From dcf5c3611faadcd2c97e550c1ef01889f3057e58 Mon Sep 17 00:00:00 2001
From: jesus-linares
Date: Mon, 8 Jul 2024 10:40:08 +0200
Subject: [PATCH 1/8] update
---
 .github/workflows/trivy.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/trivy.yaml
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 000000000..c89dae9b9
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,27 @@
+name: build
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+
+ - name: Run Trivy vulnerability scanner in fs mode
+ uses: aquasecurity/trivy-action@0.23.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
From 41576a9f4a81651193649b410eabd47a83a583d7 Mon Sep 17 00:00:00 2001
From: jesus-linares
Date: Mon, 8 Jul 2024 10:41:22 +0200
Subject: [PATCH 2/8] update
---
 test | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 test
diff --git a/test b/test
new file mode 100644
index 000000000..968609a4f
--- /dev/null
+++ b/test
@@ -0,0 +1 @@
+Mon Jul 8 10:41:22 CEST 2024
From d2c914df7c83268007c47479bf2b67a087a5f6b6 Mon Sep 17 00:00:00 2001
From: jesus-linares
Date: Mon, 8 Jul 2024 10:45:43 +0200
Subject: [PATCH 3/8] update
---
 test | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test b/test
index 968609a4f..c72f1a073 100644
--- a/test
+++ b/test
@@ -1 +1,2 @@
 Mon Jul 8 10:41:22 CEST 2024
+Mon Jul 8 10:45:43 CEST 2024
From 62bc57f808fa755ba9b9f468ea7d61f1f3be5a2b Mon Sep 17 00:00:00 2001
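Review bot: The new workflow has no top-level `permissions:` block, so the `upload-sarif` step at the end of the hunk runs with whatever the repository's default GITHUB_TOKEN grants — too much if the default is write-all, and a rejected upload if the default is read-only. Add an explicit least-privilege grant, `permissions:` / `contents: read` / `security-events: write`, between `name:` and `on:`; PATCH 7/8 shows the shape for dependency.yaml, though that file needs only `contents: read`. Separately, `aquasecurity/trivy-action@0.23.0`, `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` are mutable tags; the supply-chain convention for third-party actions is a full commit SHA with the tag in a trailing comment, and the same applies to the actions referenced in PATCH 7/8 and PATCH 8/8. Neither point is addressed by the later PATCH 8/8 hunk, which starts at line 12 of this file and never touches the header.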
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Jul 2024 10:48:59 +0200
Subject: [PATCH 4/8] Bump lodash from 4.17.20 to 4.17.21 in /javascript (#5)
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.20 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.20...4.17.21)
---
updated-dependencies:
- dependency-name: lodash
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 javascript/package-lock.json | 6 +++---
 javascript/package.json | 2 +-
 javascript/yarn.lock | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/javascript/package-lock.json b/javascript/package-lock.json
index 5ff3feb2e..207ad12b3 100644
--- a/javascript/package-lock.json
+++ b/javascript/package-lock.json
@@ -33,9 +33,9 @@
 "integrity": "sha512-/2JL4Xv6xfhN2+AEKQGTYr1LZTmBCR/5fHxJVvb9zWNsmKZfKrl3wYYK8SD/Z8kXkf+ZSusfumLZ4wDTHrWujA=="
 },
 "lodash": {
- "version": "4.17.20",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz",
- "integrity": "sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA=="
+ "version": "4.17.21",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
 },
 "tiny-emitter": {
 "version": "2.1.0",
diff --git a/javascript/package.json b/javascript/package.json
index 6c78dc8fb..128ac0e21 100644
--- a/javascript/package.json
+++ b/javascript/package.json
@@ -5,6 +5,6 @@
 "license": "MIT",
 "dependencies": {
 "hot-formula-parser": "^3.0.0",
- "lodash": "^4.17.20"
+ "lodash": "^4.17.21"
 }
 }
diff --git a/javascript/yarn.lock b/javascript/yarn.lock
index fd3e47b73..14d5c638b 100644
--- a/javascript/yarn.lock
+++ b/javascript/yarn.lock
@@ -28,10 +28,10 @@ jstat@^1.9.2:
 resolved "https://registry.yarnpkg.com/jstat/-/jstat-1.9.3.tgz#6a0e60c3b87fd714b61e765b77fc6b035437ee34"
 integrity sha512-/2JL4Xv6xfhN2+AEKQGTYr1LZTmBCR/5fHxJVvb9zWNsmKZfKrl3wYYK8SD/Z8kXkf+ZSusfumLZ4wDTHrWujA==
-lodash@^4.17.20:
- version "4.17.20"
- resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz#b44a9b6297bcb698f1c51a3545a2b3b368d59c52"
- integrity sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA==
+lodash@^4.17.21:
+ version "4.17.21"
+ resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
+ integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
 tiny-emitter@^2.1.0:
 version "2.1.0"
From cf656ea762bd0036a6225fc8d24d49ea52a61135 Mon Sep 17 00:00:00 2001
From: jesus-linares
Date: Mon, 8 Jul 2024 11:17:13 +0200
Subject: [PATCH 5/8] update
---
 .github/workflows/trivy.yaml | 2 +-
 test | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index c89dae9b9..a74dbdd93 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -3,7 +3,7 @@ on:
 push:
 branches:
 - main
-
+ pull_request:
 jobs:
 build:
 name: Build
diff --git a/test b/test
index c72f1a073..cb2f8db48 100644
--- a/test
+++ b/test
@@ -1,2 +1,3 @@
 Mon Jul 8 10:41:22 CEST 2024
 Mon Jul 8 10:45:43 CEST 2024
+Mon Jul 8 11:17:13 CEST 2024
From d7f9f56e987418f20f09fdff27656abf78511ea5 Mon Sep 17 00:00:00 2001
From: jesus-linares
Date: Mon, 8 Jul 2024 11:20:00 +0200
Subject: [PATCH 6/8] update
---
 file1 | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 file1
diff --git a/file1 b/file1
new file mode 100644
index 000000000..e69de29bb
From c26762b3b76ec330ff409ac930053befd9619557 Mon Sep 17 00:00:00 2001
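Review bot: The added `pull_request:` trigger carries no `branches` filter while the existing `push` trigger is limited to `main`, so every pull request against any branch now runs the scan and the SARIF upload; if that is not intended, mirror the push filter with `pull_request:` / `  branches:` / `    - main`. For pull requests opened from forks the GITHUB_TOKEN is read-only regardless of what the workflow requests, so the Upload step (outside this hunk) will be rejected on those runs; either condition that step on the PR head belonging to this repository or accept that failure explicitly rather than letting it surface as a red check. The removed blank line was the separator before `jobs:`; keeping one blank line after `pull_request:` keeps the trigger and job stanzas visually separate.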
From: jesus-linares
Date: Tue, 9 Jul 2024 11:01:43 +0200
Subject: [PATCH 7/8] update
---
 .github/workflows/dependency.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 .github/workflows/dependency.yaml
diff --git a/.github/workflows/dependency.yaml b/.github/workflows/dependency.yaml
new file mode 100644
index 000000000..f0b0eb07d
--- /dev/null
+++ b/.github/workflows/dependency.yaml
@@ -0,0 +1,14 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
\ No newline at end of file
From f628c6de6b2cbcd8bb75abaafcfd1386ffa00a45 Mon Sep 17 00:00:00 2001
From: jesus-linares
Date: Tue, 9 Jul 2024 16:07:26 +0200
Subject: [PATCH 8/8] update
---
 .github/workflows/trivy.yaml | 66 +++++++++++++++++++++++++++++++++---
 Dockerfile1 | 13 +++++++
 Dockerfile3 | 10 ++++++
 3 files changed, 84 insertions(+), 5 deletions(-)
 create mode 100644 Dockerfile1
 create mode 100644 Dockerfile3
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index a74dbdd93..9886dd62e 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
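Review bot: The file is committed without a trailing newline (`\ No newline at end of file` after the last `uses:` line); add one so yamllint and later diffs stay clean. The action runs entirely on its defaults — there is no `with:` block — so the severity threshold and license policy this PR gate enforces are invisible in the repository; state them explicitly, e.g. `with:` / `fail-on-severity: high` (constructed example), so reviewers can see and change the policy without consulting the action's documentation. `permissions: contents: read` is the right scope for this action and is the pattern the trivy workflow from PATCH 1/8 still lacks.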
@@ -12,16 +12,72 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
+ - name: Build Docker Image 1 (Vulnerable - Ubuntu)
+ run: |
+ docker build -t vulnerable-image-ubuntu -f Dockerfile1 .
- - name: Run Trivy vulnerability scanner in fs mode
+ - name: Build Docker Image 3 (Non-vulnerable)
+ run: |
+ docker build -t non-vulnerable-image -f Dockerfile3 .
+
+ - name: "Run Trivy vulnerability scanner: image"
+ uses: aquasecurity/trivy-action@0.23.0
+ with:
+ image-ref: 'vulnerable-image-ubuntu'
+ scan-type: 'image'
+ vuln-type: 'os'
+ format: 'sarif'
+ output: 'trivy-results-image1.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results-image1.sarif'
+ category: 'image'
+
+ - name: "Run Trivy vulnerability scanner: image"
+ uses: aquasecurity/trivy-action@0.23.0
+ with:
+ image-ref: 'non-vulnerable-image'
+ scan-type: 'image'
+ vuln-type: 'os'
+ format: 'sarif'
+ output: 'trivy-results-image2.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results-image2.sarif'
+ category: 'image'
+
+ - name: "Run Trivy vulnerability scanner: image"
+ uses: aquasecurity/trivy-action@0.23.0
+ with:
+ image-ref: 'vulnerable-image-ubuntu'
+ scan-type: 'image'
+ scanners: 'vuln,secret'
+ vuln-type: 'os'
+ format: 'sarif'
+ output: 'trivy-results-image1.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results-image1.sarif'
+ category: 'image'
+
+ - name: "Run Trivy vulnerability scanner: image"
 uses: aquasecurity/trivy-action@0.23.0
 with:
- scan-type: 'fs'
- scan-ref: '.'
+ image-ref: 'non-vulnerable-image'
+ scan-type: 'image'
+ scanners: 'vuln,secret'
+ vuln-type: 'os'
 format: 'sarif'
- output: 'trivy-results.sarif'
+ output: 'trivy-results-image2.sarif'
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: 'trivy-results.sarif'
+ sarif_file: 'trivy-results-image2.sarif'
+ category: 'image'
diff --git a/Dockerfile1 b/Dockerfile1
new file mode 100644
index 000000000..6029ce87c
--- /dev/null
+++ b/Dockerfile1
@@ -0,0 +1,13 @@
+# Dockerfile 1 (Vulnerable)
+FROM ubuntu:18.04
+
+RUN apt-get update && \
+ apt-get install -y \
+ openssl \
+ curl
+
+# Deliberately using an old version of OpenSSL with known vulnerabilities
+RUN apt-get install -y openssl=1.1.0g-2ubuntu4.3
+
+# Adding a fake AWS secret key
+RUN echo "AWS_SECRET_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" > /root/.aws/credentials
\ No newline at end of file
diff --git a/Dockerfile3 b/Dockerfile3
new file mode 100644
index 000000000..21da59a1f
--- /dev/null
+++ b/Dockerfile3
@@ -0,0 +1,10 @@
+# Dockerfile 3 (Non-vulnerable)
+FROM ubuntu:20.04
+
+RUN apt-get update && \
+ apt-get install -y \
+ openssl \
+ curl
+
+# Using the latest versions with no known vulnerabilities
+RUN apt-get install -y openssl
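Review bot: All four `Upload Trivy scan results to GitHub Security tab` steps use `category: 'image'`; GitHub uses the category to tell analyses of the same commit apart, so uploads sharing it are expected to supersede one another and only the last scan's findings (the non-vulnerable image with `vuln,secret`) would remain in the Security tab. Give each upload its own value, e.g. `category: 'image-vulnerable-os'` and `category: 'image-baseline-os'` for the first pair and `-vuln-secret` variants for the second (constructed names). The first two scan/upload pairs are also subsumed by the last two (same image, same `vuln-type: 'os'`, plus the secret scanner) and write to the same `trivy-results-image1.sarif` / `trivy-results-image2.sarif` files, so they add runtime and are overwritten on disk; drop them or give them distinct outputs. All four scan steps share the name `"Run Trivy vulnerability scanner: image"`, which makes the run log hard to read; name them after the image and scanner set. The job still has no `permissions:` block (outside this hunk, raised on PATCH 1/8), so `security-events: write` for these uploads remains unrequested.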
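Review bot: The last `RUN echo ... > /root/.aws/credentials` line redirects into `/root/.aws`, a directory the `ubuntu:18.04` base does not ship, so the shell redirection fails and `docker build` aborts — the "Build Docker Image 1" step in trivy.yaml then fails before any Trivy scan runs. Change it to `RUN mkdir -p /root/.aws && echo "AWS_SECRET_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" > /root/.aws/credentials`. The value has the shape of AWS's published example access key ID rather than a secret access key, so the comment should say it is a placeholder intended to exercise Trivy's secret scanner, which makes the intent clear to anyone who finds it later. The pinned `openssl=1.1.0g-2ubuntu4.3` may no longer be resolvable from the 18.04 archives now that the release is past standard support; if the build fails on that line instead, the workflow symptom is the same.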
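Review bot: The comment `# Using the latest versions with no known vulnerabilities` promises something the file cannot guarantee — `ubuntu:20.04` and its `openssl` package will carry whatever OS-level findings Trivy's database holds on the day of the scan — so describe this image as the baseline/control for comparison rather than asserting it is clean. The final `RUN apt-get install -y openssl` re-requests a package the first `RUN` already installed and only adds an empty layer; remove it, or move any intended version pin into the first `RUN` alongside `curl`.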