Merge pull request #75 from cloudogu/cve_friday/fix_cves

CVE friday/fix cves
cloudogu · Apr 24, 2023 · f36232b · f36232b
2 parents 9418dbf + d2b1f9e
commit f36232b
Show file tree

Hide file tree

Showing 34 changed files with 883 additions and 291 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Changed
+- [#20] Upgrade Base Image to 3.17.3-2
+
+### Security
+- [#20] Fixed CVE-2023-27536, CVE-2023-27536 and some others
 
 ## [v1.23.2-4] - 2023-03-31
 ### Added

diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,20 @@
-FROM registry.cloudogu.com/official/base:3.15.3-1 as builder
+FROM registry.cloudogu.com/official/base:3.17.3-2 as builder
 LABEL maintainer="[email protected]"
 
 # dockerfile is based on https://github.com/dockerfile/nginx and https://github.com/bellycard/docker-loadbalancer
 
-ENV NGINX_VERSION 1.23.2
-ENV NGINX_TAR_SHA256="a80cc272d3d72aaee70aa8b517b4862a635c0256790434dbfc4d618a999b0b46"
+ENV NGINX_VERSION=1.23.2 \
+    NGINX_TAR_SHA256="a80cc272d3d72aaee70aa8b517b4862a635c0256790434dbfc4d618a999b0b46" \
+    CES_CONFD_VERSION=0.8.0 \
+    CES_CONFD_TAR_SHA256="365a4033e80af6953d5b6513296a828dfd772a6640533bb51dd9abd34a1e53e8" \
+    WARP_MENU_VERSION=1.7.2 \
+    WARP_MENU_TAR_SHA256="0f89f3a4bcd24779b792bab34e77c60e27b9142c402e168013711f3094045726" \
+    CES_ABOUT_VERSION=0.2.2 \
+    CES_ABOUT_TAR_SHA256="9926649be62d8d4667b2e7e6d1e3a00ebec1c4bbc5b80a0e830f7be21219d496" \
+    CES_THEME_VERSION=0.7.0 \
+    CES_THEME_TAR_SHA256="d3c8ba654cdaccff8fa3202f3958ac0c61156fb25a288d6008354fae75227941"
+
+WORKDIR /build
 
 COPY nginx-build /
 RUN set -x -o errexit \
@@ -13,73 +23,65 @@ RUN set -x -o errexit \
     && apk update \
     && apk upgrade \
     && apk --update add openssl-dev pcre-dev zlib-dev wget build-base \
-    && mkdir /build \
-    && cd /build \
-    && wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
-    && echo "${NGINX_TAR_SHA256} *nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c - \
-    && tar -zxvf nginx-${NGINX_VERSION}.tar.gz \
+    && wget --progress=bar:force:noscroll http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -O /tmp/nginx-${NGINX_VERSION}.tar.gz \
+    && echo "${NGINX_TAR_SHA256} */tmp/nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c - \
+    && tar -zxvf /tmp/nginx-${NGINX_VERSION}.tar.gz -C /build \
     && cd /build/nginx-${NGINX_VERSION} \
-    && /build.sh \
-    && rm -rf /var/cache/apk/* /build
+    && /build.sh
+
+# install ces-confd
+RUN wget --progress=bar:force:noscroll -O "/tmp/ces-confd-${CES_CONFD_VERSION}.tar.gz" https://github.com/cloudogu/ces-confd/releases/download/v${CES_CONFD_VERSION}/ces-confd-${CES_CONFD_VERSION}.tar.gz \
+    && echo "${CES_CONFD_TAR_SHA256} */tmp/ces-confd-${CES_CONFD_VERSION}.tar.gz" | sha256sum -c - \
+    && mkdir -p /build/usr/bin \
+    && tar -xzvf /tmp/ces-confd-${CES_CONFD_VERSION}.tar.gz -C /build/usr/bin \
+    && chmod +x /build/usr/bin/ces-confd \
+    && mkdir -p /build/var/log/nginx \
+    && mkdir -p /build/var/www/html \
+    && mkdir -p /build/var/www/customhtml
+
+# install ces-about page
+RUN wget --progress=bar:force:noscroll -O /tmp/ces-about-v${CES_ABOUT_VERSION}.tar.gz https://github.com/cloudogu/ces-about/releases/download/v${CES_ABOUT_VERSION}/ces-about-v${CES_ABOUT_VERSION}.tar.gz \
+    && echo "${CES_ABOUT_TAR_SHA256} */tmp/ces-about-v${CES_ABOUT_VERSION}.tar.gz" | sha256sum -c - \
+    && tar -xzvf /tmp/ces-about-v${CES_ABOUT_VERSION}.tar.gz -C /build/var/www/html \
+    && sed -i 's@base href=".*"@base href="/info/"@' /build/var/www/html/info/index.html
+
+# install warp menu
+RUN wget --progress=bar:force:noscroll -O /tmp/warp.zip https://github.com/cloudogu/warp-menu/releases/download/v${WARP_MENU_VERSION}/warp-v${WARP_MENU_VERSION}.zip \
+    && echo "${WARP_MENU_TAR_SHA256} */tmp/warp.zip" | sha256sum -c - \
+    && unzip /tmp/warp.zip -d /build/var/www/html
 
+# install custom error pages
+RUN wget --progress=bar:force:noscroll -O /tmp/theme.zip https://github.com/cloudogu/ces-theme/archive/v${CES_THEME_VERSION}.zip \
+    && echo "${CES_THEME_TAR_SHA256} */tmp/theme.zip" | sha256sum -c - \
+    && unzip /tmp/theme.zip -d /tmp/theme \
+    && cp -r /tmp/theme/ces-theme-${CES_THEME_VERSION}/dist/errors /build/var/www/html
 
-FROM registry.cloudogu.com/official/base:3.15.3-1
+# redirect logs
+RUN ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
+
+
+FROM registry.cloudogu.com/official/base:3.17.3-2
 LABEL maintainer="[email protected]" \
       NAME="official/nginx" \
       VERSION="1.23.2-4"
 
-ENV CES_CONFD_VERSION=0.8.0 \
-    CES_CONFD_TAR_SHA256="365a4033e80af6953d5b6513296a828dfd772a6640533bb51dd9abd34a1e53e8" \
-    WARP_MENU_VERSION=1.7.2 \
-    WARP_MENU_TAR_SHA256="0f89f3a4bcd24779b792bab34e77c60e27b9142c402e168013711f3094045726" \
-    CES_ABOUT_VERSION=0.2.2 \
-    CES_ABOUT_TAR_SHA256="9926649be62d8d4667b2e7e6d1e3a00ebec1c4bbc5b80a0e830f7be21219d496" \
-    CES_THEME_VERSION=v0.7.0 \
-    CES_THEME_TAR_SHA256="d3c8ba654cdaccff8fa3202f3958ac0c61156fb25a288d6008354fae75227941" \
-    CES_MAINTENANCE_MODE=false
+ENV CES_MAINTENANCE_MODE=false
 
 RUN set -x -o errexit \
  && set -o nounset \
  && set -o pipefail \
  && apk update \
  && apk upgrade \
  # install required packages
- && apk --update add openssl pcre zlib \
+ && apk --update add --no-cache openssl pcre zlib \
  # add nginx user
- && adduser nginx -D \
- # install ces-confd
- && curl -Lsk https://github.com/cloudogu/ces-confd/releases/download/v${CES_CONFD_VERSION}/ces-confd-${CES_CONFD_VERSION}.tar.gz -o "ces-confd-${CES_CONFD_VERSION}.tar.gz" \
- && echo "${CES_CONFD_TAR_SHA256} *ces-confd-${CES_CONFD_VERSION}.tar.gz" | sha256sum -c - \
- && tar -xzvf ces-confd-${CES_CONFD_VERSION}.tar.gz -O > /usr/bin/ces-confd \
- && chmod +x /usr/bin/ces-confd \
- && mkdir -p /var/log/nginx \
- && mkdir -p /var/www/html \
- && mkdir -p /var/www/customhtml \
- # install ces-about page
- && curl -Lsk https://github.com/cloudogu/ces-about/releases/download/v${CES_ABOUT_VERSION}/ces-about-v${CES_ABOUT_VERSION}.tar.gz -o ces-about-v${CES_ABOUT_VERSION}.tar.gz \
- && echo "${CES_ABOUT_TAR_SHA256} *ces-about-v${CES_ABOUT_VERSION}.tar.gz" | sha256sum -c - \
- && tar -xzvf ces-about-v${CES_ABOUT_VERSION}.tar.gz -C /var/www/html \
- && sed -i 's@base href=".*"@base href="/info/"@' /var/www/html/info/index.html \
- # install warp menu
- && curl -Lsk https://github.com/cloudogu/warp-menu/releases/download/v${WARP_MENU_VERSION}/warp-v${WARP_MENU_VERSION}.zip -o /tmp/warp.zip \
- && echo "${WARP_MENU_TAR_SHA256} */tmp/warp.zip" | sha256sum -c - \
- && unzip /tmp/warp.zip -d /var/www/html \
- # install custom error pages
- && curl -Lsk https://github.com/cloudogu/ces-theme/archive/${CES_THEME_VERSION}.zip -o /tmp/theme.zip \
- && echo "${CES_THEME_TAR_SHA256} */tmp/theme.zip" | sha256sum -c - \
- && mkdir /var/www/html/errors \
- && unzip /tmp/theme.zip -d /tmp/theme \
- && mv /tmp/theme/ces-theme-*/dist/errors/* /var/www/html/errors \
- && rm -rf /tmp/theme.zip /tmp/theme \
- # redirect logs
- && ln -sf /dev/stdout /var/log/nginx/access.log \
- && ln -sf /dev/stderr /var/log/nginx/error.log \
- # cleanup apk cache
- && rm -rf /var/cache/apk/*
+ && adduser nginx -D
 
 # copy files
-COPY --from=builder /usr/sbin/nginx /usr/sbin/nginx
 COPY resources /
+COPY --from=builder /usr/sbin/nginx /usr/sbin/nginx
+COPY --from=builder /build /
 
 # Volumes are used to avoid writing to containers writable layer https://docs.docker.com/storage/
 # Compared to the bind mounted volumes we declare in the dogu.json,

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -1,5 +1,5 @@
 #!groovy
-@Library(['github.com/cloudogu/dogu-build-lib@v1.10.0', 'github.com/cloudogu/ces-build-lib@1.60.1']) _
+@Library(['github.com/cloudogu/dogu-build-lib@v2.0.0', 'github.com/cloudogu/ces-build-lib@1.64.1']) _
 import com.cloudogu.ces.dogubuildlib.*
 import com.cloudogu.ces.cesbuildlib.*
 
@@ -36,6 +36,11 @@ node('vagrant') {
             lintDockerfile()
         }
 
+        stage('Check Markdown Links') {
+            Markdown markdown = new Markdown(this, "3.11.0")
+            markdown.check()
+        }
+
         stage('Shellcheck'){
             shellCheck('./resources/startup.sh ./nginx-build/build.sh')
         }

diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-MAKEFILES_VERSION=4.2.0
+MAKEFILES_VERSION=7.5.0
 
 .DEFAULT_GOAL:=dogu-release
 

diff --git a/build/make/bats.mk b/build/make/bats.mk
@@ -0,0 +1,64 @@
+WORKSPACE=/workspace
+BATS_LIBRARY_DIR=$(TARGET_DIR)/bats_libs
+TESTS_DIR=$(WORKDIR)/batsTests
+BASH_TEST_REPORT_DIR=$(TARGET_DIR)/shell_test_reports
+BASH_TEST_REPORTS=$(BASH_TEST_REPORT_DIR)/TestReport-*.xml
+BATS_ASSERT=$(BATS_LIBRARY_DIR)/bats-assert
+BATS_MOCK=$(BATS_LIBRARY_DIR)/bats-mock
+BATS_SUPPORT=$(BATS_LIBRARY_DIR)/bats-support
+BATS_FILE=$(BATS_LIBRARY_DIR)/bats-file
+BATS_BASE_IMAGE?=bats/bats
+BATS_CUSTOM_IMAGE?=cloudogu/bats
+BATS_TAG?=1.2.1
+BATS_DIR=build/make/bats
+BATS_WORKDIR="${WORKDIR}"/"${BATS_DIR}"
+
+.PHONY unit-test-shell:
+unit-test-shell: unit-test-shell-$(ENVIRONMENT)
+
+$(BATS_ASSERT):
+	@git clone --depth 1 https://github.com/bats-core/bats-assert $@
+
+$(BATS_MOCK):
+	@git clone --depth 1 https://github.com/grayhemp/bats-mock $@
+
+$(BATS_SUPPORT):
+	@git clone --depth 1 https://github.com/bats-core/bats-support $@
+
+$(BATS_FILE):
+	@git clone --depth 1 https://github.com/bats-core/bats-file $@
+
+$(BASH_SRC):
+	BASH_SRC:=$(shell find "${WORKDIR}" -type f -name "*.sh")
+
+${BASH_TEST_REPORT_DIR}: $(TARGET_DIR)
+	@mkdir -p $(BASH_TEST_REPORT_DIR)
+
+unit-test-shell-ci: $(BASH_SRC) $(BASH_TEST_REPORT_DIR) $(BATS_ASSERT) $(BATS_MOCK) $(BATS_SUPPORT) $(BATS_FILE)
+	@echo "Test shell units on CI server"
+	@make unit-test-shell-generic
+
+unit-test-shell-local: $(BASH_SRC) $(PASSWD) $(ETCGROUP) $(HOME_DIR) buildTestImage $(BASH_TEST_REPORT_DIR) $(BATS_ASSERT) $(BATS_MOCK) $(BATS_SUPPORT) $(BATS_FILE)
+	@echo "Test shell units locally (in Docker)"
+	@docker run --rm \
+		-v $(HOME_DIR):/home/$(USER) \
+		-v $(WORKDIR):$(WORKSPACE) \
+		-w $(WORKSPACE) \
+		--entrypoint="" \
+		$(BATS_CUSTOM_IMAGE):$(BATS_TAG) \
+		"${BATS_DIR}"/customBatsEntrypoint.sh make unit-test-shell-generic-no-junit
+
+unit-test-shell-generic:
+	@bats --formatter junit --output ${BASH_TEST_REPORT_DIR} ${TESTS_DIR}
+
+unit-test-shell-generic-no-junit:
+	@bats ${TESTS_DIR}
+
+.PHONY buildTestImage:
+buildTestImage:
+	@echo "Build shell test container"
+	@cd $(BATS_WORKDIR) && docker build \
+		--build-arg=BATS_BASE_IMAGE=${BATS_BASE_IMAGE} \
+		--build-arg=BATS_TAG=${BATS_TAG} \
+		-t ${BATS_CUSTOM_IMAGE}:${BATS_TAG} \
+		.
diff --git a/build/make/bats/Dockerfile b/build/make/bats/Dockerfile
@@ -0,0 +1,7 @@
+ARG BATS_BASE_IMAGE
+ARG BATS_TAG
+
+FROM ${BATS_BASE_IMAGE}:${BATS_TAG}
+
+# Make bash more findable by scripts and tests
+RUN apk add make git bash
diff --git a/build/make/bats/customBatsEntrypoint.sh b/build/make/bats/customBatsEntrypoint.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+"$@"
diff --git a/build/make/bower.mk b/build/make/bower.mk
@@ -1,7 +1,9 @@
+##@ Bower dependency management
+
 BOWER_JSON=$(WORKDIR)/bower.json
 
 .PHONY: bower-install
-bower-install: $(BOWER_TARGET)
+bower-install: $(BOWER_TARGET) ## Execute yarn run bower (in Docker)
 
 ifeq ($(ENVIRONMENT), ci)
 
@@ -19,7 +21,7 @@ $(BOWER_TARGET): $(BOWER_JSON) $(PASSWD) $(YARN_TARGET)
 	  -v $(PASSWD):/etc/passwd:ro \
 	  -v $(WORKDIR):$(WORKDIR) \
 	  -w $(WORKDIR) \
-	  node:8 \
+	  node:$(NODE_VERSION) \
 	  yarn run bower
 	@touch $@
 

diff --git a/build/make/build.mk b/build/make/build.mk
@@ -1,24 +1,28 @@
+##@ Compiling go software
+
 ADDITIONAL_LDFLAGS?=-extldflags -static
 LDFLAGS?=-ldflags "$(ADDITIONAL_LDFLAGS) -X main.Version=$(VERSION) -X main.CommitID=$(COMMIT_ID)"
-GOIMAGE?=cloudogu/golang
-GOTAG?=1.10.2-2
+GOIMAGE?=golang
+GOTAG?=1.14.13
 GOOS?=linux
 GOARCH?=amd64
 PRE_COMPILE?=
 GO_ENV_VARS?=
+CUSTOM_GO_MOUNT?=-v /tmp:/tmp
+GO_BUILD_FLAGS?=-mod=vendor -a -tags netgo $(LDFLAGS) -installsuffix cgo -o $(BINARY)
 
 .PHONY: compile
-compile: $(BINARY)
+compile: $(BINARY) ## Compile the go program via Docker
 
-compile-ci:
+compile-ci: ## Compile the go program without Docker
 	@echo "Compiling (CI)..."
 	make compile-generic
 
 compile-generic:
 	@echo "Compiling..."
 # here is go called without mod capabilities because of error "go: error loading module requirements"
 # see https://github.com/golang/go/issues/30868#issuecomment-474199640
-	@$(GO_ENV_VARS) go build -a -tags netgo $(LDFLAGS) -installsuffix cgo -o $(BINARY)
+	@$(GO_ENV_VARS) go build $(GO_BUILD_FLAGS)
 
 
 ifeq ($(ENVIRONMENT), ci)
@@ -29,17 +33,19 @@ $(BINARY): $(SRC) vendor $(PRE_COMPILE)
 
 else
 
-$(BINARY): $(SRC) vendor $(PASSWD) $(HOME_DIR) $(PRE_COMPILE)
+$(BINARY): $(SRC) vendor $(PASSWD) $(ETCGROUP) $(HOME_DIR) $(PRE_COMPILE)
 	@echo "Building locally (in Docker)"
 	@docker run --rm \
-	 -e GOOS=$(GOOS) \
-	 -e GOARCH=$(GOARCH) \
-	 -u "$(UID_NR):$(GID_NR)" \
-	 -v $(PASSWD):/etc/passwd:ro \
-	 -v $(HOME_DIR):/home/$(USER) \
-	 -v $(WORKDIR):/go/src/github.com/cloudogu/$(ARTIFACT_ID) \
-	 -w /go/src/github.com/cloudogu/$(ARTIFACT_ID) \
-	 $(GOIMAGE):$(GOTAG) \
+		-e GOOS=$(GOOS) \
+		-e GOARCH=$(GOARCH) \
+		-u "$(UID_NR):$(GID_NR)" \
+		-v $(PASSWD):/etc/passwd:ro \
+		-v $(ETCGROUP):/etc/group:ro \
+		-v $(HOME_DIR):/home/$(USER) \
+		-v $(WORKDIR):/go/src/github.com/cloudogu/$(ARTIFACT_ID) \
+		$(CUSTOM_GO_MOUNT) \
+		-w /go/src/github.com/cloudogu/$(ARTIFACT_ID) \
+		$(GOIMAGE):$(GOTAG) \
   make compile-generic
 
 endif
diff --git a/build/make/clean.mk b/build/make/clean.mk
@@ -1,10 +1,13 @@
+##@ Cleaning
+
 .PHONY: clean
-clean: $(ADDITIONAL_CLEAN)
+clean: $(ADDITIONAL_CLEAN) ## Remove target and tmp directories
 	rm -rf ${TARGET_DIR}
 	rm -rf ${TMP_DIR}
+	rm -rf ${UTILITY_BIN_PATH}
 
 .PHONY: dist-clean
-dist-clean: clean
+dist-clean: clean ## Remove all generated directories
 	rm -rf node_modules
 	rm -rf public/vendor
 	rm -rf vendor

diff --git a/build/make/dependencies-glide.mk b/build/make/dependencies-glide.mk
diff --git a/build/make/dependencies-godep.mk b/build/make/dependencies-godep.mk