This is an automated email from the ASF dual-hosted git repository.
danwatford pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new fb8973d728 Improved: Address security hotspot in Dockerfile (OFBIZ-12788)
fb8973d728 is described below
commit fb8973d7286b50e4e2c84a3b9db9a6e27a4297c8
Author: Daniel Watford <[email protected]>
AuthorDate: Fri Mar 31 17:16:19 2023 +0100
Improved: Address security hotspot in Dockerfile (OFBIZ-12788)
Per sonarcloud recommendation, ensure executable scripts are not writable
and left under the ownership of root.
---
Dockerfile | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 92cf2e0efc..3509fc2ff4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -68,9 +68,12 @@ RUN ["mkdir", "/ofbiz/runtime", "/ofbiz/config",
"/ofbiz/lib-extra"]
COPY --chmod=644 --chown=ofbiz:ofbiz VERSION .
RUN echo '${uiLabelMap.CommonJavaVersion}:' "$(java --version | grep Runtime |
sed 's/.*Runtime Environment //; s/ (build.*//;')" >> /ofbiz/VERSION
-COPY --chmod=755 --chown=ofbiz:ofbiz docker/docker-entrypoint.sh
docker/send_ofbiz_stop_signal.sh .
-COPY --chmod=644 --chown=ofbiz:ofbiz docker/disable-component.xslt .
-COPY --chmod=644 --chown=ofbiz:ofbiz docker/templates templates
+# Leave executable scripts owned by root and non-writable, addressing
sonarcloud rule,
+#
https://sonarcloud.io/organizations/apache/rules?open=docker%3AS6504&rule_key=docker%3AS6504
+COPY --chmod=555 docker/docker-entrypoint.sh docker/send_ofbiz_stop_signal.sh .
+
+COPY --chmod=444 docker/disable-component.xslt .
+COPY --chmod=444 docker/templates templates
EXPOSE 8443
EXPOSE 8009
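Review bot: the `COPY --chmod=444 docker/templates templates` line is the one to double-check, because BuildKit applies `--chmod` to the copied directory as well as to the files inside it, and a directory without the execute bit cannot be traversed by a non-root user, so a user such as ofbiz could be unable to open anything under templates even though every file in it is world-readable. Please confirm in the built image (for example `ls -ld /ofbiz/templates` and then reading one file from it as a non-root user) and, if the directory lands as mode 444, copy it with `--chmod=555` or copy it unchanged and tighten the file modes in a following RUN step. The rest of the hunk reads correctly: dropping `--chown=ofbiz:ofbiz` together with modes 555 and 444 leaves the two scripts and the XSLT owned by root, readable and executable by everyone but writable by nobody, which is exactly what the linked sonarcloud rule asks for. Minor style point: the added blank line between the script COPY and the XSLT COPY is inconsistent with the rest of this block, which keeps its COPY lines contiguous.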