feat: add trivy-ghcr action (#75)

* feat: add trivy-ghcr action

* fix: dashbord grades color

* fix

* fix

Author: Julien Bouquillon

README.md

@@ -4,11 +4,11 @@ Basic GitHub actions used in [dashlord](https://github.com/socialgouv/dashlord)
 
 Actions
 
-| Action  | Usage                                             |
-| ------- | ------------------------------------------------- |
-| init    | read dashloard.yml                                |
-| save    | save a single url scan result for dashlord        |
-| report  | build a report.json and website from latest scans |
+| Action | Usage                                             |
+| ------ | ------------------------------------------------- |
+| init   | read dashloard.yml                                |
+| save   | save a single url scan result for dashlord        |
+| report | build a report.json and website from latest scans |
 
 [![](./workflows.png)](https://excalidraw.com/#json=5097005936279552,BIdgMf7vmfpdFCKoCVegXg)
 
@@ -26,12 +26,21 @@ yarn
 yarn start
 ```
 
-### Build a `report.json`
+### Build a new report
 
-Build a new report.json on a local repo with scan results :
+This will add `report.json`, `config.json`, `trends.json` in `report/www/src`
+based on the content of `DASHLORD_REPO_PATH` :
 
 ```sh
 DASHLORD_URLS=http://test1.com,http://test1.com  \ # optional
 DASHLORD_REPO_PATH=/path/to/some/dashlord-repo \ #optional
 node report/src > report/www/src/report.json
 ```
+
+### Add a new dashlord action
+
+1. create a GitHub action that can produce some JSON in your `scans/myaction.json`
+2. In `report/src/generateUrlReport`, import the minimum from your action JSON to serve it to the frontend via the generated `report.json`
+3. In `report/src/summary`, add compute logic for your scanner score.
+4. Build a new report.json, see above
+5. Run `yarn start` in the `report/www` folder to start adding types from your action and UI for your component

report/src/__snapshots__/generateUrlReport.test.js.snap

@@ -20,6 +20,7 @@ Object {
   },
   "testssl": null,
   "thirdparties": null,
+  "trivy": null,
   "updownio": null,
   "url": "https://www.test.com",
   "wappalyzer": Object {
@@ -79,6 +80,7 @@ Object {
   "thirdparties": Object {
     "report": "thirdparties.json",
   },
+  "trivy": null,
   "updownio": Object {
     "report": "updownio.json",
   },

report/src/generateUrlReport.js

@@ -69,14 +69,8 @@ const lhrCleanup = (result) => {
   if (!result) {
     return null;
   }
-  const {
-    requestedUrl,
-    finalUrl,
-    fetchTime,
-    runWarnings,
-    categories,
-    audits,
-  } = result;
+  const { requestedUrl, finalUrl, fetchTime, runWarnings, categories, audits } =
+    result;
 
   /** @type {LighthouseReportCategories} */
   // @ts-ignore
@@ -109,13 +103,45 @@ const lhrCleanup = (result) => {
  *
  * Minify wget spider report
  *
- * @param {{broken?:Wget404Report}} result Lighthouse JSON content
+ * @param {{broken?:Wget404Report}} result wget JSON content
  *
  * @returns {Wget404Report|undefined} minified JSON content
  *
  */
 const wget404Cleanup = (result) => result && result.broken;
 
+/**
+ *
+ * Minify trivy report
+ *
+ * @param {TrivyReport} result trivy JSON content
+ *
+ * @returns {TrivyReport} minified JSON content
+ *
+ */
+const trivyCleanup = (result) =>
+  result &&
+  result.map((image) => ({
+    name: image.name,
+    url: image.url,
+    image: image.image,
+    trivy: image.trivy && {
+      Target: image.trivy.Target,
+      Vulnerabilities:
+        image.trivy &&
+        image.trivy.Vulnerabilities &&
+        image.trivy.Vulnerabilities.map(
+          ({ VulnerabilityID, PkgName, PrimaryURL, Title, Severity }) => ({
+            VulnerabilityID,
+            PkgName,
+            PrimaryURL,
+            Title,
+            Severity,
+          })
+        ),
+    },
+  }));
+
 //@ts-expect-error
 const requireToolData = (filename) => (basePath) =>
   requireJson(path.join(basePath, filename));
@@ -138,6 +164,7 @@ const tools = {
   },
   stats: { data: requireToolData("stats.json") },
   404: { data: requireToolData("404.json"), cleanup: wget404Cleanup },
+  trivy: { data: requireToolData("trivy.json"), cleanup: trivyCleanup },
 };
 
 //@ts-expect-error

report/src/summary/index.js

@@ -1,4 +1,3 @@
-
 // each tool can output multiple values
 const tools = {
   /** @param {CodescanReport} report */
@@ -19,8 +18,10 @@ const tools = {
   updownio: (report) => require("./updownio")(report),
   /** @param {StatsReport} report */
   stats: (report) => require("./stats")(report),
-  /** @param {Error404Report} report */
-  404: report => report && report.length && ({ 404: report.length })
+  /** @param {Wget404Report} report */
+  404: (report) => report && report.length && { 404: report.length },
+  /** @param {TrivyReport} report */
+  trivy: (report) => require("./trivy")(report),
 };
 
 /**

report/src/summary/trivy.js

@@ -0,0 +1,26 @@
+/**
+ * sum an array
+ *
+ * @param {number[]} arr
+ *
+ **/
+const sum = (arr) => arr.reduce((a, c) => a + c, 0);
+
+/** @param {TrivyReport} report */
+const summary = (report) => {
+  if (report && report.length) {
+    const allVulns = report.flatMap(
+      (image) => (image.trivy && image.trivy.Vulnerabilities) || []
+    );
+    const vulnsCount = allVulns.length;
+    const critical = allVulns.filter(
+      (vuln) => vuln.Severity === "CRITICAL"
+    ).length;
+    const high = allVulns.filter((vuln) => vuln.Severity === "HIGH").length;
+    const medium = allVulns.filter((vuln) => vuln.Severity === "MEDIUM").length;
+    const trivyGrade = critical ? "F" : high ? "E" : medium ? "C" : "A";
+    return { trivy: vulnsCount, trivyGrade };
+  }
+};
+
+module.exports = summary;

report/src/summary/trivy.test.js

@@ -0,0 +1,110 @@
+const summary = require("./trivy");
+
+const tests = [
+  {
+    title: "invalid report",
+    report: null,
+    expected: undefined,
+  },
+  {
+    title: "critical report",
+    report: [
+      {
+        name: "app",
+        url: "https://github.com//orgs/SocialGouv/packages/container/package/sample-next-app%2Fapp",
+        image: "ghcr.io/socialgouv/sample-next-app/app",
+        trivy: {
+          Target:
+            "ghcr.io/socialgouv/sample-next-app/app:latest (alpine 3.11.12)",
+          Vulnerabilities: [
+            {
+              VulnerabilityID: "CVE-2018-17360",
+              PkgName: "binutils",
+              PrimaryURL: "https://avd.aquasec.com/nvd/cve-2018-17360",
+              Title:
+                "binutils: heap-based buffer over-read in bfd_getl32 in libbfd.c",
+              Severity: "MEDIUM",
+            },
+          ],
+        },
+      },
+      {
+        name: "hasura",
+        url: "https://github.com//orgs/SocialGouv/packages/container/package/sample-next-app%2Fhasura",
+        image: "ghcr.io/socialgouv/sample-next-app/hasura",
+        trivy: {
+          Target:
+            "ghcr.io/socialgouv/sample-next-app/hasura:latest (debian 10.9)",
+          Vulnerabilities: [
+            {
+              VulnerabilityID: "CVE-2019-18276",
+              PkgName: "bash",
+              PrimaryURL: "https://avd.aquasec.com/nvd/cve-2019-18276",
+              Title:
+                "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
+              Severity: "HIGH",
+            },
+            {
+              VulnerabilityID: "CVE-2018-12699",
+              PkgName: "binutils",
+              PrimaryURL: "https://avd.aquasec.com/nvd/cve-2018-12699",
+              Title:
+                "binutils: heap-based buffer overflow in finish_stab in stabs.c",
+              Severity: "CRITICAL",
+            },
+          ],
+        },
+      },
+    ],
+    expected: {
+      trivy: 3,
+      trivyGrade: "F",
+    },
+  },
+  {
+    title: "medium report",
+    report: [
+      {
+        name: "app",
+        url: "https://github.com//orgs/SocialGouv/packages/container/package/sample-next-app%2Fapp",
+        image: "ghcr.io/socialgouv/sample-next-app/app",
+        trivy: {
+          Target:
+            "ghcr.io/socialgouv/sample-next-app/app:latest (alpine 3.11.12)",
+          Vulnerabilities: [
+            {
+              VulnerabilityID: "CVE-2018-17360",
+              PkgName: "binutils",
+              PrimaryURL: "https://avd.aquasec.com/nvd/cve-2018-17360",
+              Title:
+                "binutils: heap-based buffer over-read in bfd_getl32 in libbfd.c",
+              Severity: "MEDIUM",
+            },
+          ],
+        },
+      },
+      {
+        name: "hasura",
+        url: "https://github.com//orgs/SocialGouv/packages/container/package/sample-next-app%2Fhasura",
+        image: "ghcr.io/socialgouv/sample-next-app/hasura",
+        trivy: {
+          Target:
+            "ghcr.io/socialgouv/sample-next-app/hasura:latest (debian 10.9)",
+        },
+      },
+    ],
+    expected: {
+      trivy: 1,
+      trivyGrade: "C",
+    },
+  },
+];
+
+describe("trivy", () => {
+  tests.forEach((t) => {
+    test(`${t.title} should return ${JSON.stringify(t.expected)}`, () => {
+      //@ts-expect-error
+      expect(summary(t.report)).toEqual(t.expected);
+    });
+  });
+});

report/src/trends/index.js

@@ -33,22 +33,15 @@ async function generateTrends(gitPath, latestReport, maxDaysHistory = 30) {
   const commits = await Promise.all(
     history
       // include only relevant commits (in the date range)
-      .reduce(
-       (
-          filteredCommits,
-          entry,
-          i
-        ) => {
-          const isAfter = entry.commit.date() >= startDate;
-          const isFirstBefore = !isAfter && i === filteredCommits.length;
-          // include relevant commits
-          if (isAfter || isFirstBefore) {
-            filteredCommits.push(entry);
-          }
-          return filteredCommits;
-        },
-        reduceInit
-      )
+      .reduce((filteredCommits, entry, i) => {
+        const isAfter = entry.commit.date() >= startDate;
+        const isFirstBefore = !isAfter && i === filteredCommits.length;
+        // include relevant commits
+        if (isAfter || isFirstBefore) {
+          filteredCommits.push(entry);
+        }
+        return filteredCommits;
+      }, reduceInit)
       // extract summary content for each commit
       .map(async ({ commit }) => {
         //@ts-expect-error

report/tsconfig.json

@@ -10,7 +10,7 @@
     "resolveJsonModule": true,
     "skipLibCheck": true,
     "strictNullChecks": true,
-    "target": "ES6"
+    "target": "es2019"
   },
   "include": ["src/**/*.js", "../types/index.d.ts"]
 }