
grouper-users - Re: [grouper-users] containerized grouper noob questions

Subject: Grouper Users - Open Discussion List

  • From: Darren Boss <>
  • To: "Hyzer, Chris" <>
  • Cc: Baron Fujimoto <>, Grouper Users <>
  • Subject: Re: [grouper-users] containerized grouper noob questions
  • Date: Sat, 4 Jul 2020 07:54:43 -0400

This seems to be a popular tool these days for automating the scanning for vulnerabilities in container images. It is best incorporated during the image build process, but I think it can also be effectively used outside of building the image as well.

https://github.com/arminc/clair-scanner

On Fri, Jul 3, 2020, 3:26 PM Hyzer, Chris <> wrote:
We could list this on the release notes page if you like so it's easy to see, but yeah, right now you would have to go in and look. If you wanted to maintain that in a subimage, you could yum update the java, and you could unzip the latest 7.0.* tomee. OK?

thanks
Chris

From: Baron Fujimoto <>
Sent: Friday, July 3, 2020 1:27 PM
To: Hyzer, Chris <>
Cc: Grouper Users <>
Subject: Re: [grouper-users] containerized grouper noob questions
 
On Fri, Jul 03, 2020 at 06:25:23AM +0000, Hyzer, Chris wrote:
>>
>> As I understand it on a really high level, the container is a collection of all of the
>> components that Grouper will need. With our current deployment, we independently manage
>> those components, such as Tomcat and Java. A significant part of managing those components
>> is tracking their versions, particularly with an eye towards relevant bug and security
>> patches. How do we identify and track these versions with the Grouper containers?
>
>1. If there is an issue that is not addressed in a container, tell me about it and we can make a new container
>2. -or- you can make a subimage that upgrades or replaces part of the container
>
>As soon as 2.5.30 is released (which is delayed since it's substantial, and should be out in the next week or two), we will go back to release approximately every other week
>
>> I think I understand that any such patches get incorporated into new container versions,
>> but how do we perform the risk assessment for currently deployed containers? Generally I'm
>> trying to determine how we respond to our security groups when they come asking about vulnerabilities.
>
>Was this answered in the above answer?  It's similar to what you would do today I would think...  if you want a schedule for upgrades, then you need to make a new image on that schedule I think

Not quite, I'm afraid. I mean, currently, as new vulnerabilities are disclosed in, say, Java or Tomcat, there's typically some way to perform a risk assessment for your deployments based on the version #s and other supplementary information they provide. But how do you determine what versions of these components are included in the Grouper containers (say, short of looking for logged information on startup or something like that)? Or perhaps, non-security-wise, some features or configuration options may only be available for certain versions of Tomcat, for example.

>> Is there a difference between the TIER/ITAP(?) containers and those available via the
>> Grouper site? My cursory Googling seems to turn up Grouper 2.4 associated with TIER,
>> but the Grouper site features 2.5? I'm a little unclear on the relationship.
>
>There's one container for Grouper.  Anything else is for training or integration POCs and is a subimage of the Grouper container...
>
>Good luck!

--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
