diff --git a/.devcontainer/Dockerfile.bootstrap b/.devcontainer/Dockerfile.bootstrap index a4a6ccd..001885d 100644 --- a/.devcontainer/Dockerfile.bootstrap +++ b/.devcontainer/Dockerfile.bootstrap @@ -1,16 +1,3 @@ -# This can be used to bootstrap devcontainer when no images have been pushed -FROM alpine:3.23.3 AS build -ARG TARGETARCH -RUN apk add --no-cache cosign bash curl jq -COPY src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh -RUN case "${TARGETARCH}" in \ - x86_64|amd64) TRIVY_ARCH=64bit ;; \ - aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ - *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ - esac \ - && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh - - FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 ARG TARGETARCH ENV TARGETARCH=${TARGETARCH} @@ -75,8 +62,6 @@ RUN git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets && \ chmod 755 /usr/share/secrets-scanner && \ curl -L https://raw.githubusercontent.com/NHSDigital/software-engineering-quality-framework/main/tools/nhsd-git-secrets/nhsd-rules-deny.txt -o /usr/share/secrets-scanner/nhsd-rules-deny.txt -COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy - USER vscode ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.local/bin:$PATH:/workspaces/eps-devcontainers/node_modules/.bin" diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml index 10ee80c..269408f 100644 --- a/.github/workflows/build_multi_arch_image.yml +++ b/.github/workflows/build_multi_arch_image.yml 
@@ -63,13 +63,6 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 - # - name: setup trivy - # run: | - # mkdir -p "$RUNNER_TEMP/bin" - # docker build --output="$RUNNER_TEMP/bin" -f "src/base/.devcontainer/Dockerfile.trivy.${ARCH}" . - # echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH" - # env: - # ARCH: '${{ matrix.arch }}' - name: setup node uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f with: diff --git a/.gitignore b/.gitignore index 7c362b6..e8b9796 100644 --- a/.gitignore +++ b/.gitignore @@ -4,4 +4,4 @@ src/base/.devcontainer/language_versions/ .trivyignore_combined.yaml .out/ .envrc -.trivy_out/ +.grype_out/ diff --git a/.trivyignore.yaml b/.trivyignore.yaml deleted file mode 100644 index 62fcf7b..0000000 --- a/.trivyignore.yaml +++ /dev/null 
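Review bot: `.grype_out/` is added to the ignore list, but none of the visible hunks install grype or wire a target that writes there, while the same commit deletes `.trivyignore.yaml`, the trivy builder stages and the `Dockerfile.trivy.*` images and leaves `scan-image`/`scan-image-json` in the Makefile hunk at a bare `echo "Not implemented"` that exits 0. As far as this diff shows, image builds therefore have no vulnerability scan step until the grype replacement lands, and a pipeline that calls `make scan-image` reports success. Consider keeping `.trivy_out/` alongside `.grype_out/` until the no-op trivy targets listed in the README hunk are actually removed, and making the scan targets fail explicitly (`echo "Not implemented"; exit 1`, as `lint` in check.mk already does) so a missing scan cannot pass silently. The deleted `.trivyignore.yaml` also carried the accepted-risk waivers with their `expired_at` dates, so those justifications will need re-establishing for whatever scanner replaces it.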
@@ -1,529 +0,0 @@ -vulnerabilities: - - id: CVE-2026-25547 - statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" - purls: - - "pkg:npm/ansi-regex@3.0.0" - expired_at: 2026-06-01 - - id: CVE-2021-3807 - statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" - purls: - - "pkg:npm/ansi-regex@5.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - expired_at: 2026-06-01 - - id: CVE-2025-64756 - statement: "glob glob Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@11.0.3" - expired_at: 2026-06-01 - - id: CVE-2022-25881 - statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" - purls: - - "pkg:npm/http-cache-semantics@4.1.0" - expired_at: 2026-06-01 - - id: CVE-2024-29415 - statement: "node-ip Incomplete fix for CVE-2023-42282" - purls: - - "pkg:npm/ip@1.1.5" - expired_at: 2026-06-01 - - id: CVE-2022-3517 - statement: "nodejs-minimatch ReDoS via the braceExpand function" - purls: - - "pkg:npm/minimatch@3.0.4" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@11.6.2" - expired_at: 2026-06-01 - - id: CVE-2022-29244 - statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: CVE-2026-0775 - statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" - purls: - - "pkg:npm/npm@8.5.0" - expired_at: 2026-06-01 - - id: 
CVE-2022-25883 - statement: "nodejs-semver Regular expression denial of service" - purls: - - "pkg:npm/semver@7.3.5" - expired_at: 2026-06-01 - - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@6.1.11" - expired_at: 2026-06-01 - - id: CVE-2026-23745 - statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2026-23950 - statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@56.0.0" - expired_at: 2026-06-01 - - id: CVE-2022-40897 - statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
- purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-6345 - statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2025-47273 - statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" - purls: - - "pkg:pypi/setuptools@65.5.0" - expired_at: 2026-06-01 - - id: CVE-2024-49761 - statement: "rexml REXML ReDoS vulnerability" - purls: - - "pkg:gem/rexml@3.2.6" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-06-01 - - id: CVE-2025-22874 - statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" - purls: - - "pkg:golang/stdlib@v1.24.3" - 
expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.3" - expired_at: 2026-06-01 - - id: CVE-2025-66564 - statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" - purls: - - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" - purls: - - "pkg:golang/stdlib@v1.23.4" - expired_at: 2026-06-01 - - id: CVE-2023-24538 - statement: "golang html/template backticks not treated as string delimiters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24540 - statement: "golang html/template improper handling of JavaScript whitespace" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-24790 - statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-24675 - statement: "golang encoding/pem fix stack overflow in Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-27664 - statement: "golang net/http handle server errors after sending GOAWAY" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-28131 - statement: "golang encoding/xml stack exhaustion in Decoder.Skip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-28327 - statement: "golang crypto/elliptic panic caused by oversized scalar" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-2879 - statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-2880 - statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-29804 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30580 - statement: "golang os/exec Code injection in Cmd.Start" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30630 - statement: "golang io/fs stack 
exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30631 - statement: "golang compress/gzip stack exhaustion in Reader.Read" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30632 - statement: "golang path/filepath stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30633 - statement: "golang encoding/xml stack exhaustion in Unmarshal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30634 - statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-30635 - statement: "golang encoding/gob stack exhaustion in Decoder.Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-32189 - statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41715 - statement: "golang regexp/syntax limit memory used by parsing regexps" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41716 - statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
- purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41720 - statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41722 - statement: "golang path/filepath path-filepath filepath.Clean path traversal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41723 - statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41724 - statement: "golang crypto/tls large handshake records may cause panics" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2022-41725 - statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24534 - statement: "golang net/http, net/textproto denial of service from excessive memory allocation" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24536 - statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24537 - statement: "golang go/parser Infinite loop in parsing" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-24539 - statement: "golang html/template improper sanitization of CSS values" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-29400 - statement: "golang html/template improper handling of empty HTML attributes" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-29403 - statement: "golang runtime unexpected behavior of setuid/setgid binaries" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: 
CVE-2023-39325 - statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45283 - statement: "The filepath package does not recognize paths with a prefix as sp ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45287 - statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2023-45288 - statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-34156 - statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-47907 - statement: "database/sql Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-58183 - statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-06-01 - - id: CVE-2024-25621 - statement: "github.com/containerd/containerd containerd local privilege escalation" - purls: - - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" - expired_at: 2026-06-01 - - id: CVE-2025-61726 - statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61728 - statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2025-61729 - statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - 
id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" - expired_at: 2026-06-01 - - id: CVE-2025-68121 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-61730 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2024-35870 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2024-53179 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37849 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-37899 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2025-38118 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-26007 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-24842 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-23949 - statement: "CHANGE ME" - expired_at: 2026-06-01 - - id: CVE-2026-24049 - statement: "CHANGE ME" - expired_at: 2026-06-01 diff --git a/Makefile b/Makefile index 40646c3..a316f6c 100644 --- a/Makefile +++ b/Makefile 
@@ -85,43 +85,9 @@ build-githubactions-image: guard-BASE_IMAGE_NAME guard-BASE_IMAGE_TAG guard-IMAG scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER echo "Not implemented" -# mkdir -p .out -# @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ -# common="src/common/.trivyignore.yaml"; \ -# extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \ -# specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ -# exit_code="$${EXIT_CODE:-1}"; \ -# echo "vulnerabilities:" > "$$combined"; \ -# if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ -# if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \ -# if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \ -# trivy image \ -# --severity HIGH,CRITICAL \ -# --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ -# --scanners vuln \ -# --exit-code $$exit_code \ -# --format table \ -# --output .out/scan_results_docker.txt "${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER guard-IMAGE_TAG echo "Not implemented" -# mkdir -p .out -# @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ -# common="src/common/.trivyignore.yaml"; \ -# extra_common="src/$${EXTRA_COMMON}/.trivyignore.yaml"; \ -# specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ -# exit_code="$${EXIT_CODE:-1}"; \ -# echo "vulnerabilities:" > "$$combined"; \ -# if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ -# if [ -f "$$extra_common" ]; then sed -n '2,$$p' "$$extra_common" >> "$$combined"; fi; \ -# if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi; \ -# trivy image \ -# --severity HIGH,CRITICAL \ -# --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ -# --scanners vuln \ -# --exit-code "$$exit_code" \ -# --format json \ -# --output .out/scan_results_docker.json 
"${CONTAINER_PREFIX}$${CONTAINER_NAME}:$${IMAGE_TAG}" shell-image: guard-CONTAINER_NAME guard-IMAGE_TAG docker run -it \ @@ -142,7 +108,6 @@ lint-githubaction-scripts: clean: rm -rf .out - find . -type f -name '.trivyignore_combined.yaml' -delete %: @$(MAKE) -f /usr/local/share/eps/Mk/common.mk $@ diff --git a/README.md b/README.md index 388b233..1f6183e 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,6 @@ EPS DEV CONTAINERS - [Building images](#building-images) - [Scanning images](#scanning-images) - [Interactive shell on image](#interactive-shell-on-image) -- [Generating a .trivyignore file](#generating-a-trivyignore-file) - [Cleaning up unused container images](#cleaning-up-unused-container-images) # Introduction @@ -45,10 +44,10 @@ asdf install and setup for these so they are available globally as vscode user - direnv - actionlint - ruby (for GitHub Pages) - - Trivy - yq -Install and setup git-secrets +Install and setup git-secrets. +Install [zizmor](https://github.com/zizmorcore/zizmor). # Using the images ## Project setup @@ -178,6 +177,7 @@ Check targets (`check.mk`) - `actionlint` - runs actionlint against GitHub Actions - `secret-scan` - runs git-secrets (including scanning history) against the repository - `guard-` - checks if an environment variable is set and errors if it is not +- `zizmor` runs [zizmor](https://github.com/zizmorcore/zizmor) in the local directory to check github workflows and actions Credentials targets (`credentials.mk`) - `aws-configure` - configures an AWS SSO session 
@@ -186,13 +186,14 @@ Credentials targets (`credentials.mk`) - `create-npmrc` - depends on `github-login`, then writes `.npmrc` with a GitHub Packages auth token and `@nhsdigital` registry Trivy targets (`trivy.mk`) -- `trivy-license-check` - runs Trivy license scan (HIGH/CRITICAL) and writes `.trivy_out/license_scan.txt` -- `trivy-generate-sbom` - generates CycloneDX SBOM at `.trivy_out/sbom.cdx.json` -- `trivy-scan-python` - scans Python dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_python.txt` -- `trivy-scan-node` - scans Node dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_node.txt` -- `trivy-scan-go` - scans Go dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_go.txt` -- `trivy-scan-java` - scans Java dependencies (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_java.txt` -- `trivy-scan-docker` - scans a built image (HIGH/CRITICAL) and writes `.trivy_out/dependency_results_docker.txt` (requires `DOCKER_IMAGE`), for example: +These are all changed to not run anything and will be removed in a future release +- `trivy-license-check` +- `trivy-generate-sbom` +- `trivy-scan-python` +- `trivy-scan-node` +- `trivy-scan-go` +- `trivy-scan-java` +- `trivy-scan-docker` # Project structure We have 5 types of dev container. These are defined under src 
@@ -207,17 +208,13 @@ Each image to be built contains a .devcontainer folder that defines how the devc Images under languages should point to a Dockerfile under src/common or src/common_node_24 that is based off the base or node image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build. These files should be in the language specific folder. -We use Trivy to scan for vulnerabilities in the built Docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` files in each image folder. These are combined before running a scan to exclude all known vulnerabilities - # Pull requests and merge to main process -For each pull request, and merge to main, images are built and scanned using Trivy, and pushed to GitHub Container Registry. +For each pull request, and merge to main, images are built, and pushed to GitHub Container Registry. Docker images are built for AMD64 and ARM64 architecture, and a combined manifest is created and pushed as part of the build. The main images have a vscode user with ID 1000. A separately tagged image is also created with the vscode user mapped to user ID 1001 so it can be used by GitHub Actions. The base image is built first, and then language images, and finally project images. -Docker images are scanned for vulnerabilities using Trivy as part of a build step, and the build fails if vulnerabilities are found that are not in the .trivyignore file. - For pull requests, images are tagged with the pr-{pull request id}-{short commit sha}. For merges to main, images are tagged with the ci-{short commit sha}. GitHub Actions images are tagged with githubactions-{full tag} 
@@ -335,25 +332,6 @@ CONTAINER_NAME=base \ make shell-image ``` -# Generating a .trivyignore file -You can generate a .trivyignore file for known vulnerabilities by either downloading the JSON scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json - -If generated locally, then the output goes into .out/scan_results_docker.json. -You can use GitHub CLI tools to download the scan output file. Replace the run ID from the URL, and the -n with the filename to download -``` -gh run download -n scan_results_docker_fhir_facade_api_arm64.json -``` - -Once you have the scan output, use the following to generate a new .trivyignore file called .trivyignore.new.yaml. Note this will overwrite the output file when run so it should point to a new file and the contents merged with existing .trivyignore file - - -``` -poetry run python \ - scripts/trivy_to_trivyignore.py \ - --input .out/scan_results_docker.json \ - --output src/projects/fhir_facade_api/.trivyignore.new.yaml -``` - # Cleaning up unused container images There is a script to delete unused container images. This runs on every merge to main and deletes pull request images, and on a weekly schedule it deletes images created by CI. diff --git a/scripts/trivy_to_trivyignore.py b/scripts/trivy_to_trivyignore.py deleted file mode 100644 index bcbb023..0000000 --- a/scripts/trivy_to_trivyignore.py +++ /dev/null 
@@ -1,151 +0,0 @@ -#!/usr/bin/env python3 -"""Convert Trivy JSON output into a .trivyignore YAML file.""" - -import argparse -import datetime as dt -import json -from pathlib import Path -from typing import Any, Dict, Iterable, List, Optional - - -def add_months(date_value: dt.date, months: int) -> dt.date: - """ - Add months to a date, clamping the day to the last day of the target month. - """ - if months == 0: - return date_value - - month_index = date_value.month - 1 + months - year = date_value.year + month_index // 12 - month = month_index % 12 + 1 - - # Clamp day to the last day of the target month. - next_year = year + (1 if month == 12 else 0) - next_month = 1 if month == 12 else month + 1 - first_of_next = dt.date(next_year, next_month, 1) - last_day = first_of_next - dt.timedelta(days=1) - day = min(date_value.day, last_day.day) - return dt.date(year, month, day) - - -def extract_vulnerabilities(data: Dict[str, Any]) -> List[Dict[str, Any]]: - """Collect vulnerability entries from Trivy JSON output.""" - results = data.get("Results", []) - if not isinstance(results, list): - return [] - - vulnerabilities: List[Dict[str, Any]] = [] - for result in results: - if not isinstance(result, dict): - continue - for vuln in result.get("Vulnerabilities", []) or []: - if isinstance(vuln, dict): - vulnerabilities.append(vuln) - return vulnerabilities - - -def normalize_purl(vuln: Dict[str, Any]) -> Optional[str]: - identifier = vuln.get("PkgIdentifier") - if isinstance(identifier, dict): - purl = identifier.get("PURL") - if isinstance(purl, str) and purl.strip(): - return purl.strip() - return None - - -def build_entries( - vulnerabilities: Iterable[Dict[str, Any]], - expires_on: dt.date -) -> List[Dict[str, Any]]: - """Build YAML entries with de-duplication by CVE, merging PURLs.""" - entries: Dict[str, Dict[str, Any]] = {} - - for vuln in vulnerabilities: - vuln_id = vuln.get("VulnerabilityID") - title = vuln.get("Title") - purl = normalize_purl(vuln) - - if not 
isinstance(vuln_id, str) or not vuln_id.strip(): - continue - if not isinstance(title, str) or not title.strip(): - continue - - key = vuln_id.strip() - entry = entries.get(key) - if entry is None: - entry = { - "id": key, - "statement": title.strip(), - "purls": set(), - "expired_at": expires_on.isoformat(), - } - entries[key] = entry - - if purl: - entry["purls"].add(purl) - - merged_entries: List[Dict[str, Any]] = [] - for entry in entries.values(): - purls = sorted(entry["purls"]) - if purls: - entry["purls"] = purls - else: - entry.pop("purls", None) - merged_entries.append(entry) - - return merged_entries - - -def write_yaml(entries: List[Dict[str, Any]], output_path: Path) -> None: - """Write entries to a YAML file without external dependencies.""" - lines: List[str] = ["vulnerabilities:"] - for entry in entries: - lines.append(f" - id: {entry['id']}") - lines.append(f" statement: {json.dumps(entry['statement'])}") - if "purls" in entry: - lines.append(" purls:") - for purl in entry["purls"]: - lines.append(f" - {json.dumps(purl)}") - lines.append(f" expired_at: {entry['expired_at']}") - - output_path.parent.mkdir(parents=True, exist_ok=True) - output_path.write_text("\n".join(lines) + "\n", encoding="utf-8") - - -def parse_args() -> argparse.Namespace: - parser = argparse.ArgumentParser( - description="Convert Trivy JSON output to .trivyignore YAML." 
- ) - parser.add_argument( - "--input", - required=True, - help="Path to the Trivy JSON output file.", - ) - parser.add_argument( - "--output", - required=True, - help="Path to write the .trivyignore YAML file.", - ) - return parser.parse_args() - - -def main() -> int: - args = parse_args() - input_path = Path(args.input) - output_path = Path(args.output) - - if not input_path.is_file(): - raise FileNotFoundError(f"Input file not found: {input_path}") - - data = json.loads(input_path.read_text(encoding="utf-8")) - vulnerabilities = extract_vulnerabilities(data) - - expires_on = add_months(dt.date.today(), 6) - entries = build_entries(vulnerabilities, expires_on) - - write_yaml(entries, output_path) - return 0 - - -if __name__ == "__main__": - raise SystemExit(main()) diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 8b1f4fd..29a175e 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile @@ -1,14 +1,3 @@ -# FROM alpine:3.23.3 AS build -# ARG TARGETARCH -# RUN apk add --no-cache cosign bash curl jq -# COPY --chmod=755 scripts/install_trivy.sh /tmp/install_trivy.sh -# RUN case "${TARGETARCH}" in \ -# x86_64|amd64) TRIVY_ARCH=64bit ;; \ -# aarch64|arm64) TRIVY_ARCH=ARM64 ;; \ -# *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \ -# esac \ -# && INSTALL_DIR=/tmp/trivy/ ARCH="${TRIVY_ARCH}" /tmp/install_trivy.sh - FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 ARG SCRIPTS_DIR=/usr/local/share/eps 
@@ -27,14 +16,12 @@ COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./root_install.sh
-# COPY --from=build /tmp/trivy/trivy /usr/local/bin/trivy
-
 COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
 USER vscode
 COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf
 COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions
-ENV PATH="/home/vscode/.asdf/shims/:/home/vscode/.guard/bin/:$PATH"
+ENV PATH="/home/vscode/.asdf/shims:/home/vscode/.guard/bin:$PATH"
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./vscode_install.sh
diff --git a/src/base/.devcontainer/Dockerfile.trivy.amd64 b/src/base/.devcontainer/Dockerfile.trivy.amd64
deleted file mode 100644
index 4a719ad..0000000
--- a/src/base/.devcontainer/Dockerfile.trivy.amd64
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM alpine:3.23.3 AS build
-RUN apk add --no-cache cosign bash curl jq
-COPY --chmod=755 src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
-RUN INSTALL_DIR=/tmp/trivy/ ARCH=64bit /tmp/install_trivy.sh
-
-FROM scratch
-COPY --from=build /tmp/trivy/trivy /
-ENTRYPOINT ["/trivy"]
diff --git a/src/base/.devcontainer/Dockerfile.trivy.arm64 b/src/base/.devcontainer/Dockerfile.trivy.arm64
deleted file mode 100644
index 899ea76..0000000
--- a/src/base/.devcontainer/Dockerfile.trivy.arm64
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM alpine:3.23.3 AS build
-RUN apk add --no-cache cosign bash curl jq
-COPY --chmod=755 src/base/.devcontainer/scripts/install_trivy.sh /tmp/install_trivy.sh
-RUN INSTALL_DIR=/tmp/trivy/ ARCH=ARM64 /tmp/install_trivy.sh
-
-FROM scratch
-COPY --from=build /tmp/trivy/trivy /
-ENTRYPOINT ["/trivy"]
diff --git a/src/base/.devcontainer/Mk/check.mk b/src/base/.devcontainer/Mk/check.mk
index 4beddbf..679bc4b 100644
--- a/src/base/.devcontainer/Mk/check.mk
+++ b/src/base/.devcontainer/Mk/check.mk
@@ -1,4 +1,4 @@
-.PHONY: lint test shellcheck cfn-lint cdk-synth cfn-guard-sam-templates cfn-guard-cloudformation cfn-guard-cdk cfn-guard-terraform
+.PHONY: lint test shellcheck cfn-lint cdk-synth cfn-guard-sam-templates cfn-guard-cloudformation cfn-guard-cdk cfn-guard-terraform zizmor
 lint:
 echo "Not implemented"
 exit 1
@@ -91,3 +91,6 @@ guard-%:
 echo "Environment variable $* not set"; \
 exit 1; \
 fi
+
+zizmor:
+ zizmor .
diff --git a/src/base/.devcontainer/Mk/trivy.mk b/src/base/.devcontainer/Mk/trivy.mk
index cee440c..ab4c136 100644
--- a/src/base/.devcontainer/Mk/trivy.mk
+++ b/src/base/.devcontainer/Mk/trivy.mk
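Review bot: The new `zizmor` target assumes the binary is on PATH, but this Makefile appears to ship with every image (the base Dockerfile copies the whole `Mk` directory), while zizmor is only installed through `requirements-user.txt` in the `node_24_python_*` images, so `make zizmor` elsewhere dies with a bare "command not found". A guard gives a clear failure instead: `zizmor:` / `	@command -v zizmor >/dev/null 2>&1 || { echo "zizmor is not installed in this image"; exit 1; }` / `	zizmor .`. Separately, zizmor exits non-zero on any finding regardless of severity or confidence; if this target is meant as a CI gate, pinning the threshold here (`--min-severity`, `--min-confidence`) keeps results comparable across the images rather than leaving it to the tool default.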
@@ -2,97 +2,21 @@ trivy-license-check: echo "Not implemented" -# mkdir -p .trivy_out/ -# @if [ -f poetry.lock ]; then \ -# poetry self add poetry-plugin-export; \ -# poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt; \ -# fi -# @if [ -f src/go.sum ]; then \ -# cd src && go mod vendor; \ -# fi -# VIRTUAL_ENV=./.venv/ trivy fs . \ -# --scanners license \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --pkg-types library \ -# --exit-code 1 \ -# --output .trivy_out/license_scan.txt \ -# --format table -# @if [ -f poetry.lock ]; then rm -f requirements.txt; fi -# @if [ -f src/go.sum ]; then rm -rf src/vendor; fi trivy-generate-sbom: echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy fs . \ -# --scanners vuln \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --exit-code 0 \ -# --output .trivy_out/sbom.cdx.json \ -# --format cyclonedx trivy-scan-python: echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy fs . \ -# --scanners vuln \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --exit-code 1 \ -# --skip-files "**/package-lock.json,**/go.mod,**/pom.xml" \ -# --output .trivy_out/dependency_results_python.txt \ -# --format table trivy-scan-node: echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy fs . \ -# --scanners vuln \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --exit-code 1 \ -# --skip-files "**/poetry.lock,**/go.mod,**/pom.xml" \ -# --output .trivy_out/dependency_results_node.txt \ -# --format table trivy-scan-go: echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy fs . \ -# --scanners vuln \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --exit-code 1 \ -# --skip-files "**/poetry.lock,**/package-lock.json,**/pom.xml" \ -# --output .trivy_out/dependency_results_go.txt \ -# --format table trivy-scan-java: echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy fs . 
\ -# --scanners vuln \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --include-dev-deps \ -# --exit-code 1 \ -# --skip-files "**/poetry.lock,**/package-lock.json,**/go.mod" \ -# --output .trivy_out/dependency_results_java.txt \ -# --format table trivy-scan-docker: guard-DOCKER_IMAGE echo "Not implemented" -# mkdir -p .trivy_out/ -# trivy image $${DOCKER_IMAGE} \ -# --scanners vuln \ -# --severity HIGH,CRITICAL \ -# --config trivy.yaml \ -# --exit-code 1 \ -# --pkg-types os,library \ -# --output .trivy_out/dependency_results_docker.txt \ -# --format table diff --git a/src/base/.devcontainer/scripts/install_trivy.sh b/src/base/.devcontainer/scripts/install_trivy.sh deleted file mode 100755 index c49ab97..0000000 --- a/src/base/.devcontainer/scripts/install_trivy.sh +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -DEFAULT_INSTALL_DIR="/usr/local/bin" -INSTALL_DIR="${INSTALL_DIR:-$DEFAULT_INSTALL_DIR}" -VERSION="${VERSION:-v0.69.3}" -DEFAULT_ARCH="64bit" -ARCH="${ARCH:-$DEFAULT_ARCH}" -RELEASE_NUMBER="${VERSION#v}" -BASE_URL="https://github.com/aquasecurity/trivy/releases/download/${VERSION}" -ARCHIVE="trivy_${RELEASE_NUMBER}_Linux-${ARCH}.tar.gz" -BUNDLE="${ARCHIVE}.sigstore.json" -CERT_IDENTITY="https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/${VERSION}" - -usage() { - cat <<'EOF' -Usage: install_trivy.sh - -Downloads the Trivy archive and its sigstore bundle to a temporary directory, -verifies the sigstore bundle following -https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/signature-verification.md, -and installs the trivy binary into INSTALL_DIR (default: /usr/local/bin). - -Environment variables: - INSTALL_DIR Directory to install the trivy binary into (default: /usr/local/bin) - VERSION Trivy version tag to install (default: v0.69.3) - ARCH Architecture suffix used in the download (default: 64bit) -EOF -} - -if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then - usage - exit 0 -fi - -for cmd in curl cosign; do - if ! command -v "$cmd" >/dev/null 2>&1; then - echo "Error: $cmd is required but not found in PATH" >&2 - exit 1 - fi -done - -TMP_DIR="$(mktemp -d)" -trap 'rm -rf "$TMP_DIR"' EXIT - -download() { - local url="${1}" dest="${2}" - echo "Downloading ${dest} ..." 
- curl -fsSL "${url}" -o "${dest}" -} -ARCHIVE_PATH="${TMP_DIR}/${ARCHIVE}" -BUNDLE_PATH="${TMP_DIR}/${BUNDLE}" -download "${BASE_URL}/${ARCHIVE}" "${ARCHIVE_PATH}" -download "${BASE_URL}/${BUNDLE}" "${BUNDLE_PATH}" - - -cosign verify-blob-attestation "${ARCHIVE_PATH}" \ - --bundle "${BUNDLE_PATH}" \ - --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity "${CERT_IDENTITY}" - -echo "Sigstore verification passed" -tar -xzf "${ARCHIVE_PATH}" -C "${TMP_DIR}" - -mkdir -p "$INSTALL_DIR" -install -m 0755 "$TMP_DIR/trivy" "${INSTALL_DIR}/trivy" - -echo "trivy ${VERSION} installed to ${INSTALL_DIR}" diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index b1b66de..e14f35a 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh @@ -18,7 +18,6 @@ asdf plugin add direnv asdf plugin add actionlint asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git -asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git asdf plugin add yq https://github.com/sudermanjr/asdf-yq.git # install cfn-guard diff --git a/src/base/.trivyignore.yaml b/src/base/.trivyignore.yaml deleted file mode 100644 index 8697da6..0000000 --- a/src/base/.trivyignore.yaml +++ /dev/null @@ -1 +0,0 @@ -vulnerabilities: diff --git a/src/base/trivy.yaml b/src/base/trivy.yaml deleted file mode 100644 index 48343ee..0000000 --- a/src/base/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/base/.trivyignore_combined.yaml" diff --git a/src/base_node/node_24/trivy.yaml b/src/base_node/node_24/trivy.yaml deleted file mode 100644 index 20e8f24..0000000 --- a/src/base_node/node_24/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/base_node/node_24/.trivyignore_combined.yaml" 
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
deleted file mode 100644
index 2fa09b9..0000000
--- a/src/common/.trivyignore.yaml
+++ /dev/null
@@ -1,441 +0,0 @@ -vulnerabilities: - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37849 - statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2026-23111 - statement: "kernel: Kernel: Privilege escalation or denial of service in nf_tables via inverted element activity check" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=amd64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-171.181?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-26 - - id: CVE-2025-61594 - statement: "uri: URI module: Credential exposure via URI + operator" - purls: - - 
"pkg:gem/uri@0.13.0" - expired_at: 2026-08-26 - - id: CVE-2026-26007 - statement: "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves" - purls: - - "pkg:pypi/cryptography@46.0.3" - expired_at: 2026-08-12 - - id: CVE-2024-49761 - statement: "rexml: REXML ReDoS vulnerability" - purls: - - "pkg:gem/rexml@3.2.6" - expired_at: 2026-08-12 - - id: CVE-2025-68121 - statement: "During session resumption in crypto/tls, if the underlying Config has ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-61726 - statement: "golang: net/url: Memory exhaustion in query parameter parsing in net/url" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-61728 - statement: "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-61730 - statement: "During the TLS 1.3 handshake if multiple messages are sent in records ..." 
- purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - expired_at: 2026-08-12 - - id: CVE-2025-47907 - statement: "database/sql: Postgres Scan Race Condition" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-08-12 - - id: CVE-2025-58183 - statement: "golang: archive/tar: Unbounded allocation when parsing GNU sparse map" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - expired_at: 2026-08-12 - - id: CVE-2025-61729 - statement: "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate" - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - expired_at: 2026-08-12 - - id: CVE-2023-24538 - statement: "golang: html/template: backticks not treated as string delimiters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24540 - statement: "golang: html/template: improper handling of JavaScript whitespace" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2024-24790 - statement: "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-24675 - statement: "golang: encoding/pem: fix stack overflow in Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-27664 - statement: "golang: net/http: handle server errors after sending GOAWAY" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-28131 - statement: "golang: encoding/xml: stack exhaustion in Decoder.Skip" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-28327 - statement: 
"golang: crypto/elliptic: panic caused by oversized scalar" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-2879 - statement: "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-2880 - statement: "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-29804 - statement: "ELSA-2022-17957: ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30580 - statement: "golang: os/exec: Code injection in Cmd.Start" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30630 - statement: "golang: io/fs: stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30631 - statement: "golang: compress/gzip: stack exhaustion in Reader.Read" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30632 - statement: "golang: path/filepath: stack exhaustion in Glob" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30633 - statement: "golang: encoding/xml: stack exhaustion in Unmarshal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30634 - statement: "ELSA-2022-17957: ol8addon security update (IMPORTANT)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-30635 - statement: "golang: encoding/gob: stack exhaustion in Decoder.Decode" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-32189 - statement: "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" - purls: - - "pkg:golang/stdlib@v1.16.15" - 
expired_at: 2026-08-12 - - id: CVE-2022-41715 - statement: "golang: regexp/syntax: limit memory used by parsing regexps" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41716 - statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41720 - statement: "golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41722 - statement: "golang: path/filepath: path-filepath filepath.Clean path traversal" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41723 - statement: "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41724 - statement: "golang: crypto/tls: large handshake records may cause panics" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2022-41725 - statement: "golang: net/http, mime/multipart: denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24534 - statement: "golang: net/http, net/textproto: denial of service from excessive memory allocation" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24536 - statement: "golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24537 - statement: "golang: go/parser: Infinite loop in parsing" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-24539 - statement: "golang: html/template: improper sanitization of CSS values" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-29400 - statement: 
"golang: html/template: improper handling of empty HTML attributes" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-29403 - statement: "golang: runtime: unexpected behavior of setuid/setgid binaries" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-39325 - statement: "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-45283 - statement: "The filepath package does not recognize paths with a \\??\\ prefix as sp ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-45287 - statement: "golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges." - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2023-45288 - statement: "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2024-34156 - statement: "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" - purls: - - "pkg:golang/stdlib@v1.16.15" - expired_at: 2026-08-12 - - id: CVE-2024-25621 - statement: "github.com/containerd/containerd: containerd local privilege escalation" - purls: - - "pkg:golang/github.com/containerd/containerd/v2@v2.1.4" - expired_at: 2026-08-12 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37849 - statement: "kernel: KVM: arm64: Tear down vGIC on 
failed vCPU creation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2025-68121 - statement: "crypto/tls: Unexpected session resumption in crypto/tls" - purls: - - "pkg:golang/stdlib@v1.25.6" - expired_at: 2026-08-13 - - id: CVE-2025-15558 - statement: "docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries" - purls: - - "pkg:golang/github.com/docker/cli@v28.5.1%2Bincompatible" - - "pkg:golang/github.com/docker/cli@v29.0.3%2Bincompatible" - - "pkg:golang/github.com/docker/cli@v29.1.1%2Bincompatible" - expired_at: 2026-09-09 - - id: CVE-2026-24051 - statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking" - purls: - - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.36.0" - expired_at: 2026-09-09 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-09 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-09 - - id: CVE-2025-21780 - statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-09 - - id: CVE-2025-37899 - statement: "kernel: 
ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-09 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-09 - - id: CVE-2026-25679 - statement: "url.Parse insufficiently validated the host/authority component and ac ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - - "pkg:golang/stdlib@v1.25.7" - - "pkg:golang/stdlib@v1.26.0" - expired_at: 2026-09-11 - - id: CVE-2026-27142 - statement: "Actions which insert URLs into the content attribute of HTML meta tags ..." - purls: - - "pkg:golang/stdlib@v1.16.15" - - "pkg:golang/stdlib@v1.23.4" - - "pkg:golang/stdlib@v1.24.4" - - "pkg:golang/stdlib@v1.24.9" - - "pkg:golang/stdlib@v1.25.5" - - "pkg:golang/stdlib@v1.25.7" - - "pkg:golang/stdlib@v1.26.0" - expired_at: 2026-09-11 - - id: CVE-2026-27137 - statement: "When verifying a certificate chain which contains a certificate contai ..." 
- purls: - - "pkg:golang/stdlib@v1.26.0" - expired_at: 2026-09-11 - - id: CVE-2026-24051 - statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking" - purls: - - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.38.0" - expired_at: 2026-09-16 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2024-35870 - statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2024-53179 - statement: "kernel: smb: client: fix use-after-free of signing key" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2025-37899 - statement: "kernel: ksmbd: fix use-after-free in session logoff" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-09-16 - - id: CVE-2025-38118 - statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" - purls: - - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-173.183?arch=amd64&distro=ubuntu-22.04" - 
expired_at: 2026-09-16
- - id: CVE-2026-33186
- statement: "gRPC-Go has an authorization bypass via missing leading slash in :path"
- purls:
- - "pkg:golang/google.golang.org/grpc@v1.74.2"
- - "pkg:golang/google.golang.org/grpc@v1.78.0"
- - "pkg:golang/google.golang.org/grpc@v1.79.2"
- expired_at: 2026-09-20
diff --git a/src/common_node_24/Dockerfile b/src/common_node_24/Dockerfile
index 9227065..7e3aa83 100644
--- a/src/common_node_24/Dockerfile
+++ b/src/common_node_24/Dockerfile
@@ -21,6 +21,8 @@ WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
 RUN ./root_install.sh
 COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
+# use glob pattern to copy requirements-user.txt if it exists, to avoid build failure if it doesn't
+COPY scripts/requirements-user.tx[t] ${SCRIPTS_DIR}/${CONTAINER_NAME}/requirements-user.txt
 USER vscode
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
diff --git a/src/languages/node_24_python_3_10/.devcontainer/scripts/requirements-user.txt b/src/languages/node_24_python_3_10/.devcontainer/scripts/requirements-user.txt
new file mode 100644
index 0000000..37e7b2f
--- /dev/null
+++ b/src/languages/node_24_python_3_10/.devcontainer/scripts/requirements-user.txt
@@ -0,0 +1 @@
+zizmor==1.23.1
diff --git a/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh
index f13cedf..a82f26f 100755
--- a/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh
+++ b/src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh
@@ -1,8 +1,11 @@
 #!/usr/bin/env bash
 set -e
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 asdf plugin add python
 asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
 asdf install python
 asdf install
+
+pip install --user -r "${SCRIPT_DIR}/requirements-user.txt"
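Review bot: The `tx[t]` glob only makes the COPY tolerate a missing `requirements-user.txt`; the consumer, `vscode_install.sh` in the `node_24_python_*` images, runs `pip install --user -r "${SCRIPT_DIR}/requirements-user.txt"` unconditionally, so for those images a missing file still fails the build one step later with a less obvious pip error. Either the comment should say the file is optional only for images whose install script does not read it, or the script should guard the read: `if [ -f "${SCRIPT_DIR}/requirements-user.txt" ]; then` / `    pip install --user -r "${SCRIPT_DIR}/requirements-user.txt"` / `fi`. The copy also lands before `USER vscode`, so the file is root-owned; pip only reads it, so that is fine, but `--chown=vscode:vscode` would match the sibling `.tool-versions` copies in the base Dockerfile.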
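Review bot: `pip install --user -r "${SCRIPT_DIR}/requirements-user.txt"` pins versions (`zizmor==1.23.1`) but not artifact hashes, so the install still trusts whatever the index serves for that version, and transitive dependencies are not pinned at all; for a tooling image that is the main supply-chain exposure this change introduces. Adding `--hash=sha256:...` entries to the requirements file (generated with `pip hash` or a lock tool) and installing with `pip install --user --require-hashes -r "${SCRIPT_DIR}/requirements-user.txt"` makes the install reproducible and tamper-evident. The same applies to the identical lines in the `node_24_python_3_12`, `3_13` and `3_14` scripts.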
diff --git a/src/languages/node_24_python_3_10/.trivyignore.yaml b/src/languages/node_24_python_3_10/.trivyignore.yaml
deleted file mode 100644
index dfaba04..0000000
--- a/src/languages/node_24_python_3_10/.trivyignore.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-vulnerabilities:
- - id: CVE-2022-40897
- statement: "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py"
- purls:
- - "pkg:pypi/setuptools@65.5.0"
- expired_at: 2026-08-12
- - id: CVE-2024-6345
- statement: "pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools"
- purls:
- - "pkg:pypi/setuptools@65.5.0"
- expired_at: 2026-08-12
- - id: CVE-2025-47273
- statement: "setuptools: Path Traversal Vulnerability in setuptools PackageIndex"
- purls:
- - "pkg:pypi/setuptools@65.5.0"
- expired_at: 2026-08-12
diff --git a/src/languages/node_24_python_3_10/trivy.yaml b/src/languages/node_24_python_3_10/trivy.yaml
deleted file mode 100644
index 549851b..0000000
--- a/src/languages/node_24_python_3_10/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: "src/languages/node_24_python_3_10/.trivyignore_combined.yaml"
diff --git a/src/languages/node_24_python_3_12/.devcontainer/scripts/requirements-user.txt b/src/languages/node_24_python_3_12/.devcontainer/scripts/requirements-user.txt
new file mode 100644
index 0000000..ac96856
--- /dev/null
+++ b/src/languages/node_24_python_3_12/.devcontainer/scripts/requirements-user.txt
@@ -0,0 +1,2 @@
+zizmor==1.23.1
+cfn-lint==1.47.1
diff --git a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh
index 2ef142b..a82f26f 100755
--- a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh
+++ b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -e
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 asdf plugin add python
 asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
@@ -7,5 +8,4 @@ asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
 asdf install python
 asdf install
-# install cfn-lint
-pip install --user cfn-lint
+pip install --user -r "${SCRIPT_DIR}/requirements-user.txt"
diff --git a/src/languages/node_24_python_3_12/.trivyignore.yaml b/src/languages/node_24_python_3_12/.trivyignore.yaml
deleted file mode 100644
index 8697da6..0000000
--- a/src/languages/node_24_python_3_12/.trivyignore.yaml
+++ /dev/null
@@ -1 +0,0 @@
-vulnerabilities:
diff --git a/src/languages/node_24_python_3_12/trivy.yaml b/src/languages/node_24_python_3_12/trivy.yaml
deleted file mode 100644
index 48cfe23..0000000
--- a/src/languages/node_24_python_3_12/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: "src/languages/node_24_python_3_12/.trivyignore_combined.yaml"
diff --git a/src/languages/node_24_python_3_13/.devcontainer/scripts/requirements-user.txt b/src/languages/node_24_python_3_13/.devcontainer/scripts/requirements-user.txt
new file mode 100644
index 0000000..ac96856
--- /dev/null
+++ b/src/languages/node_24_python_3_13/.devcontainer/scripts/requirements-user.txt
@@ -0,0 +1,2 @@
+zizmor==1.23.1
+cfn-lint==1.47.1
diff --git a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh
index 2ef142b..a82f26f 100755
--- a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh
+++ b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -e
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 asdf plugin add python
 asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
@@ -7,5 +8,4 @@ asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
 asdf install python
 asdf install
-# install cfn-lint
-pip install --user cfn-lint
+pip install --user -r "${SCRIPT_DIR}/requirements-user.txt"
diff --git a/src/languages/node_24_python_3_13/.trivyignore.yaml b/src/languages/node_24_python_3_13/.trivyignore.yaml
deleted file mode 100644
index 8697da6..0000000
--- a/src/languages/node_24_python_3_13/.trivyignore.yaml
+++ /dev/null
@@ -1 +0,0 @@
-vulnerabilities:
diff --git a/src/languages/node_24_python_3_13/trivy.yaml b/src/languages/node_24_python_3_13/trivy.yaml
deleted file mode 100644
index 6af84d8..0000000
--- a/src/languages/node_24_python_3_13/trivy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ignorefile: "src/languages/node_24_python_3_13/.trivyignore_combined.yaml"
diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/requirements-user.txt b/src/languages/node_24_python_3_14/.devcontainer/scripts/requirements-user.txt
new file mode 100644
index 0000000..ac96856
--- /dev/null
+++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/requirements-user.txt
@@ -0,0 +1,2 @@
+zizmor==1.23.1
+cfn-lint==1.47.1
diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh
index 2ef142b..a82f26f 100755
--- a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh
+++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -e
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 asdf plugin add python
 asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
@@ -7,5 +8,4 @@ asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
 asdf install python
 asdf install
-# install cfn-lint
-pip install --user cfn-lint
+pip install --user -r "${SCRIPT_DIR}/requirements-user.txt"
diff --git a/src/languages/node_24_python_3_14/.trivyignore.yaml b/src/languages/node_24_python_3_14/.trivyignore.yaml deleted file mode 100644 index 8799951..0000000 --- a/src/languages/node_24_python_3_14/.trivyignore.yaml +++ /dev/null @@ -1,11 +0,0 @@ -vulnerabilities: - - id: CVE-2026-23949 - statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives" - purls: - - "pkg:pypi/jaraco.context@5.3.0" - expired_at: 2026-08-12 - - id: CVE-2026-24049 - statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking" - purls: - - "pkg:pypi/wheel@0.45.1" - expired_at: 2026-08-12 diff --git a/src/languages/node_24_python_3_14/trivy.yaml b/src/languages/node_24_python_3_14/trivy.yaml deleted file mode 100644 index e786be4..0000000 --- a/src/languages/node_24_python_3_14/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/languages/node_24_python_3_14/.trivyignore_combined.yaml" diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml deleted file mode 100644 index 6fa00f4..0000000 --- a/src/projects/eps-storage-terraform/.trivyignore.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -vulnerabilities: - - id: CVE-2022-25235 - statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-25236 - statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-26485 - statement: "Mozilla: Use-after-free in XSLT parameter processing" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-26486 - statement: "Mozilla: Use-after-free in WebGPU IPC Framework" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2026-25547 - statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-08-12 - - id: CVE-2025-64756 - statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - - "pkg:npm/glob@11.0.3" - expired_at: 2026-08-12 - - id: CVE-2026-23745 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 - - id: CVE-2026-23950 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 - - id: CVE-2026-24842 - statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 
2026-08-12 - - id: CVE-2022-25235 - statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-13 - - id: CVE-2022-25236 - statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-13 - - id: CVE-2022-26485 - statement: "Mozilla: Use-after-free in XSLT parameter processing" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-13 - - id: CVE-2022-26486 - statement: "Mozilla: Use-after-free in WebGPU IPC Framework" - purls: - - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-13 - - id: CVE-2022-25235 - statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-25236 - statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-26485 - statement: "Mozilla: Use-after-free in XSLT parameter processing" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-26486 - statement: "Mozilla: Use-after-free in WebGPU IPC Framework" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-25235 - 
statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-25236 - statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-26485 - statement: "Mozilla: Use-after-free in XSLT parameter processing" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2022-26486 - statement: "Mozilla: Use-after-free in WebGPU IPC Framework" - purls: - - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-16 - - id: CVE-2026-24051 - statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking" - purls: - - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.38.0" - expired_at: 2026-09-10 - - id: CVE-2026-33186 - statement: "gRPC-Go has an authorization bypass via missing leading slash in :path" - purls: - - "pkg:golang/google.golang.org/grpc@v1.69.4" - expired_at: 2026-09-20 diff --git a/src/projects/eps-storage-terraform/trivy.yaml b/src/projects/eps-storage-terraform/trivy.yaml deleted file mode 100644 index 06fd4b7..0000000 --- a/src/projects/eps-storage-terraform/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/projects/eps-storage-terraform/.trivyignore_combined.yaml" diff --git a/src/projects/fhir_facade_api/.devcontainer/.tool-versions b/src/projects/fhir_facade_api/.devcontainer/.tool-versions index af19266..2675179 100644 --- a/src/projects/fhir_facade_api/.devcontainer/.tool-versions +++ b/src/projects/fhir_facade_api/.devcontainer/.tool-versions 
@@ -1 +1 @@
-java openjdk-20
+java openjdk-20.0.2
diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml
deleted file mode 100644
index 3c4b5c4..0000000
--- a/src/projects/fhir_facade_api/.trivyignore.yaml
+++ /dev/null
@@ -1,51 +0,0 @@ -vulnerabilities: - - id: CVE-2022-25235 - statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-25236 - statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution" - purls: - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-26485 - statement: "Mozilla: Use-after-free in XSLT parameter processing" - purls: - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2022-26486 - statement: "Mozilla: Use-after-free in WebGPU IPC Framework" - purls: - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04" - - "pkg:deb/ubuntu/firefox@148.0.2%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04" - expired_at: 2026-08-12 - - id: CVE-2026-25547 - statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-08-12 - - id: CVE-2025-64756 - statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - - "pkg:npm/glob@11.0.3" - expired_at: 2026-08-12 - - id: CVE-2026-23745 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 
2026-08-12 - - id: CVE-2026-23950 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 - - id: CVE-2026-24842 - statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-08-12 diff --git a/src/projects/fhir_facade_api/trivy.yaml b/src/projects/fhir_facade_api/trivy.yaml deleted file mode 100644 index 1d8a75c..0000000 --- a/src/projects/fhir_facade_api/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/projects/fhir_facade_api/.trivyignore_combined.yaml" diff --git a/src/projects/node_24_python_3_14_golang_1_24/.trivyignore.yaml b/src/projects/node_24_python_3_14_golang_1_24/.trivyignore.yaml deleted file mode 100644 index 93088a1..0000000 --- a/src/projects/node_24_python_3_14_golang_1_24/.trivyignore.yaml +++ /dev/null @@ -1,21 +0,0 @@ -vulnerabilities: - - id: CVE-2026-23949 - statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives" - purls: - - "pkg:pypi/jaraco.context@5.3.0" - expired_at: 2026-08-12 - - id: CVE-2026-24049 - statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking" - purls: - - "pkg:pypi/wheel@0.45.1" - expired_at: 2026-08-12 - - id: CVE-2026-25679 - statement: "url.Parse insufficiently validated the host/authority component and ac ..." - purls: - - "pkg:golang/stdlib@v1.24.13" - expired_at: 2026-09-11 - - id: CVE-2026-27142 - statement: "Actions which insert URLs into the content attribute of HTML meta tags ..." - purls: - - "pkg:golang/stdlib@v1.24.13" - expired_at: 2026-09-11 diff --git a/src/projects/node_24_python_3_14_golang_1_24/trivy.yaml b/src/projects/node_24_python_3_14_golang_1_24/trivy.yaml deleted file mode 100644 index 1af5385..0000000 --- a/src/projects/node_24_python_3_14_golang_1_24/trivy.yaml +++ /dev/null 
@@ -1 +0,0 @@ -ignorefile: "src/projects/node_24_python_3_14_golang_1_24/.trivyignore_combined.yaml" diff --git a/src/projects/node_24_python_3_14_java_24/.trivyignore.yaml b/src/projects/node_24_python_3_14_java_24/.trivyignore.yaml deleted file mode 100644 index 8799951..0000000 --- a/src/projects/node_24_python_3_14_java_24/.trivyignore.yaml +++ /dev/null @@ -1,11 +0,0 @@ -vulnerabilities: - - id: CVE-2026-23949 - statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives" - purls: - - "pkg:pypi/jaraco.context@5.3.0" - expired_at: 2026-08-12 - - id: CVE-2026-24049 - statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking" - purls: - - "pkg:pypi/wheel@0.45.1" - expired_at: 2026-08-12 diff --git a/src/projects/node_24_python_3_14_java_24/trivy.yaml b/src/projects/node_24_python_3_14_java_24/trivy.yaml deleted file mode 100644 index b4277c5..0000000 --- a/src/projects/node_24_python_3_14_java_24/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/projects/node_24_python_3_14_java_24/.trivyignore_combined.yaml" diff --git a/src/projects/regression_tests/.trivyignore.yaml b/src/projects/regression_tests/.trivyignore.yaml deleted file mode 100644 index 6abd994..0000000 --- a/src/projects/regression_tests/.trivyignore.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -vulnerabilities: - - id: GHSA-72hv-8253-57qq - statement: "jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition" - purls: - - "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.0" - expired_at: 2026-09-12 - - id: CVE-2026-25547 - statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" - purls: - - "pkg:npm/%40isaacs/brace-expansion@5.0.0" - expired_at: 2026-09-12 - - id: CVE-2025-64756 - statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" - purls: - - "pkg:npm/glob@10.4.5" - - "pkg:npm/glob@11.0.3" - expired_at: 2026-09-12 - - id: CVE-2026-26996 - statement: "minimatch: minimatch: Denial of Service via specially crafted glob patterns" - purls: - - "pkg:npm/minimatch@10.0.3" - - "pkg:npm/minimatch@9.0.5" - expired_at: 2026-09-12 - - id: CVE-2026-27903 - statement: "minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns" - purls: - - "pkg:npm/minimatch@10.0.3" - - "pkg:npm/minimatch@9.0.5" - expired_at: 2026-09-12 - - id: CVE-2026-27904 - statement: "minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions" - purls: - - "pkg:npm/minimatch@10.0.3" - - "pkg:npm/minimatch@9.0.5" - expired_at: 2026-09-12 - - id: CVE-2026-23745 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-23950 - statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-24842 - statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-26960 - statement: "tar: node-tar: node-tar: 
Arbitrary file read/write via malicious archive hardlink creation" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-29786 - statement: "node-tar: hardlink path traversal via drive-relative linkpath" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-31802 - statement: "node-tar Symlink Path Traversal via Drive-Relative Linkpath" - purls: - - "pkg:npm/tar@7.5.1" - expired_at: 2026-09-12 - - id: CVE-2026-25679 - statement: "url.Parse insufficiently validated the host/authority component and ac ..." - purls: - - "pkg:golang/stdlib@v1.25.6" - expired_at: 2026-09-12 - - id: CVE-2026-27142 - statement: "Actions which insert URLs into the content attribute of HTML meta tags ..." - purls: - - "pkg:golang/stdlib@v1.25.6" - expired_at: 2026-09-12 diff --git a/src/projects/regression_tests/trivy.yaml b/src/projects/regression_tests/trivy.yaml deleted file mode 100644 index 3d3a40c..0000000 --- a/src/projects/regression_tests/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: "src/projects/regression_tests/.trivyignore_combined.yaml" diff --git a/trivy.yaml b/trivy.yaml deleted file mode 100644 index eb24337..0000000 --- a/trivy.yaml +++ /dev/null @@ -1 +0,0 @@ -ignorefile: ".trivyignore.yaml"