Add trivy fix vulnerability scan (#92)

* add trivy and use latest node-version

* add trivy

* try non-slim base-image

* make test pass?

* -y for update

* re-add chromium

* use --legacy-peer-deps

* TRIVY_JAVA_DB_REPOSITORY

* try slim

* severity to critical, to align with nginx

* keep scan on HIGH but add ignore for known issue in nginx

.github/workflows/trivy.yml

@@ -0,0 +1,26 @@
+name: Run Trivy vulnerability scanner
+
+on: [ push ]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build wis2box-ui
+        run: |
+          docker build -t wis2box-ui:test .
+      - name: Run Trivy vulnerability scanner on wis2box-ui
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          image-ref: 'wis2box-ui:test'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          ignorefile: '.trivyignore'

.trivyignore

@@ -0,0 +1,2 @@
+# not fixed in nginx, does not appear to be a security issue
+CVE-2023-49462

Dockerfile

@@ -1,9 +1,9 @@
-FROM node:14.18.1 as ui-builder
+FROM node:23.1.0-slim as ui-builder
 
 RUN mkdir /usr/src/app
 RUN echo "deb http://archive.debian.org/debian stretch main" > /etc/apt/sources.list \
-    && apt-get update \
-    && apt-get upgrade \
+    && apt-get -y update \
+    && apt-get -y upgrade \
     && apt-get install -y chromium
 
 ENV PATH /usr/src/app/node_modules/.bin:$PATH
@@ -13,7 +13,7 @@ COPY package.json /usr/src/app/package.json
 
 WORKDIR /usr/src/app
 
-RUN npm install && \
+RUN npm install --legacy-peer-deps && \
     npm install -g @vue/cli
 
 COPY . /usr/src/app