From e3e735be08fa8dab2792a8f01a888960053dd911 Mon Sep 17 00:00:00 2001
From: David Manthey <david.manthey@kitware.com>
Date: Thu, 12 Dec 2024 10:46:07 -0500
Subject: [PATCH] Use trivy to scan the common docker image

---
 .circleci/config.yml | 30 ++++++++++++++++++++++++++++++
 .trivyignore         | 21 +++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 .trivyignore

diff --git a/.circleci/config.yml b/.circleci/config.yml
index e93a66ab..33202cd0 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -270,6 +270,25 @@ jobs:
             linkchecker /tmp/artifacts/index.html
       - store_artifacts:
           path: /tmp/artifacts
+  scan-docker:
+    docker:
+      - image: docker:stable-git
+    steps:
+      - checkout
+      - setup_remote_docker
+      - attach_workspace:
+          at: /tmp/workspace
+      - run:
+          name: Install trivy
+          command: |
+            apk add --update-cache --upgrade curl
+            curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+      - run:
+          name: Scan the local image with trivy; fail on high or critical vulnerabilities
+          command: trivy image --scanners vuln --input /tmp/workspace/dsa_common.tar --exit-code 1 --severity HIGH,CRITICAL --no-progress
+      - run:
+          name: Scan the local image with trivy; report low and medium vulnerabilities, but don't fail
+          command: trivy image --scanners vuln image --input /tmp/workspace/dsa_common.tar --exit-code 0 --severity LOW,MEDIUM,UNKNOWN --no-progress
 
 workflows:
   version: 2
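Review bot: The LOW/MEDIUM step's command has a stray positional `image` token (`trivy image --scanners vuln image --input ...`) that the HIGH/CRITICAL step does not; depending on the trivy version it is either ignored because `--input` is set or rejected as a bad target, so it should be dropped so both steps scan the same tarball the same way: `command: trivy image --scanners vuln --input /tmp/workspace/dsa_common.tar --exit-code 0 --severity LOW,MEDIUM,UNKNOWN --no-progress`. The install step pipes an unpinned script from the `main` branch into `sh` and installs whatever trivy release is current, so the gate that blocks `publish-docker-common` can change behaviour (or break) without any change to this repo; the script accepts a release tag, e.g. `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin <pinned-trivy-version>`, and the script URL itself could reference a tag instead of `main`. It is also worth a one-line comment on the scan steps that the suppressions come from the repo's `.trivyignore`, which trivy reads from the working directory only because `checkout` runs before the scans. The `jobs:` mapping this job belongs to starts outside the hunk.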
@@ -339,6 +358,12 @@ workflows:
             branches:
               ignore:
                 - gh-pages
+      - scan-docker:
+          requires:
+            - docker-compose
+          filters:
+            tags:
+              only: /^v.*/
       - publish-docker-common:
           requires:
             - test-cli-common
@@ -349,6 +374,7 @@ workflows:
             - docker-compose-minimal
             - docker-compose-external-worker
             - docker-compose-with-dive-volview
+            - scan-docker
           filters:
             tags:
               only: /^v.*/
@@ -391,6 +417,9 @@ workflows:
       - docker-compose-minimal
       - docker-compose-with-dive-volview
       - docker-compose-external-worker
+      - scan-docker:
+          requires:
+            - docker-compose
       - docs
       - publish-docker-common:
           requires:
@@ -399,3 +428,4 @@ workflows:
             - test-girder-build-common
             - test-histomicsui-common
             - test-proxy-common
+            - scan-docker
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 00000000..6a88647e
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,21 @@
+# Accept these; revisit as needed
+
+# In bioformats_package.jar; shouldn't be an issue because of how xml is used
+CVE-2024-47554
+# In bioformats_package.jar; worst case is jvm halts
+CVE-2024-36114
+# In bioformats_package.jar; we don't pass urls to bioformats
+CVE-2023-32697
+
+# possible regex dos issues during girder build, not exposed during running
+CVE-2021-3807
+CVE-2024-21538
+CVE-2022-25881
+CVE-2022-25883
+# Partial urls can route badly; this shouldn't ever be exposed except possibly
+# during girder build, as node isn't run otherwise
+CVE-2024-29415
+
+# This is a hyper-v hv_sock issue; it doesn't seem like we should be using that
+# in our docker context
+CVE-2024-53103
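Review bot: Every entry in this file suppresses the CVE image-wide, not just in the location the comment names, so `CVE-2024-47554`, `CVE-2024-36114` and `CVE-2023-32697` would also be hidden if the same library turned up in another jar or package in the image, where the "how bioformats uses it" reasoning may not hold; the YAML form of the ignore file (`.trivyignore.yaml`) lets each id be scoped with `paths:` and carry a `statement:`, which would make these rationales enforceable rather than advisory. "Accept these; revisit as needed" gives no trigger for the revisit; trivy's plain format supports an expiry suffix so that an ignore re-surfaces as a finding on a date, e.g. `CVE-2024-47554 exp:<review-date>`, and adding one per entry (or per group) would turn the header into something the scan enforces. The build-time-only rationale for the node entries (`CVE-2021-3807`, `CVE-2024-21538`, `CVE-2022-25881`, `CVE-2022-25883`, `CVE-2024-29415`) is presumably that the affected packages are still present in the published image; a comment saying whether they could be removed from the final image instead of ignored would help the next reviewer.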