Merge pull request #123 from kaleido-io/vuln-check

peterbroadhurst · web-flow · commit 65de030a9042 · 2024-05-13T17:56:56.000-04:00
adding high/critical severity vuln checks
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,3 @@
+# not relevant to the way grpc is used in fabconnect
+# see https://github.com/hyperledger/firefly-fabconnect/pull/123#discussion_r1543748524
+GHSA-m425-mq94-257g
diff --git a/Dockerfile b/Dockerfile
@@ -7,10 +7,19 @@ RUN mkdir /.cache \
     && chmod -R g+rwX /.cache
 RUN make
 
+FROM alpine:3.19 AS SBOM
+WORKDIR /
+COPY . /SBOM
+RUN apk add --no-cache curl
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.3
+RUN trivy fs --format spdx-json --output /sbom.spdx.json /SBOM
+RUN trivy sbom /sbom.spdx.json --severity UNKNOWN,HIGH,CRITICAL --exit-code 1 --ignorefile /SBOM/.trivyignore
+
 FROM alpine:3.19
 RUN apk add curl
 WORKDIR /fabconnect
 COPY --from=fabconnect-builder /fabconnect/fabconnect ./
 ADD ./openapi ./openapi/
 RUN ln -s /fabconnect/fabconnect /usr/bin/fabconnect
+COPY --from=SBOM /sbom.spdx.json /sbom.spdx.json
 ENTRYPOINT [ "fabconnect" ]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# not relevant to the way grpc is used in fabconnect`
	`2`	`+# see https://github.com/hyperledger/firefly-fabconnect/pull/123#discussion_r1543748524`
	`3`	`+GHSA-m425-mq94-257g`