fix(cmd-api-server): mitigate CVE-2022-24434 and CVE-2022-24999 hyper…

…ledger#2039 fixes: hyperledger#2039 related to: hyperledger#2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs: - CVE-2022-24434 - CVE-2022-24999 (express) - CVE-2022-24999 (qs) Co-authored-by: Peter Somogyvari <peter.somogyvari@accenture.com> Signed-off-by: ruzell22 <ruzell.vince.aquino@accenture.com> Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
charellesandig · Apr 20, 2023 · fc7702f · fc7702f
1 parent 1cc9667
commit fc7702f
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+  push:
+  pull_request:
+    # Publish `main` as Docker `latest` image.
+    branches:
+      - main
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+
+jobs:
+ build-secure-and-push-8:
+    name: Scan cactus-corda-4-8-all-in-one-obligation image
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2.4.0
+      env:
+          # (Required) The token to use to make API calls to GitHub.
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+    - uses: actions/checkout@v1
+    - name: Login to DockerHub Registry
+      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+    - name: Build Images from Dockerfile
+      run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-4-8-all-in-one-obligation
+
+    - uses: Azure/container-scan@v0.1
+      name: Scan image for vulnerabilities
+      id: container-scan
+      continue-on-error: true
+      with:
+       image-name: cactus-corda-4-8-all-in-one-obligation
diff --git a/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile b/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile
@@ -2,9 +2,9 @@ FROM docker:20.10.2-dind
 
 # cordaVersion=4.8.5
 # cordaCoreVersion=4.8.5
-ARG SAMPLES_KOTLIN_SHA=1504878ce446555bd861bbe4dd3d1154e905a07f
+ARG SAMPLES_KOTLIN_SHA=30fd841dd035934bae75ab8910da3b6e3d5d6ee7
 ARG SAMPLES_KOTLIN_CORDAPP_SUB_DIR_PATH="./Advanced/obligation-cordapp/"
-ARG CORDA_TOOLS_SHELL_CLI_VERSION=4.8
+ARG CORDA_TOOLS_SHELL_CLI_VERSION=4.8.9
 
 WORKDIR /