From 037f4c852e3b3293e32605141eb1fcbb3d0e7cc9 Mon Sep 17 00:00:00 2001
From: Samim Mirhosseini
Date: Mon, 5 Feb 2024 10:15:24 -0500
Subject: [PATCH] adding high/critical severity vuln checks

Signed-off-by: Samim Mirhosseini
---
 Dockerfile | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 2129032..1cc3743 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,6 +15,14 @@ RUN npm install
 ADD --chown=node:node ./samples/solidity .
 RUN npx hardhat compile
 
+FROM alpine:3.19 AS SBOM
+WORKDIR /
+ADD . /SBOM
+RUN apk add --no-cache curl
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.3
+RUN trivy fs --format spdx-json --output /sbom.spdx.json /SBOM
+RUN trivy sbom /sbom.spdx.json --severity UNKNOWN,HIGH,CRITICAL --exit-code 1
+
 FROM node:16-alpine3.15
 RUN apk add curl jq
 RUN mkdir -p /app/contracts/source \
@@ -34,6 +42,7 @@ COPY --from=solidity-build --chown=1001:0 /home/node/artifacts/contracts/TokenFa
 WORKDIR /app
 COPY --from=build --chown=1001:0 /home/node/dist ./dist
 COPY --from=build --chown=1001:0 /home/node/package.json /home/node/package-lock.json ./
+COPY --from=SBOM /sbom.spdx.json /sbom.spdx.json
 RUN npm install --production
 EXPOSE 3000
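Review bot: The trivy installer in the new SBOM stage is fetched from the unpinned `main` branch of the aquasecurity/trivy repo and piped straight into `sh`, so the tool that gates the build on HIGH/CRITICAL findings is itself installed with no integrity check (only the `v0.48.3` argument is pinned, not the script that runs as root at build time). Copying the binary from the release image removes the download entirely: replace the `RUN apk add --no-cache curl` and `RUN curl ... | sh ...` lines with `COPY --from=aquasec/trivy:0.48.3 /usr/local/bin/trivy /usr/local/bin/trivy`; if the script route is kept, pin it to a tagged ref, verify a checksum, and precede it with `SHELL ["/bin/sh", "-o", "pipefail", "-c"]` so a failed download cannot succeed silently. `ADD . /SBOM` should be `COPY . /SBOM`, and because it brings the whole build context into the stage, the scan covers the source tree and its lockfiles rather than the packages actually installed in the final `node:16-alpine3.15` stage, so this gate does not cover the runtime image's OS layer. Lowercase the stage name (`AS sbom`, and `--from=sbom` in the second hunk) to match the existing `build` and `solidity-build` stages and BuildKit's StageNameCasing check.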