From 895f172dbea50428d9d7532913e041a62510f225 Mon Sep 17 00:00:00 2001
From: Peter Somogyvari <peter.somogyvari@accenture.com>
Date: Wed, 14 Feb 2024 14:00:37 -0800
Subject: [PATCH] build(weaver/corda-driver): add Trivy scanning capability and steps

1. The build.gradle file now has the maven publish plugin pulled which can be used to generate pom.xml files that we don't really plan on using for publishing but are still necessary to have in a temporary fashion because the scanning tool (Trivy) only suports scanning dependencies for vulnerabilities via pom.xml files of the Maven tool but not through `build.gradle` files of the Gradle tool.
2. The `README.md` file was updated with detailed steps on how to run a scan that includes generating the pom file, renaming it according to the requirements of Trivy itself and then running the actual scan.
3. Some of the cspell issues have been rectified by adding new words to the config.
Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
---
 .cspell.json | 3 ++
 weaver/core/drivers/corda-driver/README.md | 35 +++++++++++++++++++
 weaver/core/drivers/corda-driver/build.gradle | 12 +++++++
 3 files changed, 50 insertions(+)
diff --git a/.cspell.json b/.cspell.json
index 6992dfe681..76a276f2f8 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -50,6 +50,7 @@
 "dids",
 "Dids",
 "DockerOde",
+ "dokka",
 "ealen",
 "ecparams",
 "embeddable",
@@ -158,6 +159,7 @@
 "thream",
 "tlsca",
 "tlscacerts",
+ "Trivy",
 "txid",
 "txqueue",
 "Uisrs",
@@ -166,6 +168,7 @@
 "Unmarshal",
 "uuidv",
 "vscc",
+ "vuln",
 "wasm",
 "Xdai"
 ],
diff --git a/weaver/core/drivers/corda-driver/README.md b/weaver/core/drivers/corda-driver/README.md
index 0d5e8c3fd4..68d6313dc8 100644
--- a/weaver/core/drivers/corda-driver/README.md
+++ b/weaver/core/drivers/corda-driver/README.md
@@ -148,6 +148,41 @@ The docs are then located in `build/dokka/driver-corda`. Opening `index.html` in your browser will allow you to navigate through the project structure.
+## Trivy Security Audit of Dependencies
+
+> Note you either need to be using the VSCode Dev Container or having installed
+> Trivy yourself prior to running these steps.
+
+[Trivy Documentation & Install Guide](https://github.com/aquasecurity/trivy)
+
+The following command generates a `pom.xml` file with the same exact dependencies
+declared as they are in the build.gradle file.
+
+The reason why we need this step is because Trivy does not yet support build.gradle
+files, only pom.xml files.
+
+```sh
+./gradlew generatePomFileForPublication
+```
+
+After this step, we now have a pom.xml file, but with the wrong name because
+Trivy will only accept these if the file is called exactly `pom.xml` but the
+script above will name it as `pom-default.xml` which Trivy ignores, so we rename:
+
+```sh
+mv ./build/publications/maven/pom-default.xml ./build/publications/maven/pom.xml
+```
+
+Finally, we are ready to point Trivy to the directory where the `pom.xml` file
+is located and actually run the scan:
+
+```sh
+trivy fs --scanners=vuln ./build/publications/maven/
+```
+
+More information about the Maven Publish Plugin can be found here:
+https://docs.gradle.org/current/userguide/publishing_maven.html
+
 ## TODO
 1. Create an Error class
@@ -33,6 +33,18 @@ plugins {
 id "application"
 id "com.google.protobuf" version "0.8.12"
 id 'org.jetbrains.dokka' version '0.10.1'
+ id 'maven-publish'
+}
+
+// Can be used to generate a pom.xml file which in turn can be used to run a
+// trivy security audit of the dependencies to check for vulnerable versions.
+// Check the package README.md file for an example to do it via bash commands.
+publishing {
+ publications {
+ maven(MavenPublication) {
+ from components.java
+ }
+ }
 }

 Properties constants = new Properties()
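Review bot: The pom that `from components.java` produces lists the dependency coordinates as declared in this script, not the graph Gradle actually resolves (Gradle's conflict resolution, constraints and dynamic versions can give different versions than Maven's nearest-wins resolution that Trivy will apply to the pom), so the scan results are an approximation; the new header comment should say so, e.g. `// NOTE: the generated pom reflects declared coordinates, not Gradle's resolved versions; treat Trivy results as approximate.` As far as I know Trivy also accepts a `gradle.lockfile` written by Gradle's dependency locking, which does reflect resolved versions and would be worth evaluating as the scan input instead. The manual rename of `pom-default.xml` documented in the README could be removed by registering a task that copies the generated file as `pom.xml`, sketched below, which also makes the audit reproducible from CI. The enclosing `plugins { }` block begins above this hunk.
```groovy
publishing {
    // … unchanged: maven(MavenPublication) publication …
}

// Emits build/publications/maven/pom.xml so the Trivy audit needs no manual rename.
tasks.register('generateTrivyPom', Copy) {
    dependsOn 'generatePomFileForMavenPublication'
    from layout.buildDirectory.file('publications/maven/pom-default.xml')
    into layout.buildDirectory.dir('publications/maven')
    rename { 'pom.xml' }
}
```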