Update documentation

- Add section on how to perform vulnerability scanning locally. Signed-off-by: Wade Barnes <wade@neoterictech.ca>
bcgov · Jun 10, 2024 · 5c223fe · 5c223fe
1 parent c884859
commit 5c223fe
Showing 1 changed file with 50 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -92,3 +92,53 @@ SPLUNK_INDEX
 ### JaCoCo Coverage Report
 1) Run ```mvn clean verify```
 3) Open ```target/site/jacoco/index.html``` in a browser
+
+### Vunerability Scanning - Locally
+1) Run ```docker build --no-cache -t cdds/jag-cdds:test .```
+2) Run ```docker run -it -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy image --insecure cdds/jag-cdds:test```
+
+The above steps build the jag-cdds container and then use the Trivy docker container to scan the resulting images.  The output will look something like this:
+
+```
+cdds/jag-cdds:test (alpine 3.19.1)
+
+Total: 10 (UNKNOWN: 0, LOW: 2, MEDIUM: 8, HIGH: 0, CRITICAL: 0)
+
+┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
+│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
+├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
+│ busybox       │ CVE-2023-42363 │ MEDIUM   │ fixed  │ 1.36.1-r15        │ 1.36.1-r17    │ busybox: use-after-free in awk                            │
+│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42363                │
+│               ├────────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
+│               │ CVE-2023-42366 │          │        │                   │ 1.36.1-r16    │ busybox: A heap-buffer-overflow                           │
+│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                │
+├───────────────┼────────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
+│ busybox-binsh │ CVE-2023-42363 │          │        │                   │ 1.36.1-r17    │ busybox: use-after-free in awk                            │
+│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42363                │
+│               ├────────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
+│               │ CVE-2023-42366 │          │        │                   │ 1.36.1-r16    │ busybox: A heap-buffer-overflow                           │
+│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                │
+├───────────────┼────────────────┤          │        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
+│ libcrypto3    │ CVE-2024-4603  │          │        │ 3.1.4-r5          │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and       │
+│               │                │          │        │                   │               │ parameters                                                │
+│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                 │
+│               ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
+│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in │
+│               │                │          │        │                   │               │ TLSv1.3                                                   │
+│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                 │
+├───────────────┼────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
+│ libssl3       │ CVE-2024-4603  │ MEDIUM   │        │                   │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and       │
+│               │                │          │        │                   │               │ parameters                                                │
+│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                 │
+│               ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
+│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in │
+│               │                │          │        │                   │               │ TLSv1.3                                                   │
+│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                 │
+├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
+│ ssl_client    │ CVE-2023-42363 │ MEDIUM   │        │ 1.36.1-r15        │ 1.36.1-r17    │ busybox: use-after-free in awk                            │
+│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42363                │
+│               ├────────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
+│               │ CVE-2023-42366 │          │        │                   │ 1.36.1-r16    │ busybox: A heap-buffer-overflow                           │
+│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                │
+└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
+```