Trivy is a cutting-edge security tool designed to enhance

the safety of containerized applications by conducting thorough vulnerability assessments. Specifically developed for scanning container images, ranging from low-severity issues to critical threats. It employs an intelligent rating system to categorize vulnerabilities based on their severity levels, ensuring that high to critical vulnerabilities are given special attention. Upon detecting vulnerabilities that fall within this elevated range, Trivy will throw an error. By integrating Trivy into our deployment pipeline, we can proactively mitigate security risks and enhance the resilience of our repository. Fixes hyperledger#1876 Depends On: hyperledger#2865 Depends On: hyperledger#2864 Depends On: hyperledger#2863 Depends On: hyperledger#2862 Signed-off-by: zondervancalvez <[email protected]>
zondervancalvez · Nov 10, 2023 · 606d9a5 · 606d9a5
1 parent c0c48c7
commit 606d9a5
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 130 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1774,16 +1774,7 @@ jobs:
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-besu-all-in-one
-        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile -t cactus-besu-all-in-one
-      - name: Run Trivy vulnerability scan for cactus-besu-all-in-one
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-besu-all-in-one'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile
   ghcr-cmd-api-server:
     runs-on: ubuntu-20.04
     steps:
@@ -1805,7 +1796,7 @@ jobs:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-connector-besu
         run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-connector-besu
-      - name: Run Trivy vulnerability scan for cactus-connector-besu
+      - name: Run Trivy vulnerability scan for cactus-connector-plugin-ledger-besu
         uses: aquasecurity/[email protected]
         with:
           image-ref: 'cactus-connector-besu'
@@ -1820,7 +1811,7 @@ jobs:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-connector-corda-server
         run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-corda/src/main-server/ -f ./packages/cactus-plugin-ledger-connector-corda/src/main-server/Dockerfile -t cactus-connector-corda-server
-      - name: Run Trivy vulnerability scan for cactus-connector-corda-server
+      - name: Run Trivy vulnerability scan for plugin-ledger-connector-corda
         uses: aquasecurity/[email protected]
         with:
           image-ref: 'cactus-connector-corda-server'
@@ -1835,7 +1826,7 @@ jobs:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-connector-fabric
         run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-fabric/ -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile -t cactus-connector-fabric
-      - name: Run Trivy vulnerability scan for cactus-connector-fabric
+      - name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-fabric
         uses: aquasecurity/[email protected]
         with:
           image-ref: 'cactus-connector-fabric'
@@ -1844,6 +1835,36 @@ jobs:
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
+  scan-cactus-connector-quorum:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/[email protected]
+      - name: Build an image from Dockerfile
+        run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-quorum/ -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t cactus-connector-quorum
+      - name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-quorum
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'cactus-connector-quorum'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+  scan-cactus-connector-iroha:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/[email protected]
+      - name: Build an image from Dockerfile
+        run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-iroha/ -f ./packages/cactus-plugin-ledger-connector-iroha/Dockerfile -t cactus-connector-iroha
+      - name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-iroha
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'cactus-connector-iroha'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
   ghcr-corda-all-in-one:
     runs-on: ubuntu-20.04
     steps:
@@ -1870,16 +1891,7 @@ jobs:
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-corda-all-in-one-obligation
-        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-all-in-one-obligation
-      - name: Run Trivy vulnerability scan for cactus-corda-all-in-one-obligation
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-corda-all-in-one-obligation'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile 
   ghcr-dev-container-vscode:
     runs-on: ubuntu-20.04
     env:
@@ -1899,83 +1911,38 @@ jobs:
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-example-carbon-accounting
-        run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
-      - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-example-carbon-accounting'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile
   ghcr-example-supply-chain-app:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-example-supply-chain-app
-        run: DOCKER_BUILDKIT=1 docker build . -f ./examples/supply-chain-app/Dockerfile -t cactus-example-supply-chain-app
-      - name: Run Trivy vulnerability scan for cactus-example-supply-chain-app
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-example-supply-chain-app'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build . -f ./examples/supply-chain-app/Dockerfile
   ghcr-fabric-all-in-one:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-fabric-all-in-one
-        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x -t cactus-fabric-all-in-one
-      - name: Run Trivy vulnerability scan for cactus-fabric-all-in-one
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-fabric-all-in-one'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v1.4.x
   ghcr-fabric2-all-in-one:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-fabric2-all-in-one
-        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x -t cactus-fabric2-all-in-one
-      - name: Run Trivy vulnerability scan for cactus-fabric2-all-in-one
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-fabric2-all-in-one'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/fabric-all-in-one/ -f ./tools/docker/fabric-all-in-one/Dockerfile_v2.x 
   ghcr-iroha-all-in-one:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-iroha-all-in-one
-        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile -t cactus-iroha-all-in-one
-      - name: Run Trivy vulnerability scan for cactus-iroha-all-in-one
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-iroha-all-in-one'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/iroha-all-in-one/ -f ./tools/docker/iroha-all-in-one/Dockerfile
   ghcr-keychain-vault-server:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-keychain-vault-server
         run: DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/ -f ./packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile -t cactus-keychain-vault-server
-      - name: Run Trivy vulnerability scan for cactus-keychain-vault-server
+      - name: Run Trivy vulnerability scan for cactus-plugin-keychain-vault-server
         uses: aquasecurity/[email protected]
         with:
           image-ref: 'cactus-keychain-vault-server'
@@ -1989,76 +1956,31 @@ jobs:
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-quorum-all-in-one
-        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile -t cactus-quorum-all-in-one
-      - name: Run Trivy vulnerability scan for cactus-quorum-all-in-one
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-quorum-all-in-one'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-all-in-one/ -f ./tools/docker/quorum-all-in-one/Dockerfile
   ghcr-quorum-multi-party-all-in-one:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-quorum-multi-party-all-in-one
-        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile -t cactus-quorum-multi-party-all-in-one
-      - name: Run Trivy vulnerability scan for cactus-quorum-multi-party-all-in-one
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-quorum-multi-party-all-in-one'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/quorum-multi-party-all-in-one/ -f ./tools/docker/quorum-multi-party-all-in-one/Dockerfile
   ghcr-rust-compiler:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-rust-compiler
-        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/rust-compiler/ -f ./tools/docker/rust-compiler/Dockerfile -t cactus-rust-compiler
-      - name: Run Trivy vulnerability scan for cactus-rust-compiler
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-rust-compiler'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/rust-compiler/ -f ./tools/docker/rust-compiler/Dockerfile
   ghcr-test-npm-registry:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-test-npm-registry
-        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/test-npm-registry/ -f ./tools/docker/test-npm-registry/Dockerfile -t cactus-test-npm-registry
-      - name: Run Trivy vulnerability scan for cactus-test-npm-registry
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-test-npm-registry'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/test-npm-registry/ -f ./tools/docker/test-npm-registry/Dockerfile
   ghcr-whitepaper:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/[email protected]
       - name: ghcr.io/hyperledger/cactus-whitepaper
-        run: DOCKER_BUILDKIT=1 docker build ./whitepaper/ -f ./whitepaper/Dockerfile -t cactus-whitepaper
-      - name: Run Trivy vulnerability scan for cactus-whitepaper
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: 'cactus-whitepaper'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+        run: DOCKER_BUILDKIT=1 docker build ./whitepaper/ -f ./whitepaper/Dockerfile 
 name: Cactus_CI
 'on':
   pull_request:

diff --git a/weaver/core/network/fabric-interop-cc/contracts/interop/go.mod b/weaver/core/network/fabric-interop-cc/contracts/interop/go.mod
@@ -41,8 +41,8 @@ require (
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
-	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
-	google.golang.org/grpc v1.54.0 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
+	google.golang.org/grpc v1.56.3 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/weaver/core/network/fabric-interop-cc/contracts/interop/go.sum b/weaver/core/network/fabric-interop-cc/contracts/interop/go.sum
@@ -148,10 +148,10 @@ golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20190624180213-70d37148ca0c/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag=
-google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
+google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc=
+google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=