From 15bb179d09a413a7d6df0f8d78564923c2df5ca3 Mon Sep 17 00:00:00 2001
From: Jason Thomas
Date: Fri, 20 Dec 2024 08:16:53 -0700
Subject: [PATCH 1/3] Improve trivy checks
---
 .github/workflows/trivy.yml | 71 ++++++-------------------------------
 openc3-ruby/Dockerfile | 3 +-
 2 files changed, 13 insertions(+), 61 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 87b87f350..bc24d5b10 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -32,16 +32,12 @@ jobs:
 OPENC3_TAG: ${{ github.sha }}
 - name: Run Trivy on image ruby
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
+ # See https://github.com/aquasecurity/trivy-action
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-ruby.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
 uses: github/codeql-action/upload-sarif@v3
@@ -53,13 +49,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-node.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 # On a subsequent call to the action we know trivy is already installed so can skip this
 skip-setup-trivy: true
 - name: Upload Trivy scan results
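Review bot: Every scan step in this hunk, and in the nine sibling hunks for node, base, init, redis, minio, operator, cmd-tlm-api, script-runner-api and traefik, still runs `uses: aquasecurity/trivy-action@master`, a floating branch reference that can change between runs and is not covered by this cleanup. Pinning the action to a release tag or, better, a full commit SHA with a version comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # v<release>`, would make the scanner that produces the SARIF reproducible and auditable. The new `trivy-config: trivy.yaml` line presumably resolves relative to the checked-out workspace, and the step now inherits `exit-code: 1` and the severity filter from that file, so the fail-on-findings behaviour is no longer visible here; extending the added comment to `# Scan policy (format, exit code, severity, VEX) lives in trivy.yaml` would keep that discoverable. The enclosing `jobs:` mapping and the step list start outside the hunk.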
@@ -73,13 +64,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-base.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -92,13 +78,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-init.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -111,13 +92,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-redis.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -130,13 +106,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-minio.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -149,13 +120,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-operator.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -168,13 +134,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-cmd-tlm-api.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -187,13 +148,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-script-runner-api.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
@@ -206,13 +162,8 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
- format: "sarif"
- exit-code: 1
 output: "trivy-traefik.sarif"
- ignore-unfixed: true
- vuln-type: "os,library"
- scanners: "vuln"
- severity: "CRITICAL,HIGH"
+ trivy-config: trivy.yaml
 skip-setup-trivy: true
 - name: Upload Trivy scan results
 if: ${{ !cancelled() && steps.build.outcome == 'success' }}
diff --git a/openc3-ruby/Dockerfile b/openc3-ruby/Dockerfile
index 762d5368a..c914c7c28 100644
--- a/openc3-ruby/Dockerfile
+++ b/openc3-ruby/Dockerfile
@@ -79,7 +79,8 @@ RUN apk update \
 && python3 -m venv /openc3/venv \
 && source /openc3/venv/bin/activate \
 && pip3 config --global set global.index $PYPI_URL/pypi \
- && pip3 config --global set global.index-url $PYPI_URL/simple
+ && pip3 config --global set global.index-url $PYPI_URL/simple \
+ && pip3 install --upgrade pip setuptools
 
 # Set user and group
 ENV IMAGE_USER=openc3
From 3ada8f36529d6d40e584b2cee111417e9209cf6e Mon Sep 17 00:00:00 2001
From: Jason Thomas
Date: Fri, 20 Dec 2024 08:17:39 -0700
Subject: [PATCH 2/3] Add trivy config file
---
 trivy.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 trivy.yaml
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 000000000..b588fa36a
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,18 @@
+# See https://trivy.dev/latest/docs/references/configuration/config-file/
+format: "sarif"
+exit-code: 1
+vulnerability:
+ ignore-unfixed: true
+ # See https://trivy.dev/latest/docs/supply-chain/vex/repo/
+ vex:
+ - repo
+pkg:
+ types:
+ - os
+ - library
+scan:
+ scanners:
+ - vuln
+severity:
+ - CRITICAL
+ - HIGH
From 8a34327d98b1a51181cfd90d017b1572a6cddb94 Mon Sep 17 00:00:00 2001
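Review bot: The added `&& pip3 install --upgrade pip setuptools` is unpinned, so every build pulls whatever the index behind `$PYPI_URL` currently serves as latest; the image is no longer reproducible and the Trivy findings for it can change between two builds of the same commit, which undercuts the scanning this series is tightening. Pin both packages to the versions the scan was validated against, e.g. `&& pip3 install --upgrade pip==<pinned-version> setuptools==<pinned-version>`, and bump them deliberately when Trivy flags them. Because this runs right after `source /openc3/venv/bin/activate`, it presumably upgrades the venv's pip rather than the system one — worth a short comment on the line so the next reader does not have to infer that, and adding `--no-cache-dir` keeps the pip download cache out of the layer. The `RUN apk update \` command this line belongs to starts before the hunk.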
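Review bot: `vex: - repo` under `vulnerability:` turns on suppression of findings by VEX statements fetched from a repository, and combined with `ignore-unfixed: true` it means the SARIF uploaded to code scanning silently omits two classes of results with nothing in this file saying which repository is trusted or who curates it. Record that decision next to the key, e.g. `# Findings marked not-affected in the configured VEX repository (Trivy's default one unless vex/repository.yaml overrides it) are dropped from the report`, and review the repository configuration the same way as any other trust decision, since a statement there can hide a real CRITICAL. Where the output format supports it, Trivy's `--show-suppressed` option in an additional run would make the filtered findings visible in the job log for audit. As a YAML nit, the file has no `---` document start and the link comments sit above the keys they explain, which is fine, but a one-line header stating that the workflow's scan steps all read this file would help anyone editing it later.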
From: Jason Thomas
Date: Fri, 20 Dec 2024 09:49:59 -0700
Subject: [PATCH 3/3] Upgrade vite to 6.0.5
---
 .../plugins/packages/openc3-cosmos-ace-diff/package.json | 2 +-
 .../plugins/packages/openc3-cosmos-demo/package.json | 2 +-
 .../plugins/packages/openc3-cosmos-tool-admin/package.json | 2 +-
 .../packages/openc3-cosmos-tool-bucketexplorer/package.json | 2 +-
 .../plugins/packages/openc3-cosmos-tool-cmdsender/package.json | 2 +-
 .../packages/openc3-cosmos-tool-cmdtlmserver/package.json | 2 +-
 .../packages/openc3-cosmos-tool-dataextractor/package.json | 2 +-
 .../plugins/packages/openc3-cosmos-tool-dataviewer/package.json | 2 +-
 .../plugins/packages/openc3-cosmos-tool-handbooks/package.json | 2 +-
 .../plugins/packages/openc3-cosmos-tool-iframe/package.json | 2 +-
 .../packages/openc3-cosmos-tool-limitsmonitor/package.json | 2 +-
 .../packages/openc3-cosmos-tool-packetviewer/package.json | 2 +-
 .../packages/openc3-cosmos-tool-scriptrunner/package.json | 2 +-
 .../packages/openc3-cosmos-tool-tablemanager/package.json | 2 +-
 .../plugins/packages/openc3-cosmos-tool-tlmgrapher/package.json | 2 +-
 .../plugins/packages/openc3-cosmos-tool-tlmviewer/package.json | 2 +-
 .../plugins/packages/openc3-js-common/package.json | 2 +-
 .../plugins/packages/openc3-tool-base/package.json | 2 +-
 .../plugins/packages/openc3-vue-common/package.json | 2 +-
 19 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-ace-diff/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-ace-diff/package.json
index 25565fa80..79a6adee8 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-ace-diff/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-ace-diff/package.json
@@ -19,6 +19,6 @@
 "eslint": "9.17.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3"
+ "vite": "6.0.5"
 }
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-demo/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-demo/package.json
index 6f265a79e..040f454a4 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-demo/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-demo/package.json
@@ -21,7 +21,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vite-plugin-style-inject": "0.0.1",
 "vue": "3.5.13"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-admin/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-admin/package.json
index df3b77454..562526feb 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-admin/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-admin/package.json
@@ -27,7 +27,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-bucketexplorer/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-bucketexplorer/package.json
index a40564aa6..075edb0f0 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-bucketexplorer/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-bucketexplorer/package.json
@@ -29,7 +29,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/package.json
index f2a625b46..37f4ace8d 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdsender/package.json
@@ -29,7 +29,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdtlmserver/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdtlmserver/package.json
index 98f222a42..9f8d84cfa 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdtlmserver/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-cmdtlmserver/package.json
@@ -28,7 +28,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-dataextractor/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-dataextractor/package.json
index 6b8521656..cc3011eee 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-dataextractor/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-dataextractor/package.json
@@ -28,7 +28,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-dataviewer/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-dataviewer/package.json
index b008534a6..5cb87ece4 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-dataviewer/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-dataviewer/package.json
@@ -29,7 +29,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-handbooks/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-handbooks/package.json
index e2fabdd85..9205bbca4 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-handbooks/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-handbooks/package.json
@@ -29,7 +29,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-iframe/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-iframe/package.json
index f2ae3286f..65ec151e2 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-iframe/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-iframe/package.json
@@ -29,7 +29,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-limitsmonitor/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-limitsmonitor/package.json
index 43c96890c..caee5bb5e 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-limitsmonitor/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-limitsmonitor/package.json
@@ -29,7 +29,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-packetviewer/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-packetviewer/package.json
index f3a5792af..b7a60dd69 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-packetviewer/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-packetviewer/package.json
@@ -29,7 +29,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-scriptrunner/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-scriptrunner/package.json
index 18653acc0..d04342711 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-scriptrunner/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-scriptrunner/package.json
@@ -31,7 +31,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tablemanager/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tablemanager/package.json
index f01b73699..f75d7f9f0 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tablemanager/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tablemanager/package.json
@@ -29,7 +29,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tlmgrapher/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tlmgrapher/package.json
index a9512670c..c308b4fb6 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tlmgrapher/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tlmgrapher/package.json
@@ -31,7 +31,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tlmviewer/package.json b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tlmviewer/package.json
index 851309569..f62e8d62f 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tlmviewer/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-cosmos-tool-tlmviewer/package.json
@@ -32,7 +32,7 @@
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
 "sass": "1.83.0",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-js-common/package.json b/openc3-cosmos-init/plugins/packages/openc3-js-common/package.json
index bd1bfb078..96e431dd8 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-js-common/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-js-common/package.json
@@ -59,6 +59,6 @@
 "eslint-plugin-prettier": "5.2.1",
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
- "vite": "6.0.3"
+ "vite": "6.0.5"
 }
 }
diff --git a/openc3-cosmos-init/plugins/packages/openc3-tool-base/package.json b/openc3-cosmos-init/plugins/packages/openc3-tool-base/package.json
index 2524f1502..9f86a2279 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-tool-base/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-tool-base/package.json
@@ -27,7 +27,7 @@
 "prettier": "3.4.2",
 "sass": "1.83.0",
 "serve": "14.2.4",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue": "3.5.13",
 "vue-eslint-parser": "9.4.3"
 },
diff --git a/openc3-cosmos-init/plugins/packages/openc3-vue-common/package.json b/openc3-cosmos-init/plugins/packages/openc3-vue-common/package.json
index d56cc7b11..bec3878f9 100644
--- a/openc3-cosmos-init/plugins/packages/openc3-vue-common/package.json
+++ b/openc3-cosmos-init/plugins/packages/openc3-vue-common/package.json
@@ -89,7 +89,7 @@
 "eslint-plugin-prettier": "5.2.1",
 "eslint-plugin-vue": "9.32.0",
 "prettier": "3.4.2",
- "vite": "6.0.3",
+ "vite": "6.0.5",
 "vue-eslint-parser": "9.4.3"
 }
 }