Merge pull request #278 from Nordix/security

Add Security scan tools + fix CVEs

Author: LionelJouin

Makefile

@@ -1,6 +1,7 @@
 
 .PHONY: default
-default: base-image load-balancer proxy tapa ipam nsp ctraffic frontend
+default:
+	$(MAKE) -s $(IMAGES)
 
 .PHONY: all
 all: default
@@ -12,6 +13,8 @@ help: ## Display this help.
 # Variables
 ############################################################################
 
+IMAGES ?= base-image load-balancer proxy tapa ipam nsp ctraffic frontend
+
 # Versions
 VERSION ?= latest
 VERSION_LOAD_BALANCER ?= $(VERSION)
@@ -42,11 +45,14 @@ GINKGO = $(shell pwd)/bin/ginkgo
 MOCKGEN = $(shell pwd)/bin/mockgen
 PROTOC_GEN_GO = $(shell pwd)/bin/protoc-gen-go
 PROTOC_GEN_GO_GRPC = $(shell pwd)/bin/protoc-gen-go-grpc
+NANCY = $(shell pwd)/bin/nancy
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 
 BUILD_DIR ?= build
 BUILD_STEPS ?= build tag push
 
+OUTPUT_DIR ?= _output/
+
 #############################################################################
 # Container: Build, tag, push
 #############################################################################
@@ -67,39 +73,39 @@ push:
 
 .PHONY: base-image
 base-image: ## Build the base-image
-	VERSION=$(VERSION_BASE_IMAGE) IMAGE=base-image $(MAKE) $(BUILD_STEPS)
+	VERSION=$(VERSION_BASE_IMAGE) IMAGE=base-image $(MAKE) -s $(BUILD_STEPS)
 
 .PHONY: debug-image
 debug-image: ## Build the debug-image
 	docker build -t $(DEBUG_IMAGE) -f ./build/debug/Dockerfile .
 
 .PHONY: load-balancer
 load-balancer: ## Build the load-balancer.
-	VERSION=$(VERSION_LOAD_BALANCER) IMAGE=load-balancer $(MAKE) $(BUILD_STEPS)
+	VERSION=$(VERSION_LOAD_BALANCER) IMAGE=load-balancer $(MAKE) -s $(BUILD_STEPS)
 
 .PHONY: proxy
 proxy: ## Build the proxy.
-	VERSION=$(VERSION_PROXY) IMAGE=proxy $(MAKE) $(BUILD_STEPS)
+	VERSION=$(VERSION_PROXY) IMAGE=proxy $(MAKE) -s $(BUILD_STEPS)
 
 .PHONY: tapa
 tapa: ## Build the tapa.
-	VERSION=$(VERSION_TAPA) IMAGE=tapa $(MAKE) $(BUILD_STEPS)
+	VERSION=$(VERSION_TAPA) IMAGE=tapa $(MAKE) -s $(BUILD_STEPS)
 
 .PHONY: ipam
 ipam: ## Build the ipam.
-	VERSION=$(VERSION_IPAM) IMAGE=ipam $(MAKE) $(BUILD_STEPS)
+	VERSION=$(VERSION_IPAM) IMAGE=ipam $(MAKE) -s $(BUILD_STEPS)
 
 .PHONY: nsp
 nsp: ## Build the nsp.
-	VERSION=$(VERSION_NSP) IMAGE=nsp $(MAKE) $(BUILD_STEPS)
+	VERSION=$(VERSION_NSP) IMAGE=nsp $(MAKE) -s $(BUILD_STEPS)
 
 .PHONY: ctraffic
 ctraffic: ## Build the ctraffic.
-	VERSION=$(VERSION_CTRAFFIC) IMAGE=ctraffic $(MAKE) $(BUILD_STEPS)
+	VERSION=$(VERSION_CTRAFFIC) IMAGE=ctraffic $(MAKE) -s $(BUILD_STEPS)
 
 .PHONY: frontend
 frontend: ## Build the frontend.
-	VERSION=$(VERSION_FRONTEND) IMAGE=frontend $(MAKE) $(BUILD_STEPS)
+	VERSION=$(VERSION_FRONTEND) IMAGE=frontend $(MAKE) -s $(BUILD_STEPS)
 
 #############################################################################
 ##@ Testing & Code check
@@ -133,6 +139,38 @@ cover:
 .PHONY: check
 check: lint test ## Run the linter and the Unit tests.
 
+#############################################################################
+##@ Security Scan
+#############################################################################
+
+# https://github.com/anchore/grype
+.PHONY: grype
+grype: ## Run grype scanner on images.
+	@BUILD_STEPS=grype-scan $(MAKE) -s $(IMAGES)
+
+.PHONY: grype-scan
+grype-scan: output-dir
+	docker run --rm \
+	--volume /var/run/docker.sock:/var/run/docker.sock \
+	--name Grype anchore/grype:v0.47.0 \
+	$(REGISTRY)/$(IMAGE):$(VERSION) --add-cpes-if-none > $(OUTPUT_DIR)/grype_$(IMAGE)_$(VERSION).txt
+
+# https://github.com/aquasecurity/trivy
+.PHONY: trivy
+trivy: ## Run trivy scanner on images.
+	@BUILD_STEPS=trivy-scan $(MAKE) -s $(IMAGES)
+
+.PHONY: trivy-scan
+trivy-scan: output-dir
+	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
+    -v $(HOME)/Library/Caches:/root/.cache/ aquasec/trivy:0.31.3 image \
+	$(REGISTRY)/$(IMAGE):$(VERSION) > $(OUTPUT_DIR)/trivy_$(IMAGE)_$(VERSION).txt
+
+# https://github.com/sonatype-nexus-community/nancy
+.PHONY: nancy
+nancy: nancy-tool ## Run nancy scanner on dependencies.
+	go list -json -deps ./... | nancy sleuth
+	
 #############################################################################
 ##@ Code generation
 #############################################################################
@@ -160,6 +198,10 @@ proto: ipam-proto nsp-proto ambassador-proto ## Compile the proto.
 # Tools
 #############################################################################
 
+.PHONY: output-dir
+output-dir:
+	mkdir -p $(OUTPUT_DIR)
+
 .PHONY: golangci-lint
 golangci-lint:
 	$(call go-get-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/[email protected])
@@ -189,6 +231,10 @@ mockgen:
 ginkgo:
 	$(call go-get-tool,$(GINKGO),github.com/onsi/ginkgo/v2/[email protected])
 
+.PHONY: nancy-tool
+nancy-tool:
+	$(call go-get-tool,$(NANCY),github.com/sonatype-nexus-community/[email protected])
+
 # go-get-tool will 'go get' any package $2 and install it to $1.
 define go-get-tool
 @[ -f $(1) ] || { \

build/base-image/Dockerfile

@@ -4,5 +4,5 @@ RUN apk update && apk add iproute2 tcpdump iputils net-tools \
   && setcap 'cap_sys_ptrace,cap_dac_override+ep' /bin/netstat \
   && setcap 'cap_net_raw+ep' /bin/ping \
   && setcap 'cap_net_raw+ep' /usr/bin/tcpdump
-ADD https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/v0.4.2/grpc_health_probe-linux-amd64 /bin/grpc_health_probe
+ADD https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/v0.4.12/grpc_health_probe-linux-amd64 /bin/grpc_health_probe
 RUN chmod a+x /bin/grpc_health_probe