eclipse-tractusx · saudkhan116 · Feb 2, 2024 · Jan 22, 2024 · Jan 22, 2024 · Jan 23, 2024
diff --git a/.github/actions/setup-java/action.yaml b/.github/actions/setup-java/action.yaml
@@ -27,7 +27,7 @@ runs:
   using: "composite"
   steps:
     - name: Setup Java
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: '19'
         distribution: 'adopt'
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -2,6 +2,7 @@
 # Catena-X - Product Passport Consumer Application
 #
 # Copyright (c) 2022, 2023 BASF SE, BMW AG, Henkel AG & Co. KGaA
+# Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -58,22 +59,22 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: "config"
-          # ignore-unfixed: true
-          exit-code: "1"
+          ignore-unfixed: true
           hide-progress: false
-          # image-ref: "${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ github.sha }}"
           format: "sarif"
           output: "trivy-results1.sarif"
           severity: "CRITICAL,HIGH"
+          args: "--ignorefile .trivyignore"
+          skip-dirs: "deployment/infrastructure/edc-consumer,deployment/infrastructure/edc-provider,deployment/infrastructure/edc-provider/data-service,deployment/infrastructure/registry"  # skip scanning external images.
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: "trivy-results1.sarif"
@@ -87,7 +88,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Build frontend image from Dockerfile - GHCR
         id: build-docker-frontend-ghcr
@@ -107,10 +108,11 @@ jobs:
         with:
           image-ref: "${{ env.REGISTRY }}/${{ github.repository }}/${{ env.FRONTEND_IMAGE_NAME }}"
           format: "sarif"
+          ignore-unfixed: true
           output: "trivy-results-dpp-frontend.sarif"
-          exit-code: "1"
           hide-progress: false
           severity: "CRITICAL,HIGH"
+          args: "--ignorefile .trivyignore"
 
       # Build action for docker hub registry
       - name: Run Trivy vulnerability scanner - Docker Hub
@@ -119,15 +121,16 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "${{ env.IMAGE_NAMESPACE }}/${{ env.FRONTEND_IMAGE_NAME }}"
+          ignore-unfixed: true
           format: "sarif"
           output: "trivy-results-dpp-frontend.sarif"
-          exit-code: "1"
           hide-progress: false
           severity: "CRITICAL,HIGH"
+          args: "--ignorefile .trivyignore"
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: always()
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: "trivy-results-dpp-frontend.sarif"
 
@@ -140,9 +143,9 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           java-version: "${{ env.JAVA_VERSION }}"
           distribution: "temurin"
@@ -175,10 +178,11 @@ jobs:
         with:
           image-ref: "${{ env.REGISTRY }}/${{ github.repository }}/${{ env.BACKEND_IMAGE_NAME }}"
           format: "sarif"
+          ignore-unfixed: true
           output: "trivy-results-dpp-backend.sarif"
-          exit-code: "1"
           hide-progress: false
           severity: "CRITICAL,HIGH"
+          args: "--ignorefile .trivyignore"
 
         # Build action for docker hub registry
       - name: Run Trivy vulnerability scanner - Docker Hub
@@ -188,14 +192,15 @@ jobs:
         with:
           image-ref: "${{ env.IMAGE_NAMESPACE }}/${{ env.BACKEND_IMAGE_NAME }}"
           format: "sarif"
+          ignore-unfixed: true
           output: "trivy-results-dpp-backend.sarif"
-          exit-code: "1"
           hide-progress: false
           severity: "CRITICAL,HIGH"
+          args: "--ignorefile .trivyignore"
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: always()
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: "trivy-results-dpp-backend.sarif"
 
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,32 @@
+#################################################################################
+# Catena-X - Product Passport Consumer Frontend
+#
+# Copyright (c) 2022, 2024 BASF SE, BMW AG, Henkel AG & Co. KGaA
+# Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+# either express or implied. See the
+# License for the specific language govern in permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+##################################################################################
+
+# List of false positives
+CVE-2023-5363
+CVE-2023-0464
+CVE-2023-44487
+CVE-2023-51074
+CVE-2023-33201
+AVD-KSV-0109
+KSV014
+KSV117