Usage of vulnerability scanners

Options for vulnerability scanning for Besu. There are tools. Lots of tools. 

Dependabot

Dependabot is currently enabled. No current alerts, open or closed: 

https://github.com/hyperledger/besu/security/dependabot

GitHub code scanning

Running on PRs

CodeQL analysis

Running on main

Note: for some reason this runs correctly in the sandbox repo, but the besu repo reports a config error.

Trivy

Teku uses Trivy and scans the develop Docker images, so the scan results include only runtime dependencies, not build or test dependencies. See https://github.com/ConsenSys/teku/blob/master/.circleci/config.yml

NexusIQ

It is from Sonatype (https://blog.sonatype.com/nexus-vulnerability-scanner-and-vulnerability-analysis), but I couldn't even try it out without agreeing to a whole bunch of stuff on behalf of the company, so I did not proceed.

It has a number of "levels" from 1 to 10. According to the user's report, there were a number of "level 7" and "level 10" vulnerabilities (details in the ticket). These were fixed in 21.10.7.

Snyk

Integrates quite nicely with GitHub, but there is a lot of noise.

Also integrates with Docker Hub, but only admins can see the report.

Dependency check gradle plugin

Gradle - Plugin: org.owasp.dependencycheck

e.g. web3signer runs this in CI.

Useful but we don't want to gate PRs on this.

There is also a Homebrew option to run it locally.
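As an added example (not Besu's or web3signer's own build file), here is a build.gradle fragment that applies org.owasp.dependencycheck in report-only mode, so CI publishes findings without gating the PR on them; the plugin version and the suppression file path are assumptions.

```groovy
// Added example, not from the Besu or web3signer repositories.
// Runs OWASP dependency-check as a reporting step rather than a PR gate.
plugins {
    id 'java'
    // Version is an assumption; use a current release of the plugin.
    id 'org.owasp.dependencycheck' version '8.2.1'
}

dependencyCheck {
    // The default threshold is 11, which means the dependencyCheckAnalyze
    // task never fails the build. Lowering it (e.g. to 7) would turn the
    // scan into a gate on High/Critical CVSS findings.
    failBuildOnCVSS = 11

    // Scan only what ships at runtime, so build and test dependencies do
    // not add noise (the same view the Trivy image scan gives).
    scanConfigurations = ['runtimeClasspath']

    // Reviewed false positives are recorded here rather than ignored silently.
    // Path is an assumption.
    suppressionFile = 'gradle/dependency-check-suppressions.xml'

    // HTML for humans; SARIF can be uploaded to GitHub code scanning.
    formats = ['HTML', 'SARIF']
}

// Run with: ./gradlew dependencyCheckAnalyze
// Reports land under build/reports/ by default.
```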

Maven central

Maven Central does an OK job of pointing out some CVEs, e.g. https://mvnrepository.com/artifact/org.hyperledger.besu.internal/eth/21.10.6

The disadvantage is that this is only available once the artefact is published, by which time it's a bit late. SNAPSHOT versions don't get imported into mvnrepository.com.
