Closed JackPGreen closed 4 months ago
Have you compared scan results from this PR branch and master?
@JackPGreen any comment on that?
Yes, it's fine. Before we were only failing because of Java dependencies, now we're passing.
| | master | DI-50---Remove-java-artifacts-scanning-from-hazelcast-docker |
|---|---|---|
| Trivy | Scans base image, no vulnerabilities; scans JAR contents, finds vulnerabilities | Scans base image, no vulnerabilities |
| Dockle | Fails with: `unable to initialize a image struct: failed to initialize source: {...}: requested access to the resource is denied` | Scans base image, finds some (ignored) vulnerabilities |
| Snyk | Scans base image, no vulnerabilities; scans JAR contents, finds vulnerabilities | Scans base image, no vulnerabilities |
The vulnerability scan workflow is regularly failing because of false-positive vulnerabilities inside the Hazelcast distribution JAR.
We already scan, manage and catalogue vulnerabilities upstream for the wider Hazelcast product, so this additional layer is not properly managed and ends up failing.
Reworked these checks to only focus on the Docker image, not the Hazelcast distribution, by replacing the Hazelcast distribution with a dummy empty ZIP.
Having got the scanners working, it became apparent we are also affected by https://github.com/goodwithtech/dockle-action/issues/7 - so until my fix is merged upstream, I've moved this action onto using my fixed branch in a fork, instead.
Also refactored duplicated OS + EE job to use a centralised matrix.
Fixes: DI-50
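The workflow shape the description outlines (scan only the image layers by building against an empty ZIP, and drive the OS and EE variants from one matrix instead of two copied jobs), shown as an added example. This is not the hazelcast-docker project's own workflow: the edition names, the Dockerfile paths, the `HZ_DISTRIBUTION` build argument and the `FORK_OWNER/FORK_BRANCH` placeholder for the patched dockle-action are assumptions.

```yaml
# Added example, not the project's workflow. Assumed: edition names,
# Dockerfile paths, HZ_DISTRIBUTION build-arg, fork placeholders.
name: vulnerability-scan

on:
  pull_request:
  schedule:
    - cron: "0 6 * * *"   # daily run so newly published base-image CVEs are caught

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # report both editions even if one fails
      matrix:
        edition: [oss, ee]      # assumed edition names
        include:
          - edition: oss
            dockerfile: hazelcast-oss/Dockerfile          # assumed path
          - edition: ee
            dockerfile: hazelcast-enterprise/Dockerfile   # assumed path
    steps:
      - uses: actions/checkout@v4

      # The scanners should only see the image layers (OS packages, JRE),
      # not the Hazelcast JARs that are already catalogued upstream, so the
      # real distribution is swapped for an empty ZIP at build time.
      - name: Create dummy distribution
        run: python3 -c 'import zipfile; zipfile.ZipFile("dummy.zip", "w").close()'

      # HZ_DISTRIBUTION is an assumed build-arg name for the distribution path.
      - name: Build image
        run: |
          docker build \
            --build-arg HZ_DISTRIBUTION=dummy.zip \
            -f "${{ matrix.dockerfile }}" \
            -t "hazelcast-scan:${{ matrix.edition }}" .

      - name: Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: hazelcast-scan:${{ matrix.edition }}
          format: table
          exit-code: "1"          # fail the job on findings
          ignore-unfixed: true    # skip CVEs with no available fix
          severity: CRITICAL,HIGH

      # Pinned to a fork until the upstream dockle-action fix is merged;
      # FORK_OWNER/FORK_BRANCH are placeholders.
      - name: Dockle
        uses: FORK_OWNER/dockle-action@FORK_BRANCH
        with:
          image: hazelcast-scan:${{ matrix.edition }}
          exit-code: "1"
          exit-level: warn
```

The matrix `include` list is what lets a single job replace the duplicated OS and EE jobs: each entry carries only the values that differ per edition, while the build and scan steps stay identical. Pinning third-party actions to a tag or commit SHA rather than `@master` is the usual next hardening step once the fork is no longer needed.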