sast-snyk-check: increased version to 0.3
Solves: https://issues.redhat.com/browse/OSH-737

In this version, the severity-threshold argument is introduced and set to high by default, and the results are parsed with csgrep so they can be uploaded with the fingerprint. Also, results are filtered using the newly introduced csfilter-kfp and the KFP_GIT_URL variable, so known false positives won't be shown.
jperezdealgaba committed Sep 27, 2024
1 parent d42191e commit 90bf291
Showing 3 changed files with 286 additions and 0 deletions.
13 changes: 13 additions & 0 deletions task/sast-snyk-check/0.3/MIGRATION.md
@@ -0,0 +1,13 @@
# Migration from 0.2 to 0.3

Version 0.3:

- The `IMP_FINDINGS_ONLY` parameter has been introduced and enabled by default with "true" value. Only high or critical vulnerabilities will be shown. This behavior can be disabled with "false" value.
- The scan results uploaded in the SARIF format now additionally contain source code snippets and `csdiff/v1` fingerprints for each finding.
- There are no default arguments as "--all-projects --exclude=test*,vendor,deps" are ignored by Snyk Code
- SARIF produced by Snyk Code is not included in the CI log.
- The `KFP_GIT_URL` parameter has been introduced to indicate the repository to filter false positives. If this variable is left empty, the results won't be filtered. At the same time, we can store all excluded findings in a file using the `RECORD_EXCLUDED` parameter and specify a NVR with the `PROJECT_NVR`

## Action from users

Renovate bot PR will be created with warning icon for a sast-snyk-check which is expected, no action from users are required.
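Review bot: the `KFP_GIT_URL` bullet (last item of the "Version 0.3" list) runs two unrelated points into one sentence with no terminating period; split it so `RECORD_EXCLUDED` and `PROJECT_NVR` get their own sentence, e.g. "The `RECORD_EXCLUDED` parameter writes all excluded findings to a file, and `PROJECT_NVR` specifies the NVR used to look up path exclusions." ("a NVR" should be "an NVR"). The "There are no default arguments" bullet is ambiguous as written; state explicitly that `ARGS` now defaults to "" because Snyk Code ignores `--all-projects --exclude=test*,vendor,deps`. Under "Action from users", "no action from users are required" should read "no action from users is required".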
39 changes: 39 additions & 0 deletions task/sast-snyk-check/0.3/README.md
@@ -0,0 +1,39 @@
# sast-snyk-check task

## Description:

The sast-snyk-check task uses Snyk Code tool to perform Static Application Security Testing (SAST) for Snyk, a popular cloud-native application security platform.

Snyk's SAST tool uses a combination of static analysis and machine learning techniques to scan an application's source code for potential security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks.

> NOTE: This task is executed only if the user provides a Snyk token stored in a secret in their namespace. The name of the secret then needs to be supplied in the `snyk-secret` pipeline parameter.
## Params:

| name | description | default value | required |
|-------------------|--------------------------------------------------------------------------------------------------|---------------|----------|
| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | yes |
| ARGS | Append arguments. | "" | no |
| IMP_FINDINGS_ONLY | Report only important findings. Default is true. To report all findings, specify "false" | true | yes |
| KFP_GIT_URL | Link to the known-false-positives repository. If left blank, results won't be filtered | "" | no |
| PROJECT_NVR | Name-Version-Release (NVR) of the scanned project, used to find path exclusions (it is optional) | "" | no |
| RECORD_EXCLUDED | Write excluded records in file. Useful for debugging (it is optional). Default is "false" | false | no |

## How to obtain a snyk-token and enable snyk task on the pipeline:

Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)

## Results:

| name | description |
|---------------|----------------------------|
| TEST_OUTPUT | Tekton task test output. |

## Source repository for image:

https://github.com/konflux-ci/konflux-test

## Additional links:

* https://snyk.io/product/snyk-code/
* https://snyk.io/
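Review bot: the params table is out of sync with the task definition added in this same commit: `image-url`, `image-digest`, `caTrustConfigMapName` and `caTrustConfigMapKey` are declared in sast-snyk-check.yaml but not listed here, and `IMP_FINDINGS_ONLY` (and `SNYK_SECRET`) are marked required "yes" even though both have defaults. The NOTE refers to a `snyk-secret` pipeline parameter while the task parameter is `SNYK_SECRET`; it should also say that the secret must hold the token under the key `snyk_token`, since the script reads `/etc/secrets/snyk_token` from the mounted secret. The Description's first sentence, "perform Static Application Security Testing (SAST) for Snyk, a popular ... platform", reads as if Snyk were the target; Snyk is the vendor, so say the task uses Snyk Code, Snyk's SAST tool. `RECORD_EXCLUDED` is described as "Useful for debugging" here but "Useful for auditing" in the YAML; pick one wording.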
234 changes: 234 additions & 0 deletions task/sast-snyk-check/0.3/sast-snyk-check.yaml
@@ -0,0 +1,234 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
labels:
app.kubernetes.io/version: "0.3"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: "konflux"
name: sast-snyk-check
spec:
description: >-
Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.
results:
- description: Tekton task test output.
name: TEST_OUTPUT
params:
- name: SNYK_SECRET
description: Name of secret which contains Snyk token.
default: snyk-secret
- name: ARGS
type: string
description: Append arguments.
default: ""
- description: Image URL.
name: image-url
type: string
# In a future 0.4 version of the task, drop the default to make this required
default: ""
- description: Image digest to report findings for.
name: image-digest
type: string
# In a future 0.4 version of the task, drop the default to make this required
default: ""
- name: caTrustConfigMapName
type: string
description: The name of the ConfigMap to read CA bundle data from.
default: trusted-ca
- name: caTrustConfigMapKey
type: string
description: The name of the key in the ConfigMap that contains the CA bundle data.
default: ca-bundle.crt
- name: IMP_FINDINGS_ONLY
type: string
description: Report only important findings. Default is true. To report all findings, specify "false"
default: "true"
- name: KFP_GIT_URL
type: string
description: URL from repository to download known false positives files
default: "" # FIXME: Red Hat internal projects will default to https://gitlab.cee.redhat.com/osh/known-false-positives.git when KONFLUX-4530 is resolved
- name: PROJECT_NVR
type: string
description: Name-Version-Release (NVR) of the scanned project, used to find path exclusions (it is optional)
default: ""
- name: RECORD_EXCLUDED
type: string
description: Write excluded records in file. Useful for auditing (defaults to false).
default: "false"
volumes:
- name: snyk-secret
secret:
secretName: $(params.SNYK_SECRET)
optional: true
- name: trusted-ca
configMap:
name: $(params.caTrustConfigMapName)
items:
- key: $(params.caTrustConfigMapKey)
path: ca-bundle.crt
optional: true
steps:
- name: sast-snyk-check
image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
# the cluster will set imagePullPolicy to IfNotPresent
workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
volumeMounts:
- name: snyk-secret
mountPath: "/etc/secrets"
readOnly: true
- name: trusted-ca
mountPath: /mnt/trusted-ca
readOnly: true
env:
- name: SNYK_SECRET
value: $(params.SNYK_SECRET)
- name: ARGS
value: $(params.ARGS)
- name: IMP_FINDINGS_ONLY
value: $(params.IMP_FINDINGS_ONLY)
- name: KFP_GIT_URL
value: $(params.KFP_GIT_URL)
- name: PROJECT_NVR
value: $(params.PROJECT_NVR)
- name: RECORD_EXCLUDED
value: $(params.RECORD_EXCLUDED)
script: |
#!/usr/bin/env bash
set -euo pipefail
. /utils.sh
trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT
# Installation of Red Hat certificates for cloning Red Hat internal repositories
ca_bundle=/mnt/trusted-ca/ca-bundle.crt
if [ -f "$ca_bundle" ]; then
echo "INFO: Using mounted CA bundle: $ca_bundle"
cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
update-ca-trust
fi
SNYK_TOKEN_PATH="/etc/secrets/snyk_token"
if [ -f "${SNYK_TOKEN_PATH}" ] && [ -s "${SNYK_TOKEN_PATH}" ]; then
# SNYK token is provided
SNYK_TOKEN="$(cat ${SNYK_TOKEN_PATH})"
export SNYK_TOKEN
else
to_enable_snyk='[here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)'
note="Task $(context.task.name) skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key "snyk_token" containing the Snyk token by following the steps given ${to_enable_snyk}"
TEST_OUTPUT=$(make_result_json -r SKIPPED -t "$note")
echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
exit 0
fi
SNYK_EXIT_CODE=0
SOURCE_CODE_DIR=$(workspaces.workspace.path)
# shellcheck disable=SC2086
# We do want to expand ARGS (it can be multiple CLI flags, not just one)
SEVERITY_THRESHOLD="high"
if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
SEVERITY_THRESHOLD="low"
fi
set +e
snyk code test $ARGS --severity-threshold="$SEVERITY_THRESHOLD" "$SOURCE_CODE_DIR" --max-depth=1 --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt
SNYK_EXIT_CODE=$?
set -e
test_not_skipped=0
SKIP_MSG="We found 0 supported files"
grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$?
# In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context
(cd "$SOURCE_CODE_DIR" && csgrep --mode=json --embed-context=3 $(workspaces.workspace.path)/hacbs/$(context.task.name)/sast_snyk_check_out.json) \
| csgrep --mode=json --strip-path-prefix="source/" \
> sast_snyk_check_out_all_findings.json
echo "Results:"
(set -x; csgrep --mode=evtstat sast_snyk_check_out_all_findings.json)
# We check if the KFP_GIT_URL variable is set to apply the filters or not
if [[ -z "${KFP_GIT_URL}" ]]; then
echo "KFP_GIT_URL variable not defined. False positives won't be filtered"
mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json
else
echo "Filtering false positives in results files using csfilter-kfp..."
CMD=(
csfilter-kfp
--verbose
--kfp-git-url="${KFP_GIT_URL}"
)
if [[ -n "${PROJECT_NVR}" ]]; then
CMD+=(--project-nvr="${PROJECT_NVR}")
fi
if [ "${RECORD_EXCLUDED}" == "true" ]; then
CMD+=(--record-excluded="excluded-findings.json")
fi
set +e
"${CMD[@]}" sast_snyk_check_out_all_findings.json > filtered_sast_snyk_check_out.json
status=$?
set -e
if [ "$status" -ne 0 ]; then
echo "Error: failed to filter known false positives" >&2
return 1
else
echo "Message: Succeed to filter known false positives" >&2
SCAN_RESULT="filtered_sast_unicode_check_out.json"
fi
echo "Results after filtering:"
(set -x; csgrep --mode=evtstat filtered_sast_snyk_check_out.json)
fi
csgrep --mode=sarif filtered_sast_snyk_check_out.json > sast_snyk_check_out.sarif
if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1 ]]; then
TEST_OUTPUT=
parse_test_output '$(context.task.name)' sarif sast_snyk_check_out.sarif || true
# When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can also be 3 in some other situation
elif [[ "$test_not_skipped" -eq 0 ]]; then
note="Task $(context.task.name) success: Snyk code test found zero supported files."
ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note")
else
echo "sast-snyk-check test failed because of the following issues:"
cat stdout.txt
note="Task $(context.task.name) failed: For details, check Tekton task log."
ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note")
fi
echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path)
- name: upload
image: quay.io/konflux-ci/oras:latest@sha256:f4b891ee3038a5f13cd92ff4f473faad5601c2434d1c6b9bccdfc134d9d5f820
workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
env:
- name: IMAGE_URL
value: $(params.image-url)
- name: IMAGE_DIGEST
value: $(params.image-digest)
script: |
#!/usr/bin/env bash
UPLOAD_FILES="sast_snyk_check_out.sarif excluded-findings.json"
for UPLOAD_FILE in ${UPLOAD_FILES}; do
if [ ! -f "${UPLOAD_FILE}" ]; then
echo "No ${UPLOAD_FILE} exists. Skipping upload."
continue
fi
if [ "${UPLOAD_FILES}" == "excluded-findings.json" ]; then
MEDIA_TYPE=application/json
else
MEDIA_TYPE=application/sarif+json
fi
echo "Selecting auth"
select-oci-auth "${IMAGE_URL}" > "${HOME}/auth.json"
echo "Attaching to ${IMAGE_URL}"
oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}"
done
workspaces:
- name: workspace
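Review bot: several logic defects in the step scripts. (1) `return 1` in the `csfilter-kfp` failure branch is outside any function, so bash rejects it with "can only `return' from a function or sourced script" and the step's outcome then depends on `set -e` rather than on an explicit failure; use `exit 1` (the EXIT trap will still run `handle_error`). (2) `SCAN_RESULT="filtered_sast_unicode_check_out.json"` is a leftover from another task: no such file is produced here and `SCAN_RESULT` is never read, since the SARIF conversion uses `filtered_sast_snyk_check_out.json` directly; delete the line. (3) In the upload step, `if [ "${UPLOAD_FILES}" == "excluded-findings.json" ]` tests the whole list instead of the loop variable `UPLOAD_FILE`, so it never matches and `excluded-findings.json` is attached as `application/sarif+json`. (4) The upload step has no `set -euo pipefail` and never checks that `IMAGE_URL` is non-empty although `image-url` defaults to "", so a failing `select-oci-auth` or `oras attach` passes silently; add the strict-mode line and skip the step when `IMAGE_URL` is empty. (5) In the snyk invocation, `1>&2>> stdout.txt` dups stdout onto stderr and then immediately reopens stdout to the file, so stderr is never captured; if `cat stdout.txt` in the failure branch is meant to show Snyk's errors, write `>> stdout.txt 2>&1`. (6) The `# shellcheck disable=SC2086` directive is separated from the `snyk code test $ARGS ...` line by the `SEVERITY_THRESHOLD` block, so it applies to `SEVERITY_THRESHOLD="high"` instead; move it directly above the invocation. Minor: the `note` string in the skipped branch nests `"snyk_token"` inside a double-quoted string, which drops the quotes from the emitted message, and "secret name snyk-secret" should be "secret named snyk-secret"; `cp -vf $ca_bundle` and `tee $(results.TEST_OUTPUT.path)` should quote their arguments.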
