From 0a02f43b8c02ef3126332168ca3a8546d53c38b0 Mon Sep 17 00:00:00 2001 From: janpapenbrock Date: Sat, 6 May 2017 09:57:39 +0200 Subject: [PATCH 1/8] Refactor Dockerfile for readability. --- Dockerfile | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index c311a3b6b..cb6839911 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,12 +2,20 @@ FROM java:8 MAINTAINER Timo Pagel -RUN wget -O /tmp/current.txt http://jeremylong.github.io/DependencyCheck/current.txt && current=$(cat /tmp/current.txt) && wget https://dl.bintray.com/jeremy-long/owasp/dependency-check-$current-release.zip && unzip dependency-check-$current-release.zip && mv dependency-check /usr/share/ +RUN wget -O /tmp/current.txt http://jeremylong.github.io/DependencyCheck/current.txt && \ + current=$(cat /tmp/current.txt) && \ + wget https://dl.bintray.com/jeremy-long/owasp/dependency-check-$current-release.zip && \ + unzip dependency-check-$current-release.zip && \ + mv dependency-check /usr/share/ + +RUN useradd -ms /bin/bash dockeruser && \ + chown -R dockeruser:dockeruser /usr/share/dependency-check && \ + mkdir /report && \ + chown -R dockeruser:dockeruser /report -RUN useradd -ms /bin/bash dockeruser && chown -R dockeruser:dockeruser /usr/share/dependency-check && mkdir /report && chown -R dockeruser:dockeruser /report USER dockeruser -VOLUME "/src /usr/share/dependency-check/data /report" +VOLUME ["/src" "/usr/share/dependency-check/data" "/report"] WORKDIR /report From 7c1c99f5f924a5c9562ef30dba8a56203b42e49b Mon Sep 17 00:00:00 2001 From: janpapenbrock Date: Sat, 6 May 2017 10:00:37 +0200 Subject: [PATCH 2/8] Use script without arguments as entry point to allow running any command on the resulting container without having to override entry point. --- Dockerfile | 3 ++- README.md | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index cb6839911..8daae2e15 100644 --- a/Dockerfile +++ b/Dockerfile 
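Review bot: The new `VOLUME ["/src" "/usr/share/dependency-check/data" "/report"]` is not valid JSON because the elements are not comma-separated; Docker then falls back to whitespace-split plain-string parsing, which, as far as I can tell, declares three volumes whose names carry the literal brackets and quotes rather than the intended paths. Use the array form properly: `VOLUME ["/src", "/usr/share/dependency-check/data", "/report"]`. Separately, the reflowed RUN still fetches current.txt over plain `http://` and splices the response into both the download URL and the filename without any validation, so whoever controls that connection decides which archive gets unzipped into the image; `https://` plus a pinned version or checksum would close that. The `chown -R` over the freshly extracted tree in a second RUN also rewrites every file into a new layer (roughly doubling its size on overlay-style storage), so doing the chown in the same RUN as the unzip would be cheaper.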
@@ -19,4 +19,5 @@ VOLUME ["/src" "/usr/share/dependency-check/data" "/report"] WORKDIR /report -ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh", "--scan", "/src"] +CMD ["--help"] +ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"] diff --git a/README.md b/README.md index 87a68fc54..e07da7ec8 100644 --- a/README.md +++ b/README.md @@ -111,7 +111,7 @@ if [ ! -d $DATA_DIRECTORY ]; then echo "Initially creating persistent directories" mkdir -p $DATA_DIRECTORY chmod -R 777 $DATA_DIRECTORY - + mkdir -p $REPORT_DIRECTORY chmod -R 777 $REPORT_DIRECTORY fi @@ -123,7 +123,8 @@ docker run --rm \ --volume $DATA_DIRECTORY:/usr/share/dependency-check/data \ --volume $REPORT_DIRECTORY:/report \ --name dependency-check \ - dc \ + owasp/dependency-check \ + --scan /src \ --suppression "/src/security/dependency-check-suppression.xml"\ --format "ALL" \ --project "My OWASP Dependency Check Project" \ From 13d781d2b1ec117d37c2a86b1012b5fa97d45180 Mon Sep 17 00:00:00 2001 From: janpapenbrock Date: Sat, 6 May 2017 10:01:52 +0200 Subject: [PATCH 3/8] Re-order arguments in likeliness of being commented out. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e07da7ec8..41f19304f 100644 --- a/README.md +++ b/README.md @@ -125,9 +125,9 @@ docker run --rm \ --name dependency-check \ owasp/dependency-check \ --scan /src \ - --suppression "/src/security/dependency-check-suppression.xml"\ --format "ALL" \ --project "My OWASP Dependency Check Project" \ + --suppression "/src/security/dependency-check-suppression.xml" ``` From 8edf65186f7d3ee88d2ec1f2cdc2e9a00abbf24d Mon Sep 17 00:00:00 2001 From: janpapenbrock Date: Sat, 6 May 2017 10:03:24 +0200 Subject: [PATCH 4/8] Clean up after download to reduce image size. --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 8daae2e15..01c34b042 100644 --- a/Dockerfile +++ b/Dockerfile 
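Review bot: With `ENTRYPOINT` still fixed to `dependency-check.sh`, the new `CMD ["--help"]` only changes the default arguments; anything other than dependency-check options still requires `--entrypoint`, so the subject's promise of running "any command" without overriding the entry point does not hold for this hunk. Either reword the commit message or move the script into CMD if arbitrary commands are the goal. The hunk also changes behaviour for existing users: an image run with no arguments used to scan `/src` and now prints help, which the README hunk in this patch reflects but a Dockerfile comment would make explicit, e.g. `# Arguments given to docker run are forwarded to dependency-check.sh; with none, show --help (formerly --scan /src)`.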
@@ -6,6 +6,7 @@ RUN wget -O /tmp/current.txt http://jeremylong.github.io/DependencyCheck/current current=$(cat /tmp/current.txt) && \ wget https://dl.bintray.com/jeremy-long/owasp/dependency-check-$current-release.zip && \ unzip dependency-check-$current-release.zip && \ + rm dependency-check-$current-release.zip && \ mv dependency-check /usr/share/ RUN useradd -ms /bin/bash dockeruser && \ From 57b1895b5ebb7b7710656784799a823e5a6d4bb2 Mon Sep 17 00:00:00 2001 From: janpapenbrock Date: Sat, 6 May 2017 10:19:27 +0200 Subject: [PATCH 5/8] Refactor user name into variable. --- Dockerfile | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 01c34b042..becfe66eb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,6 +2,8 @@ FROM java:8 MAINTAINER Timo Pagel +ENV user=dockeruser + RUN wget -O /tmp/current.txt http://jeremylong.github.io/DependencyCheck/current.txt && \ current=$(cat /tmp/current.txt) && \ wget https://dl.bintray.com/jeremy-long/owasp/dependency-check-$current-release.zip && \ @@ -9,12 +11,12 @@ RUN wget -O /tmp/current.txt http://jeremylong.github.io/DependencyCheck/current rm dependency-check-$current-release.zip && \ mv dependency-check /usr/share/ -RUN useradd -ms /bin/bash dockeruser && \ - chown -R dockeruser:dockeruser /usr/share/dependency-check && \ +RUN useradd -ms /bin/bash ${user} && \ + chown -R ${user}:${user} /usr/share/dependency-check && \ mkdir /report && \ - chown -R dockeruser:dockeruser /report + chown -R ${user}:${user} /report -USER dockeruser +USER ${user} VOLUME ["/src" "/usr/share/dependency-check/data" "/report"] From bf7b8ccce8f24400b206b7e3292e5298037320ba Mon Sep 17 00:00:00 2001 From: janpapenbrock Date: Sat, 6 May 2017 10:20:02 +0200 Subject: [PATCH 6/8] Use specific user name to easily identify who is doing things here. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index becfe66eb..761f6b8bf 100644 --- a/Dockerfile 
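Review bot: The added `rm` drops the zip, but `/tmp/current.txt` written by the first `wget -O` in the same RUN is still left in the layer; extend the line to `rm dependency-check-$current-release.zip /tmp/current.txt` (or read the version with `wget -qO-` into the variable and skip the temp file). Removing the archive in the same RUN is the right place for it, since a later `RUN rm` would not shrink the image. Note the zip is still unpacked and installed without any checksum or signature check, so this cleanup hides, rather than addresses, that the archive's origin is unverified.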
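Review bot: `ENV user=dockeruser` is only consumed by the build-time `useradd`, `chown` and `USER` instructions, yet `ENV` persists it into every running container's environment, where a lowercase `user` variable is easily mistaken for the conventional `USER`; `ARG user=dockeruser` gives the same substitution in the following instructions without leaking into the runtime environment. If the name is meant to be readable at runtime, keep ENV but say so: `# Unprivileged account the scanner runs as; kept as ENV intentionally so tooling can read it`.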
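Review bot: `useradd -ms /bin/bash ${user}` creates an interactive login account with a dynamically assigned UID for what is a service identity; `useradd --system --uid 10001 -m -s /usr/sbin/nologin ${user}` keeps the home directory while removing the shell and fixing the UID. A stable UID also lets the host-side data and report directories in the README be owned by that UID instead of the `chmod -R 777` it currently documents, and lets `runAsNonRoot`-style admission checks verify the image. The exec-form ENTRYPOINT invokes the script directly, so the account's login shell should not matter for normal runs, but that is worth confirming against dependency-check.sh, which is outside this hunk.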
+++ b/Dockerfile @@ -2,7 +2,7 @@ FROM java:8 MAINTAINER Timo Pagel -ENV user=dockeruser +ENV user=dependencycheck RUN wget -O /tmp/current.txt http://jeremylong.github.io/DependencyCheck/current.txt && \ current=$(cat /tmp/current.txt) && \ From ff6b3dbd4f6bf87c07c176a3f1c2238c71104c67 Mon Sep 17 00:00:00 2001 From: janpapenbrock Date: Sat, 6 May 2017 10:30:29 +0200 Subject: [PATCH 7/8] Refactor to make URLs easier to change and reduce repetition. --- Dockerfile | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 761f6b8bf..ecd4b02ee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,12 +3,15 @@ FROM java:8 MAINTAINER Timo Pagel ENV user=dependencycheck +ENV version_url=https://jeremylong.github.io/DependencyCheck/current.txt +ENV download_url=https://dl.bintray.com/jeremy-long/owasp -RUN wget -O /tmp/current.txt http://jeremylong.github.io/DependencyCheck/current.txt && \ - current=$(cat /tmp/current.txt) && \ - wget https://dl.bintray.com/jeremy-long/owasp/dependency-check-$current-release.zip && \ - unzip dependency-check-$current-release.zip && \ - rm dependency-check-$current-release.zip && \ +RUN wget -O /tmp/current.txt ${version_url} && \ + version=$(cat /tmp/current.txt) && \ + file="dependency-check-${version}-release.zip" && \ + wget "$download_url/$file" && \ + unzip ${file} && \ + rm ${file} && \ mv dependency-check /usr/share/ RUN useradd -ms /bin/bash ${user} && \ From 03f84fa77efbf0f261eed7bfa18cc5a370ff347a Mon Sep 17 00:00:00 2001 From: janpapenbrock Date: Sat, 6 May 2017 10:36:25 +0200 Subject: [PATCH 8/8] Improve docker usage documentation. --- README.md | 45 +++++++++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 41f19304f..c8785bec5 100644 --- a/README.md +++ b/README.md 
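Review bot: The refactored RUN still installs whatever `${download_url}/${file}` returns with no integrity check: the version string is read from the network at build time and spliced into the filename, and the resulting zip is unzipped and moved into `/usr/share` as-is, so a replaced artifact on the download host becomes the scanner in every image built afterwards (the move to `https://` protects only the transport). Pin the release and its digest as build arguments and verify before unpacking, or, if the image must track `current.txt`, fetch and verify an upstream-published checksum or signature for that file; I have not checked what upstream publishes alongside the zip. `version_url` and `download_url` are build-time only and would be better as `ARG` than `ENV`, and `unzip ${file}` should quote the variable since its value comes from the network.

```dockerfile
ARG download_url=https://dl.bintray.com/jeremy-long/owasp
# Pin both and bump them together when upgrading the scanner.
ARG version
ARG sha256
RUN file="dependency-check-${version}-release.zip" && \
    wget "${download_url}/${file}" && \
    echo "${sha256}  ${file}" | sha256sum -c - && \
    unzip "${file}" && \
    rm "${file}" && \
    mv dependency-check /usr/share/
```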
@@ -101,33 +101,38 @@ Then load the resulting 'DependencyCheck-Report.html' into your favorite browser ### Docker -In the following example it is assumed that the source to be checked is in the actual directory. A persistent data directory and a persistent report directory is used so that the container can be destroyed after running it to make sure that you use the newest version, always. +In the following example it is assumed that the source to be checked is in the current working directory. Persistent data and report directories are used, allowing you to destroy the container after running. + ``` -# After the first run, feel free to change the owner of the directories to the owner of the created files and the permissions to 744 -DATA_DIRECTORY=$HOME/OWASP-Dependency-Check/data -REPORT_DIRECTORY=/$HOME/OWASP-Dependency-Check/reports +#!/bin/sh -if [ ! -d $DATA_DIRECTORY ]; then - echo "Initially creating persistent directories" - mkdir -p $DATA_DIRECTORY - chmod -R 777 $DATA_DIRECTORY +OWASPDC_DIRECTORY=$HOME/OWASP-Dependency-Check +DATA_DIRECTORY="$OWASPDC_DIRECTORY/data" +REPORT_DIRECTORY="$OWASPDC_DIRECTORY/reports" - mkdir -p $REPORT_DIRECTORY - chmod -R 777 $REPORT_DIRECTORY +if [ ! 
-d "$DATA_DIRECTORY" ]; then + echo "Initially creating persistent directories" + mkdir -p "$DATA_DIRECTORY" + chmod -R 777 "$DATA_DIRECTORY" + + mkdir -p "$REPORT_DIRECTORY" + chmod -R 777 "$REPORT_DIRECTORY" fi -docker pull owasp/dependency-check # Make sure it is the actual version +# Make sure we are using the latest version +docker pull owasp/dependency-check docker run --rm \ - --volume $(pwd):/src \ - --volume $DATA_DIRECTORY:/usr/share/dependency-check/data \ - --volume $REPORT_DIRECTORY:/report \ - --name dependency-check \ - owasp/dependency-check \ - --scan /src \ - --format "ALL" \ - --project "My OWASP Dependency Check Project" \ - --suppression "/src/security/dependency-check-suppression.xml" + --volume $(pwd):/src \ + --volume "$DATA_DIRECTORY":/usr/share/dependency-check/data \ + --volume "$REPORT_DIRECTORY":/report \ + owasp/dependency-check \ + --scan /src \ + --format "ALL" \ + --project "My OWASP Dependency Check Project" + # Use suppression like this: (/src == $pwd) + # --suppression "/src/security/dependency-check-suppression.xml" + ```