Options for vulnerability scanning for Besu. There are tools. Lots of tools.
Dependabot
- Dependabot is enabled. No current alerts, open or closed: https://github.com/hyperledger/besu/security/dependabot
LGTM
- Built on top of CodeQL.
- Currently failing (out of memory).
CodeQL analysis
- Doesn't provide anything better than SonarCloud: https://github.com/hyperledger/besu/pull/3324
- And the run took 19 minutes: https://github.com/hyperledger/besu/runs/4933198025?check_suite_focus=true
Trivy
- Teku uses Trivy and scans the develop Docker images, so the scan results include only runtime dependencies, not build or test dependencies. See https://github.com/ConsenSys/teku/blob/master/.circleci/config.yml
- Nightly scan of the Docker image for Besu; sample report: https://app.circleci.com/pipelines/github/hyperledger/besu/12961/workflows/dde97a21-0eb3-4345-8767-0d4490a2ee44/jobs/71864
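An image scan like the nightly Trivy job produces a JSON report that is far noisier than what a team actually wants to act on. The script below is an added example (not Besu's or Teku's own code, and not part of the Trivy project): it flattens a report in Trivy's JSON layout and applies a simple triage policy (severity at or above a threshold, an upstream fix available, not already risk-accepted) to decide whether a run should be treated as a failure. The embedded report is constructed for the example, with made-up package names and CVE-0000-000x placeholder identifiers; point it at real `trivy image --format json` output to use it.

```python
import json
from collections import Counter

# Constructed sample in the layout of a Trivy JSON report (schema version 2),
# standing in for the output of `trivy image --format json <image>`.
# Package names, versions and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/besu:develop",
    "Results": [
        {
            "Target": "example/besu:develop (ubuntu 20.04)",
            "Class": "os-pkgs",
            "Type": "ubuntu",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                # No FixedVersion: nothing the team can upgrade to yet.
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"},
            ],
        },
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "com.example:lib",
                 "InstalledVersion": "4.1.0", "FixedVersion": "4.1.1", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "com.example:other",
                 "InstalledVersion": "2.0", "FixedVersion": "2.1", "Severity": "CRITICAL"},
            ],
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(report_json):
    """Flatten a Trivy JSON report into one dict per (target, vulnerability)."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null (not an empty list) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def severity_counts(findings):
    """Number of findings per severity label, for the summary line."""
    return Counter(f["severity"] for f in findings)


def gating_findings(findings, min_severity="HIGH", require_fix=True, accepted=frozenset()):
    """Findings that should fail a run under the policy: at or above
    min_severity, with an upstream fix available (unfixable findings are
    reported but not gated on), and not in the risk-accepted set."""
    threshold = SEVERITY_RANK[min_severity]
    return [
        f for f in findings
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold
        and (f["fixed"] or not require_fix)
        and f["id"] not in accepted
    ]


def build_should_fail(report_json, **policy):
    """True when at least one finding survives the triage policy."""
    return bool(gating_findings(load_findings(report_json), **policy))


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print("severity counts:", dict(severity_counts(findings)))
    for f in gating_findings(findings):
        print(f"GATE {f['severity']:8} {f['id']} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']} ({f['target']})")
    print("fail run:", build_should_fail(SAMPLE_REPORT))
```

Separating "report everything" from "fail on this subset" is what keeps a nightly scan useful without turning every unfixable CVE in the base image into a red build; the `accepted` set is where reviewed, documented exceptions go so they stop reappearing.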
NexusIQ
- It is from Sonatype (https://blog.sonatype.com/nexus-vulnerability-scanner-and-vulnerability-analysis), but I couldn't even try it out without agreeing to a whole bunch of stuff on behalf of the company, so I did not proceed.
- Has a number of "levels", 1-10. According to the user's report, there were a number of "level 7" and "level 10" vulnerabilities (details in the ticket). (These were fixed in 21.10.7.)
Snyk
- Integrates quite nicely with GitHub, but there is a lot of noise.
- Also integrates with Docker Hub, but only admins can see the report.
Dependency-check Gradle plugin
- Useful, but we don't want to gate PRs on this.
- There is also a Homebrew option.
Maven Central
- Maven Central does an OK job of pointing out some CVEs: https://mvnrepository.com/artifact/org.hyperledger.besu.internal/eth/21.10.6
- Disadvantage: it's only available once the artefact is published, by which time it's a bit late. SNAPSHOT versions don't get imported into mvnrepository.com.