carbon accounting trivy scan

.github/workflows/.dast-nuclei-cmd-api-server.yaml

@@ -118,7 +118,7 @@ jobs:
         with:
           build: yarn --version
           start: yarn start:api-server
-          command: "nuclei --config=.nuclei-config.yaml --list=urls.txt --sarif-export ~/nuclei.sarif --output nuclei.log"
+          command: "nuclei -config=.nuclei-config.yaml --list=urls.txt --sarif-export ~/nuclei.sarif --output nuclei.log"
           wait-on: "https://localhost:4000/api/v1/api-server/healthcheck"
           # wait for 10 minutes for the server to respond
           wait-on-timeout: 120

.github/workflows/azure-container-scan.yaml

@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+
+jobs:
+ build-secure-and-push:
+    name: Scan cactus-example-carbon-accounting image
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2.4.0
+      env:
+          # (Required) The token to use to make API calls to GitHub.
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+    - uses: actions/checkout@v1
+    - name: Login to DockerHub Registry
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+    - name: Build Images from Dockerfile
+      run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting
+
+    - uses: Azure/container-scan@v0.1
+      name: Scan image for vulnerabilities
+      id: container-scan
+      continue-on-error: true
+      with:
+       image-name: cactus-example-carbon-accounting

.github/workflows/trivy-container-scan.yaml

@@ -0,0 +1,52 @@
+name: trivy-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+
+jobs:
+
+  build:
+    name: Scan cactus-example-carbon-accounting table image
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+      - name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-example-carbon-accounting'
+          format: 'table'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+  build2:
+    name: Scan cactus-example-carbon-accounting json image
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: |
+          DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-example-carbon-accounting'
+          format: 'json'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'

examples/carbon-accounting/Dockerfile

@@ -36,9 +36,9 @@ SHELL ["/bin/bash", "--login", "-i", "-c"]
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
 RUN source ~/.bashrc && \
     nvm install 16.15.1 && \
-    npm install -g yarn && \
-    yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
-
+    npm install --location=global yarn && \
+    yarn set version 3.6.0 && \
+    yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.1
 SHELL ["/bin/bash", "--login", "-c"]
 
 

examples/carbon-accounting/supervisord.conf

@@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
 stdout_logfile=/usr/src/app/log/dockerd.out.log
 
 [program:carbon-accounting-app]
-command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
+command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
 autostart=true
 autorestart=unexpected
 exitcodes=0

packages/cactus-plugin-keychain-azure-kv/src/main/typescript/web-services/get-keychain-entry-endpoint.ts

@@ -17,7 +17,7 @@ import { registerWebServiceEndpoint } from "@hyperledger/cactus-core";
 import { PluginKeychainAzureKv } from "../plugin-keychain-azure-kv";
 
 import OAS from "../../json/openapi.json";
-import { GetKeychainEntryRequest } from "../generated/openapi/typescript-axios";
+import { GetKeychainEntryRequestV1 } from "../generated/openapi/typescript-axios";
 
 export interface IGetKeychainEntryEndpointOptions {
   logLevel?: LogLevelDesc;
@@ -87,7 +87,7 @@ export class GetKeychainEntryEndpoint implements IWebServiceEndpoint {
   public async handleRequest(req: Request, res: Response): Promise<void> {
     const reqTag = `${this.getVerbLowerCase()} - ${this.getPath()}`;
     this.log.debug(reqTag);
-    const { key } = req.body as GetKeychainEntryRequest;
+    const { key } = req.body as GetKeychainEntryRequestV1;
     try {
       const value = await this.options.connector.get(key);
       res.json({

packages/cactus-plugin-keychain-azure-kv/src/main/typescript/web-services/set-keychain-entry-endpoint.ts

@@ -17,7 +17,7 @@ import { registerWebServiceEndpoint } from "@hyperledger/cactus-core";
 import { PluginKeychainAzureKv } from "../plugin-keychain-azure-kv";
 
 import OAS from "../../json/openapi.json";
-import { SetKeychainEntryRequest } from "../generated/openapi/typescript-axios";
+import { SetKeychainEntryRequestV1 } from "../generated/openapi/typescript-axios";
 
 export interface ISetKeychainEntryEndpointOptions {
   logLevel?: LogLevelDesc;
@@ -88,7 +88,7 @@ export class SetKeychainEntryEndpoint implements IWebServiceEndpoint {
     const reqTag = `${this.getVerbLowerCase()} - ${this.getPath()}`;
     this.log.debug(reqTag);
     try {
-      const { key, value } = req.body as SetKeychainEntryRequest;
+      const { key, value } = req.body as SetKeychainEntryRequestV1;
       const resBody = await this.options.connector.set(key, value);
       res.json(resBody);
     } catch (ex) {

packages/cactus-plugin-keychain-vault/src/main/typescript/web-services/get-keychain-entry-endpoint-v1.ts

@@ -16,7 +16,7 @@ import { registerWebServiceEndpoint } from "@hyperledger/cactus-core";
 
 import OAS from "../../json/openapi.json";
 import { PluginKeychainVault } from "../plugin-keychain-vault";
-import { GetKeychainEntryResponse } from "../generated/openapi/typescript-axios";
+import { GetKeychainEntryResponseV1 } from "../generated/openapi/typescript-axios";
 
 export interface IGetKeychainEntryEndpointV1Options {
   logLevel?: LogLevelDesc;
@@ -50,7 +50,7 @@ export class GetKeychainEntryEndpointV1 implements IWebServiceEndpoint {
     this.log.debug(`Instantiated ${this.className} OK`);
   }
 
-  public get oasPath(): typeof OAS.paths["/api/v1/plugins/@hyperledger/cactus-plugin-keychain-vault/get-keychain-entry"] {
+  public get oasPath(): (typeof OAS.paths)["/api/v1/plugins/@hyperledger/cactus-plugin-keychain-vault/get-keychain-entry"] {
     return OAS.paths[
       "/api/v1/plugins/@hyperledger/cactus-plugin-keychain-vault/get-keychain-entry"
     ];
@@ -94,7 +94,7 @@ export class GetKeychainEntryEndpointV1 implements IWebServiceEndpoint {
     try {
       this.log.debug(`${tag} %o`, req.body);
       const value = await this.plugin.get(req.body.key);
-      const resBody: GetKeychainEntryResponse = {
+      const resBody: GetKeychainEntryResponseV1 = {
         key: req.body.key,
         value: value as string,
       };

packages/cactus-plugin-keychain-vault/src/test/typescript/integration/openapi/openapi-validation.test.ts

@@ -21,11 +21,11 @@ import {
 import {
   Configuration,
   DeleteKeychainEntryRequestV1,
-  GetKeychainEntryRequest,
+  GetKeychainEntryRequestV1,
   HasKeychainEntryRequestV1,
   IPluginKeychainVaultOptions,
   PluginKeychainVault,
-  SetKeychainEntryRequest,
+  SetKeychainEntryRequestV1,
 } from "../../../../main/typescript/public-api";
 
 import { DefaultApi as KeychainVaultApi } from "../../../../main/typescript/public-api";
@@ -138,7 +138,7 @@ test(`${testCase}`, async (t: Test) => {
     try {
       await apiClient.setKeychainEntryV1({
         value: value1,
-      } as SetKeychainEntryRequest);
+      } as SetKeychainEntryRequestV1);
     } catch (err) {
       const e = err as AxiosError<{ path: string }[]>;
       t2.equal(
@@ -174,7 +174,7 @@ test(`${testCase}`, async (t: Test) => {
 
   test(`${testCase} - ${fGet} - ${cWithoutParams}`, async (t2: Test) => {
     try {
-      await apiClient.getKeychainEntryV1({} as GetKeychainEntryRequest);
+      await apiClient.getKeychainEntryV1({} as GetKeychainEntryRequestV1);
     } catch (err) {
       const e = err as AxiosError<{ path: string }[]>;
       t2.equal(
@@ -214,7 +214,7 @@ test(`${testCase}`, async (t: Test) => {
         key: key1,
         value: value1,
         fake: 4,
-      } as SetKeychainEntryRequest);
+      } as SetKeychainEntryRequestV1);
     } catch (err) {
       const e = err as AxiosError<{ path: string }[]>;
       t2.equal(
@@ -262,7 +262,7 @@ test(`${testCase}`, async (t: Test) => {
       await apiClient.getKeychainEntryV1({
         key: key1,
         fake: 4,
-      } as GetKeychainEntryRequest);
+      } as GetKeychainEntryRequestV1);
     } catch (err) {
       const e = err as AxiosError<{ path: string }[]>;
       t2.equal(
@@ -286,7 +286,7 @@ test(`${testCase}`, async (t: Test) => {
       await apiClient.deleteKeychainEntryV1({
         key: key1,
         fake: 4,
-      } as GetKeychainEntryRequest);
+      } as GetKeychainEntryRequestV1);
     } catch (err) {
       const e = err as AxiosError;
       t2.equal(