sast-snyk-check: increased version to 0.3 #1359
Conversation
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
from
9801287
to
38f3878
Compare
|
@jsztuka Would you mind giving a review for this? |
|
@jsztuka Does the 👍🏻 mean that it looks good and nothind needs to be modified? |
|
@jsztuka Could you please approve the 6 workflows that are awaiting approval? |
|
Will update lint problems in following commit adding false positives filtering... |
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
2 times, most recently
from
a5f8188
to
7d3c6e5
Compare
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
3 times, most recently
from
f3a637d
to
2907e70
Compare
|
Although the MR is finished, I will look for ProdSec feedback before taking this out from draft. |
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
from
2907e70
to
70eb685
Compare
There was a problem hiding this comment.
@jperezdealgaba I can see that we still print the full SARIF file into the CI log, which is not much user-friendly and it will cause problems on tasks that produce too much results. I would suggest to invoke csgrep --mode=evtstat instead to provide a useful summary for end users. In case we are filtering false positives we can run the command twice to record the number of findings that were excluded from the results.
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
from
70eb685
to
251cfaf
Compare
@kdudka The SARIF output is no longer shown and the results are shown in |
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
2 times, most recently
from
7801607
to
227c4ed
Compare
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
2 times, most recently
from
e85b7e6
to
436e45f
Compare
|
@kdudka I updated the container image, I added the |
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
from
436e45f
to
287fbde
Compare
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
from
287fbde
to
70e2b25
Compare
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
from
70e2b25
to
5cbddad
Compare
| grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$? | ||
|
|
||
| # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context | ||
| csgrep --mode=json --prepend-path-prefix="$SOURCE_CODE_DIR"/ sast_snyk_check_out.json \ |
There was a problem hiding this comment.
I think the extra step with csgrep --prepend-path-prefix=... is unnecessary. It should be sufficient to run csgrep --embed-context=... in the correct directory:
(cd "$SOURCE_CODE_DIR" && csgrep --mode=json --embed-context=3 sast_snyk_check_out.json) \
csgrep --mode=json --strip-path-prefix="source/" \
> sast_snyk_check_out_all_findings.jsonThere was a problem hiding this comment.
Just in case, the path of the sast_snyk_check_out.json file was modified as it couldn't be found after we executed the commands on the SOURCE_CODE_DIR
There was a problem hiding this comment.
Right. I should have used an absolute path to the input file in my example.
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
from
5cbddad
to
cfb0c99
Compare
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
4 times, most recently
from
794512c
to
8474024
Compare
Solves: https://issues.redhat.com/browse/OSH-737 In this version, the severity-threshold argument is introduced and enabled by default to high and the results are parsed with csgrep to be uploaded with the fingerprint. Also, results are filtered using the newly introduced csfilter-kfp and KFP_GIT_URL variable and known false positives won't be shown.
jperezdealgaba
force-pushed
the
snyk-enhanced-version
branch
from
8474024
to
90bf291
Compare
| | IMP_FINDINGS_ONLY | Report only important findings. Default is true. To report all findings, specify "false" | true | yes | | ||
| | KFP_GIT_URL | Link to the known-false-positives repository. If left blank, results won't be filtered | "" | no | | ||
| | PROJECT_NVR | Name-Version-Release (NVR) of the scanned project, used to find path exclusions (it is optional) | "" | no | | ||
| | RECORD_EXCLUDED | Write excluded records in file. Useful for debugging (it is optional). Default is "false" | false | no | |
There was a problem hiding this comment.
This doesn't match the description from the task parameter. I will update it in a bit...
Resolves: https://issues.redhat.com/browse/OSH-737
In this version, the severity-threshold argument is introduced and enabled by default to high and the results are parsed with csgrep to be uploaded with the fingerprint. This MR needs to be merged after this one: konflux-ci/konflux-test#292
All changes have been discussed in the provided Jira tracker.
@konflux-team , we created this as a draft PR in order to gather feedback from you. Would this be acceptable? Is something else needed? ...
Before you complete this pull request ...
Look for any open pull requests in the repository with the title "e2e-tests update" and
see if there are recent e2e-tests updates that will be applicable to your change.