carbon accounting trivy scan

.github/workflows/azure-container-scan.yaml

@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+ push:
+ pull_request:
+ # Publish `main` as Docker `latest` image.
+ branches:
+ - main
+
+ # Publish `v1.2.3` tags as releases.
+ tags:
+ - v*
+
+
+jobs:
+ build-secure-and-push:
+ name: Scan cactus-example-carbon-accounting image
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v2.4.0
+ env:
+ # (Required) The token to use to make API calls to GitHub.
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+ - uses: actions/checkout@v1
+ - name: Login to DockerHub Registry
+ run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+ - name: Build Images from Dockerfile
+ run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting
+
+ - uses: Azure/container-scan@v0.1
+ name: Scan image for vulnerabilities
+ id: container-scan
+ continue-on-error: true
+ with:
+ image-name: cactus-example-carbon-accounting

.github/workflows/trivy-container-scan.yaml

@@ -0,0 +1,52 @@
+name: trivy-container-image-scan
+
+on:
+ push:
+ pull_request:
+ # Publish `main` as Docker `latest` image.
+ branches:
+ - main
+
+ # Publish `v1.2.3` tags as releases.
+ tags:
+ - v*
+
+
+jobs:
+
+ build:
+ name: Scan cactus-plugin-ledger-connector-quorum table image
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-plugin-ledger-connector-quorum/Dockerfile -t cactus-plugin-ledger-connector-quorum
+ - name: Run Trivy vulnerability scan for cactus-plugin-ledger-connector-quorum
+ uses: aquasecurity/trivy-action@0.11.2
+ with:
+ image-ref: 'cactus-plugin-ledger-connector-quorum'
+ format: 'table'
+ exit-code: '0'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ build2:
+ name: Scan cactus-example-carbon-accounting json image
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Build an image from Dockerfile
+ run: |
+ DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.11.2
+ with:
+ image-ref: 'cactus-example-carbon-accounting'
+ format: 'json'
+ exit-code: '0'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'

examples/cactus-example-carbon-accounting-backend/package.json

@@ -77,12 +77,14 @@
  "@types/express": "4.17.19",
  "@types/fs-extra": "9.0.13",
  "@types/json-stable-stringify": "1.0.34",
+ "@types/qs": "^6",
  "@types/uuid": "9.0.8",
  "express-jwt": "8.4.1",
  "hardhat": "2.17.2",
  "http-status-codes": "2.1.4",
  "jose": "4.15.5",
- "json-stable-stringify": "1.0.2"
+ "json-stable-stringify": "1.0.2",
+ "qs": "6.7.3"
  },
  "engines": {
  "node": ">=18",

examples/carbon-accounting/Dockerfile

@@ -1,4 +1,4 @@
-FROM cruizba/ubuntu-dind:19.03.11 as runner
+FROM cruizba/ubuntu-dind:20.10.18 as runner
 
 USER root
 
@@ -33,15 +33,16 @@ WORKDIR ${APP}
 
 SHELL ["/bin/bash", "--login", "-i", "-c"]
 # Installing Node Version Manager (nvm)
-RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
+ARG NPM_PKG_VERSION="latest"
 RUN source ~/.bashrc && \
- nvm install 16.15.1 && \
- npm install -g yarn && \
- yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
-
+ nvm install 20.11.1 && \
+ npm install --location=global yarn && \
+ yarn set version 4.1.0 && \
+ yarn config set nodeLinker node-modules && \
+ yarn add @hyperledger/cactus-example-carbon-accounting-backend@${NPM_PKG_VERSION} --exact
 SHELL ["/bin/bash", "--login", "-c"]
 
-
 COPY --chown=${APP_USER}:${APP_USER} ./examples/carbon-accounting/healthcheck.sh /
 
 ENV AUTHORIZATION_CONFIG_JSON="{}"

examples/carbon-accounting/supervisord.conf

@@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
 stdout_logfile=/usr/src/app/log/dockerd.out.log
 
 [program:carbon-accounting-app]
-command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
+command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
 autostart=true
 autorestart=unexpected
 exitcodes=0

packages/cactus-plugin-ledger-connector-quorum/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/hyperledger/cactus-cmd-api-server:v1.0.0
+FROM ghcr.io/hyperledger/cactus-cmd-api-server:2024-03-18-8ddc02d
 
 ARG NPM_PKG_VERSION=latest
 

yarn.lock

@@ -7729,6 +7729,7 @@ __metadata:
  "@types/express": "npm:4.17.19"
  "@types/fs-extra": "npm:9.0.13"
  "@types/json-stable-stringify": "npm:1.0.34"
+ "@types/qs": "npm:^6"
  "@types/uuid": "npm:9.0.8"
  async-exit-hook: "npm:2.0.1"
  express-jwt: "npm:8.4.1"
@@ -7739,6 +7740,7 @@ __metadata:
  jose: "npm:4.15.5"
  json-stable-stringify: "npm:1.0.2"
  openapi-types: "npm:12.1.3"
+ qs: "npm:6.7.3"
  typescript-optional: "npm:2.0.1"
  uuid: "npm:9.0.1"
  web3-core: "npm:1.6.1"
@@ -15391,6 +15393,13 @@ __metadata:
  languageName: node
  linkType: hard
 
+"@types/qs@npm:^6":
+ version: 6.9.10
+ resolution: "@types/qs@npm:6.9.10"
+ checksum: 10/3e479ee056bd2b60894baa119d12ecd33f20a25231b836af04654e784c886f28a356477630430152a86fba253da65d7ecd18acffbc2a8877a336e75aa0272c67
+ languageName: node
+ linkType: hard
+
 "@types/range-parser@npm:*":
  version: 1.2.4
  resolution: "@types/range-parser@npm:1.2.4"
@@ -42104,6 +42113,13 @@ __metadata:
  languageName: node
  linkType: hard
 
+"qs@npm:6.7.3":
+ version: 6.7.3
+ resolution: "qs@npm:6.7.3"
+ checksum: 10/b299d27f4ac4e47511dc15ff5650bd7a1c07cfbe514190a479b0b3a0d5b401198ff6910371b473e70fbde8e114f1bcba9c64ea52a147053e3b0b554aeb5a41ad
+ languageName: node
+ linkType: hard
+
 "qs@npm:^6.11.0, qs@npm:^6.9.4":
  version: 6.11.2
  resolution: "qs@npm:6.11.2"