Cli cicd mode

[pbalogh-sa]

Description

Please provide a meaningful description of what this change will do, or is for. Bonus points for including links to
related issues, other PRs, or technical references.

Note that by not including a description, you are asking reviewers to do extra work to understand the context of this
change, which may lead to your PR taking much longer to review, or result in it not being reviewed at all.

Type of Change

[ ] Bug Fix
[ ] New Feature
[ ] Breaking Change
[ ] Refactor
[ ] Documentation
[ ] Other (please describe)

Checklist

• I have read the contributing guidelines
• Existing issues have been referenced (where applicable)
• I have verified this change is not present in other open pull requests
• Functionality is documented
• All code style checks pass
• New code contribution is covered by automated tests
• All new and existing tests pass

[FrimIdan]

what do you mean by input (and input type) for families? it will replace the input from config? is that only for the cicd mode?

[pbalogh-sa]

The input can be a different type in the case of CICD mode. For example, it can be a directory and in the future we have to support container image, container info, and vm image input type. It makes sense only CICD mode because in orchestrated mode we are scanning VMs at the moment.

[ghost]

IMO the input for all this should be the VMClarity CLI input yaml, ideally the CLI should have little to no command line arguments so that backwards compatibility is easier to maintain. For example the yaml could look something like:

asset:
  type: VM
  ...

loadFamilySettingsFromScanConfig: <ID or Name>
  
sbom:
  inputs:
    - type: ROOTFS
       path: /

If we want to provide the option to run VMClarity CLI without a yaml input, then IMO CLI flags we provide should be direct overrides of the options in the yaml "helm style" e.g. --set asset.type=VM

[FrimIdan]

agree, not sure why we need different cli flags for that mode

[ghost]

Not sure why this is "ContainerInfo" and not just container... I think the same for the existing types too... why is it "VMInfo" and not just TargetType: "VM"... :/

[pbalogh-sa]

The new target types were removed now.

[ghost]

I think we need some info about where the container is running and the image that its based on etc right?

[pbalogh-sa]

new targets were removed

[ghost]

If we're adding the other types in the API should make sure they are all covered here otherwise we won't be able to use them

[pbalogh-sa]

new targets were removed

[ghost]

IMO the input for all this should be the VMClarity CLI input yaml, ideally the CLI should have little to no command line arguments so that backwards compatibility is easier to maintain. For example the yaml could look something like:

asset:
  type: VM
  ...

loadFamilySettingsFromScanConfig: <ID or Name>
  
sbom:
  inputs:
    - type: ROOTFS
       path: /

If we want to provide the option to run VMClarity CLI without a yaml input, then IMO CLI flags we provide should be direct overrides of the options in the yaml "helm style" e.g. --set asset.type=VM

[ghost]

We can just query http://169.254.169.254/latest/meta-data/placement/region for the region, then there is no need to post-process it.

[pbalogh-sa]

thx, I missed it somehow.

[ghost]

I don't think there is a need for a new concept here, I think almost everything can be hidden inside the existing state.Manager and presenter.Presenter concepts, if we create a new "CICDStateManagerPresenter" which wraps the VMClarity state manager and presenter, the "WaitForVolumeAttachment" and "IsAborted" functions can be empty.

"MarkInProgress" can:

• Create the Asset as Defined by the user
• Create a Scan with just that Asset defined as the scanned asset
• Create a ScanResult with that Scan ID
• Call the VMClarity state manager MarkInProgress with the ScanResult ID

then "MarkDone" can:

• Call the normal VMClarity state manager MarkDone
• Update the Scan with the summary from the ScanResult and mark it as completed.

All the presenter functions will be passed straight through except the ScanResult ID from MarkInProgress will be injected. This way the work that Erez is doing to allow for incremental status updates etc will still work even in the CI/CD flow.

If we don't need the incremental updates stuff and we don't want a Scan in the system until we've succeeded, we can leave MarkInProgress empty, and then cache all the results as they arrive through our presenter interface, and then do everything we need to do in the "MarkDone".

[pbalogh-sa]

The update was removed from the cli

[ghost]

Why are we changing this in this PR?

[pbalogh-sa]

I changed back

[ghost]

Not sure this belongs in shared, this requires families logic to know about the VMClarity API concepts. If we want to put it anywhere "common" it should be in the VMClarity CLI package, and then the runtime_scan can import it from there.

[ghost]

families logic should only receive a configuration struct from the outside, it should not be doing any loading of configurations itself, that is the responsibility of the CLI.

The CLI code uses viper + yaml, we should not be using environment variables like this anywhere in this flow, and if we want defaults then we should be handling it as part of loading that configuration. E.g. setting a default for rootkits.scannerconfig.chkrootkit.binarypath.

[pbalogh-sa]

I removed from families

[akpsgit]

#334

[chrisgacsal]

I'd not add a separate function just for splitting a string.

Suggested change

	func setValuesFromArgs(values []string) {
	if len(values) == 0 {
	return
	}
	for _, v := range values {
	key, value := splitKeyValue(v)
	viper.SetDefault(key, value)
	}
	}
	func splitKeyValue(value string) (string, string) {
	keyValue := strings.Split(value, "=")
	return keyValue[0], keyValue[1]
	}
	func setValuesFromArgs(values []string) {
	if len(values) == 0 {
	return
	}
	for _, value := range values {
	v := strings.Split(value, "=")
	if len(v) == 2 {
	viper.SetDefault(v[0], v[1])
	} else {
	// do something here?
	}
	}
	}

[chrisgacsal]

I do not see the purpose of having a CreateConfig (which should be really called NewConfig) here. Just make the Config attributes exported.

Suggested change

	type Config struct {
	client *backendclient.BackendClient
	fmConfig *families.Config
	scanConfigID string
	scanConfigName string
	input string
	asset cliconfig.Asset
	}
	func CreateConfig(
	client *backendclient.BackendClient,
	fmConfig *families.Config,
	scanConfigID, scanConfigName, input string,
	asset cliconfig.Asset,
	) Config {
	return Config{
	client: client,
	fmConfig: fmConfig,
	scanConfigID: scanConfigID,
	scanConfigName: scanConfigName,
	input: input,
	asset: asset,
	}
	}
	type Config struct {
	Client *backendclient.BackendClient
	FamiliesConfig *families.Config
	ScanConfigID string
	ScanConfigName string
	Input string
	Asset cliconfig.Asset
	}

[chrisgacsal]

Suggested change

	func newVMClarityInitiator(config Config) (*VMClarityInitiator, error) {
	func New(config Config) (*VMClarityInitiator, error) {

[chrisgacsal]

I'd consolidate these in api/models package as these are used in the scanwatcher controller as well.

[chrisgacsal]

Would it be better to add a new interface to the provider package? Like this:

type Provider interface {
	Kind() models.CloudProvider

	Discoverer
	Scanner
}

type Discoverer interface {
        // Omitted
}

type Scanner interface {
        // Omitted
}

type AssetInformer interface {  // <-- new interface
        AssetInfo(context.Context) (models.TargetType, error) 
}

This way the provider implementations could decide if they want to implement the all the interfaces (e.g. Provider) or just the subset of it.
Personally I avoid having interfaces related to the same infra layer scattered across different packages in the code base.

[chrisgacsal]

This bloats the backendclient unnecessarily https://github.com/openclarity/vmclarity/pull/308/files#diff-189663ef212b0528411bdd1bc250e2c49471f3ae97cf265d63bf6d087212b314R623-R652
(btw, do not get having the GetScanResultSummary either)

[chrisgacsal]

Are these default values? If so, please add Default prefix to their names. Otherwise these do not belong here in my opinion.

[github-actions]

Thank you for your contribution! This PR has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 14 days, if no further activity occurs. If this pull request is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

[pbalogh-sa]

implemented in: #500