From ce5510daa4fe3bd9e27b0d9a63468e6c9ccb726d Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Fri, 21 Jun 2024 13:16:42 +0200 Subject: [PATCH 01/16] DAOS-623 ci: Add a workflow for Trivy scans Skip-test: true Skip-unit-test: true Skip-func-test: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/triviy.yml | 86 ++++++++++++ utils/trivy/.trivyignore | 31 +++++ utils/trivy/csv.tpl | 29 ++++ utils/trivy/trivy.yaml | 254 +++++++++++++++++++++++++++++++++++ 4 files changed, 400 insertions(+) create mode 100644 .github/workflows/triviy.yml create mode 100644 utils/trivy/.trivyignore create mode 100644 utils/trivy/csv.tpl create mode 100644 utils/trivy/trivy.yaml diff --git a/.github/workflows/triviy.yml b/.github/workflows/triviy.yml new file mode 100644 index 00000000000..36098a313ed --- /dev/null +++ b/.github/workflows/triviy.yml 
@@ -0,0 +1,86 @@ +name: Trivy scan + +on: + workflow_dispatch: + schedule: + - cron: '46 8 * * 0' + push: + branches: ["master"] + pull_request: + +# Declare default permissions as nothing. +permissions: {} + +jobs: + trivy-scan: + name: Trivy scan + runs-on: ubuntu-22.04 + strategy: + matrix: + branch: [master, release/2.6] + fail-fast: false + + steps: + - name: Install trivy package + run: | + sudo apt-get install wget apt-transport-https gnupg lsb-release + wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - + echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | \ + sudo tee -a /etc/apt/sources.list.d/trivy.list + sudo apt-get update + sudo apt-get install trivy + + - name: Checkout code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1 + with: + ref: ${{ matrix.branch }} + persist-credentials: false + + - name: Checkout latest trivy configuration + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: grom72/trivy # 'grom72/trivy' to be changed to 'master' before the merge + path: trivy + persist-credentials: false + + - name: Update trivy configuration + run: | + cp -f -r ./trivy/utils/trivy ./utils + rm -rf ./trivy + + - name: Scan with trivy + run: | + trivy fs -c utils/trivy/trivy.yaml -f table --dependency-tree \ + --skip-files "src/client/java/hadoop-daos/pom.xml" \ + --show-suppressed --exit-code 1 . + + # generate trivy report only if no errors detected + - name: Generate trivy report file extension + id: gen_extension + run: | + EXTENSION=$(echo "${{ matrix.branch }}" | sed -e 's/release\///' | sed -e's/\//_/' ) + echo "EXTENSION=$EXTENSION" >> $GITHUB_OUTPUT + + - name: Generate trivy report + run: | + trivy fs -c utils/trivy/trivy.yaml \ + --skip-files "src/client/java/hadoop-daos/pom.xml" \ + --show-suppressed \ + --output trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt . 
+ + - name: Print trivy report + run: cat trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt + + - name: Prepare the report to be uploaded to the GitHub artifactory + run: | + mkdir report + cp trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt report + cp utils/trivy/.trivyignore report/trivyignore.txt + + - name: Upload the report to the GitHub artifactory + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + env: + EXTENSION: ${{ steps.gen_extension.outputs.EXTENSION }} + with: + path: report/* + name: trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }} diff --git a/utils/trivy/.trivyignore b/utils/trivy/.trivyignore new file mode 100644 index 00000000000..a1ac478ef02 --- /dev/null +++ b/utils/trivy/.trivyignore 
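Review bot: The report is only produced on a clean scan, because the `Scan with trivy` step runs with `--exit-code 1` before the report steps, so the uploaded artifact is missing exactly when findings exist and triage needs it. Generating and uploading the report before the gating scan, or giving the later steps `if: always()`, keeps that evidence. The install step pipes the signing key into the deprecated `apt-key add -` and calls `apt-get install` without `-y`, which may abort at the confirmation prompt on a runner without a tty; the repository can instead be registered with a `signed-by=` keyring under /etc/apt/keyrings. The scan configuration is also fetched from the mutable branch `grom72/trivy` rather than a pinned ref, as the inline comment acknowledges, and the workflow file name `triviy.yml` looks like a typo for `trivy.yml`.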
@@ -0,0 +1,31 @@ +## Ignored hadoop related CVE +## CVE-2023-52428,MEDIUM,,"Denial of Service in Connect2id Nimbus JOSE+JWT","com.nimbusds:nimbus-jose-jwt","9.8.1","9.37.2",https://avd.aquasec.com/nvd/cve-2023-52428 +CVE-2023-52428 +## CVE-2023-39410,HIGH,7.5,"apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK","org.apache.avro:avro","1.7.7","1.11.3",https://avd.aquasec.com/nvd/cve-2023-39410 +CVE-2023-39410 +## CVE-2024-25710,HIGH,5.5,"commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file","org.apache.commons:commons-compress","1.21","1.26.0",https://avd.aquasec.com/nvd/cve-2024-25710 +CVE-2024-25710 +## CVE-2024-26308,HIGH,5.5,"commons-compress: OutOfMemoryError unpacking broken Pack200 file","org.apache.commons:commons-compress","1.21","1.26.0",https://avd.aquasec.com/nvd/cve-2024-26308 +CVE-2024-26308 +## CVE-2024-29131,MEDIUM,,"commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()","org.apache.commons:commons-configuration2","2.8.0","2.10.1",https://avd.aquasec.com/nvd/cve-2024-29131 +CVE-2024-29131 +## CVE-2024-29133,MEDIUM,,"commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree","org.apache.commons:commons-configuration2","2.8.0","2.10.1",https://avd.aquasec.com/nvd/cve-2024-29133 +CVE-2024-29133 +## CVE-2022-40150,HIGH,7.5,"jettison: memory exhaustion via user-supplied XML or JSON data","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-40150 +CVE-2022-40150 +## CVE-2022-45685,HIGH,7.5,"jettison: stack overflow in JSONObject() allows attackers to cause a Denial of Service (DoS) via crafted JSON data","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-45685 +CVE-2022-45685 +## CVE-2022-45693,HIGH,7.5,"jettison: If the value in map is the map's self, the new new JSONObject(map) cause 
StackOverflowError which may lead to dos","org.codehaus.jettison:jettison","1.1","1.5.2",https://avd.aquasec.com/nvd/cve-2022-45693 +CVE-2022-45693 +## CVE-2023-1436,HIGH,7.5,"jettison: Uncontrolled Recursion in JSONArray","org.codehaus.jettison:jettison","1.1","1.5.4",https://avd.aquasec.com/nvd/cve-2023-1436 +CVE-2023-1436 +## CVE-2022-40149,MEDIUM,7.5,"jettison: parser crash by stackoverflow","org.codehaus.jettison:jettison","1.1","1.5.1",https://avd.aquasec.com/nvd/cve-2022-40149 +CVE-2022-40149 +## CVE-2023-34455,HIGH,7.5,"snappy-java: Unchecked chunk length leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34455 +CVE-2023-34455 +## CVE-2023-43642,HIGH,7.5,"snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.4",https://avd.aquasec.com/nvd/cve-2023-43642 +CVE-2023-43642 +## CVE-2023-34453,MEDIUM,7.5,"snappy-java: Integer overflow in shuffle leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34453 +CVE-2023-34453 +## CVE-2023-34454,MEDIUM,7.5,"snappy-java: Integer overflow in compress leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34454 +CVE-2023-34454 diff --git a/utils/trivy/csv.tpl b/utils/trivy/csv.tpl new file mode 100644 index 00000000000..0c1e5074461 --- /dev/null +++ b/utils/trivy/csv.tpl 
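Review bot: Every suppression here is open-ended although each `##` line records a fixed version, so the list will silently outlive the upgrade that would make it unnecessary. Trivy's ignore file accepts an expiry per entry, e.g. `CVE-2023-52428 exp:<YYYY-MM-DD>`, which forces the exception to be revisited; a one-line reason per entry (why the hadoop path is not reachable in this build) would also help the next reviewer. The `##` lines reproduce scanner output (severity, score, versions) and may drift as the vulnerability database updates, so a short reason is the more durable record.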
@@ -0,0 +1,29 @@ +{{ range . }} +Trivy Vulnerability Scan Results ({{- .Target -}}) +VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information +{{ range .Vulnerabilities }} + {{- .VulnerabilityID }}, + {{- .Severity }}, + {{- range $key, $value := .CVSS }} + {{- if (eq $key "nvd") }} + {{- .V3Score -}} + {{- end }} + {{- end }}, + {{- quote .Title }}, + {{- quote .PkgName }}, + {{- quote .InstalledVersion }}, + {{- quote .FixedVersion }}, + {{- .PrimaryURL }} +{{ else -}} + No vulnerabilities found at this time. +{{ end }} +Trivy Dependency Scan Results ({{ .Target }}) +ID,Name,Version,Notes +{{ range .Packages -}} + {{- quote .ID }}, + {{- quote .Name }}, + {{- quote .Version }} +{{ else -}} + No dependencies found at this time. +{{ end }} +{{ end }} diff --git a/utils/trivy/trivy.yaml b/utils/trivy/trivy.yaml new file mode 100644 index 00000000000..22d3460d41d --- /dev/null +++ b/utils/trivy/trivy.yaml 
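Review bot: The vulnerability header declares nine columns, ending in `Triage Information`, but each row emits only eight values (the last being `.PrimaryURL`), so a strict CSV reader will reject the rows for a field-count mismatch. Either drop the column from the header or end each row with a trailing `,` after `{{- .PrimaryURL }}` so the triage column is present and empty. As far as I can tell `quote` produces Go-style quoting with backslash escapes rather than RFC 4180 quote doubling, so titles containing a double quote may not round-trip through CSV tooling; a comment at the top of the template stating the intended consumer would settle whether that matters.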
@@ -0,0 +1,254 @@ +cache: + backend: fs + clear: false + dir: + redis: + ca: "" + cert: "" + key: "" + tls: false + ttl: 0s +config: trivy.yaml +db: + download-java-only: false + download-only: false + java-repository: ghcr.io/aquasecurity/trivy-java-db + java-skip-update: false + light: false + no-progress: false + repository: ghcr.io/aquasecurity/trivy-db + skip-update: false +debug: false +dependency-tree: true +exit-code: 0 +format: template +generate-default-config: false +ignore-policy: "" +ignorefile: ./utils/trivy/.trivyignore +include-dev-deps: false +insecure: false +license: + confidencelevel: "0.9" + forbidden: + - AGPL-1.0 + - AGPL-3.0 + - CC-BY-NC-1.0 + - CC-BY-NC-2.0 + - CC-BY-NC-2.5 + - CC-BY-NC-3.0 + - CC-BY-NC-4.0 + - CC-BY-NC-ND-1.0 + - CC-BY-NC-ND-2.0 + - CC-BY-NC-ND-2.5 + - CC-BY-NC-ND-3.0 + - CC-BY-NC-ND-4.0 + - CC-BY-NC-SA-1.0 + - CC-BY-NC-SA-2.0 + - CC-BY-NC-SA-2.5 + - CC-BY-NC-SA-3.0 + - CC-BY-NC-SA-4.0 + - Commons-Clause + - Facebook-2-Clause + - Facebook-3-Clause + - Facebook-Examples + - WTFPL + full: false + ignored: [] + notice: + - AFL-1.1 + - AFL-1.2 + - AFL-2.0 + - AFL-2.1 + - AFL-3.0 + - Apache-1.0 + - Apache-1.1 + - Apache-2.0 + - Artistic-1.0-cl8 + - Artistic-1.0-Perl + - Artistic-1.0 + - Artistic-2.0 + - BSL-1.0 + - BSD-2-Clause-FreeBSD + - BSD-2-Clause-NetBSD + - BSD-2-Clause + - BSD-3-Clause-Attribution + - BSD-3-Clause-Clear + - BSD-3-Clause-LBNL + - BSD-3-Clause + - BSD-4-Clause + - BSD-4-Clause-UC + - BSD-Protection + - CC-BY-1.0 + - CC-BY-2.0 + - CC-BY-2.5 + - CC-BY-3.0 + - CC-BY-4.0 + - FTL + - ISC + - ImageMagick + - Libpng + - Lil-1.0 + - Linux-OpenIB + - LPL-1.02 + - LPL-1.0 + - MS-PL + - MIT + - NCSA + - OpenSSL + - PHP-3.01 + - PHP-3.0 + - PIL + - Python-2.0 + - Python-2.0-complete + - PostgreSQL + - SGI-B-1.0 + - SGI-B-1.1 + - SGI-B-2.0 + - Unicode-DFS-2015 + - Unicode-DFS-2016 + - Unicode-TOU + - UPL-1.0 + - W3C-19980720 + - W3C-20150513 + - W3C + - X11 + - Xnet + - Zend-2.0 + - zlib-acknowledgement + - Zlib + - 
ZPL-1.1 + - ZPL-2.0 + - ZPL-2.1 + permissive: [] + reciprocal: + - APSL-1.0 + - APSL-1.1 + - APSL-1.2 + - APSL-2.0 + - CDDL-1.0 + - CDDL-1.1 + - CPL-1.0 + - EPL-1.0 + - EPL-2.0 + - FreeImage + - IPL-1.0 + - MPL-1.0 + - MPL-1.1 + - MPL-2.0 + - Ruby + restricted: + - BCL + - CC-BY-ND-1.0 + - CC-BY-ND-2.0 + - CC-BY-ND-2.5 + - CC-BY-ND-3.0 + - CC-BY-ND-4.0 + - CC-BY-SA-1.0 + - CC-BY-SA-2.0 + - CC-BY-SA-2.5 + - CC-BY-SA-3.0 + - CC-BY-SA-4.0 + - GPL-1.0 + - GPL-2.0 + - GPL-2.0-with-autoconf-exception + - GPL-2.0-with-bison-exception + - GPL-2.0-with-classpath-exception + - GPL-2.0-with-font-exception + - GPL-2.0-with-GCC-exception + - GPL-3.0 + - GPL-3.0-with-autoconf-exception + - GPL-3.0-with-GCC-exception + - LGPL-2.0 + - LGPL-2.1 + - LGPL-3.0 + - NPL-1.0 + - NPL-1.1 + - OSL-1.0 + - OSL-1.1 + - OSL-2.0 + - OSL-2.1 + - OSL-3.0 + - QPL-1.0 + - Sleepycat + unencumbered: + - CC0-1.0 + - Unlicense + - 0BSD +list-all-pkgs: false +misconfiguration: + cloudformation: + params: [] + helm: + set: [] + set-file: [] + set-string: [] + values: [] + include-non-failures: false + check-bundle-repository: ghcr.io/aquasecurity/trivy-policies:0 + reset-checks-bundle: false + # scanners: + # - azure-arm + # - cloudformation + # - dockerfile + # - helm + # - kubernetes + # - terraform + # - terraformplan + terraform: + exclude-downloaded-modules: false + vars: [] +module: + dir: + enable-modules: [] +output: "" +output-plugin-arg: "" +quiet: false +registry: + password: [] + token: "" + username: [] +rego: + data: [] + namespaces: [] + policy: [] + skip-policy-update: false + trace: false +report: all +reset: false +scan: + compliance: "" + file-patterns: [] + offline: false + parallel: 5 + rekor-url: https://rekor.sigstore.dev + sbom-sources: [] + scanners: + - vuln + - secret + # ignore all hadoop dependencies + skip-dirs: + ./src/client/java/hadoop-daos + skip-files: [] + slow: false + show-suppressed: true +secret: + config: trivy-secret.yaml +server: + addr: "" + custom-headers: [] 
+ token: "" + token-header: Trivy-Token +severity: + - UNKNOWN + - MEDIUM + - HIGH + - CRITICAL +template: '@./utils/trivy/csv.tpl' +timeout: 5m0s +version: false +vulnerability: + ignore-status: [] + ignore-unfixed: false + type: + - os + - library From 156e9a625501c9016d6f2ed0e87a5d1e358ea080 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 25 Jun 2024 08:13:32 +0200 Subject: [PATCH 02/16] Minor changes after review Skip-test: true Skip-unit-test: true Skip-func-test: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/triviy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/triviy.yml b/.github/workflows/triviy.yml index 36098a313ed..08b60c03e1f 100644 --- a/.github/workflows/triviy.yml +++ b/.github/workflows/triviy.yml @@ -58,7 +58,7 @@ jobs: - name: Generate trivy report file extension id: gen_extension run: | - EXTENSION=$(echo "${{ matrix.branch }}" | sed -e 's/release\///' | sed -e's/\//_/' ) + EXTENSION=$(echo "${{ matrix.branch }}" | sed -e 's/release\///' -e's/\//_/' ) echo "EXTENSION=$EXTENSION" >> $GITHUB_OUTPUT - name: Generate trivy report @@ -71,13 +71,13 @@ jobs: - name: Print trivy report run: cat trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt - - name: Prepare the report to be uploaded to the GitHub artifactory + - name: Prepare the report to be uploaded to the GitHub artifact store run: | mkdir report cp trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt report cp utils/trivy/.trivyignore report/trivyignore.txt - - name: Upload the report to the GitHub artifactory + - name: Upload the report to the GitHub artifact store uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 env: EXTENSION: ${{ steps.gen_extension.outputs.EXTENSION }} From 6c3d436c9ef6a1c2210219041f167786aacf00d3 Mon Sep 17 00:00:00 2001 
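Review bot: `skip-dirs` is written as a plain scalar on a continuation line while the sibling `skip-files: []` is a list; Trivy expects a list here, and the scalar only works if the config loader coerces a string into a slice, so write it as `skip-dirs:` / `  - ./src/client/java/hadoop-daos`. `cache.dir` and `module.dir` are bare `dir:` keys that parse as null; if the intent is "use the default", `dir: ""` or omitting the key says so explicitly. With `exit-code: 0` this file never fails a scan on its own, and `secret.config` points to `trivy-secret.yaml`, which does not appear in this patch; a comment noting that both are deliberate (the workflow passes `--exit-code 1` on the gating run) would save the next reader a search.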
From: Tomasz Gromadzki Date: Tue, 25 Jun 2024 08:30:30 +0200 Subject: [PATCH 03/16] Limit the scope of workflow triggers Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/triviy.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/triviy.yml b/.github/workflows/triviy.yml index 08b60c03e1f..716ee3dce43 100644 --- a/.github/workflows/triviy.yml +++ b/.github/workflows/triviy.yml @@ -4,9 +4,8 @@ on: workflow_dispatch: schedule: - cron: '46 8 * * 0' - push: - branches: ["master"] pull_request: + branches: ["master", "release/**"] # Declare default permissions as nothing. permissions: {} From c9da1db977fcc556ead88ed634d81d1179356ea3 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 25 Jun 2024 08:33:55 +0200 Subject: [PATCH 04/16] Assume backport to release 2.6 Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/triviy.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/triviy.yml b/.github/workflows/triviy.yml index 716ee3dce43..d4b5695ea20 100644 --- a/.github/workflows/triviy.yml +++ b/.github/workflows/triviy.yml @@ -14,10 +14,6 @@ jobs: trivy-scan: name: Trivy scan runs-on: ubuntu-22.04 - strategy: - matrix: - branch: [master, release/2.6] - fail-fast: false steps: - name: Install trivy package @@ -32,7 +28,6 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1 with: - ref: ${{ matrix.branch }} persist-credentials: false - name: Checkout latest trivy configuration 
@@ -57,7 +52,10 @@ jobs: - name: Generate trivy report file extension id: gen_extension run: | - EXTENSION=$(echo "${{ matrix.branch }}" | sed -e 's/release\///' -e's/\//_/' ) + EXTENSION=$(echo "${{ github.ref }}" | sed -e 's/release\///' -e's/\//_/' ) + if [ -z "${VAR}" ]; then + EXTENSION=$(echo "${{ github.base_ref }}" | sed -e 's/release\///' -e's/\//_/' ) + fi echo "EXTENSION=$EXTENSION" >> $GITHUB_OUTPUT - name: Generate trivy report From c676df414b28b6a9b2366c250714dd6953db0bba Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 25 Jun 2024 09:25:10 +0200 Subject: [PATCH 05/16] Revert "Assume backport to release 2.6" This reverts commit 4ad656b4f71cd5969ced5d3718f81e1d5db8c9f3. Skip-test: true Skip-unit-test: true Skip-func-test: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/triviy.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/triviy.yml b/.github/workflows/triviy.yml index d4b5695ea20..716ee3dce43 100644 --- a/.github/workflows/triviy.yml +++ b/.github/workflows/triviy.yml @@ -14,6 +14,10 @@ jobs: trivy-scan: name: Trivy scan runs-on: ubuntu-22.04 + strategy: + matrix: + branch: [master, release/2.6] + fail-fast: false steps: - name: Install trivy package @@ -28,6 +32,7 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1 with: + ref: ${{ matrix.branch }} persist-credentials: false - name: Checkout latest trivy configuration @@ -52,10 +57,7 @@ jobs: - name: Generate trivy report file extension id: gen_extension run: | - EXTENSION=$(echo "${{ github.ref }}" | sed -e 's/release\///' -e's/\//_/' ) - if [ -z "${VAR}" ]; then - EXTENSION=$(echo "${{ github.base_ref }}" | sed -e 's/release\///' -e's/\//_/' ) - fi + EXTENSION=$(echo "${{ matrix.branch }}" | sed -e 's/release\///' -e's/\//_/' ) echo "EXTENSION=$EXTENSION" >> $GITHUB_OUTPUT - name: Generate trivy report 
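Review bot: The fallback test checks `"${VAR}"`, a variable that is never set, so the condition is always true and `EXTENSION` is always recomputed from `github.base_ref`, which is empty on `schedule` and `workflow_dispatch` runs; the test should read `if [ -z "${EXTENSION}" ]; then`. `github.ref` is also the full ref (`refs/heads/...`, or `refs/pull/N/merge` on a pull request), and the second `sed` substitutes only the first slash, so the derived name keeps a slash; `github.ref_name` with a `g` flag on that substitution gives a clean artifact suffix. Later patches in this series revise this step, so the point mainly applies if it were merged as-is.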
From cf121a24dc65837f39d92de860dade51f47113c1 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 25 Jun 2024 16:05:45 +0200 Subject: [PATCH 06/16] Revert "Revert "Assume backport to release 2.6"" This reverts commit f5105c58626fb692056904b4d67f8d2ca4b617ea. Signed-off-by: Tomasz Gromadzki --- .github/workflows/triviy.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/triviy.yml b/.github/workflows/triviy.yml index 716ee3dce43..d4b5695ea20 100644 --- a/.github/workflows/triviy.yml +++ b/.github/workflows/triviy.yml @@ -14,10 +14,6 @@ jobs: trivy-scan: name: Trivy scan runs-on: ubuntu-22.04 - strategy: - matrix: - branch: [master, release/2.6] - fail-fast: false steps: - name: Install trivy package @@ -32,7 +28,6 @@ jobs: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1 with: - ref: ${{ matrix.branch }} persist-credentials: false - name: Checkout latest trivy configuration @@ -57,7 +52,10 @@ jobs: - name: Generate trivy report file extension id: gen_extension run: | - EXTENSION=$(echo "${{ matrix.branch }}" | sed -e 's/release\///' -e's/\//_/' ) + EXTENSION=$(echo "${{ github.ref }}" | sed -e 's/release\///' -e's/\//_/' ) + if [ -z "${VAR}" ]; then + EXTENSION=$(echo "${{ github.base_ref }}" | sed -e 's/release\///' -e's/\//_/' ) + fi echo "EXTENSION=$EXTENSION" >> $GITHUB_OUTPUT - name: Generate trivy report From b7277dde45089668f5f4e5e76c0d9d908bbce6a6 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 25 Jun 2024 16:08:08 +0200 Subject: [PATCH 07/16] Solution that assumes backport to release 2.6 branch Skip-test: true Skip-unit-test: true Skip-func-test: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/triviy.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/triviy.yml b/.github/workflows/triviy.yml index d4b5695ea20..0c63c70478c 100644 --- a/.github/workflows/triviy.yml 
+++ b/.github/workflows/triviy.yml @@ -50,11 +50,12 @@ jobs: # generate trivy report only if no errors detected - name: Generate trivy report file extension + # github.base_ref-based for PR and github.ref_name-based for schedule/workflow_dispatch id: gen_extension run: | - EXTENSION=$(echo "${{ github.ref }}" | sed -e 's/release\///' -e's/\//_/' ) - if [ -z "${VAR}" ]; then - EXTENSION=$(echo "${{ github.base_ref }}" | sed -e 's/release\///' -e's/\//_/' ) + EXTENSION=$(echo "${{ github.base_ref }}" | sed -e 's/release\///' -e's/\//_/' ) + if [ -z "${EXTENSION}" ]; then + EXTENSION=$(echo "${{ github.ref_name }}" | sed -e 's/release\///' -e's/\//_/' ) fi echo "EXTENSION=$EXTENSION" >> $GITHUB_OUTPUT From dd69b947d0b7a04bef961c4764c2b23fd1624a6f Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 25 Jun 2024 18:36:13 +0200 Subject: [PATCH 08/16] Simplify file extension generation. Skip-test: true Skip-unit-test: true Skip-func-test: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/triviy.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/triviy.yml b/.github/workflows/triviy.yml index 0c63c70478c..98cb687689a 100644 --- a/.github/workflows/triviy.yml +++ b/.github/workflows/triviy.yml @@ -53,10 +53,8 @@ jobs: # github.base_ref-based for PR and github.ref_name-based for schedule/workflow_dispatch id: gen_extension run: | - EXTENSION=$(echo "${{ github.base_ref }}" | sed -e 's/release\///' -e's/\//_/' ) - if [ -z "${EXTENSION}" ]; then - EXTENSION=$(echo "${{ github.ref_name }}" | sed -e 's/release\///' -e's/\//_/' ) - fi + EXTENSION=$(echo "${{ github.base_ref || github.ref_name }}" \ + | sed -e 's/release\///' -e's/\//_/' ) echo "EXTENSION=$EXTENSION" >> $GITHUB_OUTPUT - name: Generate trivy report From e02ca0f195ef1ceeb65da6eeccd96292bab931f7 Mon Sep 17 00:00:00 2001 
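Review bot: The second `sed` expression `s/\//_/` has no `g` flag, so a ref that still contains more than one slash after the `release/` prefix is stripped keeps a slash in `EXTENSION`, and that value is later used in a file and artifact name; `-e 's/\//_/g'` handles the general case. The same expression is carried into the simplified form in PATCH 08. The refs admitted by the `pull_request` filter make this unlikely today, but `workflow_dispatch` runs take `github.ref_name` from whatever branch is selected.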
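Review bot: `${{ github.base_ref || github.ref_name }}` is expanded into the shell script text before it runs, so a branch name containing a quote or `$(` would alter the command; the usual hardening is to pass the value through the step's environment, `env:` / `REF: ${{ github.base_ref || github.ref_name }}`, and use `"$REF"` in the script. The `>> $GITHUB_OUTPUT` redirection target is also unquoted; `>> "$GITHUB_OUTPUT"` is the documented form. The `||` fallback itself reads well and matches the comment above the step.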
From: Tomasz Gromadzki Date: Fri, 26 Jul 2024 00:17:51 +0200 Subject: [PATCH 09/16] A new version based on GHA Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/triviy.yml | 82 ------------------------------------ .github/workflows/trivy.yml | 48 +++++++++++++++++++++ utils/trivy/.trivyignore | 8 ++++ utils/trivy/trivy.yaml | 12 ++---- 4 files changed, 60 insertions(+), 90 deletions(-) delete mode 100644 .github/workflows/triviy.yml create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/triviy.yml b/.github/workflows/triviy.yml deleted file mode 100644 index 98cb687689a..00000000000 --- a/.github/workflows/triviy.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -name: Trivy scan - -on: - workflow_dispatch: - schedule: - - cron: '46 8 * * 0' - pull_request: - branches: ["master", "release/**"] - -# Declare default permissions as nothing. -permissions: {} - -jobs: - trivy-scan: - name: Trivy scan - runs-on: ubuntu-22.04 - - steps: - - name: Install trivy package - run: | - sudo apt-get install wget apt-transport-https gnupg lsb-release - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - - echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | \ - sudo tee -a /etc/apt/sources.list.d/trivy.list - sudo apt-get update - sudo apt-get install trivy - - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1 - with: - persist-credentials: false - - - name: Checkout latest trivy configuration - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: grom72/trivy # 'grom72/trivy' to be changed to 'master' before the merge - path: trivy - persist-credentials: false - - - name: Update trivy configuration - run: | - cp -f -r ./trivy/utils/trivy ./utils - rm -rf ./trivy - - - name: Scan with trivy - run: | - trivy fs -c utils/trivy/trivy.yaml -f table --dependency-tree \ - --skip-files "src/client/java/hadoop-daos/pom.xml" \ - --show-suppressed --exit-code 1 . - - # generate trivy report only if no errors detected - - name: Generate trivy report file extension - # github.base_ref-based for PR and github.ref_name-based for schedule/workflow_dispatch - id: gen_extension - run: | - EXTENSION=$(echo "${{ github.base_ref || github.ref_name }}" \ - | sed -e 's/release\///' -e's/\//_/' ) - echo "EXTENSION=$EXTENSION" >> $GITHUB_OUTPUT - - - name: Generate trivy report - run: | - trivy fs -c utils/trivy/trivy.yaml \ - --skip-files "src/client/java/hadoop-daos/pom.xml" \ - --show-suppressed \ - --output trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt . 
- - - name: Print trivy report - run: cat trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt - - - name: Prepare the report to be uploaded to the GitHub artifact store - run: | - mkdir report - cp trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }}.txt report - cp utils/trivy/.trivyignore report/trivyignore.txt - - - name: Upload the report to the GitHub artifact store - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 - env: - EXTENSION: ${{ steps.gen_extension.outputs.EXTENSION }} - with: - path: report/* - name: trivy-report-daos.${{ steps.gen_extension.outputs.EXTENSION }} diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 00000000000..5d29ce8dd16 --- /dev/null +++ b/.github/workflows/trivy.yml 
@@ -0,0 +1,48 @@ +name: Trivy scan + +on: + pull_request: + branches: ["master", "release/**"] + +# Declare default permissions as nothing. +permissions: {} + +jobs: + build: + name: Build + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 + with: + scan-type: 'fs' + scan-ref: '.' + trivy-config: 'utils/trivy/trivy.yaml' + + - name: Prepare the report to be uploaded to the GitHub artifact store + run: | + mkdir report + cp trivy-report-daos.txt report + cp utils/trivy/.trivyignore report/trivyignore.txt + + - name: Upload the report to the GitHub artifact store + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + path: report/* + name: trivy-report-daos + + - name: Adjust config file to show and validate scan results + run: | + sed -i 's/output: "trivy-report-daos.txt"//g' utils/trivy/trivy.yaml + sed -i 's/format: template/format: table/g' utils/trivy/trivy.yaml + sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 + with: + scan-type: 'fs' + scan-ref: '.' + trivy-config: 'utils/trivy/trivy.yaml' diff --git a/utils/trivy/.trivyignore b/utils/trivy/.trivyignore index a1ac478ef02..c780a942514 100644 --- a/utils/trivy/.trivyignore +++ b/utils/trivy/.trivyignore 
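Review bot: The checkout step drops the `persist-credentials: false` that the replaced workflow set, so the job token is stored in `.git/config` for every later step, including the `sed -i` steps and the two third-party actions that do not need it; add `with:` / `persist-credentials: false` back. Rewriting `utils/trivy/trivy.yaml` in place with `sed` to switch `output`, `format` and `exit-code` ties the workflow to the exact byte layout of those lines; the action's own `format`, `output` and `exit-code` inputs look like the intended way to vary these per step, though whether they take precedence over `trivy-config` should be confirmed for this action version. The runner also moves from `ubuntu-22.04` to `ubuntu-20.04`, which the commit message does not explain.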
@@ -29,3 +29,11 @@ CVE-2023-43642 CVE-2023-34453 ## CVE-2023-34454,MEDIUM,7.5,"snappy-java: Integer overflow in compress leads to DoS","org.xerial.snappy:snappy-java","1.1.8.2","1.1.10.1",https://avd.aquasec.com/nvd/cve-2023-34454 CVE-2023-34454 +## CVE-2024-25638,HIGH,,"dnsjava: Improper response validation allowing DNSSEC bypass","dnsjava:dnsjava","2.1.7","3.6.0",https://avd.aquasec.com/nvd/cve-2024-25638 +CVE-2024-25638 + +## Ignore DNSJava-related issues +## GHSA-crjg-w57m-rqqf,MEDIUM,,"DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-crjg-w57m-rqqf +GHSA-crjg-w57m-rqqf +## GHSA-mmwx-rj87-vfgr,MEDIUM,,"DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-mmwx-rj87-vfgr +GHSA-mmwx-rj87-vfgr \ No newline at end of file diff --git a/utils/trivy/trivy.yaml b/utils/trivy/trivy.yaml index 22d3460d41d..293f7b1ba9f 100644 --- a/utils/trivy/trivy.yaml +++ b/utils/trivy/trivy.yaml @@ -14,14 +14,12 @@ db: download-only: false java-repository: ghcr.io/aquasecurity/trivy-java-db java-skip-update: false - light: false no-progress: false repository: ghcr.io/aquasecurity/trivy-db skip-update: false debug: false dependency-tree: true exit-code: 0 -format: template generate-default-config: false ignore-policy: "" ignorefile: ./utils/trivy/.trivyignore @@ -185,7 +183,6 @@ misconfiguration: values: [] include-non-failures: false check-bundle-repository: ghcr.io/aquasecurity/trivy-policies:0 - reset-checks-bundle: false # scanners: # - azure-arm # - cloudformation @@ -200,7 +197,9 @@ misconfiguration: module: dir: enable-modules: [] -output: "" +output: "trivy-report-daos.txt" +format: template +template: '@./utils/trivy/csv.tpl' output-plugin-arg: "" quiet: false registry: 
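Review bot: `CVE-2024-25638` is added under the `## Ignored hadoop related CVE` header even though it concerns `dnsjava`, while the new `## Ignore DNSJava-related issues` section starts one line later; moving the entry there keeps the grouping meaningful. Unlike the surrounding denial-of-service entries, its description is a DNSSEC validation bypass, so the exception deserves a one-line reason of its own rather than inheriting the hadoop rationale, and an expiry such as `CVE-2024-25638 exp:<YYYY-MM-DD>` since the `##` line already records a fixed version. The file also now ends without a trailing newline, as the `\ No newline at end of file` marker shows.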
@@ -214,12 +213,11 @@ rego: skip-policy-update: false trace: false report: all -reset: false scan: compliance: "" file-patterns: [] offline: false - parallel: 5 + parallel: 1 rekor-url: https://rekor.sigstore.dev sbom-sources: [] scanners: @@ -229,7 +227,6 @@ scan: skip-dirs: ./src/client/java/hadoop-daos skip-files: [] - slow: false show-suppressed: true secret: config: trivy-secret.yaml @@ -243,7 +240,6 @@ severity: - MEDIUM - HIGH - CRITICAL -template: '@./utils/trivy/csv.tpl' timeout: 5m0s version: false vulnerability: From 660b542a86cd7d31f5e21e0bca7f0cf8c5fa3107 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 30 Jul 2024 18:56:10 +0200 Subject: [PATCH 10/16] Add sarif format scan Skip all functional tests Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 5d29ce8dd16..c2056675036 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
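Review bot: The new `output: "trivy-report-daos.txt"`, together with `format: template` and `exit-code: 0`, is rewritten by `sed` from `.github/workflows/trivy.yml`, and those substitutions match the exact text of each line; a later reformat (single quotes, a trailing comment, a reorder) would silently leave the wrong mode in place. A comment next to these keys would make the contract visible, e.g. `# NOTE: .github/workflows/trivy.yml rewrites the output/format/exit-code lines with sed; keep each on one line in this exact form`. The drop of `parallel` from 5 to 1 is also not motivated in the commit message.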
@@ -34,9 +34,27 @@ jobs: path: report/* name: trivy-report-daos + - name: Adjust config file to use sarif format + run: | + sed -i 's/output: "trivy-report-daos.txt"/output: "trivy-results.sarif"/g' \ + utils/trivy/trivy.yaml + sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 + with: + scan-type: 'fs' + scan-ref: '.' + trivy-config: 'utils/trivy/trivy.yaml' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + - name: Adjust config file to show and validate scan results run: | - sed -i 's/output: "trivy-report-daos.txt"//g' utils/trivy/trivy.yaml + sed -i 's/output: "trivy-results.sarif"//g' utils/trivy/trivy.yaml sed -i 's/format: template/format: table/g' utils/trivy/trivy.yaml sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml From 5489392e45d5e76495da132e7a2676bd1f3bf5f1 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Tue, 30 Jul 2024 19:06:18 +0200 Subject: [PATCH 11/16] Fix typo Doc-only: true Required-githooks: true Signed-off-by: Tomasz Gromadzki --- .github/workflows/trivy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index c2056675036..d64fd2e3445 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
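Review bot: The workflow declares `permissions: {}` and the job grants nothing back, so the new `upload-sarif` step has no `security-events: write` and the upload to the Security tab will be rejected; the job needs `permissions:` / `security-events: write`, keeping everything else at none. On pull requests from forks the token is read-only regardless, so that step will still fail there unless it is skipped for forks. `github/codeql-action/upload-sarif@v2` is pinned to a moving tag while every other action in the file is pinned to a commit SHA; pin it the same way (PATCH 11 moves it to `@v3` but keeps the tag).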
@@ -48,14 +48,14 @@ jobs:
 trivy-config: 'utils/trivy/trivy.yaml'
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: 'trivy-results.sarif'
 - name: Adjust config file to show and validate scan results
 run: |
 sed -i 's/output: "trivy-results.sarif"//g' utils/trivy/trivy.yaml
- sed -i 's/format: template/format: table/g' utils/trivy/trivy.yaml
+ sed -i 's/format: sarif/format: table/g' utils/trivy/trivy.yaml
 sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml
 - name: Run Trivy vulnerability scanner in repo mode
From 666e3b9ca69c22e42db8773ebb018d50f1738374 Mon Sep 17 00:00:00 2001
From: Tomasz Gromadzki
Date: Tue, 30 Jul 2024 19:07:31 +0200
Subject: [PATCH 12/16] Test for sarif w/ failures
Doc-only: true
Required-githooks: true
Signed-off-by: Tomasz Gromadzki
---
 utils/trivy/.trivyignore | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/utils/trivy/.trivyignore b/utils/trivy/.trivyignore
index c780a942514..46b952991cf 100644
--- a/utils/trivy/.trivyignore
+++ b/utils/trivy/.trivyignore
@@ -34,6 +34,6 @@ CVE-2024-25638
 ## Ignore DNSJava-related issues
 ## GHSA-crjg-w57m-rqqf,MEDIUM,,"DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-crjg-w57m-rqqf
-GHSA-crjg-w57m-rqqf
+# GHSA-crjg-w57m-rqqf
 ## GHSA-mmwx-rj87-vfgr,MEDIUM,,"DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-mmwx-rj87-vfgr
-GHSA-mmwx-rj87-vfgr
\ No newline at end of file
+# GHSA-mmwx-rj87-vfgr
\ No newline at end of file
From bceb0ac455a28d4f1eb75ded14519e06e46a3264 Mon Sep 17 00:00:00 2001
From: Tomasz Gromadzki
Date: Tue, 30 Jul 2024 19:21:56 +0200
Subject: [PATCH 13/16] Backup Sarif file in the GitHub artifact store
Doc-only: true
Required-githooks: true
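Review bot: After this hunk the job has two steps that both read `- name: Run Trivy vulnerability scanner in repo mode` — the one that precedes the SARIF upload and the pre-existing one that follows the `Adjust config file to show and validate scan results` step, visible as the last context line here — so the job log and any `steps.<id>` reference cannot tell the report-producing run from the gating run. Renaming them to reflect their roles, for example `- name: Run Trivy scanner (SARIF report)` and `- name: Run Trivy scanner (validate, fail on findings)`, makes a red run self-explanatory without opening the log. The pattern mismatch this commit corrects (`format: template` was already rewritten to `format: sarif` by the earlier step) is worth a comment above the sed block stating which value each sed expects to find, since nothing else documents that ordering.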
Signed-off-by: Tomasz Gromadzki
---
 .github/workflows/trivy.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index d64fd2e3445..67ba6985200 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -52,6 +52,12 @@ jobs:
 with:
 sarif_file: 'trivy-results.sarif'
+ - name: Upload the Sarif report to the GitHub artifact store
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ with:
+ path: trivy-results.sarif
+ name: trivy-results.sarif
+
 - name: Adjust config file to show and validate scan results
 run: |
 sed -i 's/output: "trivy-results.sarif"//g' utils/trivy/trivy.yaml
From 0744af2739c77402da60b16f6986d6418252b50c Mon Sep 17 00:00:00 2001
From: Tomasz Gromadzki
Date: Wed, 31 Jul 2024 08:34:03 +0200
Subject: [PATCH 14/16] Revert "Backup Sarif file in the GitHub artifact store"
Doc-only: true
This reverts commit bceb0ac455a28d4f1eb75ded14519e06e46a3264.
Required-githooks: true
Signed-off-by: Tomasz Gromadzki
---
 .github/workflows/trivy.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 67ba6985200..d64fd2e3445 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -52,12 +52,6 @@ jobs:
 with:
 sarif_file: 'trivy-results.sarif'
- - name: Upload the Sarif report to the GitHub artifact store
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
- with:
- path: trivy-results.sarif
- name: trivy-results.sarif
-
 - name: Adjust config file to show and validate scan results
 run: |
 sed -i 's/output: "trivy-results.sarif"//g' utils/trivy/trivy.yaml
From 3036508962bf50c3190211eb5e978124c5466bc6 Mon Sep 17 00:00:00 2001
From: Tomasz Gromadzki
Date: Wed, 31 Jul 2024 08:36:59 +0200
Subject: [PATCH 15/16] Revert "Test for sarif w/ failures"
This reverts commit 666e3b9ca69c22e42db8773ebb018d50f1738374.
Doc-only: true
Signed-off-by: Tomasz Gromadzki
---
 utils/trivy/.trivyignore | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/utils/trivy/.trivyignore b/utils/trivy/.trivyignore
index 46b952991cf..c780a942514 100644
--- a/utils/trivy/.trivyignore
+++ b/utils/trivy/.trivyignore
@@ -34,6 +34,6 @@ CVE-2024-25638
 ## Ignore DNSJava-related issues
 ## GHSA-crjg-w57m-rqqf,MEDIUM,,"DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-crjg-w57m-rqqf
-# GHSA-crjg-w57m-rqqf
+GHSA-crjg-w57m-rqqf
 ## GHSA-mmwx-rj87-vfgr,MEDIUM,,"DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources","dnsjava:dnsjava","2.1.7","3.6.0",https://github.com/advisories/GHSA-mmwx-rj87-vfgr
-# GHSA-mmwx-rj87-vfgr
\ No newline at end of file
+GHSA-mmwx-rj87-vfgr
\ No newline at end of file
From 857a1d417dd111b2382867fc0ab9765a3862b915 Mon Sep 17 00:00:00 2001
From: Tomasz Gromadzki
Date: Wed, 31 Jul 2024 08:44:09 +0200
Subject: [PATCH 16/16] Pin upload-sarif action by hash
Required-githooks: true
Doc-only: true
Signed-off-by: Tomasz Gromadzki
---
 .github/workflows/trivy.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index d64fd2e3445..a9eec6447fd 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -48,7 +48,8 @@ jobs:
 trivy-config: 'utils/trivy/trivy.yaml'
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
+ # 3.25.15 (v3)
 with:
 sarif_file: 'trivy-results.sarif'
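Review bot: The version comment added in the last hunk, `# 3.25.15 (v3)`, is placed on its own line below the `uses:` entry, whereas the other SHA-pinned actions in this workflow (for example `# 0.24.0` on the `aquasecurity/trivy-action` line) carry the version as a trailing comment on the same line. Dependabot and Renovate use that trailing comment to keep the pinned SHA and the human-readable version in step; a comment on a separate line is not expected to be maintained by them, so the two will drift on the next bump. Folding it into the `uses:` line, `uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15`, keeps the file consistent and lets the update tooling verify the pin.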