feat(ci-cd): add trivy scan instead of synk

add trivy scan instead of synk and refactor the code

GH-151

Author: Vaibhav Bhalla

.github/workflows/trivy.yaml

@@ -0,0 +1,29 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Trivy Scan
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the master branch
+on:
+  pull_request:
+    branches: [master]
+    types: [opened, synchronize, reopened]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "trivy"
+  trivy:
+    # The type of runner that the job will run on
+    runs-on: [self-hosted, linux, codebuild]
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: "fs"
+          scan-ref: "${{ github.workspace }}"
+          trivy-config: "${{ github.workspace }}/trivy.yaml"

README.md

@@ -9,9 +9,6 @@
 <a href="https://sonarcloud.io/summary/overall?id=sourcefuse_loopback4-authorization" target="_blank">
 <img alt="Sonar Quality Gate" src="https://img.shields.io/sonar/quality_gate/sourcefuse_loopback4-authorization?server=https%3A%2F%2Fsonarcloud.io">
 </a>
-<a href="https://app.snyk.io/org/ashishkaushik/reporting?context[page]=issues-detail&project_target=%255B%2522sourcefuse%252Floopback4-authorization%2522%255D&project_origin=%255B%2522github%2522%255D&issue_status=%255B%2522Open%2522%255D&issue_by=Severity&table_issues_detail_cols=SCORE%257CCVE%257CCWE%257CPROJECT%257CEXPLOIT%2520MATURITY%257CAUTO%2520FIXABLE%257CINTRODUCED%257CSNYK%2520PRODUCT&v=1">
-<img alt="Synk Status" src="https://img.shields.io/badge/SYNK_SECURITY-MONITORED-GREEN">
-</a>
 <a href="https://github.com/sourcefuse/loopback4-authorization/graphs/contributors" target="_blank">
 <img alt="GitHub contributors" src="https://img.shields.io/github/contributors/sourcefuse/loopback4-authorization">
 </a>

src/providers/authorization-action.provider.ts

@@ -40,6 +40,9 @@ export class AuthorizeActionProvider implements Provider<AuthorizeFn> {
         await this.requestContext.get(CoreBindings.CONTROLLER_METHOD_NAME);
         return false;
       } catch (error) {
+        // sonarignore:start
+        console.log('API not found', error);
+        // sonarignore:end
         throw new HttpErrors.NotFound('API not found !');
       }
     }

src/providers/casbin-authorization-action.provider.ts

@@ -33,18 +33,11 @@ export class CasbinAuthorizationProvider
     resource: string,
     request?: Request,
   ): Promise<boolean> {
-    let authDecision = false;
     try {
       // fetch decorator metadata
       const metadata: AuthorizationMetadata = await this.getCasbinMetadata();
 
-      if (request && this.checkIfAllowedAlways(request)) {
-        return true;
-      }
-
-      if (metadata?.permissions?.indexOf('*') === 0) {
-        // Return immediately with true, if allowed to all
-        // This is for publicly open routes only
+      if (this.isAlwaysAllowed(request, metadata)) {
         return true;
       }
 
@@ -96,16 +89,15 @@ export class CasbinAuthorizationProvider
         return false;
       }
 
-      // Use casbin enforce method to get authorization decision
-      for (const permission of desiredPermissions) {
-        const decision = await enforcer.enforce(subject, resource, permission);
-        authDecision = authDecision || decision;
-      }
+      return await this.checkPermissions(
+        enforcer,
+        subject,
+        resource,
+        desiredPermissions,
+      );
     } catch (err) {
       throw new HttpErrors.Unauthorized(err.message);
     }
-
-    return authDecision;
   }
 
   // Generate the user name according to the naming convention
@@ -125,6 +117,33 @@ export class CasbinAuthorizationProvider
     }
   }
 
+  isAlwaysAllowed(
+    request?: Request,
+    metadata?: AuthorizationMetadata,
+  ): boolean {
+    if (request && this.checkIfAllowedAlways(request)) {
+      return true;
+    }
+    if (metadata?.permissions?.indexOf('*') === 0) {
+      return true;
+    }
+    return false;
+  }
+
+  async checkPermissions(
+    enforcer: casbin.Enforcer,
+    subject: string,
+    resource: string,
+    permissions: string[],
+  ): Promise<boolean> {
+    for (const permission of permissions) {
+      if (await enforcer.enforce(subject, resource, permission)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
   // Create casbin policy for user based on ResourcePermission data provided by extension client
   createCasbinPolicy(
     resPermObj: ResourcePermissionObject[],

trivy.yml

@@ -0,0 +1,16 @@
+format: table
+exit-code: 1
+severity:
+  - HIGH
+  - CRITICAL
+skip-files:
+  - db.env
+security-checks:
+  - vuln
+  - secret
+  - license
+vulnerability:
+  type:
+    - os
+    - library
+  ignore-unfixed: true