sast: initial task for Coverity Buildless

[jperezdealgaba]

Initial version of the Coverity Buildless task. The code will be scanned using coverity buildless mode, then the results are processuing using csgrep and the results are later filtered using csfilter-kfp.

This is a draft request and this can not be merged in this repository. It will be merged in a newly created repository.
Things pending to do:

• Move this MR to a new and private repo - Not needed anymore
• Remove installation of csdiff package once the container image is updated
• Speak on how to store license in a secure place
• Show results on UI
• Enhanced Readme with private information - Not needed anymore

Apart from that, the MR can be reviewed as the funcionality will remain the same

[jperezdealgaba]

Results are parsed and shown in the UI:

Here we have an example pipeline: https://konflux.apps.stone-prod-p02.hjvn.p1.openshiftapps.com/application-pipeline/workspaces/jperezde/applications/test-coverity/pipelineruns/ec-cli-on-pull-request-292mf

[jperezdealgaba]

Thanks for the thorough review @kdudka !

[kdudka]

@jperezdealgaba Please close the review threads that have been resolved. I do not have sufficient permission to do it myself.

[jperezdealgaba]

Solved all comments and added new changes. I will also apply the changes (the record excluded and update the upload task) to the snyk code task

[jperezdealgaba]

Hey! @kdudka I just did a new MR with all the discussed changes:

• 2 different tasks. If the coverity-availability-check finishes successfully, the coverity scan is executed. If not, it will be skipped.
• Added standarized parameters.
  Example failed pipeline: https://konflux.apps.stone-prod-p02.hjvn.p1.openshiftapps.com/application-pipeline/workspaces/jperezde/applications/test-coverity/pipelineruns/osh-cli-container-konflux-test-2-on-pull-request-lzhbq
  Example succesful pipeline: https://konflux.apps.stone-prod-p02.hjvn.p1.openshiftapps.com/application-pipeline/ns/jperezde-tenant/pipelinerun/osh-cli-container-konflux-test-2-on-pull-request-bskx7
  (NOTE: In the proposed MR, coverity-availabillity-check is run after build-image-index task)

The relationship between the two tasks are defined in the following file: pipelines/template-build/template-build.yaml
This is a big MR so I guess we should have Konflux eyes here

[hongweiliu17]

LGTM

[kdudka]

/ok-to-test

[kdudka]

@hongweiliu17 @14rcole Could you please check what failed at https://github.com/konflux-ci/build-definitions/pull/1411/checks?check_run_id=32513757072? I do not have permissions to access the logs myself.

[hongweiliu17]

@hongweiliu17 @14rcole Could you please check what failed at https://github.com/konflux-ci/build-definitions/pull/1411/checks?check_run_id=32513757072? I do not have permissions to access the logs myself.

I can see error message on https://console.redhat.com/application-pipeline/ns/konflux-ci/pipelinerun/build-definitions-pull-request-hvsz9/logs/ec-task-checks, it looks I need permission too.

Unable to load pipeline run build-definitions-pull-request-hvsz9
Invalid token. Are you working with Prod SSO token?

But I can see error from plr log from cluster and paste them to https://privatebin.corp.redhat.com/?19308e48ca84a494#7wxyCvDRWnqSiuU9BUdhiqCmsie4KKCb6vT3Dzhzc74o

[kdudka]

/ok-to-test

[jperezdealgaba]

@kdudka I just rebased the branch. Would you mind retesting?

[tnevrlka]

/ok-to-test

[kdudka]

It seems that ec-task-checks failed again with:

• result: RPMS_DATA
  task: rpms-signature-scan
  success: false

I am not able to access the task log myself: https://console.redhat.com/application-pipeline/ns/konflux-ci/pipelinerun/build-definitions-pull-request-6xts4/logs/ec-task-checks

[jperezdealgaba]

@tnevrlka Thanks for the resteting. This PR should be failing by something out of our control as we are not allow to see those tasks/logs. Would you mind adding some guidance so we can fix this?

[14rcole]

/ok-to-test

[jperezdealgaba]

@14rcole @ralphbean The MR has been updated and it already contains needed changes. With the two tasks coverity-availability-check and sast-coverity-check users should be able to scan the code using the documentation that I already created.
The previous code was already approved but I added changes to the template-build.yaml file that should be reviewed as that would affect all future automatically generated pipelines.
Regarding the failed MR, after applying the script, no file is generated/updated so not really sure how to act there:

/usr/bin/python3 /Users/jperezde/Documents/Red_Hat/Dev/Repos/mine/build-definitions/hack/generate-pipelines-readme.py 
Subprocess: oc kustomize --output /var/folders/5j/42ytb9_91f3350drn6_blcfw0000gn/T/tmp_hk7cz7h ./pipelines/
oc failed:
STDOUT:

STDERR:
error: accumulating resources: accumulation err='accumulating resources from 'docker-build-oci-ta': '/Users/jperezde/Documents/Red_Hat/Dev/Repos/mine/build-definitions/pipelines/docker-build-oci-ta' must resolve to a file': recursed accumulation of path '/Users/jperezde/Documents/Red_Hat/Dev/Repos/mine/build-definitions/pipelines/docker-build-oci-ta': remove operation does not apply: doc is missing path: "/spec/tasks/12/workspaces/0": missing value

Apart from that, no other work from our side is needed

cc/ @kdudka