
conjur-base-image's Introduction


Conjur Base Image

This repo builds a Docker image that contains Ruby client libraries compiled against the FIPS 140-2 compliant OpenSSL module.

Three images are included:

Features

  • A minimal base image to reduce attack surface and external dependencies
  • Vulnerability scanning
  • Builder container for the Ruby client
  • Last security update
  • Jenkins pipeline for building the Docker images
  • Automated tests validate that FIPS mode is successfully enabled and that all artifacts are compiled against the FIPS 140-2 compliant OpenSSL module
  • OpenSSL version installed in the Ubuntu image:
    • OpenSSL 3 (configured to be FIPS compliant)
  • OpenSSL version installed in the UBI image:
    • OpenSSL 3 (with the FIPS 140-2 compliant OpenSSL module from Red Hat UBI 9)

Usage

  • Ubuntu image is the parent image of Conjur Server
  • UBI image is the parent image of Conjur Server for OpenShift

What is FIPS 140-2

The Federal Information Processing Standard Publication 140-2 (FIPS PUB 140-2) is a U.S. government computer security standard used to approve cryptographic modules. Its title is Security Requirements for Cryptographic Modules. Validation is granted to a specific cryptographic module, not to the applications that link against it, which is why the tests in this repo check both that the artifacts are linked against the FIPS OpenSSL module and that FIPS mode is actually enabled at run time.

For more information, visit the FIPS 140-2 Wikipedia Page.

Important

For the UBI image, the FIPS module is disabled by default. Please refer to this readme for more information.

Contributing

We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.

License

This repository is licensed under Apache License 2.0 - see LICENSE for more details.

conjur-base-image's People

Contributors

aloncarmel111, andytinkham, codihuston, doodlesbykumbi, gl-johnson, guygiat, h-artzi, hdabrowski, imheresamir, ismarc, izgeri, john-odonnell, jtuttle, jvanderhoof, marek-jakubowski, micahlee, sashacher, semyon-estrin, sgnn7, shulifink, szh, tarnowsc, telday, ucatu


conjur-base-image's Issues

Downgrade Postgres client version to 10

Summary

Currently, the Conjur base image builds Postgres client version 12 (downloading the latest source code from the Ubuntu repository). The DAP appliance cannot use this version, since it runs psql commands which don't exist in the latest Postgres client version.

Expected Results

  1. Downgrade the Postgres client version to 10 and compile it against the FIPS 140-2 compliant OpenSSL.
  2. Add the Postgres client location to the appliance PATH.

Reduce image size

Is your feature request related to a problem? Please describe.

The Ruby installation size is 170MB; most of the size is because of documentation and the static library:
/var/lib/ruby/lib/libruby-static.a is 60MB
/var/lib/ruby/share/ri is 59MB

Describe the solution you would like

After this change the Ruby installation size is 41MB.

To install Ruby without documentation and the static library:

./configure --with-openssl-dir=/usr/local/ssl  --disable-install-doc --disable-install-rdoc --disable-install-static-library  --disable-install-capi  --prefix=/var/lib/ruby
make -j4
make install

--disable-install-doc - do not install either rdoc indexes or C API documents during install
--disable-install-rdoc - do not install rdoc indexes during install
--disable-install-capi - do not install C API documents during install
--disable-install-static-library - do not install the static ruby library

PG version hardcoded, causing the build to fail on each latest update

We are using latest and a hardcoded version.
For example, latest was 12-12.2 and we had locally hardcoded:
PG_VERSION=12-12.2

When Ubuntu updates, the build fails, and we were forced to update the hardcoded version to:
PG_VERSION=12-12.4

The solution can be to not use the version at all, just save the file name as we want ("pg_client" or something), or to run find/ls to get the filename automatically.

see PR for ref

Unpinned version of postgres client

Is your feature request related to a problem? Please describe.

Currently, the Conjur base image uses a pinned version for the Postgres client, although we are downloading the Postgres client source code of the latest stable version; this breaks when a new Postgres version is released.

Describe the solution you would like

Unpin the version for the Postgres client.

Alternate Solution

Consuming a specific version of the Postgres client; this would increase the security vulnerability that might be solved in the latest version.
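The two issues above ("PG version hardcoded" and "Unpinned version of postgres client") both ask for the Postgres client source to be located without a hardcoded PG_VERSION. What follows is an added example, not the project's Dockerfile or build-script logic: a Ruby resolver that picks the newest tarball of a given major series from a download directory, comparing versions numerically so 12.10 is not out-sorted by 12.9, and then checks its SHA-256 against a value the build still pins. Unpinning the file name this way does not also unpin the content. The filename patterns, the constructed sample files and the source of the expected checksum are assumptions.

```ruby
# Added example (not conjur-base-image code): resolve the PostgreSQL client
# source tarball by major series instead of a hardcoded PG_VERSION, and still
# verify what was downloaded.
require 'rubygems'
require 'digest'
require 'tmpdir'

# Assumed filename shapes: "postgresql-12_12.4.orig.tar.bz2" (Debian/Ubuntu
# source-package layout) or "postgresql-12-12.4.tar.gz". Major and full
# version are captured separately so a 13.x tarball can never satisfy a
# request for 12.
PG_TARBALL = /\Apostgresql-(\d+)[_-](\d+(?:\.\d+)*)\b.*\.tar(?:\.\w+)?\z/

# Newest tarball for `major` in `dir`, or nil. Versions compare numerically,
# so 12.10 beats 12.9 where `ls | sort | tail -1` would pick 12.9.
def latest_pg_tarball(dir, major)
  candidates = []
  Dir.children(dir).each do |name|
    m = PG_TARBALL.match(name)
    next unless m && m[1] == major.to_s
    candidates << [Gem::Version.new(m[2]), File.join(dir, name)]
  end
  best = candidates.max_by(&:first)
  best && best.last
end

# Unpinning the file name must not mean unverified content: the build still
# supplies the SHA-256 it expects (for example from the checksum list the
# distro publishes alongside its signed package index).
def verify_sha256!(path, expected_hex)
  actual = Digest::SHA256.file(path).hexdigest
  unless actual == expected_hex.downcase
    raise "checksum mismatch for #{File.basename(path)}: got #{actual}"
  end
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample directory standing in for the download location.
  Dir.mktmpdir do |dir|
    %w[postgresql-12_12.9.orig.tar.bz2 postgresql-12_12.10.orig.tar.bz2
       postgresql-13_13.1.orig.tar.bz2].each { |n| File.write(File.join(dir, n), n) }
    path = latest_pg_tarball(dir, 12)
    puts "resolved: #{File.basename(path)}"
    # In a real build the expected digest comes from a pinned value, not from
    # the file itself; this demo only shows the call shape.
    verify_sha256!(path, Digest::SHA256.file(path).hexdigest)
    puts 'checksum ok'
  end
end
```

In a Dockerfile this replaces `PG_VERSION=12-12.4` with a single pinned checksum per major series: the name floats with the distro, the digest is the thing reviewed on every bump.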

UBI Ruby builder image

Add a new Ruby builder image based on the UBI image in order to support our Conjur UBI flavour.

Update strategy for publishing images

Motivation

At current, we publish 1.14-latest and latest tags for the RH UBI-based Nginx image. RH requires images use a "good tag", however, and these don't work:

  1. Image should include a tag, other than latest

Test name: good_tags
Why? So the image can be uniquely identified
How? Use the docker tag command to add a tag. A common tag is the image version. The latest tag will be automatically added to the most recent image, so it should not be set explicitly.

Proposed Implementation

We are going to move to versioning this project and publishing public images only on new tags / project releases.

To accomplish this, we will:

  • Add a VERSION file to the project
  • Set the initial VERSION to 1.0.0
  • Update the pipeline so that on pipeline builds, images are only published to the internal Docker registry
  • Update the pipeline so that on v1.x.y tags, the following image tags are published to DockerHub: latest, 1, 1.x, 1.x.y. This will also involve removing the PUBLISH_DOCKERHUB build param, which will no longer be needed.
  • Once these changes are merged, we'll tag 1.0.0 and publish the new images.
  • Update the Conjur project to use the 1.x.y tag to build Conjur.

AC:

  • Determine a strategy for adding unique tags for images (potentially don't push on every nightly build)
  • Implement the new strategy for publishing images

Pushing to Docker Hub is triggered by timer and not content

Pushing on a daily timer is creating overhead and confusion: the image timestamp is updated without any physical change.

triggeredBy 'TimerTrigger'

Suggestion:

  • trigger by tag, which is a manual action that the developer needs to remember
    when { buildingTag() }

Or

  • trigger by SCM SHA change detection, completely automatic, but can cause commits to be public as soon as they are pushed instead of aggregated into a version.
  • Need to investigate behavior on Jenkins build replay, or just triggering a build, and when we do git rebase
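The two issues above propose publishing only on v1.x.y tags, with latest, 1, 1.x and 1.x.y derived from the tag, and nothing pushed by timer-triggered builds. What follows is an added example, not the project's Jenkinsfile: a Ruby helper that derives those tags from the git ref and returns nothing for anything else, so a nightly build has nothing to push. The `published` list, the prerelease handling and the VERSION-file cross-check are assumptions that go beyond the issue's plan; TAG_NAME is the variable Jenkins multibranch pipelines set on tag builds.

```ruby
# Added example (not conjur-base-image code): turn a git ref into the image
# tags to publish, so branch and nightly builds never retag anything.
require 'rubygems'

RELEASE_TAG = /\Av(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?\z/

# Tags to publish for `ref`. A plain v1.x.y tag yields latest, 1, 1.x and
# 1.x.y; anything else (branch names, nightly builds) yields nothing.
# `published` (an extension beyond the issue's plan) lists versions already on
# the registry: floating tags only move when the new version is the highest in
# their scope, so re-releasing 1.0.5 after 1.1.0 updates 1.0 but not 1 or
# latest. A prerelease tag such as v1.2.0-rc1 gets only its exact tag.
def image_tags_for(ref, published: [])
  m = RELEASE_TAG.match(ref.to_s)
  return [] unless m
  major, minor, patch, pre = m.captures
  exact = "#{major}.#{minor}.#{patch}"
  return ["#{exact}-#{pre}"] if pre
  new_v = Gem::Version.new(exact)
  newer = published.map { |v| Gem::Version.new(v) }.select { |v| v > new_v }
  tags = [exact]
  tags.unshift("#{major}.#{minor}") if newer.none? { |v| v.segments[0, 2] == [major.to_i, minor.to_i] }
  tags.unshift(major) if newer.none? { |v| v.segments[0] == major.to_i }
  tags.unshift('latest') if newer.empty?
  tags
end

# A tag that disagrees with the committed VERSION file is a mistake, not a
# release; refuse to publish rather than ship a mislabelled image.
def tag_matches_version?(ref, version_file_contents)
  ref == "v#{version_file_contents.strip}"
end

if __FILE__ == $PROGRAM_NAME
  ref = ENV['TAG_NAME'] || ARGV[0] || ''   # Jenkins sets TAG_NAME on tag builds
  version = File.exist?('VERSION') ? File.read('VERSION') : ''
  if tag_matches_version?(ref, version)
    puts image_tags_for(ref).join(' ')
  else
    warn "ref #{ref.inspect} does not match VERSION #{version.strip.inspect}; not publishing"
  end
end
```

The pipeline step that pushes would loop over the printed tags and run `docker tag`/`docker push` for each; an empty list means the step is skipped, which is what makes the timer trigger harmless.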

Arrange files and directories

  1. The Test scripts should be arranged in a folder rather than main folder.
  2. Builder images should be moved to builder folder

We might want to consider re-arranging the per-library files into a structure more like the following:

PROPOSED

README.md
CHANGELOG.md
test/
    |- test.yml
    |- test.sh
builder/
    |- ubuntu/
        |- ubuntu-ruby-builder
    |- phusion/

The pipeline builds a UBI-based nginx image for Conjur

Is your feature request related to a problem? Please describe.

Build an Nginx UBI-based image that can be used when running Conjur in OpenShift and can ultimately be published to the RH container registry.

Describe the solution you would like

Dockerfile with ubi8 base image that builds Nginx with relevant configuration.

UBI base image tests are failing

Note the latest Jenkins build is failing on the ubi-ruby-fips image tests.

I can reproduce this locally; if I build the ubi-ruby-fips image (following what is done in the Jenkinsfile), and then I run

./test.sh --full-image-name ubi-ruby-fips:"$TAG" --test-file-name test-ubi.yml

I get the same FAIL error that Jenkins is seeing. 8 test cases are failing.

$ cat test-results/ubi-ruby-fips.test-ubiyml.json | jsonpp
{
  "Pass": 5,
  "Fail": 8,
  "Total": 13,
  "Duration": 13884371500,
  "Results": [
    {
      "Name": "Command Test: OpenSSL version",
      "Pass": false,
      "Stdout": "OpenSSL 1.1.1g FIPS  21 Apr 2020\n",
      "Errors": [
        "Expected string '^OpenSSL 1.1.1c FIPS  28 May 2019\n$' not found in output 'OpenSSL 1.1.1g FIPS  21 Apr 2020\n'"
      ],
      "Duration": 759573800
    },
    {
      "Name": "Command Test: libssl.so version",
      "Pass": false,
      "Stdout": "OpenSSL 1.1.1g FIPS  21 Apr 2020",
      "Errors": [
        "Expected string '^OpenSSL 1.1.1c FIPS  28 May 2019$' not found in output 'OpenSSL 1.1.1g FIPS  21 Apr 2020'"
      ],
      "Duration": 1653807300
    },
    {
      "Name": "Command Test: libcrypto.so version",
      "Pass": false,
      "Stdout": "OpenSSL 1.1.1g FIPS  21 Apr 2020",
      "Errors": [
        "Expected string '^OpenSSL 1.1.1c FIPS  28 May 2019$' not found in output 'OpenSSL 1.1.1g FIPS  21 Apr 2020'"
      ],
      "Duration": 1169413200
    },
    {
      "Name": "Command Test: OpenSSL accepts FIPS compliant algorithms",
      "Pass": true,
      "Stdout": "SHA256(/etc/passwd)= 4fca2fc3d1b14741c7ff86ae9c964c680447b4b753139fd6bb8fab863852a365\n",
      "Duration": 861842700
    },
    {
      "Name": "Command Test: Ruby linked with valid libcrypto.so version",
      "Pass": false,
      "Stdout": "OpenSSL 1.1.1g FIPS  21 Apr 2020",
      "Errors": [
        "Expected string '^OpenSSL 1.1.1c FIPS  28 May 2019$' not found in output 'OpenSSL 1.1.1g FIPS  21 Apr 2020'"
      ],
      "Duration": 961570700
    },
    {
      "Name": "Command Test: Ruby linked with valid libssl.so version",
      "Pass": false,
      "Stdout": "OpenSSL 1.1.1g FIPS  21 Apr 2020",
      "Errors": [
        "Expected string '^OpenSSL 1.1.1c FIPS  28 May 2019$' not found in output 'OpenSSL 1.1.1g FIPS  21 Apr 2020'"
      ],
      "Duration": 1072853700
    },
    {
      "Name": "Command Test: Ruby sees valid OpenSSL version",
      "Pass": false,
      "Stdout": "OpenSSL 1.1.1g FIPS  21 Apr 2020\n",
      "Errors": [
        "Expected string '^OpenSSL 1.1.1c FIPS  28 May 2019\n$' not found in output 'OpenSSL 1.1.1g FIPS  21 Apr 2020\n'"
      ],
      "Duration": 862759800
    },
    {
      "Name": "Command Test: Ruby accepts FIPS compliant algorithms",
      "Pass": true,
      "Stdout": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n",
      "Duration": 1348435200
    },
    {
      "Name": "Command Test: Ruby denies FIPS compliant algorithms",
      "Pass": true,
      "Stderr": "/var/lib/ruby/lib/ruby/2.5.0/openssl/digest.rb:40:in `initialize': Digest initialization failed: disabled for FIPS (OpenSSL::Digest::DigestError)\n\tfrom /var/lib/ruby/lib/ruby/2.5.0/openssl/digest.rb:40:in `block (3 levels) in \u003cclass:Digest\u003e'\n\tfrom -e:2:in `new'\n\tfrom -e:2:in `\u003cmain\u003e'\n",
      "Duration": 853809900
    },
    {
      "Name": "Command Test: libpq linked with valid libcrypto.so version",
      "Pass": false,
      "Stdout": "OpenSSL 1.1.1g FIPS  21 Apr 2020",
      "Errors": [
        "Expected string '^OpenSSL 1.1.1c FIPS  28 May 2019$' not found in output 'OpenSSL 1.1.1g FIPS  21 Apr 2020'"
      ],
      "Duration": 1125254300
    },
    {
      "Name": "Command Test: libpq linked with valid libssl.so version",
      "Pass": false,
      "Stdout": "OpenSSL 1.1.1g FIPS  21 Apr 2020",
      "Errors": [
        "Expected string '^OpenSSL 1.1.1c FIPS  28 May 2019$' not found in output 'OpenSSL 1.1.1g FIPS  21 Apr 2020'"
      ],
      "Duration": 1139209400
    },
    {
      "Name": "Command Test: Postgres version",
      "Pass": true,
      "Stdout": "pg_dump (PostgreSQL) 10.14\n",
      "Duration": 1076737500
    },
    {
      "Name": "Command Test: bundler version",
      "Pass": true,
      "Stdout": "Bundler version 2.1.4\n",
      "Duration": 999104000
    }
  ]
}

AC:

  • Update the test cases so that there are no failures
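The README's feature list promises tests that verify FIPS mode is enabled and that every artifact is compiled against the FIPS OpenSSL module, and the failures above show why pinning a full banner such as "OpenSSL 1.1.1c FIPS  28 May 2019" breaks on the next distro security update. What follows is an added example, not code from conjur-base-image or its test-ubi.yml: a Ruby check that compares version series instead of the whole banner, confirms that the header the openssl extension was compiled against matches the libcrypto loaded at run time, and verifies FIPS enforcement by behaviour (OpenSSL.fips_mode plus a non-approved digest being refused). The banner strings used as samples, the expected series and the script name are assumptions; for OpenSSL 3 the version banner carries no FIPS marker, so there the behavioural checks are the ones that matter.

```ruby
# Added example (not conjur-base-image code): verify from inside the image that
# Ruby really runs against a FIPS-enabled OpenSSL, comparing version series
# instead of a full "1.1.1c FIPS  28 May 2019" banner.
require 'openssl'

OPENSSL_BANNER = /\AOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(\s+FIPS\b)?/

# Parse "OpenSSL 1.1.1g FIPS  21 Apr 2020" or "OpenSSL 3.0.7 1 Nov 2022".
# The build date and the 1.1.1x patch letter are deliberately dropped: they
# change with every distro security update and are not what we need to pin.
def parse_openssl_banner(banner)
  m = OPENSSL_BANNER.match(banner.to_s.strip)
  return nil unless m
  { family: "#{m[1]}.#{m[2]}.#{m[3]}", letter: m[4], fips_tag: !m[5].nil? }
end

# What the running Ruby sees. OPENSSL_VERSION is the header the openssl
# extension was compiled against; OPENSSL_LIBRARY_VERSION is the libcrypto
# loaded at run time. If they diverge, the extension was not built against the
# library it is actually using, which is exactly what this image promises.
def openssl_runtime_report
  md5_blocked = begin
    OpenSSL::Digest.new('MD5').hexdigest('x')
    false
  rescue OpenSSL::OpenSSLError, RuntimeError
    true   # FIPS mode refuses MD5 ("disabled for FIPS" / unsupported digest)
  end
  { compiled: OpenSSL::OPENSSL_VERSION,
    runtime: OpenSSL::OPENSSL_LIBRARY_VERSION,
    fips_mode: OpenSSL.fips_mode,
    md5_blocked: md5_blocked }
end

# Decide whether a report describes a usable FIPS build. `family` is the
# expected version prefix ("1.1.1", "3.0", ...). Returns { ok:, problems: }.
def fips_verdict(report, family:)
  problems = []
  compiled = parse_openssl_banner(report[:compiled])
  runtime  = parse_openssl_banner(report[:runtime])
  if compiled.nil? || runtime.nil?
    problems << 'unparseable OpenSSL version banner'
  else
    unless "#{runtime[:family]}.".start_with?("#{family}.")
      problems << "runtime OpenSSL #{runtime[:family]} is not in the expected #{family} series"
    end
    unless compiled[:family].split('.')[0, 2] == runtime[:family].split('.')[0, 2]
      problems << "extension compiled against #{compiled[:family]} but running with #{runtime[:family]}"
    end
  end
  problems << 'FIPS mode is not enabled' unless report[:fips_mode]
  problems << 'MD5 still works, so the FIPS module is not enforcing' unless report[:md5_blocked]
  { ok: problems.empty?, problems: problems }
end

if __FILE__ == $PROGRAM_NAME
  report = openssl_runtime_report
  report.each { |k, v| puts "#{k}: #{v}" }
  if (family = ARGV[0])   # e.g. ruby fips_check.rb 3.0
    verdict = fips_verdict(report, family: family)
    puts(verdict[:ok] ? 'FIPS check passed' : "FIPS check failed: #{verdict[:problems].join('; ')}")
    exit(verdict[:ok] ? 0 : 1)
  end
end
```

Run it inside the image as `ruby fips_check.rb 1.1.1` (or `3.0` for the OpenSSL 3 images; the file name is hypothetical); without an argument it only prints the report. A test expectation written this way survives the 1.1.1c to 1.1.1g bump above while still failing if the image silently picks up a non-FIPS libcrypto or a different major series.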

Bump Ruby version to 2.5.8

Our current version of Ruby (2.5.1), is several versions behind the latest (2.5.8). This is technical debt that introduces risk in unfixed bugs and security issues that we include in the DAP appliance and Conjur OSS images.

Add UBI dependencies to NOTICES

At current, the UBI images (ubi-ruby-fips and ubi-nginx) don't have their dependencies reflected in NOTICES.txt.

The NOTICES should be updated to include these dependencies too.

Postgres version bumped to 10.16

At current, the build is failing because the Postgres version is hardcoded at 10.15 and that version is no longer available in the artifact repository.

To fix this in the short-term, we'll increment the pg version to 10.16 - but we should investigate a longer term fix like #21
