We will build, deploy and test the customer-ms-spring runtime branch and then look at the implications of resolving some vulnerabilities but not all. StackRox runtime monitoring of a container will be demonstrated.
Deploy the IBM Blue Compute shop if you have not already done so.
Install the tooling if you have not already done so.
Scan and Import the images that are used by the tool-chain if you have not already done so.
The tools setup has installed stackrox.
helm get notes stackrox-central-services -n stackrox
We are looking for:
helm get notes stackrox-central-services -n stackrox | grep -A3 "initial setup"
Setup port-forwarding:
oc port-forward svc/central -n stackrox 8443:443
Login via your browser, via right-click, open a new tab "here".
Use the login that was previously obtained. You should now be logged in:
Go to Platform Configuration, Integrations, Authentication Tokens, StackRox
Click on New Integration and create an API token with name set to ci_token adn Role set to Continuous Integration.
Copy the token and store it safely.
Click on Integrations on the left hand menu and select the image integration docker "generic docker registry" as shown below:
Click New Integration button and complete the details as shown below
Integration Name - OpenShift_Image_registry
Get your user name:
oc whoami
Get your token:
oc whoami -t
For Endpoint use:
image-registry.openshift-image-registry.svc:5000
Disable TLS Certificate Validation.
Click Test button to confirm details are correct and then Save and exit.
Edit the configuration of the installer.
vi ~/config.bc-full
Set the value of STACKROX_API_TOKEN with the previously created CI Token.
Run the setup:
bash scripts/pipeline/stackrox-setup.sh
bash scripts/pipeline/stackrox-setup-runtime.sh
oc create -f tekton-pipeline-run/customer-stackrox-pipeline-ibm-prevail-2021-runtime.yaml
scripts/watch-the-pipeline-run.sh
Go to the vulnerability overview in Stackrox
Inspect the Stackrox report for the image that was built
Inspect the Customer Micro Service Dockerfile
Drill down on the critical vulnerability by clicking on View All CVES by CVSS Score and then sorting by severity
As we see below the CVE-2020-1938 is the critical vulnrability in our image. Click on this to find out more detail.
Find out what needs to be fixed and look at the component and deployment tabs in the related entities section on the left hand side.
Take a careful look at the recommended fix version.
Summary
The scan has failed due to one policy violation:
- Tomcat needs upgrading
The scan has an additional violation:
- The use of root user is prohibited.
...but StackRox isn't configured to enforce it so won't cause the task to fail.
We will fix the Tomcat vulnerability, but choose to "overlook" the other violations to "make life easier" - however we wish to demonstrate the implications this decision will have!
So far we have looked at using tools to analyise our application once a pipeline is triggered, however we can shift even further left! We can use Red Hat Dependency Analytics to enable developers to create more secure applications by showing code vulnrabilities in thier IDE environment. It will automatically analyze software composition, and provides recommendations to address security holes and licensing problems that a developer may miss. This will help developers to fix any security issues before they have even pushed any code to a pipeline. Red Hat Dependancy Analysis uses the Snyk database of vulnrabilities.
If you don't already have Maven, Visual Studio Code (VS Code) and Red Hat Dependency Analytics installed and configured on your machine, follow these instructions (ensure to open in a new tab so that you can return here). They provide additional steps to ensure Maven is correctly configured. If you have Maven configured, then:
- Install Visual Studio Code (VS Code)
- Install the Red Hat Dependency Analytics plugin in VS Code
Clone the repo and checkout the the branch named solo. (it is very important to inspect the correct branch, otherwise the results of the inspection will not be accurate)
git checkout solo
Branch 'solo' set up to track remote branch 'solo' from 'origin'.
Switched to a new branch 'solo'
Right click on the pom.xml and select Dependency Analytics Report as shown below. (You may need to click on the right hand side window area in VS Code for the Dependency Analytics screen to appear)
Click on the Orange Snyk Token button and generate a Snyk Token by signing up with your GitHub credentials to Snyk.
Inspect the report:
If we drill down we can view the detail of the dependencies which shows current version and also the recommneded or latest version available.
As a developer this provides us with the infomration needed to improve our code before we have even deployed anything. Any further left and we will fall off our chair! :)
You may fork the repo that we are building, and make the mod yourself. For the interest of time we suggest you use the pre-built branch with the Tomcat fix, but still running as root user:
oc create -f tekton-pipeline-run/customer-stackrox-pipeline-ibm-prevail-2021-tomcatfix-stillroot-version.yaml
scripts/watch-the-pipeline-run.sh
The pipeline now runs to completion:
Inspect the stackrox console and verify the vulnerability was successfully patched.
- Go to UI > Platform Configuration > System Policies
- Type "Enforcement" in the filter bar, click on it so it becomes blue. Then type "FAIL_BUILD_ENFORCEMENT" and press enter.
See how, by default, only a small number of policies are configured to apply enforcement of the policy (that would cause pipeline to fail if violated).
Note: For informational purposes only - do not set this policy's enforcement behaviour to "on" as part of th demo run.
It is possible to turn enforcement behaviour on by doing the following:
- Go to UI > Platform Configuration > System Policies
- Filter for "Docker CIS 4.1: Ensure That a User for the Container Has Been Created"
- Click on the policy. Then click on: Edit > Next > Next > Next > Turn "Enforcement Behaviour" on > Save
Please run the script we have provided to upload progress from the lab to our internal webhook for tracking.
bash scripts/slackhook/upload-script.sh