sast-snyk-check: increased version to 0.3 #1359
Conversation
force-pushed 9801287 to 38f3878
@jsztuka Would you mind giving a review for this?
@jsztuka Does the 👍🏻 mean that it looks good and nothing needs to be modified?
lgtm
@jsztuka Could you please approve the 6 workflows that are awaiting approval?
Will update lint problems in following commit adding false positives filtering...
force-pushed a5f8188 to 7d3c6e5
force-pushed f3a637d to 2907e70
Although the MR is finished, I will look for ProdSec feedback before taking this out from draft.
force-pushed 2907e70 to 70eb685
@jperezdealgaba I can see that we still print the full SARIF file into the CI log, which is not very user-friendly and it will cause problems on tasks that produce too many results. I would suggest invoking csgrep --mode=evtstat instead to provide a useful summary for end users. In case we are filtering false positives we can run the command twice to record the number of findings that were excluded from the results.
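To illustrate the summary kdudka is asking for, here is an added example that is not code from this PR, from csgrep or from csfilter-kfp: it reads a SARIF document, tallies findings per rule and severity level (a per-rule event count in the spirit of csgrep --mode=evtstat, rather than csgrep's own output format), and runs the tally before and after dropping known false positives so the number of excluded findings can be recorded in the CI log. The SARIF document and the known-false-positive list are constructed for the example; the rule ids and file paths are made up.

```python
"""Summarize SAST findings for a CI log instead of dumping the whole SARIF file.

Added example; constructed input, not the task's real scan output.
"""
import json
from collections import Counter

# Constructed minimal SARIF 2.1.0 document standing in for sast_snyk_check_out.json
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "python/Sqli", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "python/Sqli", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 77}}}]},
            {"ruleId": "python/PT", "level": "warning",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/files.py"}, "region": {"startLine": 10}}}]},
            {"ruleId": "python/HardcodedSecret", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"}, "region": {"startLine": 5}}}]},
        ],
    }],
})

# Constructed known-false-positive list: (rule, file, line) triples that were
# already triaged as not exploitable and should not be reported again.
SAMPLE_KFP = frozenset({("python/PT", "app/files.py", 10)})


def load_findings(sarif_text):
    """Flatten SARIF results into (rule, level, file, line) records."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            locations = result.get("locations") or [{}]
            phys = locations[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                "level": result.get("level", "warning"),
                "file": phys.get("artifactLocation", {}).get("uri", "?"),
                "line": phys.get("region", {}).get("startLine", 0),
            })
    return findings


def event_stats(findings):
    """Count findings per (level, rule): the short table an end user wants to see."""
    return Counter((f["level"], f["rule"]) for f in findings)


def apply_kfp(findings, known_false_positives):
    """Drop findings whose (rule, file, line) is a known false positive."""
    return [f for f in findings
            if (f["rule"], f["file"], f["line"]) not in known_false_positives]


def summarize(sarif_text, known_false_positives=frozenset()):
    """Run the tally on all findings and on the filtered set, keeping the delta."""
    all_findings = load_findings(sarif_text)
    kept = apply_kfp(all_findings, known_false_positives)
    return {
        "total": len(all_findings),
        "excluded": len(all_findings) - len(kept),
        "stats": event_stats(kept),
    }


def render(summary):
    """Format the summary as a few log lines instead of the full SARIF body."""
    lines = [f"{count:6}  {level:8} {rule}"
             for (level, rule), count in sorted(summary["stats"].items())]
    lines.append(f"{summary['excluded']} finding(s) excluded as known false positives, "
                 f"{summary['total']} finding(s) in total")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_SARIF, SAMPLE_KFP)))
```

Running the tally twice (once without a known-false-positive list, once with it) is what gives the "excluded" number kdudka mentions; in a real task that delta would come from comparing the csgrep summaries before and after csfilter-kfp.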
force-pushed 70eb685 to 251cfaf
@kdudka The SARIF output is no longer shown and the results are shown in
force-pushed 7801607 to 227c4ed
force-pushed e85b7e6 to 436e45f
@kdudka I updated the container image, I added the
force-pushed 436e45f to 287fbde
force-pushed 287fbde to 70e2b25
force-pushed 70e2b25 to 5cbddad
grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$?

# In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context
csgrep --mode=json --prepend-path-prefix="$SOURCE_CODE_DIR"/ sast_snyk_check_out.json \
I think the extra step with csgrep --prepend-path-prefix=... is unnecessary. It should be sufficient to run csgrep --embed-context=... in the correct directory:
(cd "$SOURCE_CODE_DIR" && csgrep --mode=json --embed-context=3 sast_snyk_check_out.json) | \
    csgrep --mode=json --strip-path-prefix="source/" \
    > sast_snyk_check_out_all_findings.json
Modified
Just in case, the path of the sast_snyk_check_out.json file was modified as it couldn't be found after we executed the commands on the SOURCE_CODE_DIR.
Right. I should have used an absolute path to the input file in my example.
force-pushed 5cbddad to cfb0c99
force-pushed 794512c to 8474024
Solves: https://issues.redhat.com/browse/OSH-737 In this version, the severity-threshold argument is introduced and enabled by default to high and the results are parsed with csgrep to be uploaded with the fingerprint. Also, results are filtered using the newly introduced csfilter-kfp and KFP_GIT_URL variable and known false positives won't be shown.
force-pushed 8474024 to 90bf291
| Name | Description | Default | Required |
|------|-------------|---------|----------|
| IMP_FINDINGS_ONLY | Report only important findings. Default is true. To report all findings, specify "false" | true | yes |
| KFP_GIT_URL | Link to the known-false-positives repository. If left blank, results won't be filtered | "" | no |
| PROJECT_NVR | Name-Version-Release (NVR) of the scanned project, used to find path exclusions (it is optional) | "" | no |
| RECORD_EXCLUDED | Write excluded records in file. Useful for debugging (it is optional). Default is "false" | false | no |
This doesn't match the description from the task parameter. I will update it in a bit...
Resolves: https://issues.redhat.com/browse/OSH-737
In this version, the severity-threshold argument is introduced and enabled by default to high and the results are parsed with csgrep to be uploaded with the fingerprint. This MR needs to be merged after this one: konflux-ci/konflux-test#292
All changes have been discussed in the provided Jira tracker.
@konflux-team, we created this as a draft PR in order to gather feedback from you. Would this be acceptable? Is something else needed? ...
Before you complete this pull request ...
Look for any open pull requests in the repository with the title "e2e-tests update" and see if there are recent e2e-tests updates that will be applicable to your change.