DAOS-623 ci: Add a workflow for Trivy scans

Skip-test: true Skip-unit-test: true Skip-func-test: true Required-githooks: true Signed-off-by: Tomasz Gromadzki <tomasz.gromadzki@intel.com>
daos-stack · Jun 21, 2024 · 61b1785 · 61b1785
1 parent 2f4172d
commit 61b1785
Show file tree

Hide file tree

Showing 4 changed files with 400 additions and 0 deletions.
diff --git a/.github/workflows/triviy.yml b/.github/workflows/triviy.yml
@@ -0,0 +1,86 @@
+name: Trivy scan
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '46 8 * * 0'
+  push:
+    branches: ["master"]
+  pull_request:
+
+# Declare default permissions as nothing.
+permissions: {}
+
+jobs:
+  trivy-scan:
+    name: Trivy scan
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        branch: [master, release/2.6]
+      fail-fast: false
+
+    steps:
+      - name: Install trivy package
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg lsb-release
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | \
+          sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy
+
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1
+        with:
+          ref: ${{ matrix.branch }}
+          persist-credentials: false
+
+      - name: Checkout latest trivy configuration
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+        with:
+          ref: grom72/trivy  # 'grom72/trivy' to be changed to 'master' before the merge
+          path: trivy
+          persist-credentials: false
+
+      - name: Update trivy configuration
+        run: |
+          cp -f -r ./trivy/utils/trivy ./utils
+          rm -rf ./trivy
+
+      - name: Scan with trivy
+        run: |
+          trivy fs -c utils/trivy/trivy.yaml -f table --dependency-tree \
+          --skip-files "src/client/java/hadoop-daos/pom.xml" \
+          --show-suppressed --exit-code 1 .
+
+      # generate trivy report only if no errors detected
+      - name: Generate trivy report file extension
+        id: gen_extension
+        run: |
+          EXTENSION=$(echo "${{ matrix.branch }}" | sed -e 's/release\///' | sed -e's/\//_/' )
+          echo "EXTENSION=$EXTENSION" >> $GITHUB_OUTPUT
+
+      - name: Generate trivy report
+        run: |
+          trivy fs -c utils/trivy/trivy.yaml \
+          --skip-files "src/client/java/hadoop-daos/pom.xml" \
+          --show-suppressed \
+          --output trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt .
+
+      - name: Print trivy report
+        run: cat trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt
+
+      - name: Prepare the report to be uploaded to the GitHub artifactory
+        run: |
+          mkdir report
+          cp trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt report
+          cp utils/trivy/.trivyignore report/trivyignore.txt
+
+      - name: Upload the report to the GitHub artifactory
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808  # v4.3.3
+        env:
+          EXTENSION: ${{ steps.gen_extension.outputs.EXTENSION }}
+        with:
+          path: report/*
+          name: trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}
diff --git a/utils/trivy/.trivyignore b/utils/trivy/.trivyignore
@@ -0,0 +1,31 @@
+## Ignored hadoop related CVE
+## CVE-2023-52428,MEDIUM,,"Denial of Service in Connect2id Nimbus JOSE+JWT","com.nimbusds:nimbus-jose-jwt","9.8.1","9.37.2",https://avd.aquasec.com/nvd/cve-2023-52428
+CVE-2023-52428
+## CVE-2023-39410,HIGH,7.5,"apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK","org.apache.avro:avro","1.7.7","1.11.3",https://avd.aquasec.com/nvd/cve-2023-39410
+CVE-2023-39410
+## CVE-2024-25710,HIGH,5.5,"commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file","org.apache.commons:commons-compress","1.21","1.26.0",https://avd.aquasec.com/nvd/cve-2024-25710
+CVE-2024-25710
+## CVE-2024-26308,HIGH,5.5,"commons-compress: OutOfMemoryError unpacking broken Pack200 file","org.apache.commons:commons-compress","1.21","1.26.0",https://avd.aquasec.com/nvd/cve-2024-26308
+CVE-2024-26308
+## CVE-2024-29131,MEDIUM,,"commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()","org.apache.commons:commons-configuration2","2.8.0","2.10.1",https://avd.aquasec.com/nvd/cve-2024-29131
+CVE-2024-29131
+## CVE-2024-29133,MEDIUM,,"commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree","org.apache.commons:commons-configuration2","2.8.0","2.10.1",https://avd.aquasec.com/nvd/cve-2024-29133
+CVE-2024-29133
+## CVE-2022-40150,HIGH,7.5,"jettison: memory exhaustion via user-supplied XML or JSON data","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-40150
+CVE-2022-40150
+## CVE-2022-45685,HIGH,7.5,"jettison: stack overflow in JSONObject() allows attackers to cause a Denial of Service (DoS) via crafted JSON data","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-45685
+CVE-2022-45685
+## CVE-2022-45693,HIGH,7.5,"jettison:  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-45693
+CVE-2022-45693
+## CVE-2023-1436,HIGH,7.5,"jettison: Uncontrolled Recursion in JSONArray","org.codehaus.jettison:jettison","1.1","1.5.4",https://avd.aquasec.com/nvd/cve-2023-1436
+CVE-2023-1436
+## CVE-2022-40149,MEDIUM,7.5,"jettison: parser crash by stackoverflow","org.codehaus.jettison:jettison","1.1","1.5.1",https://avd.aquasec.com/nvd/cve-2022-40149
+CVE-2022-40149
+## CVE-2023-34455,HIGH,7.5,"snappy-java: Unchecked chunk length leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34455
+CVE-2023-34455
+## CVE-2023-43642,HIGH,7.5,"snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.4",https://avd.aquasec.com/nvd/cve-2023-43642
+CVE-2023-43642
+## CVE-2023-34453,MEDIUM,7.5,"snappy-java: Integer overflow in shuffle leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34453
+CVE-2023-34453
+## CVE-2023-34454,MEDIUM,7.5,"snappy-java: Integer overflow in compress leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34454
+CVE-2023-34454
diff --git a/utils/trivy/csv.tpl b/utils/trivy/csv.tpl
@@ -0,0 +1,29 @@
+{{ range . }}
+Trivy Vulnerability Scan Results ({{- .Target -}})
+VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information
+{{ range .Vulnerabilities }}
+    {{- .VulnerabilityID }},
+    {{- .Severity }},
+    {{- range $key, $value := .CVSS }}
+        {{- if (eq $key "nvd") }}
+            {{- .V3Score -}}
+        {{- end }}
+    {{- end }},
+    {{- quote .Title }},
+    {{- quote .PkgName }},
+    {{- quote .InstalledVersion }},
+    {{- quote .FixedVersion }},
+    {{- .PrimaryURL }}
+{{ else -}}
+    No vulnerabilities found at this time.
+{{ end }}
+Trivy Dependency Scan Results ({{ .Target }})
+ID,Name,Version,Notes
+{{ range .Packages -}}
+    {{- quote .ID }},
+    {{- quote .Name }},
+    {{- quote .Version }}
+{{ else -}}
+    No dependencies found at this time.
+{{ end }}
+{{ end }}