Add compatibility to trivy scans about kanidm HOT 8 OPEN

I looked into this and trivy doesn't like our containers, and can't realistically handle the Cargo.toml/lock file, because we have multiple due to the workspace. We'd have to build the binaries with cargo-auditable for this to have a hope of working.

from kanidm.

We're probably better off just including the Cargo.lock and Cargo.toml in the container than moving from just building with cargo, and introducing other possible issues.

from kanidm.

I'm happy with either approach. We use cargo-auditable at SUSE for our binaries which works well, but I think it's just as easy for us in containers to ensure the Cargo.lock is installed into the image.

from kanidm.

Hello,
will adding the commnd COPY /Cargo.toml /Cargo.lock /usr/src/kanidm/ to /server/Dockerfile help here. I'd like to get some advice and pick this. Thanks

from kanidm.

Their docs are here, give it a go https://aquasecurity.github.io/trivy/v0.49/docs/coverage/language/rust/

from kanidm.

I went through it and the above discussion. It appeared that including the Cargo.lock and Cargo.toml will help trivy scans. So wished to ask

will adding the commnd COPY /Cargo.toml /Cargo.lock /usr/src/kanidm/ to /server/Dockerfile help here.

is enough to include the files in the image or some more steps will be needed

from kanidm.

I went through it and the above discussion. It appeared that including the Cargo.lock and Cargo.toml will help trivy scans. So wished to ask

will adding the commnd COPY /Cargo.toml /Cargo.lock /usr/src/kanidm/ to /server/Dockerfile help here.

is enough to include the files in the image or some more steps will be needed

You'll have to test it - it's an outside tool we haven't used before - unless @schleichardt knows from experience?

from kanidm.

We do have cargo auditable in opensuse so it wouldn't be hard to add it ....

from kanidm.