
adding high/critical severity vuln checks

Open ssmirr opened this issue 1 year ago • 2 comments

This pull request updates the Dockerfile to check dependencies of this source code, and fail to build if high/critical severity vulnerabilities are detected.

Currently this one is detected:

8.938 go.mod (gomod)
8.938 ==============
8.938 Total: 1 (UNKNOWN: 0, HIGH: 1, CRITICAL: 0)
8.938 
8.938 ┌────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬───────────────────────────────────────────────────┐
8.938 │        Library         │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version      │                       Title                       │
8.938 ├────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼───────────────────────────────────────────────────┤
8.938 │ google.golang.org/grpc │ GHSA-m425-mq94-257g │ HIGH     │ fixed  │ 1.29.0            │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability          │
8.938 │                        │                     │          │        │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g │
8.938 └────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴───────────────────────────────────────────────────┘
------

This is done with the help of Trivy, an open source scanning tool from Aquasec. Trivy is RedHat certified, and is being used as the default container scanner on GitLab (according to this link)

ssmirr · Mar 28 '24 18:03

Codecov Report

All modified and coverable lines are covered by tests.

Project coverage is 68.78%. Comparing base (7300295) to head (e57946a). Report is 3 commits behind head on main.

Current head e57946a differs from pull request most recent head 727fa66. Consider uploading reports for the commit 727fa66 to get more accurate results.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #123      +/-   ##
==========================================
+ Coverage   68.71%   68.78%   +0.06%     
==========================================
  Files          47       47              
  Lines        4482     4482              
==========================================
+ Hits         3080     3083       +3     
+ Misses       1207     1206       -1     
+ Partials      195      193       -2     


codecov-commenter · Mar 28 '24 19:03

Strange... make passes just fine locally

nguyer · Mar 28 '24 19:03

Changes in https://github.com/hyperledger/firefly-fabconnect/pull/123/commits/7de4ef4fd912d42efc607309ae9cc48e9b17a51f make trivy ignore this specific CVE, as requested in https://github.com/hyperledger/firefly-fabconnect/pull/123#discussion_r1543748524

ssmirr · May 13 '24 17:05
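As an added example (not the Dockerfile from this PR), this is the shape of what the description and the last comment refer to: a multi-stage build with a Trivy scan stage that fails the image build on HIGH/CRITICAL findings in go.mod, plus a `.trivyignore` allowlist for a reviewed exception such as the gRPC advisory above. The base image tags, the main-package path and the existence of a `.trivyignore` file in the repo are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the PR's own Dockerfile. Image tags and paths are assumptions.

# --- build stage (Go image tag and main-package path are assumed) ---
FROM golang:1.21 AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /out/fabconnect ./cmd/fabconnect

# --- scan stage: fail the build on HIGH/CRITICAL findings in go.mod ---
# Pin the Trivy tag in real use; "latest" is used here only to keep the example short.
FROM aquasec/trivy:latest AS scanner
WORKDIR /src
COPY --from=builder /src/go.mod /src/go.sum ./
# Optional allowlist that Trivy reads from the scan root: one advisory ID per line,
# e.g. "GHSA-m425-mq94-257g" (the gRPC finding in the PR description); '#' starts a comment.
# An ignore entry silences the finding, it does not fix it, so keep the file reviewed.
COPY .trivyignore ./
# --exit-code 1 makes any remaining HIGH/CRITICAL result fail this RUN step and so the build.
# "touch /scan-ok" produces an artifact the final stage copies, so BuildKit cannot skip
# this stage as unused and silently drop the scan.
RUN trivy fs --scanners vuln --severity HIGH,CRITICAL --exit-code 1 --no-progress . \
    && touch /scan-ok

# --- runtime stage ---
FROM gcr.io/distroless/static:nonroot
COPY --from=scanner /scan-ok /scan-ok
COPY --from=builder /out/fabconnect /fabconnect
ENTRYPOINT ["/fabconnect"]
```

The `COPY .trivyignore ./` line fails the build if no allowlist file exists, so drop it when there is nothing to ignore; the `/scan-ok` copy is what guarantees the scan stage actually runs under BuildKit.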