sast-snyk-check: increased version to 0.3 #1359
Conversation
Force-pushed from 9801287 to 38f3878
@jsztuka Would you mind giving a review for this?
@jsztuka Does the 👍🏻 mean that it looks good and nothing needs to be modified?
lgtm
@jsztuka Could you please approve the 6 workflows that are awaiting approval?
Will update lint problems in following commit adding false positives filtering...
Force-pushed from a5f8188 to 7d3c6e5
Force-pushed from f3a637d to 2907e70
Although the MR is finished, I will look for ProdSec feedback before taking this out from draft.
Force-pushed from 2907e70 to 70eb685
@jperezdealgaba I can see that we still print the full SARIF file into the CI log, which is not very user-friendly and will cause problems on tasks that produce too many results. I would suggest invoking `csgrep --mode=evtstat` instead to provide a useful summary for end users. In case we are filtering false positives, we can run the command twice to record the number of findings that were excluded from the results.
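The summary-plus-count flow proposed in the comment above, as an added example that is not code from this pull request or from the csdiff project: it reads findings in the csdiff/v1 JSON shape, counts them per checker and key event the way `csgrep --mode=evtstat` does, and records how many findings a known-false-positive list excluded by comparing the before and after counts. The sample findings and the false-positive list are constructed; the JSON field names (`checker`, `key_event_idx`, `events[].event`) are an assumption about csdiff's JSON layout, and the exact-match filter is a simplified stand-in for csfilter-kfp, whose matching rules are not shown on this page.

```python
import json
from collections import Counter

# Constructed sample in the csdiff/v1 JSON shape (field names are an
# assumption based on csdiff's JSON writer, not output captured from csgrep).
ALL_FINDINGS_JSON = json.dumps({
    "scan": {"tool": "snyk-code"},
    "defects": [
        {
            "checker": "SNYK_CODE_WARNING",
            "key_event_idx": 0,
            "events": [{
                "file_name": "src/app.py", "line": 42,
                "event": "error[python/Sqli]",
                "message": "Unsanitized input flows into an SQL query",
                "verbosity_level": 0,
            }],
        },
        {
            "checker": "SNYK_CODE_WARNING",
            "key_event_idx": 0,
            "events": [{
                "file_name": "src/db.py", "line": 17,
                "event": "error[python/Sqli]",
                "message": "Unsanitized input flows into an SQL query",
                "verbosity_level": 0,
            }],
        },
        {
            "checker": "SNYK_CODE_WARNING",
            "key_event_idx": 0,
            "events": [{
                "file_name": "tests/conftest.py", "line": 5,
                "event": "warning[python/HardcodedSecret]",
                "message": "Hardcoded credential in test fixture",
                "verbosity_level": 0,
            }],
        },
    ],
})

# Constructed known-false-positive list as (file, key event) pairs. The real
# csfilter-kfp tool fetches its list from KFP_GIT_URL; its matching rules are
# not on the page, so this exact-match stand-in is an assumption.
KNOWN_FALSE_POSITIVES = {("tests/conftest.py", "warning[python/HardcodedSecret]")}


def load_defects(text):
    """Parse csdiff/v1 JSON text and return its list of defects."""
    return json.loads(text)["defects"]


def key_event(defect):
    """Return the key event of a defect (the one csgrep reports on)."""
    return defect["events"][defect["key_event_idx"]]


def evtstat(defects):
    """Count defects per (checker, key event), like `csgrep --mode=evtstat`."""
    return Counter((d["checker"], key_event(d)["event"]) for d in defects)


def format_evtstat(stats):
    """Render the counts as one line per (checker, event), highest count first."""
    rows = sorted(stats.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{n:6d}\t{checker}\t{event}" for (checker, event), n in rows)


def drop_known_false_positives(defects, kfp):
    """Keep only defects whose (file, key event) pair is not on the KFP list."""
    return [d for d in defects
            if (key_event(d)["file_name"], key_event(d)["event"]) not in kfp]


def summarize(all_findings_json, kfp):
    """Two-pass bookkeeping: count before filtering, count after, and report
    how many findings the filter excluded so the CI log still records them."""
    before = load_defects(all_findings_json)
    after = drop_known_false_positives(before, kfp)
    return {
        "total": len(before),
        "excluded": len(before) - len(after),
        "shown": len(after),
        "stats": evtstat(after),
    }


if __name__ == "__main__":
    report = summarize(ALL_FINDINGS_JSON, KNOWN_FALSE_POSITIVES)
    print(f"{report['shown']} finding(s) shown, "
          f"{report['excluded']} excluded as known false positives")
    print(format_evtstat(report["stats"]))
```

Running the block prints a two-line summary instead of the full SARIF document: the number of findings shown and excluded, then one line per checker and event with its count, which stays short no matter how many findings a task produces.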
Force-pushed from 70eb685 to 251cfaf
@kdudka The SARIF output is no longer shown and the results are shown in
Force-pushed from 7801607 to 227c4ed
Force-pushed from e85b7e6 to 436e45f
@kdudka I updated the container image, I added the
Force-pushed from 436e45f to 287fbde
Force-pushed from 287fbde to 70e2b25
@jperezdealgaba The latest changes look good.
Force-pushed from 7a8c95c to 95f1282
```shell
# In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context
(cd "$SOURCE_CODE_DIR" && csgrep --mode=json --embed-context=3 "/var/workdir"/hacbs/"$(context.task.name)"/sast_snyk_check_out.json) |
csgrep --mode=json --strip-path-prefix="source/" \
>sast_snyk_check_out_all_findings.json
```
@kdudka FYI: The missing space in this line is being introduced by the *-ta CI pipeline. It seems that some cases are not covered by the script.
Force-pushed from 616ad52 to aa16856
Force-pushed from 703089c to 99ae424
@jperezdealgaba @lcarva @zregvart Why do we maintain two copies of the task description?
The first paragraph is identical (although formatted differently). The steps to obtain Snyk token and Snyk binary are in the

diff --git a/task/sast-snyk-check-oci-ta/0.3/recipe.yaml b/task/sast-snyk-check-oci-ta/0.3/recipe.yaml
index 4a6e4544..afec045d 100644
--- a/task/sast-snyk-check-oci-ta/0.3/recipe.yaml
+++ b/task/sast-snyk-check-oci-ta/0.3/recipe.yaml
@@ -3,23 +3,6 @@ base: ../../sast-snyk-check/0.3/sast-snyk-check.yaml
add:
- use-source
- use-cachi2
-description: >-
- Scans source code for security vulnerabilities, including common issues such as SQL injection,
- cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application
- Security Testing (SAST) tool.
-
-
- Follow the steps given
- [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)
- to obtain a snyk-token and to enable the snyk task in a Pipeline.
-
-
- The snyk binary used in this Task comes from a container image defined in
- https://github.com/konflux-ci/konflux-test
-
-
- See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk
- tool.
preferStepTemplate: true
removeWorkspaces:
- workspace
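Review bot: deleting the whole `description:` block from recipe.yaml is only safe if the trusted-artifact generator falls back to the base task's description when the recipe sets none; the hunk depends on that behaviour, so the regenerated sast-snyk-check-oci-ta task YAML should be committed in the same change and checked against the base, otherwise the two copies this comment complains about will simply drift again the next time someone edits only one of them.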
diff --git a/task/sast-snyk-check/0.3/sast-snyk-check.yaml b/task/sast-snyk-check/0.3/sast-snyk-check.yaml
index ad0ee3ec..cd82225c 100644
--- a/task/sast-snyk-check/0.3/sast-snyk-check.yaml
+++ b/task/sast-snyk-check/0.3/sast-snyk-check.yaml
@@ -9,7 +9,22 @@ metadata:
name: sast-snyk-check
spec:
description: >-
- Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.
+ Scans source code for security vulnerabilities, including common issues such as SQL injection,
+ cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application
+ Security Testing (SAST) tool.
+
+
+ Follow the steps given
+ [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)
+ to obtain a snyk-token and to enable the snyk task in a Pipeline.
+
+
+ The snyk binary used in this Task comes from a container image defined in
+ https://github.com/konflux-ci/konflux-test
+
+
+ See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk
+ tool.
results:
- description: Tekton task test output.
name: TEST_OUTPUT |
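Review bot: the rewrap of the first paragraph under `>-` is content-neutral, since folded style joins the single-newline lines with spaces and the double blank lines become paragraph breaks, so the rendered description is the old sentence plus the three new paragraphs; what the new text still omits is what this version actually changes, namely the severity-threshold parameter (default high) and the known-false-positive filtering via csfilter-kfp and KFP_GIT_URL described in the PR summary, so consider one sentence on each next to the snyk-token instructions, since users of the task will otherwise not learn that findings below the threshold or on the KFP list are not reported.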
@kdudka Just tested it and technically it is possible. It would be one small change to the
@kdudka because the descriptions often differ, if you do not need to modify the description don't specify it in the
@zregvart Thanks for confirmation! That is exactly what the above patch does. @jperezdealgaba Could you please apply it in this pull request?
The changes have been added
Force-pushed from 5c72196 to 51f2f06
LGTM
Force-pushed from 51f2f06 to 9b42f9f
Just rebased the branch
Force-pushed from 9b42f9f to eb205d5
Now is your chance, you can merge it. |
Force-pushed from eb205d5 to 1b11039
@jsztuka I tried to merge it but it seems that I don't have access.
Solves: https://issues.redhat.com/browse/OSH-737 In this version, the severity-threshold argument is introduced and set to high by default, and the results are parsed with csgrep so they can be uploaded with the fingerprint. Also, results are filtered using the newly introduced csfilter-kfp and the KFP_GIT_URL variable, so known false positives won't be shown.
Force-pushed from 1b11039 to 061e7ed
Resolves: https://issues.redhat.com/browse/OSH-737
In this version, the severity-threshold argument is introduced and set to high by default, and the results are parsed with csgrep so they can be uploaded with the fingerprint. This MR needs to be merged after this one: konflux-ci/konflux-test#292
All changes have been discussed in the provided Jira tracker.
@konflux-team, we created this as a draft PR in order to gather feedback from you. Would this be acceptable? Is something else needed? ...
Before you complete this pull request ...
Look for any open pull requests in the repository with the title "e2e-tests update" and see if there are recent e2e-tests updates that will be applicable to your change.