From de33bfcdaaad07f192a1ace4be5210684b09fb15 Mon Sep 17 00:00:00 2001 From: Ilya <138466237+ikheifets-splunk@users.noreply.github.com> Date: Wed, 27 Mar 2024 09:47:47 +0100 Subject: [PATCH] fix: scan docker image on cves & upgrade deps (#2373) --- .github/workflows/ci-lite.yaml | 15 +++++++++++++++ .github/workflows/ci-main.yaml | 15 +++++++++++++++ package/Dockerfile | 4 ++-- package/Dockerfile.lite | 4 ++-- package/etc/syslog-ng.conf | 2 +- package/lite/etc/syslog-ng.conf.jinja | 2 +- poetry.lock | 23 ++++++----------------- pyproject.toml | 1 + tests/Dockerfile.nc | 2 +- 9 files changed, 44 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci-lite.yaml b/.github/workflows/ci-lite.yaml index 74935b4db9..db441bba0a 100644 --- a/.github/workflows/ci-lite.yaml +++ b/.github/workflows/ci-lite.yaml @@ -154,6 +154,21 @@ jobs: cache-from: type=registry,ref=${{ needs.meta.outputs.container_base }} cache-to: type=inline + scan-docker-image-cves: + runs-on: ubuntu-latest + name: Scan docker image on CVEs + needs: + - meta + - build_action + steps: + - name: Run docker vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ needs.meta.outputs.container_base }} + format: 'table' + exit-code: '1' + severity: 'CRITICAL,HIGH' + test-container: runs-on: ubuntu-latest needs: diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml index a981c1deb8..41cf8f340e 100644 --- a/.github/workflows/ci-main.yaml +++ b/.github/workflows/ci-main.yaml 
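Review bot: `uses: aquasecurity/trivy-action@master` in the new scan-docker-image-cves job tracks a mutable branch, so any future push to that branch runs unreviewed inside this pipeline and the gate's behaviour can change without a commit here; pin it to a full commit SHA and keep the release in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # vX.Y`. The job scans `${{ needs.meta.outputs.container_base }}`, the same ref the build step passes to `cache-from`; if that resolves to a cache/base reference rather than the tag build_action just pushed, the scan would not be checking the image under test, so confirm it against the meta job, which is outside this hunk. With `exit-code: '1'` and no `ignore-unfixed` or `.trivyignore`, a CRITICAL/HIGH finding in the upstream base image that has no fix yet will block every run until someone triages it, so state the policy explicitly (either add `ignore-unfixed: true`, or a comment above the step saying unfixed findings are meant to block).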
@@ -153,6 +153,21 @@ jobs: REVISION=${{ needs.meta.outputs.container_revision }} cache-from: type=registry,ref=${{ needs.meta.outputs.container_base }} cache-to: type=inline + + scan-docker-image-cves: + runs-on: ubuntu-latest + name: Scan docker image on CVEs + needs: + - meta + - build_action + steps: + - name: Run docker vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ needs.meta.outputs.container_base }} + format: 'table' + exit-code: '1' + severity: 'CRITICAL,HIGH' test-container: runs-on: ubuntu-latest diff --git a/package/Dockerfile b/package/Dockerfile index 2f1cd5daf4..35c6523201 100644 --- a/package/Dockerfile +++ b/package/Dockerfile @@ -16,7 +16,7 @@ #work. If not, see . -ARG SYSLOGNG_VERSION=4.5.0 +ARG SYSLOGNG_VERSION=4.6.0 FROM ghcr.io/axoflow/axosyslog:${SYSLOGNG_VERSION} @@ -40,7 +40,7 @@ RUN apk add -U --upgrade --no-cache \ wget \ cargo \ ca-certificates \ - && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.4 sh \ + && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.6 sh \ && groupadd --gid 1024 syslog \ && useradd -M -g 1024 -u 1024 syslog \ && usermod -L syslog \ diff --git a/package/Dockerfile.lite b/package/Dockerfile.lite index bcf964f3ac..b47386e808 100644 --- a/package/Dockerfile.lite +++ b/package/Dockerfile.lite @@ -16,7 +16,7 @@ #work. If not, see . -ARG SYSLOGNG_VERSION=4.5.0 +ARG SYSLOGNG_VERSION=4.6.0 FROM ghcr.io/axoflow/axosyslog:${SYSLOGNG_VERSION} @@ -40,7 +40,7 @@ RUN apk add -U --upgrade --no-cache \ wget \ cargo \ ca-certificates \ - && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.4 sh \ + && curl -fsSL https://goss.rocks/install | GOSS_VER=v0.4.6 sh \ && groupadd --gid 1024 syslog \ && useradd -M -g 1024 -u 1024 syslog \ && usermod -L syslog \ diff --git a/package/etc/syslog-ng.conf b/package/etc/syslog-ng.conf index 3b71cf9003..15ff938a64 100644 --- a/package/etc/syslog-ng.conf +++ b/package/etc/syslog-ng.conf 
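Review bot: `uses: aquasecurity/trivy-action@master` floats on a branch, so the scanner gating the main pipeline can change or be replaced without any change to this repository; pin it to a full commit SHA with the release tag in a trailing comment. The scan-docker-image-cves job is a verbatim copy of the one added to ci-lite.yaml (differing only in the extra blank line before it); a reusable workflow or a composite action taking image-ref as an input would keep the two gates from drifting apart. As in ci-lite, `image-ref: ${{ needs.meta.outputs.container_base }}` is the same ref the build step uses for `cache-from`, so confirm it names the image build_action just produced rather than a cache base; the meta job is outside this hunk.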
@@ -1,4 +1,4 @@ -@version:4.5 +@version:4.6 # syslog-ng configuration file. diff --git a/package/lite/etc/syslog-ng.conf.jinja b/package/lite/etc/syslog-ng.conf.jinja index ae75631f59..47e037a705 100644 --- a/package/lite/etc/syslog-ng.conf.jinja +++ b/package/lite/etc/syslog-ng.conf.jinja @@ -1,4 +1,4 @@ -@version:4.5 +@version:4.6 # syslog-ng configuration file. diff --git a/poetry.lock b/poetry.lock index 85d0ba79d6..8d751541b8 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -502,16 +502,6 @@ files = [ {file = "MarkupSafe-2.1.3-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac"}, {file = "MarkupSafe-2.1.3-cp311-cp311-win32.whl", hash = "sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb"}, {file = "MarkupSafe-2.1.3-cp311-cp311-win_amd64.whl", hash = "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686"}, - {file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc"}, - {file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823"}, - {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11"}, - {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd"}, - {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939"}, - {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c"}, - {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c"}, - {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1"}, - {file = "MarkupSafe-2.1.3-cp312-cp312-win32.whl", hash = "sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007"}, - {file = "MarkupSafe-2.1.3-cp312-cp312-win_amd64.whl", hash = 
"sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb"}, {file = "MarkupSafe-2.1.3-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2"}, {file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b"}, {file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707"}, @@ -955,7 +945,6 @@ files = [ {file = "PyYAML-6.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34"}, {file = "PyYAML-6.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28"}, {file = "PyYAML-6.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9"}, - {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a08c6f0fe150303c1c6b71ebcd7213c2858041a7e01975da3a99aed1e7a378ef"}, {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0"}, {file = "PyYAML-6.0.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4"}, {file = "PyYAML-6.0.1-cp312-cp312-win32.whl", hash = "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54"}, 
@@ -1129,19 +1118,19 @@ use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"] [[package]] name = "setuptools" -version = "69.0.3" +version = "69.2.0" description = "Easily download, build, install, upgrade, and uninstall Python packages" optional = false python-versions = ">=3.8" files = [ - {file = "setuptools-69.0.3-py3-none-any.whl", hash = "sha256:385eb4edd9c9d5c17540511303e39a147ce2fc04bc55289c322b9e5904fe2c05"}, - {file = "setuptools-69.0.3.tar.gz", hash = "sha256:be1af57fc409f93647f2e8e4573a142ed38724b8cdd389706a867bb4efcf1e78"}, + {file = "setuptools-69.2.0-py3-none-any.whl", hash = "sha256:c21c49fb1042386df081cb5d86759792ab89efca84cf114889191cd09aacc80c"}, + {file = "setuptools-69.2.0.tar.gz", hash = "sha256:0ff4183f8f42cd8fa3acea16c45205521a4ef28f73c6391d8a25e92893134f2e"}, ] [package.extras] docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"] -testing = ["build[virtualenv]", "filelock (>=3.4.0)", "flake8-2020", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "pip (>=19.1)", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff", "pytest-timeout", "pytest-xdist", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"] -testing-integration = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.1)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"] +testing = ["build[virtualenv]", "filelock (>=3.4.0)", "importlib-metadata", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "mypy (==1.9)", "packaging (>=23.2)", 
"pip (>=19.1)", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-timeout", "pytest-xdist (>=3)", "tomli", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"] +testing-integration = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"] [[package]] name = "shortuuid" @@ -1325,4 +1314,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p [metadata] lock-version = "2.0" python-versions = "^3.9" -content-hash = "0b31081a4eb1554c16e9cf4d9a9726022295bd632beddb26a9478fbcbf20a7a5" +content-hash = "0a11cc1ea5fc2f73b836188efbd186d46d6a378f3d678b711c07175ea56fc634" diff --git a/pyproject.toml b/pyproject.toml index bb37dde942..c81575e5b0 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -12,6 +12,7 @@ sqlitedict = "^2.0.0" requests = "^2.28.1" shortuuid = "^1.0.11" pyyaml = "6.0.1" +setuptools = ">=69.0" [tool.poetry.group.dev.dependencies] diff --git a/tests/Dockerfile.nc b/tests/Dockerfile.nc index b548fd2c1b..405e8650fa 100644 --- a/tests/Dockerfile.nc +++ b/tests/Dockerfile.nc @@ -1,4 +1,4 @@ -ARG SYSLOGNG_VERSION=4.5.0 +ARG SYSLOGNG_VERSION=4.6.0 FROM ghcr.io/axoflow/axosyslog:${SYSLOGNG_VERSION} RUN apk add -U netcat-openbsd \ No newline at end of file