From 8856e8cf75eef1a7915c5bfa378220636f131e12 Mon Sep 17 00:00:00 2001
From: "v.oleynikov"
Date: Mon, 19 Aug 2024 15:21:33 +0300
Subject: [PATCH] [CI] Add Trivy vulnerables check
Signed-off-by: v.oleynikov
---
 .github/workflows/trivy_check.yaml | 32 +++++++++++++++++
 images/csi-nfs/patches/0002-fix-go-mod.patch | 38 ++++++++++++++++++++
 images/csi-nfs/patches/README.md | 6 ++++
 trivy.yaml | 2 ++
 4 files changed, 78 insertions(+)
 create mode 100644 .github/workflows/trivy_check.yaml
 create mode 100644 images/csi-nfs/patches/0002-fix-go-mod.patch
 create mode 100644 images/csi-nfs/patches/README.md
 create mode 100644 trivy.yaml
diff --git a/.github/workflows/trivy_check.yaml b/.github/workflows/trivy_check.yaml
new file mode 100644
index 00000000..49015cda
--- /dev/null
+++ b/.github/workflows/trivy_check.yaml
@@ -0,0 +1,32 @@
+name: Trivy check for sub repos
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ test:
+ name: Trivy check for sub repos
+ runs-on: [self-hosted, regular]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Prepare sub repo
+ run: |
+ version=`grep "version :=" images/csi-nfs/werf.inc.yaml | awk -F'"' '{ print $2}'`
+ git clone --depth 1 --branch $version ${{ secrets.SOURCE_REPO }}/kubernetes-csi/csi-driver-nfs.git ./csi-driver-nfs
+ cp -R ./images/csi-nfs/patches ./csi-driver-nfs
+ cd ./csi-driver-nfs
+ for patchfile in ./patches/*.patch ; do echo -n "Apply ${patchfile} ... "; git apply ${patchfile}; done
+ cd ..
+
+ - name: Run Trivy vulnerability scanner in fs mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ trivy-config: trivy.yaml
diff --git a/images/csi-nfs/patches/0002-fix-go-mod.patch b/images/csi-nfs/patches/0002-fix-go-mod.patch
new file mode 100644
index 00000000..4f26e9d5
--- /dev/null
+++ b/images/csi-nfs/patches/0002-fix-go-mod.patch
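Review bot: Both actions in the new workflow are fetched from mutable refs — `uses: actions/checkout@v2` on the checkout step and `uses: aquasecurity/trivy-action@master` on the scan step — so whatever that tag or branch points at on a given day runs on the self-hosted runner with access to `secrets.SOURCE_REPO`; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # 0.x`, and move checkout off the deprecated v2 line while doing so. Separately, if this repository accepts pull requests from forks, `secrets.SOURCE_REPO` is empty in that `pull_request` context and the `git clone` line degrades to a bare `/kubernetes-csi/csi-driver-nfs.git` path, so the step fails before Trivy ever runs; either restrict the trigger or guard the clone with an explicit non-empty check on the secret. The `version` value from the grep/awk pipeline is also used unquoted in `--branch $version`; writing `--branch "$version"` keeps a future werf value with whitespace from silently splitting into extra arguments.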
@@ -0,0 +1,38 @@
+Subject: [PATCH] Fix go.mod
+---
+Index: go.mod
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/go.mod b/go.mod
+--- a/go.mod (revision d774c858aa291b744ab83d9cf315dfea1056f1ce)
++++ b/go.mod (revision 6a23511b5c0f26227f0fc78479ce4bd18bcedfd2)
+@@ -16,7 +16,7 @@
+ k8s.io/apimachinery v0.28.9
+ k8s.io/client-go v0.28.9
+ k8s.io/klog/v2 v2.120.1
+- k8s.io/kubernetes v1.28.9
++ k8s.io/kubernetes v1.28.12
+ k8s.io/mount-utils v0.29.4
+ k8s.io/pod-security-admission v0.0.0
+ k8s.io/utils v0.0.0-20230726121419-3b25d923346b
+Index: go.sum
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+diff --git a/go.sum b/go.sum
+--- a/go.sum (revision d774c858aa291b744ab83d9cf315dfea1056f1ce)
++++ b/go.sum (revision 6a23511b5c0f26227f0fc78479ce4bd18bcedfd2)
+@@ -692,8 +692,8 @@
+ k8s.io/kubectl v0.28.9/go.mod h1:ip/zTUr1MM/H2M+YbPHnSKLt0x6kb85SJtRSjwEGDfs=
+ k8s.io/kubelet v0.28.9 h1:76v00fFLeniz27kXhGGUIxONdwa9LKcD2Jd5cXYAZko=
+ k8s.io/kubelet v0.28.9/go.mod h1:46P39DFjI+E59nU2OgpatyS3oWy58ClulKO6riZ/97o=
+-k8s.io/kubernetes v1.28.9 h1:I4sYGQJOuxEo4/QWoY7M8kDB7O0HcH266t6o6mR6ogg=
+-k8s.io/kubernetes v1.28.9/go.mod h1:chlmcCDBnOA/y+572cw8dO0Rci1wiA8bm5+zhPdFLCk=
++k8s.io/kubernetes v1.28.12 h1:DtWB8ZjoYiN/PXD4qDXFppf9IouVUavn6r3S+3NMUkU=
++k8s.io/kubernetes v1.28.12/go.mod h1:chlmcCDBnOA/y+572cw8dO0Rci1wiA8bm5+zhPdFLCk=
+ k8s.io/mount-utils v0.29.4 h1:tW/URea4gtXlaVW7VObr52NQhS+z3SXTg1GUaFZjRL4=
+ k8s.io/mount-utils v0.29.4/go.mod h1:SHUMR9n3b6tLgEmlyT36cL6fV6Sjwa5CJhc0guCXvb0=
+ k8s.io/pod-security-admission v0.28.9 h1:towoNqSp7aU7gF8T89zftCuQUfliyib3ds20Kz/hysg=
diff --git a/images/csi-nfs/patches/README.md b/images/csi-nfs/patches/README.md
new file mode 100644
index 00000000..eb4016d1
--- /dev/null
+++ b/images/csi-nfs/patches/README.md
@@ -0,0 +1,6 @@
+## Patches
+
+### Fix go.mod
+
+It fixes https://avd.aquasec.com/nvd/2024/cve-2024-5321/
+MUST BE removed after switching to v4.9.0
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 00000000..75925afa
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,2 @@
+format: table
+exit-code: 1
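Review bot: `exit-code: 1` with no `severity` key makes the new gate fail on every finding Trivy reports, LOW and UNKNOWN included, and without `ignore-unfixed` it also fails on CVEs that have no upstream fix yet, which is the usual reason a blocking scan ends up disabled a few weeks after it is added. Make the policy an explicit decision in this file, e.g. `severity: HIGH,CRITICAL` and `ignore-unfixed: true` (or keep the stricter defaults and add a comment saying that is intended), so the next person does not have to infer it from a red pipeline. Findings the team knowingly accepts should then go into a `.trivyignore` entry with an expiry date rather than being worked around in the patch set, matching the "MUST BE removed after switching to v4.9.0" discipline the README hunk on this same line already applies to the go.mod patch.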