diff --git a/Dockerfile b/Dockerfile index d500cbab..32676426 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,90 +1,72 @@ -FROM centos:7 -LABEL maintainer="felix.hammerl@gmail.com" +FROM ekidd/rust-musl-builder AS cargo-audit-build -RUN yum -y -q update -RUN yum -y -q remove iputils -RUN yum -y -q install ca-certificates -RUN yum -y -q install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -RUN yum-config-manager -y -q --enable remi-php72 -RUN yum -y -q install wget epel-release openssl openssl-devel tar unzip \ - libffi-devel python-devel redhat-rpm-config git-core \ - gcc gcc-c++ make zlib-devel pcre-devel \ - java-1.8.0-openjdk.x86_64 which \ - php php-cli \ - maven +RUN cargo install cargo cargo-audit --root /home/rust && \ + strip /home/rust/bin/cargo /home/rust/bin/cargo-audit -ENV PATH /usr/local/rvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH +FROM alpine:3.10 -ENV NODE_VERSION=10.16.0 -RUN curl --silent --location https://rpm.nodesource.com/setup_10.x | bash - -RUN yum -y install nodejs-${NODE_VERSION} +ENV FINDSECBUGS_VERSION=1.10.1 +ENV OWASP_VERSION=5.3.0 -RUN node --version && \ - npm --version - -RUN curl --silent --location https://dl.yarnpkg.com/rpm/yarn.repo | tee /etc/yum.repos.d/yarn.repo -RUN yum -y -q update -RUN yum -y -q install yarn +ARG FINDSECBUGS_FOLDER=/usr/local/opt/findsecbugs +ARG OWASP_DEP_FOLDER=/usr/local/bin/owaspdependency -RUN yum -y -q clean all +RUN apk update && \ + apk add --no-cache bash && \ + bash --login +RUN apk add --no-cache \ + ca-certificates \ + nodejs \ + npm \ + yarn \ + openjdk8 \ + maven \ + python \ + py2-pip \ + perl \ + git \ + php7 \ + php7-cli \ + curl \ + ruby -RUN curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py" -RUN python get-pip.py RUN pip install safety==1.8.4 piprot==0.9.10 bandit==1.5.1 -ENV RUBY_VERSION=2.6.3 -RUN curl -sSL https://rvm.io/mpapis.asc | gpg --import - && \ - curl -sSL https://rvm.io/pkuczynski.asc | gpg2 --import - && \ - curl -sSL https://raw.githubusercontent.com/rvm/rvm/stable/binscripts/rvm-installer -o rvm-installer && \ - curl -sSL https://raw.githubusercontent.com/rvm/rvm/stable/binscripts/rvm-installer.asc -o rvm-installer.asc && \ - gpg2 --verify rvm-installer.asc rvm-installer && \ - bash rvm-installer -RUN echo 'source /etc/profile.d/rvm.sh' >> /etc/profile && \ - /bin/bash -l -c "rvm requirements;" && \ - rvm install ${RUBY_VERSION} -RUN /bin/bash -l -c "rvm use --default ${RUBY_VERSION}" -ENV PATH "/usr/local/rvm/gems/ruby-${RUBY_VERSION}/bin/:$PATH" -RUN /bin/bash -l -c "gem install bundler:2.0.1 bundler-audit:0.6.1 brakeman:4.5.1" -RUN /bin/bash -l -c "bundle audit update" +RUN { \ + echo 'install: --no-document'; \ + echo 'update: --no-document'; \ + } >> /etc/gemrc && \ + gem install bundler:2.0.1 bundler-audit:0.6.1 brakeman:4.5.1 && \ + bundle audit update -ENV FINDSECBUGS_VERSION=1.8.0 -ARG FINDSECBUGS_FOLDER=/usr/local/opt/findsecbugs RUN mkdir -p ${FINDSECBUGS_FOLDER} && cd ${FINDSECBUGS_FOLDER} && \ wget --quiet https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-${FINDSECBUGS_VERSION}/findsecbugs-cli-${FINDSECBUGS_VERSION}.zip && \ - unzip -q findsecbugs-cli-${FINDSECBUGS_VERSION}.zip && \ - rm findsecbugs.sh -COPY scripts/findsecbugs.sh ${FINDSECBUGS_FOLDER}/findsecbugs.sh -RUN chmod +x ${FINDSECBUGS_FOLDER}/findsecbugs.sh && \ + unzip findsecbugs-cli-${FINDSECBUGS_VERSION}.zip && \ + rm findsecbugs-cli-${FINDSECBUGS_VERSION}.zip && \ + chmod +x ${FINDSECBUGS_FOLDER}/findsecbugs.sh && \ ln -s ${FINDSECBUGS_FOLDER}/findsecbugs.sh /usr/local/bin/findsecbugs -ENV OWASP_VERSION=5.0.0 -ARG OWASP_DEP_FOLDER=/usr/local/bin/owaspdependency RUN mkdir $OWASP_DEP_FOLDER && cd $OWASP_DEP_FOLDER && \ wget --quiet http://dl.bintray.com/jeremy-long/owasp/dependency-check-${OWASP_VERSION}-release.zip && \ unzip -q dependency-check-${OWASP_VERSION}-release.zip && \ chmod +x $OWASP_DEP_FOLDER/dependency-check/bin/dependency-check.sh && \ rm dependency-check-${OWASP_VERSION}-release.zip && \ - mv dependency-check/bin/dependency-check.sh dependency-check/bin/dependency-check -ENV PATH=$OWASP_DEP_FOLDER/dependency-check/bin:$PATH -RUN dependency-check --updateonly + mv dependency-check/bin/dependency-check.sh dependency-check/bin/dependency-check && \ + $OWASP_DEP_FOLDER/dependency-check/bin/dependency-check --updateonly +ENV PATH $OWASP_DEP_FOLDER/dependency-check/bin:$PATH RUN cd /usr/local/bin && \ wget --quiet https://get.sensiolabs.org/security-checker.phar && \ chmod +x security-checker.phar -ENV RUSTUP_HOME=/usr/local/opt/rust -ENV CARGO_HOME=$RUSTUP_HOME -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y -ENV PATH=$CARGO_HOME/bin:$PATH -RUN cargo install cargo-audit && \ - rustc --version && cargo --version && cargo audit --version +COPY --from=cargo-audit-build /home/rust/bin/ /usr/local/bin/ -RUN mkdir -p /hawkeye -COPY ./ /hawkeye -RUN cd /hawkeye && \ - npm install --production --quiet +WORKDIR /hawkeye +COPY . . +RUN npm install --production --quiet && \ + rm -rf /var/cache/apk/* WORKDIR /target +ENV PATH /hawkeye/bin:$PATH -ENV PATH=/hawkeye/bin:$PATH ENTRYPOINT ["hawkeye", "scan"] diff --git a/Dockerfile.alpine b/Dockerfile.alpine deleted file mode 100644 index 8936c261..00000000 --- a/Dockerfile.alpine +++ /dev/null @@ -1,94 +0,0 @@ -FROM ekidd/rust-musl-builder AS cargo-audit-build - -RUN cargo install cargo cargo-audit --root /home/rust && \ - strip /home/rust/bin/cargo /home/rust/bin/cargo-audit - -FROM alpine:3.10 - -ENV RUBY_VERSION=2.6.3 -ENV FINDSECBUGS_VERSION=1.10.1 -ENV OWASP_VERSION=5.2.4 - -ARG FINDSECBUGS_FOLDER=/usr/local/opt/findsecbugs -ARG OWASP_DEP_FOLDER=/usr/local/bin/owaspdependency - -RUN apk update && \ - apk add --no-cache bash && \ - bash --login -RUN apk add --no-cache \ - ca-certificates \ - nodejs \ - npm \ - yarn \ - openjdk8 \ - maven \ - python \ - py2-pip \ - perl \ - git \ - php7 \ - php7-cli \ - curl - -RUN { \ - echo 'install: --no-document'; \ - echo 'update: --no-document'; \ - } >> /etc/gemrc - -RUN pip install safety==1.8.4 piprot==0.9.10 bandit==1.5.1 - -RUN curl -sSL https://github.com/rvm/rvm/tarball/stable -o rvm-stable.tar.gz && \ - echo 'export rvm_prefix="$HOME"' > /root/.rvmrc && \ - echo 'export rvm_path="$HOME/.rvm"' >> /root/.rvmrc && \ - mkdir rvm && cd rvm && \ - tar --strip-components=1 -xzf ../rvm-stable.tar.gz && \ - ./install --auto-dotfiles --autolibs=0 && \ - source ~/.rvm/scripts/rvm && \ - /bin/bash -l -c "rvm requirements" && \ - /bin/bash -l -c "rvm autolibs 4" && \ - yes | /bin/bash -l -c "rvm install ${RUBY_VERSION}" && \ - /bin/bash -l -c "gem install bundler:2.0.1 bundler-audit:0.6.1 brakeman:4.5.1" && \ - /bin/bash -l -c "bundle audit update" - -RUN mkdir -p ${FINDSECBUGS_FOLDER} && cd ${FINDSECBUGS_FOLDER} && \ - wget --quiet https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-${FINDSECBUGS_VERSION}/findsecbugs-cli-${FINDSECBUGS_VERSION}.zip && \ - unzip -q findsecbugs-cli-${FINDSECBUGS_VERSION}.zip && \ - rm findsecbugs.sh && \ - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y - -ENV PATH $HOME/.cargo/bin:$PATH - -COPY scripts/findsecbugs.sh ${FINDSECBUGS_FOLDER}/findsecbugs.sh - -COPY --from=cargo-audit-build /home/rust/bin/cargo-audit /usr/local/bin/ - -RUN chmod +x ${FINDSECBUGS_FOLDER}/findsecbugs.sh && \ - ln -s ${FINDSECBUGS_FOLDER}/findsecbugs.sh /usr/local/bin/findsecbugs - -RUN mkdir $OWASP_DEP_FOLDER && cd $OWASP_DEP_FOLDER && \ - wget --quiet http://dl.bintray.com/jeremy-long/owasp/dependency-check-${OWASP_VERSION}-release.zip && \ - unzip -q dependency-check-${OWASP_VERSION}-release.zip && \ - chmod +x $OWASP_DEP_FOLDER/dependency-check/bin/dependency-check.sh && \ - rm dependency-check-${OWASP_VERSION}-release.zip && \ - mv dependency-check/bin/dependency-check.sh dependency-check/bin/dependency-check - -RUN cd /usr/local/bin && \ - wget --quiet https://get.sensiolabs.org/security-checker.phar && \ - chmod +x security-checker.phar - -RUN source $HOME/.cargo/env && \ - rustc --version && \ - cargo --version && \ - cargo-audit --help - -WORKDIR /hawkeye -COPY . . -RUN npm install --production --quiet && \ - rm -rf /var/cache/apk/* - -WORKDIR /target -ENV PATH /hawkeye/bin:$OWASP_DEP_FOLDER/dependency-check/bin:$PATH:/root/.rvm/rubies/ruby-2.6.3/bin - -RUN dependency-check --updateonly - -ENTRYPOINT ["hawkeye", "scan"] diff --git a/scripts/findsecbugs.sh b/scripts/findsecbugs.sh deleted file mode 100755 index e8298507..00000000 --- a/scripts/findsecbugs.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -cd $(dirname $(readlink `[[ $OSTYPE == linux* ]] && echo "-f"` $0)) - -java -cp lib/\* edu.umd.cs.findbugs.LaunchAppropriateUI -quiet -pluginList lib/findsecbugs-plugin-1.8.0.jar -include include.xml $@