From e3e735be08fa8dab2792a8f01a888960053dd911 Mon Sep 17 00:00:00 2001
From: David Manthey <david.manthey@kitware.com>
Date: Thu, 12 Dec 2024 10:46:07 -0500
Subject: [PATCH] Use trivy to scan the common docker image

---
 .circleci/config.yml | 30 ++++++++++++++++++++++++++++++
 .trivyignore | 21 +++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 .trivyignore

diff --git a/.circleci/config.yml b/.circleci/config.yml
index e93a66ab..33202cd0 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -270,6 +270,25 @@ jobs:
 linkchecker /tmp/artifacts/index.html
 - store_artifacts:
 path: /tmp/artifacts
+ scan-docker:
+ docker:
+ - image: docker:stable-git
+ steps:
+ - checkout
+ - setup_remote_docker
+ - attach_workspace:
+ at: /tmp/workspace
+ - run:
+ name: Install trivy
+ command: |
+ apk add --update-cache --upgrade curl
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+ - run:
+ name: Scan the local image with trivy; fail on high or critical vulnerabilities
+ command: trivy image --scanners vuln --input /tmp/workspace/dsa_common.tar --exit-code 1 --severity HIGH,CRITICAL --no-progress
+ - run:
+ name: Scan the local image with trivy; report low and medium vulnerabilities, but don't fail
+ command: trivy image --scanners vuln image --input /tmp/workspace/dsa_common.tar --exit-code 0 --severity LOW,MEDIUM,UNKNOWN --no-progress

 workflows:
 version: 2
@@ -339,6 +358,12 @@ workflows:
 branches:
 ignore:
 - gh-pages
+ - scan-docker:
+ requires:
+ - docker-compose
+ filters:
+ tags:
+ only: /^v.*/
 - publish-docker-common:
 requires:
 - test-cli-common
@@ -349,6 +374,7 @@ workflows:
 - docker-compose-minimal
 - docker-compose-external-worker
 - docker-compose-with-dive-volview
+ - scan-docker
 filters:
 tags:
 only: /^v.*/
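Review bot: The third run step of the new scan-docker job carries a stray positional `image` token — `trivy image --scanners vuln image --input ...` — that the HIGH/CRITICAL step directly above it does not have; trivy reads the image name as a positional argument, so this token is at best ignored and at worst changes what the LOW/MEDIUM report scans, and the line should match the step above: `command: trivy image --scanners vuln --input /tmp/workspace/dsa_common.tar --exit-code 0 --severity LOW,MEDIUM,UNKNOWN --no-progress`. The installer in the first run step is fetched from the `main` branch and piped straight into `sh` with no version, so each CI run (and the publish gate that now depends on it) picks up whatever that script and its latest release resolve to at the time; pinning the script to a commit and passing a release tag to it (`sh -s -- -b /usr/local/bin <TRIVY_VERSION>`, placeholder for the chosen tag) makes a scan result reproducible and turns a trivy bump into a reviewable diff. The job also depends on `.trivyignore` being read from the checked-out working directory and on the docker-compose job having written `dsa_common.tar` to the workspace; neither is visible here, so a comment on the job such as `# Uses .trivyignore from the checkout; the tar is produced by the docker-compose job` would help the next reader. The same scan-docker job name is wired into the workflows in the two hunks that follow.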
@@ -391,6 +417,9 @@ workflows:
 - docker-compose-minimal
 - docker-compose-with-dive-volview
 - docker-compose-external-worker
+ - scan-docker:
+ requires:
+ - docker-compose
 - docs
 - publish-docker-common:
 requires:
@@ -399,3 +428,4 @@ workflows:
 - test-girder-build-common
 - test-histomicsui-common
 - test-proxy-common
+ - scan-docker
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 00000000..6a88647e
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,21 @@
+# Accept these; revisit as needed
+
+# In bioformats_package.jar; shouldn't be an issue because of how xml is used
+CVE-2024-47554
+# In bioformats_package.jar; worst case is jvm halts
+CVE-2024-36114
+# In bioformats_package.jar; we don't pass urls to bioformats
+CVE-2023-32697
+
+# possible regex dos issues during girder build, not exposed during running
+CVE-2021-3807
+CVE-2024-21538
+CVE-2022-25881
+CVE-2022-25883
+# Partial urls can route badly; this shouldn't ever be exposed except possibly
+# during girder build, as node isn't run otherwise
+CVE-2024-29415
+
+# This is a hyper-v hv_sock issue; it doesn't seem like we should be using that
+# in our docker context
+CVE-2024-53103
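Review bot: Every entry in the new .trivyignore is unscoped and undated, so each CVE is suppressed for any package anywhere in the image rather than only in the jar or build-time tool the comments name, and the `revisit as needed` intent in the first line has no trigger that will ever re-surface a finding. Trivy's ignore file accepts an expiry suffix, e.g. `CVE-2024-47554 exp:<REVIEW_DATE>`, after which the finding fails the HIGH/CRITICAL step again and forces the justification to be re-read; and the `.trivyignore.yaml` form can restrict an entry to a path such as the bioformats jar so the same CVE is still reported if it shows up in another component. The per-entry rationale comments are the right habit; the CVE-2024-53103 comment itself says "it doesn't seem like", so confirming which package in the image triggers it, and recording that in the comment, would turn a guess into an auditable decision.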