diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 00000000000..a9eec6447fd
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,67 @@
+name: Trivy scan
+
+on:
+ pull_request:
+ branches: ["master", "release/**"]
+
+# Declare default permissions as nothing.
+permissions: {}
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ trivy-config: 'utils/trivy/trivy.yaml'
+
+ - name: Prepare the report to be uploaded to the GitHub artifact store
+ run: |
+ mkdir report
+ cp trivy-report-daos.txt report
+ cp utils/trivy/.trivyignore report/trivyignore.txt
+
+ - name: Upload the report to the GitHub artifact store
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ with:
+ path: report/*
+ name: trivy-report-daos
+
+ - name: Adjust config file to use sarif format
+ run: |
+ sed -i 's/output: "trivy-report-daos.txt"/output: "trivy-results.sarif"/g' \
+ utils/trivy/trivy.yaml
+ sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ trivy-config: 'utils/trivy/trivy.yaml'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
+ # 3.25.15 (v3)
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Adjust config file to show and validate scan results
+ run: |
+ sed -i 's/output: "trivy-results.sarif"//g' utils/trivy/trivy.yaml
+ sed -i 's/format: sarif/format: table/g' utils/trivy/trivy.yaml
+ sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ trivy-config: 'utils/trivy/trivy.yaml'
diff --git a/utils/trivy/.trivyignore b/utils/trivy/.trivyignore
new file mode 100644
index 00000000000..c780a942514
--- /dev/null
+++ b/utils/trivy/.trivyignore
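Review bot: The job has no `permissions:` block of its own, so under the top-level `permissions: {}` the `github/codeql-action/upload-sarif` step runs with a token that lacks `security-events: write` and the upload is expected to be rejected with a permissions error; add under `build:` the three lines `permissions:` / `  contents: read` / `  security-events: write`. On `pull_request` runs from forks the token is read-only regardless of that block, so the SARIF upload will still fail there; either gate that step on the head repository being this repository or document that the upload is best-effort. The `sed -i` edits are silent no-ops if the matched text in utils/trivy/trivy.yaml ever changes, which would leave the final scan at `exit-code: 0` with the gate disabled; a `grep -q 'exit-code: 1' utils/trivy/trivy.yaml` after the last `sed` would make that loud. The in-place edits also leave the checked-out config modified for any step added after them.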
@@ -0,0 +1,39 @@
+## Ignored hadoop related CVE
+## CVE-2023-52428,MEDIUM,,"Denial of Service in Connect2id Nimbus JOSE+JWT","com.nimbusds:nimbus-jose-jwt","9.8.1","9.37.2",https://avd.aquasec.com/nvd/cve-2023-52428
+CVE-2023-52428
+## CVE-2023-39410,HIGH,7.5,"apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK","org.apache.avro:avro","1.7.7","1.11.3",https://avd.aquasec.com/nvd/cve-2023-39410
+CVE-2023-39410
+## CVE-2024-25710,HIGH,5.5,"commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file","org.apache.commons:commons-compress","1.21","1.26.0",https://avd.aquasec.com/nvd/cve-2024-25710
+CVE-2024-25710
+## CVE-2024-26308,HIGH,5.5,"commons-compress: OutOfMemoryError unpacking broken Pack200 file","org.apache.commons:commons-compress","1.21","1.26.0",https://avd.aquasec.com/nvd/cve-2024-26308
+CVE-2024-26308
+## CVE-2024-29131,MEDIUM,,"commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()","org.apache.commons:commons-configuration2","2.8.0","2.10.1",https://avd.aquasec.com/nvd/cve-2024-29131
+CVE-2024-29131
+## CVE-2024-29133,MEDIUM,,"commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree","org.apache.commons:commons-configuration2","2.8.0","2.10.1",https://avd.aquasec.com/nvd/cve-2024-29133
+CVE-2024-29133
+## CVE-2022-40150,HIGH,7.5,"jettison: memory exhaustion via user-supplied XML or JSON data","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-40150
+CVE-2022-40150
+## CVE-2022-45685,HIGH,7.5,"jettison: stack overflow in JSONObject() allows attackers to cause a Denial of Service (DoS) via crafted JSON data","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-45685
+CVE-2022-45685
+## CVE-2022-45693,HIGH,7.5,"jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-45693
+CVE-2022-45693
+## CVE-2023-1436,HIGH,7.5,"jettison: Uncontrolled Recursion in JSONArray","org.codehaus.jettison:jettison","1.1","1.5.4",https://avd.aquasec.com/nvd/cve-2023-1436
+CVE-2023-1436
+## CVE-2022-40149,MEDIUM,7.5,"jettison: parser crash by stackoverflow","org.codehaus.jettison:jettison","1.1","1.5.1",https://avd.aquasec.com/nvd/cve-2022-40149
+CVE-2022-40149
+## CVE-2023-34455,HIGH,7.5,"snappy-java: Unchecked chunk length leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34455
+CVE-2023-34455
+## CVE-2023-43642,HIGH,7.5,"snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.4",https://avd.aquasec.com/nvd/cve-2023-43642
+CVE-2023-43642
+## CVE-2023-34453,MEDIUM,7.5,"snappy-java: Integer overflow in shuffle leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34453
+CVE-2023-34453
+## CVE-2023-34454,MEDIUM,7.5,"snappy-java: Integer overflow in compress leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34454
+CVE-2023-34454
+## CVE-2024-25638,HIGH,,"dnsjava: Improper response validation allowing DNSSEC bypass","dnsjava:dnsjava","2.1.7","3.6.0",https://avd.aquasec.com/nvd/cve-2024-25638
+CVE-2024-25638
+
+## Ignore DNSJava-related issues
+## GHSA-crjg-w57m-rqqf,MEDIUM,,"DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-crjg-w57m-rqqf
+GHSA-crjg-w57m-rqqf
+## GHSA-mmwx-rj87-vfgr,MEDIUM,,"DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-mmwx-rj87-vfgr
+GHSA-mmwx-rj87-vfgr
\ No newline at end of file
diff --git a/utils/trivy/csv.tpl b/utils/trivy/csv.tpl
new file mode 100644
index 00000000000..0c1e5074461
--- /dev/null
+++ b/utils/trivy/csv.tpl
@@ -0,0 +1,29 @@
+{{ range . }}
+Trivy Vulnerability Scan Results ({{- .Target -}})
+VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information
+{{ range .Vulnerabilities }}
+ {{- .VulnerabilityID }},
+ {{- .Severity }},
+ {{- range $key, $value := .CVSS }}
+ {{- if (eq $key "nvd") }}
+ {{- .V3Score -}}
+ {{- end }}
+ {{- end }},
+ {{- quote .Title }},
+ {{- quote .PkgName }},
+ {{- quote .InstalledVersion }},
+ {{- quote .FixedVersion }},
+ {{- .PrimaryURL }}
+{{ else -}}
+ No vulnerabilities found at this time.
+{{ end }}
+Trivy Dependency Scan Results ({{ .Target }})
+ID,Name,Version,Notes
+{{ range .Packages -}}
+ {{- quote .ID }},
+ {{- quote .Name }},
+ {{- quote .Version }}
+{{ else -}}
+ No dependencies found at this time.
+{{ end }}
+{{ end }}
diff --git a/utils/trivy/trivy.yaml b/utils/trivy/trivy.yaml
new file mode 100644
index 00000000000..293f7b1ba9f
--- /dev/null
+++ b/utils/trivy/trivy.yaml
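Review bot: Each entry is a bare ID with no expiry and no per-entry justification, so the suppressions are permanent and the only stated reason is the heading `## Ignored hadoop related CVE`; a `.trivyignore` ID suppresses that CVE in every package Trivy finds, not only in the hadoop tree, and utils/trivy/trivy.yaml already lists that tree under `scan.skip-dirs`, so it is not clear from the diff which remaining findings these entries are meant to cover. Add a one-line comment per entry naming the component that pulls the package in and why the risk is accepted, and, if the pinned Trivy version supports it, an expiry of the form `CVE-2023-52428 exp:YYYY-MM-DD` (placeholder date) so each suppression is revisited rather than inherited. The recorded `##` lines show a fixed version for every entry (for example `1.26.0` for commons-compress), so the comment should also say why upgrading was not chosen over ignoring.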
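Review bot: `quote` here is sprig's helper, which formats with Go `%q`, so a `.Title` or `.PkgName` containing a double quote is emitted as `\"` rather than the CSV `""` escape and such a row will not parse in a strict CSV reader; unless the report is only ever read by eye, escape before wrapping, e.g. `{{- printf "\"%s\"" (replace "\"" "\"\"" .Title) }},`. The `Triage Information` and `Notes` header columns have no matching value in the data rows, so every row is one field short of its header; if that is intended for hand-filled triage, a `{{/* ... */}}` comment at the top of the template saying so would stop it being reported as a bug. `$value` in the `.CVSS` range is declared and never used; inside the `nvd` branch `.V3Score` already refers to that entry, so either use `$value.V3Score` or drop the binding.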
@@ -0,0 +1,250 @@
+cache:
+ backend: fs
+ clear: false
+ dir:
+ redis:
+ ca: ""
+ cert: ""
+ key: ""
+ tls: false
+ ttl: 0s
+config: trivy.yaml
+db:
+ download-java-only: false
+ download-only: false
+ java-repository: ghcr.io/aquasecurity/trivy-java-db
+ java-skip-update: false
+ no-progress: false
+ repository: ghcr.io/aquasecurity/trivy-db
+ skip-update: false
+debug: false
+dependency-tree: true
+exit-code: 0
+generate-default-config: false
+ignore-policy: ""
+ignorefile: ./utils/trivy/.trivyignore
+include-dev-deps: false
+insecure: false
+license:
+ confidencelevel: "0.9"
+ forbidden:
+ - AGPL-1.0
+ - AGPL-3.0
+ - CC-BY-NC-1.0
+ - CC-BY-NC-2.0
+ - CC-BY-NC-2.5
+ - CC-BY-NC-3.0
+ - CC-BY-NC-4.0
+ - CC-BY-NC-ND-1.0
+ - CC-BY-NC-ND-2.0
+ - CC-BY-NC-ND-2.5
+ - CC-BY-NC-ND-3.0
+ - CC-BY-NC-ND-4.0
+ - CC-BY-NC-SA-1.0
+ - CC-BY-NC-SA-2.0
+ - CC-BY-NC-SA-2.5
+ - CC-BY-NC-SA-3.0
+ - CC-BY-NC-SA-4.0
+ - Commons-Clause
+ - Facebook-2-Clause
+ - Facebook-3-Clause
+ - Facebook-Examples
+ - WTFPL
+ full: false
+ ignored: []
+ notice:
+ - AFL-1.1
+ - AFL-1.2
+ - AFL-2.0
+ - AFL-2.1
+ - AFL-3.0
+ - Apache-1.0
+ - Apache-1.1
+ - Apache-2.0
+ - Artistic-1.0-cl8
+ - Artistic-1.0-Perl
+ - Artistic-1.0
+ - Artistic-2.0
+ - BSL-1.0
+ - BSD-2-Clause-FreeBSD
+ - BSD-2-Clause-NetBSD
+ - BSD-2-Clause
+ - BSD-3-Clause-Attribution
+ - BSD-3-Clause-Clear
+ - BSD-3-Clause-LBNL
+ - BSD-3-Clause
+ - BSD-4-Clause
+ - BSD-4-Clause-UC
+ - BSD-Protection
+ - CC-BY-1.0
+ - CC-BY-2.0
+ - CC-BY-2.5
+ - CC-BY-3.0
+ - CC-BY-4.0
+ - FTL
+ - ISC
+ - ImageMagick
+ - Libpng
+ - Lil-1.0
+ - Linux-OpenIB
+ - LPL-1.02
+ - LPL-1.0
+ - MS-PL
+ - MIT
+ - NCSA
+ - OpenSSL
+ - PHP-3.01
+ - PHP-3.0
+ - PIL
+ - Python-2.0
+ - Python-2.0-complete
+ - PostgreSQL
+ - SGI-B-1.0
+ - SGI-B-1.1
+ - SGI-B-2.0
+ - Unicode-DFS-2015
+ - Unicode-DFS-2016
+ - Unicode-TOU
+ - UPL-1.0
+ - W3C-19980720
+ - W3C-20150513
+ - W3C
+ - X11
+ - Xnet
+ - Zend-2.0
+ - zlib-acknowledgement
+ - Zlib
+ - ZPL-1.1
+ - ZPL-2.0
+ - ZPL-2.1
+ permissive: []
+ reciprocal:
+ - APSL-1.0
+ - APSL-1.1
+ - APSL-1.2
+ - APSL-2.0
+ - CDDL-1.0
+ - CDDL-1.1
+ - CPL-1.0
+ - EPL-1.0
+ - EPL-2.0
+ - FreeImage
+ - IPL-1.0
+ - MPL-1.0
+ - MPL-1.1
+ - MPL-2.0
+ - Ruby
+ restricted:
+ - BCL
+ - CC-BY-ND-1.0
+ - CC-BY-ND-2.0
+ - CC-BY-ND-2.5
+ - CC-BY-ND-3.0
+ - CC-BY-ND-4.0
+ - CC-BY-SA-1.0
+ - CC-BY-SA-2.0
+ - CC-BY-SA-2.5
+ - CC-BY-SA-3.0
+ - CC-BY-SA-4.0
+ - GPL-1.0
+ - GPL-2.0
+ - GPL-2.0-with-autoconf-exception
+ - GPL-2.0-with-bison-exception
+ - GPL-2.0-with-classpath-exception
+ - GPL-2.0-with-font-exception
+ - GPL-2.0-with-GCC-exception
+ - GPL-3.0
+ - GPL-3.0-with-autoconf-exception
+ - GPL-3.0-with-GCC-exception
+ - LGPL-2.0
+ - LGPL-2.1
+ - LGPL-3.0
+ - NPL-1.0
+ - NPL-1.1
+ - OSL-1.0
+ - OSL-1.1
+ - OSL-2.0
+ - OSL-2.1
+ - OSL-3.0
+ - QPL-1.0
+ - Sleepycat
+ unencumbered:
+ - CC0-1.0
+ - Unlicense
+ - 0BSD
+list-all-pkgs: false
+misconfiguration:
+ cloudformation:
+ params: []
+ helm:
+ set: []
+ set-file: []
+ set-string: []
+ values: []
+ include-non-failures: false
+ check-bundle-repository: ghcr.io/aquasecurity/trivy-policies:0
+ # scanners:
+ # - azure-arm
+ # - cloudformation
+ # - dockerfile
+ # - helm
+ # - kubernetes
+ # - terraform
+ # - terraformplan
+ terraform:
+ exclude-downloaded-modules: false
+ vars: []
+module:
+ dir:
+ enable-modules: []
+output: "trivy-report-daos.txt"
+format: template
+template: '@./utils/trivy/csv.tpl'
+output-plugin-arg: ""
+quiet: false
+registry:
+ password: []
+ token: ""
+ username: []
+rego:
+ data: []
+ namespaces: []
+ policy: []
+ skip-policy-update: false
+ trace: false
+report: all
+scan:
+ compliance: ""
+ file-patterns: []
+ offline: false
+ parallel: 1
+ rekor-url: https://rekor.sigstore.dev
+ sbom-sources: []
+ scanners:
+ - vuln
+ - secret
+ # ignore all hadoop dependencies
+ skip-dirs:
+ ./src/client/java/hadoop-daos
+ skip-files: []
+ show-suppressed: true
+secret:
+ config: trivy-secret.yaml
+server:
+ addr: ""
+ custom-headers: []
+ token: ""
+ token-header: Trivy-Token
+severity:
+ - UNKNOWN
+ - MEDIUM
+ - HIGH
+ - CRITICAL
+timeout: 5m0s
+version: false
+vulnerability:
+ ignore-status: []
+ ignore-unfixed: false
+ type:
+ - os
+ - library
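Review bot: `scan.skip-dirs:` is followed by a plain scalar on the next line, so YAML hands Trivy the string `./src/client/java/hadoop-daos` rather than a one-element sequence; Trivy may coerce a lone string, but the list form `skip-dirs:` / `  - ./src/client/java/hadoop-daos` is unambiguous and matches the `skip-files: []` beside it, and a silently unmatched skip would let hadoop findings reappear with no error. `cache.dir:` and `module.dir:` are bare keys, which parse as null rather than an empty string; write `""` (as `registry.token: ""` does) if the default is what is intended. The `output: "trivy-report-daos.txt"`, `format: template` and `exit-code: 0` lines are rewritten in place by exact-match `sed` patterns in .github/workflows/trivy.yml, so each of them should carry a comment such as `# edited in place by .github/workflows/trivy.yml; keep this exact spelling` to stop a reformat from silently disabling the failing scan.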