Add vulnerability detection Github Action to scan built docker images #168

Closed
nigelgbanks opened this issue Dec 13, 2021 · 5 comments
@nigelgbanks (Contributor)

@g7morris used Syft and Grype to scan the images for vulnerabilities in response to the log4j issue. Look into how to integrate these tools so checks are performed:

  • For every push if it is a cheap operation.
  • For every release.
  • Perhaps also weekly, just in case new vulnerabilities are discovered, as the repository doesn't change that often at this point.
@nigelgbanks nigelgbanks added enhancement New feature or request security labels Dec 13, 2021
@nigelgbanks nigelgbanks self-assigned this Dec 13, 2021
@nigelgbanks (Contributor, Author)

Initial thought: I can integrate it with the Gradle plugin so that it can be run both locally and with GitHub Actions.

Reference for GitHub Actions: https://github.com/marketplace/actions/anchore-container-scan

@g7morris (Contributor)

@nigelgbanks Anything I can do here to help move this along?

@nigelgbanks (Contributor, Author)

#183 should cover it. It generates reports that one can download on the build page, for example https://github.com/Islandora-Devops/isle-buildkit/actions/runs/2030133280. The link to the Grype reports: https://github.com/Islandora-Devops/isle-buildkit/suites/5774283956/artifacts/192302600

They are markdown files like the following:

NAME               INSTALLED     FIXED-IN   VULNERABILITY        SEVERITY 
commons-io         2.6                      CVE-2021-29425       Medium    
commons-io         2.6           2.7        GHSA-gwrp-pvrq-jmwv  Medium    
flock              2.37.4-r0                CVE-2010-3262        Medium    
guava              25.1-android             CVE-2020-8908        Low       
guava              25.1-android             GHSA-5mg8-w23w-74h3  Low       
jsoup              1.12.1        1.14.2     GHSA-m72m-mhq2-9p6c  High      
jsoup              1.12.1                   CVE-2021-37714       High      
libcrypto1.1       1.1.1l-r7     1.1.1n-r0  CVE-2022-0778        High      
libldap            2.6.0-r0                 CVE-2015-3276        Medium    
libretls           3.3.4-r2      3.3.4-r3   CVE-2022-0778        High      
libssl1.1          1.1.1l-r7     1.1.1n-r0  CVE-2022-0778        High      
postgresql-common  1.0-r0                   CVE-2019-3466        High      
tomcat-jdbc        9.0.58                   CVE-2016-6325        High      
tomcat-jdbc        9.0.58                   CVE-2016-5425        High      

@nigelgbanks (Contributor, Author)

Though there isn't a weekly setup or notification system at this point. The pull request was just the first pass in generating the reports on every push so that a pull request reviewer could use that information to see if some new vulnerability has been added. Further automation can be handled post release.
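
The gating that the comment above leaves as "further automation" can be done on the same table reports the pull request already produces. The following is an added example, not code from isle-buildkit or its pull request, of a POSIX shell gate that reads a Grype table report like the one shown earlier in this thread and fails the job when any vulnerability at or above a chosen severity already has a fix available (a populated FIXED-IN cell), which is the subset a reviewer can actually act on. It assumes the report is the output of `grype <image> -o table` with the column layout shown in the comment; the file name `grype-report.txt`, the function names, and the threshold `High` are this example's own choices. The embedded sample report is a constructed copy of the rows posted above.

```shell
#!/bin/sh
# Gate a Grype table report: succeed quietly when nothing actionable is found,
# print the offending rows and return non-zero otherwise.
# Added example for the discussion above; not part of isle-buildkit.
# Assumption: the report is `grype <image> -o table` output whose header row
# contains the column names FIXED-IN and VULNERABILITY and ends with SEVERITY.

# severity_rank NAME -> numeric rank; Negligible/Unknown/anything else rank 0.
severity_rank() {
    case "$1" in
        Critical) echo 4 ;;
        High)     echo 3 ;;
        Medium)   echo 2 ;;
        Low)      echo 1 ;;
        *)        echo 0 ;;
    esac
}

# fixable_at_or_above REPORT THRESHOLD
# Prints one line per row that has a FIXED-IN value and a severity at or above
# THRESHOLD, as "NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY".
# Returns 0 when at least one row matched, 1 when none did.
fixable_at_or_above() {
    report="$1"
    min=$(severity_rank "$2")
    awk -v min="$min" '
        function rank(s) {
            return s == "Critical" ? 4 : s == "High" ? 3 : s == "Medium" ? 2 : s == "Low" ? 1 : 0
        }
        NR == 1 {
            # Take column offsets from the header: FIXED-IN is often empty, so
            # splitting on whitespace would shift the remaining fields.
            fpos = index($0, "FIXED-IN"); vpos = index($0, "VULNERABILITY"); next
        }
        NF == 0 { next }
        {
            fixed = substr($0, fpos, vpos - fpos); gsub(/[ \t]+/, "", fixed)
            sev = $NF                       # SEVERITY is always the last column
            if (fixed != "" && rank(sev) >= min) {
                hits++
                print $1, $2, fixed, $(NF - 1), sev
            }
        }
        END { exit hits ? 0 : 1 }
    ' "$report"
}

# gate_report REPORT THRESHOLD: the CI step. Returns 1 (job goes red) and lists
# the rows on stderr when something fixable is present, 0 otherwise.
gate_report() {
    if rows=$(fixable_at_or_above "$1" "$2"); then
        printf 'Fixable vulnerabilities at or above %s:\n%s\n' "$2" "$rows" >&2
        return 1
    fi
    return 0
}

# sample_report: constructed copy of the table posted in this thread, used so
# the gate can be exercised offline. Real reports come from grype itself.
sample_report() {
    cat <<'EOF'
NAME               INSTALLED     FIXED-IN   VULNERABILITY        SEVERITY
commons-io         2.6                      CVE-2021-29425       Medium
commons-io         2.6           2.7        GHSA-gwrp-pvrq-jmwv  Medium
flock              2.37.4-r0                CVE-2010-3262        Medium
guava              25.1-android             CVE-2020-8908        Low
guava              25.1-android             GHSA-5mg8-w23w-74h3  Low
jsoup              1.12.1        1.14.2     GHSA-m72m-mhq2-9p6c  High
jsoup              1.12.1                   CVE-2021-37714       High
libcrypto1.1       1.1.1l-r7     1.1.1n-r0  CVE-2022-0778        High
libldap            2.6.0-r0                 CVE-2015-3276        Medium
libretls           3.3.4-r2      3.3.4-r3   CVE-2022-0778        High
libssl1.1          1.1.1l-r7     1.1.1n-r0  CVE-2022-0778        High
postgresql-common  1.0-r0                   CVE-2019-3466        High
tomcat-jdbc        9.0.58                   CVE-2016-6325        High
tomcat-jdbc        9.0.58                   CVE-2016-5425        High
EOF
}

# Usage in a workflow step, after the image has been built (file name assumed):
#   grype "$IMAGE" -o table > grype-report.txt
#   . ./grype-gate.sh && gate_report grype-report.txt High
```

On the table above, `gate_report ... High` fails on the four High rows that carry a FIXED-IN value (jsoup, libcrypto1.1, libretls, libssl1.1) and ignores the High rows with no fix yet, so the job only goes red for something the pull request author can resolve by bumping a package. The same step can run under each of the triggers listed in the first comment, including a weekly `on: schedule` cron run, so a CVE published against an unchanged image still surfaces without a push.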

@nigelgbanks (Contributor, Author)

Pull request is merged, any further improvements can be raised as new tickets.
