carbon accounting trivy scan

.github/workflows/.github/workflows/trivy-container-scan.yaml

@@ -0,0 +1,53 @@
+name: trivy-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+
+jobs:
+
+  build:
+    name: Scan cactus-example-carbon-accounting table image
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: |
+          DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-example-carbon-accounting'
+          format: 'table'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+  build2:
+    name: Scan cactus-example-carbon-accounting json image
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build an image from Dockerfile
+        run: |
+          DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-example-carbon-accounting'
+          format: 'json'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'

examples/carbon-accounting/Dockerfile

@@ -37,7 +37,7 @@ RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | b
 RUN source ~/.bashrc && \
     nvm install 16.15.1 && \
     npm install -g yarn && \
-    yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
+    yarn add @hyperledger/cactus-example-carbon-accounting-backend@1.1.3 --ignore-engines --production
 
 SHELL ["/bin/bash", "--login", "-c"]
 

tools/docker/corda-all-in-one/corda-v4_8/Dockerfile

@@ -1,8 +1,8 @@
-FROM docker:24.0.2-dind
+FROM docker:24.0.5-dind
 
 # cordaVersion=4.8.5
 # cordaCoreVersion=4.8.5
-ARG SAMPLES_KOTLIN_SHA=1504878ce446555bd861bbe4dd3d1154e905a07f
+ARG SAMPLES_KOTLIN_SHA=8ce33f57ad1dd77f721af4d1f59d72f3d331fd0c
 ARG SAMPLES_KOTLIN_CORDAPP_SUB_DIR_PATH="./Advanced/obligation-cordapp/"
 ARG CORDA_TOOLS_SHELL_CLI_VERSION=4.8
 
@@ -11,7 +11,7 @@ WORKDIR /
 RUN apk update
 
 # Install dependencies of Docker Compose
-RUN apk add py-pip python3-dev libffi-dev openssl-dev gcc libc-dev make
+RUN apk add docker-cli docker-cli-compose
 
 # Install git so we can check out the kotlin-samples repo of Corda
 RUN apk add --no-cache git
@@ -25,16 +25,22 @@ RUN apk add --no-cache curl
 # The file binary is used to inspect exectubles when debugging container image issues
 RUN apk add --no-cache file
 
-RUN apk add --no-cache openjdk8
+RUN apk add --no-cache openjdk11
 
 # Need gradle to execute the corda sample app setup commands
 RUN apk add --no-cache gradle
 
+RUN gradle --version
+
 ENV CACTUS_CFG_PATH=/etc/hyperledger/cactus
 RUN mkdir -p $CACTUS_CFG_PATH
 
+# Need to install augtool for manipulating the SSH configuration files below
+RUN apk add --no-cache augeas
+
+RUN apk upgrade
 # OpenSSH - need to have it so we can shell in and install/instantiate contracts and troubleshoot
-RUN apk add --no-cache openssh augeas
+RUN apk update && apk --no-cache upgrade openssh-client
 
 # Configure the OpenSSH server we just installed
 RUN augtool 'set /files/etc/ssh/sshd_config/AuthorizedKeysFile ".ssh/authorized_keys /etc/authorized_keys/%u"'