hyperledger / cacti

Hyperledger Cacti is a new approach to the blockchain interoperability problem
https://wiki.hyperledger.org/display/cactus
Apache License 2.0

fix(security): vulnerabilities found in corda-4-8-all-in-one #2064

Closed zondervancalvez closed 2 months ago

zondervancalvez commented 2 years ago

List of vulnerabilities found in corda-4-8-all-in-one image during Azure Container scan.

| VULNERABILITY ID | PACKAGE NAME | SEVERITY |
| -- | -- | -- |
| CVE-2021-36159 | apk-tools | CRITICAL |
| CVE-2021-30139 | apk-tools | HIGH |
| CVE-2022-28391 | busybox | CRITICAL |
| CVE-2021-28831 | busybox | HIGH |
| CVE-2021-42378 | busybox | HIGH |
| CVE-2018-15756 | org.springframework:spring-core | HIGH |
| CVE-2022-22970 | org.springframework:spring-core | HIGH |
| CVE-2022-22965 | org.springframework:spring-webmvc | CRITICAL |
| CVE-2020-5398 | org.springframework:spring-webmvc | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |
| CVE-2017-18640 | org.yaml:snakeyaml | HIGH |

Depends on #2621

petermetz commented 2 years ago

P4 because the Corda AIO images are not meant to be used in production.

charellesandig commented 1 year ago

Hi Peter! I'd like to work on this ticket, thank you.

aldousalvarez commented 1 year ago

Hello @jagpreetsinghsasan, I am also currently helping on this one.

github-actions[bot] commented 1 year ago

This PR/issue depends on:

adrianbatuto commented 1 year ago

The vulnerability issues found on the Trivy scan had to do with the Corda jar files. I'll raise a ticket to Corda giving them the list of vulnerabilities we have found so they can fix it. Will update this ticket with the issue ticket raised to Corda once I have it.

petermetz commented 11 months ago

@adrianbatuto Could you please make the issue title unique (CVE ID or IDs of the most severe vulnerabilities is my go-to in these cases - while keeping in mind the maximum length for the commit linter at the same time).

petermetz commented 2 months ago

We've retired the Corda v4.8 AIO image. Also, we'll pause fixes of CVEs in test tools as they are not getting deployed into production.