ci: add Grype CVE scanning workflow, clean up vulnerable deps #1605
Open
coopernetes wants to merge 1 commit into
✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.
Dependency Review: No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Codecov Report: All modified and coverable lines are covered by tests.
Coverage Diff (main vs. #1605):
             main     #1605    +/-
Coverage     85.38%   85.51%   +0.12%
Files        83       83
Lines        7878     7878
Branches     1312     1312
Hits         6727     6737    +10
Misses       1123     1114    -9
Partials     28       27      -1
Adds a Grype CVE scanning workflow that runs on push, PR, and weekly schedule. Scans package-lock.json (not the working directory) to avoid false positives from CI runner tooling. Uploads SARIF to the Security tab and a table report as an artifact. Fails on high severity with a fix available.

Dependency bumps (all same-major, no breaking changes):
- concurrently 9.2.1 → 9.2.3 (shell-quote critical: GHSA-w7jw-789q-3m8p)
- vitest 3.2.4 → 3.2.6 (critical: arbitrary file read)
- @vitest/coverage-v8 3.2.4 → 3.2.6 (depends on vitest)
- vite 7.3.1 → 7.3.5 (high: GHSA-fx2h-pf6j-xcff)
- cypress 15.9.0 → 15.17.0 (tmp, qs, uuid transitives)
- react-router-dom 6.30.3 → 6.30.4 (moderate: GHSA-2j2x-hqr9-3h42)

Overrides for transitive deps whose parents haven't released fixes:
- form-data 4.0.5 → 4.0.6 (high: GHSA-hmw2-7cc7-3qxx)
- tmp 0.2.5 → 0.2.6 (high: path traversal)

Reduces total vulnerabilities from 19 to 7 (0 critical, 0 high).
Description
Adds CVE scanning via Grype and fixes all high/critical vulnerabilities in the main project's dependencies.
Note that the OpenSSF scorecard is flagging a number of existing vulnerabilities. Also, for some reason (oversight?), Dependabot alerts are disabled.
Dependency review remains and will catch any new dependencies being added. The CVE scan workflow is more complete and also adds a scheduled scan every Monday morning for ongoing hygiene. Not a required check for PRs so should be fine to introduce — audit the findings then action them accordingly.
Alternatively, this PR can be closed and Dependabot alerts can just be enabled since the version bumping is already handled by Dependabot anyways. This will require intervention from FINOS and agreement on if Dependabot is the tool of choice for generating alerts.
Findings available here: https://github.com/finos/git-proxy/security/code-scanning?query=is%3Aopen+pr%3A1605
The new workflow will also output the results (has to scan twice unfortunately) to a table format for quick review in the workflow logs.
CVE scanning workflow
- --only-fixed (only reports CVEs that have a fix available)
- --fail-on high
- ./experimental/** excluded — li-cli and license-inventory have their own dependency trees with unrelated vulnerabilities. The exclude can be removed once those packages are updated.
Dependency bumps
All same-major, no breaking changes (🤞):
- concurrently 9.2.1 → 9.2.3 (shell-quote critical: GHSA-w7jw-789q-3m8p)
- vitest 3.2.4 → 3.2.6 (critical: arbitrary file read)
- @vitest/coverage-v8 3.2.4 → 3.2.6 (depends on vitest)
- vite 7.3.1 → 7.3.5 (high: GHSA-fx2h-pf6j-xcff)
- cypress 15.9.0 → 15.17.0 (tmp, qs, uuid transitives)
- react-router-dom 6.30.3 → 6.30.4 (moderate: GHSA-2j2x-hqr9-3h42)
npm overrides
For transitive deps whose direct parents are already at latest and haven't released fixes:
- form-data 4.0.5 → 4.0.6 (high: GHSA-hmw2-7cc7-3qxx)
- tmp 0.2.5 → 0.2.6 (high: path traversal)
form-data is pinned to ^4.0.5 in cypress's own resolutions. tmp is a direct dependency of cypress at ~0.2.4. Both overrides can be removed when cypress releases a version that bumps these.
Result
Total vulnerabilities: 19 → 7 (0 critical, 0 high). The remaining 7 are moderate/low in nyc (requires major 17→18), @babel/core (low), and brace-expansion (moderate via c8).
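The gating policy described in the workflow section and the commit message (--only-fixed, --fail-on high, and the severity counts behind "19 → 7 (0 critical, 0 high)"), worked through as an added Python example that is not code from this PR or from git-proxy; it assumes Grype's JSON output layout (matches[].vulnerability with id, severity and fix.state, plus artifact) and runs over a constructed sample in which a critical finding with no fix available is dropped by --only-fixed, which is exactly why such a gate can report 0 critical while the unfiltered scan still lists one.

```python
import json

# Grype severity labels, least to most severe.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample in Grype's JSON shape. The form-data and tmp rows use the
# versions from the PR; the other ids, names and versions are placeholders.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-hmw2-7cc7-3qxx", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["4.0.6"]}},
     "artifact": {"name": "form-data", "version": "4.0.5"}},
    {"vulnerability": {"id": "GHSA-PLACEHOLDER-0001", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["0.2.6"]}},
     "artifact": {"name": "tmp", "version": "0.2.5"}},
    {"vulnerability": {"id": "GHSA-PLACEHOLDER-0002", "severity": "Critical",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "pkg-without-fix", "version": "1.0.0"}},
    {"vulnerability": {"id": "GHSA-PLACEHOLDER-0003", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["2.0.2"]}},
     "artifact": {"name": "pkg-moderate", "version": "2.0.1"}},
]})

def load_matches(grype_json):
    return json.loads(grype_json)["matches"]

def only_fixed(matches):
    """Mirror --only-fixed: keep findings whose fix state is 'fixed'."""
    return [m for m in matches if m["vulnerability"].get("fix", {}).get("state") == "fixed"]

def rank(match):
    sev = match["vulnerability"].get("severity", "Unknown")
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0

def severity_counts(matches):
    """Per-severity totals, the numbers behind 'N total (x critical, y high)'."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for m in matches:
        counts[SEVERITY_ORDER[rank(m)]] += 1
    return counts

def should_fail(matches, fail_on="High"):
    """Mirror --fail-on: True when any finding is at or above the cutoff."""
    return any(rank(m) >= SEVERITY_ORDER.index(fail_on) for m in matches)

def gate(grype_json, fail_on="High"):
    """Apply the workflow's policy; returns (build_should_fail, counts) over fixable findings."""
    fixable = only_fixed(load_matches(grype_json))
    return should_fail(fixable, fail_on), severity_counts(fixable)

if __name__ == "__main__":
    print(gate(SAMPLE_GRYPE_JSON))
```

Feed it the JSON from a real run (grype -o json) to see which findings are actually actionable under the PR's flags versus what the unfiltered scan reports.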