department-of-veterans-affairs / veterans-employment-center

Veterans Employment Center
https://www.vets.gov/veterans-employment-center

CI docker pipeline #406

Closed b00klegger closed 6 years ago

b00klegger commented 6 years ago

This change introduces the use of Docker to perform the testing for the project instead of testing directly on the Jenkins node. I have heavily copied from the vets-website pipeline for this project.

I have commented out bundler-audit testing for two reasons:

GitHub Insights also flagged rubyzip as needing an update to 1.2.2, which I have included.

The initial issue with sprockets and pg-0.15 has been resolved and is included in this branch.

Diff between master and dockerize-ci Gemfile.lock:

diff --git a/Gemfile.lock b/Gemfile.lock
index 51bd53e..7c284ea 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -317,7 +317,7 @@ GEM
     rspec-support (3.5.0)
     ruby_dep (1.5.0)
     rubysl-securerandom (2.0.0)
-    rubyzip (1.2.1)
+    rubyzip (1.2.2)
     safe_yaml (1.0.4)
     sass (3.4.23)
     sass-rails (5.0.6)
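Review bot: none of the bundler-audit findings pasted below are addressed by this hunk, which moves only rubyzip (1.2.1 -> 1.2.2) and leaves actionpack, actionview, activemodel and activerecord at 4.2.7.1; please say in the description that the rubyzip bump is for the GitHub Insights flag and not for the audit output, so nobody reads the two as connected. rubyzip appears only in the GEM specs section here, with no DEPENDENCIES line in the hunk, so it is a transitive dependency: confirm the bump was done with `bundle update rubyzip --conservative` so that nothing else in the lock moved (the diff suggests it did not), and re-run `bundle exec bundle-audit check --update` afterwards so the result reflects a refreshed advisory database. On the findings themselves, note that a solution such as `upgrade to ~> 4.2.5.1` is a pessimistic range (>= 4.2.5.1, < 4.2.6) that 4.2.7.1 falls outside of, which is why bundler-audit reports a release newer than the fix; check those entries against a current advisory database before deciding whether a Rails bump belongs in this PR.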

bundler-audit error output:

Name: actionpack
Version: 4.2.7.1
Advisory: CVE-2015-7581
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
Title: Object leak vulnerability for wildcard controller routes in Action Pack
Solution: upgrade to ~> 4.2.5.1, ~> 4.1.14.1

Name: actionpack
Version: 4.2.7.1
Advisory: CVE-2016-0751
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Title: Possible Object Leak and Denial of Service attack in Action Pack
Solution: upgrade to ~> 5.0.0.beta1.1, ~> 4.2.5.1, ~> 4.1.14.1, ~> 3.2.22.1

Name: actionpack
Version: 4.2.7.1
Advisory: CVE-2015-7576
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Title: Timing attack vulnerability in basic authentication in Action Controller.
Solution: upgrade to ~> 5.0.0.beta1.1, ~> 4.2.5.1, ~> 4.1.14.1, ~> 3.2.22.1

Name: actionview
Version: 4.2.7.1
Advisory: CVE-2016-0752
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Title: Possible Information Leak Vulnerability in Action View
Solution: upgrade to ~> 5.0.0.beta1.1, ~> 4.2.5.1, ~> 4.1.14.1, ~> 3.2.22.1

Name: activemodel
Version: 4.2.7.1
Advisory: CVE-2016-0753
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
Title: Possible Input Validation Circumvention in Active Model
Solution: upgrade to ~> 5.0.0.beta1.1, ~> 4.2.5.1, ~> 4.1.14.1

Name: activerecord
Version: 4.2.7.1
Advisory: CVE-2015-7577
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Title: Nested attributes rejection proc bypass in Active Record
Solution: upgrade to ~> 5.0.0.beta1.1, ~> 4.2.5.1, ~> 4.1.14.1, ~> 3.2.22.1

Vulnerabilities found!

Ref: https://app.zenhub.com/workspace/o/department-of-veterans-affairs/vets.gov-team/issues/11066

b00klegger commented 6 years ago

Wowser! Awesome feedback. Will get all this incorporated.

b00klegger commented 6 years ago

@wyattwalter Rewrote the pipeline using the declarative style, which supports post actions. Set up the cleanup stage in post - always. @omgitsbillryan Uncommented the bundle-audit steps and removed the throw(err). Any errors are caught and handled.
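An added example, not code from the veterans-employment-center project or from this PR, showing the triage step that the bundler-audit output pasted in the description calls for and that a "caught and handled" bundle-audit stage like the one described above could consume. It parses the report in the plain "Field: value" block layout seen in the description (that layout, and the handling of the `Solution: upgrade to` line, are assumptions about bundler-audit's text output), then re-evaluates each advertised requirement against the reported version with RubyGems' own Gem::Requirement. The two-finding report embedded below is a cut-down copy of the pasted one; the status names (:patched, :review_stale_range, :vulnerable) and the fail_build? policy are this example's own choices.

```ruby
# Added example (not code from the veterans-employment-center repo or PR #406):
# re-check bundler-audit findings against the advertised patched versions using
# RubyGems' own Gem::Version / Gem::Requirement, and separate findings that are
# merely outside a pessimistic (~>) range from versions genuinely below the fix.
require 'rubygems'

# Constructed input: two findings copied from the report pasted in the PR
# description, in bundler-audit's plain "Field: value" block layout (assumed).
SAMPLE_REPORT = <<~REPORT
  Name: actionpack
  Version: 4.2.7.1
  Advisory: CVE-2015-7581
  Criticality: Unknown
  URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
  Title: Object leak vulnerability for wildcard controller routes in Action Pack
  Solution: upgrade to ~> 4.2.5.1, ~> 4.1.14.1

  Name: activerecord
  Version: 4.2.7.1
  Advisory: CVE-2015-7577
  Criticality: Unknown
  URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
  Title: Nested attributes rejection proc bypass in Active Record
  Solution: upgrade to ~> 5.0.0.beta1.1, ~> 4.2.5.1, ~> 4.1.14.1, ~> 3.2.22.1

  Vulnerabilities found!
REPORT

# Parse one "Field: value" block into a finding hash; nil for non-finding text
# such as the trailing "Vulnerabilities found!" line.
def parse_block(block)
  fields = block.lines.map(&:strip).select { |l| l.include?(': ') }
                .map { |l| l.split(/:\s+/, 2) }.to_h
  return nil unless fields['Name'] && fields['Version'] && fields['Solution']

  {
    name: fields['Name'],
    version: fields['Version'],
    advisory: fields['Advisory'],
    # "upgrade to ~> 4.2.5.1, ~> 4.1.14.1" -> ["~> 4.2.5.1", "~> 4.1.14.1"]
    solutions: fields['Solution'].sub(/\Aupgrade to\s+/, '').split(/,\s*/)
  }
end

def parse_report(text)
  text.split(/\n\s*\n/).map { |b| parse_block(b) }.compact
end

# Classify a reported version against the patched-version requirements.
#   :patched            - some requirement is satisfied (bundler-audit should not fire)
#   :review_stale_range - at or above the patched floor of the same x.y branch but
#                         excluded by the ~> cap; likely a stale range, verify by hand
#   :vulnerable         - below the floor on its branch, or no patched release on it
def classify(version_str, solutions)
  version = Gem::Version.new(version_str)
  return :patched if solutions.any? { |s| Gem::Requirement.new(s).satisfied_by?(version) }

  floors = solutions.map { |s| Gem::Version.new(s.split(/\s+/).last) }
  branch_floor = floors.find { |f| f.segments[0, 2] == version.segments[0, 2] }
  (branch_floor && version >= branch_floor) ? :review_stale_range : :vulnerable
end

# advisory id -> status, for the whole report
def triage(text)
  parse_report(text).map { |f| [f[:advisory], classify(f[:version], f[:solutions])] }.to_h
end

# Build policy (this example's choice): only confirmed-vulnerable findings fail;
# :review_stale_range findings are surfaced for a human, not treated as errors.
def fail_build?(results)
  results.value?(:vulnerable)
end

if $PROGRAM_NAME == __FILE__
  results = triage(SAMPLE_REPORT)
  results.each { |adv, status| puts "#{adv}: #{status}" }
  puts(fail_build?(results) ? 'audit: FAIL' : 'audit: PASS (review items above)')
end
```

The point of the classification is the pessimistic operator: `~> 4.2.5.1` means >= 4.2.5.1 and < 4.2.6, so 4.2.7.1 sits above the patched floor on the same 4.2 branch yet outside the advertised range, and bundler-audit reports it. A version below its branch's floor (4.2.4 against `~> 4.2.5.1`) or on a branch with no patched release at all (4.0.x) is still classed :vulnerable and fails the build.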

b00klegger commented 6 years ago

Whoo-hoo! Christmas in September