Skip to content

Commit

Permalink
sast: initial task for Coverity Buildless
Browse files Browse the repository at this point in the history 
Solves: https://issues.redhat.com/browse/OSH-740

Initial version of the Coverity Buildless task. In introduces two different tasks: A task checking the availability of Coverity license and authentication token, and a task for scanning the code. The code will be scanned using coverity buildless mode, then the results are processing using csgrep and the results are later filtered using csfilter-kfp.
  • Loading branch information
@jperezdealgaba
jperezdealgaba committed Sep 27, 2024
1 parent dc50185 commit 79b5ea1
Show file tree
Hide file tree
Showing 7 changed files with 459 additions and 0 deletions.
39 changes: 39 additions & 0 deletions pipelines/template-build/template-build.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,45 @@ spec:
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
- name: coverity-availability-check
runAfter:
- build-image-index
taskRef:
# FIXME: This needs testing as it can not be tested on our local instance.
name: coverity-availability-check
version: "0.1"
when:
- input: $(params.skip-checks)
operator: in
values:
- "false"
workspaces:
- name: workspace
workspace: workspace
- name: sast-coverity-check
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- coverity-availability-check
taskRef:
taskRef:
# FIXME: This needs testing as it can not be tested on our local instance.
name: sast-coverity-check
version: "0.1"
when:
- input: $(params.skip-checks)
operator: in
values:
- "false"
- input: $(tasks.coverity-availability-check.results.TASK_OUTPUT)
operator: in
values: [ "success" ]
workspaces:
- name: workspace
workspace: workspace
- name: apply-tags
runAfter:
- build-image-index
Expand Down
25 changes: 25 additions & 0 deletions task/coverity-availability-check/0.1/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# coverity-availability-check task

## Description:

This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.

The characteristics of these tasks are:

- It will check for a secret called "auth-token-coverity-image" where the authentication token for pulling Coverity image is pulled.
- It will check for a secret called "cov-license" where the Coverity license is stored.

> NOTE: If any of these tasks fails, the sast-coverity-task check won't be executed. The Coverity license can be used by Red Hat employees only and it needs to be protected such that external users cannot access the license.
## Params:

| name | description | default value | required |
|-----------------------------|----------------------------------------------------------------------------------------|----------------------------|----------|
| AUTH_TOKEN_COVERITY_IMAGE | Name of secret which contains the authentication token for pulling the Coverity image | auth-token-coverity-image | yes |
| COV_LICENSE | Name of secret which contains the Coverity license | cov-license | yes |

## Results:

| name | description |
|-------------|--------------------------|
| TASK_OUTPUT | Tekton task test output. |
78 changes: 78 additions & 0 deletions task/coverity-availability-check/0.1/coverity-availability-check.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
labels:
app.kubernetes.io/version: "0.1"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: "konflux"
name: sast-coverity-check
spec:
description: >-
This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.
results:
- description: Tekton task result output.
name: TASK_OUTPUT
params:
- name: COV_LICENSE
description: Name of secret which contains the Coverity license
default: cov-license
- name: AUTH_TOKEN_COVERITY_IMAGE
description: Name of secret which contains the authentication token for pulling the Coverity image.
default: "auth-token-coverity-image"
volumes:
- name: cov-license
secret:
secretName: $(params.COV_LICENSE)
optional: true
- name: auth-token-coverity-image
secret:
secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE)
optional: true
steps:
- name: coverity-availability-check
image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072
onError: stopAndFail
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
# the cluster will set imagePullPolicy to IfNotPresent
workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
volumeMounts:
- name: cov-license
mountPath: "/etc/secrets/cov"
readOnly: true
- name: auth-token-coverity-image
mountPath: "/etc/secrets/auth/config.json"
subPath: .dockerconfigjson
env:
- name: COV_LICENSE
value: $(params.COV_LICENSE)
- name: AUTH_TOKEN_COVERITY_IMAGE
value: $(params.AUTH_TOKEN_COVERITY_IMAGE)
script: |
#!/usr/bin/env bash
set -eo pipefail
# Checking Coverity license
COV_LICENSE_PATH=/etc/secrets/cov/cov-license
if [ -f "${COV_LICENSE_PATH}" ] && [ -s "${COV_LICENSE_PATH}" ]; then
echo "Coverity license detected!"
else
echo 'No license file for Coverity was detected. Coverity scan won't be executed...'
echo 'Please, create a secret called "cov-license" with a key called "cov-license" and the value containing the Coverity license.'
exit 0
fi
# Checking authentication token for downloading coverity image
AUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json
if [ -f "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ] && [ -s "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ]; then
echo "Authentication token detected!"
else
echo 'No authentication token for downloading Coverity image detected. Coverity scan won't be executed...'
echo 'Please, create an imagePullSecret named "auth-token-coverity-image" with the authentication token for pulling the Coverity image.'
exit 0
fi
echo -n "success" | tee "$(results.TASK_OUTPUT.path)"
workspaces:
- name: workspace
5 changes: 5 additions & 0 deletions task/coverity-availability-check/OWNERS
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# See the OWNERS docs: https://go.k8s.io/owners
approvers:
- integration-team
reviewers:
- integration-team
46 changes: 46 additions & 0 deletions task/sast-coverity-check/0.1/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
# sast-coverity-check task

## Description:

The sast-coverity-check task uses Coverity tool to perform Static Application Security Testing (SAST). In this task, we use the buildless mode, where Coverity has the ability to capture source code without the need of building the product.

The documentation for this mode can be found here: https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html

The characteristics of these tasks are:

- Perform buildless scanning with Coverity
- The whole source code is scanned (by scanning `$(workspaces.source.path)` )
- Only important findings are reported by default. A parameter ( `IMP_FINDINGS_ONLY`) is provided to override this configuration.
- The csdiff/v1 SARIF fingerprints are provided for all findings
- A parameter ( `KFP_GIT_URL`) is provided to remove false positives providing a known false positives repository. By default, no repository is provided.

> NOTE: This task is executed only if there is a Coverity license set up in the environment. Please check coverity-availability-check task for more information.
## Params:

| name | description | default value | required |
|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------|
| COV_CAPTURE_ARGS | Append arguments to the Coverity Capture CLI command | "" | no |
| COV_ANALYZE_ARGS | Append arguments to the cov-analyze CLI command | "" | no |
| COV_LICENSE | Name of secret which contains the Coverity license | cov-license | no |
| AUTH_TOKEN_COVERITY_IMAGE | Name of secret which contains the authentication token for pulling the Coverity image | auth-token-coverity-image | no |
| IMP_FINDINGS_ONLY | Report only important findings. Default is true. To report all findings, specify "false" | true | no |
| KFP_GIT_URL | Known False Positives git URL, optionally taking a revision delimited by #; If empty, filtering of known false positives is disabled. | "" | no |
| PROJECT_NVR | Name-Version-Release (NVR) of the scanned project, used to find path exclusions (it is optional) | "" | no |
| RECORD_EXCLUDED | If set to `true`, excluded findings will be written to a file named `excluded-findings.json` for auditing purposes. | false | no |

## Results:

| name | description |
|-------------------|--------------------------|
| TEST_OUTPUT | Tekton task test output. |

## Source repository for image:

// TODO: Add reference to private repo for the container image once the task is migrated to repo


## Additional links:

* https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html
* https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/cli/topics/options_reference.html
Loading

0 comments on commit 79b5ea1

Please sign in to comment.