SonarQube / SONAR-13901

Provide DoD-Approved docker images in Platform1

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 8.5
    • Component/s: None
    • Labels: None
    • Edition: Community
    • Production Notes: None

      Description

      WHY

      The USA Department of Defense (DoD) maintains a repository of images [https://software.af.mil/dsop/services/] that are accredited for use by DoD customers.

      Why can’t they use our standard Docker images?

      The DoD requires all approved containers to be built on approved and hardened base images, and requires the top software layers to undergo a thorough security scan. Software built on non-compliant base images, or with outstanding vulnerabilities that have been neither addressed nor justified, will not be approved for use by DoD customers.
      We decided to fully comply with a process for making SonarQube images available within this repository.

      What are the benefits?

      • Adopting DoD-compliant security scanning practices as part of our own release hardening will let us detect vulnerabilities in our own and dependent software that we were otherwise only learning of reactively.
      • Software that has gone through the approval process will not require customers to complete STIGs in order to run it. STIG requests from US Government customers represent a not-insignificant volume of Community threads and commercial support tickets.

      WHAT

      Resources

      We want to provide and support official images for all the SonarQube editions we already offer on DockerHub: SonarQube CE, DE and EE.

      HOW

      The current structure provided by the DoD has already been confirmed to work from a technical point of view.

      The majority of the changes that need to happen are process related, especially how we react to vulnerabilities that the DoD finds in our software.

      Technical Changes

      Take ownership of the repositories provided by the DoD:

      https://repo1.dsop.io/dsop/sonarsource/sonarqube

      The SonarQube repositories were originally created by RedHat contractors who no longer work for the DoD. They have since been adopted by internal DoD staff and should now become our responsibility as the vendor.

      For the most part no adaptations are needed, apart from:

      • The Docker healthcheck
        • Should be synced with what we have in the docker-healthcheck library
      • The scripts folder needs to be kept up to date with our docker repository
        • Implement a sync mechanism for vendor scripts using kpt and renovate

      Create a new repository for the DE in the same GitLab space as the other ones:

      • Follow the DoD's spec on this one
      • There is information about an internal DoD project for the DE, but to fully deliver we should create a new repository that is under our ownership

              People

              Assignee:
              tobias.trabelsi Tobias Trabelsi
              Reporter:
              tobias.trabelsi Tobias Trabelsi