From cb0df814854072df332460b14cf2af598446e136 Mon Sep 17 00:00:00 2001 From: Martijn Kamphuis Date: Thu, 9 Jan 2025 10:56:10 +0100 Subject: [PATCH 1/9] Add container scanning --- .github/workflows/delivery.yml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/.github/workflows/delivery.yml b/.github/workflows/delivery.yml index 1730a6b..1b75ed0 100644 --- a/.github/workflows/delivery.yml +++ b/.github/workflows/delivery.yml @@ -1,6 +1,8 @@ name: Delivery on: + pull_request: + types: [synchronize, opened, reopened] push: branches: [ master ] release: @@ -34,10 +36,29 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build container and push to GitHub Container Registry + - name: Build container and export to local Docker uses: docker/build-push-action@v5 with: context: . - push: true + load: true + tags: local/yivitube:scan + + - name: Scan Image + uses: anchore/scan-action@v3 + id: scan + with: + image: local/yivitube:scan + fail-build: true + output-format: sarif + + - name: Upload Anchore Scan SARIF Report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} + + - name: Push image to GitHub Container Registry + uses: docker/build-push-action@v5 + with: + push: github.event_name != 'pull_request' tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file From ffa9007ad62be6fc6ce068cd1bdaa4fc540d323a Mon Sep 17 00:00:00 2001 From: Martijn Kamphuis Date: Thu, 9 Jan 2025 11:01:20 +0100 Subject: [PATCH 2/9] Output vuln scan to output --- .github/workflows/delivery.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/delivery.yml b/.github/workflows/delivery.yml index 1b75ed0..adff8f3 100644 --- a/.github/workflows/delivery.yml +++ b/.github/workflows/delivery.yml 
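Review bot: The new `pull_request:` trigger runs the entire job, including the `docker/login-action@v3` step that logs into GHCR with `secrets.GITHUB_TOKEN`, under the workflow-level `permissions: contents: write` that is visible in the context of patch 5, for every opened or synchronized same-repository PR. A PR run only needs to build and scan, so gating the login with `if: github.event_name != 'pull_request'` (or giving the job `permissions: contents: read` and elevating only for the publish path) keeps a write-capable token out of runs that never push. `types: [synchronize, opened, reopened]` is the default activity set for `pull_request`, so that line adds nothing unless it is kept as documentation.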
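Review bot: The image that is scanned is not the image that is published: the first `docker/build-push-action@v5` step builds `local/yivitube:scan` from `context: .` and loads it locally, while `Push image to GitHub Container Registry` is a second, independent build with no `context:` (the action then falls back to its Git context, ignoring the checkout) and no cache inputs, so the layers Anchore inspected are not the layers that reach GHCR. Tagging and pushing the already-built local image, or at minimum giving the push step the same `context: .` (and later the same `cache-from`), keeps the scan result attached to what ships. The same push step is edited again in patch 7 and still has no `context:` there, so this note covers that hunk too.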
@@ -49,12 +49,7 @@ jobs: with: image: local/yivitube:scan fail-build: true - output-format: sarif - - - name: Upload Anchore Scan SARIF Report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ${{ steps.scan.outputs.sarif }} + output-format: table - name: Push image to GitHub Container Registry uses: docker/build-push-action@v5 From c1e9d5f61fe68f4ff0dfb5336c2d5a23c5e30982 Mon Sep 17 00:00:00 2001 From: Jasper van der Linden Date: Fri, 24 Jan 2025 12:59:40 +0100 Subject: [PATCH 3/9] chore: Upgrade components to mitigate some of the vulnerabilties --- Dockerfile | 43 ++++++++++++++++++++----------------------- www/composer.json | 4 ++-- www/composer.lock | 26 ++++++++++++++++---------- 3 files changed, 38 insertions(+), 35 deletions(-) diff --git a/Dockerfile b/Dockerfile index f2636ef..ba4679f 100644 --- a/Dockerfile +++ b/Dockerfile 
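Review bot: With `output-format: table` and the `upload-sarif` step gone, scan findings now exist only in the log of the run that produced them; nothing is retained or surfaced in the repository's Security tab, which makes it hard to tell later which CVEs a published tag carried. If the upload step was dropped because it failed, the likely cause is the workflow's `permissions:` block, which grants only `contents: write` while `upload-sarif` needs `security-events: write`; adding that scope and keeping the SARIF upload would preserve the report, and the table view can coexist by running the scan step a second time with the other format. If it was removed for another reason, a comment on the scan step saying why SARIF was abandoned would spare the next reader the same investigation.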
@@ -1,35 +1,32 @@ -FROM node:14 AS builder +FROM node:18 AS node -RUN apt-get update && apt-get install -y \ - php \ - php-cli \ - php-zip \ - php-xml \ - php-mbstring \ - php-curl \ - php-sqlite3 \ - php-ldap \ - unzip \ - cron +WORKDIR /build -RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer -WORKDIR /app +COPY www/package*.json . -COPY . . +RUN npm i -RUN cd /app/www && npm install -RUN cd /app/www && composer install +# --- -FROM php:8.0-apache +FROM composer:latest AS composer +FROM dunglas/frankenphp -COPY --from=builder /app/www /var/www/html -COPY --from=builder /app/data /app/data +ENV SERVER_NAME=:8080 +ENV DEBIAN_FRONTEND=noninteractive -RUN chown -R www-data:www-data /var/www/html \ - && chmod -R 755 /var/www/html +# Enable PHP production settings +RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" \ + && apt update && apt upgrade -y \ + && install-php-extensions zip +COPY ./data /app/data +COPY ./www /app/public -RUN echo "Listen 8080" >> /etc/apache2/ports.conf +COPY --from=composer /usr/bin/composer /usr/local/bin/composer +COPY --from=node /build/node_modules /app/public/node_modules + +RUN cd /app/public \ + && composer install --no-interaction --optimize-autoloader --no-dev EXPOSE 8080 diff --git a/www/composer.json b/www/composer.json index 30db571..829a54b 100644 --- a/www/composer.json +++ b/www/composer.json @@ -3,7 +3,7 @@ "description": "IRMA demo showing issuance and verification of IRMA attributes", "type": "project", "require": { - "firebase/php-jwt": "6.0.0", + "firebase/php-jwt": "6.11.0", "ext-json": "*", "ext-ctype": "*" }, @@ -14,4 +14,4 @@ "email": "irma@privacybydesign.foundation" } ] -} +} \ No newline at end of file diff --git a/www/composer.lock b/www/composer.lock index 739daa5..e37eed2 100644 --- a/www/composer.lock +++ b/www/composer.lock 
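Review bot: Both runtime base images are unpinned (`FROM composer:latest AS composer` and `FROM dunglas/frankenphp` with no tag), so the image the `Scan Image` step approves today can differ from tomorrow's rebuild of the same commit, which undercuts a change whose purpose is mitigating vulnerabilities; pin them, e.g. `FROM dunglas/frankenphp:<pinned tag>` (placeholder), ideally with an `@sha256:` digest. `COPY --from=composer /usr/bin/composer /usr/local/bin/composer` also leaves the composer binary in the production image after the final `composer install`; running the install inside the `composer` stage and copying `vendor/` in, or deleting the binary in the same `RUN`, keeps it out of the shipped layers. The `apt update && apt upgrade -y` step never removes `/var/lib/apt/lists/*`, so the package indexes stay in the image. The previous `chown`/`chmod` to `www-data` was dropped, so whether PHP now runs as a non-root user depends entirely on the `dunglas/frankenphp` base image, which is worth confirming before relying on it.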
@@ -4,29 +4,35 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "1c8e3eb675985782bd3fc73d5a4b6b74", + "content-hash": "d2a28716a26a8a726fde7227fdf1160b", "packages": [ { "name": "firebase/php-jwt", - "version": "v6.0.0", + "version": "v6.11.0", "source": { "type": "git", "url": "https://github.com/firebase/php-jwt.git", - "reference": "0541cba75ab108ef901985e68055a92646c73534" + "reference": "8f718f4dfc9c5d5f0c994cdfd103921b43592712" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/firebase/php-jwt/zipball/0541cba75ab108ef901985e68055a92646c73534", - "reference": "0541cba75ab108ef901985e68055a92646c73534", + "url": "https://api.github.com/repos/firebase/php-jwt/zipball/8f718f4dfc9c5d5f0c994cdfd103921b43592712", + "reference": "8f718f4dfc9c5d5f0c994cdfd103921b43592712", "shasum": "" }, "require": { - "php": ">=5.3.0" + "php": "^8.0" }, "require-dev": { - "phpunit/phpunit": ">=4.8 <=9" + "guzzlehttp/guzzle": "^7.4", + "phpspec/prophecy-phpunit": "^2.0", + "phpunit/phpunit": "^9.5", + "psr/cache": "^2.0||^3.0", + "psr/http-client": "^1.0", + "psr/http-factory": "^1.0" }, "suggest": { + "ext-sodium": "Support EdDSA (Ed25519) signatures", "paragonie/sodium_compat": "Support EdDSA (Ed25519) signatures when libsodium is not present" }, "type": "library", @@ -59,9 +65,9 @@ ], "support": { "issues": "https://github.com/firebase/php-jwt/issues", - "source": "https://github.com/firebase/php-jwt/tree/v6.0.0" + "source": "https://github.com/firebase/php-jwt/tree/v6.11.0" }, - "time": "2022-01-24T15:18:34+00:00" + "time": "2025-01-23T05:11:06+00:00" } ], "packages-dev": [], @@ -75,5 +81,5 @@ "ext-ctype": "*" }, "platform-dev": [], - "plugin-api-version": "2.3.0" + "plugin-api-version": "2.6.0" } From 0ea08cdfa5d420d7d96393ef65927d967cf7c845 Mon Sep 17 00:00:00 2001 
From: Jasper van der Linden Date: Fri, 24 Jan 2025 13:19:51 +0100 Subject: [PATCH 4/9] fix: Update to bootstrap version without CVE --- www/package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/www/package.json b/www/package.json index 1cb1e42..dc397ff 100644 --- a/www/package.json +++ b/www/package.json @@ -6,8 +6,8 @@ "license": "Apache", "dependencies": { "@privacybydesign/yivi-frontend": "^0.1.3", - "bootstrap": "^3.3.6", + "bootstrap": "^5.0.0", "jquery": "^3.5.0", "mustache": "^2.3.0" } -} +} \ No newline at end of file From 9a23fc8245e8f29e842b1fab8d25e3e036fe5dad Mon Sep 17 00:00:00 2001 From: Jasper van der Linden Date: Fri, 24 Jan 2025 13:24:24 +0100 Subject: [PATCH 5/9] chore: Prevent not-fixed CVE's from blocking a build --- .github/workflows/delivery.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/delivery.yml b/.github/workflows/delivery.yml index adff8f3..7eb0614 100644 --- a/.github/workflows/delivery.yml +++ b/.github/workflows/delivery.yml @@ -1,13 +1,13 @@ name: Delivery -on: +on: pull_request: types: [synchronize, opened, reopened] push: - branches: [ master ] + branches: [master] release: # Note: a current limitation is that when a release is edited after publication, then the Docker tags are not automatically updated. - types: [ published ] + types: [published] permissions: contents: write @@ -34,15 +34,15 @@ jobs: with: registry: ghcr.io username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build container and export to local Docker uses: docker/build-push-action@v5 with: context: . load: true tags: local/yivitube:scan - + - name: Scan Image uses: anchore/scan-action@v3 id: scan 
@@ -50,10 +50,11 @@ jobs: image: local/yivitube:scan fail-build: true output-format: table - + only-fixed: true + - name: Push image to GitHub Container Registry uses: docker/build-push-action@v5 with: push: github.event_name != 'pull_request' tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file + labels: ${{ steps.meta.outputs.labels }} From ea8deaf5a1ef31bbdd4d4aed3ea50d2ee48ffa7e Mon Sep 17 00:00:00 2001 From: Jasper van der Linden Date: Fri, 24 Jan 2025 13:28:06 +0100 Subject: [PATCH 6/9] chore: Enable build cache --- .github/workflows/delivery.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/delivery.yml b/.github/workflows/delivery.yml index 7eb0614..78c6aa6 100644 --- a/.github/workflows/delivery.yml +++ b/.github/workflows/delivery.yml @@ -42,6 +42,8 @@ jobs: context: . load: true tags: local/yivitube:scan + cache-from: type=gha + cache-to: type=gha,mode=max - name: Scan Image uses: anchore/scan-action@v3 From b520f3d74b1edff5ba54850d85e9596ee50f97a0 Mon Sep 17 00:00:00 2001 From: Jasper van der Linden Date: Fri, 24 Jan 2025 13:30:06 +0100 Subject: [PATCH 7/9] chore: Evaluate condition --- .github/workflows/delivery.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/delivery.yml b/.github/workflows/delivery.yml index 78c6aa6..f43befb 100644 --- a/.github/workflows/delivery.yml +++ b/.github/workflows/delivery.yml @@ -57,6 +57,6 @@ jobs: - name: Push image to GitHub Container Registry uses: docker/build-push-action@v5 with: - push: github.event_name != 'pull_request' + push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From 870e2d3dbd4ff9efa60a1ec23df2952e8e2010ce Mon Sep 17 00:00:00 2001 
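Review bot: `only-fixed: true` does more than the commit title describes: in `anchore/scan-action` it filters the report to vulnerabilities that have a fix available, so unfixed CVEs no longer appear in the `table` output at all rather than merely not failing the build. That is a defensible trade-off, but it deserves a comment next to the input so nobody reads a clean table as a clean image, e.g. `# only-fixed: unfixed CVEs are hidden from the report, not just excluded from fail-build`. If unfixed findings should stay visible while not blocking, a second scan step without `only-fixed` and with `fail-build: false` gives the full picture while this one keeps gating.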
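Review bot: The corrected `push: ${{ github.event_name != 'pull_request' }}` still lets this step run on pull requests, where `push` evaluates to false and the action performs a full second build purely as a dry run, redundant with the scan build above it. Either skip the step on PRs with `if: github.event_name != 'pull_request'` and keep `push: true`, or document the intent above the step with `# On pull requests this step only builds; publishing happens on push/release events`. The step also still has no `context:` input, as raised on patch 1, so the Git context is used rather than the scanned checkout.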
From: Jasper van der Linden Date: Fri, 24 Jan 2025 13:33:32 +0100 Subject: [PATCH 8/9] chore: Make use of cache --- .github/workflows/delivery.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/delivery.yml b/.github/workflows/delivery.yml index f43befb..8c54c86 100644 --- a/.github/workflows/delivery.yml +++ b/.github/workflows/delivery.yml @@ -29,6 +29,9 @@ jobs: type=semver,pattern={{major}}.{{minor}}.{{patch}} type=raw,value=edge + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: @@ -40,7 +43,6 @@ jobs: uses: docker/build-push-action@v5 with: context: . - load: true tags: local/yivitube:scan cache-from: type=gha cache-to: type=gha,mode=max @@ -50,9 +52,9 @@ jobs: id: scan with: image: local/yivitube:scan + only-fixed: true fail-build: true output-format: table - only-fixed: true - name: Push image to GitHub Container Registry uses: docker/build-push-action@v5 From 00ea48419344c7574cca8569343505734ee05654 Mon Sep 17 00:00:00 2001 From: Jasper van der Linden Date: Fri, 24 Jan 2025 13:36:47 +0100 Subject: [PATCH 9/9] chore(revert): Load image --- .github/workflows/delivery.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/delivery.yml b/.github/workflows/delivery.yml index 8c54c86..b5d1f1b 100644 --- a/.github/workflows/delivery.yml +++ b/.github/workflows/delivery.yml @@ -43,6 +43,7 @@ jobs: uses: docker/build-push-action@v5 with: context: . + load: true tags: local/yivitube:scan cache-from: type=gha cache-to: type=gha,mode=max
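Review bot: The new `uses: docker/setup-buildx-action@v3`, like every other `uses:` in this workflow (`docker/login-action@v3`, `docker/build-push-action@v5`, `anchore/scan-action@v3`), references a mutable major tag; for a job that holds a write-capable token, logs into GHCR and publishes the production image, pinning each action to a full commit SHA with the version in a trailing comment, `uses: docker/setup-buildx-action@<full commit sha>  # v3` (placeholder), removes the ability of a retagged release to change what runs here. Dependabot's `github-actions` ecosystem keeps such pins current. The same applies to the `uses:` lines introduced in patch 1.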
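Review bot: `load: true` is reinstated without explanation, and now that patch 8 has introduced buildx (whose default container driver does not leave the result in the local Docker daemon) the reason is no longer obvious from the file, which is presumably how it got removed one patch earlier; a comment prevents the next cleanup from repeating that, e.g. `# load: true exports the image to the local Docker daemon so the scan step can inspect local/yivitube:scan`. The remove-then-revert also suggests the scan build and the push build should become a single build whose output is both scanned and published, rather than two builds that must be kept in step by hand.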