Feature/otc 218 enhance post quote partyIdInfo with extension list (m…

…ojaloop#190) * Added the extension list under the partyidinfo obj * OTC-218 Changes: Enhanced Post Quotes on quoting service to handle extension lists under partyId info Updated dependencies Postponed audit issue * OTC-218 Changes: Enhanced Post Quotes on quoting service to handle extension lists under partyId info
vessels-tech · Apr 13, 2020 · 96c761c · 96c761c
1 parent fa615b3
commit 96c761c
Show file tree

Hide file tree

Showing 7 changed files with 1,864 additions and 630 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -213,21 +213,20 @@ jobs:
           prefix: licenses
 
   image-scan:
-    # executor: anchore/anchore_engine
-    executor: default-docker
+    executor: anchore/anchore_engine
     steps:
       - setup_remote_docker
       - checkout
+      - run:
+          name: Install docker dependencies for anchore
+          command: |
+            apk add --update py-pip docker python-dev libffi-dev openssl-dev gcc libc-dev make jq npm
       - run:
           name: Install general dependencies
           command: *defaults_Dependencies
       - run:
           name: Install AWS CLI dependencies
           command: *defaults_awsCliDependencies
-      - run:
-          name: Install docker dependencies for anchore
-          command: |
-            apk add --update py-pip docker python-dev libffi-dev openssl-dev gcc libc-dev make jq
       - attach_workspace:
           at: /tmp
       - run:

diff --git a/README.md b/README.md
@@ -11,24 +11,26 @@ The Quoting service is now part of the Mojaloop project and deployment.
 The service provided by the API resource /quotes is calculation of possible fees and FSP commission involved in performing an interoperable financial transaction. 
 Both the Payer and Payee FSP should calculate their part of the quote to be able to get a total view of all the fees and FSP commission involved in the transaction.
 
-### Contents:
+## Contents:
 
 - [Services Sequence overview](#services-sequence-overview)
-- [Local Deployment](#local-deployment)
+- [Running Locally](#running-locally)
+- [Auditing Dependencies](#auditing-dependencies)
+- [Container Scans](#container-scans)
 
 ## Services Sequence overview
 
 ![Quoting Service Sequence diagram](diagrams/quotingServiceSequences.svg)
 
 * [Quoting Service Sequence diagram](diagrams/quotingServiceSequences.puml)
 
-## Local Deployment
+## Running Locally
 
 Please follow the instruction in [Onboarding Document](onboarding.md) to setup and run the service locally.
 
 ## Auditing Dependencies
 
-We use `npm-audit-resolver` along with `npm audit` to check dependencies for vulnerabilities, and keep track of resolved dependencies with an `audit-resolv.json` file.
+We use `npm-audit-resolver` along with `npm audit` to check dependencies for node vulnerabilities, and keep track of resolved dependencies with an `audit-resolve.json` file.
 
 To start a new resolution process, run:
 ```bash
@@ -41,3 +43,14 @@ npm run audit:check
 ```
 
 And commit the changed `audit-resolv.json` to ensure that CircleCI will build correctly.
+
+## Container Scans
+
+As part of our CI/CD process, we use anchore-cli to scan our built docker container for vulnerabilities upon release.
+
+If you find your release builds are failing, refer to the [container scanning](https://github.com/mojaloop/ci-config#container-scanning) in our shared Mojaloop CI config repo. There is a good chance you simply need to update the `mojaloop-policy-generator.js` file and re-run the circleci workflow.
+
+For more information on anchore and anchore-cli, refer to:
+- [Anchore CLI](https://github.com/anchore/anchore-cli)
+- [Circle Orb Registry](https://circleci.com/orbs/registry/orb/anchore/anchore-engine)
+