added final details

Author: LePhanHN

.DS_Store

@@ -0,0 +1,135 @@
+# Catalog-fed-ramp
+The following folder contains guidelines and examples on how to create scorecards based on custom attributes, as an example to meet FIPS compliance.  See https://harness.atlassian.net/wiki/spaces/IE1/pages/22281127180/IDP+PS+Best+Practice+Implementations for case studies.
+
+The scorecards are being reviewed by development team each week, and OPA policies will be eventually used to warn or enforce from deployment until dev team fixes defects to be in federal compliance.
+
+The score card will be relying on several custom attributes to pass:
+
+metadata.cve.warn
+metadata.cve.fail
+metadata.baseImage.compliance
+metadata.fips.compliance
+
+These attributes are populated using 3 pipelines to test the service Dockerfile, Jira tickets, and deployed image.  The pipelines run once a day for each registered service to update these flags.  Timestamp attributes are stamped for each execution.
+
+In this example, the pipelines are store in infra-harness repo, along with python scripts, and catalog-info.yaml.  But there should be logic to allow overrides to use catalog-info.yaml residing in the service repo.
+
+# Catalog 
+Catalog file is centralized in a repo managed by Infra team, or it could be maintained by each development team owning the service.  However, the pipeline that performs the checks should be owned by infra or security team.
+
+Here is an example of a typical registration of catalog component.
+
+```yaml
+# see https://developer.harness.io/docs/internal-developer-portal/catalog/how-to-create-idp-yaml/
+
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+# name of the service
+  name: test-service
+# tags - python/go/nodejs/java and fedramp are required for the scorecard to include only fedramp tags (exclusion rule does not exist yet)
+  tags:
+    - auto-generated
+    - python
+    - fedramp
+# useful links
+  links:
+    - url: https://app.harness.io/ng/account/xyz/module/cd/orgs/demo/projects/testervice/overview
+      title: Deployment Dashboard
+      icon: dashboard
+ # recommended annotations
+  annotations:
+# source code location for catalog-info.yaml, omit if move to service repo
+    backstage.io/source-location: url:https://github.com/acme/test-service
+# service repository
+    github.com/project-slug: acme/test-service
+# jira project key
+    jira/project-key: xyz
+# optional jira component
+    jira/component: xyz-service
+# technical doc 
+    backstage.io/techdocs-ref: url:https://github.com/acme/test-service
+# project url required for feature flag plugin
+    harness.io/project-url: https://app.harness.io/ng/account/xyz/all/orgs/xyz/projects/testservice
+# serviceId required for listing CD and also used in OPA 
+    harness.io/cd-serviceId: testserviceid    
+# numerate pipelines as needed (cd-serviceId list its default pipelines)
+    harness.io/pipelines: |
+      All in One Pipeline: 
+      Daily Security Scans: https://app.harness.io/ng/account/xyz/module/ci/orgs/demo/projects/testservice/pipelines/Daily_Security_Scan...
+# enumerate services as needed (cd-serviceId list its default service)
+    harness.io/services: |
+      test-service: http://...
+# optional jql warn / fail override (custom)
+    acme/cve-warn: 'project = <<projectKey>> AND type = CVE AND "CVE SLA: Due date[Date]" >= endOfDay() AND "CVE SLA: Due date[Date]" <= 5d AND statusCategory != Done'
+    acme/cve-fail: 'project = <<projectKey>> and type = CVE and "CVE SLA: Due date[Date]" < endOfDay() AND statusCategory != Done'
+
+
+spec:
+  type: service
+  lifecycle: staging
+# claim owner
+  owner: devops_usergroup
+# optional reference to grpc definition
+  providesApis:
+    - test-service-grpc-api  
+```
+
+## Python scripts 
+
+# common.py
+Contains commonly used python functions used across scripts:
+
+extract_image_and_tag - extracts the Dockerfile's image_name and tag.  Requires stage name to be labelled.
+
+fetch_catalog_attributes - reads the catalog info and extract any custom info from catalog info using annotations acme/docker-path and tags for languages
+
+updateCatalogAttributes - very useful fucntion to update IDP catalog attributes 
+
+determine_catalog_path - determines where to pull catalog info yaml, either from service repo path ./harness/idp/catalog-info.yaml or from harness-infra repo (the repo hosting all the catalog-info.yaml owned by infra or security team)
+
+# Base tag compliance check
+docker-basetag-check.py inspects the Dockerfile looking for specific stage tags, and inspects whether the image used matches the ones defined in compliant_image function. The results are posted back to IDP catalog.
+
+# CVE check
+jira-cve-check-dir.py iterates through the catalog configuration file for warn / fail overrides (use default jql query defined in the code otherwise), and post queries to Jira.  Results are updated into IDP catalog.
+
+
+# fetch-repo-default-branch.py
+Queries GITHUB to determine a service's default branch (main or master for example).
+
+# checks language FIPs compliance
+fips-validator.py uses different logic to check if the image built by the service passes compliance for different languages.  It examines the service's helm chart, determine the image built, pulls the image.  It will perform MD5 tests for nodejs and python.  It will check for specific attributes in the docker image for labels matching chain guard inages.  Chain guard images are useful for fed compliance.
+
+# experimental
+docker-image-fips.py is an experimental docker n docker build and execute commands.  Deprecated.  Uses fips subfolder for docker n docker build as an example
+
+# catalog-cve-scorecard.yaml
+Pipeline to pull information from Jira to populate cve ticket violates into IDP
+
+# dockerverifications-pipeline.yaml
+Pipeline to very base image used
+
+# fips-pipeline.yaml
+Examine the helm chart in the service repo to pull the latest image, to check for FIPS compliance for different languages
+
+# Custom checks for score card
+# Fips compliance check
+Catalog Info YAML 
+Equal to TRUE
+jexl: <+metadata.fips.compliance>
+
+# Base Image Compliance
+Catalog Info YAML 
+Equal to TRUE
+jexl: <+metadata.baseImage.compliance>
+
+# CVE Fail
+Catalog Info YAML 
+Equal to 0
+jexl: <+metadata.cve.fail>
+
+# CVE Warn
+Catalog Info YAML 
+Equal to 0
+jexl: <+metadata.cve.warn>

idp-pipelines/catalog-fed-ramp/Readme.md

@@ -0,0 +1,172 @@
+import os
+import re
+import argparse
+from datetime import datetime, timezone
+from common import updateCatalogAttributes, extract_image_and_tag, fetch_service_path
+import sys
+import requests
+import yaml
+import docker
+import subprocess
+
+
+def determine_image_language(dockerfile_path: str, fromstages: list):
+    """
+    Determine the language from the matching stages
+    :param dockerfile_path (str): Path to the Dockerfile
+    :param fromstages (list): list of strings to filter
+    :return: Boolean if crypto program executed successfully
+    """
+    for stage in fromstages:
+        image, tag = extract_image_and_tag(dockerfile_path, stage)
+        print(f"   stage: {stage} image: {image} tag: {tag}")
+        # return first match
+        if image != None and image.startswith("datarobotdev/platform-base-python"):
+            return "python", image, tag
+        if image != None and image.startswith("datarobotdev/platform-base-go"):
+            return "go", image, tag
+        if image != None and image.startswith("datarobotdev/platform-base-node"):
+            return "nodejs", image, tag
+        if image != None and image.startswith("datarobotdev/platform-base-java"):
+            return "java", image, tag
+
+    return None, None, None
+
+
+def fips_build_check(language: str, image: str, tag: str, base_path: str):
+    """
+    An example to build docker in docker to run crypto test
+    :param language (str): Programming language (go, nodejs, python)
+    :param image (str): The image to test
+    :param tag (str): The tag to pull
+    :param base_path (str): The basedirectory holding the harness-infra repo
+    :return: Boolean if crypto program executed successfully
+    """
+    client = docker.from_env()
+    image_pull = f"{image}:{tag}"
+    try:
+        # pull the image
+        image = client.images.pull(image_pull)
+        print(f"Successfully pulled {image_pull}")
+
+        # grab image config and lables
+        image = client.images.get(image_pull)
+        labels = image.attrs.get("Config", {}).get("Labels", {})
+        configs = image.attrs.get("Config", {})
+        print(f"Configs: {configs}")
+        print(f"Labels: {labels}")
+
+        # execute building image with test program
+        print("Running docker build...")
+        docker_command = [
+            "docker",
+            "build",
+            "--build-arg",
+            f"BASE_IMAGE={image_pull}",
+            "-t",
+            "fips-test",
+            f"{base_path}/harness-infra/idp/fips/{language}/.",
+        ]
+        exit_code = subprocess.call(docker_command)
+        if exit_code == 0:
+            print("Docker build succeeded.")
+        else:
+            print(f"Error occurred during Docker build. Exit code: {exit_code}")
+
+        # attempt to execute the built image
+        print("Running docker container...")
+        docker_command_run = ["docker", "run", "--rm", "fips-test"]
+        exit_code = subprocess.call(docker_command_run)
+        print(f"Docker run exited with code {exit_code}")
+
+        if exit_code == 0:
+            print("The container ran successfully.")
+            return True
+
+        print(f"An error occurred during Docker run. Exit code: {exit_code}")
+        return False
+
+    except docker.errors.APIError as e:
+        print(f"Error pulling image: {e}")
+    except docker.errors.ImageNotFound:
+        print(f"Image '{image_pull}' not found.")
+    except Exception as e:
+        print(f"An error occurred while retrieving image labels: {e}")
+
+
+def main():
+
+    parser = argparse.ArgumentParser(
+        description="Process a Dockerfile for FIPS checks."
+    )
+    parser.add_argument(
+        "--dockerfile_path",
+        type=str,
+        help="Absolute path to the Default docker path file (usually root dir of repo)",
+    )
+
+    parser.add_argument(
+        "--catalog_entity", type=str, help="example: component:default/demo-catalog-svc"
+    )
+
+    parser.add_argument("--harness_account_id", type=str, help="harness account id")
+
+    parser.add_argument("--harness_api_token", type=str, help="API Token")
+
+    parser.add_argument(
+        "--base_repo_path",
+        type=str,
+        help="Path to base folder holding repos",
+        default="/harness",
+    )
+
+    args = parser.parse_args()
+    base_path = args.base_repo_path
+    catalog_entity = args.catalog_entity
+    dockerfile_path = args.dockerfile_path
+    service_components = catalog_entity.split("/")
+    catalog_svc = service_components[1]
+
+    # check for custom configure path in catalog-info.yaml
+    print(f"BASE PATH: {base_path}  for SERVICE : {catalog_svc}")
+    relative_path, language_tag = fetch_service_path(base_path, catalog_svc)
+    dockerfile_path_cfg = f"/{base_path}/{catalog_svc}/{relative_path}"
+
+    # if the configure path exists for dockerfile use it instead
+    if relative_path != None and os.path.exists(dockerfile_path_cfg):
+        dockerfile_path = dockerfile_path_cfg
+    else:
+        print(f" configurepath not found using  default instead")
+
+    print(f"catalog_entity: {catalog_entity}   dockerfilePath: {dockerfile_path}")
+
+    # determine the language based on docker base tag
+    language, image, tag = determine_image_language(
+        dockerfile_path, ["build-release-stage", "runtime-stage", "runner", "base"]
+    )
+
+    print(f"    Image supporting language {language} {image} {tag}")
+
+    # test the image with crypto test
+    fips_compliance = fips_build_check(language, image, tag, base_path)
+
+    # use for local testing
+    # fips_compliance = fips_build_check ("python", "python", "slim-bullseye", base_path)
+
+    # prepare to update the catalog
+    harness_account_id = args.harness_account_id
+    harness_api_token = args.harness_api_token
+    properties_array = [
+        {"property": "metadata.fips.compliance", "value": fips_compliance}
+    ]
+
+    # update the catalog
+    # updateCatalogAttributes (harness_account_id,
+    #                        harness_api_token,
+    #                        catalog_entity,
+    #                        "metadata.fips.compliance",
+    #                        properties_array)
+
+
+if __name__ == "__main__":
+    main()

idp-pipelines/catalog-fed-ramp/docker-image-fips.py

@@ -0,0 +1,32 @@
+ARG BASE_IMAGE=debian:bullseye-slim
+
+# Stage 1: Build the Go program
+FROM golang:1.21 AS builder
+
+# Set the working directory
+WORKDIR /app
+
+# Copy the Go source code into the container
+COPY fips_check.go .
+COPY go.mod .
+
+# Download Go modules and build the application
+RUN go mod tidy
+RUN go build -o fips-checker fips_check.go
+
+# Stage 2: Testing the Go program
+FROM ${BASE_IMAGE} AS stage
+
+# Install dependencies (OpenSSL and others if needed)
+RUN apt-get update && \
+    apt-get install -y openssl gcc libssl-dev && \
+    rm -rf /var/lib/apt/lists/*
+
+# Set the working directory
+WORKDIR /app
+
+# Copy the built Go binary from the build stage
+COPY --from=builder /app/fips-checker .
+
+# Run the Go program
+CMD ["./fips-checker"]