From c12d3485fc23f0e9e8206e53cae93cb672b68abb Mon Sep 17 00:00:00 2001
From: Ruben Romero Montes
Date: Fri, 14 Nov 2025 14:29:12 +0100
Subject: [PATCH 1/2] chore: build and publish container image to ghcr.io
Signed-off-by: Ruben Romero Montes
---
 .github/workflows/push-to-registry.yml | 84 +++++++
 docker-image/Dockerfiles/Dockerfile | 44 ++--
 docker-image/README.md | 12 +-
 docker-image/scripts/rhda.sh | 4 +-
 .../scenarios/maven/expected_stack_html | 4 +-
 .../redhat-dependency-analytics-report.json | 219 ++++++++++++++++++
 6 files changed, 344 insertions(+), 23 deletions(-)
 create mode 100644 .github/workflows/push-to-registry.yml
 create mode 100644 integration/scenarios/maven/redhat-dependency-analytics-report.json
diff --git a/.github/workflows/push-to-registry.yml b/.github/workflows/push-to-registry.yml
new file mode 100644
index 00000000..4855d427
--- /dev/null
+++ b/.github/workflows/push-to-registry.yml
@@ -0,0 +1,84 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
+name: Push to registry
+
+on:
+ push:
+ branches:
+ - main
+ - 'release/*'
+ workflow_dispatch:
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v5
+
+ - name: Install node 18
+ uses: actions/setup-node@v6
+ with:
+ node-version: 18
+ cache: npm
+
+ - name: Install project modules
+ run: npm ci
+
+ - name: Compile project
+ run: npm run compile
+
+ - name: Get package version
+ id: package-version
+ run: |
+ VERSION=$(node -p "require('./package.json').version")
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ echo "Package version: $VERSION"
+
+ - name: Get image metadata
+ id: image-meta
+ run: |
+ echo "revision=${{ github.sha }}" >> $GITHUB_OUTPUT
+ echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=raw,value=latest,enable={{is_default_branch}}
+ type=raw,value=${{ steps.package-version.outputs.version }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: ./docker-image/Dockerfiles/Dockerfile
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ IMAGE_VERSION=${{ steps.package-version.outputs.version }}
+ IMAGE_REVISION=${{ steps.image-meta.outputs.revision }}
+ IMAGE_CREATED=${{ steps.image-meta.outputs.created }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/docker-image/Dockerfiles/Dockerfile b/docker-image/Dockerfiles/Dockerfile
index c85bc379..5837821d 100644
--- a/docker-image/Dockerfiles/Dockerfile
+++ b/docker-image/Dockerfiles/Dockerfile
@@ -4,8 +4,6 @@ FROM registry.access.redhat.com/ubi9/nodejs-20 AS builder
 # use privilaged user
 USER root
 
-ARG TRUSTIFY_DA_JAVASCRIPT_API_VERSION='0.2.4-ea.12'
-
 # install Java
 RUN curl -kL https://download.oracle.com/java/21/archive/jdk-21.0.1_linux-x64_bin.tar.gz -o /tmp/java-package.tar.gz \
 && tar xvzf /tmp/java-package.tar.gz -C /usr/
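Review bot: Every third-party action in the new workflow is referenced by a mutable major tag (`actions/checkout@v5`, `actions/setup-node@v6`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v5`) inside a job that holds `packages: write` and publishes to ghcr.io, so a compromised or retargeted tag would run with publish rights over the released image. Pin each `uses:` to a full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v5`, and let Dependabot or Renovate bump the SHAs. Separately, `type=raw,value=${{ steps.package-version.outputs.version }}` re-pushes the same version tag on every commit to `main` until package.json changes, so that tag does not identify a single build; adding `type=sha` under the metadata-action `tags:` gives consumers an immutable per-commit tag alongside it. If the registry is meant to carry supply-chain metadata, build-push-action's `provenance: true` and `sbom: true` inputs attach attestations to the pushed image at no extra cost here.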
@@ -19,20 +17,27 @@ RUN curl -kL https://go.dev/dl/go1.21.5.linux-amd64.tar.gz -o /tmp/golang-packag
 && tar xvzf /tmp/golang-package.tar.gz -C /usr/
 
 # install jq JSON formating tool
-RUN curl -kL https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 -o /usr/bin/jq
+RUN curl -kL https://github.com/jqlang/jq/releases/download/jq-1.8.1/jq-linux64 -o /usr/bin/jq
 
-# install Exhort javascript API
-RUN npm install --global @trustify-da/trustify-da-javascript-client@${TRUSTIFY_DA_JAVASCRIPT_API_VERSION}
+# Copy RHDA script (before changing WORKDIR)
+COPY docker-image/scripts/rhda.sh /rhda.sh
 
-# add RHDA script
-COPY scripts/rhda.sh /rhda.sh
+# Copy project files and install Exhort javascript API locally
+WORKDIR /app
+COPY package.json package-lock.json ./
+COPY dist ./dist
+COPY config ./config
+RUN npm install --production \
+ && mkdir -p /app/node_modules/.bin \
+ && ln -s /app/dist/src/cli.js /app/node_modules/.bin/trustify-da-javascript-client
 
 # assign executable permissions to all installed binaries
 RUN chmod +x /usr/jdk-21.0.1/bin/java \
 && chmod +x /usr/apache-maven-3.9.6/bin/mvn \
 && chmod +x /usr/go/bin/go \
 && chmod +x /usr/bin/jq \
- && chmod +x /opt/app-root/src/.npm-global/bin/trustify-da-javascript-client \
+ && chmod +x /app/dist/src/cli.js \
+ && chmod +x /app/node_modules/.bin/trustify-da-javascript-client \
 && chmod +x /rhda.sh
 
 # use default user
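Review bot: The added jq download, `RUN curl -kL https://github.com/jqlang/jq/releases/download/jq-1.8.1/jq-linux64 -o /usr/bin/jq`, keeps `-k`, which disables TLS certificate verification, and the file is then made executable and copied into the published image with no integrity check, so anyone able to interpose on that download controls a binary shipped to every consumer (the pre-existing Java and Go downloads visible in context carry the same flag). Drop `-k` and verify the artifact against the checksum the jq release publishes before it is trusted, e.g. `RUN curl -fsSL <jq-release-url> -o /usr/bin/jq && echo "<sha256-from-release>  /usr/bin/jq" | sha256sum -c -`. In the same hunk, `RUN npm install --production` installs next to the copied `package-lock.json` but `npm install` may still re-resolve and rewrite the lockfile; `npm ci --omit=dev` fails on a lock/manifest mismatch and yields the same dependency set on every build, which is what you want for a published image.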
@@ -41,10 +46,23 @@ USER default
 # second stage
 FROM registry.access.redhat.com/ubi9/nodejs-20-minimal
 
+# Build arguments for metadata
+ARG IMAGE_VERSION
+ARG IMAGE_REVISION
+ARG IMAGE_CREATED
+
+# Open Container Initiative (OCI) metadata labels
 LABEL org.opencontainers.image.source=https://github.com/guacsec/trustify-da-javascript-client
+LABEL org.opencontainers.image.description="Trustify Dependency Analytics JavaScript Client - Container image for dependency analysis and vulnerability scanning supporting Maven, NPM, Golang, and Python ecosystems"
+LABEL org.opencontainers.image.licenses=Apache-2.0
+LABEL org.opencontainers.image.title="Trustify Dependency Analytics JavaScript Client"
+LABEL org.opencontainers.image.vendor="guacsec"
+LABEL org.opencontainers.image.url=https://github.com/guacsec/trustify-da-javascript-client
+LABEL org.opencontainers.image.documentation=https://github.com/guacsec/trustify-da-javascript-client#README.md
+LABEL org.opencontainers.image.version="${IMAGE_VERSION}"
+LABEL org.opencontainers.image.revision="${IMAGE_REVISION}"
+LABEL org.opencontainers.image.created="${IMAGE_CREATED}"
 
-# assign rhda source for exhort tracking purposes
-ENV RHDA_SOURCE=''
 # contains pip feeze --all data, base64 encoded
 ENV TRUSTIFY_DA_PIP_FREEZE=''
 # contains pip show data for all packages, base64 encoded
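Review bot: Removing `ENV RHDA_SOURCE=''` changes the runtime environment of the final image, not just its metadata: anything that still reads `RHDA_SOURCE` (rhda.sh, the client, or downstream tooling) now sees the variable unset rather than empty, which behaves differently under `set -u` and in `${VAR-default}` expansions. If nothing reads it any more, a sentence in the commit message saying so would make the removal reviewable; otherwise keep the line or document its replacement. The new `ARG IMAGE_VERSION`, `ARG IMAGE_REVISION` and `ARG IMAGE_CREATED` have no defaults, so a local `docker build` without `--build-arg` emits `org.opencontainers.image.version=""` and the two sibling labels empty; a fallback such as `ARG IMAGE_VERSION=dev` (constructed example) keeps the labels meaningful outside CI.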
@@ -65,13 +83,13 @@ COPY --from=builder /usr/go/ /usr/go/
 ENV GOLANG_HOME=/usr/go
 
 # Update PATH
-ENV PATH=$PATH:$JAVA_HOME/bin:$MAVEN_HOME/bin:$GOLANG_HOME/bin
+ENV PATH=$PATH:$JAVA_HOME/bin:$MAVEN_HOME/bin:$GOLANG_HOME/bin:/app/node_modules/.bin
 
 # Copy jq executable from the builder stage
 COPY --from=builder /usr/bin/jq /usr/bin/jq
 
-# Copy trustify-da-javascript-client executable from the builder stage
-COPY --from=builder /opt/app-root/src/.npm-global/ /opt/app-root/src/.npm-global/
+# Copy trustify-da-javascript-client from the builder stage
+COPY --from=builder /app /app
 
 # Copy RHDA executable script from the builder stage
 COPY --from=builder /rhda.sh /rhda.sh
diff --git a/docker-image/README.md b/docker-image/README.md
index ffb617ba..3fa44fc6 100644
--- a/docker-image/README.md
+++ b/docker-image/README.md
@@ -1,7 +1,7 @@
-# Exhort Javascript API Docker Images
+# Trustify Dependency Analytics Javascript Client Container Images
 
-These dockerfiles provides all nessesary components to generate images for Red Hat Dependency Analytics (RHDA).
-These images can be used as base images to set up the necessary environment and dependencies for running the Red Hat Dependency Analytics.
+These dockerfiles provides all nessesary components to generate images for Trustify Dependency Analytics.
+These images can be used as base images to set up the necessary environment and dependencies for running the Trustify Dependency Analytics.
 
 ## Prerequisites
 Before getting started, ensure that you have one of the following prerequisites installed on your system:
@@ -9,13 +9,13 @@ Before getting started, ensure that you have one of the following prerequisites - Docker: [Installation Guide](https://docs.docker.com/get-docker/) - Podman: [Installation Guide](https://podman.io/docs/installation) -Both Docker and Podman are container runtimes that can be used to build and run the Red Hat Dependency Analytics images. You can choose either Docker or Podman based on your preference and the compatibility with your operating system. +Both Docker and Podman are container runtimes that can be used to build and run the Trustify Dependency Analytics images. You can choose either Docker or Podman based on your preference and the compatibility with your operating system. -## Images generated for Exhort Javascript API +## Images generated for Trustify Dependency Analytics Javascript Client Ecosystem | Version | IMAGE | TAG | ------------------------------| ------------------------------------------------------------------ | ----------------------------------------------- |-------------------| -Maven, NPM, Golang | mvn 3.9.6,
npm 10.2.4,
go 1.21.5,
python \ | quay.io/ecosystem-appeng/trustify-da-javascript-client | 0.1.1-ea.26 | +Maven, NPM, Golang | mvn 3.9.6,
npm 10.2.4,
go 1.21.5,
python \ | ghcr.io/guacsec/trustify-da-javascript-client | 0.2.4-ea.12 | ## Usage Notes diff --git a/docker-image/scripts/rhda.sh b/docker-image/scripts/rhda.sh index 5a53dad8..96d24c54 100644 --- a/docker-image/scripts/rhda.sh +++ b/docker-image/scripts/rhda.sh @@ -19,11 +19,11 @@ then # Print stderr message to console error_message=$(sed -n '/^Error:/p' error.log) - printf "\n[ERROR] Red Hat Dependency Analytics failed with exit code $exit_code.\n$error_message" + printf "\n[ERROR] Trustify Dependency Analytics failed with exit code $exit_code.\n$error_message" exit 1 else # In case of success print report summary into console -printf "\nRed Hat Dependency Analytics Report\n" +printf "\nTrustify Dependency Analytics Report\n" printf "=%.0s" {1..50} printf "\n" printf "Dependencies\n" diff --git a/integration/scenarios/maven/expected_stack_html b/integration/scenarios/maven/expected_stack_html index b1249f67..24592baa 100644 --- a/integration/scenarios/maven/expected_stack_html +++ b/integration/scenarios/maven/expected_stack_html @@ -196,7 +196,7 @@ # Transitive Highest CVSS Highest Severity - Red Hat remediation available + Remediation available @@ -563,7 +563,7 @@
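Review bot: In rhda.sh, `printf "\n[ERROR] Trustify Dependency Analytics failed with exit code $exit_code.\n$error_message"` expands `$error_message` inside printf's format string, so any `%` in the captured stderr (a percent-encoded URL, a progress percentage in a tool's error output) is read as a conversion specifier and prints garbage or fails with `printf: invalid format character`. Pass the data as arguments instead: `printf "\n[ERROR] Trustify Dependency Analytics failed with exit code %s.\n%s" "$exit_code" "$error_message"`. The enclosing if/else opens before this hunk and closes after it, so check the other printf calls in the same block for the same pattern.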