From b7eab181973a6e1efa9cfa164dd5bc21253034d5 Mon Sep 17 00:00:00 2001 From: lwih Date: Wed, 29 May 2024 12:04:43 +0200 Subject: [PATCH 1/3] fix(Trivy): update severity params --- .github/workflows/trivy-db.yml | 2 +- .github/workflows/trivy.yml | 25 ++++++++++++++++++++----- 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/.github/workflows/trivy-db.yml b/.github/workflows/trivy-db.yml index 7a501559d..da168f1b7 100644 --- a/.github/workflows/trivy-db.yml +++ b/.github/workflows/trivy-db.yml @@ -37,7 +37,7 @@ jobs: image-ref: "postgres:15.6-alpine" format: sarif output: "postgres-trivy-results.sarif" - severity: "CRITICAL,HIGH" + severity: "LOW,MEDIUM,HIGH,CRITICAL" - name: Upload Postgres Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 7a6fb1202..5f570afe6 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
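Review bot: Widening `severity` to `"LOW,MEDIUM,HIGH,CRITICAL"` on the Postgres image scan changes only what is reported, not whether the job fails: the step sets no `exit-code`, so the SARIF upload still receives every finding and nothing gates on it. On an Alpine base image a LOW/MEDIUM filter will mostly surface OS-package CVEs that have no fixed version yet; adding `ignore-unfixed: true` under `with:` keeps the Security tab actionable while retaining the wider severity range. Separately, `uses: aquasecurity/trivy-action@master` (an unchanged line in this hunk) is a mutable ref for the action that reads the image and produces the uploaded SARIF; pinning it to a release tag or commit SHA is the usual supply-chain hygiene. The same severity string is introduced for the OS scan in `.github/workflows/trivy.yml` in the next hunk.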
@@ -70,15 +70,30 @@ jobs: ENV_PROFILE=${{ env.ENV_PROFILE }} GITHUB_SHA=${{ github.sha }} - - name: Run Trivy on Docker build + - name: Run Trivy on OS uses: aquasecurity/trivy-action@master with: image-ref: "ghcr.io/mtes-mct/rapportnav2/rapportnav-app:${{ github.sha }}" format: sarif - output: "trivy-results.sarif" - severity: "CRITICAL,HIGH" + vuln-type: "os" + output: "trivy-results-os.sarif" + severity: "LOW,MEDIUM,HIGH,CRITICAL" - - name: Upload Trivy scan results to GitHub Security tab + - name: Run Trivy on libraries + uses: aquasecurity/trivy-action@master + with: + image-ref: "ghcr.io/mtes-mct/rapportnav2/rapportnav-app:${{ github.sha }}" + format: sarif + vuln-type: "library" + output: "trivy-results-libs.sarif" + severity: "HIGH,CRITICAL" + + - name: Upload Trivy OS scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-os.sarif" + + - name: Upload Trivy Library scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: "trivy-results.sarif" + sarif_file: "trivy-results-libs.sarif" From a2070be63bc7730d8525f52b242ca4a585ad4f9a Mon Sep 17 00:00:00 2001 From: lwih Date: Wed, 29 May 2024 12:11:40 +0200 Subject: [PATCH 2/3] fix(Trivy): bump postgres alpine to 15.7 --- .github/workflows/trivy-db.yml | 2 +- .gitlab-ci.yml | 4 ++-- .../rapportnav/infrastructure/database/AbstractDBTests.kt | 2 +- infra/docker-compose.local.yml | 2 +- jobs-build-CI/deploiement/docker-compose.yml.j2 | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/trivy-db.yml b/.github/workflows/trivy-db.yml index da168f1b7..6f0c74f7e 100644 --- a/.github/workflows/trivy-db.yml +++ b/.github/workflows/trivy-db.yml 
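Review bot: The `image-ref` value `"ghcr.io/mtes-mct/rapportnav2/rapportnav-app:${{ github.sha }}"` is now duplicated verbatim in the two scan steps, so a later edit to one can silently leave the other scanning a different image. The job already reads `env.ENV_PROFILE` in the build-args above, so an `IMAGE_REF` entry next to it and `image-ref: ${{ env.IMAGE_REF }}` in both steps would keep them in lockstep; the `env:` block itself is outside this hunk, so where it is declared (workflow or job level) cannot be confirmed here. Both `upload-sarif` steps upload for the same commit and job without a `category`, which makes the second upload replace the first in the Security tab; PATCH 3/3 in this series adds the categories, so the two commits are better squashed so that no intermediate revision carries the overwriting behaviour. The enclosing job and its `steps:` list start outside the hunk.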
@@ -34,7 +34,7 @@ jobs: - name: Run Trivy on Postgres image uses: aquasecurity/trivy-action@master with: - image-ref: "postgres:15.6-alpine" + image-ref: "postgres:15.7-alpine" format: sarif output: "postgres-trivy-results.sarif" severity: "LOW,MEDIUM,HIGH,CRITICAL" diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b89d580c7..402557b50 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -12,7 +12,7 @@ variables: value: rapportnav-v2 description: "Nom du projet à déployer" BDD_IAMGE: - value: postgres:15.6-alpine + value: postgres:15.7-alpine description: "Image de la base de données" PROJECT_VERSION: value: "1.2.0" @@ -32,7 +32,7 @@ variables: FAIL_TRIVY_CONDITION_LIBRARY: value: "--severity HIGH,CRITICAL" description: "Détermine la commande à passer à Trivy pour bloquer ou non le job. --severity CRITICAL fait échouer le job si Trivy remonte des anomalies critiques." - + FAIL_TRIVY_CONDITION_OS: value: "--severity LOW,MEDIUM,HIGH,CRITICAL" description: "Détermine la commande à passer à Trivy pour bloquer ou non le job. --severity CRITICAL fait échouer le job si Trivy remonte des anomalies critiques." diff --git a/backend/src/test/kotlin/fr/gouv/gmampa/rapportnav/infrastructure/database/AbstractDBTests.kt b/backend/src/test/kotlin/fr/gouv/gmampa/rapportnav/infrastructure/database/AbstractDBTests.kt index 7c5f3c6fa..d7c25f2e6 100644 --- a/backend/src/test/kotlin/fr/gouv/gmampa/rapportnav/infrastructure/database/AbstractDBTests.kt +++ b/backend/src/test/kotlin/fr/gouv/gmampa/rapportnav/infrastructure/database/AbstractDBTests.kt @@ -19,7 +19,7 @@ abstract class AbstractDBTests { companion object { @JvmStatic - val container = PostgreSQLContainer("postgres:15.6-alpine") + val container = PostgreSQLContainer("postgres:15.7-alpine") .apply { withExposedPorts(5432) withEnv("POSTGRES_DB", "testdb") diff --git a/infra/docker-compose.local.yml b/infra/docker-compose.local.yml index 46c9e90eb..4ffa68024 100644 --- a/infra/docker-compose.local.yml 
+++ b/infra/docker-compose.local.yml @@ -27,7 +27,7 @@ services: - ../frontend:/tmp/frontend db: - image: postgres:15.6-alpine + image: postgres:15.7-alpine ports: - "5432:5432" environment: diff --git a/jobs-build-CI/deploiement/docker-compose.yml.j2 b/jobs-build-CI/deploiement/docker-compose.yml.j2 index b51a63cef..1638ac49a 100644 --- a/jobs-build-CI/deploiement/docker-compose.yml.j2 +++ b/jobs-build-CI/deploiement/docker-compose.yml.j2 @@ -20,7 +20,7 @@ services: max-size: "1024m" db: - image: "{{ nexus_proxy }}/postgres:15.6-alpine" + image: "{{ nexus_proxy }}/postgres:15.7-alpine" volumes: - db:/var/lib/postgresql/data restart: always From faff8d806876b942828eae441448790825e19360 Mon Sep 17 00:00:00 2001 From: lwih Date: Wed, 29 May 2024 12:17:28 +0200 Subject: [PATCH 3/3] fix(Trivy): update trivy analysis upload --- .github/workflows/trivy.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 5f570afe6..06f030e93 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -79,6 +79,12 @@ jobs: output: "trivy-results-os.sarif" severity: "LOW,MEDIUM,HIGH,CRITICAL" + - name: Upload Trivy OS scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-os.sarif" + category: "trivy-os" + - name: Run Trivy on libraries uses: aquasecurity/trivy-action@master with: @@ -88,12 +94,8 @@ jobs: output: "trivy-results-libs.sarif" severity: "HIGH,CRITICAL" - - name: Upload Trivy OS scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: "trivy-results-os.sarif" - - name: Upload Trivy Library scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: sarif_file: "trivy-results-libs.sarif" + category: "trivy-libs"
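Review bot: The `upload-sarif` steps now carry `category: "trivy-os"` and `category: "trivy-libs"` (this hunk and the next one in the same file), which is what separates two analyses of the same tool and commit; the default-category analysis produced by the previous single `trivy-results.sarif` upload is not replaced by either, so its alerts can stay open in the Security tab until that analysis is deleted through the code-scanning REST API, which is worth checking after the first run. These uploads also require `security-events: write`; the job's `permissions:` block is outside the hunk, so confirm it is granted there or at workflow level rather than relying on default token scopes. If an `exit-code` is ever added to the scan steps, `if: always()` on both upload steps would keep findings published when a scan fails the job.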