sast: initial task for Coverity Buildless

Solves: https://issues.redhat.com/browse/OSH-740 Initial version of the Coverity Buildless task. In introduces two different tasks: A task checking the availability of Coverity license and authentication token, and a task for scanning the code. The code will be scanned using coverity buildless mode, then the results are processing using csgrep and the results are later filtered using csfilter-kfp.
konflux-ci · Sep 26, 2024 · 9878cfc · 9878cfc
1 parent dc50185
commit 9878cfc
Show file tree

Hide file tree

Showing 7 changed files with 466 additions and 0 deletions.
diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml
@@ -238,6 +238,45 @@ spec:
         value: $(tasks.build-image-index.results.IMAGE_DIGEST)
       - name: image-url
         value: $(tasks.build-image-index.results.IMAGE_URL)
+    - name: coverity-availability-check
+      runAfter:
+        - build-image-index
+      taskRef:
+        # FIXME: This needs testing as it can not be tested on our local instance.
+        name: coverity-availability-check
+        version: "0.1"
+      when:
+        - input: $(params.skip-checks)
+          operator: in
+          values:
+            - "false"
+      workspaces:
+        - name: workspace
+      workspace: workspace
+    - name: sast-coverity-check
+      params:
+        - name: image-digest
+          value: $(tasks.build-container.results.IMAGE_DIGEST)
+        - name: image-url
+          value: $(tasks.build-container.results.IMAGE_URL)
+      runAfter:
+        - coverity-availability-check
+      taskRef:
+        taskRef:
+          # FIXME: This needs testing as it can not be tested on our local instance.
+          name: sast-coverity-check
+          version: "0.1"
+      when:
+        - input: $(params.skip-checks)
+          operator: in
+          values:
+            - "false"
+        - input: $(tasks.coverity-availability-check.results.TASK_OUTPUT)
+          operator: in
+          values: [ "success" ]
+      workspaces:
+        - name: workspace
+          workspace: workspace
     - name: apply-tags
       runAfter:
         - build-image-index

diff --git a/task/coverity-availability-check/0.1/README.md b/task/coverity-availability-check/0.1/README.md
@@ -0,0 +1,25 @@
+# coverity-availability-check task
+
+## Description:
+
+This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.
+
+The characteristics of these tasks are:
+
+- It will check for a secret called "auth-token-coverity-image" where the authentication token for pulling Coverity image is pulled.
+- It will check for a secret called "cov-license" where the Coverity license is stored.
+
+> NOTE: If any of these tasks fails, the sast-coverity-task check won't be executed. The Coverity license can be used by Red Hat employees only and it needs to be protected such that external users cannot access the license.
+
+## Params:
+
+| name                        | description                                                                            | default value              | required |
+|-----------------------------|----------------------------------------------------------------------------------------|----------------------------|----------|
+| AUTH_TOKEN_COVERITY_IMAGE   | Name of secret which contains the authentication token for pulling the Coverity image  | auth-token-coverity-image  | yes      | 
+| COV_LICENSE                 | Name of secret which contains the Coverity license                                     | cov-license                | yes      |                                                                    
+
+## Results:
+
+| name        | description              |
+|-------------|--------------------------|
+| TASK_OUTPUT | Tekton task test output. |
diff --git a/task/coverity-availability-check/0.1/coverity-availability-check.yaml b/task/coverity-availability-check/0.1/coverity-availability-check.yaml
@@ -0,0 +1,78 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: "konflux"
+  name: sast-coverity-check
+spec:
+  description: >-
+    This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.
+  results:
+    - description: Tekton task result output.
+      name: TASK_OUTPUT
+  params:
+    - name: COV_LICENSE
+      description: Name of secret which contains the Coverity license
+      default: cov-license
+    - name: AUTH_TOKEN_COVERITY_IMAGE
+      description: Name of secret which contains the authentication token for pulling the Coverity image.
+      default: "auth-token-coverity-image"
+  volumes:
+    - name: cov-license
+      secret:
+        secretName: $(params.COV_LICENSE)
+        optional: true
+    - name: auth-token-coverity-image
+      secret:
+        secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE)
+        optional: true
+  steps:
+    - name: coverity-availability-check
+      image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072
+      onError: stopAndFail
+      # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
+      # the cluster will set imagePullPolicy to IfNotPresent
+      workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
+      volumeMounts:
+        - name: cov-license
+          mountPath: "/etc/secrets/cov"
+          readOnly: true
+        - name: auth-token-coverity-image
+          mountPath: "/etc/secrets/auth/config.json"
+          subPath: .dockerconfigjson
+      env:
+        - name: COV_LICENSE
+          value: $(params.COV_LICENSE)
+        - name: AUTH_TOKEN_COVERITY_IMAGE
+          value: $(params.AUTH_TOKEN_COVERITY_IMAGE)
+      script: |
+        #!/usr/bin/env bash
+        set -eo pipefail
+        
+        # Checking Coverity license
+        COV_LICENSE_PATH=/etc/secrets/cov/cov-license
+        if [ -f "${COV_LICENSE_PATH}" ] && [ -s "${COV_LICENSE_PATH}" ]; then
+          echo "Coverity license detected!"
+        else
+          echo "No license file for Coverity was detected. Coverity scan won't be executed..."
+          echo "Please, create a secret called "cov-license" with a key called "cov-license" and the value containing the Coverity license."
+          exit 0
+        fi
+        
+        # Checking authentication token for downloading coverity image
+        AUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json
+        if [ -f "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ] && [ -s "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ]; then
+          echo "Authentication token detected!"
+        else
+          echo "No authentication token for downloading Coverity image detected. Coverity scan won't be executed..."
+          echo "Please, create an imagePullSecret named "auth-token-coverity-image" with the authentication token for pulling the Coverity image."
+          exit 0
+        fi
+        
+        echo -n "success" | tee "$(results.TASK_OUTPUT.path)"
+
+  workspaces:
+  - name: workspace
diff --git a/task/coverity-availability-check/OWNERS b/task/coverity-availability-check/OWNERS
@@ -0,0 +1,5 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+approvers:
+  - integration-team
+reviewers:
+  - integration-team
diff --git a/task/sast-coverity-check/0.1/README.md b/task/sast-coverity-check/0.1/README.md
@@ -0,0 +1,47 @@
+# sast-coverity-check task
+
+## Description:
+
+The sast-coverity-check task uses Coverity tool to perform Static Application Security Testing (SAST). In this task, we use the buildless mode, where Coverity has the ability to capture source code without the need of building the product.
+
+The documentation for this mode can be found here: https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html
+
+The characteristics of these tasks are:
+
+- Perform buildless scanning with Coverity
+- The whole source code is scanned (by scanning `$(workspaces.source.path)` )
+- Only important findings are reported by default.  A parameter ( `IMP_FINDINGS_ONLY`) is provided to override this configuration.
+- The csdiff/v1 SARIF fingerprints are provided for all findings
+- A parameter ( `KFP_GIT_URL`) is provided to remove false positives providing a known false positives repository. By default, no repository is provided.
+
+> NOTE: This task is executed only if there is a Coverity license set up in the environment. Please check coverity-availability-check task for more information.
+
+## Params:
+
+| name                        | description                                                                                                                            | default value             | required |                                                                                                                   
+|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------|
+| COV_CAPTURE_ARGS            | Append arguments to the Coverity Capture CLI command                                                                                   | ""                        | yes      |
+| COV_ANALYZE_ARGS            | Append arguments to the cov-analyze CLI command                                                                                        | ""                        | yes      |
+| COV_LICENSE                 | Name of secret which contains the Coverity license                                                                                     | cov-license               | yes      |
+| AUTH_TOKEN_COVERITY_IMAGE   | Name of secret which contains the authentication token for pulling the Coverity image                                                  | auth-token-coverity-image | yes      |
+| IMP_FINDINGS_ONLY           | Report only important findings. Default is true. To report all findings, specify "false"                                               | true                      | yes      |
+| KFP_GIT_URL                 | Known False Positives git URL, optionally taking a revision delimited by #; If empty, filtering of known false positives is disabled.  | ""                        | no       |
+| PROJECT_NVR                 | Name-Version-Release (NVR) of the scanned project, used to find path exclusions (it is optional)                                       | ""                        | no       |
+| RECORD_EXCLUDED             | If set to `true`, excluded findings will be written to a file named `excluded-findings.json` for auditing purposes.                    | false                     | no       |
+
+## Results:
+
+| name              | description              |
+|-------------------|--------------------------|
+| TEST_OUTPUT       | Tekton task test output. |
+
+## Source repository for image:
+
+// TODO: Add reference to private repo for the container image once the task is migrated to repo
+
+
+## Additional links:
+
+* https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html
+* https://scan.coverity.com/
+* https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/cli/topics/options_reference.html