telefonicaid / fiware-orion

Context Broker and CEF building block for context data management, providing NGSI interfaces.
https://fiware-orion.rtfd.io/
GNU Affero General Public License v3.0

How to check the common vulnerabilities in Fiware orion? #4038

Open Anjali-NEC opened 2 years ago

Anjali-NEC commented 2 years ago

@fgalan

I want to check the common vulnerabilities in fiware orion on a weekly basis. Is there any way to check common vulnerabilities of orion or other fiware components?

Please provide some information about how to check the common vulnerabilities in fiware orion. Thanks.

fgalan commented 2 years ago

FIWARE Foundation staff (@flopezag or @wistefan ) may provide information on this.

chandradeep11 commented 2 years ago

@fgalan @flopezag @wistefan Not only for Fiware-Orion, but also: how can we check the CVEs in all FIWARE GEs like IoT agent, Cygnus, Quantumleap, STH-Comet, Cepheus?

wistefan commented 2 years ago

@Anjali-NEC @Chandradeep-NEC Hi, we now do run nightly scans on released containers for GEs in the catalogue: https://github.com/FIWARE/catalogue/actions/workflows/container-scan.yml The results are published here: https://github.com/FIWARE/catalogue/tree/container-scan-results/reports

The job relies on a proper config.json, as mandated by the FIWARE GE contribution requirements: https://fiware-requirements.readthedocs.io/en/latest/docker_templates/index.html#containerization-templates

If a GE is not listed in the container-scan-results, please contact them to add a proper config.json.
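For a weekly check of the kind asked about above, the published scan reports still have to be triaged. The following is an added example, not code from this thread or from the FIWARE catalogue job: it assumes the scanner emits a Trivy-style JSON report (the thread does not say which scanner is used), gates on fixable HIGH/CRITICAL findings, and diffs two reports so that only findings new since the last run are surfaced. Image name, CVE ids and package names are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in a Trivy-like JSON layout (assumption; all values made up).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/orion:placeholder-tag",
    "Results": [
        {"Target": "example/orion:placeholder-tag (os packages)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
              "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "LOW"}]},
        # Scanners commonly emit a target with no findings as null, not [].
        {"Target": "Python", "Vulnerabilities": None}]})

# Last week's constructed report: only the CRITICAL one was already known.
PREVIOUS_REPORT = json.dumps({"Results": [{"Target": "os", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
     "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"}]}]})


def findings(report_json):
    """Flatten a report into a dict keyed by (CVE id, package)."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # tolerate null/missing
            out[(v["VulnerabilityID"], v.get("PkgName", ""))] = v
    return out


def triage(report_json, gate=("CRITICAL", "HIGH")):
    """Return (severity counts, fixable gated findings, fail flag).

    Only findings with a FixedVersion trip the gate: an unfixed CVE cannot be
    remediated by rebuilding the image, so it is reported but does not fail."""
    counts, fixable = Counter(), []
    for (cve, pkg), v in findings(report_json).items():
        sev = v.get("Severity", "UNKNOWN")
        counts[sev] += 1
        if sev in gate and v.get("FixedVersion"):
            fixable.append((cve, pkg, v["InstalledVersion"], v["FixedVersion"]))
    return counts, sorted(fixable), bool(fixable)


def new_findings(previous_json, current_json):
    """CVE ids present in the current report but absent from the previous one."""
    return sorted(c for c, _ in set(findings(current_json)) - set(findings(previous_json)))
```

Run weekly against the latest published report and the previous one; `triage` tells you whether a rebuild would remove anything, and `new_findings` keeps the notification limited to what changed.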

Anjali-NEC commented 2 years ago

Hi @wistefan

Please add the below GEs in the container-scan-results: Orion, Cygnus, STH-Comet and Cepheus.

wistefan commented 2 years ago

Hi @Anjali-NEC, as mentioned, the report is automatically created based on the config.json, which is the responsibility of the GE maintainers. There are open PRs for them:

I don't know Cepheus; it's not part of the catalogue and therefore will not be covered by the scan.