added owasp-juice-shop-scan-container-with-trivy

Author: networkandcode

_posts/owaspjuiceshop/2021-07-08-owasp-juice-shop-scan-container-with-trivy.md

@@ -0,0 +1,95 @@
+---
+title: owasp juice shop > scan container with trivy
+categories: owasp juice shop
+---
+
+In this post, we would be using an opensource container scanning tool called Trivy, developed by 
+Aquasecurity to scan the juice shop container image. You need to have some familiarity with jq to 
+follow along.
+
+Let's first install Trivy and its dependencies, I am using ubuntu, so the installation instructions 
+may vary, if you are on a non debian system.
+
+Install dependencies and update repos.
+```
+$ sudo apt-get update -y
+$ sudo apt-get install wget apt-transport-https gnupg lsb-release -y
+$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+$ echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+```
+
+Update the system again, and install Trivy.
+```
+$ sudo apt-get update -y
+$ sudo apt-get install trivy -y
+```
+
+Trivy should now be installed, we can check its version.
+```
+$ trivy -v
+Version: 0.19.2
+```
+
+We can now scan the image in dockerhub.
+```
+$ trivy image bkimminich/juice-shop
+---TRUNCATED---
+------------------------------------------+
+|               | CVE-2021-32804      |          |                   | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: arbitrary File                   |
+|               |                     |          |                   |                             | Creation/Overwrite vulnerability             |
+|               |                     |          |                   |                             | via insufficient symlink protection          |
+|               |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-32804        |
++---------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
+```
+
+We can fetch the result in JSON to filter it with jq.
+```
+$ trivy image --format json --output /tmp/audit.json bkimminich/juice-shop
+2021-08-07T17:55:14.342+0530	INFO	Detected OS: alpine
+2021-08-07T17:55:14.343+0530	INFO	Detecting Alpine vulnerabilities...
+2021-08-07T17:55:14.343+0530	INFO	Number of language-specific files: 2
+2021-08-07T17:55:14.343+0530	INFO	Detecting npm vulnerabilities...
+2021-08-07T17:55:14.378+0530	WARN	DEPRECATED: the current JSON schema is deprecated, check https://github.com/aquasecurity/trivy/discussions/1050 for more information.
+```
+
+The warning above w.r.t the JSON format can be overcome with an env variable TRIVY_NEW_JSON_SCHEMA.
+```
+$ TRIVY_NEW_JSON_SCHEMA=true trivy image --format json --output /tmp/audit.json bkimminich/juice-shop
+2021-08-07T17:59:54.006+0530	INFO	Detected OS: alpine
+2021-08-07T17:59:54.006+0530	INFO	Detecting Alpine vulnerabilities...
+2021-08-07T17:59:54.007+0530	INFO	Number of language-specific files: 2
+2021-08-07T17:59:54.007+0530	INFO	Detecting npm vulnerabilities...
+```
+
+We can parse this with jq. Lets try a few commands.
+```
+$ cat /tmp/audit.json | jq 'keys'
+[
+  "ArtifactName",
+  "ArtifactType",
+  "Metadata",
+  "Results",
+  "SchemaVersion"
+]
+
+
+$ cat /tmp/audit.json | jq '.Metadata'
+{
+  "OS": {
+    "Family": "alpine",
+    "Name": "3.11.11"
+  },
+  "RepoTags": [
+    "bkimminich/juice-shop:latest"
+  ],
+  "RepoDigests": [
+    "bkimminich/juice-shop@sha256:8abf7e5b28b5b0e3e2a88684ecac9dc9740643b46e17a4edc9fc16141289869b"
+  ]
+}
+
+```
+
+So, we have seen how to install Trivy and how to use it to scan the juice shop container image. Thank 
+you for reading.
+
+--end-of-post--

_posts/owaspjuiceshop/2021-08-07-owasp-juice-shop-npm-audit.md

@@ -215,9 +215,9 @@ high and 3 critical vulnerabilites.
 
 # Fix
 
-In certain cases, its possible to give an automatic fix using npm with `npm audit fix` command fix 
-vulnerabilities. Its not possible always though as in our case, we can simulate this with the 
---dry-run flag to foresee what really happens.
+In certain cases, its possible to give an automatic fix using npm with `npm audit fix` command. Its not 
+possible always though as in our case, we can simulate this with the --dry-run flag to foresee what 
+really happens.
 ```
 networkandcode@ubuntu20:~/juice-shop$ npm audit fix --dry-run
 npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.2 (node_modules/jest-haste-map/node_modules/fsevents):
@@ -234,11 +234,11 @@ fixed 0 of 25 vulnerabilities in 2005 scanned packages
   (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
 ```
 
-So it clearly says no vulnerabilities are fixed, and could also lead to breaking changes if the fix is 
-forced. We have to then go through the recommendation for each vulnerability and try and fix it 
+So it clearly says no vulnerabilities could be fixed, and could also lead to breaking changes if the 
+fix is forced. We have to then go through the recommendation for each vulnerability and try to fix it 
 manually after reviewing that it doesnt break other packages.
 
 Thats the end of this post, we saw how to perform few commands in the npm audit family, and how the exit
- code can be checked to see if failed auditing or not.
+ code can be checked to see if it failed auditing or not.
 
 --end-of-post--