From 1e0360c4daaf7659b7a3f70236a971d603f80fdb Mon Sep 17 00:00:00 2001
From: Maaike
Date: Mon, 4 Nov 2024 14:22:59 +0100
Subject: [PATCH 01/11] add trivy and use latest node-version

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 3ea27eb..4b44e14 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:14.18.1 as ui-builder
+FROM node:23.1.0-slim as ui-builder
 
 RUN mkdir /usr/src/app
 RUN echo "deb http://archive.debian.org/debian stretch main" > /etc/apt/sources.list \

From 3bf4427a9deb12ae3608beaa26b08a135016cd31 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Mon, 4 Nov 2024 14:23:10 +0100
Subject: [PATCH 02/11] add trivy

---
 .github/workflows/trivy.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..f7e7515
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,24 @@
+name: Run Trivy vulnerability scanner
+
+on: [ push ]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build wis2box-api
+        run: |
+          docker build -t wis2box-ui:test .
+      - name: Run Trivy vulnerability scanner on wis2box-ui
+        uses: aquasecurity/trivy-action@0.20.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+        with:
+          image-ref: 'wis2box-ui:test'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
\ No newline at end of file

From 9d7330b7f5c2bf84cf592fd84e5704fc77fdabeb Mon Sep 17 00:00:00 2001
From: Maaike
Date: Mon, 4 Nov 2024 14:59:56 +0100
Subject: [PATCH 03/11] try non-slim base-image

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 4b44e14..6c48b1f 100644
--- a/Dockerfile
+++ b/Dockerfile
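Review bot: The new `FROM node:23.1.0-slim as ui-builder` line sits directly above a RUN (visible as context) that overwrites `/etc/apt/sources.list` with the end-of-life `stretch` archive, so packages installed in this stage can still come from a Debian release that receives no security fixes; Trivy reports such findings as unfixable, and the `ignore-unfixed: true` added in the workflow of patch 02 will then hide them. Depending on whether the base still carries its own sources under `/etc/apt/sources.list.d/`, apt will either mix stretch with the base's suite or install purely from the EOL archive — neither is what a scan gate should be built on. Node 23 is also an odd-numbered, non-LTS line, so a pinned LTS tag (e.g. `node:22.<x>-bookworm-slim`, version to be chosen) with the base image's own apt sources would be the more durable choice; the fix is to delete the line `RUN echo "deb http://archive.debian.org/debian stretch main" > /etc/apt/sources.list \` and begin that RUN at `apt-get update`. The same sources.list context line recurs in the Dockerfile hunks of patches 03, 04, 05, 06 and 09. BuildKit's FromAsCasing check additionally flags the lowercase `as`; `FROM node:23.1.0-slim AS ui-builder` silences it.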
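Review bot: Both actions in the new workflow are referenced by mutable tags, `actions/checkout@v2` (a superseded major) and `aquasecurity/trivy-action@0.20.0`; for a job whose purpose is a security gate, pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # v0.20.0`, and move checkout to a current major. The workflow also runs with the default token scope although it only builds and scans; a top-level `permissions:` block containing `contents: read` limits what the job can do if a step is compromised. Note that `exit-code: '1'` together with `ignore-unfixed: true` means the gate fails only on findings that have an upstream fix, so packages from an end-of-life suite can never trip it — a comment next to `ignore-unfixed` stating that this trade-off is intended would save the next reader from assuming the scan is stricter than it is.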
@@ -1,4 +1,4 @@
-FROM node:23.1.0-slim as ui-builder
+FROM node:23.1.0 as ui-builder
 
 RUN mkdir /usr/src/app
 RUN echo "deb http://archive.debian.org/debian stretch main" > /etc/apt/sources.list \

From 7155b4fbadf2b98e6064b03458eadaae8b88dc35 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Mon, 4 Nov 2024 15:59:52 +0100
Subject: [PATCH 04/11] make test pass?

---
 .github/workflows/trivy.yml | 2 +-
 Dockerfile | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index f7e7515..437ba14 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -8,7 +8,7 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
-      - name: Build wis2box-api
+      - name: Build wis2box-ui
         run: |
           docker build -t wis2box-ui:test .
       - name: Run Trivy vulnerability scanner on wis2box-ui
diff --git a/Dockerfile b/Dockerfile
index 6c48b1f..99574e4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,8 +3,7 @@ FROM node:23.1.0 as ui-builder
 RUN mkdir /usr/src/app
 RUN echo "deb http://archive.debian.org/debian stretch main" > /etc/apt/sources.list \
     && apt-get update \
-    && apt-get upgrade \
-    && apt-get install -y chromium
+    && apt-get upgrade
 
 ENV PATH /usr/src/app/node_modules/.bin:$PATH
 ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD true

From 950c0b3fea6b4cb83da154520641f1731fd00c21 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Mon, 4 Nov 2024 16:37:44 +0100
Subject: [PATCH 05/11] -y for update

---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 99574e4..0fafb37 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,8 +2,8 @@ FROM node:23.1.0 as ui-builder
 
 RUN mkdir /usr/src/app
 RUN echo "deb http://archive.debian.org/debian stretch main" > /etc/apt/sources.list \
-    && apt-get update \
-    && apt-get upgrade
+    && apt-get -y update \
+    && apt-get -y upgrade
 
 ENV PATH /usr/src/app/node_modules/.bin:$PATH
 ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD true
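Review bot: The Dockerfile hunk leaves the apt step as a bare `apt-get update` followed by `apt-get upgrade` with no list cleanup, so the downloaded package indexes remain in the layer, and the blanket upgrade (hadolint DL3005) makes the stage's contents depend on the day it was built rather than on the pinned base tag — which is exactly the kind of drift a Trivy gate then reports inconsistently. Prefer bumping the base image tag over upgrading in place, and close the RUN with `&& rm -rf /var/lib/apt/lists/*` in the same layer so the indexes never land in the image. The same pattern is carried forward by the Dockerfile hunks of patches 05 and 06, which add `-y` and re-add the chromium install but still never remove the lists.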
From ff0418a0c864d6be677953e74853632e1eb2d0c9 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Mon, 4 Nov 2024 16:46:58 +0100
Subject: [PATCH 06/11] re-add chromium

---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 0fafb37..04733c9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,8 @@ FROM node:23.1.0 as ui-builder
 RUN mkdir /usr/src/app
 RUN echo "deb http://archive.debian.org/debian stretch main" > /etc/apt/sources.list \
     && apt-get -y update \
-    && apt-get -y upgrade
+    && apt-get -y upgrade \
+    && apt-get install -y chromium
 
 ENV PATH /usr/src/app/node_modules/.bin:$PATH
 ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD true

From 06a999082331d6597ead7fa1468a68b63fd30678 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Mon, 4 Nov 2024 16:50:37 +0100
Subject: [PATCH 07/11] use --legacy-peer-deps

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 04733c9..b3519be 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ COPY package.json /usr/src/app/package.json
 
 WORKDIR /usr/src/app
 
-RUN npm install && \
+RUN npm install --legacy-peer-deps && \
     npm install -g @vue/cli
 
 COPY . /usr/src/app

From f157b0ed03319a3206868c7952257952824390ea Mon Sep 17 00:00:00 2001
From: Maaike
Date: Mon, 4 Nov 2024 17:05:34 +0100
Subject: [PATCH 08/11] TRIVY_JAVA_DB_REPOSITORY

---
 .github/workflows/trivy.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 437ba14..d2d889d 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -15,6 +15,7 @@ jobs:
         uses: aquasecurity/trivy-action@0.20.0
         env:
           TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
         with:
           image-ref: 'wis2box-ui:test'
           format: 'table'

From 80d5c33552ad6c17ca9df23dcb7cf464f73d3a6d Mon Sep 17 00:00:00 2001
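Review bot: `&& apt-get install -y chromium` on the new side installs an unpinned package with recommends enabled, so a rebuild can silently pull a different chromium plus its recommended extras (hadolint DL3008 / DL3015); with `ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD true` two lines below, this system chromium is presumably the browser puppeteer will drive, which makes its provenance matter for the scan gate. Suggested line: `&& apt-get install -y --no-install-recommends chromium=<pinned-version>`, with the version taken from the suite the base image actually uses rather than the stretch archive written into `/etc/apt/sources.list` above. If chromium is only needed at build time — the stage is named `ui-builder` — it should never reach the runtime image; the final stage is outside this hunk, so confirm it copies build output only.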
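Review bot: `RUN npm install --legacy-peer-deps && \` resolves dependencies afresh on every build, and `--legacy-peer-deps` silences peer-dependency conflicts instead of resolving them, so the package set Trivy scans is neither reproducible nor guaranteed to match the repository's lockfile; the only manifest visible in this hunk's context is `package.json`, so npm has no lockfile to honour here. If the repository has a `package-lock.json`, copy it next to `package.json` and switch to `npm ci --legacy-peer-deps && \` — ci refuses to run when the manifest and lockfile disagree, which is the signal you want before scanning. The following context line `npm install -g @vue/cli` is likewise unpinned; `npm install -g @vue/cli@<pinned-version>` keeps the build tool stable across rebuilds. The rest of the stage lies outside the hunk.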
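Review bot: The added `TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1`, like the `TRIVY_DB_REPOSITORY` line above it, redirects where Trivy downloads its vulnerability databases without saying why; presumably this works around pull limits on the default registry, but a future maintainer cannot tell whether the override is still required or safe to drop. A one-line comment above the `env:` block, such as `# fetch the vulnerability DBs from the ECR mirror rather than the default registry (pull limits)`, records the reason. The `:2` / `:1` suffixes are the DB schema versions, so the same comment is the natural place to note that they must be bumped together with the Trivy version.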
From: Maaike
Date: Tue, 5 Nov 2024 10:39:50 +0100
Subject: [PATCH 09/11] try slim

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index b3519be..62c610b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:23.1.0 as ui-builder
+FROM node:23.1.0-slim as ui-builder
 
 RUN mkdir /usr/src/app
 RUN echo "deb http://archive.debian.org/debian stretch main" > /etc/apt/sources.list \

From 7a71271c87565a6ef1f4f87151d55c2a33a9e97f Mon Sep 17 00:00:00 2001
From: Maaike
Date: Tue, 5 Nov 2024 10:52:03 +0100
Subject: [PATCH 10/11] severity to critical, to align with nginx

---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index d2d889d..c82f782 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -22,4 +22,4 @@ jobs:
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
\ No newline at end of file
+          severity: 'CRITICAL'
\ No newline at end of file

From f954a8babe104e7f4c0d4e2c85ee160a5304aad4 Mon Sep 17 00:00:00 2001
From: Maaike
Date: Tue, 5 Nov 2024 11:16:08 +0100
Subject: [PATCH 11/11] keep scan on HIGH but add ignore for known issue in nginx

---
 .github/workflows/trivy.yml | 3 ++-
 .trivyignore | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 .trivyignore

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index c82f782..de11b88 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -22,4 +22,5 @@ jobs:
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
-          severity: 'CRITICAL'
\ No newline at end of file
+          severity: 'CRITICAL,HIGH'
+          ignorefile: '.trivyignore'
\ No newline at end of file
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..8ba41c1
--- /dev/null
+++ b/.trivyignore
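Review bot: `ignorefile: '.trivyignore'` adds a second suppression mechanism to a gate that already runs with `ignore-unfixed: true`, and nothing in the workflow says who reviews the ignore list or when; a comment above `ignorefile`, e.g. `# suppressions in .trivyignore are re-checked whenever the base image or Trivy version is bumped`, keeps that obligation visible next to the switch that enables it. Both the removed and the added `severity` lines carry `\ No newline at end of file`; terminating the file with a newline avoids that marker churning in every future diff.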
@@ -0,0 +1,2 @@
+# not fixed in nginx, does not appear to be a security issue
+CVE-2023-49462
\ No newline at end of file
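Review bot: The new `CVE-2023-49462` entry is justified only by `# not fixed in nginx, does not appear to be a security issue`, which gives the next reader neither a link to the upstream triage that reached that conclusion nor a date after which the suppression should be revisited; an exception that silences a CRITICAL/HIGH gate should carry both. Trivy's ignore-file syntax accepts an expiry on the same line (if the Trivy build the action bundles supports it), so `CVE-2023-49462 exp:<YYYY-MM-DD>` preceded by a comment with the upstream issue URL makes the exception self-expiring instead of permanent. The file also ends without a newline; adding one avoids the `\ No newline at end of file` marker in future diffs.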