From 037f4c852e3b3293e32605141eb1fcbb3d0e7cc9 Mon Sep 17 00:00:00 2001
From: Samim Mirhosseini
Date: Mon, 5 Feb 2024 10:15:24 -0500
Subject: [PATCH 1/2] adding high/critical severity vuln checks
Signed-off-by: Samim Mirhosseini
---
 Dockerfile | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 2129032..1cc3743 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,6 +15,14 @@ RUN npm install
 ADD --chown=node:node ./samples/solidity .
 RUN npx hardhat compile
+FROM alpine:3.19 AS SBOM
+WORKDIR /
+ADD . /SBOM
+RUN apk add --no-cache curl
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.3
+RUN trivy fs --format spdx-json --output /sbom.spdx.json /SBOM
+RUN trivy sbom /sbom.spdx.json --severity UNKNOWN,HIGH,CRITICAL --exit-code 1
+
 FROM node:16-alpine3.15
 RUN apk add curl jq
 RUN mkdir -p /app/contracts/source \
@@ -34,6 +42,7 @@ COPY --from=solidity-build --chown=1001:0 /home/node/artifacts/contracts/TokenFa
 WORKDIR /app
 COPY --from=build --chown=1001:0 /home/node/dist ./dist
 COPY --from=build --chown=1001:0 /home/node/package.json /home/node/package-lock.json ./
+COPY --from=SBOM /sbom.spdx.json /sbom.spdx.json
 RUN npm install --production
 EXPOSE 3000
From 04b68377938954ee8a8f5c92cf7e8753de0e47e6 Mon Sep 17 00:00:00 2001
From: Samim Mirhosseini
Date: Thu, 28 Mar 2024 15:04:04 -0400
Subject: [PATCH 2/2] python python3 3.10.13-r0 => 3.10.14-r1
Signed-off-by: Samim Mirhosseini
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 67906bc..f8dd240 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ ADD --chown=node:node . .
 RUN npm run build
 FROM node:20-alpine3.17 as solidity-build
-RUN apk add python3=3.10.13-r0 alpine-sdk=1.0-r1
+RUN apk add python3=3.10.14-r1 alpine-sdk=1.0-r1
 USER node
 WORKDIR /home/node
 ADD --chown=node:node ./samples/solidity/package*.json ./
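Review bot: The `RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh` line in the new SBOM stage pipes an unverified script from the moving `main` branch into a root shell, so pinning the binary to `v0.48.3` does not pin what actually runs during the build; the vulnerability gate is only as trustworthy as whoever can write to that branch or the path between. Prefer fetching the pinned release tarball and checking its published sha256 in the same RUN, or taking the binary from the project's own image (something like `COPY --from=aquasec/trivy:0.48.3 /usr/local/bin/trivy /usr/local/bin/trivy`, ideally by digest — confirm the path in that image), which also drops the unpinned `apk add --no-cache curl`. `ADD . /SBOM` should be `COPY . /SBOM` (ADD is only for archives/URLs) and it copies the whole build context, so anything not excluded by `.dockerignore` (`.git`, local `node_modules`, `.env`) ends up in the scan input; note that this scans the source tree's lockfiles only, not the apk packages of the `node:16-alpine3.15` runtime image or what `npm install --production` resolves there, so a comment such as `# gate on source dependency lockfiles only; runtime image packages are not scanned here` would set expectations. Stage names are conventionally lowercase (`AS sbom`), which BuildKit's build checks also flag.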
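Review bot: The added `COPY --from=SBOM /sbom.spdx.json /sbom.spdx.json` ships an SBOM that describes the scanned build context, not this image: `RUN npm install --production` runs on the following line and the base image's OS packages were never part of the scan, so consumers of the file will get an incomplete inventory for the artifact they are actually running. If the goal is an image SBOM, generate it from the built image in CI (`trivy image --format spdx-json`) and attach it to the registry artifact rather than baking a source-level SBOM into the filesystem; if the file is kept, a comment stating that it covers source dependencies only would avoid the mismatch being read as authoritative. The sibling COPYs in this hunk use `--chown=1001:0` while this one lands at `/` owned by root; `COPY --from=SBOM --chown=1001:0 /sbom.spdx.json /sbom.spdx.json` keeps ownership consistent with the rest of the stage. This COPY is also what forces BuildKit to build the SBOM stage at all, so removing or reordering it silently disables the `--exit-code 1` gate — worth a one-line comment.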