build(weaver/corda-driver): add Trivy scanning capability and steps

1. The build.gradle file now has the maven publish plugin pulled which can be used to generate pom.xml files that we don't really plan on using for publishing but are still necessary to have in a temporary fashion because the scanning tool (Trivy) only suports scanning dependencies for vulnerabilities via pom.xml files of the Maven tool but not through `build.gradle` files of the Gradle tool. 2. The `README.md` file was updated with detailed steps on how to run a scan that includes generating the pom file, renaming it according to the requirements of Trivy itself and then running the actual scan. 3. Some of the cspell issues have been rectified by adding new words to the config. Signed-off-by: Peter Somogyvari <[email protected]>
hyperledger-cacti · Feb 15, 2024 · 895f172 · 895f172
1 parent 0573684
commit 895f172
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 0 deletions.
diff --git a/.cspell.json b/.cspell.json
@@ -50,6 +50,7 @@
         "dids",
         "Dids",
         "DockerOde",
+        "dokka",
         "ealen",
         "ecparams",
         "embeddable",
@@ -158,6 +159,7 @@
         "thream",
         "tlsca",
         "tlscacerts",
+        "Trivy",
         "txid",
         "txqueue",
         "Uisrs",
@@ -166,6 +168,7 @@
         "Unmarshal",
         "uuidv",
         "vscc",
+        "vuln",
         "wasm",
         "Xdai"
     ],

diff --git a/weaver/core/drivers/corda-driver/README.md b/weaver/core/drivers/corda-driver/README.md
@@ -148,6 +148,41 @@ The docs are then located in `build/dokka/driver-corda`. Opening
 `index.html` in your browser will allow you to navigate through the project
 structure.
 
+## Trivy Security Audit of Dependencies
+
+> Note you either need to be using the VSCode Dev Container or having installed
+> Trivy yourself prior to running these steps.
+
+[Trivy Documentation & Install Guide](https://github.com/aquasecurity/trivy)
+
+The following command generates a `pom.xml` file with the same exact dependencies
+declared as they are in the build.gradle file.
+
+The reason why we need this step is because Trivy does not yet support build.gradle
+files, only pom.xml files.
+
+```sh
+./gradlew generatePomFileForPublication
+```
+
+After this step, we now have a pom.xml file, but with the wrong name because
+Trivy will only accept these if the file is called exactly `pom.xml` but the
+script above will name it as `pom-default.xml` which Trivy ignores, so we rename:
+
+```sh
+mv ./build/publications/maven/pom-default.xml ./build/publications/maven/pom.xml
+```
+
+Finally, we are ready to point Trivy to the directory where the `pom.xml` file
+is located and actually run the scan:
+
+```sh
+trivy fs --scanners=vuln ./build/publications/maven/
+```
+
+More information about the Maven Publish Plugin can be found here:
+https://docs.gradle.org/current/userguide/publishing_maven.html
+
 ## TODO
 
 1. Create an Error class
diff --git a/weaver/core/drivers/corda-driver/build.gradle b/weaver/core/drivers/corda-driver/build.gradle
@@ -33,6 +33,18 @@ plugins {
     id "application"
     id "com.google.protobuf" version "0.8.12"
     id 'org.jetbrains.dokka' version '0.10.1'
+    id 'maven-publish'
+}
+
+// Can be used to generate a pom.xml file which in turn can be used to run a 
+// trivy security audit of the dependencies to check for vulnerable versions.
+// Check the package README.md file for an example to do it via bash commands.
+publishing {
+    publications {
+        maven(MavenPublication) {
+            from components.java
+        }
+    }
 }
 
 Properties constants = new Properties()