
Options for vulnerability scanning for Besu. There are tools. Lots of tools. 

Dependabot

No current alerts, open or closed: 

https://github.com/hyperledger/besu/security/dependabot

CodeQL analysis

This doesn't provide anything better than SonarCloud.

https://github.com/hyperledger/besu/pull/3324

And it took 19 minutes: https://github.com/hyperledger/besu/runs/4933198025?check_suite_focus=true

Trivy

Teku uses Trivy and scans the develop Docker images, so scan results only include runtime dependencies, not build or test dependencies. See https://github.com/ConsenSys/teku/blob/master/.circleci/config.yml

NexusIQ

It is from Sonatype (https://blog.sonatype.com/nexus-vulnerability-scanner-and-vulnerability-analysis), but I couldn't even try it out without agreeing to a whole bunch of stuff on behalf of the company, so I did not proceed.

It has a number of "levels", 1-10. According to the user's report, there are a number of "level 7" and "level 10" vulnerabilities (details in the ticket).

Snyk

Integrates quite nicely with GitHub.

Dependency check gradle plugin

Useful, but we don't want to gate PRs on this.
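As an added illustration (not from this page or from Besu's own build scripts), a build.gradle fragment for the OWASP dependency-check Gradle plugin configured in report-only mode, i.e. findings are written to a report but never fail the build, which is the non-gating use described above. The plugin version, the output directory and the suppression file path are assumptions:

```groovy
// Added example: OWASP dependency-check Gradle plugin in report-only mode.
// Not Besu's build script; plugin version and file paths are assumed.
plugins {
    id 'org.owasp.dependencycheck' version '6.5.3' // assumed version; pin to a vetted release
}

dependencyCheck {
    // 11 is above any possible CVSS score, so the analyze task never fails
    // the build: vulnerabilities are reported, PRs are not gated on them.
    // Lowering this (e.g. to 7, CVSS "high" and above) turns it into a gate.
    failBuildOnCVSS = 11

    // HTML for people reading the report, JSON for tooling that parses it.
    formats = ['HTML', 'JSON']
    outputDirectory = "$buildDir/reports/dependency-check" // assumed path

    // Reviewed false positives live in a tracked file rather than being
    // silently ignored, so each suppression has a recorded justification.
    suppressionFile = 'config/dependency-check-suppressions.xml' // assumed path

    // Leave test-only and annotation-processor configurations out so that
    // build/test dependencies don't dominate what is actually shipped.
    skipConfigurations = ['testImplementation', 'testRuntimeClasspath', 'annotationProcessor']
}
```

Run it with `./gradlew dependencyCheckAnalyze`; the report lands in the configured output directory, and a CI job that runs the task without marking the build failed keeps the information visible without blocking merges.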

Maven central

Even Maven Central does an OK job of pointing out some CVEs: https://mvnrepository.com/artifact/org.hyperledger.besu.internal/eth/21.10.6

The disadvantage is that this is only available once the artefact is published, by which time it's a bit late. SNAPSHOT versions don't get imported into mvnrepository.com.
