dependabot · jesus-linares · Jul 8, 2024 · Jul 8, 2024 · Jul 8, 2024 · Jul 8, 2024
diff --git a/.github/workflows/dependency.yaml b/.github/workflows/dependency.yaml
@@ -0,0 +1,14 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,83 @@
+name: build
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build Docker Image 1 (Vulnerable - Ubuntu)
+        run: |
+          docker build -t vulnerable-image-ubuntu -f Dockerfile1 .
+
+      - name: Build Docker Image 3 (Non-vulnerable)
+        run: |
+          docker build -t non-vulnerable-image -f Dockerfile3 .
+
+      - name: "Run Trivy vulnerability scanner: image"
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'vulnerable-image-ubuntu'
+          scan-type: 'image'
+          vuln-type: 'os'
+          format: 'sarif'
+          output: 'trivy-results-image1.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-image1.sarif'
+          category: 'image'
+
+      - name: "Run Trivy vulnerability scanner: image"
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'non-vulnerable-image'
+          scan-type: 'image'
+          vuln-type: 'os'
+          format: 'sarif'
+          output: 'trivy-results-image2.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-image2.sarif'
+          category: 'image'
+
+      - name: "Run Trivy vulnerability scanner: image"
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'vulnerable-image-ubuntu'
+          scan-type: 'image'
+          scanners: 'vuln,secret'
+          vuln-type: 'os'
+          format: 'sarif'
+          output: 'trivy-results-image1.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-image1.sarif'
+          category: 'image'
+
+      - name: "Run Trivy vulnerability scanner: image"
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'non-vulnerable-image'
+          scan-type: 'image'
+          scanners: 'vuln,secret'
+          vuln-type: 'os'
+          format: 'sarif'
+          output: 'trivy-results-image2.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-image2.sarif'
+          category: 'image'
diff --git a/Dockerfile1 b/Dockerfile1
@@ -0,0 +1,13 @@
+# Dockerfile 1 (Vulnerable)
+FROM ubuntu:18.04
+
+RUN apt-get update && \
+    apt-get install -y \
+    openssl \
+    curl
+
+# Deliberately using an old version of OpenSSL with known vulnerabilities
+RUN apt-get install -y openssl=1.1.0g-2ubuntu4.3
+
+# Adding a fake AWS secret key
+RUN echo "AWS_SECRET_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" > /root/.aws/credentials
diff --git a/Dockerfile3 b/Dockerfile3
@@ -0,0 +1,10 @@
+# Dockerfile 3 (Non-vulnerable)
+FROM ubuntu:20.04
+
+RUN apt-get update && \
+    apt-get install -y \
+    openssl \
+    curl
+
+# Using the latest versions with no known vulnerabilities
+RUN apt-get install -y openssl
diff --git a/file1 b/file1
diff --git a/javascript/package-lock.json b/javascript/package-lock.json
diff --git a/javascript/package.json b/javascript/package.json
@@ -5,6 +5,6 @@
   "license": "MIT",
   "dependencies": {
     "hot-formula-parser": "^3.0.0",
-    "lodash": "^4.17.20"
+    "lodash": "^4.17.21"
   }
 }
diff --git a/javascript/yarn.lock b/javascript/yarn.lock
@@ -28,10 +28,10 @@ jstat@^1.9.2:
   resolved "https://registry.yarnpkg.com/jstat/-/jstat-1.9.3.tgz#6a0e60c3b87fd714b61e765b77fc6b035437ee34"
   integrity sha512-/2JL4Xv6xfhN2+AEKQGTYr1LZTmBCR/5fHxJVvb9zWNsmKZfKrl3wYYK8SD/Z8kXkf+ZSusfumLZ4wDTHrWujA==
 
-lodash@^4.17.20:
-  version "4.17.20"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz#b44a9b6297bcb698f1c51a3545a2b3b368d59c52"
-  integrity sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA==
+lodash@^4.17.21:
+  version "4.17.21"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
+  integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
 
 tiny-emitter@^2.1.0:
   version "2.1.0"

diff --git a/test b/test
@@ -0,0 +1,3 @@
+Mon Jul 8 10:41:22 CEST 2024
+Mon Jul 8 10:45:43 CEST 2024
+Mon Jul 8 11:17:13 CEST 2024