From 1ba3b1c662d36e0d1be2c90502141ea52de6557b Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Tue, 21 Nov 2023 13:32:31 +0000 Subject: [PATCH 01/19] KASM-5262 update libssl --- src/ubuntu/install/squid/install/install_squid.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/ubuntu/install/squid/install/install_squid.sh b/src/ubuntu/install/squid/install/install_squid.sh index 87814e6..7901d7d 100644 --- a/src/ubuntu/install/squid/install/install_squid.sh +++ b/src/ubuntu/install/squid/install/install_squid.sh @@ -2,12 +2,17 @@ set -ex ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g') +if [[ "${ARCH}" == "arm64" ]]; then + LIBSSLURL="http://ports.ubuntu.com/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.20_arm64.deb" +else + LIBSSLURL="http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.20_amd64.deb" +fi # intall squid SQUID_COMMIT='1149fc830c7edcb383eec390cce2beba16befde5' if $(grep -q Jammy /etc/os-release) || $(grep -q Kali /etc/os-release) ; then wget -qO- https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/${SQUID_COMMIT}/output/kasm-squid-builder_${ARCH}.tar.gz | tar -xzf - -C / - wget https://kasm-ci.s3.amazonaws.com/libssl1.1.${ARCH}.deb + wget ${LIBSSLURL} -O libssl1.1.${ARCH}.deb dpkg -i libssl1.1.${ARCH}.deb rm -f libssl1.1.${ARCH}.deb elif [[ "${DISTRO}" != @(centos|oracle7|oracle8|oracle9|opensuse|fedora37|fedora38|rockylinux9|rockylinux8|almalinux9|almalinux8|alpine) ]] ; then @@ -39,7 +44,7 @@ elif [[ "${DISTRO}" == @(centos|oracle7) ]]; then elif [[ "${DISTRO}" == "alpine" ]]; then apk add --no-cache openssl1.1-compat elif grep -q bookworm /etc/os-release; then - wget https://kasm-ci.s3.amazonaws.com/libssl1.1.${ARCH}.deb + wget ${LIBSSLURL} -O libssl1.1.${ARCH}.deb dpkg -i libssl1.1.${ARCH}.deb rm -f libssl1.1.${ARCH}.deb fi From 5ba3e7307bcfeab27e175883ed519ca24570f75a Mon Sep 17 00:00:00 2001 
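Review bot: The added `wget ${LIBSSLURL} -O libssl1.1.${ARCH}.deb` line fetches the package over plain http:// and the next line installs it with `dpkg -i`, which performs no signature verification, so the build trusts whatever the mirror or the network path returns; the bookworm hunk further down repeats the same lines. Both URLs are already pinned to one exact build, so pin its digest as well and check it before installing, e.g. `echo "<sha256 placeholder>  libssl1.1.${ARCH}.deb" | sha256sum -c -` between the wget and `dpkg -i`, and quote the expansion as `wget "${LIBSSLURL}" -O "libssl1.1.${ARCH}.deb"`. A comment on the new `if`/`else` saying that this is the Focal openssl 1.1 build being installed onto Jammy/Kali/bookworm would also explain why the scanner later in this series needs a special case for it. The `if` block this sits in continues outside the hunk.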
From: Matthew McClaskey Date: Tue, 21 Nov 2023 15:56:09 +0000 Subject: [PATCH 02/19] test without layer squash --- dockerfile-kasm-core | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dockerfile-kasm-core b/dockerfile-kasm-core index bd090eb..945ded8 100644 --- a/dockerfile-kasm-core +++ b/dockerfile-kasm-core @@ -172,8 +172,8 @@ COPY ./src/ubuntu/install/cleanup $INST_SCRIPTS/cleanup/ RUN bash $INST_SCRIPTS/cleanup/cleanup.sh && rm -rf $INST_SCRIPTS/cleanup/ #### Runtime Stage #### -FROM scratch -COPY --from=base_layer / / +#FROM scratch +#COPY --from=base_layer / / ### Labels LABEL "org.opencontainers.image.authors"='Kasm Tech "info@kasmweb.com"' From d76366154a8b64797630fa7c302240ada46d466f Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Tue, 21 Nov 2023 18:10:52 +0000 Subject: [PATCH 03/19] try removing python3 --- src/common/startup_scripts/vnc_startup.sh | 10 ++++++---- src/ubuntu/install/cleanup/cleanup.sh | 3 +++ src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh | 1 - src/ubuntu/install/tools/install_tools.sh | 6 +++--- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/src/common/startup_scripts/vnc_startup.sh b/src/common/startup_scripts/vnc_startup.sh index ae1a14b..11822a4 100755 --- a/src/common/startup_scripts/vnc_startup.sh +++ b/src/common/startup_scripts/vnc_startup.sh 
@@ -349,10 +349,12 @@ if [[ -f $PASSWD_PATH ]]; then echo -e "\n--------- purging existing VNC password settings ---------" rm -f $PASSWD_PATH fi -VNC_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_PW}', '\$5\$kasm\$'));") -VNC_VIEW_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_VIEW_ONLY_PW}', '\$5\$kasm\$'));") -echo "kasm_user:${VNC_PW_HASH}:ow" > $PASSWD_PATH -echo "kasm_viewer:${VNC_VIEW_PW_HASH}:" >> $PASSWD_PATH +#VNC_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_PW}', '\$5\$kasm\$'));") +#VNC_VIEW_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_VIEW_ONLY_PW}', '\$5\$kasm\$'));") +#echo "kasm_user:${VNC_PW_HASH}:ow" > $PASSWD_PATH +#echo "kasm_viewer:${VNC_VIEW_PW_HASH}:" >> $PASSWD_PATH +echo -e "${VNC_PW}\n${VNC_PW}\n" | kasmvncpasswd -u kasm_user -wo +echo -e "${VNC_PW}\n${VNC_PW}\n" | kasmvncpasswd -u kasm_viewer -r chmod 600 $PASSWD_PATH diff --git a/src/ubuntu/install/cleanup/cleanup.sh b/src/ubuntu/install/cleanup/cleanup.sh index 0765e1b..cabf239 100644 --- a/src/ubuntu/install/cleanup/cleanup.sh +++ b/src/ubuntu/install/cleanup/cleanup.sh @@ -9,6 +9,9 @@ elif [[ "${DISTRO}" == @(almalinux8|almalinux9|fedora37|fedora38|oracle8|oracle9 elif [ "${DISTRO}" == "opensuse" ]; then zypper clean --all elif [[ "${DISTRO}" == @(debian|kali|parrotos5|ubuntu) ]]; then + # Uninstall unneccesary/vulnerable packages + apt remove -y ipp-usb #KASM-5266 + apt-get autoremove -y apt-get autoclean -y fi diff --git a/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh b/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh index c2456a3..5c2bd6d 100644 --- a/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh +++ b/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh @@ -157,7 +157,6 @@ elif [[ "${DISTRO}" == "alpine" ]] ; then perl-datetime-timezone \ pixman \ py3-xdg \ - python3 \ setxkbmap \ xauth \ xf86-video-amdgpu \ 
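Review bot: The second added line feeds `${VNC_PW}` to `kasmvncpasswd -u kasm_viewer`, whereas the line it replaces hashed `${VNC_VIEW_ONLY_PW}` for kasm_viewer, so the view-only account silently receives the full password and VNC_VIEW_ONLY_PW is no longer honoured. `echo -e` also interprets backslash sequences inside the password; `printf '%s\n%s\n' "${VNC_VIEW_ONLY_PW}" "${VNC_VIEW_ONLY_PW}" | kasmvncpasswd -u kasm_viewer -r` (and the same `printf` form for kasm_user) passes the value byte-for-byte. The four commented-out python3 lines are dead code now and can be dropped rather than kept alongside the replacement. The script continues outside the hunk.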
diff --git a/src/ubuntu/install/tools/install_tools.sh b/src/ubuntu/install/tools/install_tools.sh index da4506b..f5c21e4 100644 --- a/src/ubuntu/install/tools/install_tools.sh +++ b/src/ubuntu/install/tools/install_tools.sh @@ -3,12 +3,12 @@ set -e echo "Install some common tools for further installation" if [[ "${DISTRO}" == @(centos|oracle7) ]] ; then - yum install -y vim wget net-tools bzip2 python3 ca-certificates bc + yum install -y vim wget net-tools bzip2 ca-certificates bc elif [[ "${DISTRO}" == @(fedora37|fedora38|oracle8|oracle9|rockylinux9|rockylinux8|almalinux8|almalinux9) ]]; then - dnf install -y wget net-tools bzip2 python3 tar vim hostname procps-ng bc + dnf install -y wget net-tools bzip2 tar vim hostname procps-ng bc elif [ "${DISTRO}" == "opensuse" ]; then sed -i 's/download.opensuse.org/mirrorcache-us.opensuse.org/g' /etc/zypp/repos.d/*.repo - zypper install -yn wget net-tools bzip2 python3 tar vim gzip iputils bc + zypper install -yn wget net-tools bzip2 tar vim gzip iputils bc elif [ "${DISTRO}" == "alpine" ]; then apk add --no-cache \ ca-certificates \ From a7c5411959c922a68ff87ca8a6e3e14e94b54590 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Tue, 21 Nov 2023 20:20:53 +0000 Subject: [PATCH 04/19] add squash layers back in, add trivy --- ci-scripts/download-trivy | 14 ++++++++ ci-scripts/gitlab-ci.template | 60 +++++++++++++++++++++++++++++++++++ ci-scripts/junit.tpl | 31 ++++++++++++++++++ ci-scripts/scan | 36 +++++++++++++++++++++ dockerfile-kasm-core | 4 +-- 5 files changed, 143 insertions(+), 2 deletions(-) create mode 100644 ci-scripts/download-trivy create mode 100644 ci-scripts/junit.tpl create mode 100644 ci-scripts/scan diff --git a/ci-scripts/download-trivy b/ci-scripts/download-trivy new file mode 100644 index 0000000..d31fb93 --- /dev/null +++ b/ci-scripts/download-trivy 
@@ -0,0 +1,14 @@ +#!/bin/bash + +set -euo pipefail + +TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') +echo "$TRIVY_VERSION" +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +trivy_dir="${SCRIPT_DIR}/trivy" +rm -rf $trivy_dir +mkdir $trivy_dir +cd $trivy_dir +wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -O - | tar -zxvf - + +cp "${SCRIPT_DIR}/junit.tpl" "${SCRIPT_DIR}/trivy/contrib/" \ No newline at end of file diff --git a/ci-scripts/gitlab-ci.template b/ci-scripts/gitlab-ci.template index 68babc8..c837b6a 100644 --- a/ci-scripts/gitlab-ci.template +++ b/ci-scripts/gitlab-ci.template 
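Review bot: download-trivy resolves TRIVY_VERSION from the `releases/latest` API and pipes the tarball straight into `tar`, with no checksum or signature check and no version pin, so the scanner executed in CI is an unverified binary that silently changes from one pipeline to the next. Pin it (`TRIVY_VERSION="<pinned version placeholder>"`, or a CI variable with that default) and verify the archive against the release's published checksums before extracting, so a tampered or partial download fails the job rather than surfacing later. The `rm -rf $trivy_dir`, `mkdir $trivy_dir` and `cd $trivy_dir` lines expand an unquoted path derived from the checkout location; `rm -rf -- "${trivy_dir:?}"` and quoting the other two is the safe form. The file also lacks a trailing newline.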
@@ -127,6 +127,66 @@ test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: retry: 1 {% endfor %} +###################################### +# Vulnerability Scans # +###################################### +{% for IMAGE in multiImages %} +scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: + stage: scan + when: always + script: + - apk add bash + - (cd ci-scripts && bash download-trivy) + - bash ci/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID} + {% if FILE_LIMITS %}only: + changes: + {% for FILE in files %}- {{ FILE }} + {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} + {% endfor %}{% endif %} + except: + variables: + - $README_USERNAME + - $README_PASSWORD + - $DOCKERHUB_REVERT + - $REVERT_IS_ROLLING + needs: + - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} + when: on_success + tags: + - oci-fixed-amd + retry: 1 + parallel: + matrix: + - ARCH: [ "x86_64", "aarch64" ] +{% endfor %} + +{% for IMAGE in singleImages %} +scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: + stage: scan + when: always + script: + - apk add bash + - (cd ci-scripts && bash download-trivy) + - bash ci/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID} + {% if FILE_LIMITS %}only: + changes: + {% for FILE in files %}- {{ FILE }} + {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} + {% endfor %}{% endif %} + except: + variables: + - $README_USERNAME + - $README_PASSWORD + - $DOCKERHUB_REVERT + - $REVERT_IS_ROLLING + needs: + - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} + when: on_success + tags: + - oci-fixed-amd + retry: 1 +{% endfor %} + ############################################ # Manifest Containers if their test passed # ############################################ diff --git a/ci-scripts/junit.tpl b/ci-scripts/junit.tpl new file mode 100644 index 0000000..e3d95fa --- /dev/null +++ b/ci-scripts/junit.tpl 
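Review bot: In the multiImages scan job the `parallel: matrix: ARCH` variable is never used: the image reference is built with `$(arch)`, which evaluates on the runner, and both matrix entries carry `tags: - oci-fixed-amd`, which appears to pin them to an amd64 runner, so both jobs scan the x86_64 image and the aarch64 image is never scanned. Use the matrix value in the reference instead: `- bash ci/scan image ${ORG_NAME}/image-cache-private:${ARCH}-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}`. The build jobs this `needs:` presumably use the same matrix naming; they start before the hunk, so confirm the ARCH values line up with their tags.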
@@ -0,0 +1,31 @@ + + +{{- range . -}} +{{- $failures := len .Vulnerabilities }} + + {{- if not (eq .Type "") }} + + + + {{- end -}} + {{ range .Vulnerabilities }} + + <{{ if .FixedVersion -}}error{{- else -}}skipped{{- end }} message="{{ escapeXML .Title }}" type="description">Upgrade {{ .PkgName }} to {{ .FixedVersion }} - {{ escapeXML .Description }} + + {{- end }} + +{{- $failures := len .Misconfigurations }} + + {{- if not (eq .Type "") }} + + + + {{- end -}} + {{ range .Misconfigurations }} + + {{ escapeXML .Description }} + + {{- end }} + +{{- end }} + \ No newline at end of file diff --git a/ci-scripts/scan b/ci-scripts/scan new file mode 100644 index 0000000..b5f0977 --- /dev/null +++ b/ci-scripts/scan @@ -0,0 +1,36 @@ +#!/bin/bash + +set -eo pipefail + +build_report() { + $trivy_cmd --exit-code 0 --format template --template "@/$trivy_dir/contrib/junit.tpl" -o "$source_dir/trivy-report.xml" "$target" + #$trivy_cmd --exit-code 0 --format json -o "$source_dir/report.json" "$target" +} + +print_report_and_fail_on_vulnerabilities() { + $trivy_cmd --exit-code 1 "$target" +} + +scan_cmd="$1" +target="$2" +if [[ -z "$scan_cmd" || -z "$target" ]]; then + echo >&2 "Usage: $(basename "$0") " + exit 1 +fi + +case "$scan_cmd" in + repo) options="--scanners config,secret,vuln" ;; + image) options="--scanners vuln" ;; + *) options="--scanners vuln,config,secret" ;; +esac + +set -u +set -x + +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +trivy_dir="${SCRIPT_DIR}/trivy" +trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --cache-dir $HOME/.trivycache $options" +source_dir="${CI_PROJECT_DIR:-$trivy_dir}" + +build_report +#print_report_and_fail_on_vulnerabilities \ No newline at end of file diff --git a/dockerfile-kasm-core b/dockerfile-kasm-core index 945ded8..bd090eb 100644 --- a/dockerfile-kasm-core +++ b/dockerfile-kasm-core 
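Review bot: The job can never fail on findings: `build_report` runs trivy with `--exit-code 0` and the only gating call, `print_report_and_fail_on_vulnerabilities`, is left commented out on the last line, so downstream stages cannot tell a CRITICAL result from a clean one. If report-only is the intended first step, record it, e.g. `# report-only for now: enable print_report_and_fail_on_vulnerabilities to gate the pipeline`, and drive the `--exit-code 1` path from a variable rather than a comment. `trivy_cmd` and `options` are also strings that rely on unquoted word-splitting, so `$trivy_dir/trivy` and `--cache-dir $HOME/.trivycache` break on a space; `trivy_cmd=("$trivy_dir/trivy" "$scan_cmd" --no-progress --cache-dir "$HOME/.trivycache" $options)` invoked as `"${trivy_cmd[@]}"` avoids that.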
@@ -172,8 +172,8 @@ COPY ./src/ubuntu/install/cleanup $INST_SCRIPTS/cleanup/ RUN bash $INST_SCRIPTS/cleanup/cleanup.sh && rm -rf $INST_SCRIPTS/cleanup/ #### Runtime Stage #### -#FROM scratch -#COPY --from=base_layer / / +FROM scratch +COPY --from=base_layer / / ### Labels LABEL "org.opencontainers.image.authors"='Kasm Tech "info@kasmweb.com"' From 2d0192593b23d5bcf756bad3be708d64b13dc50c Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Tue, 21 Nov 2023 20:25:58 +0000 Subject: [PATCH 05/19] wip trivy --- ci-scripts/gitlab-ci.template | 1 + 1 file changed, 1 insertion(+) diff --git a/ci-scripts/gitlab-ci.template b/ci-scripts/gitlab-ci.template index c837b6a..0f81187 100644 --- a/ci-scripts/gitlab-ci.template +++ b/ci-scripts/gitlab-ci.template @@ -8,6 +8,7 @@ stages: - readme - revert - build + - scan - test - manifest variables: From 69cd026a7a3cdd9fd7d4a38103f4ab1ae23fd176 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Tue, 21 Nov 2023 20:34:09 +0000 Subject: [PATCH 06/19] wip trivvy --- ci-scripts/gitlab-ci.template | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci-scripts/gitlab-ci.template b/ci-scripts/gitlab-ci.template index 0f81187..8faed46 100644 --- a/ci-scripts/gitlab-ci.template +++ b/ci-scripts/gitlab-ci.template @@ -138,7 +138,7 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: script: - apk add bash - (cd ci-scripts && bash download-trivy) - - bash ci/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID} + - bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID} {% if FILE_LIMITS %}only: changes: {% for FILE in files %}- {{ FILE }} 
@@ -168,7 +168,7 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: script: - apk add bash - (cd ci-scripts && bash download-trivy) - - bash ci/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID} + - bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID} {% if FILE_LIMITS %}only: changes: {% for FILE in files %}- {{ FILE }} From c6eb1b14af96e2314d0f11ca454663ac7de9a826 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Tue, 21 Nov 2023 20:41:40 +0000 Subject: [PATCH 07/19] wip trivvy --- ci-scripts/gitlab-ci.template | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ci-scripts/gitlab-ci.template b/ci-scripts/gitlab-ci.template index 8faed46..e685a89 100644 --- a/ci-scripts/gitlab-ci.template +++ b/ci-scripts/gitlab-ci.template @@ -156,6 +156,10 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: tags: - oci-fixed-amd retry: 1 + artifacts: + reports: + junit: + - $CI_PROJECT_DIR/trivy-report.xml parallel: matrix: - ARCH: [ "x86_64", "aarch64" ] @@ -182,6 +186,10 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: - $REVERT_IS_ROLLING needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} + artifacts: + reports: + junit: + - $CI_PROJECT_DIR/trivy-report.xml when: on_success tags: - oci-fixed-amd From c5269e2e276eb9e9286861473036761146cfa448 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Wed, 22 Nov 2023 14:07:43 +0000 Subject: [PATCH 08/19] KASM-5269 update trivvy junit template, upgrade packages on base images --- ci-scripts/junit.tpl | 2 +- dockerfile-kasm-core-alpine | 4 ++++ dockerfile-kasm-core-suse | 4 ++++ .../install/package_rules/package_rules.sh | 16 ++++++++++++++++ 4 files changed, 25 insertions(+), 1 deletion(-) diff --git a/ci-scripts/junit.tpl b/ci-scripts/junit.tpl index e3d95fa..00e2aa7 100644 --- a/ci-scripts/junit.tpl +++ b/ci-scripts/junit.tpl 
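Review bot: Both added `artifacts: reports: junit:` blocks rely on the default `artifacts:when: on_success`, so once the scan script is switched to fail on findings the report will be dropped exactly when it is most needed. Add `when: always` under `artifacts:` in both jobs, i.e. `artifacts:` / `  when: always` / `  reports:`. In the singleImages job the block is also inserted between `needs:` and the job-level `when: on_success`, which reads oddly; keeping the key order identical to the multiImages job would make the two definitions easier to diff.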
@@ -10,7 +10,7 @@ {{- end -}} {{ range .Vulnerabilities }} - <{{ if .FixedVersion -}}error{{- else -}}skipped{{- end }} message="{{ escapeXML .Title }}" type="description">Upgrade {{ .PkgName }} to {{ .FixedVersion }} - {{ escapeXML .Description }} + <{{ if not .FixedVersion -}}passed{{- else if (eq .Vulnerability.Severity "CRITICAL") -}}failure{{- else if (eq .Vulnerability.Severity "HIGH") -}}error{{- else -}}skipped{{- end }} message="{{ escapeXML .Title }}" type="description">Upgrade {{ .PkgName }} to {{ .FixedVersion }} - {{ escapeXML .Description }} {{- end }} diff --git a/dockerfile-kasm-core-alpine b/dockerfile-kasm-core-alpine index f7a9483..8654d58 100644 --- a/dockerfile-kasm-core-alpine +++ b/dockerfile-kasm-core-alpine @@ -41,6 +41,10 @@ ENV DISTRO=$DISTRO \ WORKDIR $HOME RUN mkdir -p $HOME/Desktop +### Setup package rules +COPY ./src/ubuntu/install/package_rules $INST_SCRIPTS/package_rules/ +RUN bash $INST_SCRIPTS/package_rules/package_rules.sh && rm -rf $INST_SCRIPTS/package_rules/ + ### Install custom fonts COPY ./src/ubuntu/install/fonts $INST_SCRIPTS/fonts/ RUN bash $INST_SCRIPTS/fonts/install_custom_fonts.sh && rm -rf $INST_SCRIPTS/fonts/ diff --git a/dockerfile-kasm-core-suse b/dockerfile-kasm-core-suse index f5997c6..457318d 100644 --- a/dockerfile-kasm-core-suse +++ b/dockerfile-kasm-core-suse @@ -45,6 +45,10 @@ ENV HOME=/home/kasm-default-profile \ WORKDIR $HOME RUN mkdir -p $HOME/Desktop +### Setup package rules +COPY ./src/ubuntu/install/package_rules $INST_SCRIPTS/package_rules/ +RUN bash $INST_SCRIPTS/package_rules/package_rules.sh && rm -rf $INST_SCRIPTS/package_rules/ + ### Install custom fonts COPY ./src/ubuntu/install/fonts $INST_SCRIPTS/fonts/ RUN bash $INST_SCRIPTS/fonts/install_custom_fonts.sh && rm -rf $INST_SCRIPTS/fonts/ diff --git a/src/ubuntu/install/package_rules/package_rules.sh b/src/ubuntu/install/package_rules/package_rules.sh index 0a50182..d24f31b 100644 --- a/src/ubuntu/install/package_rules/package_rules.sh 
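Review bot: The new `not .FixedVersion` branch emits a `passed` child element, which is not part of the JUnit testcase schema (a testcase is a pass when it has no failure/error/skipped child), so depending on the consumer those entries will be ignored or rejected; emitting no child element for that case, or keeping `skipped`, is safer. The mapping also sends fixable MEDIUM and LOW findings to `skipped`, which is a reporting policy decision that deserves a one-line comment in the template. The enclosing testcase markup appears to have been stripped in this rendering, so the exact element nesting could not be checked here.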
+++ b/src/ubuntu/install/package_rules/package_rules.sh @@ -18,3 +18,19 @@ elif [[ "${DISTRO}" == @(centos|oracle7) ]]; then yum reinstall -y \ glibc-common fi + +echo "Upgrading packages from upstream base image" +if [[ "${DISTRO}" == @(centos|oracle7) ]] ; then + yum update -y +elif [[ "${DISTRO}" == @(fedora37|fedora38|oracle8|oracle9|rockylinux9|rockylinux8|almalinux8|almalinux9) ]]; then + dnf upgrade -y --refresh +elif [ "${DISTRO}" == "opensuse" ]; then + zypper --non-interactive patch --auto-agree-with-licenses +elif [ "${DISTRO}" == "alpine" ]; then + apk update + apk add --upgrade apk-tools + apk upgrade --available +else + apt-get update + DEBIAN_FRONTEND=noninteractive apt-get upgrade -y +fi \ No newline at end of file From 65aa157d24b7990bb276aa617a1247af551380c2 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Wed, 22 Nov 2023 15:51:05 +0000 Subject: [PATCH 09/19] trivvy filtering --- ci-scripts/scan | 2 +- ci-scripts/vulnerability-filter.rego | 50 ++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 ci-scripts/vulnerability-filter.rego diff --git a/ci-scripts/scan b/ci-scripts/scan index b5f0977..4c93d17 100644 --- a/ci-scripts/scan +++ b/ci-scripts/scan @@ -29,7 +29,7 @@ set -x SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) trivy_dir="${SCRIPT_DIR}/trivy" -trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --cache-dir $HOME/.trivycache $options" +trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-unfixed --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options" source_dir="${CI_PROJECT_DIR:-$trivy_dir}" build_report diff --git a/ci-scripts/vulnerability-filter.rego b/ci-scripts/vulnerability-filter.rego new file mode 100644 index 0000000..71be791 --- /dev/null +++ b/ci-scripts/vulnerability-filter.rego 
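Review bot: The new apt branch is the `else` fallthrough, so any DISTRO value not matched above (including a typo) runs `apt-get update`/`upgrade`; mirroring the explicit `@(debian|kali|parrotos5|ubuntu)` pattern used in cleanup.sh would make an unknown distro fail loudly instead. The zypper branch uses `patch`, which applies only packages with published patches rather than the full update the other branches perform — if that is deliberate, a short comment would help, especially since the suse step is reverted at the end of this series. The file also ends without a trailing newline.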
@@ -0,0 +1,50 @@ +package trivy + +import data.lib.trivy + +default ignore = false + +# KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros +ignore { + input.PkgName == "libssl1.1" + input.InstalledVersion == "1.1.1f-1ubuntu2.20" + + # Evaluate CWE-ID + deny_vulnerability_ids := { + "CVE-2021-3449", + "CVE-2021-3711", + "CVE-2022-0778", + "CVE-2022-3602", + "CVE-2022-3786", + "CVE-2023-0286", + "CVE-2021-3712", + "CVE-2021-4044", + "CVE-2022-1292", + "CVE-2022-1343", + "CVE-2022-2068", + "CVE-2022-2097", + "CVE-2022-4203", + "CVE-2022-4304", + "CVE-2022-4450", + "CVE-2023-0215", + "CVE-2023-0216", + "CVE-2023-0217", + "CVE-2023-0401", + "CVE-2023-2650", + "CVE-2023-5363", + "CVE-2021-23840", + "CVE-2022-1434", + "CVE-2022-1473", + "CVE-2022-3358", + "CVE-2022-3996", + "CVE-2023-0464", + "CVE-2023-0465", + "CVE-2023-0466", + "CVE-2023-1255", + "CVE-2023-2975", + "CVE-2023-3446", + "CVE-2023-3817" + } + + input.VulnerabilityID == deny_vulnerability_ids[_] +} \ No newline at end of file From c7847a59c1ea7d412755f6b39470aae02200ef70 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Wed, 22 Nov 2023 16:23:13 +0000 Subject: [PATCH 10/19] wip --- .gitlab-ci.yml | 1 + ci-scripts/gitlab-ci.template | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 634e91f..9b06fac 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -10,6 +10,7 @@ stages: variables: KASM_RELEASE: "1.14.0" TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.7f3582.tar.gz" + RUN_VULNERABILITY_SCANS: "false" before_script: - export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')" diff --git a/ci-scripts/gitlab-ci.template b/ci-scripts/gitlab-ci.template index e685a89..8a54c77 100644 --- a/ci-scripts/gitlab-ci.template +++ b/ci-scripts/gitlab-ci.template 
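Review bot: The comment `# Evaluate CWE-ID` above the set is wrong — the set holds CVE IDs matched against `input.VulnerabilityID` — and the rule records no justification for why each of the 33 entries is a false positive for 1.1.1f-1ubuntu2.20 (presumably fixes backported in that Ubuntu build that the scanner cannot see when the .deb is installed on a non-Focal base, but the file does not say so). Replace the comment with that rationale and the source consulted, e.g. `# CVEs already fixed in Ubuntu Focal openssl 1.1.1f-1ubuntu2.20 (see <USN reference placeholder>); re-flagged because the .deb is installed on Jammy/Kali/bookworm`, so the list can be re-audited when the pin changes. Pinning `input.InstalledVersion` is the right shape since the exemption expires on the next package bump.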
@@ -153,6 +153,8 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} when: on_success + rules: + - if: ($RUN_VULNERABILITY_SCANS == "true" || $CI_COMMIT_BRANCH == "develop") tags: - oci-fixed-amd retry: 1 @@ -186,6 +188,8 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: - $REVERT_IS_ROLLING needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} + rules: + - if: ($RUN_VULNERABILITY_SCANS == "true" || $CI_COMMIT_BRANCH == "develop") artifacts: reports: junit: From 37c8fb5f40192c433b852bd08d76757c3abe2835 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Wed, 22 Nov 2023 16:55:49 +0000 Subject: [PATCH 11/19] add rules for when to scan --- .gitlab-ci.yml | 1 - ci-scripts/gitlab-ci.template | 34 ++++++++++++++++++++-------------- 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9b06fac..634e91f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -10,7 +10,6 @@ stages: variables: KASM_RELEASE: "1.14.0" TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.7f3582.tar.gz" - RUN_VULNERABILITY_SCANS: "false" before_script: - export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')" diff --git a/ci-scripts/gitlab-ci.template b/ci-scripts/gitlab-ci.template index 8a54c77..771e044 100644 --- a/ci-scripts/gitlab-ci.template +++ b/ci-scripts/gitlab-ci.template 
@@ -144,17 +144,19 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} {% endfor %}{% endif %} - except: - variables: - - $README_USERNAME - - $README_PASSWORD - - $DOCKERHUB_REVERT - - $REVERT_IS_ROLLING + rules: + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + when: never + - if: $CI_COMMIT_BRANCH =~ /^release\/.*$/ + when: always + - if: $CI_COMMIT_BRANCH == "develop" + when: always + - if: $CI_PIPELINE_SOURCE == "schedule" + when: always + - when: manual needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} when: on_success - rules: - - if: ($RUN_VULNERABILITY_SCANS == "true" || $CI_COMMIT_BRANCH == "develop") tags: - oci-fixed-amd retry: 1 @@ -180,12 +182,16 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} {% endfor %}{% endif %} - except: - variables: - - $README_USERNAME - - $README_PASSWORD - - $DOCKERHUB_REVERT - - $REVERT_IS_ROLLING + rules: + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + when: never + - if: $CI_COMMIT_BRANCH =~ /^release\/.*$/ + when: always + - if: $CI_COMMIT_BRANCH == "develop" + when: always + - if: $CI_PIPELINE_SOURCE == "schedule" + when: always + - when: manual needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} rules: From 3303760b80fe4c8a9c68d1e21578652e93b8ce31 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Wed, 22 Nov 2023 16:57:46 +0000 Subject: [PATCH 12/19] wip --- ci-scripts/gitlab-ci.template | 6 ------ 1 file changed, 6 deletions(-) diff --git a/ci-scripts/gitlab-ci.template b/ci-scripts/gitlab-ci.template index 771e044..ca9cc64 100644 --- a/ci-scripts/gitlab-ci.template +++ b/ci-scripts/gitlab-ci.template @@ -134,7 +134,6 @@ test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: {% for IMAGE in multiImages %} scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: scan - when: always script: - apk add bash - (cd ci-scripts && bash download-trivy) 
@@ -156,7 +155,6 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: - when: manual needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} - when: on_success tags: - oci-fixed-amd retry: 1 @@ -172,7 +170,6 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: {% for IMAGE in singleImages %} scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: scan - when: always script: - apk add bash - (cd ci-scripts && bash download-trivy) @@ -194,13 +191,10 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: - when: manual needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} - rules: - - if: ($RUN_VULNERABILITY_SCANS == "true" || $CI_COMMIT_BRANCH == "develop") artifacts: reports: junit: - $CI_PROJECT_DIR/trivy-report.xml - when: on_success tags: - oci-fixed-amd retry: 1 From eae04604e197b4d272211212a22753cda8b99fd9 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Wed, 22 Nov 2023 17:04:57 +0000 Subject: [PATCH 13/19] wip --- ci-scripts/gitlab-ci.template | 30 ++++++++++-------------------- 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/ci-scripts/gitlab-ci.template b/ci-scripts/gitlab-ci.template index ca9cc64..4bba0a2 100644 --- a/ci-scripts/gitlab-ci.template +++ b/ci-scripts/gitlab-ci.template 
@@ -138,19 +138,14 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: - apk add bash - (cd ci-scripts && bash download-trivy) - bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID} - {% if FILE_LIMITS %}only: - changes: - {% for FILE in files %}- {{ FILE }} - {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} - {% endfor %}{% endif %} rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" when: never - - if: $CI_COMMIT_BRANCH =~ /^release\/.*$/ - when: always - - if: $CI_COMMIT_BRANCH == "develop" - when: always - - if: $CI_PIPELINE_SOURCE == "schedule" + - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule") + {% if FILE_LIMITS %}changes: + {% for FILE in files %}- {{ FILE }} + {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} + {% endfor %}{% endif %} when: always - when: manual needs: @@ -174,19 +169,14 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: - apk add bash - (cd ci-scripts && bash download-trivy) - bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID} - {% if FILE_LIMITS %}only: - changes: - {% for FILE in files %}- {{ FILE }} - {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} - {% endfor %}{% endif %} rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" when: never - - if: $CI_COMMIT_BRANCH =~ /^release\/.*$/ - when: always - - if: $CI_COMMIT_BRANCH == "develop" - when: always - - if: $CI_PIPELINE_SOURCE == "schedule" + - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule") + {% if FILE_LIMITS %}changes: + {% for FILE in files %}- {{ FILE }} + {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} + {% endfor %}{% endif %} when: always - when: manual needs: 
From cda41bf89fefa5753fbadba04ce7a4056969eb5e Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Wed, 22 Nov 2023 17:13:20 +0000 Subject: [PATCH 14/19] allow force scanning all containers --- .gitlab-ci.yml | 1 + ci-scripts/gitlab-ci.template | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 634e91f..0bba9c8 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -10,6 +10,7 @@ stages: variables: KASM_RELEASE: "1.14.0" TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.7f3582.tar.gz" + SCAN_CONTAINERS: "true" before_script: - export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')" diff --git a/ci-scripts/gitlab-ci.template b/ci-scripts/gitlab-ci.template index 4bba0a2..051c4bb 100644 --- a/ci-scripts/gitlab-ci.template +++ b/ci-scripts/gitlab-ci.template @@ -141,7 +141,7 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" when: never - - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule") + - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true") {% if FILE_LIMITS %}changes: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} @@ -172,7 +172,7 @@ scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" when: never - - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule") + - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true") {% if FILE_LIMITS %}changes: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} 
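Review bot: `SCAN_CONTAINERS: "true"` is set as a project-level default in .gitlab-ci.yml, so the new `|| $SCAN_CONTAINERS == "true"` clause is always true and the branch and schedule conditions in both rules become redundant — every non-MR pipeline that touches the listed files now scans. If the intent is a manual override, default it to `"false"` and set it when triggering a pipeline; if the intent is to always scan, simplify the rule to the `changes:` filter and drop the other conditions. Either way a comment next to the variable stating what it controls would help the next reader.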
From 16c44916af3ae8a2ac5e1af05097c48288689cf5 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Fri, 24 Nov 2023 17:08:40 +0000 Subject: [PATCH 15/19] tweaks to vuln filters, add code quality --- .gitlab-ci.yml | 4 ++++ ci-scripts/scan | 2 +- ci-scripts/vulnerability-filter.rego | 6 ++++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0bba9c8..2ed93ad 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -4,6 +4,10 @@ image: docker:24.0.6 services: - docker:24.0.6-dind + +include: + - template: Code-Quality.gitlab-ci.yml + stages: - template - run diff --git a/ci-scripts/scan b/ci-scripts/scan index 4c93d17..65fe469 100644 --- a/ci-scripts/scan +++ b/ci-scripts/scan @@ -29,7 +29,7 @@ set -x SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) trivy_dir="${SCRIPT_DIR}/trivy" -trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-unfixed --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options" +trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-status will_not_fix,fix_deferred --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options" #--ignore-unfixed --severity HIGH,CRITICAL,MEDIUM source_dir="${CI_PROJECT_DIR:-$trivy_dir}" build_report diff --git a/ci-scripts/vulnerability-filter.rego b/ci-scripts/vulnerability-filter.rego index 71be791..6de740b 100644 --- a/ci-scripts/vulnerability-filter.rego +++ b/ci-scripts/vulnerability-filter.rego @@ -4,6 +4,12 @@ import data.lib.trivy default ignore = false +# Ignore unfixed low and medium +ignore { + not input.FixedVersion + input.Severity == {"LOW", "MEDIUM"}[_] +} + # KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros ignore { input.PkgName == "libssl1.1" From f91e0771068af459ca760073517abba3ded6605e Mon Sep 17 00:00:00 2001 
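Review bot: The new `ignore` rule suppresses every unfixed LOW and MEDIUM finding with no comment explaining the policy or when it should be revisited, and it lands in the same commit as the `--ignore-status will_not_fix,fix_deferred` flag in ci-scripts/scan, so the effective exclusion set is now split across two files. Add a comment above the rule, e.g. `# Policy: unfixed LOW/MEDIUM are accepted risk; will_not_fix/fix_deferred are dropped by --ignore-status in ci-scripts/scan`. Also confirm that `not input.FixedVersion` behaves as intended when the field is present but empty — `not` only succeeds on an undefined or false value, so an empty-string FixedVersion would not match. The trailing `#--ignore-unfixed --severity HIGH,CRITICAL,MEDIUM` fragment left on the trivy_cmd line in scan is dead text and should move to its own comment line or be removed.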
From: Matthew McClaskey Date: Fri, 24 Nov 2023 19:11:42 +0000 Subject: [PATCH 16/19] wip --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2ed93ad..cd59db8 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -11,6 +11,7 @@ include: stages: - template - run + - test variables: KASM_RELEASE: "1.14.0" TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.7f3582.tar.gz" From 656289b02658bf12bdb930d2a89c745afa9bfd60 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Fri, 24 Nov 2023 20:24:06 +0000 Subject: [PATCH 17/19] fix removal of ipp-usb when not installed --- src/ubuntu/install/cleanup/cleanup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ubuntu/install/cleanup/cleanup.sh b/src/ubuntu/install/cleanup/cleanup.sh index cabf239..6ae1af8 100644 --- a/src/ubuntu/install/cleanup/cleanup.sh +++ b/src/ubuntu/install/cleanup/cleanup.sh @@ -10,7 +10,7 @@ elif [ "${DISTRO}" == "opensuse" ]; then zypper clean --all elif [[ "${DISTRO}" == @(debian|kali|parrotos5|ubuntu) ]]; then # Uninstall unneccesary/vulnerable packages - apt remove -y ipp-usb #KASM-5266 + dpkg --purge ipp-usb #KASM-5266 apt-get autoremove -y apt-get autoclean -y From b514b31eac5ce3acb1e29c33320bea9d271ae8c6 Mon Sep 17 00:00:00 2001 From: Richard Koliser Date: Mon, 4 Dec 2023 11:07:08 -0500 Subject: [PATCH 18/19] KASM-5269 Convert tabs to spaces --- ci-scripts/vulnerability-filter.rego | 68 ++++++++++++++-------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/ci-scripts/vulnerability-filter.rego b/ci-scripts/vulnerability-filter.rego index 6de740b..bd6c653 100644 --- a/ci-scripts/vulnerability-filter.rego +++ b/ci-scripts/vulnerability-filter.rego 
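Review bot: `dpkg --purge ipp-usb` sidesteps apt's dependency resolution: if anything still depends on ipp-usb dpkg refuses and, if the script runs under `set -e`, aborts the build, while the not-installed case only works because dpkg downgrades it to a warning. An explicit guard keeps apt in charge and makes the no-op case visible: `if dpkg -s ipp-usb >/dev/null 2>&1; then apt-get purge -y ipp-usb; fi`. The comment above it also misspells "unnecessary".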
@@ -12,45 +12,45 @@ ignore { # KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros ignore { - input.PkgName == "libssl1.1" + input.PkgName == "libssl1.1" input.InstalledVersion == "1.1.1f-1ubuntu2.20" - # Evaluate CWE-ID - deny_vulnerability_ids := { - "CVE-2021-3449", - "CVE-2021-3711", + # Evaluate CWE-ID + deny_vulnerability_ids := { + "CVE-2021-3449", + "CVE-2021-3711", "CVE-2022-0778", "CVE-2022-3602", "CVE-2022-3786", "CVE-2023-0286", - "CVE-2021-3712", - "CVE-2021-4044", - "CVE-2022-1292", - "CVE-2022-1343", - "CVE-2022-2068", - "CVE-2022-2097", - "CVE-2022-4203", - "CVE-2022-4304", - "CVE-2022-4450", - "CVE-2023-0215", - "CVE-2023-0216", - "CVE-2023-0217", - "CVE-2023-0401", - "CVE-2023-2650", - "CVE-2023-5363", - "CVE-2021-23840", - "CVE-2022-1434", - "CVE-2022-1473", - "CVE-2022-3358", - "CVE-2022-3996", - "CVE-2023-0464", - "CVE-2023-0465", - "CVE-2023-0466", - "CVE-2023-1255", - "CVE-2023-2975", - "CVE-2023-3446", - "CVE-2023-3817" - } + "CVE-2021-3712", + "CVE-2021-4044", + "CVE-2022-1292", + "CVE-2022-1343", + "CVE-2022-2068", + "CVE-2022-2097", + "CVE-2022-4203", + "CVE-2022-4304", + "CVE-2022-4450", + "CVE-2023-0215", + "CVE-2023-0216", + "CVE-2023-0217", + "CVE-2023-0401", + "CVE-2023-2650", + "CVE-2023-5363", + "CVE-2021-23840", + "CVE-2022-1434", + "CVE-2022-1473", + "CVE-2022-3358", + "CVE-2022-3996", + "CVE-2023-0464", + "CVE-2023-0465", + "CVE-2023-0466", + "CVE-2023-1255", + "CVE-2023-2975", + "CVE-2023-3446", + "CVE-2023-3817" + } - input.VulnerabilityID == deny_vulnerability_ids[_] + input.VulnerabilityID == deny_vulnerability_ids[_] } \ No newline at end of file From febdac697165d417dac77987ce3a098d217e51c7 Mon Sep 17 00:00:00 2001 From: Matthew McClaskey Date: Mon, 4 Dec 2023 19:27:51 +0000 Subject: [PATCH 19/19] fix opensuse --- dockerfile-kasm-core-suse | 4 ---- 1 file changed, 4 deletions(-) diff --git a/dockerfile-kasm-core-suse b/dockerfile-kasm-core-suse index 457318d..f5997c6 100644 
--- a/dockerfile-kasm-core-suse
+++ b/dockerfile-kasm-core-suse
@@ -45,10 +45,6 @@ ENV HOME=/home/kasm-default-profile \
 WORKDIR $HOME
 RUN mkdir -p $HOME/Desktop
 
-### Setup package rules
-COPY ./src/ubuntu/install/package_rules $INST_SCRIPTS/package_rules/
-RUN bash $INST_SCRIPTS/package_rules/package_rules.sh && rm -rf $INST_SCRIPTS/package_rules/
-
 ### Install custom fonts
 COPY ./src/ubuntu/install/fonts $INST_SCRIPTS/fonts/
 RUN bash $INST_SCRIPTS/fonts/install_custom_fonts.sh && rm -rf $INST_SCRIPTS/fonts/