Sage-Bionetworks / sage-monorepo

Where OpenChallenges, Schematic, and other Sage open source apps are built
https://sage-bionetworks.github.io/sage-monorepo/
Apache License 2.0

feat(model-ad): build and publish MODEL-AD app and mongo images #2710

Closed tschaffter closed 2 weeks ago

tschaffter commented 2 weeks ago

Changelog

Notes

Merging this PR to main will build, scan and publish the image to GHCR.

Preview

Build the image of the app (with SSR)

nx build-image model-ad-app

Scan the image with Trivy

$ nx scan-image model-ad-app

> nx run model-ad-app:scan-image

ghcr.io/sage-bionetworks/model-ad-app:local (alpine 3.18.4)

Total: 17 (UNKNOWN: 0, LOW: 2, MEDIUM: 13, HIGH: 2, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2023-42366 │ MEDIUM   │ fixed  │ 1.36.1-r2         │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                  │
├───────────────┤                │          │        │                   │               │                                                             │
│ busybox-binsh │                │          │        │                   │               │                                                             │
│               │                │          │        │                   │               │                                                             │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto3    │ CVE-2023-5363  │ HIGH     │        │ 3.1.3-r0          │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing      │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363                   │
│               ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-5678  │ MEDIUM   │        │                   │ 3.1.4-r1      │ openssl: Generating excessively long X9.42 DH keys or       │
│               │                │          │        │                   │               │ checking excessively long X9.42...                          │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-6129  │          │        │                   │ 3.1.4-r3      │ mysql: openssl: POLY1305 MAC implementation corrupts vector │
│               │                │          │        │                   │               │ registers on PowerPC                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-6237  │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public   │
│               │                │          │        │                   │               │ keys                                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-0727  │          │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-4603  │          │        │                   │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and         │
│               │                │          │        │                   │               │ parameters                                                  │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                   │
│               ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in   │
│               │                │          │        │                   │               │ TLSv1.3                                                     │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                   │
├───────────────┼────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3       │ CVE-2023-5363  │ HIGH     │        │                   │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing      │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363                   │
│               ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-5678  │ MEDIUM   │        │                   │ 3.1.4-r1      │ openssl: Generating excessively long X9.42 DH keys or       │
│               │                │          │        │                   │               │ checking excessively long X9.42...                          │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-6129  │          │        │                   │ 3.1.4-r3      │ mysql: openssl: POLY1305 MAC implementation corrupts vector │
│               │                │          │        │                   │               │ registers on PowerPC                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2023-6237  │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public   │
│               │                │          │        │                   │               │ keys                                                        │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-0727  │          │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                   │
│               ├────────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-4603  │          │        │                   │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and         │
│               │                │          │        │                   │               │ parameters                                                  │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                   │
│               ├────────────────┼──────────┤        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in   │
│               │                │          │        │                   │               │ TLSv1.3                                                     │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                   │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2023-42366 │ MEDIUM   │        │ 1.36.1-r2         │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                             │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                  │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Node.js (node-pkg)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                          Title                           │
├────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ ip (package.json)  │ CVE-2024-29415 │ HIGH     │ affected │ 2.0.0             │               │ node-ip: Incomplete fix for CVE-2023-42282               │
│                    │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-29415               │
│                    ├────────────────┼──────────┼──────────┤                   ├───────────────┼──────────────────────────────────────────────────────────┤
│                    │ CVE-2023-42282 │ MEDIUM   │ fixed    │                   │ 2.0.1, 1.1.9  │ nodejs-ip: arbitrary code execution via the isPublic()   │
│                    │                │          │          │                   │               │ function                                                 │
│                    │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42282               │
├────────────────────┼────────────────┤          │          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ tar (package.json) │ CVE-2024-28863 │          │          │ 6.1.15            │ 6.2.1         │ node-tar is a Tar for Node.js. node-tar prior to version │
│                    │                │          │          │                   │               │ 6.2.1 has...                                             │
│                    │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28863               │
└────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

—————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————

 NX   Successfully ran target scan-image for project model-ad-app (12s)

Start the app with Docker Compose

After building the image,

nx serve-detach model-ad-app

Build, scan, and start the Mongo image

nx build-image model-ad-mongo
nx scan-image model-ad-mongo
nx serve-detach model-ad-mongo
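The scan step above is only useful as a merge gate if its result can fail the pipeline; the following added example (not part of this PR or of sage-monorepo) reads the text that Trivy prints per target, as shown in the scan output above, and returns non-zero when the HIGH or CRITICAL counts exceed a budget. It assumes the gate is fed the same table output that the nx scan-image target prints; the sample input is a constructed excerpt of that output.

```shell
#!/bin/sh
# Added example, not code from the PR or the sage-monorepo project: a merge gate
# over Trivy's table output. Trivy prints one "Total:" summary line per scanned
# target (the OS packages and the Node.js packages here), so the gate sums a
# severity across all of them before comparing against the budget.

# Constructed sample: the per-target summary lines from the scan shown above.
SAMPLE_SCAN='ghcr.io/sage-bionetworks/model-ad-app:local (alpine 3.18.4)
Total: 17 (UNKNOWN: 0, LOW: 2, MEDIUM: 13, HIGH: 2, CRITICAL: 0)
Node.js (node-pkg)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)'

# count_severity <SEVERITY>: read scan output on stdin and print the sum of
# that severity over every "Total:" line (0 when no summary line is present).
count_severity() {
  sev="$1"
  grep '^Total:' | sed -n "s/.*$sev: \([0-9]*\).*/\1/p" \
    | awk '{ s += $1 } END { print s + 0 }'
}

# trivy_gate <max_high> <max_critical>: read scan output on stdin; return 0
# when both counts are within budget, 1 otherwise (so it can fail a CI job).
trivy_gate() {
  max_high="$1"
  max_critical="$2"
  report=$(cat)
  high=$(printf '%s\n' "$report" | count_severity HIGH)
  critical=$(printf '%s\n' "$report" | count_severity CRITICAL)
  echo "HIGH=$high (max $max_high) CRITICAL=$critical (max $max_critical)"
  [ "$critical" -le "$max_critical" ] && [ "$high" -le "$max_high" ]
}

# Demo: the scan above carries 3 HIGH findings in total, so a zero-HIGH budget
# blocks the merge while a budget of 3 lets it through.
if printf '%s\n' "$SAMPLE_SCAN" | trivy_gate 0 0; then
  echo "gate: pass"
else
  echo "gate: FAIL (findings exceed budget)"
fi
```

In a real pipeline the report would come from the scan target itself, for example `nx scan-image model-ad-app | trivy_gate 0 0`; note that a finding with status "affected" and no fixed version, like the ip package above, cannot be cleared by an upgrade and needs a replacement or an explicit, documented exception.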

tschaffter commented 2 weeks ago

Build all the MODEL-AD images at once

The following command had been previously added to dev-env.sh to build all the images of the MODEL-AD stack:

$ model-ad-build-images

   ✔  nx run model-ad-app:build:production  [local cache]
   ✔  nx run model-ad-app:server:production  [local cache]
   ✔  nx run model-ad-mongo:build-image (2s)
   ✔  nx run model-ad-app:build-image (2s)