From 03c81a805d65666e0def1e02b3dbb2fe6ccd95e9 Mon Sep 17 00:00:00 2001
From: ruzell22
Date: Wed, 29 Mar 2023 11:05:52 +0800
Subject: [PATCH] fix(cmd-api-server): mitigate CVE-2022-24434 and CVE-2022-24999 #2039
fixes: #2039 related to: #2241 Verified that these changes will fix the vulnerabilities in cactus-cmd-api-server in addition to the following CVE IDs:
- CVE-2022-24434
- CVE-2022-24999 (express)
- CVE-2022-24999 (qs)
Co-authored-by: Peter Somogyvari
Signed-off-by: ruzell22
Signed-off-by: Peter Somogyvari
---
 .github/workflows/azure-container-scan.yaml | 38 +++++++++++++++++++
 .../corda-all-in-one/corda-v4_8/Dockerfile | 4 +-
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/azure-container-scan.yaml
diff --git a/.github/workflows/azure-container-scan.yaml b/.github/workflows/azure-container-scan.yaml
new file mode 100644
index 0000000000..7792af74df
--- /dev/null
+++ b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+ push:
+ pull_request:
+ # Publish `main` as Docker `latest` image.
+ branches:
+ - main
+
+ # Publish `v1.2.3` tags as releases.
+ tags:
+ - v*
+
+
+jobs:
+ build-secure-and-push-8:
+ name: Scan cactus-corda-4-8-all-in-one-obligation image
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v2.4.0
+ env:
+ # (Required) The token to use to make API calls to GitHub.
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+ - uses: actions/checkout@v1
+ - name: Login to DockerHub Registry
+ run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+ - name: Build Images from Dockerfile
+ run: DOCKER_BUILDKIT=1 docker build ./tools/docker/corda-all-in-one/ -f ./tools/docker/corda-all-in-one/corda-v4_8/Dockerfile -t cactus-corda-4-8-all-in-one-obligation
+
+ - uses: Azure/container-scan@v0.1
+ name: Scan image for vulnerabilities
+ id: container-scan
+ continue-on-error: true
+ with:
+ image-name: cactus-corda-4-8-all-in-one-obligation
\ No newline at end of file
diff --git a/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile b/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile
index 549f1bb274..b364d2b5c6 100644
--- a/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile
+++ b/tools/docker/corda-all-in-one/corda-v4_8/Dockerfile
@@ -2,9 +2,9 @@ FROM docker:20.10.2-dind
 # cordaVersion=4.8.5
 # cordaCoreVersion=4.8.5
-ARG SAMPLES_KOTLIN_SHA=1504878ce446555bd861bbe4dd3d1154e905a07f
+ARG SAMPLES_KOTLIN_SHA=c70f846b6f3d43fe0a35b6583238944843bf9393
 ARG SAMPLES_KOTLIN_CORDAPP_SUB_DIR_PATH="./Advanced/obligation-cordapp/"
-ARG CORDA_TOOLS_SHELL_CLI_VERSION=4.8
+ARG CORDA_TOOLS_SHELL_CLI_VERSION=4.8.9
 WORKDIR /
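Review bot: `continue-on-error: true` on the `Azure/container-scan@v0.1` step means a scan that finds vulnerabilities never fails the workflow, so this job reports but cannot block — for a commit whose purpose is CVE mitigation, drop that line and set an explicit `severity-threshold` under `with:` so the job fails on findings at or above it. The two consecutive checkouts (`actions/checkout@v2.4.0` with a `GITHUB_TOKEN` env that checkout does not read, then `actions/checkout@v1`) leave only the second, older one effective; keep a single `actions/checkout@v2.4.0` without the `env:` block. Nothing sets `permissions:`, so the default token grants apply where the `docker login ghcr.io` step needs only `packages: read` plus `contents: read` for checkout, and the step name `Login to DockerHub Registry` misdescribes a ghcr.io login. Pinning the three actions to commit SHAs instead of floating tags would complete the supply-chain hardening of this workflow.
```yaml
permissions:
  contents: read
  packages: read

jobs:
  build-secure-and-push-8:
    # … unchanged: name, runs-on …
    steps:
      - uses: actions/checkout@v2.4.0
      - name: Login to GitHub Container Registry
        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
      # … unchanged: Build Images from Dockerfile step …
      - uses: Azure/container-scan@v0.1
        name: Scan image for vulnerabilities
        id: container-scan
        with:
          image-name: cactus-corda-4-8-all-in-one-obligation
          severity-threshold: HIGH
```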