adding high/critical severity vuln checks #123
Conversation
Signed-off-by: Samim Mirhosseini <ssmirr@users.noreply.github.com>
Codecov Report: All modified and coverable lines are covered by tests ✅
Additional details and impacted files:
@@ Coverage Diff @@
##             main     #123      +/-   ##
==========================================
+ Coverage   68.71%   68.78%   +0.06%
==========================================
  Files          47       47
  Lines        4482     4482
==========================================
+ Hits         3080     3083       +3
+ Misses       1207     1206       -1
+ Partials      195      193       -2
View full report in Codecov by Sentry.
Signed-off-by: Nicko Guyer <nicko.guyer@kaleido.io>
go.mod
gopkg.in/ini.v1 v1.67.0 // indirect | ||
gopkg.in/yaml.v3 v3.0.1 // indirect | ||
) | ||
|
||
replace google.golang.org/grpc => google.golang.org/grpc v1.29.0 |
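Review bot: the `replace google.golang.org/grpc => google.golang.org/grpc v1.29.0` directive at the end of this hunk is what the vulnerability scanner trips on, and nothing in go.mod says why the pin exists; if it has to stay for fabric-sdk-go compatibility, put a `//` comment on that line naming the constraint, and keep the accepted finding in a `.trivyignore` entry with the same justification, so the next person who sees the scanner fail does not have to rediscover the reasoning from this thread.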
@jimthematrix Do you mind taking a look at this one? Our vulnerability tool does not like this version, but it looks like we were very intentionally staying on this version for some reason. Do you know why this was here?
pretty sure this is why: https://github.com/hyperledger/fabric-sdk-go/blob/main/go.mod#L30. But I can't remember what the exact error was if we used a later version.
Is there a way to override the failure in the vulnerability tool? This problem is only relevant when using grpc to implement server endpoints. In the case of FabConnect, grpc is only between it and the Fabric endpoint, so the attack vector is not exposed via FabConnect.
marking approval on PR based on agreement with this assessment from @jimthematrix
Strange...
This reverts commit 6aa93a8. Signed-off-by: Nicko Guyer <nicko.guyer@kaleido.io>
Signed-off-by: Samim Mirhosseini <ssmirr@users.noreply.github.com>
… into vuln-check
Changes in 7de4ef4 make trivy ignore this specific CVE, as requested in #123 (comment)
adding high/critical severity vuln checks
This pull request updates the Dockerfile to check the dependencies of this source code, and to fail the build if high/critical severity vulnerabilities are detected.
Currently this one is detected:
This is done with the help of Trivy, an open source scanning tool from Aquasec. Trivy is Red Hat certified, and is being used as the default container scanner on GitLab (according to this link).
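As an added example (not the Dockerfile change from this PR, and not project code), the shape of a multi-stage Go build that runs Trivy against the module files and fails the build on HIGH/CRITICAL findings. The Go base image, the `./cmd/fabconnect` build path, the stage names and the use of `aquasec/trivy:latest` as the source of the scanner binary are assumptions; the Trivy flags (`fs`, `--severity`, `--exit-code`, `--ignorefile`) are real options of the tool.

```dockerfile
# syntax=docker/dockerfile:1
# Assumed build stage: compile the service (image tag and path are assumptions).
FROM golang:1.21-bullseye AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /out/fabconnect ./cmd/fabconnect

# Scan stage: reuse the builder filesystem so go.mod/go.sum are present,
# borrow the static trivy binary from the official image (pin the tag in
# real use), and make the build fail on HIGH or CRITICAL findings.
# .trivyignore in the build context lists accepted CVE IDs, one per line,
# each with a comment explaining why the finding is accepted.
FROM builder AS scan
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy fs \
      --severity HIGH,CRITICAL \
      --exit-code 1 \
      --no-progress \
      --ignorefile .trivyignore \
      /src

# Final image. Copying the binary from the scan stage, not from builder,
# is what forces the scan to run: BuildKit only builds the stages the final
# stage depends on, so a COPY --from=builder here would silently skip it.
FROM gcr.io/distroless/static-debian11
COPY --from=scan /out/fabconnect /fabconnect
ENTRYPOINT ["/fabconnect"]
```

Two things to keep in mind with this layout: the scan stage needs network access at build time to fetch the Trivy vulnerability database, so air-gapped builders must pre-populate the cache; and `--ignore-unfixed` can be added to the `trivy fs` line if the team decides that findings with no upstream fix should not block the build, which is a policy choice rather than a default.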