Options for vulnerability scanning for Besu. There are tools. Lots of tools. 

Dependabot

• Dependabot is enabled. No current alerts, open or closed: 

https://github.com/hyperledger/besu/security/dependabot

LGTM

running on PRs

CodeQL analysis

• Added here https://github.com/hyperledger/besu/pull/3774

Running on main

Trivy

Teku uses Trivy, and scans the develop docker images. So scan results only include runtime dependencies not build or test dependencies. See https://github.com/ConsenSys/teku/blob/master/.circleci/config.yml

• Nightly scan of docker image for Besu - sample report https://app.circleci.com/pipelines/github/hyperledger/besu/12961/workflows/dde97a21-0eb3-4345-8767-0d4490a2ee44/jobs/71864

NexusIQ

It is from sonatype https://blog.sonatype.com/nexus-vulnerability-scanner-and-vulnerability-analysis but I couldn’t even try it out without agreeing to a whole bunch of stuff on behalf of company so did not proceed.

Has a number of "levels" 1-10. According to the user’s report, there were a number of “level 7” and “level 10” vulnerabilities (details in the ticket). (These were fixed in 21.10.7)

Snyk

Integrates quite nicely with github but there is a lot of noise. 

• Also integrates with DockerHub but only admins can see the report

Dependency check gradle plugin

Useful but we don't want to gate PRs on this.

There is also a homebrew option

Maven central

Maven central does an ok job of pointing out some CVEs https://mvnrepository.com/artifact/org.hyperledger.besu.internal/eth/21.10.6 

Disadvantage is it’s only available once the artefact is published, by which time it's a bit late. SNAPSHOT versions don’t get imported into mvnrepository.com