carbon accounting trivy scan

.github/workflows/azure-container-scan.yaml

@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+
+jobs:
+ build-secure-and-push:
+    name: Scan cactus-example-carbon-accounting image
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2.4.0
+      env:
+          # (Required) The token to use to make API calls to GitHub.
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+    - uses: actions/checkout@v1
+    - name: Login to DockerHub Registry
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+    - name: Build Images from Dockerfile
+      run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting
+
+    - uses: Azure/container-scan@v0.1
+      name: Scan image for vulnerabilities
+      id: container-scan
+      continue-on-error: true
+      with:
+       image-name: cactus-example-carbon-accounting

.github/workflows/ci.yaml

@@ -16,6 +16,16 @@ jobs:
       - name: Get the output response
         run: echo "${{ steps.lint-git-repo.outputs.lint-git-repo-response }}"
 
+  check_trivy_condition:
+    name: Check Trivy Condition
+    runs-on: ubuntu-20.04
+    outputs:
+      run_trivy_scan: ${{ steps.set_condition_trivy_scan.outputs.run_trivy_scan }}
+    steps:
+      - name: Set Trivy Condition for cactus-example-carbon-accounting
+        id: set_condition_trivy_scan
+        run: echo "::set-output name=run_trivy_scan::true"  # Set your condition for cactus-example-carbon-accounting here
+
   compute_changed_packages:
     outputs:
       cmd-api-server-changed: ${{ steps.changes.outputs.cmd-api-server-changed }}
@@ -684,6 +694,7 @@ jobs:
       JEST_TEST_PATTERN: packages/cactus-plugin-consortium-manual/src/test/typescript/(unit|integration|benchmark)/.*/*.test.ts
       JEST_TEST_RUNNER_DISABLED: false
       TAPE_TEST_RUNNER_DISABLED: true
+      JEST_CODE_COVERAGE_FOLDER: ./code-coverage-ts/cactus-plugin-consortium-manual
     needs: build-dev
     runs-on: ubuntu-20.04
     steps:
@@ -2053,6 +2064,9 @@ jobs:
       - run: ./tools/ci.sh
   ghcr-besu-all-in-one:
     runs-on: ubuntu-20.04
+    needs:
+      - check_trivy_condition
+    if: needs.check_trivy_condition.outputs.run_trivy_scan == 'true'
     steps:
       - uses: actions/checkout@v3.5.2
       - name: ghcr.io/hyperledger/cactus-besu-all-in-one
@@ -2070,7 +2084,8 @@ jobs:
     runs-on: ubuntu-20.04
     needs:
       - compute_changed_packages
-    if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true'
+      - check_trivy_condition
+    if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true' || needs.check_trivy_condition.outputs.run_trivy_scan == 'true'
     steps:
       - uses: actions/checkout@v3.5.2
       - name: ghcr.io/hyperledger/cactus-cmd-api-server

.github/workflows/trivy-container-scan.yaml

@@ -0,0 +1,64 @@
+name: trivy-container-image-scan
+
+on:
+  push:
+  pull_request:
+    branches:
+      - main
+    tags:
+      - v*
+
+jobs:
+
+  check_trivy_condition:
+    name: Check Trivy Condition
+    runs-on: ubuntu-20.04
+    outputs:
+      run_trivy_scan: ${{ steps.set_condition_trivy_scan.outputs.run_trivy_scan }}
+    steps:
+      - name: Set Trivy Condition for cactus-example-carbon-accounting
+        id: set_condition_trivy_scan
+        run: echo "::set-output name=run_trivy_scan::true"  # Set your condition for cactus-example-carbon-accounting here
+
+  build:
+    name: Scan cactus-example-carbon-accounting table image
+    runs-on: ubuntu-20.04
+    needs:
+      - check_trivy_condition
+    if: ${{ needs.check_trivy_condition.outputs.run_trivy_scan == 'true' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+      - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-example-carbon-accounting'
+          format: 'table'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+  build2:
+    name: Scan cactus-connector-besu json image
+    runs-on: ubuntu-20.04
+    needs:
+      - check_trivy_condition
+    if: ${{ needs.check_trivy_condition.outputs.run_trivy_scan == 'false' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: |
+          DOCKER_BUILDKIT=1 docker build ./packages/cactus-plugin-ledger-connector-besu/ -f ./packages/cactus-plugin-ledger-connector-besu/Dockerfile -t cactus-plugin-besu
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-plugin-besu'
+          format: 'table'
+          exit-code: '0'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'

examples/cactus-example-carbon-accounting-backend/package.json

@@ -76,13 +76,19 @@
   "devDependencies": {
     "@types/express": "4.17.19",
     "@types/fs-extra": "9.0.13",
+    "@types/http-cache-semantics": "4.0.4",
     "@types/json-stable-stringify": "1.0.34",
+    "@types/jsrsasign": "10.5.12",
+    "@types/qs": "6.9.11",
     "@types/uuid": "8.3.4",
     "express-jwt": "8.4.1",
     "hardhat": "2.17.2",
+    "http-cache-semantics": "4.1.1",
     "http-status-codes": "2.1.4",
     "jose": "4.9.2",
-    "json-stable-stringify": "1.0.2"
+    "json-stable-stringify": "1.0.2",
+    "jsrsasign": "11.0.0",
+    "qs": "6.11.2"
   },
   "engines": {
     "node": ">=18",

examples/carbon-accounting/Dockerfile

@@ -1,4 +1,4 @@
-FROM cruizba/ubuntu-dind:19.03.11 as runner
+FROM cruizba/ubuntu-dind:20.10.9 as runner
 
 USER root
 
@@ -34,11 +34,12 @@ WORKDIR ${APP}
 SHELL ["/bin/bash", "--login", "-i", "-c"]
 # Installing Node Version Manager (nvm)
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
+ARG NPM_PKG_VERSION=latest
 RUN source ~/.bashrc && \
-    nvm install 16.15.1 && \
+    nvm install 16.20.2 && \
     npm install -g yarn && \
-    yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
-
+    yarn add @hyperledger/cactus-example-carbon-accounting-backend@${NPM_PKG_VERSION} --ignore-engines --production
+    
 SHELL ["/bin/bash", "--login", "-c"]
 
 

examples/carbon-accounting/supervisord.conf

@@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
 stdout_logfile=/usr/src/app/log/dockerd.out.log
 
 [program:carbon-accounting-app]
-command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
+command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
 autostart=true
 autorestart=unexpected
 exitcodes=0

extensions/cactus-plugin-htlc-coordinator-besu/package.json

@@ -7,7 +7,7 @@
     "Cactus",
     "Integration",
     "Blockchain",
-    "Distributed Ledger Technology"
+    "Distributed Ledger Technology" 
   ],
   "homepage": "https://github.com/hyperledger/cacti#readme",
   "bugs": {

package.json

@@ -70,7 +70,7 @@
     "webpack": "lerna run webpack:dev",
     "webpack:dev:web": "lerna run webpack:dev:web",
     "webpack:dev:node": "lerna run webpack:dev:node",
-    "test:jest:all": "NODE_OPTIONS=\"--max_old_space_size=3072 --experimental-vm-modules\" jest",
+    "test:jest:all": "NODE_OPTIONS=\"--max_old_space_size=3072 --experimental-vm-modules\" jest --coverage",
     "test:tap:all": "NODE_OPTIONS=\"--experimental-vm-modules\" tap",
     "test:all": "NODE_OPTIONS=\"--experimental-vm-modules\" yarn test:jest:all && yarn test:tap:all",
     "prettier": "prettier --write --config .prettierrc.js \"./**/src/main/json/openapi.json\"",
@@ -115,7 +115,7 @@
     "@types/adm-zip": "0.5.0",
     "@types/benchmark": "2.1.5",
     "@types/fs-extra": "9.0.13",
-    "@types/jest": "29.5.3",
+    "@types/jest": "29.5.12",
     "@types/node": "16.18.41",
     "@types/node-fetch": "2.6.4",
     "@types/tape": "4.13.4",
@@ -151,8 +151,9 @@
     "grpc_tools_node_protoc_ts": "5.3.3",
     "husky": "7.0.4",
     "inquirer": "8.2.6",
-    "jest": "29.6.2",
-    "jest-extended": "4.0.1",
+    "istanbul-merge": "2.0.0",
+    "jest": "29.7.0",
+    "jest-extended": "4.0.2",
     "json5": "2.2.3",
     "license-report": "6.4.0",
     "lint-staged": "11.2.6",
@@ -175,7 +176,7 @@
     "tap": "16.3.8",
     "tape": "5.6.6",
     "tape-promise": "4.0.0",
-    "ts-jest": "29.1.1",
+    "ts-jest": "29.1.2",
     "ts-loader": "9.4.4",
     "ts-node": "10.9.1",
     "typescript": "5.3.3",

packages/cactus-plugin-ledger-connector-besu/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/hyperledger/cactus-cmd-api-server:2022-08-05-7309f2a
+FROM ghcr.io/hyperledger/cactus-cmd-api-server:2024-01-24-dd85b12
 RUN npm install -g yarn@1.22.17
 
 ENV NODE_ENV=production

packages/cactus-plugin-ledger-connector-besu/package.json

@@ -78,12 +78,22 @@
     "@hyperledger/cactus-plugin-keychain-memory": "2.0.0-alpha.2",
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.2",
     "@types/body-parser": "1.19.4",
+    "@types/convict": "6.1.1",
     "@types/express": "4.17.19",
+    "@types/http-cache-semantics": "4.0.4",
     "@types/http-errors": "2.0.4",
+    "@types/node-forge": "1.0.1",
+    "@types/qs": "6.9.10",
     "@types/uuid": "9.0.6",
     "body-parser": "1.20.2",
+    "convict": "6.2.4",
+    "http-cache-semantics": "4.1.1",
     "key-encoder": "2.0.3",
+    "node-forge": "1.3.0",
+    "protobufjs": "6.11.4",
+    "qs": "6.7.3",
     "socket.io": "4.5.4",
+    "socket.io-parser": "4.2.3",
     "uuid": "9.0.1",
     "web3-core": "1.6.1",
     "web3-eth": "1.6.1"

packages/cactus-plugin-ledger-connector-iroha/Dockerfile

@@ -1,7 +1,7 @@
-FROM ghcr.io/hyperledger/cactus-cmd-api-server:2022-11-14-6ff6aac
-RUN npm install -g yarn@1.22.17
+FROM ghcr.io/hyperledger/cactus-cmd-api-server:2023-12-21-f8f6bcb
+RUN npm i -g corepack && corepack enable && corepack prepare yarn@3.6.0 --activate
 
 ENV NODE_ENV=production
 ARG NPM_PKG_VERSION=latest
 
-RUN yarn add @hyperledger/cactus-plugin-ledger-connector-iroha@${NPM_PKG_VERSION} --production --ignore-engines
+RUN yarn add @hyperledger/cactus-plugin-ledger-connector-iroha@${NPM_PKG_VERSION}

packages/cactus-plugin-persistence-ethereum/package.json

@@ -77,8 +77,8 @@
     "@openapitools/openapi-generator-cli": "2.7.0",
     "@types/express": "4.17.19",
     "@types/pg": "8.6.5",
-    "body-parser": "1.19.0",
-    "express": "4.17.1",
+    "body-parser": "1.20.2",
+    "express": "4.18.2",
     "jest-extended": "4.0.1",
     "npm-run-all": "4.1.5",
     "rxjs": "7.8.1",

tools/ci.sh

@@ -147,7 +147,7 @@ function mainTask()
   if [ "${JEST_TEST_RUNNER_DISABLED:-false}" = "true" ]; then
     echo "$(date +%FT%T%z) [CI] Jest test runner disabled. Skipping..."
   else
-    yarn test:jest:all $JEST_TEST_PATTERN
+    yarn test:jest:all $JEST_TEST_PATTERN --coverage $JEST_CODE_COVERAGE_FOLDER
   fi
 
   if [ "${DUMP_DISK_USAGE_INFO_DISABLED:-true}" = "true" ]; then

tools/docker/iroha-all-in-one/Dockerfile

@@ -1,7 +1,7 @@
-FROM hyperledger/iroha:1.4.0-patch-3
+FROM hyperledger/iroha:1.6.0-hotfix-3
 
-ARG DEBIAN_FRONTEND=noninteractive  
-RUN set -e && apt-get update && \   
+ARG DEBIAN_FRONTEND=noninteractive
+RUN set -e && apt-get update && \
     apt-get install -y moreutils jq wget python3 python3-pip && \
     pip install iroha && \
     apt-get purge -y `apt-get -s purge python3-pip | grep '^ ' | tr -d '*'` && \