Merge pull request #2052 from consideRatio/pr/vuln-scan-fixes

vuln-scan: fix all fixable vulns, and bugfix automation, and bump singleuser-sample

.github/workflows/vuln-scan.yaml

@@ -74,7 +74,6 @@ jobs:
           format: json # ref: https://github.com/aquasecurity/trivy#save-the-results-as-json
           output: tmp/scan_1.json
           ignore-unfixed: true
-          severity: "CRITICAL,HIGH"
           exit-code: "1"
         # Keep running the subsequent steps of the job, they are made to
         # explicitly adjust based on this step's outcome.
@@ -98,7 +97,6 @@ jobs:
           format: json # ref: https://github.com/aquasecurity/trivy#save-the-results-as-json
           output: tmp/scan_2.json
           ignore-unfixed: true
-          severity: "CRITICAL,HIGH"
 
       # Analyze the scan reports. If they differ, we want to proceed and create
       # or update a PR. We use a hash from the final scan report as an
@@ -107,6 +105,8 @@ jobs:
         id: analyze
         if: steps.rebuild.outcome == 'success'
         run: |
+          echo "::set-output name=utc_time::$(date --utc +'%F_%T')"
+
           json_to_misc() {
               # Count vulnerabilities
               VULNERABILITY_COUNT="$(cat tmp/scan_$1.json | jq -r '[.[].Vulnerabilities | select(type == "array") | add] | select(. != null) | length')"
@@ -155,7 +155,6 @@ jobs:
           image-ref: rebuilt-image
           format: table
           ignore-unfixed: true
-          severity: "CRITICAL,HIGH"
 
       - name: Decision to not proceed
         if: steps.analyze.outputs.proceed == 'no'
@@ -168,13 +167,13 @@ jobs:
       # -----------------------------------------------------------------------
 
       # ref: https://github.com/jacobtomlinson/gha-find-replace
-      - name: Update VULN_SCAN_HASH in Dockerfile
+      - name: Update VULN_SCAN_TIME in Dockerfile
         if: steps.analyze.outputs.proceed == 'yes'
         uses: jacobtomlinson/gha-find-replace@0.1.2
         with:
           include: "images/${{ matrix.image_ref }}/Dockerfile"
-          find: "#.*VULN_SCAN_HASH=.*"
-          replace: "# VULN_SCAN_HASH=${{ steps.analyze.outputs.hash_2 }}"
+          find: "#.*VULN_SCAN_TIME=.*"
+          replace: "# VULN_SCAN_TIME=${{ steps.analyze.outputs.utc_time }}"
 
       # The create-pull-request action is smart enough to only create/update a
       # PR if there is a change to anything not .gitignored. A change will be
@@ -194,7 +193,6 @@ jobs:
 
             ## About
             This scan for known vulnerabilities has been made by [aquasecurity/trivy](https://github.com/aquasecurity/trivy). Trivy was configured to filter the vulnerabilities with the following settings:
-            - severity:       `CRITICAL,HIGH`
             - ignore-unfixed: `true`
 
             ## Before

images/hub/Dockerfile

@@ -1,6 +1,6 @@
 FROM ubuntu:20.04
 
-# VULN_SCAN_HASH=
+# VULN_SCAN_TIME=
 
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8

images/image-awaiter/Dockerfile

@@ -1,7 +1,7 @@
 # compile the code to an executable using an intermediary image
 FROM golang:1.15
 
-# VULN_SCAN_HASH=
+# VULN_SCAN_TIME=
 
 RUN mkdir -p /build/
 COPY *.mod *.go *.sum /build/

images/network-tools/Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine:3
 
-# VULN_SCAN_HASH=1fad1460fc
+# VULN_SCAN_TIME=1fad1460fc
 
 RUN apk add --no-cache iptables

images/secret-sync/Dockerfile

@@ -1,6 +1,6 @@
 FROM python:3.8-alpine
 
-# VULN_SCAN_HASH=1fad1460fc
+# VULN_SCAN_TIME=
 
 # Note that we use tini-static, it embeds dependencies missing in alpine
 RUN wget -qO /tini https://github.com/krallin/tini/releases/download/v0.19.0/tini-static \

images/singleuser-sample/Dockerfile

@@ -1,9 +1,9 @@
-FROM jupyter/base-notebook:45bfe5a474fa
+FROM jupyter/base-notebook:016833b15ceb
 # Built from... https://hub.docker.com/r/jupyter/base-notebook/
 #               https://github.com/jupyter/docker-stacks/blob/master/base-notebook/Dockerfile
 # Built from... Ubuntu 18.04
 
-# VULN_SCAN_HASH=
+# VULN_SCAN_TIME=
 
 # The jupyter/docker-stacks images contains jupyterhub, jupyterlab and the
 # jupyterlab-hub extension already.