From 46730b0df778ba229b0e91e28bfa4fa7e166495a Mon Sep 17 00:00:00 2001 From: aldousalvarez Date: Wed, 20 Sep 2023 15:55:38 +0800 Subject: [PATCH] carbon accounting trivy scan --- .../.dast-nuclei-cmd-api-server.yaml | 2 +- .github/workflows/azure-container-scan.yaml | 38 ++++++++++++++ .github/workflows/trivy-container-scan.yaml | 52 +++++++++++++++++++ examples/carbon-accounting/Dockerfile | 2 +- examples/carbon-accounting/supervisord.conf | 2 +- .../get-keychain-entry-endpoint.ts | 4 +- .../set-keychain-entry-endpoint.ts | 4 +- .../get-keychain-entry-endpoint-v1.ts | 6 +-- .../openapi/openapi-validation.test.ts | 14 ++--- 9 files changed, 107 insertions(+), 17 deletions(-) create mode 100644 .github/workflows/azure-container-scan.yaml create mode 100644 .github/workflows/trivy-container-scan.yaml diff --git a/.github/workflows/.dast-nuclei-cmd-api-server.yaml b/.github/workflows/.dast-nuclei-cmd-api-server.yaml index fef72723f4..e6e3284924 100644 --- a/.github/workflows/.dast-nuclei-cmd-api-server.yaml +++ b/.github/workflows/.dast-nuclei-cmd-api-server.yaml @@ -118,7 +118,7 @@ jobs: with: build: yarn --version start: yarn start:api-server - command: "nuclei --config=.nuclei-config.yaml --list=urls.txt --sarif-export ~/nuclei.sarif --output nuclei.log" + command: "nuclei -config=.nuclei-config.yaml --list=urls.txt --sarif-export ~/nuclei.sarif --output nuclei.log" wait-on: "https://localhost:4000/api/v1/api-server/healthcheck" # wait for 10 minutes for the server to respond wait-on-timeout: 120 diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml new file mode 100644 index 0000000000..1ad619520a --- /dev/null +++ b/.github/workflows/azure-container-scan.yaml @@ -0,0 +1,38 @@ +name: azure-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + build-secure-and-push: + name: Scan cactus-example-carbon-accounting image + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2.4.0 + env: + # (Required) The token to use to make API calls to GitHub. + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + + - uses: actions/checkout@v1 + - name: Login to DockerHub Registry + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + + + - name: Build Images from Dockerfile + run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting + + - uses: Azure/container-scan@v0.1 + name: Scan image for vulnerabilities + id: container-scan + continue-on-error: true + with: + image-name: cactus-example-carbon-accounting \ No newline at end of file diff --git a/.github/workflows/trivy-container-scan.yaml b/.github/workflows/trivy-container-scan.yaml new file mode 100644 index 0000000000..ced5b34198 --- /dev/null +++ b/.github/workflows/trivy-container-scan.yaml @@ -0,0 +1,52 @@ +name: trivy-container-image-scan + +on: + push: + pull_request: + # Publish `main` as Docker `latest` image. + branches: + - main + + # Publish `v1.2.3` tags as releases. + tags: + - v* + + +jobs: + + build: + name: Scan cactus-example-carbon-accounting table image + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Build an image from Dockerfile + run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting + - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-example-carbon-accounting' + format: 'table' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + build2: + name: Scan cactus-example-carbon-accounting json image + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Build an image from Dockerfile + run: | + DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.11.2 + with: + image-ref: 'cactus-example-carbon-accounting' + format: 'json' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' \ No newline at end of file diff --git a/examples/carbon-accounting/Dockerfile b/examples/carbon-accounting/Dockerfile index 89c203dbe5..d8445a3cb6 100644 --- a/examples/carbon-accounting/Dockerfile +++ b/examples/carbon-accounting/Dockerfile @@ -37,7 +37,7 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | b RUN source ~/.bashrc && \ nvm install 16.15.1 && \ npm install -g yarn && \ - yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production + yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.1 --ignore-engines --production SHELL ["/bin/bash", "--login", "-c"] diff --git a/examples/carbon-accounting/supervisord.conf b/examples/carbon-accounting/supervisord.conf index f4349a038c..e21c123a9c 100644 --- a/examples/carbon-accounting/supervisord.conf +++ b/examples/carbon-accounting/supervisord.conf @@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log stdout_logfile=/usr/src/app/log/dockerd.out.log [program:carbon-accounting-app] -command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js +command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js autostart=true autorestart=unexpected exitcodes=0 diff --git a/packages/cactus-plugin-keychain-azure-kv/src/main/typescript/web-services/get-keychain-entry-endpoint.ts b/packages/cactus-plugin-keychain-azure-kv/src/main/typescript/web-services/get-keychain-entry-endpoint.ts index e20e4ea417..5bf5259805 100644 --- a/packages/cactus-plugin-keychain-azure-kv/src/main/typescript/web-services/get-keychain-entry-endpoint.ts +++ b/packages/cactus-plugin-keychain-azure-kv/src/main/typescript/web-services/get-keychain-entry-endpoint.ts @@ -17,7 +17,7 @@ import { registerWebServiceEndpoint } from "@hyperledger/cactus-core"; import { PluginKeychainAzureKv } from "../plugin-keychain-azure-kv"; import OAS from "../../json/openapi.json"; -import { GetKeychainEntryRequest } from "../generated/openapi/typescript-axios"; +import { GetKeychainEntryRequestV1 } from "../generated/openapi/typescript-axios"; export interface IGetKeychainEntryEndpointOptions { logLevel?: LogLevelDesc; @@ -87,7 +87,7 @@ export class GetKeychainEntryEndpoint implements IWebServiceEndpoint { public async handleRequest(req: Request, res: Response): Promise { const reqTag = `${this.getVerbLowerCase()} - ${this.getPath()}`; this.log.debug(reqTag); - const { key } = req.body as GetKeychainEntryRequest; + const { key } = req.body as GetKeychainEntryRequestV1; try { const value = await this.options.connector.get(key); res.json({ diff --git a/packages/cactus-plugin-keychain-azure-kv/src/main/typescript/web-services/set-keychain-entry-endpoint.ts b/packages/cactus-plugin-keychain-azure-kv/src/main/typescript/web-services/set-keychain-entry-endpoint.ts index c8ff9c6743..40590ce5f5 100644 --- a/packages/cactus-plugin-keychain-azure-kv/src/main/typescript/web-services/set-keychain-entry-endpoint.ts +++ b/packages/cactus-plugin-keychain-azure-kv/src/main/typescript/web-services/set-keychain-entry-endpoint.ts @@ -17,7 +17,7 @@ import { registerWebServiceEndpoint } from "@hyperledger/cactus-core"; import { PluginKeychainAzureKv } from "../plugin-keychain-azure-kv"; import OAS from "../../json/openapi.json"; -import { SetKeychainEntryRequest } from "../generated/openapi/typescript-axios"; +import { SetKeychainEntryRequestV1 } from "../generated/openapi/typescript-axios"; export interface ISetKeychainEntryEndpointOptions { logLevel?: LogLevelDesc; @@ -88,7 +88,7 @@ export class SetKeychainEntryEndpoint implements IWebServiceEndpoint { const reqTag = `${this.getVerbLowerCase()} - ${this.getPath()}`; this.log.debug(reqTag); try { - const { key, value } = req.body as SetKeychainEntryRequest; + const { key, value } = req.body as SetKeychainEntryRequestV1; const resBody = await this.options.connector.set(key, value); res.json(resBody); } catch (ex) { diff --git a/packages/cactus-plugin-keychain-vault/src/main/typescript/web-services/get-keychain-entry-endpoint-v1.ts b/packages/cactus-plugin-keychain-vault/src/main/typescript/web-services/get-keychain-entry-endpoint-v1.ts index 1d2f22d67f..9504555cfb 100644 --- a/packages/cactus-plugin-keychain-vault/src/main/typescript/web-services/get-keychain-entry-endpoint-v1.ts +++ b/packages/cactus-plugin-keychain-vault/src/main/typescript/web-services/get-keychain-entry-endpoint-v1.ts @@ -16,7 +16,7 @@ import { registerWebServiceEndpoint } from "@hyperledger/cactus-core"; import OAS from "../../json/openapi.json"; import { PluginKeychainVault } from "../plugin-keychain-vault"; -import { GetKeychainEntryResponse } from "../generated/openapi/typescript-axios"; +import { GetKeychainEntryResponseV1 } from "../generated/openapi/typescript-axios"; export interface IGetKeychainEntryEndpointV1Options { logLevel?: LogLevelDesc; @@ -50,7 +50,7 @@ export class GetKeychainEntryEndpointV1 implements IWebServiceEndpoint { this.log.debug(`Instantiated ${this.className} OK`); } - public get oasPath(): typeof OAS.paths["/api/v1/plugins/@hyperledger/cactus-plugin-keychain-vault/get-keychain-entry"] { + public get oasPath(): (typeof OAS.paths)["/api/v1/plugins/@hyperledger/cactus-plugin-keychain-vault/get-keychain-entry"] { return OAS.paths[ "/api/v1/plugins/@hyperledger/cactus-plugin-keychain-vault/get-keychain-entry" ]; @@ -94,7 +94,7 @@ export class GetKeychainEntryEndpointV1 implements IWebServiceEndpoint { try { this.log.debug(`${tag} %o`, req.body); const value = await this.plugin.get(req.body.key); - const resBody: GetKeychainEntryResponse = { + const resBody: GetKeychainEntryResponseV1 = { key: req.body.key, value: value as string, }; diff --git a/packages/cactus-plugin-keychain-vault/src/test/typescript/integration/openapi/openapi-validation.test.ts b/packages/cactus-plugin-keychain-vault/src/test/typescript/integration/openapi/openapi-validation.test.ts index c7a296ef34..66a63d3c00 100644 --- a/packages/cactus-plugin-keychain-vault/src/test/typescript/integration/openapi/openapi-validation.test.ts +++ b/packages/cactus-plugin-keychain-vault/src/test/typescript/integration/openapi/openapi-validation.test.ts @@ -21,11 +21,11 @@ import { import { Configuration, DeleteKeychainEntryRequestV1, - GetKeychainEntryRequest, + GetKeychainEntryRequestV1, HasKeychainEntryRequestV1, IPluginKeychainVaultOptions, PluginKeychainVault, - SetKeychainEntryRequest, + SetKeychainEntryRequestV1, } from "../../../../main/typescript/public-api"; import { DefaultApi as KeychainVaultApi } from "../../../../main/typescript/public-api"; @@ -138,7 +138,7 @@ test(`${testCase}`, async (t: Test) => { try { await apiClient.setKeychainEntryV1({ value: value1, - } as SetKeychainEntryRequest); + } as SetKeychainEntryRequestV1); } catch (err) { const e = err as AxiosError<{ path: string }[]>; t2.equal( @@ -174,7 +174,7 @@ test(`${testCase}`, async (t: Test) => { test(`${testCase} - ${fGet} - ${cWithoutParams}`, async (t2: Test) => { try { - await apiClient.getKeychainEntryV1({} as GetKeychainEntryRequest); + await apiClient.getKeychainEntryV1({} as GetKeychainEntryRequestV1); } catch (err) { const e = err as AxiosError<{ path: string }[]>; t2.equal( @@ -214,7 +214,7 @@ test(`${testCase}`, async (t: Test) => { key: key1, value: value1, fake: 4, - } as SetKeychainEntryRequest); + } as SetKeychainEntryRequestV1); } catch (err) { const e = err as AxiosError<{ path: string }[]>; t2.equal( @@ -262,7 +262,7 @@ test(`${testCase}`, async (t: Test) => { await apiClient.getKeychainEntryV1({ key: key1, fake: 4, - } as GetKeychainEntryRequest); + } as GetKeychainEntryRequestV1); } catch (err) { const e = err as AxiosError<{ path: string }[]>; t2.equal( @@ -286,7 +286,7 @@ test(`${testCase}`, async (t: Test) => { await apiClient.deleteKeychainEntryV1({ key: key1, fake: 4, - } as GetKeychainEntryRequest); + } as GetKeychainEntryRequestV1); } catch (err) { const e = err as AxiosError; t2.equal(