Options for vulnerability scanning for Besu. There are tools. Lots of tools. This page records the ones we have looked at and what each one does (and does not) cover.
Dependabot
- Dependabot is enabled on the repo. There are no current alerts, open or closed:
https://github.com/hyperledger/besu/security/dependabot
LGTM
Running on PRs. (LGTM.com has since been retired by GitHub; its analysis now lives on as CodeQL code scanning, the next item below.)
CodeQL analysis
Running on main. Note that CodeQL is static analysis of our own source code, not a dependency/CVE scanner like the other tools on this page.
Trivy
Teku uses Trivy to scan its develop Docker images (see https://github.com/ConsenSys/teku/blob/master/.circleci/config.yml). Because it scans the built image rather than the Gradle build, the results only cover what ships in the image (OS packages and runtime dependencies), not build or test dependencies.
- Nightly scan of the Besu Docker image in CircleCI. Sample report: https://app.circleci.com/pipelines/github/hyperledger/besu/12961/workflows/dde97a21-0eb3-4345-8767-0d4490a2ee44/jobs/71864
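Trivy can gate on its own with `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`, but a setup where the nightly job records everything and a PR job fails only on fixable findings needs a small policy layer over the JSON report. The following is an added example of that layer; it is not Besu's or Teku's CI code. It runs over a constructed report shaped like `trivy image --format json` output (assumed to be the top-level `Results` form, with the older bare-list form handled as a fallback); the image name, vulnerability IDs and package names in the sample are placeholders, not real findings.

```python
"""Severity gate over a Trivy JSON image-scan report (added example, not Besu/Teku CI code)."""
import argparse
import json
import sys
from collections import Counter

# Constructed sample shaped like `trivy image --format json` output (top-level
# "Results" list). The image name, vulnerability IDs and package names are
# placeholders, not real findings against any Besu image.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/besu:develop",
    "Results": [
        {"Target": "example/besu:develop (ubuntu 20.04)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "HIGH",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "CRITICAL",
             "InstalledVersion": "2.3", "FixedVersion": ""}]},
        {"Target": "Java", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "org.example:runtime-lib",
             "Severity": "MEDIUM", "InstalledVersion": "3.1.0", "FixedVersion": "3.1.1"}]},
        # A clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "example/besu:develop (config)"},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json):
    """Flatten a Trivy report into a list of finding dicts.

    Accepts the current {"Results": [...]} shape and the bare list of
    results that older Trivy releases emitted.
    """
    report = json.loads(report_json)
    results = report if isinstance(report, list) else (report.get("Results") or [])
    out = []
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            out.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "fixed": vuln.get("FixedVersion") or None,
            })
    return out


def gate(report_json, fail_on="HIGH", ignore_unfixed=True):
    """Apply a severity policy; returns {"exit_code", "counts", "blocking"}.

    fail_on: lowest severity that fails the job, or None for report-only.
    ignore_unfixed: skip findings with no FixedVersion, since rebuilding the
    image cannot clear them until the base image or upstream ships a fix.
    """
    all_findings = findings(report_json)
    counts = Counter(f["severity"] for f in all_findings)
    blocking = []
    if fail_on is not None:
        threshold = SEVERITY_RANK[fail_on.upper()]
        for f in all_findings:
            if SEVERITY_RANK.get(f["severity"], 0) < threshold:
                continue
            if ignore_unfixed and f["fixed"] is None:
                continue
            blocking.append(f["id"])
    return {"exit_code": 1 if blocking else 0,
            "counts": dict(counts), "blocking": blocking}


def main(argv):
    parser = argparse.ArgumentParser(description="Severity gate for a Trivy JSON report")
    parser.add_argument("report", nargs="?", help="Trivy JSON file (built-in sample if omitted)")
    parser.add_argument("--fail-on", default="HIGH", choices=list(SEVERITY_RANK))
    parser.add_argument("--report-only", action="store_true", help="never fail the job")
    parser.add_argument("--include-unfixed", action="store_true")
    opts = parser.parse_args(argv)
    if opts.report:
        with open(opts.report, encoding="utf-8") as fh:
            report_json = fh.read()
    else:
        report_json = SAMPLE_REPORT
    result = gate(report_json, None if opts.report_only else opts.fail_on, not opts.include_unfixed)
    for f in findings(report_json):
        flag = "BLOCKING" if f["id"] in result["blocking"] else "info"
        print(f"{flag:8} {f['severity']:8} {f['id']} {f['pkg']} {f['installed']} "
              f"-> {f['fixed'] or 'no fix'}  [{f['target']}]")
    print("counts:", result["counts"])
    return result["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In CI the report would come from `trivy image --format json --output trivy.json <image>`, then `python gate.py trivy.json` for a PR job and `python gate.py trivy.json --report-only` for the nightly job. Because the input is an image scan, Gradle build and test dependencies never appear in `findings()`; the Gradle dependency-check plugin below is the tool that sees those.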
NexusIQ
It is from Sonatype (https://blog.sonatype.com/nexus-vulnerability-scanner-and-vulnerability-analysis), but I couldn't even try it out without agreeing to a whole bunch of stuff on behalf of the company, so I did not proceed.
Findings are scored on a threat "level" scale of 1-10. According to the user's report, there were a number of "level 7" and "level 10" vulnerabilities (details in the ticket). These were fixed in 21.10.7.
Snyk
Integrates quite nicely with GitHub, but there is a lot of noise.
- Also integrates with DockerHub, but only admins of the DockerHub repos can see the report (see the comments below).
Dependency check gradle plugin
Useful, but we don't want to gate PRs on this; it is better suited to a separate (e.g. nightly) job. Unlike the image scan above, it sees the Gradle build and test dependencies as well as runtime ones.
The same scanner is also available as a standalone CLI via Homebrew (brew install dependency-check) for running locally.
Maven central
mvnrepository.com (a third-party index of Maven Central, not Maven Central itself) does an OK job of flagging some CVEs against published artifacts, e.g. https://mvnrepository.com/artifact/org.hyperledger.besu.internal/eth/21.10.6
The disadvantage is that this is only available once the artefact is published, by which time it's a bit late. SNAPSHOT versions don't get imported into mvnrepository.com at all.
8 Comments
Sally MacFarlane
Ry Jones, thanks for the update on Snyk and DockerHub. I don't see that view, though. Is that an admin thing?
Ry Jones
Maybe? I'm not sure. The account that pushes those images is named pegasysengci, so perhaps ask that person if they can see it?
Sally MacFarlane
But you can see it under your login? Are you an admin for the hyperledger org on DockerHub? pegasysengci is only used for automation.
Ry Jones
Yes, I can see it, as an admin for Hyperledger. Pegasysci has admin powers for the besu repos.
Sally MacFarlane
Is it an option to add more admins for the besu repos?
Ry Jones
What is your DockerHub ID?
Sally MacFarlane
macfarla
Ry Jones
You now have admin privs.