Track security scans & updates (#551)
* Update packages
* Set container scans to continue-on-error
* Update grype ignore list
* Update CVE-2015-5237 to closed

Signed-off-by: Victor Chang <[email protected]>
mocsharp authored Nov 3, 2022
1 parent 3375b78 commit aa1888b
Showing 40 changed files with 3,483 additions and 3,550 deletions.
6 changes: 6 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -90,6 +90,7 @@ jobs:

- name: Dockle Container Scanner
uses: erzz/dockle-action@v1
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
Expand All @@ -100,12 +101,14 @@ jobs:
# Disable upload due to bug https://github.com/erzz/dockle-action/issues/18
# - name: Upload Dockle SARIF Report
# uses: github/codeql-action/upload-sarif@v2
# continue-on-error: true
# if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
# with:
# sarif_file: dockle-report.sarif

- name: Trivy Vulnerability Scanner
uses: aquasecurity/trivy-action@master
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
Expand All @@ -114,13 +117,15 @@ jobs:

- name: Upload Trivy SARIF Report
uses: github/codeql-action/upload-sarif@v2
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
sarif_file: 'trivy-results.sarif'

- name: Anchore Container Scan
id: anchore-scan
uses: anchore/[email protected]
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
Expand All @@ -130,6 +135,7 @@ jobs:

- name: Upload Anchore Scan SARIF Report
uses: github/codeql-action/upload-sarif@v2
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
sarif_file: ${{ steps.anchore-scan.outputs.sarif }}
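Review bot: `continue-on-error: true` on the two SARIF upload steps (the line after `uses: github/codeql-action/upload-sarif@v2` in both the Trivy and the Anchore upload steps) means a failed upload no longer fails the job, so the code-scanning dashboard can silently stop receiving results while the workflow stays green. Letting the scanner steps themselves continue on error is defensible because their findings are tracked through code scanning, but the upload is the only path that makes those findings visible, so it should keep failing loudly: drop the attribute from both upload steps and leave it on the scanners. The Dockle step is in a worse position because its upload is disabled (the commented block referencing erzz/dockle-action issue 18), so with this change its findings appear only in the job log; a comment on that step such as `# findings only visible in the job log until the SARIF upload is re-enabled` would record that gap for whoever reads the dashboard.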
16 changes: 9 additions & 7 deletions .grype.yaml
Expand Up @@ -13,10 +13,12 @@
# limitations under the License.

ignore:
- vulnerability: CVE-2022-37434 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/514
- vulnerability: CVE-2015-5237 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/515
- vulnerability: CVE-2016-20013 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/516
- vulnerability: CVE-2017-11164 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/517
- vulnerability: CVE-2020-16156 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/518
- vulnerability: CVE-2022-29458 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/519

- vulnerability: CVE-2015-5237 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/515 CLOSED
- vulnerability: CVE-2016-20013 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/516 CLOSED
- vulnerability: CVE-2017-11164 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/517 CLOSED
- vulnerability: CVE-2022-29458 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/519 CLOSED
- vulnerability: CVE-2018-1000538 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/552 CLOSED
- vulnerability: CVE-2020-11012 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/553 CLOSED
- vulnerability: CVE-2021-21287 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/554 CLOSED
- vulnerability: CVE-2021-43858 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/555 CLOSED
- vulnerability: CVE-1999-1278 # https://github.com/Project-MONAI/monai-deploy-workflow-manager/issues/556 CLOSED
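Review bot: Every ignore entry in the new list is keyed by CVE id alone, so each one suppresses that vulnerability in any package grype reports it for, and the `CLOSED` marker records only that the tracking issue was closed, not why the finding is acceptable (false positive, not reachable, or fixed upstream but not yet in the image). Scoping each rule with grype's `package:` block (`name:` and, where known, `version:`) and stating the reason in the comment keeps a suppression from carrying over to a later, unrelated package that reports the same CVE; for example `- vulnerability: CVE-2021-21287  # <package name>: <reason>, issue 554 CLOSED` followed by a `package:` / `name: <package name>` pair. The two ids that were on the old list but not the new one (CVE-2022-37434 and CVE-2020-16156) appear to be dropped rather than marked closed, which is the right outcome if the affected packages were updated, though that is inferred from the rendered page rather than visible here.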
1 change: 1 addition & 0 deletions .licenserc.yaml
Expand Up @@ -32,6 +32,7 @@ header:
- 'src/.sonarlint/**'
- 'src/coverlet.runsettings'
- 'src/.vs'
- 'doc/dependency_decisions.yml'
- 'docs/templates/**'

comment: never
218 changes: 71 additions & 147 deletions doc/dependency_decisions.yml
@@ -1,31 +1,17 @@
# Copyright 2022 MONAI Consortium
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
- - :approve
- AWSSDK.Core
- :who: mocsharp
:why: Apache-2.0 (http://aws.amazon.com/apache2.0/)
:versions:
- 3.7.13.8
- 3.7.100.6
:when: 2022-10-14 23:36:39.233755632 Z
- - :approve
- AWSSDK.SecurityToken
- :who: mocsharp
:why: Apache-2.0 (http://aws.amazon.com/apache2.0/)
:versions:
- 3.7.1.203
- 3.7.100.6
:when: 2022-10-14 23:36:39.628260680 Z
- - :approve
- Ardalis.GuardClauses
Expand Down Expand Up @@ -116,7 +102,7 @@
- :who: mocsharp
:why: Apache-2.0 (https://github.com/fluentassertions/fluentassertions/raw/develop/LICENSE)
:versions:
- 6.7.0
- 6.8.0
:when: 2022-10-14 23:36:44.688882343 Z
- - :approve
- Fractions
Expand Down Expand Up @@ -490,14 +476,13 @@
- :who: mocsharp
:why: MIT (https://github.com/dotnet/aspnetcore/raw/main/LICENSE.txt)
:versions:
- 6.0.9
- 6.0.10
:when: 2022-10-14 23:37:05.589288760 Z
- - :approve
- Microsoft.Extensions.Diagnostics.HealthChecks.Abstractions
- :who: mocsharp
:why: MIT (https://github.com/dotnet/aspnetcore/raw/main/LICENSE.txt)
:versions:
- 6.0.9
- 6.0.10
:when: 2022-10-14 23:37:05.963687838 Z
- - :approve
Expand Down Expand Up @@ -799,125 +784,8 @@
- :who: mocsharp
:why: Apache-2.0 (https://github.com/minio/minio-dotnet/raw/master/LICENSE)
:versions:
- 4.0.5
- 4.0.6
:when: 2022-10-14 23:37:22.726827733 Z
- - :approve
- Monai.Deploy.Messaging
- &1
:who: mocsharp
:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-messaging/raw/main/LICENSE)
:versions: []
:when: 2022-10-14 23:37:23.125681503 Z
- - :approve
- version
- *1
- - :approve
- 0.1.8
- *1
- - :approve
- Monai.Deploy.Messaging.RabbitMQ
- &2
:who: mocsharp
:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-messaging/raw/main/LICENSE)
:versions: []
:when: 2022-10-14 23:37:23.497395535 Z
- - :approve
- version
- *2
- - :approve
- 0.1.8
- *2
- - :approve
- Monai.Deploy.Storage
- &3
:who: mocsharp
:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-storage/raw/main/LICENSE)
:versions: []
:when: 2022-10-14 23:37:23.855408783 Z
- - :approve
- version
- *3
- - :approve
- 0.2.7
- *3
- - :approve
- Monai.Deploy.Storage.MinIO
- &4
:who: mocsharp
:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-storage/raw/main/LICENSE)
:versions: []
:when: 2022-10-14 23:37:24.258418409 Z
- - :approve
- version
- *4
- - :approve
- 0.2.7
- *4
- - :approve
- Monai.Deploy.Storage.S3Policy
- &5
:who: mocsharp
:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-storage/raw/main/LICENSE)
:versions: []
:when: 2022-10-14 23:37:24.629387041 Z
- - :approve
- version
- *5
- - :approve
- 0.2.7
- *5
- - :approve
- MongoDB.Bson
- &6
:who: mocsharp
:why: Apache-2.0 (https://github.com/mongodb/mongo-csharp-driver/raw/master/License.txt)
:versions: []
:when: 2022-10-14 23:37:25.061513979 Z
- - :approve
- version
- *6
- - :approve
- 2.18.0
- *6
- - :approve
- MongoDB.Driver
- &7
:who: mocsharp
:why: Apache-2.0 (https://github.com/mongodb/mongo-csharp-driver/raw/master/License.txt)
:versions: []
:when: 2022-10-14 23:37:25.441147058 Z
- - :approve
- version
- *7
- - :approve
- 2.18.0
- *7
- - :approve
- MongoDB.Driver.Core
- &8
:who: mocsharp
:why: Apache-2.0 (https://github.com/mongodb/mongo-csharp-driver/raw/master/License.txt)
:versions: []
:when: 2022-10-14 23:37:25.846975394 Z
- - :approve
- version
- *8
- - :approve
- 2.18.0
- *8
- - :approve
- MongoDB.Libmongocrypt
- &9
:who: mocsharp
:why: Apache-2.0 (https://github.com/mongodb/mongo-csharp-driver/raw/master/License.txt)
:versions: []
:when: 2022-10-14 23:37:26.232580356 Z
- - :approve
- version
- *9
- - :approve
- 1.6.0
- *9
- - :approve
- Moq
- :who: mocsharp
Expand Down Expand Up @@ -951,7 +819,7 @@
- :who: mocsharp
:why: MIT (https://github.com/nunit/nunit3-vs-adapter/raw/master/LICENSE)
:versions:
- 4.2.1
- 4.3.0
:when: 2022-10-14 23:37:28.273089349 Z
- - :approve
- Newtonsoft.Json
Expand Down Expand Up @@ -2053,7 +1921,7 @@
- :who: mocsharp
:why: MIT (https://github.com/coverlet-coverage/coverlet/raw/master/LICENSE)
:versions:
- 3.1.2
- 3.2.0
:when: 2022-10-14 23:38:33.099118125 Z
- - :approve
- prometheus-net
Expand Down Expand Up @@ -2319,21 +2187,21 @@
- :who: mocsharp
:why: BSD 3-Clause License (https://github.com/NLog/NLog/raw/dev/LICENSE.txt)
:versions:
- 5.0.4
- 5.0.5
:when: 2022-10-12 03:14:06.538744982 Z
- - :approve
- NLog.Extensions.Logging
- :who: mocsharp
:why: BSD 2-Clause Simplified License (https://github.com/NLog/NLog.Extensions.Logging/raw/master/LICENSE)
:versions:
- 5.0.4
- 5.1.0
:when: 2022-10-12 03:14:06.964203977 Z
- - :approve
- NLog.Web.AspNetCore
- :who: mocsharp
:why: BSD 3-Clause License (https://github.com/NLog/NLog.Web/raw/master/LICENSE)
:versions:
- 5.1.4
- 5.1.5
:when: 2022-10-12 03:14:07.396706995 Z
- - :approve
- AspNetCore.HealthChecks.MongoDb
Expand Down Expand Up @@ -2371,9 +2239,65 @@
- 6.23.1
:when: 2022-10-21 05:32:02.785856125 Z
- - :approve
- FluentAssertions
- :who: RemakingEden
:why: Apache-2.0 (https://github.com/fluentassertions/fluentassertions/raw/develop/LICENSE)
- Monai.Deploy.Messaging
- :who: mocsharp
:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-messaging/raw/main/LICENSE)
:versions:
- 6.8.0
:when: 2022-11-02 09:51:44.688882343 Z
- 0.1.9
:when: 2022-11-02 21:43:10.781625468 Z
- - :approve
- Monai.Deploy.Messaging.RabbitMQ
- :who: mocsharp
:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-messaging/raw/main/LICENSE)
:versions:
- 0.1.9
:when: 2022-11-02 21:43:20.975488411 Z
- - :approve
- Monai.Deploy.Storage
- :who: mocsharp
:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-messaging/raw/main/LICENSE)
:versions:
- 0.2.9
:when: 2022-11-02 21:43:46.964761113 Z
- - :approve
- Monai.Deploy.Storage.MinIO
- :who: mocsharp
:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-messaging/raw/main/LICENSE)
:versions:
- 0.2.9
:when: 2022-11-02 21:43:57.620687413 Z
- - :approve
- Monai.Deploy.Storage.S3Policy
- :who: mocsharp
:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-messaging/raw/main/LICENSE)
:versions:
- 0.2.9
:when: 2022-11-02 21:44:06.994266372 Z
- - :approve
- MongoDB.Bson
- :who: mocsharp
:why: Apache-2.0 (https://github.com/mongodb/mongo-csharp-driver/raw/master/License.txt)
:versions:
- 2.18.0
:when: 2022-11-02 21:44:41.801284907 Z
- - :approve
- MongoDB.Driver
- :who: mocsharp
:why: Apache-2.0 (https://github.com/mongodb/mongo-csharp-driver/raw/master/License.txt)
:versions:
- 2.18.0
:when: 2022-11-02 21:45:01.214220067 Z
- - :approve
- MongoDB.Driver.Core
- :who: mocsharp
:why: Apache-2.0 (https://github.com/mongodb/mongo-csharp-driver/raw/master/License.txt)
:versions:
- 2.18.0
:when: 2022-11-02 21:45:23.777282609 Z
- - :approve
- MongoDB.Libmongocrypt
- :who: mocsharp
:why: Apache-2.0 (https://github.com/mongodb/mongo-csharp-driver/raw/master/License.txt)
:versions:
- 1.6.0
:when: 2022-11-02 21:45:54.431951720 Z
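Review bot: The `:why:` for the three `Monai.Deploy.Storage*` approvals in the last hunk (`Monai.Deploy.Storage`, `Monai.Deploy.Storage.MinIO` and `Monai.Deploy.Storage.S3Policy`) cites `monai-deploy-messaging/raw/main/LICENSE`, while the entries they replace earlier in this diff pointed at `monai-deploy-storage/raw/main/LICENSE`; this looks like a copy-paste from the Messaging entries just above them. This file is the audit trail for which license each dependency was approved under, so the provenance URL should point at the package's own repository: `:why: Apache-2.0 (https://github.com/Project-MONAI/monai-deploy-storage/raw/main/LICENSE)` on each of the three. Removing the `&1`..`&9` anchored entries that approved the bare strings `version` and `0.1.8` as if they were packages looks right; the hunk boundaries cut through the decisions list, so the surrounding entries are outside the view.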
