From c0f3922e91dd6e5d1dbe448f151409eba4972bdd Mon Sep 17 00:00:00 2001 From: huynaism Date: Fri, 8 Nov 2024 14:13:52 +0700 Subject: [PATCH 01/17] add trivy ignore, test pipeline --- .github/workflows/publish.yml | 10 ++++++++-- .trivyignore.yaml | 6 ++++++ 2 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 .trivyignore.yaml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 883b113..17624f1 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,6 +4,7 @@ on: push: branches: - 'main' + - 'devops/add-docker-security-r3' tags: - '*' @@ -18,8 +19,13 @@ jobs: run-lint: true docker_pipeline: - needs: ["lint_test"] - uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.7.0 + uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@huy/add-docker-sec + permissions: + # required for all workflows + security-events: write + # required to fetch internal or private CodeQL packs + packages: read secrets: inherit with: publish: true + docker_scan: true diff --git a/.trivyignore.yaml b/.trivyignore.yaml new file mode 100644 index 0000000..90b77a7 --- /dev/null +++ b/.trivyignore.yaml @@ -0,0 +1,6 @@ + +vulnerabilities: +- id: CVE-2024-27304 + statement: Not using the function. Ignored. +- id: GHSA-7jwh-3vrq-q3m8 + statement: Not using the function. Ignored. From 769952dd8075af5c99ec281aedbd31d81c950231 Mon Sep 17 00:00:00 2001 From: huynaism Date: Fri, 8 Nov 2024 15:06:23 +0700 Subject: [PATCH 02/17] add lnd related to trivyignore --- .trivyignore.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.trivyignore.yaml b/.trivyignore.yaml index 90b77a7..135cb5f 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml 
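Review bot: The `uses:` line in the second publish.yml hunk pins the reusable docker pipeline to a branch (`@huy/add-docker-sec`), so the job that builds and publishes the image runs whatever that branch holds at the moment; patch 16 (L9) moves it to `@v0.10.2`, which is still a movable tag. Pin to the full commit SHA of the release and keep the tag as a comment, e.g. `uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@<COMMIT_SHA_OF_v0.10.2>  # v0.10.2`. The job-level `permissions:` block sets every scope it does not list to none, and the two comments (`required for all workflows`, `required to fetch internal or private CodeQL packs`) read like the CodeQL template rather than a description of this scan; confirm the called workflow does not need `contents: read` for checkout or `packages: write` for the push implied by `publish: true`, and reword the comments to name the step that needs `security-events: write` (presumably the scan-result upload). The removal of `needs: ["lint_test"]` here is reverted by patch 14 (L9), so the final state does gate publishing on lint again.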
@@ -1,6 +1,10 @@ vulnerabilities: - id: CVE-2024-27304 - statement: Not using the function. Ignored. + statement: lnd related, Not using the function. Ignored. - id: GHSA-7jwh-3vrq-q3m8 - statement: Not using the function. Ignored. + statement: lnd related, Not using the function. Ignored. +- id: CVE-2024-27289 + statement: lnd related, Not using the function. Ignored. +- id: CVE-2024-38359 + statement: lnd related, Not using the function. Ignored. From 116573b5488124401d8fd1db289d5bac57ee3ace Mon Sep 17 00:00:00 2001 From: huynaism Date: Fri, 8 Nov 2024 15:24:02 +0700 Subject: [PATCH 03/17] use regular ignore --- .trivyignore | 5 +++++ .trivyignore.yaml | 10 ---------- 2 files changed, 5 insertions(+), 10 deletions(-) create mode 100644 .trivyignore delete mode 100644 .trivyignore.yaml diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..63355fc --- /dev/null +++ b/.trivyignore @@ -0,0 +1,5 @@ +# LND < 0.17.0 issue, not fixing +CVE-2024-27304 +GHSA-7jwh-3vrq-q3m8 +CVE-2024-27289 +CVE-2024-38359 \ No newline at end of file diff --git a/.trivyignore.yaml b/.trivyignore.yaml deleted file mode 100644 index 135cb5f..0000000 --- a/.trivyignore.yaml +++ /dev/null @@ -1,10 +0,0 @@ - -vulnerabilities: -- id: CVE-2024-27304 - statement: lnd related, Not using the function. Ignored. -- id: GHSA-7jwh-3vrq-q3m8 - statement: lnd related, Not using the function. Ignored. -- id: CVE-2024-27289 - statement: lnd related, Not using the function. Ignored. -- id: CVE-2024-38359 - statement: lnd related, Not using the function. Ignored. From f1dc0d40c36cd7a560441c2ccf82afa2ff3ef0b3 Mon Sep 17 00:00:00 2001 From: huynaism Date: Fri, 8 Nov 2024 17:20:37 +0700 Subject: [PATCH 04/17] hadolint #21 --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 37b4cd2..4c9f7bb 100644 --- a/Dockerfile +++ b/Dockerfile 
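Review bot: The suppressions in the new `.trivyignore` carry no expiry and no owner, so the four LND findings stay silenced indefinitely even after the `LND < 0.17.0` situation the comment refers to changes; the same defect is in the earlier `.trivyignore.yaml` hunks (patches 01 and 02, L1–L2), whose `statement:` says only `Not using the function` without naming the function, and in the go-ethereum entry patch 17 adds at L10, whose comment names the dependency but not why the finding does not apply here. Trivy's plain ignore format accepts a per-entry expiry, so each line can carry one, e.g. `CVE-2024-27304 exp:<REVIEW_DATE>`, and the comment above the group should record which call path is believed unreachable and what event (an lnd or geth bump) triggers re-checking. The `\ No newline at end of file` marker shows the file lacks its final newline, which the patch 17 hunk (L10) still carries.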
@@ -24,11 +24,11 @@ RUN apt-get update && apt-get install -y bash curl jq wget COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/go.mod /tmp RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \ - wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm.$(uname -m).so \ - -O /lib/libwasmvm.$(uname -m).so && \ + wget https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/libwasmvm."$(uname -m)".so \ + -O /lib/libwasmvm."$(uname -m)".so && \ # verify checksum - wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \ - sha256sum /lib/libwasmvm.$(uname -m).so | grep $(cat /tmp/checksums.txt | grep libwasmvm.$(uname -m) | cut -d ' ' -f 1) + wget https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/checksums.txt -O /tmp/checksums.txt && \ + sha256sum /lib/libwasmvm."$(uname -m)".so | grep "$(cat /tmp/checksums.txt | grep libwasmvm."$(uname -m)" | cut -d ' ' -f 1)" RUN rm -f /tmp/go.mod COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/build/stakerd /bin/stakerd From 589698a3a6f1f45d40a7286fa94f58b104aa48da Mon Sep 17 00:00:00 2001 From: huynaism Date: Fri, 8 Nov 2024 17:22:13 +0700 Subject: [PATCH 05/17] hadolint #16,#17 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4c9f7bb..c7eba7f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM golang:1.23.1 AS builder # Install cli tools for building and final image -RUN apt-get update && apt-get install -y make git bash gcc curl jq +RUN apt-get update && apt-get install --no-install-recommends -y make git bash gcc curl jq # Build WORKDIR /go/src/github.com/babylonlabs-io/btc-staker 
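Review bot: The quoted `grep "$(cat /tmp/checksums.txt | grep libwasmvm."$(uname -m)" | cut -d ' ' -f 1)"` on the last changed line passes vacuously when the inner grep matches nothing: the substitution expands to an empty string, `grep ""` matches every line of the `sha256sum` output, and the build continues with an unverified library (before this change the unquoted empty expansion made grep exit on usage, so the quoting removes that accidental protection). Patches 07 and 09 (L5, L6) rewrite the same two lines and keep this shape, and `pipefail` is not set for this stage until patch 06 (L4), so before that a failing inner grep does not stop the pipeline either. Fail explicitly when no expected digest is found and let `sha256sum -c` do the comparison; note the expected digest is fetched from the same release as the binary, so this only detects a corrupted download, not a tampered release — pinning the expected digest in the Dockerfile, or verifying the release's own signature, would turn it into an integrity check. The enclosing `RUN` starts inside the hunk and the checksum line is its last line.
```dockerfile
RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \
    ARCH="$(uname -m)" && \
    wget https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/libwasmvm."$ARCH".so \
        -O /lib/libwasmvm."$ARCH".so && \
    # verify checksum: refuse to continue if no digest for this arch is listed
    wget https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/checksums.txt -O /tmp/checksums.txt && \
    EXPECTED="$(grep "libwasmvm.$ARCH.so" /tmp/checksums.txt | cut -d ' ' -f 1)" && \
    test -n "$EXPECTED" && \
    echo "$EXPECTED  /lib/libwasmvm.$ARCH.so" | sha256sum -c -
```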
@@ -20,7 +20,7 @@ RUN BUILD_TAGS=netgo \ FROM debian:bookworm-slim AS run RUN addgroup --gid 1138 --system btcstaker && adduser --uid 1138 --system --home /home/btcstaker btcstaker -RUN apt-get update && apt-get install -y bash curl jq wget +RUN apt-get update && apt-get install --no-install-recommends -y bash curl jq wget COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/go.mod /tmp RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \ From 9ff6495b0c9b8933f79c1ba7ca6740a15875bd8d Mon Sep 17 00:00:00 2001 From: huynaism Date: Fri, 8 Nov 2024 17:23:08 +0700 Subject: [PATCH 06/17] hadolint #20 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index c7eba7f..0025efa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,6 +18,7 @@ RUN BUILD_TAGS=netgo \ # FINAL IMAGE FROM debian:bookworm-slim AS run +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN addgroup --gid 1138 --system btcstaker && adduser --uid 1138 --system --home /home/btcstaker btcstaker RUN apt-get update && apt-get install --no-install-recommends -y bash curl jq wget From 5f889c6e8216272ca95e50341d98e462dfb735f9 Mon Sep 17 00:00:00 2001 From: huynaism Date: Fri, 8 Nov 2024 17:23:44 +0700 Subject: [PATCH 07/17] hadolint #22 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0025efa..5106dff 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -25,10 +25,10 @@ RUN apt-get update && apt-get install --no-install-recommends -y bash curl jq wg COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/go.mod /tmp RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \ - wget https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/libwasmvm."$(uname -m)".so \ + wget -nv https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/libwasmvm."$(uname -m)".so \ -O /lib/libwasmvm."$(uname -m)".so && \ # verify checksum - wget https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/checksums.txt -O /tmp/checksums.txt && \ + wget -nv https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/checksums.txt -O /tmp/checksums.txt && \ sha256sum /lib/libwasmvm."$(uname -m)".so | grep "$(cat /tmp/checksums.txt | grep libwasmvm."$(uname -m)" | cut -d ' ' -f 1)" RUN rm -f /tmp/go.mod From 5c36e08040b226ba9c92310f0b8a4ee91ebce262 Mon Sep 17 00:00:00 2001 From: huynaism Date: Fri, 8 Nov 2024 18:02:31 +0700 Subject: [PATCH 08/17] hadolint #15,#18 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5106dff..529d285 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM golang:1.23.1 AS builder # Install cli tools for building and final image -RUN apt-get update && apt-get install --no-install-recommends -y make git bash gcc curl jq +RUN apt-get update && apt-get install --no-install-recommends -y make=4.3-4.1 git=1:2.39.5-0+deb12u1 bash=5.2.15-2+b7 gcc=4:12.2.0-3 curl=7.88.1-10+deb12u7 jq=1.6-2.1 && rm -rf /var/lib/apt/lists/* # Build WORKDIR /go/src/github.com/babylonlabs-io/btc-staker 
@@ -21,7 +21,7 @@ FROM debian:bookworm-slim AS run SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN addgroup --gid 1138 --system btcstaker && adduser --uid 1138 --system --home /home/btcstaker btcstaker -RUN apt-get update && apt-get install --no-install-recommends -y bash curl jq wget +RUN apt-get update && apt-get install --no-install-recommends -y bash=5.2.15-2+b7 curl=7.88.1-10+deb12u7 jq=1.6-2.1 wget=1.21.3-1+b2 && rm -rf /var/lib/apt/lists/* COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/go.mod /tmp RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \ From ee6c6c73d1919464212305a275e85355c9dbfd84 Mon Sep 17 00:00:00 2001 From: huynaism Date: Fri, 8 Nov 2024 18:05:06 +0700 Subject: [PATCH 09/17] hadolint #22 better --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 529d285..da72d3a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,10 +25,10 @@ RUN apt-get update && apt-get install --no-install-recommends -y bash=5.2.15-2+b COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/go.mod /tmp RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \ - wget -nv https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/libwasmvm."$(uname -m)".so \ + wget --progress=dot:giga https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/libwasmvm."$(uname -m)".so \ -O /lib/libwasmvm."$(uname -m)".so && \ # verify checksum - wget -nv https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/checksums.txt -O /tmp/checksums.txt && \ + wget --progress=dot:giga https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/checksums.txt -O /tmp/checksums.txt && \ sha256sum /lib/libwasmvm."$(uname -m)".so | grep "$(cat /tmp/checksums.txt | grep libwasmvm."$(uname -m)" | cut -d ' ' -f 1)" RUN rm -f /tmp/go.mod From a2ed7ef7420a511454bf5a4be67d89404fcc4a12 Mon Sep 17 00:00:00 2001 
From: huynaism Date: Sun, 10 Nov 2024 09:59:39 +0700 Subject: [PATCH 10/17] ignore hadolint DL3008 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index da72d3a..03f7869 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM golang:1.23.1 AS builder # Install cli tools for building and final image -RUN apt-get update && apt-get install --no-install-recommends -y make=4.3-4.1 git=1:2.39.5-0+deb12u1 bash=5.2.15-2+b7 gcc=4:12.2.0-3 curl=7.88.1-10+deb12u7 jq=1.6-2.1 && rm -rf /var/lib/apt/lists/* +RUN apt-get update && apt-get install --no-install-recommends -y make git bash gcc curl jq && rm -rf /var/lib/apt/lists/* # Build WORKDIR /go/src/github.com/babylonlabs-io/btc-staker @@ -21,7 +21,7 @@ FROM debian:bookworm-slim AS run SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN addgroup --gid 1138 --system btcstaker && adduser --uid 1138 --system --home /home/btcstaker btcstaker -RUN apt-get update && apt-get install --no-install-recommends -y bash=5.2.15-2+b7 curl=7.88.1-10+deb12u7 jq=1.6-2.1 wget=1.21.3-1+b2 && rm -rf /var/lib/apt/lists/* +RUN apt-get update && apt-get install --no-install-recommends -y ca-certificates bash curl jq wget && rm -rf /var/lib/apt/lists/* COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/go.mod /tmp RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm /tmp/go.mod | cut -d' ' -f2) && \ From 074be262eba4d1d902b5702e69d478598f758c22 Mon Sep 17 00:00:00 2001 From: huynaism Date: Sun, 10 Nov 2024 10:06:20 +0700 Subject: [PATCH 11/17] remove pipeline branch --- .github/workflows/publish.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 17624f1..d0a1d00 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,7 +4,6 @@ on: push: branches: - 'main' - - 'devops/add-docker-security-r3' tags: - '*' From 64f33a5e83282fc0dd306dac9181709d903bf77a Mon Sep 17 00:00:00 2001 
From: huynaism Date: Sun, 10 Nov 2024 10:09:27 +0700 Subject: [PATCH 12/17] add inline ignore for hadolint DL3008 --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index 03f7869..cfcedb7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,7 @@ FROM golang:1.23.1 AS builder # Install cli tools for building and final image +# hadolint ignore=DL3008 RUN apt-get update && apt-get install --no-install-recommends -y make git bash gcc curl jq && rm -rf /var/lib/apt/lists/* # Build @@ -21,6 +22,7 @@ FROM debian:bookworm-slim AS run SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN addgroup --gid 1138 --system btcstaker && adduser --uid 1138 --system --home /home/btcstaker btcstaker +# hadolint ignore=DL3008 RUN apt-get update && apt-get install --no-install-recommends -y ca-certificates bash curl jq wget && rm -rf /var/lib/apt/lists/* COPY --from=builder /go/src/github.com/babylonlabs-io/btc-staker/go.mod /tmp From c56531ba1cc679c11e6d378a62c2d6e386cbde72 Mon Sep 17 00:00:00 2001 From: huynaism Date: Sun, 10 Nov 2024 10:10:00 +0700 Subject: [PATCH 13/17] reenable pipeline for test --- .github/workflows/publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d0a1d00..17624f1 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,6 +4,7 @@ on: push: branches: - 'main' + - 'devops/add-docker-security-r3' tags: - '*' From 586e4415fc57f56d7fb65f1d547fb7b2cd1ae12d Mon Sep 17 00:00:00 2001 From: Filippos Malandrakis Date: Fri, 22 Nov 2024 16:31:59 +0200 Subject: [PATCH 14/17] needs --- .github/workflows/publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 17624f1..0dc586f 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
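Review bot: The two `# hadolint ignore=DL3008` lines silence the unpinned-package warning without saying why pinning was abandoned (patch 08 at L5–L6 pinned exact versions and patch 10 at L7 reverted them, presumably because Debian point releases change the version strings and break the build); a bare ignore gets re-litigated by the next reader, so put the reason in the comment, e.g. `# hadolint ignore=DL3008 -- exact pins break on every bookworm point release; reproducibility comes from the base image digest, not apt`. That reasoning only holds if the base images are pinned, and the context lines `FROM golang:1.23.1 AS builder` and `FROM debian:bookworm-slim AS run` are floating tags, so consider `FROM debian:bookworm-slim@sha256:<BASE_IMAGE_DIGEST>` (with a bot rule to bump it) so the image the CI scan reports on is the one that ships. The runtime stage also installs `bash curl jq wget` into the final image; confirm each is needed by stakerd at runtime rather than only by the wget step that follows, since anything left in the image widens what the scan has to keep suppressing.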
@@ -19,6 +19,7 @@ jobs: run-lint: true docker_pipeline: + needs: ["lint_test"] uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@huy/add-docker-sec permissions: # required for all workflows From 9f0791efa697f7e7ce8215261459735062cb935f Mon Sep 17 00:00:00 2001 From: Filippos Malandrakis Date: Fri, 22 Nov 2024 16:35:23 +0200 Subject: [PATCH 15/17] changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 51ae9e5..8eb0b5b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,6 +37,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) ### Improvements + +* [#92](https://github.com/babylonlabs-io/btc-staker/pull/92) CI: Enable Dockerfile and image scanning * [#99](https://github.com/babylonlabs-io/btc-staker/pull/99) Bump babylon version and adapt staker to the changes From f62d0a4cf674a7ebaf605b5a6b1a62a3af646735 Mon Sep 17 00:00:00 2001 From: Filippos Malandrakis Date: Fri, 22 Nov 2024 17:12:54 +0200 Subject: [PATCH 16/17] 0.10.2 --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 0dc586f..772e81e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -20,7 +20,7 @@ jobs: docker_pipeline: needs: ["lint_test"] - uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@huy/add-docker-sec + uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2 permissions: # required for all workflows security-events: write From 116426df423a188098b0e2df7ed544797186f7c2 Mon Sep 17 00:00:00 2001 From: huynaism Date: Mon, 25 Nov 2024 14:03:03 +0700 Subject: [PATCH 17/17] trivy ignoring geth CVE --- .trivyignore | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.trivyignore b/.trivyignore index 63355fc..1d2762e 100644 --- a/.trivyignore +++ b/.trivyignore 
@@ -2,4 +2,7 @@
 CVE-2024-27304
 GHSA-7jwh-3vrq-q3m8
 CVE-2024-27289
-CVE-2024-38359
\ No newline at end of file
+CVE-2024-38359
+
+# Go-ethereum related
+CVE-2024-32972
\ No newline at end of file