Usage of vulnerability scanners
Besu / LF Decentralized Trust
Contributors: Sally MacFarlane, Ry Jones. Owned by Sally MacFarlane. Last updated: Feb 23, 2025.

Options for vulnerability scanning for Besu. There are tools. Lots of tools.

Dependabot

Dependabot is currently enabled. No current alerts, open or closed: https://github.com/hyperledger/besu/security/dependabot

GitHub code scanning (CodeQL analysis)

Runs on PRs. Added here: https://github.com/hyperledger/besu/pull/3774
Also runs on main. Note: for some reason this runs correctly in the sandbox repo, but the besu repo is reporting a config error.

Trivy

Teku uses Trivy and scans the develop Docker images, so the scan results only include runtime dependencies, not build or test dependencies. See https://github.com/ConsenSys/teku/blob/master/.circleci/config.yml

Nightly scan of the Docker image for Besu - sample report: https://app.circleci.com/pipelines/github/hyperledger/besu/12961/workflows/dde97a21-0eb3-4345-8767-0d4490a2ee44/jobs/71864

NexusIQ

It is from Sonatype (https://blog.sonatype.com/nexus-vulnerability-scanner-and-vulnerability-analysis), but I couldn't even try it out without agreeing to a whole bunch of stuff on behalf of the company, so did not proceed. It has a number of "levels", 1-10. According to the user's report, there were a number of "level 7" and "level 10" vulnerabilities (details in the ticket). (These were fixed in 21.10.7.)

Snyk

Integrates quite nicely with GitHub, but there is a lot of noise. Also integrates with DockerHub, but only admins can see the report.

OWASP Dependency-Check Gradle plugin

Gradle plugin: org.owasp.dependencycheck. For example, web3signer runs this in CI. Useful, but we don't want to gate PRs on this. There is also a Homebrew option to run it locally.

Maven Central

Maven Central does an OK job of pointing out some CVEs: https://mvnrepository.com/artifact/org.hyperledger.besu.internal/eth/21.10.6
The disadvantage is that it's only available once the artefact is published, by which time it's a bit late. SNAPSHOT versions don't get imported into mvnrepository.com.
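As an added illustration of the "OWASP Dependency-Check Gradle plugin" section above (not Besu's or web3signer's own build script), this is a minimal build.gradle fragment that runs the plugin in report-only mode, so a CI job can publish findings without gating PRs, and that keeps test-scope configurations out of the scan in the same spirit as the Trivy image scan, which only sees runtime dependencies. The plugin version, output path and suppression-file path are placeholders to be adjusted for the repository.

```groovy
// Added example, not from the Besu project. Plugin version is a placeholder.
plugins {
    id 'java'
    id 'org.owasp.dependencycheck' version 'X.Y.Z' // placeholder: pin to a released version
}

dependencyCheck {
    // Report-only mode: the plugin fails the build when any finding's CVSS score is
    // >= failBuildOnCVSS. The default of 11 is above the CVSS maximum (10), so
    // dependencyCheckAnalyze never fails the build. Lower it (e.g. 7) to gate merges.
    failBuildOnCVSS = 11

    // HTML for humans, JSON for tooling that tracks findings across builds.
    formats = ['HTML', 'JSON']
    outputDirectory = 'build/reports/dependency-check' // placeholder path

    // Skip test-only classpaths so the report reflects what actually ships,
    // similar to scanning the runtime Docker image rather than the build environment.
    skipConfigurations = ['testCompileClasspath', 'testRuntimeClasspath']

    // Triaged findings (false positives, accepted risk) live in a suppression file
    // that is reviewed like code; each entry should carry a reason and a CVE reference.
    suppressionFile = 'config/dependency-check-suppressions.xml' // placeholder path
}
```

Run it with `./gradlew dependencyCheckAnalyze`; the first run downloads the NVD data set, so it needs network access and is better suited to a scheduled (e.g. nightly) CI job than to every PR build. Keeping `failBuildOnCVSS` at its default matches the "useful but not a PR gate" position above; the JSON report is what a team would diff between nightly runs to notice new findings.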