From 8e5002c2d7cab1f6c941d77832c23320abfaabeb Mon Sep 17 00:00:00 2001 From: aldousalvarez Date: Tue, 21 Nov 2023 11:44:49 +0800 Subject: [PATCH] carbon accounting trivy scan --- .github/workflows/azure-container-scan.yaml | 38 +++ .github/workflows/trivy-container-scan.yaml | 52 ++++ .../package.json | 6 +- examples/carbon-accounting/Dockerfile | 9 +- examples/carbon-accounting/supervisord.conf | 2 +- .../package.json | 4 +- yarn.lock | 226 +++--------------- 7 files changed, 131 insertions(+), 206 deletions(-) create mode 100644 .github/workflows/azure-container-scan.yaml create mode 100644 .github/workflows/trivy-container-scan.yaml diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml new file mode 100644 index 00000000000..1ad619520ae --- /dev/null +++ b/.github/workflows/azure-container-scan.yaml @@ -0,0 +1,38 @@ +name: azure-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + build-secure-and-push: + name: Scan cactus-example-carbon-accounting image + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2.4.0 + env: + # (Required) The token to use to make API calls to GitHub. + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + + - uses: actions/checkout@v1 + - name: Login to DockerHub Registry + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + + + - name: Build Images from Dockerfile + run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting + + - uses: Azure/container-scan@v0.1 + name: Scan image for vulnerabilities + id: container-scan + continue-on-error: true + with: + image-name: cactus-example-carbon-accounting \ No newline at end of file diff --git a/.github/workflows/trivy-container-scan.yaml b/.github/workflows/trivy-container-scan.yaml new file mode 100644 index 00000000000..ced5b34198a --- /dev/null +++ b/.github/workflows/trivy-container-scan.yaml @@ -0,0 +1,52 @@ +name: trivy-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + + build: + name: Scan cactus-example-carbon-accounting table image + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting + - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-example-carbon-accounting' + format: 'table' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + build2: + name: Scan cactus-example-carbon-accounting json image + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Build an image from Dockerfile + run: | + DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-example-carbon-accounting' + format: 'json' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' \ No newline at end of file diff --git a/examples/cactus-example-carbon-accounting-backend/package.json b/examples/cactus-example-carbon-accounting-backend/package.json index 8a4056de1e5..adfe4272565 100644 --- a/examples/cactus-example-carbon-accounting-backend/package.json +++ b/examples/cactus-example-carbon-accounting-backend/package.json @@ -76,13 +76,17 @@ "devDependencies": { "@types/express": "4.17.19", "@types/fs-extra": "9.0.13", + "@types/http-cache-semantics": "^4", "@types/json-stable-stringify": "1.0.34", + "@types/qs": "^6", "@types/uuid": "8.3.4", "express-jwt": "8.4.1", "hardhat": "2.17.2", + "http-cache-semantics": "4.1.1", "http-status-codes": "2.1.4", "jose": "4.9.2", - "json-stable-stringify": "1.0.2" + "json-stable-stringify": "1.0.2", + "qs": "6.7.3" }, "engines": { "node": ">=10", diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile index 89c203dbe59..ff50c12f9cd 100644 --- a/examples/carbon-accounting/Dockerfile +++ b/examples/carbon-accounting/Dockerfile @@ -33,12 +33,11 @@ WORKDIR ${APP} SHELL ["/bin/bash", "--login", "-i", "-c"] # Installing Node Version Manager (nvm) -RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash +RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash RUN source ~/.bashrc && \ - nvm install 16.15.1 && \ - npm install -g yarn && \ - yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production - + nvm install 20.9.0 && \ + nvm use 20.9.0 && \ + npm install @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.2 SHELL ["/bin/bash", "--login", "-c"] diff --git a/examples/carbon-accounting/supervisord.conf b/examples/carbon-accounting/supervisord.conf index f4349a038c4..e21c123a9ca 100644 --- a/examples/carbon-accounting/supervisord.conf +++ b/examples/carbon-accounting/supervisord.conf @@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log stdout_logfile=/usr/src/app/log/dockerd.out.log [program:carbon-accounting-app] -command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js +command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js autostart=true autorestart=unexpected exitcodes=0 diff --git a/packages/cactus-plugin-persistence-ethereum/package.json b/packages/cactus-plugin-persistence-ethereum/package.json index e9e54247b01..828e01a08bd 100644 --- a/packages/cactus-plugin-persistence-ethereum/package.json +++ b/packages/cactus-plugin-persistence-ethereum/package.json @@ -77,8 +77,8 @@ "@openapitools/openapi-generator-cli": "2.7.0", "@types/express": "4.17.19", "@types/pg": "8.6.5", - "body-parser": "1.19.0", - "express": "4.17.1", + "body-parser": "1.20.2", + "express": "4.18.2", "jest-extended": "4.0.1", "npm-run-all": "4.1.5", "rxjs": "7.8.1", diff --git a/yarn.lock b/yarn.lock index 3e81a4e1d8c..330d6f756f2 100644 --- a/yarn.lock +++ b/yarn.lock @@ -6847,17 +6847,21 @@ __metadata: "@openzeppelin/contracts-upgradeable": 4.9.3 "@types/express": 4.17.19 "@types/fs-extra": 9.0.13 + "@types/http-cache-semantics": ^4 "@types/json-stable-stringify": 1.0.34 + "@types/qs": ^6 "@types/uuid": 8.3.4 async-exit-hook: 2.0.1 express-jwt: 8.4.1 fabric-network: 2.2.19 fs-extra: 10.1.0 hardhat: 2.17.2 + http-cache-semantics: 4.1.1 http-status-codes: 2.1.4 jose: 4.9.2 json-stable-stringify: 1.0.2 openapi-types: 9.1.0 + qs: 6.7.3 typescript-optional: 2.0.1 uuid: 8.3.2 web3-core: 1.6.1 @@ -7812,7 +7816,7 @@ __metadata: "@hyperledger/cactus-test-tooling": 2.0.0-alpha.2 "@types/express": 4.17.20 "@types/uuid": 9.0.6 - axios: 1.5.1 + axios: 1.6.0 body-parser: 1.20.2 cbor: 9.0.1 express: 4.18.2 @@ -7978,8 +7982,8 @@ __metadata: "@types/pg": 8.6.5 async-mutex: 0.4.0 axios: 1.6.0 - body-parser: 1.19.0 - express: 4.17.1 + body-parser: 1.20.2 + express: 4.18.2 jest-extended: 4.0.1 npm-run-all: 4.1.5 pg: 8.8.0 @@ -12905,6 +12909,13 @@ __metadata: languageName: node linkType: hard +"@types/http-cache-semantics@npm:^4": + version: 4.0.4 + resolution: "@types/http-cache-semantics@npm:4.0.4" + checksum: 7f4dd832e618bc1e271be49717d7b4066d77c2d4eed5b81198eb987e532bb3e1c7e02f45d77918185bad936f884b700c10cebe06305f50400f382ab75055f9e8 + languageName: node + linkType: hard + "@types/http-cache-semantics@npm:^4.0.1": version: 4.0.1 resolution: "@types/http-cache-semantics@npm:4.0.1" @@ -13490,6 +13501,13 @@ __metadata: languageName: node linkType: hard +"@types/qs@npm:^6": + version: 6.9.10 + resolution: "@types/qs@npm:6.9.10" + checksum: 3e479ee056bd2b60894baa119d12ecd33f20a25231b836af04654e784c886f28a356477630430152a86fba253da65d7ecd18acffbc2a8877a336e75aa0272c67 + languageName: node + linkType: hard + "@types/range-parser@npm:*": version: 1.2.4 resolution: "@types/range-parser@npm:1.2.4" @@ -14833,7 +14851,7 @@ __metadata: languageName: node linkType: hard -"accepts@npm:^1.3.5, accepts@npm:~1.3.7, accepts@npm:~1.3.8": +"accepts@npm:^1.3.5, accepts@npm:~1.3.8": version: 1.3.8 resolution: "accepts@npm:1.3.8" dependencies: @@ -17199,24 +17217,6 @@ __metadata: languageName: node linkType: hard -"body-parser@npm:1.19.0": - version: 1.19.0 - resolution: "body-parser@npm:1.19.0" - dependencies: - bytes: 3.1.0 - content-type: ~1.0.4 - debug: 2.6.9 - depd: ~1.1.2 - http-errors: 1.7.2 - iconv-lite: 0.4.24 - on-finished: ~2.3.0 - qs: 6.7.0 - raw-body: 2.4.0 - type-is: ~1.6.17 - checksum: 490231b4c89bbd43112762f7ba8e5342c174a6c9f64284a3b0fcabf63277e332f8316765596f1e5b15e4f3a6cf0422e005f4bb3149ed3a224bb025b7a36b9ac1 - languageName: node - linkType: hard - "body-parser@npm:1.20.1": version: 1.20.1 resolution: "body-parser@npm:1.20.1" @@ -17851,13 +17851,6 @@ __metadata: languageName: node linkType: hard -"bytes@npm:3.1.0": - version: 3.1.0 - resolution: "bytes@npm:3.1.0" - checksum: 7c3b21c5d9d44ed455460d5d36a31abc6fa2ce3807964ba60a4b03fd44454c8cf07bb0585af83bfde1c5cc2ea4bbe5897bc3d18cd15e0acf25a3615a35aba2df - languageName: node - linkType: hard - "bytes@npm:3.1.2": version: 3.1.2 resolution: "bytes@npm:3.1.2" @@ -19501,15 +19494,6 @@ __metadata: languageName: node linkType: hard -"content-disposition@npm:0.5.3": - version: 0.5.3 - resolution: "content-disposition@npm:0.5.3" - dependencies: - safe-buffer: 5.1.2 - checksum: 95bf164c0b0b8199d3f44b7631e51b37f683c6a90b9baa4315bd3d405a6d1bc81b7346f0981046aa004331fb3d7a28b629514d01fc209a5251573fc7e4d33380 - languageName: node - linkType: hard - "content-disposition@npm:0.5.4": version: 0.5.4 resolution: "content-disposition@npm:0.5.4" @@ -21472,13 +21456,6 @@ __metadata: languageName: node linkType: hard -"destroy@npm:~1.0.4": - version: 1.0.4 - resolution: "destroy@npm:1.0.4" - checksum: da9ab4961dc61677c709da0c25ef01733042614453924d65636a7db37308fef8a24cd1e07172e61173d471ca175371295fbc984b0af5b2b4ff47cd57bd784c03 - languageName: node - linkType: hard - "detect-file@npm:^1.0.0": version: 1.0.0 resolution: "detect-file@npm:1.0.0" @@ -24830,44 +24807,6 @@ __metadata: languageName: node linkType: hard -"express@npm:4.17.1": - version: 4.17.1 - resolution: "express@npm:4.17.1" - dependencies: - accepts: ~1.3.7 - array-flatten: 1.1.1 - body-parser: 1.19.0 - content-disposition: 0.5.3 - content-type: ~1.0.4 - cookie: 0.4.0 - cookie-signature: 1.0.6 - debug: 2.6.9 - depd: ~1.1.2 - encodeurl: ~1.0.2 - escape-html: ~1.0.3 - etag: ~1.8.1 - finalhandler: ~1.1.2 - fresh: 0.5.2 - merge-descriptors: 1.0.1 - methods: ~1.1.2 - on-finished: ~2.3.0 - parseurl: ~1.3.3 - path-to-regexp: 0.1.7 - proxy-addr: ~2.0.5 - qs: 6.7.0 - range-parser: ~1.2.1 - safe-buffer: 5.1.2 - send: 0.17.1 - serve-static: 1.14.1 - setprototypeof: 1.1.1 - statuses: ~1.5.0 - type-is: ~1.6.18 - utils-merge: 1.0.1 - vary: ~1.1.2 - checksum: d964e9e17af331ea6fa2f84999b063bc47189dd71b4a735df83f9126d3bb2b92e830f1cb1d7c2742530eb625e2689d7a9a9c71f0c3cc4dd6015c3cd32a01abd5 - languageName: node - linkType: hard - "express@npm:4.18.2, express@npm:^4.10.6, express@npm:^4.14.0, express@npm:^4.16.3, express@npm:^4.17.1, express@npm:^4.17.3": version: 4.18.2 resolution: "express@npm:4.18.2" @@ -25507,21 +25446,6 @@ __metadata: languageName: node linkType: hard -"finalhandler@npm:~1.1.2": - version: 1.1.2 - resolution: "finalhandler@npm:1.1.2" - dependencies: - debug: 2.6.9 - encodeurl: ~1.0.2 - escape-html: ~1.0.3 - on-finished: ~2.3.0 - parseurl: ~1.3.3 - statuses: ~1.5.0 - unpipe: ~1.0.0 - checksum: 617880460c5138dd7ccfd555cb5dde4d8f170f4b31b8bd51e4b646bb2946c30f7db716428a1f2882d730d2b72afb47d1f67cc487b874cb15426f95753a88965e - languageName: node - linkType: hard - "find-cache-dir@npm:^0.1.1": version: 0.1.1 resolution: "find-cache-dir@npm:0.1.1" @@ -28037,19 +27961,6 @@ __metadata: languageName: node linkType: hard -"http-errors@npm:1.7.2": - version: 1.7.2 - resolution: "http-errors@npm:1.7.2" - dependencies: - depd: ~1.1.2 - inherits: 2.0.3 - setprototypeof: 1.1.1 - statuses: ">= 1.5.0 < 2" - toidentifier: 1.0.0 - checksum: 5534b0ae08e77f5a45a2380f500e781f6580c4ff75b816cb1f09f99a290b57e78a518be6d866db1b48cca6b052c09da2c75fc91fb16a2fe3da3c44d9acbb9972 - languageName: node - linkType: hard - "http-errors@npm:2.0.0": version: 2.0.0 resolution: "http-errors@npm:2.0.0" @@ -28063,19 +27974,6 @@ __metadata: languageName: node linkType: hard -"http-errors@npm:~1.7.2": - version: 1.7.3 - resolution: "http-errors@npm:1.7.3" - dependencies: - depd: ~1.1.2 - inherits: 2.0.4 - setprototypeof: 1.1.1 - statuses: ">= 1.5.0 < 2" - toidentifier: 1.0.0 - checksum: a59f359473f4b3ea78305beee90d186268d6075432622a46fb7483059068a2dd4c854a20ac8cd438883127e06afb78c1309168bde6cdfeed1e3700eb42487d99 - languageName: node - linkType: hard - "http-https@npm:^1.0.0": version: 1.0.0 resolution: "http-https@npm:1.0.0" @@ -35080,13 +34978,6 @@ __metadata: languageName: node linkType: hard -"ms@npm:2.1.1": - version: 2.1.1 - resolution: "ms@npm:2.1.1" - checksum: 0078a23cd916a9a7435c413caa14c57d4b4f6e2470e0ab554b6964163c8a4436448ac7ae020e883685475da6b6796cc396b670f579cb275db288a21e3e57721e - languageName: node - linkType: hard - "ms@npm:2.1.2": version: 2.1.2 resolution: "ms@npm:2.1.2" @@ -39958,7 +39849,7 @@ __metadata: languageName: node linkType: hard -"proxy-addr@npm:~2.0.5, proxy-addr@npm:~2.0.7": +"proxy-addr@npm:~2.0.7": version: 2.0.7 resolution: "proxy-addr@npm:2.0.7" dependencies: @@ -40103,10 +39994,10 @@ __metadata: languageName: node linkType: hard -"qs@npm:6.7.0": - version: 6.7.0 - resolution: "qs@npm:6.7.0" - checksum: dfd5f6adef50e36e908cfa70a6233871b5afe66fbaca37ecc1da352ba29eb2151a3797991948f158bb37fccde51bd57845cb619a8035287bfc24e4591172c347 +"qs@npm:6.7.3": + version: 6.7.3 + resolution: "qs@npm:6.7.3" + checksum: c91046d3a648374d4cb98a872b69753a039a5d57f879bd56174b57d80014ab2bea4f7bcaa5db5e6c1ca7d2e29119b4f844125a082a0facf30adeb90e8e686078 languageName: node linkType: hard @@ -40244,18 +40135,6 @@ __metadata: languageName: node linkType: hard -"raw-body@npm:2.4.0": - version: 2.4.0 - resolution: "raw-body@npm:2.4.0" - dependencies: - bytes: 3.1.0 - http-errors: 1.7.2 - iconv-lite: 0.4.24 - unpipe: 1.0.0 - checksum: 6343906939e018c6e633a34a938a5d6d1e93ffcfa48646e00207d53b418e941953b521473950c079347220944dc75ba10e7b3c08bf97e3ac72c7624882db09bb - languageName: node - linkType: hard - "raw-body@npm:2.5.1": version: 2.5.1 resolution: "raw-body@npm:2.5.1" @@ -42518,27 +42397,6 @@ __metadata: languageName: node linkType: hard -"send@npm:0.17.1": - version: 0.17.1 - resolution: "send@npm:0.17.1" - dependencies: - debug: 2.6.9 - depd: ~1.1.2 - destroy: ~1.0.4 - encodeurl: ~1.0.2 - escape-html: ~1.0.3 - etag: ~1.8.1 - fresh: 0.5.2 - http-errors: ~1.7.2 - mime: 1.6.0 - ms: 2.1.1 - on-finished: ~2.3.0 - range-parser: ~1.2.1 - statuses: ~1.5.0 - checksum: d214c2fa42e7fae3f8fc1aa3931eeb3e6b78c2cf141574e09dbe159915c1e3a337269fc6b7512e7dfddcd7d6ff5974cb62f7c3637ba86a55bde20a92c18bdca0 - languageName: node - linkType: hard - "send@npm:0.18.0": version: 0.18.0 resolution: "send@npm:0.18.0" @@ -42650,18 +42508,6 @@ __metadata: languageName: node linkType: hard -"serve-static@npm:1.14.1": - version: 1.14.1 - resolution: "serve-static@npm:1.14.1" - dependencies: - encodeurl: ~1.0.2 - escape-html: ~1.0.3 - parseurl: ~1.3.3 - send: 0.17.1 - checksum: c6b268e8486d39ecd54b86c7f2d0ee4a38cd7514ddd9c92c8d5793bb005afde5e908b12395898ae206782306ccc848193d93daa15b86afb3cbe5a8414806abe8 - languageName: node - linkType: hard - "serve-static@npm:1.15.0": version: 1.15.0 resolution: "serve-static@npm:1.15.0" @@ -42738,13 +42584,6 @@ __metadata: languageName: node linkType: hard -"setprototypeof@npm:1.1.1": - version: 1.1.1 - resolution: "setprototypeof@npm:1.1.1" - checksum: a8bee29c1c64c245d460ce53f7460af8cbd0aceac68d66e5215153992cc8b3a7a123416353e0c642060e85cc5fd4241c92d1190eec97eda0dcb97436e8fcca3b - languageName: node - linkType: hard - "setprototypeof@npm:1.2.0": version: 1.2.0 resolution: "setprototypeof@npm:1.2.0" @@ -44089,7 +43928,7 @@ __metadata: languageName: node linkType: hard -"statuses@npm:>= 1.4.0 < 2, statuses@npm:>= 1.5.0 < 2, statuses@npm:~1.5.0": +"statuses@npm:>= 1.4.0 < 2": version: 1.5.0 resolution: "statuses@npm:1.5.0" checksum: c469b9519de16a4bb19600205cffb39ee471a5f17b82589757ca7bd40a8d92ebb6ed9f98b5a540c5d302ccbc78f15dc03cc0280dd6e00df1335568a5d5758a5c @@ -45784,13 +45623,6 @@ __metadata: languageName: node linkType: hard -"toidentifier@npm:1.0.0": - version: 1.0.0 - resolution: "toidentifier@npm:1.0.0" - checksum: 199e6bfca1531d49b3506cff02353d53ec987c9ee10ee272ca6484ed97f1fc10fb77c6c009079ca16d5c5be4a10378178c3cacdb41ce9ec954c3297c74c6053e - languageName: node - linkType: hard - "toidentifier@npm:1.0.1": version: 1.0.1 resolution: "toidentifier@npm:1.0.1" @@ -46516,7 +46348,7 @@ __metadata: languageName: node linkType: hard -"type-is@npm:^1.6.4, type-is@npm:~1.6.17, type-is@npm:~1.6.18": +"type-is@npm:^1.6.4, type-is@npm:~1.6.18": version: 1.6.18 resolution: "type-is@npm:1.6.18" dependencies: