sast: initial task for Coverity Buildless #1411

Open
wants to merge 1 commit into
base: main
39 changes: 39 additions & 0 deletions pipelines/template-build/template-build.yaml
@@ -223,6 +223,45 @@ spec:
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
- name: sast-coverity-check
when:
- input: $(params.skip-checks)
operator: in
values: ["false"]
- input: $(tasks.coverity-availability-check.results.STATUS)
operator: in
values: ["success"]
runAfter:
- coverity-availability-check
taskRef:
name: sast-coverity-check
version: "0.1"
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
workspaces:
- name: workspace
workspace: workspace
- name: coverity-availability-check
when:
- input: $(params.skip-checks)
operator: in
values: ["false"]
runAfter:
- build-image-index
taskRef:
name: coverity-availability-check
version: "0.1"
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
workspaces:
- name: workspace
workspace: workspace
- name: clamav-scan
when:
- input: $(params.skip-checks)
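Review bot: the two added tasks read `$(tasks.build-container.results.IMAGE_DIGEST)` / `IMAGE_URL`, while the unchanged context just above uses `$(tasks.build-image-index.results.IMAGE_DIGEST)` and `coverity-availability-check` itself has `runAfter: - build-image-index`; if the index digest is what the other checks report against, these two `value:` lines should reference `build-image-index` as well. Separately, `taskRef: name: coverity-availability-check` has to match the `metadata.name` of the task added in this PR, which is `sast-coverity-availability-check`; one of the two must change or the pipeline will not resolve the task, and `sast-coverity-check` will then never see `STATUS` equal to `success`.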
18 changes: 18 additions & 0 deletions task/coverity-availability-check-oci-ta/0.1/README.md
@@ -0,0 +1,18 @@
# sast-coverity-availability-check-oci-ta task

This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|AUTH_TOKEN_COVERITY_IMAGE|Name of secret which contains the authentication token for pulling the Coverity image.|auth-token-coverity-image|false|
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
|COV_LICENSE|Name of secret which contains the Coverity license|cov-license|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|

## Results
|name|description|
|---|---|
|STATUS|Tekton task simple status to be later checked|
|TEST_OUTPUT|Tekton task result output.|

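Review bot: the heading `# sast-coverity-availability-check-oci-ta task` does not match the directory `task/coverity-availability-check-oci-ta/0.1/`, and the `required` column gives `false` for `AUTH_TOKEN_COVERITY_IMAGE` and `COV_LICENSE` while the base README in this same PR (`task/coverity-availability-check/0.1/README.md`) says `yes`; both parameters carry defaults, so `false` is right and the base README should be aligned. It would also help to carry over the base README's note that the license secret is restricted and must not be exposed to external users, since that restriction is the reason this check exists.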
@@ -0,0 +1,111 @@
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: sast-coverity-availability-check-oci-ta
annotations:
tekton.dev/pipelines.minVersion: 0.12.1
tekton.dev/tags: konflux
labels:
app.kubernetes.io/version: "0.1"
spec:
description: This task performs needed checks in order to use Coverity image
in the pipeline. It will check for a Coverity license secret and an authentication
secret for pulling the image.
params:
- name: AUTH_TOKEN_COVERITY_IMAGE
description: Name of secret which contains the authentication token
for pulling the Coverity image.
default: auth-token-coverity-image
- name: CACHI2_ARTIFACT
description: The Trusted Artifact URI pointing to the artifact with
the prefetched dependencies.
type: string
default: ""
- name: COV_LICENSE
description: Name of secret which contains the Coverity license
default: cov-license
- name: SOURCE_ARTIFACT
description: The Trusted Artifact URI pointing to the artifact with
the application source code.
type: string
results:
- name: STATUS
description: Tekton task simple status to be later checked
- name: TEST_OUTPUT
description: Tekton task result output.
volumes:
- name: auth-token-coverity-image
secret:
optional: true
secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE)
- name: cov-license
secret:
optional: true
secretName: $(params.COV_LICENSE)
- name: workdir
emptyDir: {}
stepTemplate:
volumeMounts:
- mountPath: /var/workdir
name: workdir
steps:
- name: use-trusted-artifact
image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
args:
- use
- $(params.SOURCE_ARTIFACT)=/var/workdir/source
- $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
- name: coverity-availability-check
image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072
workingDir: /var/workdir/source
volumeMounts:
- mountPath: /etc/secrets/cov
name: cov-license
readOnly: true
- mountPath: /etc/secrets/auth/config.json
name: auth-token-coverity-image
subPath: .dockerconfigjson
env:
- name: COV_LICENSE
value: $(params.COV_LICENSE)
- name: AUTH_TOKEN_COVERITY_IMAGE
value: $(params.AUTH_TOKEN_COVERITY_IMAGE)
script: |
#!/usr/bin/env bash
set -eo pipefail
# shellcheck source=/dev/null
. /utils.sh
trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT

# Checking Coverity license
COV_LICENSE_PATH=/etc/secrets/cov/cov-license
if [ -f "${COV_LICENSE_PATH}" ] && [ -s "${COV_LICENSE_PATH}" ]; then
echo "Coverity license detected!"
else
echo 'No license file for Coverity was detected. Coverity scan will not be executed...'
echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'
note="Task $(context.task.name) failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license"
TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
echo -n "failed" | tee "$(results.STATUS.path)"
exit 0
fi

# Checking authentication token for downloading coverity image
AUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json
if [ -f "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ] && [ -s "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ]; then
echo "Authentication token detected!"
else
echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'
echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'
note="Task $(context.task.name) failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image"
TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
echo -n "failed" | tee "$(results.STATUS.path)"
exit 0
fi

note="Task $(context.task.name) completed: Coverity availability checks under /var/workdir/hacbs/$(context.task.name) finished succesfully."
# shellcheck disable=SC2034
TEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t "$note")
echo -n "success" | tee "$(results.STATUS.path)"
echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)"
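Review bot: in both failure branches the script computes `TEST_OUTPUT` and then runs `exit 0` before reaching the final `echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)"`, so unless `handle_error` from `/utils.sh` writes the result on a zero exit status, `TEST_OUTPUT` is empty precisely when there is something to report; write it before each `exit 0`, e.g. `echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"`. Two smaller points: the success note still says `/var/workdir/hacbs/$(context.task.name)` although `workingDir` is `/var/workdir/source` after the recipe's replacement (and `succesfully` is misspelled), and the `auth-token-coverity-image` mount lacks the `readOnly: true` that the `cov-license` mount has.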
12 changes: 12 additions & 0 deletions task/coverity-availability-check-oci-ta/0.1/recipe.yaml
@@ -0,0 +1,12 @@
---
base: ../../coverity-availability-check/0.1/coverity-availability-check.yaml
add:
- use-source
- use-cachi2
preferStepTemplate: true
removeWorkspaces:
- workspace
replacements:
workspaces.workspace.path: /var/workdir
regexReplacements:
hacbs/\$\(context.task.name\): source
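Review bot: `regexReplacements` maps `hacbs/\$\(context.task.name\)` to `source`, which correctly turns the base `workingDir` into `/var/workdir/source`, but the generated task in this PR still carries `/var/workdir/hacbs/$(context.task.name)` in its completion note, so either the replacement does not reach `script` or the generated file was not regenerated after the recipe changed; re-run the generator and commit the result. Also, the check only reads the two mounted secrets and never touches the source tree, so `add: use-source` / `use-cachi2` (and the resulting required `SOURCE_ARTIFACT` parameter) make the task download artifacts it does not use; consider dropping them if the generator permits it.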
6 changes: 6 additions & 0 deletions task/coverity-availability-check-oci-ta/OWNERS
@@ -0,0 +1,6 @@
# See the OWNERS docs: https://go.k8s.io/owners
approvers:
- integration-team
reviewers:
- integration-team
- kdudka
26 changes: 26 additions & 0 deletions task/coverity-availability-check/0.1/README.md
@@ -0,0 +1,26 @@
# coverity-availability-check task

## Description:

This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.

The characteristics of these tasks are:

- It will check for a secret called "auth-token-coverity-image" where the authentication token for pulling Coverity image is pulled.
- It will check for a secret called "cov-license" where the Coverity license is stored.

> NOTE: If any of these tasks fails, the sast-coverity-task check won't be executed. The Coverity license can be used by Red Hat employees only and it needs to be protected such that external users cannot access the license.

## Params:

| name | description | default value | required |
|-----------------------------|----------------------------------------------------------------------------------------|----------------------------|----------|
| AUTH_TOKEN_COVERITY_IMAGE | Name of secret which contains the authentication token for pulling the Coverity image | auth-token-coverity-image | yes |
| COV_LICENSE | Name of secret which contains the Coverity license | cov-license | yes |

## Results:

| name | description |
|-------------|-----------------------------------------------------------------------------------|
| STATUS | Tekton task simple status to be later checked by the sast-coverity-check task |
| TEST_OUTPUT | Tekton task test output. |
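Review bot: the `required` column says `yes` for both parameters, but both have defaults in the task (`cov-license`, `auth-token-coverity-image`), so they are optional, as the oci-ta README in this PR already reports. In the note, "If any of these tasks fails" should read "checks", and `sast-coverity-task check` should use the gated task's actual name, `sast-coverity-check`. The first bullet's "where the authentication token for pulling Coverity image is pulled" should be "is stored", mirroring the second bullet, and the heading `# coverity-availability-check task` should agree with whatever `metadata.name` the task ends up with.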
@@ -0,0 +1,92 @@
apiVersion: tekton.dev/v1
kind: Task
metadata:
labels:
app.kubernetes.io/version: "0.1"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: "konflux"
name: sast-coverity-availability-check
spec:
description: >-
This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.
results:
- description: Tekton task result output.
name: TEST_OUTPUT
- description: Tekton task simple status to be later checked
name: STATUS
params:
- name: COV_LICENSE
description: Name of secret which contains the Coverity license
default: cov-license
- name: AUTH_TOKEN_COVERITY_IMAGE
description: Name of secret which contains the authentication token for pulling the Coverity image.
default: "auth-token-coverity-image"
volumes:
- name: cov-license
secret:
secretName: $(params.COV_LICENSE)
optional: true
- name: auth-token-coverity-image
secret:
secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE)
optional: true
steps:
- name: coverity-availability-check
image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
# the cluster will set imagePullPolicy to IfNotPresent
workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
volumeMounts:
- name: cov-license
mountPath: "/etc/secrets/cov"
readOnly: true
- name: auth-token-coverity-image
mountPath: "/etc/secrets/auth/config.json"
subPath: .dockerconfigjson
env:
- name: COV_LICENSE
value: $(params.COV_LICENSE)
- name: AUTH_TOKEN_COVERITY_IMAGE
value: $(params.AUTH_TOKEN_COVERITY_IMAGE)
script: |
#!/usr/bin/env bash
set -eo pipefail
# shellcheck source=/dev/null
. /utils.sh
trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT

# Checking Coverity license
COV_LICENSE_PATH=/etc/secrets/cov/cov-license
if [ -f "${COV_LICENSE_PATH}" ] && [ -s "${COV_LICENSE_PATH}" ]; then
echo "Coverity license detected!"
else
echo 'No license file for Coverity was detected. Coverity scan will not be executed...'
echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'
note="Task $(context.task.name) failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license"
TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
echo -n "failed" | tee "$(results.STATUS.path)"
exit 0
fi

# Checking authentication token for downloading coverity image
AUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json
if [ -f "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ] && [ -s "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ]; then
echo "Authentication token detected!"
else
echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'
echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'
note="Task $(context.task.name) failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image"
TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
echo -n "failed" | tee "$(results.STATUS.path)"
exit 0
fi

note="Task $(context.task.name) completed: Coverity availability checks under $(workspaces.workspace.path)/hacbs/$(context.task.name) finished succesfully."
# shellcheck disable=SC2034
TEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t "$note")
echo -n "success" | tee "$(results.STATUS.path)"
echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)"

workspaces:
- name: workspace
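Review bot: `name: sast-coverity-availability-check` does not match the directory `task/coverity-availability-check/0.1/`, the README heading `# coverity-availability-check task`, or the pipeline template's `taskRef: name: coverity-availability-check`; settle on one name and use it everywhere, since the oci-ta variant is generated from this file and inherits the mismatch. The `COV_LICENSE` and `AUTH_TOKEN_COVERITY_IMAGE` env entries are never read (the script hardcodes `/etc/secrets/cov/cov-license` and `/etc/secrets/auth/config.json`), so either drop them or use them in the user-facing messages. The failure branches also `exit 0` before `TEST_OUTPUT` is written to `$(results.TEST_OUTPUT.path)`, so write the result before exiting, and the messages `echo 'Please, create a secret called 'cov-license' ...'` close and reopen the single-quoted string, which silently drops the quotes from the output; wrap those messages in double quotes instead.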
6 changes: 6 additions & 0 deletions task/coverity-availability-check/OWNERS
@@ -0,0 +1,6 @@
# See the OWNERS docs: https://go.k8s.io/owners
approvers:
- integration-team
reviewers:
- integration-team
- kdudka
27 changes: 27 additions & 0 deletions task/sast-coverity-check-oci-ta/0.1/README.md
@@ -0,0 +1,27 @@
# sast-coverity-check-oci-ta task

Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Coverity. At the moment, this task only uses the buildless mode, which does not build the project in order to analyze it.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|AUTH_TOKEN_COVERITY_IMAGE|Name of secret which contains the authentication token for pulling the Coverity image.|auth-token-coverity-image|false|
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
|COV_ANALYZE_ARGS|Arguments to be appended to the cov-analyze command|--enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096|false|
|COV_CAPTURE_ARGS|Arguments to be appended to the coverity capture command|""|false|
|COV_LICENSE|Name of secret which contains the Coverity license|cov-license|false|
|IMP_FINDINGS_ONLY|Report only important findings. Default is true. To report all findings, specify "false"|true|false|
|KFP_GIT_URL|URL from repository to download known false positives files|""|false|
|PROJECT_NAME|Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.|""|false|
|RECORD_EXCLUDED|Write excluded records in file. Useful for auditing (defaults to false).|false|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|image-digest|Image digest to report findings for.||true|
|image-url|Image URL.||true|

## Results
|name|description|
|---|---|
|TEST_OUTPUT|Tekton task test output.|

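Review bot: this README and the recipe beside it document `sast-coverity-check-oci-ta`, but neither a generated `sast-coverity-check-oci-ta.yaml` nor the base `task/sast-coverity-check/0.1/sast-coverity-check.yaml` appears in the diff shown here; if they land in another PR, link it, otherwise the recipe has nothing to generate from. The description should also say that the task runs only when `coverity-availability-check` reports `STATUS` of `success` (as the pipeline template in this PR wires it) and that the `cov-license` and `auth-token-coverity-image` secrets are restricted, so users understand why the scan may be skipped.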
12 changes: 12 additions & 0 deletions task/sast-coverity-check-oci-ta/0.1/recipe.yaml
@@ -0,0 +1,12 @@
---
base: ../../sast-coverity-check/0.1/sast-coverity-check.yaml
add:
- use-source
- use-cachi2
preferStepTemplate: true
removeWorkspaces:
- workspace
replacements:
workspaces.workspace.path: /var/workdir
regexReplacements:
hacbs/\$\(context.task.name\): source
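Review bot: `base: ../../sast-coverity-check/0.1/sast-coverity-check.yaml` points at a file that is not among the changes in this diff; confirm it exists on `main` or add it here, since the generator cannot produce the task the README describes without it. As with the availability-check recipe, check the generated output for any `hacbs/$(context.task.name)` references left in `script` after the `regexReplacements` pass, and drop `use-cachi2` if the buildless scan does not consume the prefetched dependencies.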