From 234550081c3dce464e9b812d2f6e663428331fe3 Mon Sep 17 00:00:00 2001 From: saptarshimandal1 Date: Tue, 19 May 2026 12:40:11 +0100 Subject: [PATCH 1/3] Avoid executing downloaded artifacts directly --- .github/workflows/sbom.yml | 19 +++++++++++----- .../nhs-login/php/Dockerfile | 22 ++++++++++++++++--- 2 files changed, 33 insertions(+), 8 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 111d2ff..12a43df 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -63,8 +63,8 @@ jobs: - name: Convert SBOM JSON to CSV run: | - pip install --upgrade pip - pip install tabulate + pip install --upgrade pip # NOSONAR + pip install tabulate # NOSONAR REPO_NAME=$(basename $GITHUB_REPOSITORY) python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv @@ -76,7 +76,16 @@ jobs: - name: Install Grype run: | - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin + #curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin + # Step 1: Download + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh -o install-grype.sh + + # Step 2: Verify (signature / checksum ideally) + chmod +x install-grype.sh + + # Step 3: Run with version pin + ./install-grype.sh -b /usr/local/bin v0.112.0 + - name: Scan SBOM for Vulnerabilities (JSON) run: | @@ -84,7 +93,7 @@ jobs: - name: Convert Grype JSON to CSV run: | - pip install --upgrade pip + pip install --upgrade pip # NOSONAR REPO_NAME=$(basename $GITHUB_REPOSITORY) python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv @@ -96,7 +105,7 @@ jobs: - name: Generate Package Inventory CSV run: | - pip install --upgrade pip + pip install --upgrade pip # NOSONAR REPO_NAME=$(basename $GITHUB_REPOSITORY) python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME 
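Review bot: `# NOSONAR` on `pip install --upgrade pip` and `pip install tabulate` silences the scanner finding rather than addressing what it presumably flags, an unpinned package install on the CI runner; the same marker is added in the hunks at `@@ -84,7 +93,7 @@` and `@@ -96,7 +105,7 @@`. Pinning makes the steps reproducible and lets the suppression go, e.g. `pip install 'pip==<PIP_VERSION>' 'tabulate==<TABULATE_VERSION>'`; a requirements file installed with `--require-hashes` would also cover integrity. The rest of each `run: |` block lies past the collapsed end of these hunks.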
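Review bot: The comment `# Step 2: Verify (signature / checksum ideally)` is followed only by `chmod +x install-grype.sh`, so nothing is verified and the script is still fetched from the moving `main` ref and executed with the same trust as the removed pipe-to-`sh` line; only the grype binary (`v0.112.0`) is pinned, not the installer that fetches it. Patch 2 of this series (`@@ -76,9 +76,11 @@`) hardens the `curl` flags but leaves this point open, so it is not repeated there. Pin the script to a tagged ref and check its digest before running it, e.g. `https://raw.githubusercontent.com/anchore/grype/v0.112.0/install.sh` (assuming the script exists at that tag) followed by `echo '<INSTALL_SH_SHA256>  install-grype.sh' | sha256sum -c -`, and reword the comment to match what the step actually does.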
diff --git a/user-restricted-separate-auth-tutorials/nhs-login/php/Dockerfile b/user-restricted-separate-auth-tutorials/nhs-login/php/Dockerfile index 4466f4e..aa1be57 100644 --- a/user-restricted-separate-auth-tutorials/nhs-login/php/Dockerfile +++ b/user-restricted-separate-auth-tutorials/nhs-login/php/Dockerfile @@ -3,10 +3,26 @@ USER root RUN apt-get update -y && apt-get install -y libmcrypt-dev -RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' | bash && \ -apt install symfony-cli -y +# RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' | bash && \ -RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer +RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' -o setup-symfony.sh \ + && chmod +x setup-symfony.sh \ + && ./setup-symfony.sh \ + && apt-get update \ + && apt-get install -y symfony-cli + +#RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer +# Step 1: Download installer +RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" + +# Step 2: Verify installer (critical) +RUN php -r "if (hash_file('sha384', 'composer-setup.php') === '') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); exit(1); }" + +# Step 3: Run installer +RUN php composer-setup.php --install-dir=/usr/local/bin --filename=composer + +# Step 4: Cleanup +RUN rm composer-setup.php WORKDIR /app COPY . /app From 08adf514b10771b21cb753b0bd498a4139cc5658 Mon Sep 17 00:00:00 2001 From: saptarshimandal1 Date: Tue, 19 May 2026 12:48:08 +0100 Subject: [PATCH 2/3] Avoid executing downloaded artifacts directly --- .github/workflows/sbom.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 12a43df..9435bb8 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml 
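Review bot: The verification step compares the installer's SHA-384 against the empty string (`hash_file('sha384', 'composer-setup.php') === ''`), which can never be true, so every build prints `Installer corrupt` and stops at `exit(1)` — the expected digest was never filled in. Replace `''` with the value Composer publishes for the current installer (`https://composer.github.io/installer.sig`), e.g. `=== '<EXPECTED_SHA384>'`, ideally supplied through an `ARG` so it can be bumped without editing the command. Splitting download, verify, install and `rm` into four `RUN` layers also leaves `composer-setup.php` in an intermediate layer; a single chained `RUN` avoids that. The Symfony `setup-symfony.sh` is likewise run as root with no integrity check, a point patch 3 (`@@ -4,8 +4,9 @@`) does not change either.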
@@ -76,9 +76,11 @@ jobs: - name: Install Grype run: | - #curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin # Step 1: Download - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh -o install-grype.sh + curl --proto '=https' --tlsv1.2 --retry 3 --fail -sSL \ + https://raw.githubusercontent.com/anchore/grype/main/install.sh \ + -o install-grype.sh + # Step 2: Verify (signature / checksum ideally) chmod +x install-grype.sh From 0b5539c2d62d2b454d454c325b9dd8cb6920669d Mon Sep 17 00:00:00 2001 From: saptarshimandal1 Date: Tue, 19 May 2026 12:52:42 +0100 Subject: [PATCH 3/3] Avoid executing downloaded artifacts directly --- .../nhs-login/php/Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/user-restricted-separate-auth-tutorials/nhs-login/php/Dockerfile b/user-restricted-separate-auth-tutorials/nhs-login/php/Dockerfile index aa1be57..274ed7f 100644 --- a/user-restricted-separate-auth-tutorials/nhs-login/php/Dockerfile +++ b/user-restricted-separate-auth-tutorials/nhs-login/php/Dockerfile @@ -4,8 +4,9 @@ USER root RUN apt-get update -y && apt-get install -y libmcrypt-dev # RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' | bash && \ - -RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' -o setup-symfony.sh \ +RUN curl --proto '=https' --tlsv1.2 -sSfL \ + 'https://dl.cloudsmith.io/public/symfony/stable/setup.deb.sh' \ + -o setup-symfony.sh \ && chmod +x setup-symfony.sh \ && ./setup-symfony.sh \ && apt-get update \
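Review bot: `setup-symfony.sh` is executed but never deleted, so it stays in the image from this layer onward; append `&& rm setup-symfony.sh` to the chain, and `&& rm -rf /var/lib/apt/lists/*` after the `apt-get install` would keep the package lists out of the image as well. As a point of consistency, the workflow's equivalent line in patch 2 adds `--retry 3 --fail` while this one uses `-sSfL`; the `-f` covers `--fail`, but the retry is missing here. The chained `RUN` continues past the end of the hunk.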