fix security

eclipse-tractusx · Nov 16, 2023 · 6294a67 · 6294a67
1 parent 5984cae
commit 6294a67
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 60 deletions.
diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
@@ -18,7 +18,6 @@
 #* SPDX-License-Identifier: Apache-2.0
 #********************************************************************************
 
-
 name: "KICS"
 
 on:

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -1,23 +1,22 @@
-#*******************************************************************************
-#* Copyright (c) 2022, 2023 T-Systems International GmbH
-#* Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
-#*
-#* See the NOTICE file(s) distributed with this work for additional
-#* information regarding copyright ownership.
-#*
-#* This program and the accompanying materials are made available under the
-#* terms of the Apache License, Version 2.0 which is available at
-#* https://www.apache.org/licenses/LICENSE-2.0.
-#*
-#* Unless required by applicable law or agreed to in writing, software
-#* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#* License for the specific language governing permissions and limitations
-#* under the License.
-#*
-#* SPDX-License-Identifier: Apache-2.0
-#********************************************************************************
----
+#################################################################################
+# Copyright (c) 2022,2023 T-Systems International GmbH
+# Copyright (c) 2022,2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+################################################################################
 
 name: "Trivy"
 on:
@@ -39,50 +38,17 @@ jobs:
       security-events: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: "config"
-          exit-code: "1"
-          hide-progress: false
-          format: "sarif"
-          output: "trivy-results1.sarif"
-          severity: "CRITICAL,HIGH"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        if: always()
-        with:
-          sarif_file: "trivy-results1.sarif"
-
-  analyze-product-autosetup-backend:
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-
+
       - name: Run Trivy vulnerability scanner
-        if: always()
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/[email protected]
         with:
           # Path to Docker image
           image-ref: "tractusx/managed-service-orchestrator:latest"
           format: "sarif"
           output: "trivy-results.sarif"
-          exit-code: "1"
-          severity: "CRITICAL,HIGH"
+          vuln-type: "os,library"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        if: always()
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: "trivy-results.sarif"
-
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,11 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased]
- - The customer already gets an email from Portal and the third-Party-provider after the successful deployment that the SDE-Service is ready to use. If the connector End2End test is unsuccessful (this might be based on the cloud communication issue), the customer will be informed about the failing connectivity. This behavior might need to be clarified for the customer. We will change this behavior in the next release.
+
 
-## [1.5.1] - 2023-10-16
+## [1.5.1] - 2023-11-16
 ### Changed
  - Update DT asset creation for oauth secret information
+ - Updated trivy workflow
+ - Changed the base image for security issue
 
 ## [1.5.0] - 2023-09-04
 

diff --git a/Dockerfile b/Dockerfile
@@ -33,7 +33,7 @@ COPY ./src ./src
 # build for release
 RUN mvn clean install -Dmaven.test.skip=true 
 
-FROM eclipse-temurin:17-jdk-alpine
+FROM eclipse-temurin:17.0.8.1_1-jdk
 
 ENV USER=autosetupuser
 ENV UID=1000
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,7 +18,6 @@ @@
     #* SPDX-License-Identifier: Apache-2.0
     #********************************************************************************
     name: "KICS"
     on:
@@ Expand Down @@