From 413bb12f9c8f6cb8ebec0d260d1c7c2a1acd75a4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 30 Oct 2024 20:17:05 +0000 Subject: [PATCH 1/8] chore: bump chainguard/wolfi-base in /local-rest-scorer (#451) --- local-rest-scorer/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile index 52e2db4e..9296b653 100644 --- a/local-rest-scorer/Dockerfile +++ b/local-rest-scorer/Dockerfile @@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3221f96f52fca0020fa6f404b0370d132403be6b3736d8dd92275ccd72129c1f AS builder +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:09b9460e4ff828ac2f84df2759adb0a573bb5e0a57e4c6507074a2c112d5607f AS builder RUN apk add openjdk-17 bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" @@ -6,7 +6,7 @@ WORKDIR /app COPY build/libs/local-rest-scorer-boot.jar application.jar RUN java -Djarmode=layertools -jar application.jar extract -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:3221f96f52fca0020fa6f404b0370d132403be6b3736d8dd92275ccd72129c1f +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:09b9460e4ff828ac2f84df2759adb0a573bb5e0a57e4c6507074a2c112d5607f RUN apk add openjdk-17-jre bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" From ca31c0b7586467dd1bb957cb74b28bc678f4206d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 31 Oct 2024 20:21:25 +0000 Subject: [PATCH 2/8] chore: bump chainguard/wolfi-base in /local-rest-scorer (#452) --- local-rest-scorer/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile index 9296b653..595326a1 100644 --- a/local-rest-scorer/Dockerfile +++ b/local-rest-scorer/Dockerfile 
@@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:09b9460e4ff828ac2f84df2759adb0a573bb5e0a57e4c6507074a2c112d5607f AS builder +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0c1bf69476e3ca3d4763ca3067773e8796a1faecd56678a3b748cd90cfb9b9a5 AS builder RUN apk add openjdk-17 bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" @@ -6,7 +6,7 @@ WORKDIR /app COPY build/libs/local-rest-scorer-boot.jar application.jar RUN java -Djarmode=layertools -jar application.jar extract -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:09b9460e4ff828ac2f84df2759adb0a573bb5e0a57e4c6507074a2c112d5607f +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0c1bf69476e3ca3d4763ca3067773e8796a1faecd56678a3b748cd90cfb9b9a5 RUN apk add openjdk-17-jre bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" From bbf59b3a278acbd8973d71d5b168ae3a09b777f9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Nov 2024 15:09:41 +0100 Subject: [PATCH 3/8] chore: bump chainguard/wolfi-base in /local-rest-scorer (#453) Bumps [chainguard/wolfi-base](https://github.com/chainguard-images/images) from `0c1bf69` to `ef6dd24`. - [Commits](https://github.com/chainguard-images/images/commits) --- updated-dependencies: - dependency-name: chainguard/wolfi-base dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- local-rest-scorer/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile index 595326a1..34536a9b 100644 --- a/local-rest-scorer/Dockerfile +++ b/local-rest-scorer/Dockerfile 
@@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0c1bf69476e3ca3d4763ca3067773e8796a1faecd56678a3b748cd90cfb9b9a5 AS builder +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:ef6dd240997674c8a940dd9ab565dd3e8700b8f7a8e7b743ed16b925d81a70ef AS builder RUN apk add openjdk-17 bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" @@ -6,7 +6,7 @@ WORKDIR /app COPY build/libs/local-rest-scorer-boot.jar application.jar RUN java -Djarmode=layertools -jar application.jar extract -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0c1bf69476e3ca3d4763ca3067773e8796a1faecd56678a3b748cd90cfb9b9a5 +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:ef6dd240997674c8a940dd9ab565dd3e8700b8f7a8e7b743ed16b925d81a70ef RUN apk add openjdk-17-jre bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" From 484ea2bfceaeed485ee1008905d1f2570e91bbb2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 02:16:16 +0000 Subject: [PATCH 4/8] chore: bump chainguard/wolfi-base in /local-rest-scorer (#457) --- local-rest-scorer/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile index 34536a9b..0907e99d 100644 --- a/local-rest-scorer/Dockerfile +++ b/local-rest-scorer/Dockerfile @@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:ef6dd240997674c8a940dd9ab565dd3e8700b8f7a8e7b743ed16b925d81a70ef AS builder +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:2148be123cd047f10c93e2bc88010d4abba1fc56a367d6287a251099ed5f006a AS builder RUN apk add openjdk-17 bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" 
@@ -6,7 +6,7 @@ WORKDIR /app COPY build/libs/local-rest-scorer-boot.jar application.jar RUN java -Djarmode=layertools -jar application.jar extract -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:ef6dd240997674c8a940dd9ab565dd3e8700b8f7a8e7b743ed16b925d81a70ef +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:2148be123cd047f10c93e2bc88010d4abba1fc56a367d6287a251099ed5f006a RUN apk add openjdk-17-jre bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" From d56f5d236e93d114ef67e40d89225cebec5608c9 Mon Sep 17 00:00:00 2001 From: Rupeekshan Maheswaran <63111541+Rupeekshan@users.noreply.github.com> Date: Thu, 14 Nov 2024 14:08:42 +0530 Subject: [PATCH 5/8] ci: Update Trivy configuration in security scan workflow (#458) --- .github/workflows/component-scan.yml | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/.github/workflows/component-scan.yml b/.github/workflows/component-scan.yml index 6f317e72..46ac0d2f 100644 --- a/.github/workflows/component-scan.yml +++ b/.github/workflows/component-scan.yml 
@@ -27,40 +27,44 @@ jobs: uses: aquasecurity/trivy-action@0.28.0 with: image-ref: image:latest - format: 'json' vuln-type: 'os,library' - output: 'trivy-results.json' env: TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 + TRIVY_FORMAT: json + TRIVY_OUTPUT: 'trivy-results.json' - name: Save vulnerabilities report in tabular format if: always() uses: aquasecurity/trivy-action@0.28.0 with: - image-ref: trivy-results.json + scan-ref: trivy-results.json scan-type: convert - vuln-type: '' - format: 'table' - output: 'trivy-results.txt' + env: + TRIVY_FORMAT: table + TRIVY_OUTPUT: 'trivy-results.txt' - name: Display vulnerabilities report if: always() uses: aquasecurity/trivy-action@0.28.0 with: - image-ref: trivy-results.json + scan-ref: trivy-results.json scan-type: convert - vuln-type: '' + env: + TRIVY_FORMAT: table + TRIVY_OUTPUT: '' - name: Fail on high and critical vulnerabilities if: always() uses: aquasecurity/trivy-action@0.28.0 with: - image-ref: trivy-results.json + scan-ref: trivy-results.json scan-type: convert exit-code: '1' - vuln-type: '' severity: 'HIGH,CRITICAL' + env: + TRIVY_FORMAT: table + TRIVY_OUTPUT: '' - name: Publish scan report if: always() From 4f0c9447a93c14ac696a8505d9bd230c1ed3278c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 04:16:31 +0000 Subject: [PATCH 6/8] chore: bump slackapi/slack-github-action in /.github/workflows (#460) --- .github/workflows/component-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/component-scan.yml b/.github/workflows/component-scan.yml index 46ac0d2f..08ee1e59 100644 --- a/.github/workflows/component-scan.yml +++ b/.github/workflows/component-scan.yml 
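Review bot: The "Fail on high and critical vulnerabilities" step sets `TRIVY_FORMAT: table` with an empty `TRIVY_OUTPUT`, so it writes the converted table to the job log a second time immediately after the "Display vulnerabilities report" step; since its only job is the exit code, giving it its own file, e.g. `TRIVY_OUTPUT: 'trivy-gate.txt'` (constructed name), keeps one report in the log. The meaning of `TRIVY_OUTPUT: ''` is not obvious from the YAML; a comment on the Display step such as `# empty output: trivy writes the converted report to stdout (job log)` would help, as would one line saying why `format`/`output` moved from action inputs to `TRIVY_*` env while `vuln-type`, `scan-type`, `exit-code` and `severity` stay as inputs (presumably to stop the action's input defaults from overriding the convert steps — confirm against trivy-action 0.28.0). An explicit empty `env:` value is still exported as an empty variable, so whether trivy treats that as "stdout" rather than an empty filename should be checked in a run before relying on it for the gate step.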
@@ -216,7 +216,7 @@ jobs: - name: Send Notification to Slack if: ${{ startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/') }} - uses: slackapi/slack-github-action@v1.27.0 + uses: slackapi/slack-github-action@v2.0.0 with: channel-id: ${{ secrets.SLACK_CHANNEL_ID }} payload: | From d2521334cd5bcd30763c03b1015c9bcb094bee17 Mon Sep 17 00:00:00 2001 From: Rupeekshan Maheswaran <63111541+Rupeekshan@users.noreply.github.com> Date: Wed, 20 Nov 2024 13:47:27 +0530 Subject: [PATCH 7/8] ci: Update slack notification payload format for new upgrade (#461) --- .github/workflows/component-scan.yml | 46 ++++++++++------------------ 1 file changed, 17 insertions(+), 29 deletions(-) diff --git a/.github/workflows/component-scan.yml b/.github/workflows/component-scan.yml index 08ee1e59..b3793dd1 100644 --- a/.github/workflows/component-scan.yml +++ b/.github/workflows/component-scan.yml 
@@ -218,33 +218,21 @@ jobs: if: ${{ startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/') }} uses: slackapi/slack-github-action@v2.0.0 with: - channel-id: ${{ secrets.SLACK_CHANNEL_ID }} + method: chat.postMessage + token: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }} payload: | - { - "text": "Trivy Vulnerability Report", - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_" - } - }, - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*" - } - }, - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "${{ env.CODE_OWNERS }}, please review the following reports: , " - } - } - ] - } - env: - SLACK_BOT_TOKEN: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }} + channel: ${{ secrets.SLACK_CHANNEL_ID }} + text: "Trivy Vulnerability Report" + blocks: + - type: "section" + text: + type: "mrkdwn" + text: "*Java MOJO Runtime* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_" + - type: "section" + text: + type: "mrkdwn" + text: "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*" + - type: "section" + text: + type: "mrkdwn" + text: "${{ env.CODE_OWNERS }}, please review the following reports: , " From 5bfb8b1784ad1da3b5933b6f1aeb6a89ee2fe798 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 15:15:36 -0500 Subject: [PATCH 8/8] chore: bump chainguard/wolfi-base in /local-rest-scorer (#462) Bumps [chainguard/wolfi-base](https://github.com/chainguard-images/images) from `2148be1` to `b3dd9cf`. - [Commits](https://github.com/chainguard-images/images/commits) --- updated-dependencies: - dependency-name: chainguard/wolfi-base dependency-type: direct:production ... 
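Review bot: The `${{ env.TRIVY_SUMMARY }}`, `${{ env.PRISMA_SUMMARY }}` and `${{ env.CODE_OWNERS }}` expressions inside the `payload` string are expanded by the runner before slackapi/slack-github-action parses it as YAML, so a value containing a double quote, backslash or newline yields a malformed payload and a failed notification, and the values reach the message unescaped; if these are built from scanner output rather than fixed strings, pass them to the step via `env:` and let the action substitute them (v2 documents a `payload-templated` input for this — confirm it exists in v2.0.0 before switching). The third section's text reads `please review the following reports: , ` on this page, with nothing between the separators in either the old or the new version; if Slack `<url|label>` links were stripped by the page rendering this is fine, otherwise the report links are missing. A short comment above `payload:` naming the steps that populate `TRIVY_SUMMARY`, `PRISMA_SUMMARY` and `CODE_OWNERS` would help, since those steps are outside this hunk. The step's `- name: Send Notification to Slack` line is also outside the hunk.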
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- local-rest-scorer/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/local-rest-scorer/Dockerfile b/local-rest-scorer/Dockerfile index 0907e99d..5393a98a 100644 --- a/local-rest-scorer/Dockerfile +++ b/local-rest-scorer/Dockerfile @@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:2148be123cd047f10c93e2bc88010d4abba1fc56a367d6287a251099ed5f006a AS builder +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b3dd9cf08283b959c6a0a3c833e68b2882a50129930215060154b43ae6a3e81c AS builder RUN apk add openjdk-17 bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH" @@ -6,7 +6,7 @@ WORKDIR /app COPY build/libs/local-rest-scorer-boot.jar application.jar RUN java -Djarmode=layertools -jar application.jar extract -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:2148be123cd047f10c93e2bc88010d4abba1fc56a367d6287a251099ed5f006a +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:b3dd9cf08283b959c6a0a3c833e68b2882a50129930215060154b43ae6a3e81c RUN apk add openjdk-17-jre bash coreutils ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk ENV PATH="$JAVA_HOME/bin:$PATH"