FIWARE Cybersecurity Analysis

FIWARE Cybersecurity Analysis of the FIWARE Generic Enablers

Security Scan of FIWARE Catalogue components

This program has been developed to facilitate the Security Scan of the FIWARE Catalogue components and to generate a report that facilitates the resolution of the issues identified in them.

It automatically scans a particular local Docker image, or all local Docker containers, with the Clair vulnerability scanner, using Clair-Scanner and clair-local-scan together with the Docker Bench for Security to check common best practices around deploying FIWARE Docker containers in production.

The tests are all automated, and are inspired by the CIS Docker Community Edition Benchmark v1.1.0.

The information of the components to be analyzed is maintained in the file enablers.json.

Go installation

To install the Go language, you can follow the instructions detailed in the Go Installation instructions. The steps for a Linux installation are the following:

  1. Remove any previous Go installation by deleting the /usr/local/go folder (if it exists), then extract the archive you just downloaded into /usr/local, creating a fresh Go tree in /usr/local/go:

    $ rm -rf /usr/local/go && tar -C /usr/local -xzf go1.24.4.linux-amd64.tar.gz

    (You may need to run the command as root or through sudo).

    Do not untar the archive into an existing /usr/local/go tree. This is known to produce broken Go installations.

  2. Add /usr/local/go/bin to the PATH environment variable. You can do this by adding the following line to your $HOME/.profile or /etc/profile (for a system-wide installation):

    export PATH=$PATH:/usr/local/go/bin

    Note: Changes made to a profile file may not apply until the next time you log into your computer. To apply the changes immediately, just run the shell commands directly or execute them from the profile using a command such as source $HOME/.profile.

  3. Verify that you've installed Go by opening a command prompt and typing the following command:

    $ go version

    Confirm that the command prints the installed version of Go.

Update dependencies

To update the current dependencies of the project, execute the following command:

go mod tidy

Compile the program

The command to generate the executable of the scan program is the following:

go build .

It will generate the scan program that we will use to produce the summary of security vulnerabilities of our components.

Run

To execute the scan, just specify the check option together with the Enabler that we want to analyse. The list of available enablers can be found in the enablers.json file. For the Keyrock enabler the command is the following:

scan check Keyrock

It will generate a file in the results folder, in JSON format, with the result of the Security Scan Analysis; the file name carries the date and time of the scan (e.g., Keyrock_idm_20240411_1254_grype.json).

Furthermore, we can use another command to summarize the data and visualize the histogram of the different vulnerabilities found in the scan.

scan visualize Keyrock

This provides console output with the following content:

  • Total count of vulnerabilities
  • Severity test histogram
  • EPSS and risk averages
  • Count of EPSS > 0.9 and Risk > 90

where:

  • Severity: string severity derived from CVSS scores, indicating the significance of a vulnerability in levels. This balances concerns such as ease of exploitability and the potential to affect the confidentiality, integrity and availability of software and services.

  • EPSS: Exploit Prediction Scoring System is a metric expressing the likelihood that a vulnerability will be exploited in the wild over the next 30 days (on a 0–1 scale); higher values signal a greater likelihood of exploitation. The table output shows the EPSS percentile, a one-way transform of the EPSS score showing the proportion of all scored vulnerabilities with an equal or lower probability. Percentiles linearize a heavily skewed distribution, making threshold choice (e.g. “only CVEs above the 90th percentile”) straightforward.
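As an added illustration, not code from the project itself, the following Go function computes the four figures listed above from a grype JSON report. Only .matches[].vulnerability.risk is confirmed by this page; the severity and epss field layout is an assumption, and the sample report is constructed.

```go
package main

import "encoding/json"
// Report: the slice of a grype JSON report needed here; only .matches[].vulnerability.risk is on the page, the rest is assumed.
type Report struct {
	Matches []struct {
		Vulnerability struct {
			Severity string                                  `json:"severity"`
			Risk     float64                                 `json:"risk"`
			EPSS     []struct{ EPSS float64 `json:"epss"` } `json:"epss"`
		} `json:"vulnerability"`
	} `json:"matches"`
}
// Summary holds the figures that `scan visualize` prints to the console.
type Summary struct {
	Total, HighEPSS, HighRisk int            // HighEPSS: EPSS > 0.9, HighRisk: Risk > 90
	AvgEPSS, AvgRisk          float64
	Histogram                 map[string]int // severity -> count
}
// Summarize parses one grype report and computes the summary figures.
func Summarize(data []byte) (Summary, error) {
	r, s := Report{}, Summary{Histogram: map[string]int{}}
	if err := json.Unmarshal(data, &r); err != nil {
		return Summary{}, err
	}
	var sumEPSS, sumRisk float64
	for _, m := range r.Matches {
		v := m.Vulnerability
		s.Total++
		s.Histogram[v.Severity]++
		e := 0.0 // a match with no EPSS entry counts as probability 0
		if len(v.EPSS) > 0 {
			e = v.EPSS[0].EPSS
		}
		sumEPSS, sumRisk = sumEPSS+e, sumRisk+v.Risk
		if e > 0.9 {
			s.HighEPSS++
		}
		if v.Risk > 90 {
			s.HighRisk++
		}
	}
	if s.Total > 0 { // an empty report must not divide by zero
		s.AvgEPSS, s.AvgRisk = sumEPSS/float64(s.Total), sumRisk/float64(s.Total)
	}
	return s, nil
}
// SampleReport is a constructed three-match report, not real scan output.
const SampleReport = `{"matches":[{"vulnerability":{"severity":"Critical","risk":95.5,"epss":[{"epss":0.97}]}},
{"vulnerability":{"severity":"High","risk":40,"epss":[{"epss":0.05}]}},{"vulnerability":{"severity":"Medium","risk":10,"epss":[]}}]}`
```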

Manual review of the output

You can use jq to inspect the output generated in JSON format. For example, to get the risk values and the total number of issues in a report generated for the Orion component, you can execute the following command:

jq '[.matches[].vulnerability.risk] as $risks | {risk: $risks, n: ($risks | length)}' Orion_orion_20250702_1819_grype.json

Roadmap

If you want to take a look at the Roadmap and Refactoring Plan, check the content of the Refactoring.md file.

License

These scripts are licensed under Apache License 2.0.