feat: add cve information on the release note
jason1028kr committed Jan 30, 2025
1 parent 2fb3440 commit b1e4bed
Showing 2 changed files with 40 additions and 3 deletions.
21 changes: 21 additions & 0 deletions vhdbuilder/packer/trivy-scan.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ set -euxo pipefail
TRIVY_REPORT_DIRNAME=/opt/azure/containers
TRIVY_REPORT_ROOTFS_JSON_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-rootfs.json
TRIVY_REPORT_IMAGE_TABLE_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-images-table.txt
CVE_DIFF_QUERY_OUTPUT_PATH=${TRIVY_REPORT_DIRNAME}/cve-diff.txt
TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"

TRIVY_VERSION="0.57.0"
Expand Down Expand Up @@ -40,6 +41,8 @@ export SYSTEM_COLLECTIONURI=${26}
export SYSTEM_TEAMPROJECT=${27}
export BUILD_BUILDID=${28}
export IMAGE_VERSION=${29}
CVE_DIFF_UPLOAD_REPORT_NAME=${30}
SCAN_RESOURCE_PREFIX=${31}

retrycmd_if_failure() {
retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
Expand Down Expand Up @@ -131,6 +134,7 @@ rm "trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz"
chmod a+x trivy

# pull vuln-to-kusto binary
MODULE_VERSION="v0.0.3-a60608e7896"
az storage blob download --auth-mode login --account-name ${ACCOUNT_NAME} -c vuln-to-kusto \
--name ${MODULE_VERSION}/${MODULE_NAME}_linux_${GO_ARCH} \
--file ./${MODULE_NAME}
Expand Down Expand Up @@ -187,13 +191,30 @@ for CONTAINER_IMAGE in $IMAGE_LIST; do
fi
done

./vuln-to-kusto-vhd query-report query-diff 24h \
--vhd-vhdname=${VHD_ARTIFACT_NAME} \
--vhd-nodeimageversion=${IMAGE_VERSION} \
--severity="HIGH" \
--scan-resource-prefix=${SCAN_RESOURCE_PREFIX} \
--kusto-endpoint=${KUSTO_ENDPOINT} \
--kusto-database=${KUSTO_DATABASE} \
--kusto-table=${KUSTO_TABLE} \
--kusto-managed-identity-client-id=${UMSI_CLIENT_ID} >> ${CVE_DIFF_QUERY_OUTPUT_PATH}

rm ./trivy

chmod a+r "${CVE_DIFF_QUERY_OUTPUT_PATH}"
chmod a+r "${TRIVY_REPORT_ROOTFS_JSON_PATH}"
chmod a+r "${TRIVY_REPORT_IMAGE_TABLE_PATH}"

login_with_user_assigned_managed_identity ${AZURE_MSI_RESOURCE_STRING}

az storage blob upload --file ${CVE_DIFF_QUERY_OUTPUT_PATH} \
--container-name ${SIG_CONTAINER_NAME} \
--name ${CVE_DIFF_UPLOAD_REPORT_NAME} \
--account-name ${STORAGE_ACCOUNT_NAME} \
--auth-mode login

az storage blob upload --file ${TRIVY_REPORT_ROOTFS_JSON_PATH} \
--container-name ${SIG_CONTAINER_NAME} \
--name ${TRIVY_UPLOAD_REPORT_NAME} \
Expand Down
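Review bot: The new `./vuln-to-kusto-vhd query-report query-diff 24h` call hardcodes the binary name while the download a few lines above writes it to `./${MODULE_NAME}`; if those ever diverge the step fails at runtime, so `./${MODULE_NAME} query-report query-diff 24h \` keeps the two in sync (assuming MODULE_NAME is set earlier in the file to that name, which this hunk does not show). Because the file runs under `set -euxo pipefail`, a non-zero exit from this Kusto query now aborts the script before the Trivy rootfs and image reports are uploaded, so a transient Kusto outage blocks the scan artifacts the caller later downloads; if the CVE diff is meant to be best-effort release-note enrichment, guard it with `|| echo "WARN: cve diff query failed, release notes will lack CVE list" >&2`. The `--severity="HIGH"` filter also means the uploaded list is not a complete set of fixed CVEs — whether CRITICAL findings are included depends on the tool treating the flag as a threshold, which is not visible here — so add a comment above the call such as `# Only the last 24h of HIGH-severity findings are diffed; confirm CRITICAL is covered by the tool's --severity semantics before relying on this in release notes`. The `>>` redirect appends to any pre-existing ${CVE_DIFF_QUERY_OUTPUT_PATH}; `>` would avoid mixing stale output into the uploaded report.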
22 changes: 19 additions & 3 deletions vhdbuilder/packer/vhd-scanning.sh
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,12 @@ VHD_IMAGE="$MANAGED_SIG_ID"
SIG_CONTAINER_NAME="vhd-scans"
SCAN_VM_ADMIN_USERNAME="azureuser"

RELEASE_NOTES_FILEPATH="$(pwd)/release-notes.txt"
if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
echo "${RELEASE_NOTES_FILEPATH} does not exist"
exit 1
fi

# we must create VMs in a vnet subnet which has access to the storage account, otherwise they will not be able to access the VHD blobs
SCANNING_SUBNET_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PACKER_VNET_RESOURCE_GROUP_NAME}/providers/Microsoft.Network/virtualNetworks/${PACKER_VNET_NAME}/subnets/scanning"
if [ -z "$(az network vnet subnet show --ids $SCANNING_SUBNET_ID | jq -r '.id')" ]; then
Expand Down Expand Up @@ -51,10 +57,11 @@ function cleanup() {
echo "Deleting resource group ${RESOURCE_GROUP_NAME}"
az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait
}
trap cleanup EXIT
# trap cleanup EXIT
capture_benchmark "${SCRIPT_NAME}_set_variables_and_create_scan_resource_group"

VM_OPTIONS="--size Standard_D8ds_v5"
# VM_OPTIONS="--size Standard_D8ds_v5"
VM_OPTIONS="--size Standard_DS1_v2"
if [[ "${ARCHITECTURE,,}" == "arm64" ]]; then
VM_OPTIONS="--size Standard_D8pds_v5"
fi
Expand Down Expand Up @@ -97,6 +104,7 @@ TRIVY_SCRIPT_PATH="$CDIR/$TRIVY_SCRIPT_PATH"
TIMESTAMP=$(date +%s%3N)
TRIVY_UPLOAD_REPORT_NAME="trivy-report-${BUILD_ID}-${TIMESTAMP}.json"
TRIVY_UPLOAD_TABLE_NAME="trivy-table-${BUILD_ID}-${TIMESTAMP}.txt"
CVE_DIFF_UPLOAD_REPORT_NAME="cve-diff-${BUILD_ID}-${TIMESTAMP}.txt"

# Extract date, revision from build number
BUILD_RUN_NUMBER=$(echo $BUILD_RUN_NUMBER | cut -d_ -f 1)
Expand Down Expand Up @@ -140,17 +148,25 @@ az vm run-command invoke \
"SYSTEM_COLLECTIONURI"=${SYSTEM_COLLECTIONURI} \
"SYSTEM_TEAMPROJECT"=${SYSTEM_TEAMPROJECT} \
"BUILDID"=${BUILD_ID} \
"IMAGE_VERSION"=${IMAGE_VERSION}
"IMAGE_VERSION"=${IMAGE_VERSION} \
"CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME} \
"SCAN_RESOURCE_PREFIX"=${SCAN_RESOURCE_PREFIX}

capture_benchmark "${SCRIPT_NAME}_run_az_scan_command"

az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --file trivy-report.json --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --file trivy-images-table.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --file cve-diff.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login

az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --auth-mode login
az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --auth-mode login
az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --auth-mode login

capture_benchmark "${SCRIPT_NAME}_download_and_delete_blobs"

echo "=== CVEs fixed in version: ${IMAGE_VERSION}" >> ${RELEASE_NOTES_FILEPATH}
cat cve-diff.txt >> ${RELEASE_NOTES_FILEPATH}

echo -e "Trivy Scan Script Completed\n\n\n"
capture_benchmark "${SCRIPT_NAME}_overall" true
process_benchmarks
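Review bot: Commenting out `trap cleanup EXIT` means the scan resource group, and the VM built from the VHD under test inside it, is no longer deleted on exit or on any failure path, so every run leaks a running VM with the scanned image attached; restore `trap cleanup EXIT`. The `VM_OPTIONS="--size Standard_DS1_v2"` line with the original `Standard_D8ds_v5` commented out above it has the same look of a local debugging change and silently downgrades the scanner VM for amd64 while arm64 keeps its larger size; drop the override unless the smaller size is intended, in which case say so in a comment. The `cat cve-diff.txt >> ${RELEASE_NOTES_FILEPATH}` step pastes whatever the scan VM wrote into the release notes verbatim, so it is worth noting in a comment that the "CVEs fixed" section only reflects the severity window the scan script queried (the query itself lives in trivy-scan.sh, outside this file). The cleanup function's opening line is outside this hunk.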
