From 763bdcdd65ffd1a973132899a2c5f1a1d811cfa8 Mon Sep 17 00:00:00 2001
From: Wade Barnes
Date: Wed, 15 Dec 2021 14:53:28 -0800
Subject: [PATCH] Apply mitigation for CVE-2021-45046

Mitigation documented here; https://logging.apache.org/log4j/2.x/security.html

Signed-off-by: Wade Barnes
---
 Dockerfile | 20 ++++++++++++++------
 README.md | 8 ++++----
 sonarqube-postgresql-template.yaml | 2 +-
 3 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 19feccc..184babb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM sonarqube:8-community
+FROM sonarqube:8.2-community
 MAINTAINER Erik Jacobs
 MAINTAINER Siamak Sadeghianfar
@@ -21,24 +21,32 @@ LABEL summary="$SUMMARY" \
 # Define Plug-in Versions
 ARG SONAR_ZAP_PLUGIN_VERSION=1.2.0
 ENV SONARQUBE_PLUGIN_DIR="$SONARQUBE_HOME/extensions/plugins"
+
+# Switch to root for package installs
+USER 0
+RUN apt-get update && \
+ apt-get install -y curl zip
+
 # ===============================================================================================
-# Mitigation for CVE-2021-44228
+# Mitigation for CVE-2021-44228 and CVE-2021-45046
+# - Set LOG4J_FORMAT_MSG_NO_LOOKUPS=true
+# - Remove JndiLookup.class from the classpath.
 #
 # References:
 # - https://logging.apache.org/log4j/2.x/security.html
+#
+# Search for jars containing JndiLookup.class:
+# - find / -name log4j-core*.jar -exec unzip -vl {} \; 2>/dev/null | grep JndiLookup.class
 # -----------------------------------------------------------------------------------------------
 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
+RUN find / -name log4j-core*.jar -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \; 2>/dev/null
 # ===============================================================================================
-# Switch to root for package installs
-USER 0
-
 # ================================================================================================================================================================================
 # Bundle Plug-in(s)
 # --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 # sonar-zap-plugin - https://github.com/Coveros/zap-sonar-plugin
-RUN apk add curl
 RUN set -x \
 && cd "$SONARQUBE_PLUGIN_DIR" \
 && curl -o "sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION.jar" -fsSL "https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION/sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION.jar"
diff --git a/README.md b/README.md
index 595f25a..eeee565 100644
--- a/README.md
+++ b/README.md
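Review bot: The `RUN find / -name log4j-core*.jar -exec zip -q -d {} … \; 2>/dev/null` line cannot fail: `find` exits 0 whatever the `-exec` command returns and stderr is discarded, so a build in which no jar was actually modified (the unquoted glob expanding against the working directory, `zip` failing, a jar not matched) still succeeds with JndiLookup.class left in place. Because the earlier hunk also freezes the base at `sonarqube:8.2-community` instead of tracking `8-community`, this removal is the only log4j fix the image gets, so it should be asserted, e.g. quote the pattern as `'log4j-core*.jar'` and append `&& ! find / -name 'log4j-core*.jar' -exec unzip -l {} \; 2>/dev/null | grep -q JndiLookup.class` (adding `unzip` next to `curl zip` in the `apt-get install` line, which the hunk's own comment already assumes is available). That `apt-get install -y curl zip` line also leaves the apt lists and `zip` in the final image; `--no-install-recommends` plus `rm -rf /var/lib/apt/lists/*` in the same RUN would keep it minimal. `USER 0` now precedes the mitigation, but the hunk ends before any switch back to the non-root SonarQube user; the rest of the Dockerfile is outside this hunk, so confirm privileges are dropped before the entrypoint.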
@@ -46,12 +46,12 @@ SonarQube server images are now available on DockerHub:
 ### Building the SonarQube Server Image
-The SonarQube server image (`bcgovimages/sonarqube:8.2`) is already available on DockerHub, so **you do not have to repeat this step** unless you are building a customized or updated version of the SonarQube Server.
+The SonarQube server image (`bcgovimages/sonarqube:8.2.2`) is already available on DockerHub, so **you do not have to repeat this step** unless you are building a customized or updated version of the SonarQube Server.
 Logon to your `tools` project and run the following command:
 ```bash
-oc new-build https://github.com/BCDevOps/sonarqube --strategy=docker --name=sonarqube --to=sonarqube:8.2
+oc new-build https://github.com/BCDevOps/sonarqube --strategy=docker --name=sonarqube --to=sonarqube:8.2.2
 ```
 ### Deploy on OpenShift
@@ -62,7 +62,7 @@ The [sonarqube-postgresql-template](./sonarqube-postgresql-template.yaml) has be
 Logon to your `tools` project and run the following command:
 ```bash
-oc new-app -f sonarqube-postgresql-template.yaml --param=SONARQUBE_VERSION=8.2
+oc new-app -f sonarqube-postgresql-template.yaml --param=SONARQUBE_VERSION=8.2.2
 ```
 ### Change the Default Admin Password
@@ -126,7 +126,7 @@ You can now browse your project report on the SonarQube server site. To find the
 Now that you have static scanning, you'll probably notice your code coverage results are at 0% since no unit tests are being executed during the scan. You'll likely what to integrate unit tests into the scans so you get code coverage metrics to help you determine how well you are testing your code. **As you journey down this road, please contribute your experience back to this project to make it better for the whole community.**
 ### Integrate OWASP ZAP Security Vulnerability Scanning into SonarQube
-To make the results of your ZAP security vulnerability scanning accessible and therefore more actionable, you can integrate the scan results into a SonarQube project report. To accomplish this you can use the [ZAP Plugin for SonarQube](https://github.com/Coveros/zap-sonar-plugin), which is bundled in the `bcgovimages/sonarqube:8.2` image.
+To make the results of your ZAP security vulnerability scanning accessible and therefore more actionable, you can integrate the scan results into a SonarQube project report. To accomplish this you can use the [ZAP Plugin for SonarQube](https://github.com/Coveros/zap-sonar-plugin), which is bundled in the `bcgovimages/sonarqube:8.2.2` image.
 The [SonarQube-Integrated-ZapScan-Jenkinsfile](./jenkins/SonarQube-Integrated-ZapScan-Jenkinsfile) example shows you how to utilize ZAP and the plug-in together to perform a ZAP security vulnerability scan on your application, and then publish the report with SonarQube. The example can be used as a starting point for your project.
diff --git a/sonarqube-postgresql-template.yaml b/sonarqube-postgresql-template.yaml
index 561d581..77f4caa 100644
--- a/sonarqube-postgresql-template.yaml
+++ b/sonarqube-postgresql-template.yaml
@@ -435,7 +435,7 @@ parameters:
 - displayName: SonarQube version
 name: SONARQUBE_VERSION
 required: true
- value: "8.2"
+ value: "8.2.2"
 - description: Password for SonarQube Server PostgreSQL backend
 displayName: SonarQube's PostgreSQL Password
 from: "[a-zA-Z0-9]{16}"