
[#7542] introduce trivy repo scanner

Open JonasCir opened this issue 3 years ago • 4 comments

Fixes #7542

This introduces the trivy security scanner, which we let operate in its repo/filesystem scan mode. It scans everything in the repo, from the poms up to the shipped jars we include as server dependencies.

I have to say I'm quite impressed by this tool.


We can skip this until keycloak and payara are updated.

JonasCir avatar Dec 22 '21 12:12 JonasCir

Nice! If I get this right, it doesn't prevent PRs from being merged, it just raises a red flag in the PR and in the security section, right?

MartinWahnschaffe avatar Jan 07 '22 07:01 MartinWahnschaffe

Correct. As you can see in the box, the corresponding CI job will fail, and it will report findings to the security tab (if run on development).

JonasCir avatar Jan 07 '22 08:01 JonasCir
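To make the behaviour discussed above concrete (a filesystem-mode trivy scan that fails the CI job on findings and uploads them to the repository's Security tab when run on the development branch), here is an added example workflow. It is not the workflow from this PR; the action versions, job name and SARIF file name are assumptions.

```yaml
# Added example workflow, not the PR's own CI configuration.
# Action versions and file names below are assumptions.
name: trivy-repo-scan

on:
  pull_request:
  push:
    branches: [development]

jobs:
  trivy-fs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to the Security tab
    steps:
      - uses: actions/checkout@v3

      # Filesystem mode walks the whole checkout: Maven poms, lock files,
      # and any jars committed to the repo as server dependencies.
      - name: Run trivy in filesystem scan mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # skip findings that have no fixed version yet
          exit-code: '1'         # fail the job, which red-flags the PR

      # always() keeps this step running after the scan step failed; the ref
      # check limits Security-tab uploads to the development branch.
      - name: Upload findings to the Security tab
        if: always() && github.ref == 'refs/heads/development'
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
```

On pull requests the job still fails on CRITICAL/HIGH findings, but nothing is uploaded, matching the "only on development" behaviour described in the thread.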

@StefanKock I'd like to merge this. The alerts that are shown for this PR will go into the security alerts section and should be fixed with one of the next versions. The critical ones are not really critical, because they are about spring-context. From my understanding this is only used for the expressions within the campaigns feature, which are defined in the database. Thoughts?

MartinWahnschaffe avatar Jun 30 '22 09:06 MartinWahnschaffe

I'm against merging something where the epic and ticket were not discussed/refined first.

StefanKock avatar Jun 30 '22 09:06 StefanKock