Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tools(fabric2-all-in-one): fix multiple vulnerabilities - 2023-08-17 #2135

Merged

Conversation

zondervancalvez
Copy link
Contributor

@zondervancalvez zondervancalvez commented Jul 26, 2022

Hard to dertermine which exact vulnerabilities will this be fixing because
other pull requests also upgrade the image version of this container in
the time while the pull request for this commit was open.

Nevertheless, it is an upgrade of versions and therefore some of the CVEs
are very likely getting addressed by it.

Fixes https://github.com/hyperledger/cacti/issues/2057

Co-authored-by: Peter Somogyvari peter.somogyvari@accenture.com

Signed-off-by: zondervancalvez zondervan.v.calvez@accenture.com
Signed-off-by: Peter Somogyvari peter.somogyvari@accenture.com

zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Jul 27, 2022
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Jul 27, 2022
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
@jagpreetsinghsasan
Copy link
Contributor

Hi @zondervancalvez
The Cactus_CI / ghcr-fabric2-all-in-one is failing (if you scroll down through the CI tests).

@zondervancalvez zondervancalvez force-pushed the zondervancalvez/issue2057 branch 3 times, most recently from 4ddf803 to c65ae79 Compare August 11, 2022 06:59
@zondervancalvez
Copy link
Contributor Author

Hi @zondervancalvez The Cactus_CI / ghcr-fabric2-all-in-one is failing (if you scroll down through the CI tests).

Issue is now addressed. Thanks.

Copy link
Contributor

@jagpreetsinghsasan jagpreetsinghsasan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@petermetz petermetz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@zondervancalvez Thank you, this looks good to me, I'm just marking it down for a change request because I'd like to ask you to do a manual test of the new image (once the manual test passed please write that down here and then request a review again)

The test needs to make sure that at least one of the Fabric (v2) connector tests are passing fine with this image.

  1. You build the image locally tagging it something like faio
  2. You override one of the test cases to a) not pull the image b) use the faio image instead of the official ghcr.io ones
  3. You run the test case (which now will be running against a container made from your image from this PR)
  4. You verify that the test case has passed.

Please make sure to cover at least these test cases with the above methodology and the explicitly confirm in a follow-up comment that all of these test cases passed with your image:

  • packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v2-2-x/run-transaction-endpoint-v1.test.ts
  • packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v2-2-x/deploy-cc-from-golang-source.test.ts
  • packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v2-2-x/run-transaction-with-identities.test.ts

@petermetz
Copy link
Contributor

@zondervancalvez Ping.

@zondervancalvez
Copy link
Contributor Author

@zondervancalvez Ping.

Hi @petermetz,
As of now, here are the status of the test cases:

  • packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v2-2-x/run-transaction-endpoint-v1.test.ts - PASSED
  • packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v2-2-x/deploy-cc-from-golang-source.test.ts - PASSED
  • packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v2-2-x/run-transaction-with-identities.test.ts - FAILING

On the remaining failing test script, we are encountering issue on ssh.connect. See image below:
MicrosoftTeams-image (2)

As of now this is our blocker but we are trying to debug on the issue and the possible resolution.

@zondervancalvez zondervancalvez force-pushed the zondervancalvez/issue2057 branch 2 times, most recently from b0717ca to 7eef2ad Compare May 4, 2023 06:32
@zondervancalvez
Copy link
Contributor Author

Hi @petermetz,
Here are the status of the test cases using faio image that we created:

packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v2-2-x/run-transaction-endpoint-v1.test.ts - PASSED
packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v2-2-x/deploy-cc-from-golang-source.test.ts - PASSED
packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v2-2-x/run-transaction-with-identities.test.ts - PASSED

zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Aug 15, 2023
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Aug 15, 2023
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Aug 15, 2023
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Aug 15, 2023
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Aug 16, 2023
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
@petermetz petermetz enabled auto-merge (rebase) August 18, 2023 07:00
Copy link
Contributor

@petermetz petermetz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I pushed the fixes, LGTM

@petermetz petermetz enabled auto-merge (rebase) August 18, 2023 07:00
@petermetz petermetz changed the title fix(security): vulnerabilities found in fabric2-all-in-one tools(fabric2-all-in-one): fix multiple vulnerabilities - 2023-08-17 Aug 18, 2023
Hard to dertermine which exact vulnerabilities will this be fixing because
other pull requests also upgrade the image version of this container in
the time while the pull request for this commit was open.

Nevertheless, it is an upgrade of versions and therefore some of the CVEs
are very likely getting addressed by it.

Fixes hyperledger-cacti#2057

Co-authored-by: Peter Somogyvari <peter.somogyvari@accenture.com>

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz petermetz merged commit 7864d5d into hyperledger-cacti:main Aug 18, 2023
105 of 117 checks passed
@petermetz petermetz deleted the zondervancalvez/issue2057 branch August 18, 2023 17:41
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Aug 21, 2023
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Aug 23, 2023
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Aug 30, 2023
Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Aug 30, 2023
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Aug 30, 2023
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez added a commit to zondervancalvez/cactus that referenced this pull request Sep 7, 2023
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
petermetz pushed a commit to zondervancalvez/cactus that referenced this pull request Sep 7, 2023
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
petermetz pushed a commit that referenced this pull request Sep 7, 2023
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes #1876

Depends On: #2121
Depends On: #2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
adrianbatuto pushed a commit to adrianbatuto/cacti that referenced this pull request Sep 8, 2023
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
adrianbatuto added a commit to adrianbatuto/cacti that referenced this pull request Sep 8, 2023
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
adrianbatuto pushed a commit to adrianbatuto/cacti that referenced this pull request Sep 20, 2023
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
sandeepnRES pushed a commit to sandeepnRES/cacti that referenced this pull request Dec 21, 2023
Trivy is a cutting-edge security tool designed to enhance
the safety of containerized applications by conducting thorough
vulnerability assessments. Specifically developed for scanning
container images, ranging from low-severity issues to critical
threats. It employs an intelligent rating system to categorize
vulnerabilities based on their severity levels, ensuring that
high to critical vulnerabilities are given special attention.
Upon detecting vulnerabilities that fall within this elevated
range, Trivy will throw an error.

By integrating Trivy into our deployment pipeline, we can
proactively mitigate security risks and enhance the resilience
of our repository.

Fixes hyperledger-cacti#1876

Depends On: hyperledger-cacti#2121
Depends On: hyperledger-cacti#2135

Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

fix(security): vulnerabilities found in fabric2-all-in-one
5 participants