From 68ed601199195e276ca85fa5fa80ffd441912911 Mon Sep 17 00:00:00 2001
From: Gabriel Omar Cotelli
Date: Thu, 18 Apr 2024 17:23:02 -0300
Subject: [PATCH] Update Pharo VM Improve vulnerability scan Fixes #12
---
 .github/workflows/scheduled-security-scan.yml | 32 +++++++++++++++++++
 .github/workflows/trivy.yml | 7 ----
 LICENSE | 2 +-
 docs/README.md | 4 +--
 source/Dockerfile | 2 +-
 5 files changed, 36 insertions(+), 11 deletions(-)
 create mode 100644 .github/workflows/scheduled-security-scan.yml
diff --git a/.github/workflows/scheduled-security-scan.yml b/.github/workflows/scheduled-security-scan.yml
new file mode 100644
index 0000000..1778173
--- /dev/null
+++ b/.github/workflows/scheduled-security-scan.yml
@@ -0,0 +1,32 @@
+name: Scheduled vulnerabiltiy scanning
+
+on:
+  schedule:
+    - cron: '35 6 * * 2'
+  workflow_dispatch:
+
+jobs:
+  vulnerability-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    name: Scheduled scan for vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'ghcr.io/ba-st/pharo-vm:latest'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+          ignore-unfixed: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 639e616..8d71007 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,5 +1,4 @@
 name: Trivy vulnerability scan
-
 on:
   push:
     branches:
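Review bot: `uses: aquasecurity/trivy-action@master` in the "Run Trivy vulnerability scanner" step resolves to whatever the upstream default branch holds at each scheduled run, so the scanner whose SARIF this job uploads with `security-events: write` is not a fixed artifact and can change without any change in this repository; pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<pinned-commit-sha> # <release-tag>`. The `@v4`/`@v3` major tags on checkout and upload-sarif are movable too, though maintained by GitHub, so the same pinning is worth applying consistently. The workflow `name:` misspells "vulnerabiltiy". A comment above `severity:` such as `# only fixable CRITICAL/HIGH findings are reported; ignore-unfixed drops the rest` would make the filtering visible to whoever reads an empty Security tab.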
@@ -8,13 +7,7 @@ on:
     # The branches below must be a subset of the branches above
     branches:
       - release-candidate
-  schedule:
-    - cron: '35 6 * * 2'
   workflow_dispatch:
-
-permissions:
-  contents: read
-
 jobs:
   vulnerability-scan:
     permissions:
diff --git a/LICENSE b/LICENSE
index 5b8779b..3ca16a3 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022-2023 Buenos Aires Smalltalk
+Copyright (c) 2022-2024 Buenos Aires Smalltalk
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/docs/README.md b/docs/README.md
index d14a2e2..1ae35da 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,7 +1,7 @@
 # Docker image for Pharo VM Documentation
 
-Docker image for running a headless [Pharo VM](https://github.com/pharo-project/opensmalltalk-vm)
-on top of Debian 11.
+Docker image for running a headless [Pharo VM](https://github.com/pharo-project/pharo-vm)
+on top of Debian 12 slim.
 
 ---
diff --git a/source/Dockerfile b/source/Dockerfile
index 7360d22..5dec8e8 100644
--- a/source/Dockerfile
+++ b/source/Dockerfile
@@ -2,7 +2,7 @@ FROM alpine:3.12 as download-vm
 RUN apk add unzip
 WORKDIR /tmp/pharo-vm
-ADD https://files.pharo.org/vm/pharo-spur64-headless/Linux-x86_64/PharoVM-10.0.8-b323c5f-Linux-x86_64-bin.zip ./PharoVM.zip
+ADD https://files.pharo.org/vm/pharo-spur64-headless/Linux-x86_64/PharoVM-10.1.0-a290a40-Linux-x86_64-bin.zip ./PharoVM.zip
 RUN set -eu; \
     unzip PharoVM.zip; \
     rm PharoVM.zip; \
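Review bot: Removing the workflow-level `permissions:` block (`contents: read`) in this hunk means any job in trivy.yml that does not declare its own `permissions:` falls back to the repository's default GITHUB_TOKEN scope, which can be read/write depending on repository settings; the `vulnerability-scan` job's `permissions:` key is the hunk's last line and its entries, plus any other jobs, are outside it, so full coverage cannot be confirmed here. Keeping `permissions:` / `  contents: read` at the top level as the baseline, with the job block adding `security-events: write`, costs nothing and keeps jobs added later least-privileged by default. The removed `schedule:` trigger is re-created in the new scheduled-security-scan.yml, so that part of the hunk is just a move.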