Options for vulnerability scanning for Besu. There are tools. Lots of tools.
Dependabot
- Dependabot is enabled. No current alerts, open or closed:
https://github.com/hyperledger/besu/security/dependabot
CodeQL analysis
This doesn't provide anything better than SonarCloud. Note that it is static analysis of Besu's own source code, not a scan of third-party dependencies, so it answers a different question from the rest of the tools on this list.
...
Teku uses Trivy and scans the develop Docker images. Because it scans the built image rather than the Gradle dependency graph, the results only cover runtime dependencies that actually ship in the image (OS packages and bundled jars), not build or test dependencies. See https://github.com/ConsenSys/teku/blob/master/.circleci/config.yml
- Nightly scan of docker image for Besu https://github.com/hyperledger/besu/pull/3346
NexusIQ
It is from Sonatype (https://blog.sonatype.com/nexus-vulnerability-scanner-and-vulnerability-analysis), but I couldn't even try it out without agreeing to a whole bunch of stuff on behalf of the company, so I did not proceed.
It has a number of "levels" (1-10, its own threat-level scale). According to the user's report there were a number of "level 7" and "level 10" vulnerabilities (details in the ticket). These were fixed in 21.10.7.
Snyk
Integrates quite nicely with GitHub, but there is a lot of noise.
Dependency check gradle plugin
Useful, but we don't want to gate PRs on this. Unlike an image scan it covers the full Gradle dependency graph, build and test dependencies included, and its CPE-based matching against the NVD produces false positives that need manual triage and suppression entries, so it fits a scheduled or on-demand run better than a PR check.
Maven Central / mvnrepository.com
Even mvnrepository.com (a third-party index, not Maven Central itself) does an OK job of flagging some CVEs on an artifact's page, e.g. https://mvnrepository.com/artifact/org.hyperledger.besu.internal/eth/21.10.6
...