Apply mitigation for CVE-2021-45046

Mitigation documented here; https://logging.apache.org/log4j/2.x/security.html

Signed-off-by: Wade Barnes <[email protected]>

Dockerfile

@@ -1,4 +1,4 @@
-FROM sonarqube:8-community
+FROM sonarqube:8.2-community
 
 MAINTAINER Erik Jacobs <[email protected]>
 MAINTAINER Siamak Sadeghianfar <[email protected]>
@@ -21,24 +21,32 @@ LABEL summary="$SUMMARY" \
 # Define Plug-in Versions
 ARG SONAR_ZAP_PLUGIN_VERSION=1.2.0
 ENV SONARQUBE_PLUGIN_DIR="$SONARQUBE_HOME/extensions/plugins"
+
+# Switch to root for package installs
+USER 0
+RUN apt-get update && \
+    apt-get install -y curl zip
+
 # ===============================================================================================
-# Mitigation for CVE-2021-44228
+# Mitigation for CVE-2021-44228 and CVE-2021-45046
+#   - Set LOG4J_FORMAT_MSG_NO_LOOKUPS=true
+#   - Remove JndiLookup.class from the classpath.
 #
 # References:
 #   - https://logging.apache.org/log4j/2.x/security.html
+#
+# Search for jars containing JndiLookup.class:
+#   - find / -name log4j-core*.jar -exec unzip -vl {} \; 2>/dev/null | grep JndiLookup.class
 # -----------------------------------------------------------------------------------------------
 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
+RUN find / -name log4j-core*.jar -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \; 2>/dev/null
 # ===============================================================================================
 
-# Switch to root for package installs
-USER 0
-
 # ================================================================================================================================================================================
 # Bundle Plug-in(s)
 # --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
 # sonar-zap-plugin - https://github.com/Coveros/zap-sonar-plugin
-RUN apk add curl
 RUN set -x \
   && cd "$SONARQUBE_PLUGIN_DIR" \
   && curl -o "sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION.jar" -fsSL "https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION/sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION.jar"

README.md

@@ -46,12 +46,12 @@ SonarQube server images are now available on DockerHub:
 ### Building the SonarQube Server Image
 
 
-The SonarQube server image (`bcgovimages/sonarqube:8.2`) is already available on DockerHub, so **you do not have to repeat this step** unless you are building a customized or updated version of the SonarQube Server.
+The SonarQube server image (`bcgovimages/sonarqube:8.2.2`) is already available on DockerHub, so **you do not have to repeat this step** unless you are building a customized or updated version of the SonarQube Server.
 
 Logon to your `tools` project and run the following command:
 
 ```bash
-oc new-build https://github.com/BCDevOps/sonarqube --strategy=docker --name=sonarqube --to=sonarqube:8.2
+oc new-build https://github.com/BCDevOps/sonarqube --strategy=docker --name=sonarqube --to=sonarqube:8.2.2
 ```
 
 ### Deploy on OpenShift
@@ -62,7 +62,7 @@ The [sonarqube-postgresql-template](./sonarqube-postgresql-template.yaml) has be
 Logon to your `tools` project and run the following command:
 
 ```bash
-oc new-app -f sonarqube-postgresql-template.yaml --param=SONARQUBE_VERSION=8.2
+oc new-app -f sonarqube-postgresql-template.yaml --param=SONARQUBE_VERSION=8.2.2
 ```
 
 ### Change the Default Admin Password
@@ -126,7 +126,7 @@ You can now browse your project report on the SonarQube server site. To find the
 Now that you have static scanning, you'll probably notice your code coverage results are at 0% since no unit tests are being executed during the scan. You'll likely what to integrate unit tests into the scans so you get code coverage metrics to help you determine how well you are testing your code. **As you journey down this road, please contribute your experience back to this project to make it better for the whole community.**
 
 ### Integrate OWASP ZAP Security Vulnerability Scanning into SonarQube
-To make the results of your ZAP security vulnerability scanning accessible and therefore more actionable, you can integrate the scan results into a SonarQube project report.  To accomplish this you can use the [ZAP Plugin for SonarQube](https://github.com/Coveros/zap-sonar-plugin), which is bundled in the `bcgovimages/sonarqube:8.2` image.
+To make the results of your ZAP security vulnerability scanning accessible and therefore more actionable, you can integrate the scan results into a SonarQube project report.  To accomplish this you can use the [ZAP Plugin for SonarQube](https://github.com/Coveros/zap-sonar-plugin), which is bundled in the `bcgovimages/sonarqube:8.2.2` image.
 The [SonarQube-Integrated-ZapScan-Jenkinsfile](./jenkins/SonarQube-Integrated-ZapScan-Jenkinsfile) example shows you how to utilize ZAP and the plug-in together to perform a ZAP security vulnerability scan on your application, and then publish the report with SonarQube.
 
 The example can be used as a starting point for your project.

sonarqube-postgresql-template.yaml

@@ -435,7 +435,7 @@ parameters:
   - displayName: SonarQube version
     name: SONARQUBE_VERSION
     required: true
-    value: "8.2"
+    value: "8.2.2"
   - description: Password for SonarQube Server PostgreSQL backend
     displayName: SonarQube's PostgreSQL Password
     from: "[a-zA-Z0-9]{16}"