESCRIPTION\" io.k8s.display-name=\"Node.js $NODEJS_VERSION Minimal\" io.openshift.expose-services=\"8080:http\" io.openshift.tags=\"builder,$NAME,${NAME}${NODEJS_VERSION}\" io.openshift.s2i.scripts-url=\"image:///usr/libexec/s2i\" io.s2i.scripts-url=\"image:///usr/libexec/s2i\" com.redhat.dev-mode=\"DEV_MODE:false\" com.redhat.deployments-dir=\"${APP_ROOT}/src\" com.redhat.dev-mode.port=\"DEBUG_PORT:5858\" com.redhat.component=\"${NAME}-${NODEJS_VERSION}-minimal-container\" name=\"ubi8/$NAME-$NODEJS_VERSION-minimal\" version=\"1\" com.redhat.license_terms=\"https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI\" 
maintainer=\"SoftwareCollections.org \" help=\"For more information visit https://github.com/sclorg/s2i-nodejs-container\"\nENV SUMMARY=\"Minimal image for running Node.js $NODEJS_VERSION applications\" DESCRIPTION=\"Node.js $NODEJS_VERSION available as container is a base platform for running various Node.js $NODEJS_VERSION applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\" NPM_CONFIG_PREFIX=$HOME/.npm-global PATH=$HOME/node_modules/.bin/:$HOME/.npm-global/bin/:$PATH\nENV APP_ROOT=/opt/app-root HOME=/opt/app-root/src NPM_RUN=start PLATFORM=\"el8\" NODEJS_VERSION=18 NPM_RUN=start NAME=nodejs\nEXPOSE 8080\nADD file:2660c1111176153e62928ea72cad5f0074133db91f3e296cbaf71f765f1f7bfd in /etc/yum.repos.d/\nADD file:5b1f650e1376d79fa3a65df4a154ea5166def95154b52c1c1097dfd8fc7d58eb in /tmp/tls-ca-bundle.pem\nRUN mv -f /etc/yum.repos.d/ubi.repo /tmp || :\nRUN mv -fZ /tmp/ubi.repo /etc/yum.repos.d/ubi.repo || :\nRUN rm -f /tmp/tls-ca-bundle.pem\nRUN rm -f '/etc/yum.repos.d/odcs-3398671-876ba.repo' '/etc/yum.repos.d/rhel-8.10-compose-0e878.repo'\nLABEL \"release\"=\"1052.1724178568\" \"distribution-scope\"=\"public\" \"vendor\"=\"Red Hat, Inc.\" \"build-date\"=\"2024-08-20T18:30:35\" \"architecture\"=\"x86_64\" \"vcs-type\"=\"git\" \"vcs-ref\"=\"4f8da2b64a13f2a264bd802d8909bf803211fb20\" \"io.k8s.description\"=\"The Universal Base Image Minimal is a stripped down image that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. 
This image is maintained by Red Hat and updated regularly.\" \"url\"=\"https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8-minimal/images/8.10-1052.1724178568\"\nADD file:849b71c9f9737769080a3214428c39267a1aa9f20785f4c781f1778b56b956e6 in /root/buildinfo/Dockerfile-ubi8-minimal-8.10-1052.1724178568\nADD file:c8ca5f484763321cd5e7b342c283d53c3b929c2eacba0494bcd589c978dc2fe1 in /root/buildinfo/content_manifests/ubi8-minimal-container-8.10-1052.1724178568.json\nRUN rm -rf /var/log/*\nCMD [\"/bin/bash\"]\nENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV container oci\nLABEL io.openshift.tags=\"minimal rhel8\"\nLABEL io.openshift.expose-services=\"\"\nLABEL io.k8s.display-name=\"Red Hat Universal Base Image 8 Minimal\"\nLABEL description=\"The Universal Base Image Minimal is a stripped down image that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. 
This image is maintained by Red Hat and updated regularly.\"\nLABEL summary=\"Provides the latest release of the minimal Red Hat Universal Base Image 8.\"\nLABEL com.redhat.license_terms=\"https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI\"\nLABEL com.redhat.component=\"ubi8-minimal-container\" name=\"ubi8-minimal\" version=\"8.10\"\nLABEL maintainer=\"Red Hat, Inc.\"\nADD multi:d43053580c8e29293fe7178a18c2e44f1578d681ef94e964f4e0e14ef093ace4 in /etc/yum.repos.d/\nADD file:5b1f650e1376d79fa3a65df4a154ea5166def95154b52c1c1097dfd8fc7d58eb in /tmp/tls-ca-bundle.pem\nRUN mv -f /etc/yum.repos.d/ubi.repo /tmp || :\nADD file:0198ad3c1b345f6da74b55236cbce4779329b401acb32e81092e46f6ec5b87d0 in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.9", + "id": "I.4.9", + "desc": "Ensure that COPY is used instead of ADD in Dockerfiles", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." 
+ } + ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "CMD [\"/usr/local/bin/cmd.sh\"]\nUSER 1001\nCOPY --chmod=755 cmd.sh /usr/local/bin/ # buildkit\nCOPY --chown=1001 /src/dist/ dist/ # buildkit\nCOPY --chown=1001 /src/apps/backend/dist apps/backend/dist # buildkit\nCOPY --chown=1001 /src/libs/password-complexity/ libs/password-complexity # buildkit\nCOPY --chown=1001 /src/apps/backend/seeders apps/backend/seeders # buildkit\nCOPY --chown=1001 /src/apps/backend/migrations apps/backend/migrations # buildkit\nCOPY --chown=1001 /src/apps/backend/config apps/backend/config # buildkit\nCOPY --chown=1001 /src/apps/backend/db apps/backend/db # buildkit\nCOPY --chown=1001 /src/apps/backend/.sequelizerc apps/backend/ # buildkit\nCOPY --chown=1001 /src/apps/backend/node_modules apps/backend/node_modules # buildkit\nCOPY --chown=1001 /src/apps/backend/package.json apps/backend/ # buildkit\nCOPY --chown=1001 /src/package.json ./ # buildkit\nRUN curl -sL https://dl.yarnpkg.com/rpm/yarn.repo -o /etc/yum.repos.d/yarn.repo && microdnf install -y yarn && microdnf clean all && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.* # buildkit\nWORKDIR /app\nUSER 0\nENV NODE_ENV=production\nARG NODE_ENV=production\nEXPOSE map[3000/tcp:{}]\nUSER 1001\nRUN mv -fZ /tmp/ubi.repo /etc/yum.repos.d/ubi.repo || :\nUSER root\nUSER 1001\nRUN rm -f /tmp/tls-ca-bundle.pem\nRUN rm -f '/etc/yum.repos.d/odcs-3442251-e7456.repo'\nUSER root\nLABEL \"release\"=\"128.1725330794\" \"distribution-scope\"=\"public\" \"vendor\"=\"Red Hat, Inc.\" \"build-date\"=\"2024-09-03T02:34:03\" \"architecture\"=\"x86_64\" \"vcs-type\"=\"git\" \"vcs-ref\"=\"ed55a1e31785cb589887885082e15145666bd573\" \"url\"=\"https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/nodejs-18-minimal/images/1-128.1725330794\"\nADD 
file:eaeb5130bea91aca8b8f0adb9c562241193d2429da656d379517ea596a339ce9 in /root/buildinfo/Dockerfile-ubi8-nodejs-18-minimal-1-128.1725330794\nADD file:5da8a8bde7c7afbcec865e4c3047eccc1d38cb8b75042f1b3adb8d6572f1f730 in /root/buildinfo/content_manifests/nodejs-18-minimal-container-1-128.1725330794.json\nADD file:3009d1d727725ea9fb6e44f08cc76721d4ff04918aa725b34847fcde963b7154 in /help.1\nUSER 1001\nWORKDIR \"$HOME\"\nRUN mkdir -p \"$HOME\" && chown -R 1001:0 \"$APP_ROOT\" && chmod -R ug+rwx \"$APP_ROOT\"\nCOPY dir:fe4e9034259501521ced258ae36b98bc6cc475e0e34364c8a17e53447c145be1 in /\nCOPY dir:b5a1f1317e0040e7a730c0b1d8cf8a9fa419afa1662d666632dac699455512f1 in /usr/libexec/s2i\nRUN INSTALL_PKGS=\"nodejs nodejs-nodemon nodejs-full-i18n npm findutils tar which\" && microdnf -y module disable nodejs && microdnf -y module enable nodejs:$NODEJS_VERSION && microdnf --nodocs --setopt=install_weak_deps=0 install $INSTALL_PKGS && node -v | grep -qe \"^v$NODEJS_VERSION\\.\" && echo \"Found VERSION $NODEJS_VERSION\" && microdnf clean all && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf* /mnt/rootfs/var/log/yum.*\nLABEL summary=\"$SUMMARY\" description=\"$DESCRIPTION\" io.k8s.description=\"$DESCRIPTION\" io.k8s.display-name=\"Node.js $NODEJS_VERSION Minimal\" io.openshift.expose-services=\"8080:http\" io.openshift.tags=\"builder,$NAME,${NAME}${NODEJS_VERSION}\" io.openshift.s2i.scripts-url=\"image:///usr/libexec/s2i\" io.s2i.scripts-url=\"image:///usr/libexec/s2i\" com.redhat.dev-mode=\"DEV_MODE:false\" com.redhat.deployments-dir=\"${APP_ROOT}/src\" com.redhat.dev-mode.port=\"DEBUG_PORT:5858\" com.redhat.component=\"${NAME}-${NODEJS_VERSION}-minimal-container\" name=\"ubi8/$NAME-$NODEJS_VERSION-minimal\" version=\"1\" com.redhat.license_terms=\"https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI\" maintainer=\"SoftwareCollections.org \" help=\"For more information visit https://github.com/sclorg/s2i-nodejs-container\"\nENV SUMMARY=\"Minimal image for 
running Node.js $NODEJS_VERSION applications\" DESCRIPTION=\"Node.js $NODEJS_VERSION available as container is a base platform for running various Node.js $NODEJS_VERSION applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\" NPM_CONFIG_PREFIX=$HOME/.npm-global PATH=$HOME/node_modules/.bin/:$HOME/.npm-global/bin/:$PATH\nENV APP_ROOT=/opt/app-root HOME=/opt/app-root/src NPM_RUN=start PLATFORM=\"el8\" NODEJS_VERSION=18 NPM_RUN=start NAME=nodejs\nEXPOSE 8080\nADD file:2660c1111176153e62928ea72cad5f0074133db91f3e296cbaf71f765f1f7bfd in /etc/yum.repos.d/\nADD file:5b1f650e1376d79fa3a65df4a154ea5166def95154b52c1c1097dfd8fc7d58eb in /tmp/tls-ca-bundle.pem\nRUN mv -f /etc/yum.repos.d/ubi.repo /tmp || :\nRUN mv -fZ /tmp/ubi.repo /etc/yum.repos.d/ubi.repo || :\nRUN rm -f /tmp/tls-ca-bundle.pem\nRUN rm -f '/etc/yum.repos.d/odcs-3398671-876ba.repo' '/etc/yum.repos.d/rhel-8.10-compose-0e878.repo'\nLABEL \"release\"=\"1052.1724178568\" \"distribution-scope\"=\"public\" \"vendor\"=\"Red Hat, Inc.\" \"build-date\"=\"2024-08-20T18:30:35\" \"architecture\"=\"x86_64\" \"vcs-type\"=\"git\" \"vcs-ref\"=\"4f8da2b64a13f2a264bd802d8909bf803211fb20\" \"io.k8s.description\"=\"The Universal Base Image Minimal is a stripped down image that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. 
This image is maintained by Red Hat and updated regularly.\" \"url\"=\"https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8-minimal/images/8.10-1052.1724178568\"\nADD file:849b71c9f9737769080a3214428c39267a1aa9f20785f4c781f1778b56b956e6 in /root/buildinfo/Dockerfile-ubi8-minimal-8.10-1052.1724178568\nADD file:c8ca5f484763321cd5e7b342c283d53c3b929c2eacba0494bcd589c978dc2fe1 in /root/buildinfo/content_manifests/ubi8-minimal-container-8.10-1052.1724178568.json\nRUN rm -rf /var/log/*\nCMD [\"/bin/bash\"]\nENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV container oci\nLABEL io.openshift.tags=\"minimal rhel8\"\nLABEL io.openshift.expose-services=\"\"\nLABEL io.k8s.display-name=\"Red Hat Universal Base Image 8 Minimal\"\nLABEL description=\"The Universal Base Image Minimal is a stripped down image that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. 
This image is maintained by Red Hat and updated regularly.\"\nLABEL summary=\"Provides the latest release of the minimal Red Hat Universal Base Image 8.\"\nLABEL com.redhat.license_terms=\"https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI\"\nLABEL com.redhat.component=\"ubi8-minimal-container\" name=\"ubi8-minimal\" version=\"8.10\"\nLABEL maintainer=\"Red Hat, Inc.\"\nADD multi:d43053580c8e29293fe7178a18c2e44f1578d681ef94e964f4e0e14ef093ace4 in /etc/yum.repos.d/\nADD file:5b1f650e1376d79fa3a65df4a154ea5166def95154b52c1c1097dfd8fc7d58eb in /tmp/tls-ca-bundle.pem\nRUN mv -f /etc/yum.repos.d/ubi.repo /tmp || :\nADD file:0198ad3c1b345f6da74b55236cbce4779329b401acb32e81092e46f6ec5b87d0 in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.6", + "id": "I.4.6", + "desc": "Ensure that HEALTHCHECK instructions have been added to container images", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] } ], - "sha256": "237f37b61123b607780c10aaf577950e044f69e6292ac0b3e32fbb3704dc5701" + "sha256": "ccffe941d11d6afa77d45ca20c401daa067f29fd02d887c8948c036a53af803e" } ], "passthrough": { diff --git a/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-vulcan.json b/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-vulcan.json index fc14b4cb8..08e6d7532 100644 --- a/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-vulcan.json +++ b/test/sample_data/neuvector/neuvector-hdf-withraw-mitre-vulcan.json 
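Review bot: Both new controls in this hunk, I.4.9 and I.4.6, report `"impact": 1` while `tags.level` is `"WARN"` and their only result is a skipped `Requires manual review.` placeholder, so every CIS image check in this fixture lands at the maximum severity. If the mapper derives impact from `level`, WARN mapping to 1 looks like severity inflation that will rank these unreviewed items above real findings in any impact-sorted view; this is inferred from the expected output and worth confirming against the mapper. `"scored": "false"` and `"automated": "false"` are also string-encoded booleans, so downstream filters must compare strings rather than test a JSON boolean; if that is deliberate for HDF tag compatibility, a one-line comment in the mapper saying so would stop a well-meaning future "fix". The same pattern appears in the neuvector-hdf-withraw-mitre-vulcan.json hunk below and in the hunk that begins before this chunk.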
@@ -1,15 +1,20 @@
 {
 "platform": {
 "name": "Heimdall Tools",
- "release": "2.10.18"
+ "release": "2.10.19"
 },
- "version": "2.10.18",
+ "version": "2.10.19",
 "statistics": {},
 "profiles": [
 {
 "name": "NeuVector Scan",
 "title": "https://registry.hub.docker.com/mitre/vulcan:latest - Digest: sha256:6b7a67de7706e2d47da01e013b0e3d5e3eefdf32484224b4608ec24f27468113 - Image ID: 011bb802218592aadd5ebe70fa83a12ce60b6876bd5322151ef5ede86635a6e3",
- "supports": [],
+ "supports": [
+ {
+ "platform-name": "debian",
+ "release": "11"
+ }
+ ],
 "attributes": [],
 "groups": [],
 "status": "loaded",
@@ -129645,9 +129650,67 @@ "start_time": "" } ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "CMD [\"rails\" \"server\" \"-b\" \"0.0.0.0\"]\nUSER 1000\nRUN chown -R 1000:2000 /app # buildkit\nRUN SECRET_KEY_BASE=none NODE_ENV=production bundle exec rake assets:precompile # buildkit\nRUN yarn install --check-files --production # buildkit\nADD . /app # buildkit\nRUN bundle install --without development test # buildkit\nADD Gemfile* /app/ # buildkit\nRUN gem install bundler:2.2.32 # buildkit\nWORKDIR /app\nRUN mkdir $APP_HOME # buildkit\nENV RAILS_ENV=production\nENV APP_HOME=/app\nRUN apt-get update -qq && apt-get install -y build-essential nodejs yarn # buildkit\nRUN echo \"deb https://dl.yarnpkg.com/debian/ stable main\" | tee /etc/apt/sources.list.d/yarn.list # buildkit\nRUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - # buildkit\nRUN curl -sS https://deb.nodesource.com/setup_16.x | bash - # buildkit\nCMD [\"irb\"]\nRUN mkdir -p \"$GEM_HOME\" && chmod 1777 \"$GEM_HOME\"\nENV PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundle\nENV GEM_HOME=/usr/local/bundle\nRUN set -eux; \t\tsavedAptMark=\"$(apt-mark showmanual)\"; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tbison \t\tdpkg-dev \t\tlibgdbm-dev \t\truby \t; \trm -rf /var/lib/apt/lists/*; \t\twget -O ruby.tar.xz \"https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz\"; \techo \"$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz\" | sha256sum --check --strict; \t\tmkdir -p /usr/src/ruby; \ttar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; \trm ruby.tar.xz; \t\tcd /usr/src/ruby; \t\t{ \t\techo '#define ENABLE_PATH_CHECK 0'; \t\techo; \t\tcat file.c; \t} > file.c.new; \tmv file.c.new file.c; \t\tautoconf; 
\tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \t./configure \t\t--build=\"$gnuArch\" \t\t--disable-install-doc \t\t--enable-shared \t; \tmake -j \"$(nproc)\"; \tmake install; \t\tapt-mark auto '.*' > /dev/null; \tapt-mark manual $savedAptMark > /dev/null; \tfind /usr/local -type f -executable -not \\( -name '*tkinter*' \\) -exec ldd '{}' ';' \t\t| awk '/=>/ { print $(NF-1) }' \t\t| sort -u \t\t| grep -vE '^/usr/local/lib/' \t\t| xargs -r dpkg-query --search \t\t| cut -d: -f1 \t\t| sort -u \t\t| xargs -r apt-mark manual \t; \tapt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \t\tcd /; \trm -r /usr/src/ruby; \tif dpkg -l | grep -i ruby; then exit 1; fi; \t[ \"$(command -v ruby)\" = '/usr/local/bin/ruby' ]; \truby --version; \tgem --version; \tbundle --version\nENV RUBY_DOWNLOAD_SHA256=f22f662da504d49ce2080e446e4bea7008cee11d5ec4858fc69000d0e5b1d7fb\nENV RUBY_VERSION=2.7.8\nENV RUBY_MAJOR=2.7\nENV LANG=C.UTF-8\nRUN set -eux; \tmkdir -p /usr/local/etc; \t{ \t\techo 'install: --no-document'; \t\techo 'update: --no-document'; \t} >> /usr/local/etc/gemrc\nRUN set -ex; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tautoconf \t\tautomake \t\tbzip2 \t\tdpkg-dev \t\tfile \t\tg++ \t\tgcc \t\timagemagick \t\tlibbz2-dev \t\tlibc6-dev \t\tlibcurl4-openssl-dev \t\tlibdb-dev \t\tlibevent-dev \t\tlibffi-dev \t\tlibgdbm-dev \t\tlibglib2.0-dev \t\tlibgmp-dev \t\tlibjpeg-dev \t\tlibkrb5-dev \t\tliblzma-dev \t\tlibmagickcore-dev \t\tlibmagickwand-dev \t\tlibmaxminddb-dev \t\tlibncurses5-dev \t\tlibncursesw5-dev \t\tlibpng-dev \t\tlibpq-dev \t\tlibreadline-dev \t\tlibsqlite3-dev \t\tlibssl-dev \t\tlibtool \t\tlibwebp-dev \t\tlibxml2-dev \t\tlibxslt-dev \t\tlibyaml-dev \t\tmake \t\tpatch \t\tunzip \t\txz-utils \t\tzlib1g-dev \t\t\t\t$( \t\t\tif apt-cache show 'default-libmysqlclient-dev' 2>/dev/null | grep -q '^Version:'; then \t\t\t\techo 'default-libmysqlclient-dev'; \t\t\telse \t\t\t\techo 'libmysqlclient-dev'; \t\t\tfi 
\t\t) \t; \trm -rf /var/lib/apt/lists/*\nRUN apt-get update && apt-get install -y --no-install-recommends \t\tgit \t\tmercurial \t\topenssh-client \t\tsubversion \t\t\t\tprocps \t&& rm -rf /var/lib/apt/lists/*\nRUN set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tca-certificates \t\tcurl \t\tgnupg \t\tnetbase \t\twget \t; \trm -rf /var/lib/apt/lists/*\nCMD [\"bash\"]\nADD file:fc290cf8ddb984325474583faa79c5a98c5ea0ec7f606bf360251f63acecf389 in /" + }, + "descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.9", + "id": "I.4.9", + "desc": "Ensure that COPY is used instead of ADD in Dockerfiles", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] + }, + { + "tags": { + "category": "image", + "type": "image", + "profile": "Level 1", + "scored": "false", + "automated": "false", + "remediation": "", + "level": "WARN", + "cmds": "CMD [\"rails\" \"server\" \"-b\" \"0.0.0.0\"]\nUSER 1000\nRUN chown -R 1000:2000 /app # buildkit\nRUN SECRET_KEY_BASE=none NODE_ENV=production bundle exec rake assets:precompile # buildkit\nRUN yarn install --check-files --production # buildkit\nADD . 
/app # buildkit\nRUN bundle install --without development test # buildkit\nADD Gemfile* /app/ # buildkit\nRUN gem install bundler:2.2.32 # buildkit\nWORKDIR /app\nRUN mkdir $APP_HOME # buildkit\nENV RAILS_ENV=production\nENV APP_HOME=/app\nRUN apt-get update -qq && apt-get install -y build-essential nodejs yarn # buildkit\nRUN echo \"deb https://dl.yarnpkg.com/debian/ stable main\" | tee /etc/apt/sources.list.d/yarn.list # buildkit\nRUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - # buildkit\nRUN curl -sS https://deb.nodesource.com/setup_16.x | bash - # buildkit\nCMD [\"irb\"]\nRUN mkdir -p \"$GEM_HOME\" && chmod 1777 \"$GEM_HOME\"\nENV PATH=/usr/local/bundle/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nENV BUNDLE_SILENCE_ROOT_WARNING=1 BUNDLE_APP_CONFIG=/usr/local/bundle\nENV GEM_HOME=/usr/local/bundle\nRUN set -eux; \t\tsavedAptMark=\"$(apt-mark showmanual)\"; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tbison \t\tdpkg-dev \t\tlibgdbm-dev \t\truby \t; \trm -rf /var/lib/apt/lists/*; \t\twget -O ruby.tar.xz \"https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz\"; \techo \"$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz\" | sha256sum --check --strict; \t\tmkdir -p /usr/src/ruby; \ttar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; \trm ruby.tar.xz; \t\tcd /usr/src/ruby; \t\t{ \t\techo '#define ENABLE_PATH_CHECK 0'; \t\techo; \t\tcat file.c; \t} > file.c.new; \tmv file.c.new file.c; \t\tautoconf; \tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \t./configure \t\t--build=\"$gnuArch\" \t\t--disable-install-doc \t\t--enable-shared \t; \tmake -j \"$(nproc)\"; \tmake install; \t\tapt-mark auto '.*' > /dev/null; \tapt-mark manual $savedAptMark > /dev/null; \tfind /usr/local -type f -executable -not \\( -name '*tkinter*' \\) -exec ldd '{}' ';' \t\t| awk '/=>/ { print $(NF-1) }' \t\t| sort -u \t\t| grep -vE '^/usr/local/lib/' \t\t| xargs -r dpkg-query --search \t\t| cut -d: 
-f1 \t\t| sort -u \t\t| xargs -r apt-mark manual \t; \tapt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \t\tcd /; \trm -r /usr/src/ruby; \tif dpkg -l | grep -i ruby; then exit 1; fi; \t[ \"$(command -v ruby)\" = '/usr/local/bin/ruby' ]; \truby --version; \tgem --version; \tbundle --version\nENV RUBY_DOWNLOAD_SHA256=f22f662da504d49ce2080e446e4bea7008cee11d5ec4858fc69000d0e5b1d7fb\nENV RUBY_VERSION=2.7.8\nENV RUBY_MAJOR=2.7\nENV LANG=C.UTF-8\nRUN set -eux; \tmkdir -p /usr/local/etc; \t{ \t\techo 'install: --no-document'; \t\techo 'update: --no-document'; \t} >> /usr/local/etc/gemrc\nRUN set -ex; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tautoconf \t\tautomake \t\tbzip2 \t\tdpkg-dev \t\tfile \t\tg++ \t\tgcc \t\timagemagick \t\tlibbz2-dev \t\tlibc6-dev \t\tlibcurl4-openssl-dev \t\tlibdb-dev \t\tlibevent-dev \t\tlibffi-dev \t\tlibgdbm-dev \t\tlibglib2.0-dev \t\tlibgmp-dev \t\tlibjpeg-dev \t\tlibkrb5-dev \t\tliblzma-dev \t\tlibmagickcore-dev \t\tlibmagickwand-dev \t\tlibmaxminddb-dev \t\tlibncurses5-dev \t\tlibncursesw5-dev \t\tlibpng-dev \t\tlibpq-dev \t\tlibreadline-dev \t\tlibsqlite3-dev \t\tlibssl-dev \t\tlibtool \t\tlibwebp-dev \t\tlibxml2-dev \t\tlibxslt-dev \t\tlibyaml-dev \t\tmake \t\tpatch \t\tunzip \t\txz-utils \t\tzlib1g-dev \t\t\t\t$( \t\t\tif apt-cache show 'default-libmysqlclient-dev' 2>/dev/null | grep -q '^Version:'; then \t\t\t\techo 'default-libmysqlclient-dev'; \t\t\telse \t\t\t\techo 'libmysqlclient-dev'; \t\t\tfi \t\t) \t; \trm -rf /var/lib/apt/lists/*\nRUN apt-get update && apt-get install -y --no-install-recommends \t\tgit \t\tmercurial \t\topenssh-client \t\tsubversion \t\t\t\tprocps \t&& rm -rf /var/lib/apt/lists/*\nRUN set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tca-certificates \t\tcurl \t\tgnupg \t\tnetbase \t\twget \t; \trm -rf /var/lib/apt/lists/*\nCMD [\"bash\"]\nADD file:fc290cf8ddb984325474583faa79c5a98c5ea0ec7f606bf360251f63acecf389 in /" + }, + 
"descriptions": [], + "refs": [], + "source_location": {}, + "title": "CIS Docker Benchmark I.4.6", + "id": "I.4.6", + "desc": "Ensure that HEALTHCHECK instructions have been added to container images", + "impact": 1, + "code": null, + "results": [ + { + "status": "skipped", + "code_desc": "Requires manual review.", + "run_time": null, + "start_time": "", + "skip_message": "Requires manual review." + } + ] } ], - "sha256": "b8ec6c67e9599024d5187f4d58d657215d67ea4d8d97690716a4465bc58518ee" + "sha256": "6a875da6cfc3060554012f05ce6b29036796a0d790a11da5d9a271c116160af7" } ], "passthrough": {
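Review bot: `tags.cmds` embeds the scanned image's entire build history verbatim in every control, so the identical multi-kilobyte string appears twice in this hunk (I.4.9 and I.4.6) and again in the heimdall2 hunk above, which is why this hunk starts past line 129650 of a test fixture. Beyond the size cost, that history carries `ENV` and `ARG` values; here `SECRET_KEY_BASE=none` is an inert placeholder, but a real credential baked into a layer would be replicated into each control and into every downstream export of the HDF. Consider having the mapper record the history once at profile level (for example under the profile's `attributes` or the existing `passthrough` section) and keep only the instruction relevant to each check in the control tags, e.g. the `ADD` lines for I.4.9 and the absence of a `HEALTHCHECK` for I.4.6. The redundant copies also risk drifting apart if the mapper is ever changed to redact or truncate one of them.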