Merge pull request #44 from catenax-ng/fix/trivy_findings

Fix Trivy findings
eclipse-tractusx · Nov 20, 2023 · 805c894 · 805c894
2 parents aa67d74 + 98aa894
commit 805c894
Show file tree

Hide file tree

Showing 10 changed files with 70 additions and 23 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,6 +5,7 @@ on:
     branches:
       - "main"
       - "dev"
+      - "fix/*"
     tags:
       - "v*.*.*"
       - "v*.*.*-*"

diff --git a/.github/workflows/trivy-test-images.yml b/.github/workflows/trivy-test-images.yml
@@ -0,0 +1,55 @@
+name: Trivy Docker Image Analysis
+
+on:
+  push:
+    branches:
+      - fix/trivy_findings
+  # Trigger manually
+  workflow_dispatch:
+
+permissions:
+  security-events: write # To upload sarif files
+
+jobs:
+  build-and-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: '3.6.3'
+
+      - name: Set up python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.7'
+
+      # Workaround: https://github.com/docker/build-push-action/issues/461
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          tags: frontend:latest
+          load: true  # Load the image into Docker's local image store
+
+
+      - name: Run Trivy Table
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'image'
+          image-ref: 'frontend:latest'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          format: 'table'
+
diff --git a/DOCKER_NOTICE.md b/DOCKER_NOTICE.md
@@ -16,7 +16,7 @@ Eclipse Tractus-X product(s) installed within the image:
 
 **Used base image**
 
-- Dockerfile: [`nginxinc/nginx-unprivileged:alpine`](https://hub.docker.com/r/nginxinc/nginx-unprivileged)
+- Dockerfile: [`nginxinc/nginx-unprivileged:alpine`](https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/Dockerfile-alpine.template)
 - GitHub Project: [nginxinc/docker-nginx-unprivileged](https://github.com/nginxinc/docker-nginx-unprivileged)
 - DockerHub: [nginxinc/nginx-unprivileged](https://hub.docker.com/r/nginxinc/nginx-unprivileged)
 

diff --git a/Dockerfile b/Dockerfile
@@ -48,7 +48,7 @@ RUN npm install --ignore-scripts
 RUN npm run build
 
 # Base image for the final stage
-FROM nginxinc/nginx-unprivileged:stable-alpine
+FROM nginxinc/nginx-unprivileged:alpine
 
 # Copy Nginx configuration file
 COPY .conf/nginx.conf /etc/nginx/conf.d/default.conf
@@ -67,8 +67,6 @@ COPY ./scripts/inject-dynamic-env.sh /docker-entrypoint.d/00-inject-dynamic-env.
 
 RUN chmod +x /docker-entrypoint.d/00-inject-dynamic-env.sh
 
-# Update vulnerable packages
-RUN apk update
 
 # Change ownership and switch back to nginx user
 RUN chown -R 101:101 /usr/share/nginx/html/

diff --git a/README.md b/README.md
@@ -14,20 +14,6 @@ This dashboard calculates a risk score per country based on information regardin
 Country risk refers to the risk of investing or lending money in a country, arising from possible changes in the business environment that may adversely affect operating profits or the value of assets in the country. For example, financial factors such as currency controls, devaluation or regulatory changes, or stability factors such as mass riots, civil war and other potential events contribute to companies' operational risks. This term is also sometimes referred to as political risk - however, 
 country risk is a more general term that generally refers only to risks affecting all companies operating within or involved with a particular country.
 
-## Container images
-
-This application provides container images for demonstration purposes.
-The base image used, to build this demo application image is `node:18-alpine` and `nginxinc/nginx-unprivileged:stable-alpine`
-
-Docker Hub:
-
-* [node:18-alpine](https://hub.docker.com/_/node)
-* [nginxinc](https://hub.docker.com/r/nginxinc/nginx-unprivileged)
-
-Source:
-
-* [node repo info](https://github.com/docker-library/repo-info/tree/master/repos/node)
-* [nginxinc repo info](https://github.com/nginxinc/docker-nginx-unprivileged/pkgs/container/nginx-unprivileged)
 
 ## More documentation
 

diff --git a/charts/country-risk/Chart.yaml b/charts/country-risk/Chart.yaml
@@ -20,7 +20,8 @@
 apiVersion: v2
 name: country-risk
 type: application
-version: 1.1.0
+version: 1.1.1
+appVersion: "1.2.0"
 description: A Helm chart for deploying the Country Risk service
 home: https://github.com/eclipse-tractusx/vas-country-risk-frontend
 sources:
@@ -37,6 +38,6 @@ dependencies:
   repository: https://helm.runix.net
   version: 1.x.x
 - name: country-risk-backend
-  version: 3.0.1
+  version: 3.0.2
 - name: country-risk-frontend
-  version: 3.0.1
+  version: 3.0.2
diff --git a/charts/country-risk/charts/country-risk-backend/Chart.yaml b/charts/country-risk/charts/country-risk-backend/Chart.yaml
@@ -36,7 +36,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.0.1
+version: 3.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/country-risk/charts/country-risk-backend/values.yaml b/charts/country-risk/charts/country-risk-backend/values.yaml
@@ -64,6 +64,9 @@ securityContext:
   runAsUser: 10001
   # -- Specifies the group ID that the process inside the container should run
   runAsGroup: 3000
+  # -- Specifies Seccomp profile
+  seccompProfile:
+    type: RuntimeDefault
   # -- Capabilities that the process inside the container should have
   capabilities:
     drop:

diff --git a/charts/country-risk/charts/country-risk-frontend/Chart.yaml b/charts/country-risk/charts/country-risk-frontend/Chart.yaml
@@ -34,7 +34,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.0.1
+version: 3.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/country-risk/charts/country-risk-frontend/values.yaml b/charts/country-risk/charts/country-risk-frontend/values.yaml
@@ -64,6 +64,9 @@ securityContext:
   runAsUser: 101
   # -- Specifies the group ID that the process inside the container should run
   runAsGroup: 3000
+  # -- Specifies Seccomp profile
+  seccompProfile:
+    type: RuntimeDefault
   # -- Capabilities that the process inside the container should have
   capabilities:
     drop: