Merge pull request #152 from groldan/trivy_library_dependency_analysis

Trivy vulnerability analysis and fixes to docker images at the library level
geoserver · Jan 7, 2022 · 1fc6892 · 1fc6892
2 parents dfcbeab + 659b278
commit 1fc6892
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 16 deletions.
diff --git a/catalog-support/catalog-event-bus-amqp/pom.xml b/catalog-support/catalog-event-bus-amqp/pom.xml
@@ -15,8 +15,20 @@
       <artifactId>gs-cloud-event-bus</artifactId>
     </dependency>
     <dependency>
+      <!-- trivy: Upgrade jsoup version carried over by spring-cloud-starter-bus-amqp:3.1.0 due to CVE-2021-37714 -->
       <groupId>org.springframework.cloud</groupId>
       <artifactId>spring-cloud-starter-bus-amqp</artifactId>
+      <exclusions>
+        <exclusion>
+          <artifactId>jsoup</artifactId>
+          <groupId>org.jsoup</groupId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.jsoup</groupId>
+      <artifactId>jsoup</artifactId>
+      <version>1.14.3</version>
     </dependency>
   </dependencies>
 </project>
diff --git a/pom.xml b/pom.xml
@@ -19,7 +19,7 @@
     <maven.compiler.source>11</maven.compiler.source>
     <maven.compiler.target>11</maven.compiler.target>
     <spring-cloud.version>2021.0.0</spring-cloud.version>
-    <spring-boot.version>2.6.1</spring-boot.version>
+    <spring-boot.version>2.6.2</spring-boot.version>
     <spring-native.version>0.11.0</spring-native.version>
     <native-buildtools.version>0.9.8</native-buildtools.version>
     <feign-reactor.version>3.1.5</feign-reactor.version>
@@ -44,6 +44,13 @@
   </properties>
   <dependencyManagement>
     <dependencies>
+      <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-bom</artifactId>
+        <version>2.17.1</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>org.springframework.cloud</groupId>
         <artifactId>spring-cloud-dependencies</artifactId>
@@ -866,13 +873,4 @@
       </plugin>
     </plugins>
   </build>
-  <profiles>
-    <profile>
-      <id>geoserver_stable_version</id>
-      <properties>
-        <gs.version>2.18.1</gs.version>
-        <gt.version>24.1</gt.version>
-      </properties>
-    </profile>
-  </profiles>
 </project>
diff --git a/run-trivy-image-scan.sh b/run-trivy-image-scan.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+v1=1.0-RC5
+echo Gettig current version...
+v2=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
+
+echo Comparing $v1 vs $v2...
+echo Summary:
+
+for i in `docker images|grep geoservercloud|grep "$v2 "|sort|cut -d" " -f1`
+do
+  export image=$i
+  echo "* $image:"
+  echo "\t\`$v1\`": $(trivy image --vuln-type library --no-progress --light $image:$v1 | grep Total) 
+  echo "\t\`$v2\`": $(trivy image --vuln-type library --no-progress --light $image:$v2 | grep Total)
+done
+
+echo $v2 library vulnerabilities
+for i in `docker images|grep geoservercloud|grep "$v2 "|sort|cut -d" " -f1`
+do
+  export image=$i
+  echo "--------------------------------------------------"
+  echo "$image:"
+  trivy image --vuln-type library --no-progress -s "HIGH,CRITICAL" $image:$v2 |grep -v INFO
+done
diff --git a/services/pom.xml b/services/pom.xml
@@ -56,6 +56,12 @@
       <artifactId>junit-vintage-engine</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <!-- trivy: override commons-collections:3.2.1 by 3.2.2 due to CVE-2015-7501 (CRITICAL), and CVE-2015-6420 (HIGH) -->
+      <groupId>commons-collections</groupId>
+      <artifactId>commons-collections</artifactId>
+      <version>3.2.2</version>
+    </dependency>
   </dependencies>
   <build>
     <plugins>

diff --git a/services/wms/pom.xml b/services/wms/pom.xml
@@ -31,12 +31,6 @@
       <groupId>org.geoserver</groupId>
       <artifactId>gs-wms</artifactId>
     </dependency>
-    <dependency>
-      <!-- ClassNotFoundException in FreeMarkerTemplateManager, see https://osgeo-org.atlassian.net/browse/GEOS-9734 -->
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
-      <version>1.2.17</version>
-    </dependency>
   </dependencies>
   <profiles>
     <profile>