Added Trivy scan in CI/CD pipeline

[Naveen-Pal]

Resolves #1205

[coderabbitai]

Summary by CodeRabbit

• New Features

  • Integrated automated vulnerability scanning into the deployment pipeline to verify images dedicated for staging and production before deployment.

• Chores

  • Updated the ordering of pipeline tasks to ensure scans occur prior to deployment.
  • Renamed a pipeline task for improved clarity.

Walkthrough

The changes introduce two new GitHub Actions jobs, scan-staging-images and scan-production-images, into the CI/CD pipeline defined in the workflow file. Both jobs leverage the Trivy security scanner to check backend and frontend Docker images for vulnerabilities—specifically those of 'HIGH' or 'CRITICAL' severity—after the corresponding build jobs complete. Additionally, the deployment jobs for staging and production are configured to depend on the successful execution of these scan jobs.

Changes

File	Change Summary
.github/.../run-ci-cd.yaml	Renamed job build-docker-staging-images to build-staging-images, added two new jobs (scan-staging-images and scan-production-images) that scan Docker images using Trivy for vulnerabilities, and updated deployment job dependencies.

Assessment against linked issues

Objective	Addressed	Explanation
Integrate Trivy vulnerability scanning into CI/CD pipeline (#1205)	✅

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 05aba8b and 8350e1d.

📒 Files selected for processing (1)

• .github/workflows/run-ci-cd.yaml (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/run-ci-cd.yaml

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Run frontend unit tests
• GitHub Check: Run frontend e2e tests

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

.github/workflows/run-ci-cd.yaml (4)

231-255: Approve and Suggest: New Scan Job for Staging Images

The new scan-staging-images job is well integrated. It correctly logs in to Docker Hub and invokes the Trivy action to scan both the backend and frontend staging images for vulnerabilities, exiting with code 1 if any 'HIGH' or 'CRITICAL' issues are detected. Consider externalizing the exit-code and severity values into environment variables or job parameters to simplify future adjustments.

---

268-268: Dependency Update: Staging Deployment Job

Adding scan-staging-images as a dependency for the deploy-staging-nest job is a good move. This ensures that deployment will only proceed if the staging images pass the Trivy scan, thereby enforcing a higher security standard.

---

400-424: Approve and Suggest: New Scan Job for Production Images

The scan-production-images job mirrors the staging scan effectively. It logs in to Docker Hub and uses the Trivy action to scan the production backend and frontend images with the appropriate severity thresholds. As with the staging job, consider parameterizing the exit-code and severity settings for easier future maintenance.

---

436-437: Dependency Update: Production Deployment Job

Incorporating scan-production-images as a dependency for the deploy-production-nest job ensures that production deployments only occur after a successful vulnerability scan—this is a solid security enhancement.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ee53ac6 and 05aba8b.

📒 Files selected for processing (1)

• .github/workflows/run-ci-cd.yaml (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Run frontend e2e tests

[Naveen-Pal]

@arkid15r Please let me know if you had anything else in mind.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[arkid15r]

LGTM

[Naveen-Pal]

@coderabbitai suggest the possible way to fix these vulnerability found by trivy.

│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
│ libldap-2.5-0 │ CVE-2023-2953 │ HIGH │ affected │ 2.5.13+dfsg-5 │ │ openldap: null pointer dereference in ber_memalloc_x │
function │
https://avd.aquasec.com/nvd/cve-2023-2953 │
│ perl-base │ CVE-2023-31484 │ │ │ 5.36.0-7+deb12u1 │ │ perl: CPAN.pm does not verify TLS certificates when │
downloading distributions over HTTPS... │
https://avd.aquasec.com/nvd/cve-2023-31484 │
│ zlib1g │ CVE-2023-45853 │ CRITICAL │ will_not_fix │ 1:1.2.13.dfsg-1 │ │ zlib: integer overflow and resultant heap-based buffer │
overflow in zipOpenNewFileInZip4_6 │
https://avd.aquasec.com/nvd/cve-2023-45853 │

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

@Naveen-Pal Based on the vulnerabilities found by Trivy, here are the recommended ways to address each issue:

1. libldap-2.5-0 (CVE-2023-2953) - HIGH

Fix options:

• Update to a patched version: This vulnerability has been fixed in newer Debian packages. Update your Dockerfile to use a newer version of the base image, or update this package specifically with:

  RUN apt-get update && apt-get install -y --only-upgrade libldap-2.5-0

• If you're using a specific Debian version that doesn't have the update, consider switching to a newer Debian release or Ubuntu LTS version.

2. perl-base (CVE-2023-31484)

Fix options:

• This vulnerability affects CPAN.pm's TLS certificate verification. If you're not using CPAN in your container, you can add this to your Trivy configuration to ignore this vulnerability:

  ignoreCves:
    - CVE-2023-31484

• If CPAN is required, ensure you're using the latest perl-base package available for your distribution.

3. zlib1g (CVE-2023-45853) - CRITICAL with "will_not_fix" status

Fix options:

• The "will_not_fix" status suggests the Debian maintainers have decided not to patch this in the current release. This could be because:

  • The vulnerability affects an optional component (minizip) that may not be in use
  • The risk is lower in certain contexts than the CVE rating suggests

  Your options are:

  • If you're not using the zipOpenNewFileInZip4_6 function (part of minizip), you can safely ignore this or add an exception in your Trivy configuration
  • Implement a multistage Docker build to avoid including zlib development files in your final image
  • Use a different base image that either has a patched version or doesn't include this component

General recommendations:

1. Implement vulnerability scanning during development to catch issues earlier
2. Use distroless or minimal base images where possible
3. Configure Trivy to ignore specific vulnerabilities when appropriate:

   # .trivyignore or trivy.yaml
   ignoreCves:
     - CVE-2023-45853  # Not using minizip component

Would you like me to provide more specific advice for your Docker setup or help configure Trivy to handle these findings?

---

🏁 Script executed:

#!/bin/bash
# Check if there's a Dockerfile in the repository to understand the base image and package installation
find . -name "Dockerfile*" | head -n 5

Length of output: 186

---

🌐 Web query:

CVE-2023-2953 libldap vulnerability fix in Debian

💡 Result:

CVE-2023-2953 is a high-severity vulnerability (CVSS 7.5) affecting OpenLDAP's libldap library in Debian systems, caused by a null pointer dereference in the ber_memalloc_x() function. This remote vulnerability allows unauthenticated attackers to trigger denial-of-service conditions or potential code execution through crafted LDAP requests[1][2][6].

Affected Debian Versions

• Bullseye (Debian 11): OpenLDAP 2.4.57+dfsg-3+deb11u1 (vulnerable)
• Bookworm (Debian 12): OpenLDAP 2.5.13+dfsg-5 (vulnerable)
• Trixie/Sid (Testing/Unstable): Fixed in 2.5.16+dfsg-1 (Trixie) and 2.6.9+dfsg-2 (Sid)[4][16]

Fix Implementation

Debian has addressed this in newer releases:

1. Stable Releases (Bullseye/Bookworm):

   • No official security update yet (marked as for minor issues)[4]
   • Monitor for future openldap updates via apt upgrade
   • Consider backported fixes if available from third-party repositories

2. Testing/Unstable (Trixie/Sid):

   sudo apt update && sudo apt upgrade openldap

   Automatically updates to patched versions[4][8]

Workarounds (For Unpatched Systems)

• Limit LDAP service exposure to trusted networks
• Use firewall rules to restrict access to port 389
• Monitor logs for unexpected LDAP connection attempts

Vulnerability Verification

Check installed version:

dpkg -l | grep 'openldap'

Vulnerable if output shows:

• 2.4.57+dfsg-3+deb11u1 (Bullseye)
• 2.5.13+dfsg-5 (Bookworm)[4][6]

Debian maintainers have committed fixes in upstream versions 2.5.14+ and 2.6.4+, with backport commits available in the Debian Security Tracker[4][16]. Users requiring immediate mitigation should consider upgrading to Trixie/Sid or compiling from patched sources until official updates are released for stable branches.

Citations:

• 1: https://vulert.com/vuln-db/bitnami-libldap-2-5-0-137932
• 2: https://www.tenable.com/plugins/nessus/226077
• 3: https://security.snyk.io/vuln/SNYK-DEBIAN11-OPENLDAP-5660622
• 4: https://security-tracker.debian.org/tracker/CVE-2023-2953
• 5: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2953
• 6: https://ubuntu.com/security/CVE-2023-2953
• 7: CVE-2023-31484, CVE-2023-2953, CVE-2023-50387 bitnami/containers#67070
• 8: https://security.snyk.io/vuln/SNYK-DEBIANUNSTABLE-OPENLDAP-5660619
• 9: https://alas.aws.amazon.com/cve/html/CVE-2023-2953.html
• 10: https://security.snyk.io/vuln/SNYK-UBUNTU2204-OPENLDAP-5661784
• 11: https://www.tenable.com/plugins/nessus/226077/changelog
• 12: https://www.suse.com/security/cve/CVE-2023-2953.html
• 13: https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2023-2953/
• 14: Remediate security vulnerabilities on 4.1.0 kubernetes/git-sync#857
• 15: https://access.redhat.com/security/cve/cve-2023-2953
• 16: https://linux.debian.bugs.dist.narkive.com/vRo15b2B/bug-1036995-openldap-cve-2023-2953
• 17: https://security-tracker.debian.org/tracker/source-package/openldap

---

🌐 Web query:

CVE-2023-31484 perl-base vulnerability fix in Debian

💡 Result:

CVE-2023-31484 is a high-severity vulnerability (CVSS 8.1) in Perl's CPAN.pm module that fails to verify TLS certificates when downloading distributions over HTTPS, enabling man-in-the-middle attacks and potential code execution. Here's how to address it in Debian systems:

Fixed Versions by Debian Release

Debian Version	Minimum Secure Version
Bullseye (11)	5.32.1-4+deb11u4
Bookworm (12)	5.36.0-7+deb12u1
Unstable/Sid	5.38.2-2 or newer

Remediation Steps

1. Update package lists:

sudo apt-get update

2. Upgrade perl-base:

sudo apt-get install --only-upgrade perl-base

3. Verify installation:

dpkg -l perl-base | grep "5.32.1-4+deb11u4"  # For Bullseye
dpkg -l perl-base | grep "5.36.0-7+deb12u1"  # For Bookworm

The vulnerability was patched in CPAN.pm 2.35+ by adding mandatory TLS certificate verification through HTTP::Tiny's verify_SSL parameter[2][4]. Debian backported this fix to their stable releases through security advisories DLA-3926-1 (Bullseye) and subsequent updates[3][4].

Systems running older Debian releases like Buster (10) won't receive official fixes and should upgrade to a supported OS version. Cloud/container users should rebuild images using patched base layers from official Debian repositories[6][8].

Citations:

• 1: https://vulert.com/vuln-db/CVE-2023-31484
• 2: https://lists.openembedded.org/g/openembedded-core/topic/patch_perl_fix/99345985
• 3: https://www.tenable.com/plugins/nessus/209443
• 4: https://security-tracker.debian.org/tracker/CVE-2023-31484
• 5: https://www.rapid7.com/db/vulnerabilities/debian-cve-2023-31484/
• 6: CVE-2023-31484, CVE-2023-2953, CVE-2023-50387 bitnami/containers#67070
• 7: Trivy still detect a CVE after installing version tagged as fixed by library maintainer aquasecurity/trivy#6059
• 8: CVE-2023-31484 mitigation on ubuntu 22.04 Azure/AKS#3712
• 9: security issue in redis latest images bitnami/containers#70396
• 10: https://launchpad.net/debian/+source/perl/+changelog
• 11: https://www.tenable.com/plugins/nessus/226562
• 12: https://alas.aws.amazon.com/cve/html/CVE-2023-31484.html
• 13: https://bugs.launchpad.net/bugs/2085500
• 14: https://security.snyk.io/vuln/SNYK-DEBIAN11-PERL-5489191
• 15: double free or corruption (fasttop) during compilation phase on Perl one liner Perl/perl5#21661
• 16: https://access.redhat.com/security/cve/cve-2023-31484

---

🌐 Web query:

CVE-2023-45853 zlib1g vulnerability "will_not_fix" status meaning and workarounds

💡 Result:

CVE-2023-45853 in zlib1g's "will_not_fix" status indicates the maintainers have determined no patch will be released for this vulnerability in the current packaging configuration. This decision typically occurs when:

Key reasons for "will_not_fix" status:

1. Unsupported components - MiniZip isn't officially part of zlib in Debian builds ([7][15])
2. Risk/rebalance assessment - Maintainers deem existing safeguards sufficient ([2][12])
3. Build configuration - Vulnerable code isn't included in distributed packages ([7][15])

Workaround strategies

For systems showing this status in Trivy/Grype scans:

Approach	Implementation	Source
VEX documentation	Create CycloneDX VEX file marking status as not_affected with justification: code_not_reachable	[6][12][18]
Input validation	Sanitize zip filenames/comments to < 65,535 bytes	[3][5]
Dependency analysis	Check if pyminizip/other MiniZip-dependent packages are actually used	[1][3]
Compensating controls	Implement WAF rules blocking oversized zip metadata	[3][19]

Debian maintainers assert zlib1g isn't vulnerable in standard configurations because:

• MiniZip components aren't built in Debian's zlib packages ([7][15])
• Affected functions exist only in source code not used in binary distributions ([7])

When overriding "will_not_fix" status is appropriate

Upgrade paths exist for specific implementations:

# For Chainguard-based systems
apk upgrade 'zlib>=1.3-r1'

# Python environments using vulnerable zlib versions
conda install -c conda-forge python=3.12.1  # Contains backported fix

Monitor: Track upstream zlib developments while maintaining current mitigations[1][3]. Security teams should periodically reassess the risk profile using EPSS scores (current 0.6% exploit probability)[5].

Citations:

• 1: https://www.twingate.com/blog/tips/cve-2023-45853
• 2: https://www.endorlabs.com/learn/how-cyclonedx-vex-makes-your-sbom-useful
• 3: https://www.ogma.in/mitigation-strategies-for-cve-2023-45853-integer-overflow-in-minizip
• 4: https://zenn.dev/zenogawa/articles/k8s_security_trivy
• 5: https://security.snyk.io/vuln/SNYK-CHAINGUARDLATEST-ZLIB-6023888
• 6: https://www.aquasec.com/cloud-native-academy/vulnerability-management/vulnerability-exploitability-exchange/
• 7: https://security-tracker.debian.org/tracker/CVE-2023-45853
• 8: https://learn.microsoft.com/en-us/answers/questions/1526211/are-dbghelp-dll-and-msdia-dll-impacted-by-zlib-vul
• 9: https://gitlab.com/gitlab-org/gitlab/-/issues/423954
• 10: https://community.anaconda.cloud/t/zlib-cve-2023-45853/73249
• 11: https://nvd.nist.gov/vuln/detail/cve-2023-45853
• 12: https://sbom.observer/academy/docs/getting-started/policies
• 13: https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2023-45853/
• 14: Please release 1.3.1 to fix CVE-2023-45853 (9.8 CRITICAL) madler/zlib#868
• 15: Debian Bookworm CVE-2023-45853 in zlib 1:1.2.13.dfsg-1 has been marked as ignored, but trivy still shows it as a vulnerability aquasecurity/trivy#6722
• 16: https://discourse.nixos.org/t/fixing-zlib-cve-2023-45853-in-a-nix-fied-java-app-docker-container/51949
• 17: https://my.f5.com/manage/s/article/K000149884
• 18: https://aquasecurity.github.io/trivy/v0.47/docs/configuration/filtering/
• 19: https://flexerasoftware.my.site.com/flexera/s/article/cve-2023-45853-zlib-vulnerability-impact-on-installshield
• 20: https://aquasecurity.github.io/trivy/v0.44/docs/configuration/filtering/

---

@Naveen-Pal Thanks for sharing these Trivy scan results. Let me provide solutions for each vulnerability:

1. libldap-2.5-0 (CVE-2023-2953) - HIGH

This is a null pointer dereference vulnerability in OpenLDAP's ber_memalloc_x() function affecting Debian systems.

Fix options:

• Update packages: Add this to your Dockerfile:

  RUN apt-get update && apt-get install -y --only-upgrade libldap-2.5-0

• Use a newer base image: If you're using Debian, consider upgrading to Debian Trixie/Sid where this is fixed in version 2.5.16+dfsg-1
• Apply security patches: For production systems, ensure you're applying security updates regularly

2. perl-base (CVE-2023-31484)

Interesting - your installed version (5.36.0-7+deb12u1) should already be the fixed version for Debian 12 (Bookworm). This could be a false positive in Trivy scanning.

Fix options:

• Verify the fix: Check if CPAN.pm is actually used in your application
• Trivy exception: Add this to your .trivyignore file:

  CVE-2023-31484
  

• If you're using Ubuntu instead of Debian, ensure you have the latest updates

3. zlib1g (CVE-2023-45853) - CRITICAL with "will_not_fix" status

The "will_not_fix" status exists because the vulnerable component (MiniZip) isn't included in standard Debian zlib packages, according to Debian maintainers.

Fix options:

• Document exception: Create a VEX document marking this as not_affected with reason code_not_reachable
• Add Trivy exception:

  # .trivyignore
  CVE-2023-45853
  

• Verify usage: Check if your application uses MiniZip functionality (unlikely in most web applications)
• Implement input validation: If you do process ZIP files, validate input sizes

General recommendations:

1. Add a Trivy config file to your repo:

   # trivy.yaml
   vulnerability:
     ignoreUnfixed: true  # Skip vulnerabilities with no fixed version
     ignoreCves:
       - CVE-2023-45853  # Minizip not included in Debian zlib package

2. Use multi-stage builds to minimize the attack surface in your final image

3. Implement regular scanning in your development workflow

Would you like me to help with implementing any of these solutions in your specific Dockerfiles?

Code Analysis Tools

Tool Analysis Results

CodeRabbit ran static analysis tools on your files and found the following:

No specific issues were found in your files. You can proceed with your changes.

[Naveen-Pal]

@arkid15r,
given coderabbit response,
should we consider adding ignore or config file for trivy?

[arkid15r]

@arkid15r, given coderabbit response, should we consider adding ignore or config file for trivy?

I prefer more flexible solution -- use trivy.yaml. Please also migrate CI/CD trivy jobs other options to the config if possible.
Thank you!