Merge pull request #627 from exasol/develop

Changelog:

#573: Pushed test container to Dockerhub (#603) 
#616: Performed login to dockerhub for specific tests (#617) 
#621: Fixed CVE-2022-21499 (#622) 
#620: Fixed trivy false positive during secret scan (#624) 
#623: Removed CVE-2021-43816 from ignore list (#626)

.current_gitmodules

@@ -1 +1 @@
-160000 0a2c54f2ba6b8e134cfff0a761b9427f7cc547dc 0	script-languages
+160000 32f37b36694c5477d05897866cf99e56eff7d948 0	script-languages

.github/workflows/check_package_diffs.yaml

@@ -1,10 +1,11 @@
-name: Check if package diff tool
+name: Check package diff tool
 
 on:
   push:
     branches:
-      - master
       - develop
+#      - master
+#      - main
   pull_request:
 
 jobs:

.github/workflows/push_docker_test_container.yaml

@@ -0,0 +1,35 @@
+name: Publish Docker Test Container
+
+on:
+  push:
+    branches:
+      - master
+      - main
+      - 'ci-release-test/**'
+
+jobs:
+  publish-test-container:
+    runs-on: ubuntu-latest
+    environment: publish
+    steps:
+      - uses: actions/checkout@v2
+      - name: Init submodules
+        run: git submodule update --init --recursive
+      - name: Build TestContainer
+        run: ./exaslct build-test-container --force-rebuild
+      - name: Push TestContainer image
+        if: ${{ (github.ref == 'refs/heads/master') || (github.ref == 'refs/heads/main') }}
+        run: |
+          ./exaslct push-test-container --source-docker-username "$SECRET_DOCKER_USER_NAME" --target-docker-username "$SECRET_DOCKER_USER_NAME" --force-push
+        env: # Set the secret as an input
+          SECRET_DOCKER_USER_NAME: ${{ secrets.DOCKER_USER_NAME }}
+          TARGET_DOCKER_PASSWORD: ${{ secrets.DOCKER_TOKEN }}
+          SOURCE_DOCKER_PASSWORD: ${{ secrets.DOCKER_TOKEN }}
+      - name: Push  ci-release-test TestContainer image
+        if: ${{ (github.ref != 'refs/heads/master') && (github.ref != 'refs/heads/main') }}
+        run: |
+          ./exaslct push-test-container --source-docker-username "$SECRET_DOCKER_USER_NAME" --target-docker-username "$SECRET_DOCKER_USER_NAME" --force-push --source-docker-tag-prefix ci_release_test --target-docker-tag-prefix ci_release_test
+        env: # Set the secret as an input
+          SECRET_DOCKER_USER_NAME: ${{ secrets.DOCKER_USER_NAME }}
+          TARGET_DOCKER_PASSWORD: ${{ secrets.DOCKER_TOKEN }}
+          SOURCE_DOCKER_PASSWORD: ${{ secrets.DOCKER_TOKEN }}

doc/changes/changes-4.3.0.md

@@ -15,6 +15,9 @@ This release uses version 0.9.0 of the container tool.
 ## Bug Fixes
 
  - #599: Fixed duplicated packages
+ - #573: Pushed test container to Dockerhub
+ - #616: Performed login to dockerhub for specific tests
+
 
 ## Features / Enhancements
 
@@ -40,5 +43,8 @@ This release uses version 0.9.0 of the container tool.
  - #582: Updated libssl
  - #596: Updated packages
  - #605: Updated packages
- - #607: Ignored CVE-2022-1116
- - #613: Ignored CVE-2022-29581 
+ - #607: Ignored CVE-2022-1116 as it affects the Linux kernel only
+ - #613: Ignored CVE-2022-29581 as it affects the Linux kernel only
+ - #621: Ignored CVE-2022-21499 as it affects the Linux kernel only
+ - #620: Fixed trivy false positive during secret scan 
+ - #623: Removed CVE-2021-43816 from ignore list

flavors/r-4-minimal-EXASOL-6.2.0/flavor_base/security_scan/.trivyignore

@@ -1,12 +1,11 @@
-#CVE-2021-43816 was caused by bug in trivy, no idea when a new debian package will be released (https://github.com/aquasecurity/trivy/issues/1680)
-CVE-2021-43816
 #the following CVE's affect kernel, no issue for container
 CVE-2022-0847
 CVE-2022-0001
 CVE-2022-0002
 CVE-2022-1015
 CVE-2022-1116
 CVE-2022-29581
+CVE-2022-21499
 #CVE-2022-23648 is a bug in containerd, not issue for containers
 CVE-2022-23648
 #issue in cgroups, but no threat for ScriptLanguageContainer

flavors/r-4-minimal-EXASOL-6.2.0/flavor_base/security_scan/Dockerfile

@@ -14,5 +14,6 @@ RUN /scripts/install_scripts/install_via_r_remotes.pl --file /build_info/package
 
 ENV SECURITY_SCANNERS="trivy oyster"
 COPY /security_scan/.trivyignore /.trivyignore
+COPY /security_scan/trivy-secret.yaml /trivy-secret.yaml
 
 ENTRYPOINT ["/scripts/security_scan/run.sh"]

flavors/r-4-minimal-EXASOL-6.2.0/flavor_base/security_scan/trivy-secret.yaml

@@ -0,0 +1,4 @@
+allow-rules:
+  - id: r-open-ssl-samples
+    description: skip R open ssl sample secrets
+    path: usr/local/lib/R/site-library/openssl/doc/keys.html

flavors/standard-EXASOL-7.0.0/flavor_base/security_scan/.trivyignore

@@ -1,13 +1,12 @@
 CVE-2021-37714
-#CVE-2021-43816 was caused by bug in trivy, no idea when a new debian package will be released (https://github.com/aquasecurity/trivy/issues/1680)
-CVE-2021-43816
 #the following CVE's affect kernel, no issue for container
 CVE-2022-0847
 CVE-2022-0001
 CVE-2022-0002
 CVE-2022-1015
 CVE-2022-1116
 CVE-2022-29581
+CVE-2022-21499
 #CVE-2022-23648 is a bug in containerd, not issue for containers
 CVE-2022-23648
 #issue in cgroups, but no threat for ScriptLanguageContainer

flavors/standard-EXASOL-7.1.0-without-python2.7/flavor_base/security_scan/.trivyignore

@@ -1,13 +1,12 @@
 CVE-2021-37714
-#CVE-2021-43816 was caused by bug in trivy, no idea when a new debian package will be released (https://github.com/aquasecurity/trivy/issues/1680)
-CVE-2021-43816
 #the following CVE's affect kernel, no issue for container
 CVE-2022-0847
 CVE-2022-0001
 CVE-2022-0002
 CVE-2022-1015
 CVE-2022-1116
 CVE-2022-29581
+CVE-2022-21499
 #CVE-2022-23648 is a bug in containerd, not issue for containers
 CVE-2022-23648
 #issue in cgroups, but no threat for ScriptLanguageContainer

flavors/standard-EXASOL-7.1.0/flavor_base/security_scan/.trivyignore

@@ -1,13 +1,12 @@
 CVE-2021-37714
-#CVE-2021-43816 was caused by bug in trivy, no idea when a new debian package will be released (https://github.com/aquasecurity/trivy/issues/1680)
-CVE-2021-43816
 #the following CVE's affect kernel, no issue for container
 CVE-2022-0847
 CVE-2022-0001
 CVE-2022-0002
 CVE-2022-1015
 CVE-2022-1116
 CVE-2022-29581
+CVE-2022-21499
 #CVE-2022-23648 is a bug in containerd, not issue for containers
 CVE-2022-23648
 #issue in cgroups, but no threat for ScriptLanguageContainer

flavors/standard-EXASOL-8.0.0/flavor_base/security_scan/.trivyignore

@@ -1,5 +1,3 @@
-#CVE-2021-43816 was caused by bug in trivy, no idea when a new debian package will be released (https://github.com/aquasecurity/trivy/issues/1680)
-CVE-2021-43816
 #the following CVE's affect kernel, no issue for container
 CVE-2022-0847
 CVE-2022-0001
@@ -9,6 +7,7 @@ CVE-2022-1116
 CVE-2022-23960
 CVE-2022-25636
 CVE-2022-29581
+CVE-2022-21499
 #CVE-2022-23648 is a bug in containerd, not issue for containers
 CVE-2022-23648
 #issue in cgroups, but no threat for ScriptLanguageContainer