From 8d9980a7d1e89806909b7d429abd173d13e639a2 Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 15:23:43 +0000
Subject: [PATCH 1/2] check scan result properly

---
 .../scripts/check_ecr_image_scan_results.sh | 30 ++++++++++++++-----
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/.github/scripts/check_ecr_image_scan_results.sh b/.github/scripts/check_ecr_image_scan_results.sh
index 1b13306..1a65671 100755
--- a/.github/scripts/check_ecr_image_scan_results.sh
+++ b/.github/scripts/check_ecr_image_scan_results.sh
@@ -1,4 +1,5 @@
-#!/bin/bash
+#!/usr/bin/env bash
+set -e
 
 if [ -z "${REPOSITORY_NAME}" ]; then
     echo "REPOSITORY_NAME not set"
@@ -17,12 +18,14 @@ function wait_for_scan() {
         echo "SCAN IS NOT YET COMPLETE..."
         sleep 3
     done
+    echo "Final sleep to ensure suppressions are applied correctly"
+    sleep 5
 }
 
 function check_for_high_critical_vuln() {
     scan_results=$(aws ecr describe-image-scan-findings --repository-name "${REPOSITORY_NAME}" --image-id imageTag="${IMAGE_TAG}")
-    high=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.HIGH)
-    critical=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.CRITICAL)
+    high=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "HIGH" and .status != "SUPPRESSED")')
+    critical=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "CRITICAL" and .status != "SUPPRESSED")')
 }
 
 function return_scan_results() {
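Review bot: `set -e` is added on its own, without `-o pipefail`, so in any `cmd | jq …` pipeline in this script a failing left-hand command is masked by jq's exit status (jq reads empty input and exits 0) and the script carries on as though the call had succeeded; the visible hunks only show `echo | jq`, but `wait_for_scan`'s loop condition lies outside this hunk and is where an `aws | jq` pipeline would most likely sit. Change the new line to `set -eo pipefail`. Do not add `-u` as-is: the `[ -z "${REPOSITORY_NAME}" ]` guard that follows would abort before printing its message, unless it is rewritten as `[ -z "${REPOSITORY_NAME:-}" ]`.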
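Review bot: The new `high`/`critical` filters fail open: they read only `.imageScanFindings.enhancedFindings`, and the `[]?` swallows the error when that key is absent or null (a registry still on basic scanning, or a response that simply lacks the field), which leaves both variables empty and the gate passing without having examined a single finding. The replaced code read `findingSeverityCounts`, which, as far as I know, is populated for basic scanning too. Fail closed instead: before the two assignments, abort unless the field is an array, e.g. `echo "$scan_results" | jq -e '.imageScanFindings.enhancedFindings | type == "array"' >/dev/null || { echo "ERROR: scan result has no enhancedFindings; enhanced scanning is required"; exit 1; }`. The fixed `sleep 5` "to ensure suppressions are applied" is a guess rather than a guarantee; I would say so in the message, e.g. `echo "Waiting 5s for suppression rules to be applied (best effort; no completion signal is exposed)"`, or poll until the findings stop changing.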
@@ -35,7 +38,7 @@ function return_error() {
     echo -e "\n**********************************************************"
     echo "**********************************************************"
     echo "**********************************************************"
-    echo "ERROR: There are CRITICAL/HIGH vulnerabilties. Stopping build."
+    echo "ERROR: There are CRITICAL/HIGH vulnerabilities. Stopping build."
     echo "**********************************************************"
     echo "**********************************************************"
     echo "**********************************************************"
@@ -43,12 +46,23 @@ function return_error() {
 }
 
 function analyze_scan_results() {
-    if [[ $critical -gt 0 ]]; then
-        echo "ERROR: There are CRITICAL vulnerabilties. Stopping build."
+    if [[ -n "$critical" ]]; then
+        echo "ERROR: There are CRITICAL vulnerabilities. Stopping build."
+
+        echo "=== BEGIN CRITICAL IMAGE SCAN RESULTS ==="
+        echo "$critical"
+        echo "=== END CRITICAL IMAGE SCAN RESULTS ==="
+
         return_scan_results
+
         return_error
-    elif [[ $high -gt 0 ]]; then
-        echo "ERROR: There are HIGH vulnerabilties. Stopping build."
+    elif [[ -n "$high" ]]; then
+        echo "ERROR: There are HIGH vulnerabilities. Stopping build."
+
+        echo "=== BEGIN HIGH IMAGE SCAN RESULTS ==="
+        echo "$high"
+        echo "=== END HIGH IMAGE SCAN RESULTS ==="
+
         return_scan_results
         return_error
     else

From aa911b2723ff4fbde0f32bd35b90b3c5304c1c28 Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Mon, 28 Apr 2025 15:34:23 +0000
Subject: [PATCH 2/2] remove vulnerable node

---
 docker/Dockerfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 18318da..af2a9fb 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
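Review bot: The CRITICAL and HIGH branches of `analyze_scan_results` are now the same block of output lines with one word changed, which is easy to let drift when a third severity or a different output format is added; a small helper taking the severity label and the findings keeps one copy. The helper below prints exactly what the two branches print today, and each branch shrinks to one call plus the unchanged `return_scan_results`/`return_error`. Both branches still read the globals `critical` and `high` that `check_for_high_critical_vuln` sets, which this hunk does not change. The `else` branch and the end of `analyze_scan_results` lie outside the hunk.
```shell
# Print the banner and the raw findings for one severity.
# $1 - severity label as it appears in the messages (CRITICAL or HIGH)
# $2 - the jq output for that severity, already filtered of SUPPRESSED findings
function report_findings() {
    local severity=$1
    local findings=$2
    echo "ERROR: There are ${severity} vulnerabilities. Stopping build."

    echo "=== BEGIN ${severity} IMAGE SCAN RESULTS ==="
    echo "$findings"
    echo "=== END ${severity} IMAGE SCAN RESULTS ==="
}

function analyze_scan_results() {
    if [[ -n "$critical" ]]; then
        report_findings "CRITICAL" "$critical"
        return_scan_results
        return_error
    elif [[ -n "$high" ]]; then
        report_findings "HIGH" "$high"
        return_scan_results
        return_error
    # … unchanged: else branch, continues past the hunk …
```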
@@ -34,7 +34,6 @@ RUN asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
 
 # install some common node versions that are used in builds to speed things up
 RUN asdf install nodejs 20.19.1
 RUN asdf install nodejs 23.9.0
-RUN asdf install nodejs 20.17.0
 RUN asdf install nodejs 20.19.0
 RUN asdf install nodejs 22.12.0