Merge pull request #87 from timoa/develop

Refactor with AES-256-GCM + Node 16.x + deps update

Author: timoa

.eslintignore

@@ -1 +1 @@
-node_modules
+node_modules

.github/renovate.json

@@ -7,9 +7,12 @@
   "platformAutomerge": true,
   "branchPrefix": "fix/deps/",
   "addLabels": [
-    "dependencies",
+    "deps",
     "security"
   ],
+  "assignees": [
+    "timoa"
+  ],
   "packageRules": [
     {
       "description": "Automerge renovate minor and patch updates",

.github/workflows/codeql-analysis.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -29,15 +29,15 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@e2cc7cc006b87d43538b16d71752753e7b85224d # tag=v1.1.8
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@e2cc7cc006b87d43538b16d71752753e7b85224d # tag=v1.1.8
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -51,4 +51,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@e2cc7cc006b87d43538b16d71752753e7b85224d # tag=v1.1.8

.github/workflows/nodejs.yml

@@ -7,42 +7,51 @@ jobs:
   # -- TESTS ------------------------------------------------------------------
   tests:
     runs-on: ubuntu-latest
-  
+
     strategy:
       matrix:
-        node-version: [12.x]
+        node: ['16']
+        mongodb: ['5.0']
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
 
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v1
+      - name: Setup Node.js ${{ matrix.node }}
+        uses: actions/setup-node@56337c425554a6be30cdef71bf441f15be286854 # tag=v3
         with:
-          node-version: ${{ matrix.node-version }}
+          node-version: ${{ matrix.node }}
+          check-latest: true
 
       - name: Install dependencies
         run: npm install
 
+      - name: Start MongoDB
+        uses: supercharge/mongodb-github-action@e815fd8a9dfede09fd6e6c144f2c9f4875e933df # tag=1.7.0
+        with:
+          mongodb-version: ${{ matrix.mongodb }}
+          mongodb-db: encryptionAPI
+
       - name: Run Unit-Tests + Code Coverage
         run: npm run test:coverage
 
       - name: Save Code Coverage
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
         with:
           name: code-coverage
           path: coverage
 
-  sonarcloud:
+  # -- SONARCLOUD -------------------------------------------------------------
+  code-quality:
     runs-on: ubuntu-latest
     needs: tests
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
-      
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+
       - name: Download Code Coverage
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0
         with:
           name: code-coverage
           path: coverage
@@ -66,7 +75,7 @@ jobs:
 
   #     - name: Build docker image
   #       run: docker build -t timoa/nodejs-encryption-api-example .
-      
+
   #     - name: Start Docker container
   #       run: docker-compose up -d
 
@@ -78,25 +87,92 @@ jobs:
 
   #     - name: Run Functional tests
   #       run: npm run test:functional
-      
+
   #     - name: Stop Docker container
   #       run: docker-compose down
 
+  # -- SAST SCAN --------------------------------------------------------------
+  code-security:
+    runs-on: ubuntu-latest
+    needs: tests
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 # tag=v3
+
+      - name: Perform Scan
+        uses: ShiftLeftSecurity/scan-action@master
+
+        env:
+          WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SCAN_ANNOTATE_PR: true
+
+      - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
+        with:
+          name: reports
+          path: reports
+
+  # -- RELEASE ----------------------------------------------------------------
+  release:
+    runs-on: ubuntu-latest
+    needs:
+      - code-quality
+      - code-security
+    if: github.ref == 'refs/heads/master'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 # tag=v3
+
+      - name: Semantic Release
+        uses: cycjimmy/semantic-release-action@v3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   # -- BUILD ------------------------------------------------------------------
   build:
     runs-on: ubuntu-latest
-    needs: tests
+    needs: release
     if: github.ref == 'refs/heads/master'
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
 
-      - name: Docker Build
-        uses: docker/build-push-action@v1
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@e5622373a38e60fb6d795a4421e56882f2d7a681 # tag=v3.6.2
+        with:
+          images: ${{ github.repository }}
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+            type=raw,value=latest
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # tag=v1.2.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # tag=v1.6.0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # tag=v1.14.1
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-          repository: timoa/nodejs-encryption-api-example
-          tags: latest
 
+      - name: Build and push
+        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # tag=v2.10.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.nvmrc

@@ -0,0 +1 @@
+16

.nycrc

@@ -0,0 +1,22 @@
+{
+    "check-coverage": true,
+    "lines": 0,
+    "statements": 0,
+    "functions": 0,
+    "branches": 0,
+    "reporter": [
+      "lcov",
+      "text-summary"
+    ],
+    "include": [
+      "src/*.js",
+      "src/**/*.js"
+    ],
+    "exclude": [
+      "test/*.spec.js",
+      "coverage/**",
+      "src/swagger/*.js",
+      "data/**/*"
+    ],
+    "all": true
+  }

.prettierrc

@@ -9,4 +9,4 @@
   "jsxBracketSameLine": true,
   "fluid": false,
   "arrowParens": "always"
-}
+}

Dockerfile

@@ -1,5 +1,4 @@
-ARG nodeVersion=12.16.1
-FROM node:${nodeVersion}-alpine
+FROM node:16.14.2-alpine3.15@sha256:28bed508446db2ee028d08e76fb47b935defa26a84986ca050d2596ea67fd506
 ARG appPort=3000
 # ARG microScannerToken
 
@@ -33,7 +32,8 @@ RUN \
 #   date
 
 WORKDIR /opt/app/
-COPY ./ /opt/app/
+COPY ./package.json ./
+COPY ./src ./src
 
 HEALTHCHECK --interval=15s --timeout=5s --start-period=30s \
       CMD npm run docker:status

SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+We release patches for security vulnerabilities. Which versions are eligible
+receiving such patches depend on the CVSS v3.0 Rating:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| > 1.0.0 | :white_check_mark: |
+| < 1.0.0 | :x:                |
+
+## Reporting a Vulnerability
+
+Please report (suspected) security vulnerabilities to **[issue board](https://github.com/timoa/nodejs-encryption-api-example/issues)**
+with the label **vulnerability**. If the issue is confirmed, we will release a patch as soon as possible depending on complexity,
+but historically within a few days.

docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.3'
 
 services:
   api:
-    image: timoa/nodejs-encryption-api-example:latest
+    image: timoa/nodejs-encryption-api-example:latest@sha256:7348a5690fde457457ef0b171c992ae877af7e2084e6b384c096c85047188f78
     environment:
       - NODE_ENV=production
       - NODE_HOST=0.0.0.0
@@ -17,7 +17,7 @@ services:
       - mongo
   mongo:
     container_name: mongo
-    image: mongo
+    image: mongo@sha256:1e72fdd16fc769e5200dad77eff5b2316730d42473c281d8192872698e1f8689
     volumes:
       - ./data:/data/db
     ports: