Pinning ansible version (#494)

* Pinning ansible version

* Updating redhat to 8.4-200.1622548483, adding --skip-dirs to trivy

* Adding keys.openpgp.org keyserver

Author: nwang92

.circleci/config.yml

@@ -86,7 +86,7 @@ jobs:
             mkdir -p trivy-results
             for image in ./workspace_cache/*.tar; do
               [ -e "$image" ] || continue
-              ./trivy image --exit-code 1 --format template --template "@contrib/junit.tpl" -o trivy-results/`basename $image`.xml --ignore-unfixed --severity "HIGH,CRITICAL" --no-progress -i "$image"
+              ./trivy image --exit-code 1 --format template --vuln-type os --template "@contrib/junit.tpl" -o trivy-results/`basename $image`.xml --ignore-unfixed --severity "HIGH,CRITICAL" --no-progress -i "$image"
             done
       - store_test_results:
           path: trivy-results

.trivyignore

@@ -1,9 +1,3 @@
-# These are coming from the file below, but it's not actually installed in the container
-# /usr/lib/python3.7/site-packages/ansible_collections/netbox/netbox/poetry.lock
-CVE-2020-36242
-CVE-2020-14343
-CVE-2021-29510
-
 # Downgraded to LOW severity by the Product Security team as the packages are not actually
 # shipped with the release.
 # SPL-203200

base/debian-10/install.sh

@@ -32,8 +32,8 @@ ln -sf /usr/share/zoneinfo/UTC /etc/localtime
 # Install utility packages
 apt-get install -y --no-install-recommends curl sudo libgssapi-krb5-2 busybox procps acl gcc make \
                                            libffi-dev libssl-dev make build-essential libbz2-dev \
-                                           wget xz-utils ca-certificates zlib1g-dev python3-apt \
-                                           p11-kit lz4
+                                           wget xz-utils ca-certificates zlib1g-dev python3-apt p11-kit lz4 \
+                                           libhogweed4=3.4.1-1+deb10u1 libgnutls30=3.6.7-4+deb10u7 libgcrypt20=1.8.4-5+deb10u1
 
 # Install Python and necessary packages
 PY_SHORT=${PYTHON_VERSION%.*}
@@ -65,7 +65,7 @@ cp apt_inst.cpython-37m-${ARCH}-linux-gnu.so apt_inst.so
 rm -rf /tmp/python3-apt
 # Install splunk-ansible dependencies
 cd /
-pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible jmespath --upgrade
+pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 urllib3==1.26.5 jmespath --upgrade
 # Remove tests packaged in python libs
 find /usr/lib/ -depth \( -type d -a -not -wholename '*/ansible/plugins/test' -a \( -name test -o -name tests -o -name idle_test \) \) -exec rm -rf '{}' \;
 find /usr/lib/ -depth \( -type f -a -name '*.pyc' -o -name '*.pyo' -o -name '*.a' \) -exec rm -rf '{}' \;

base/debian-9/install.sh

@@ -39,7 +39,8 @@ PY_SHORT=${PYTHON_VERSION%.*}
 wget -O /tmp/python.tgz https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz
 wget -O /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz.asc
 apt-get install dirmngr -y
-gpg --keyserver pool.sks-keyservers.net --recv-keys $PYTHON_GPG_KEY_ID \
+gpg --keyserver keys.openpgp.org --recv-keys $PYTHON_GPG_KEY_ID \
+    || gpg --keyserver pool.sks-keyservers.net --recv-keys $PYTHON_GPG_KEY_ID \
     || gpg --keyserver pgp.mit.edu --recv-keys $PYTHON_GPG_KEY_ID \
     || gpg --keyserver keyserver.pgp.com --recv-keys $PYTHON_GPG_KEY_ID
 gpg --verify /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc /tmp/python.tgz
@@ -65,7 +66,7 @@ cp apt_inst.cpython-35m-x86_64-linux-gnu.so apt_inst.so
 rm -rf /tmp/python3-apt
 # Install splunk-ansible dependencies
 cd /
-pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible jmespath --upgrade
+pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 urllib3==1.26.5 jmespath --upgrade
 # Remove tests packaged in python libs
 find /usr/lib/ -depth \( -type d -a -not -wholename '*/ansible/plugins/test' -a \( -name test -o -name tests -o -name idle_test \) \) -exec rm -rf '{}' \;
 find /usr/lib/ -depth \( -type f -a -name '*.pyc' -o -name '*.pyo' -o -name '*.a' \) -exec rm -rf '{}' \;

base/redhat-8/Dockerfile

@@ -16,7 +16,7 @@
 # the container catalog moved from registry.access.redhat.com to registry.redhat.io
 # So at some point before they deprecate the old registry we have to make sure that
 # we have access to the new registry and change where we pull the ubi image from.
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3-291
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4-200.1622548483
 
 LABEL name="splunk" \
       maintainer="support@splunk.com" \

base/redhat-8/install.sh

@@ -35,7 +35,8 @@ microdnf -y --nodocs update gnutls kernel-headers librepo libnghttp2 tzdata nett
 PY_SHORT=${PYTHON_VERSION%.*}
 wget -O /tmp/python.tgz https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz
 wget -O /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz.asc
-gpg --keyserver pool.sks-keyservers.net --recv-keys $PYTHON_GPG_KEY_ID \
+gpg --keyserver keys.openpgp.org --recv-keys $PYTHON_GPG_KEY_ID \
+    || gpg --keyserver pool.sks-keyservers.net --recv-keys $PYTHON_GPG_KEY_ID \
     || gpg --keyserver pgp.mit.edu --recv-keys $PYTHON_GPG_KEY_ID \
     || gpg --keyserver keyserver.pgp.com --recv-keys $PYTHON_GPG_KEY_ID
 gpg --verify /tmp/Python-gpg-sig-${PYTHON_VERSION}.tgz.asc /tmp/python.tgz
@@ -51,7 +52,7 @@ ln -sf /usr/bin/python${PY_SHORT} /usr/bin/python
 ln -sf /usr/bin/pip${PY_SHORT} /usr/bin/pip
 # Install splunk-ansible dependencies
 cd /
-pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 jmespath --upgrade
+pip -q --no-cache-dir install six wheel requests cryptography==3.3.2 ansible==3.4.0 urllib3==1.26.5 jmespath --upgrade
 # Remove tests packaged in python libs
 find /usr/lib/ -depth \( -type d -a -not -wholename '*/ansible/plugins/test' -a \( -name test -o -name tests -o -name idle_test \) \) -exec rm -rf '{}' \;
 find /usr/lib/ -depth \( -type f -a -name '*.pyc' -o -name '*.pyo' -o -name '*.a' \) -exec rm -rf '{}' \;

py23-image/centos-7/Dockerfile

@@ -22,4 +22,4 @@ RUN wget https://www.python.org/ftp/python/3.7.4/Python-3.7.4.tgz \
 RUN yum remove -y --setopt=tsflags=noscripts gcc openssl-devel bzip2-devel libffi-devel \
     && yum autoremove -y \
     && yum clean all
-RUN pip3 --no-cache-dir install ansible requests
+RUN pip3 --no-cache-dir install ansible==3.4.0 requests

py23-image/centos-8/Dockerfile

@@ -26,5 +26,5 @@ RUN wget https://www.python.org/ftp/python/3.7.4/Python-3.7.4.tgz \
 RUN yum remove -y --setopt=tsflags=noscripts gcc openssl-devel bzip2-devel libffi-devel \
     && yum autoremove -y \
     && yum clean all
-RUN pip3 --no-cache-dir install ansible requests \
+RUN pip3 --no-cache-dir install ansible==3.4.0 requests \
     && pip --no-cache-dir install pyyaml requests

py23-image/debian-10/Dockerfile

@@ -3,8 +3,9 @@ FROM ${SPLUNK_PRODUCT}-debian-10:latest
 USER root
 
 RUN apt-get update -y \
-    && apt-get install -y --no-install-recommends libpython-dev ansible python-pip python-requests python-jmespath python-yaml \
+    && apt-get install -y --no-install-recommends libpython-dev python-pip python-requests python-jmespath python-yaml \
     && ln -sf /usr/bin/python3.7 /usr/bin/python3 \
     && ln -sf /usr/bin/pip3.7 /usr/bin/pip3 \
     && ln -sf /usr/bin/python3.7 /usr/bin/python \
-    && ln -sf /usr/bin/pip3.7 /usr/bin/pip
+    && ln -sf /usr/bin/pip3.7 /usr/bin/pip \
+    && pip3 install --upgrade ansible==3.4.0

py23-image/debian-9/Dockerfile

@@ -3,8 +3,9 @@ FROM ${SPLUNK_PRODUCT}-debian-9:latest
 USER root
 
 RUN apt-get update -y \
-    && apt-get install -y --no-install-recommends libpython-dev ansible python-pip python-requests python-jmespath python-yaml \
+    && apt-get install -y --no-install-recommends libpython-dev python-pip python-requests python-jmespath python-yaml \
     && ln -sf /usr/bin/python3.7 /usr/bin/python3 \
     && ln -sf /usr/bin/pip3.7 /usr/bin/pip3 \
     && ln -sf /usr/bin/python3.7 /usr/bin/python \
-    && ln -sf /usr/bin/pip3.7 /usr/bin/pip
+    && ln -sf /usr/bin/pip3.7 /usr/bin/pip \
+    && pip3 install --upgrade ansible==3.4.0