Include latest v4 vulnerability (#1400)
Co-authored-by: J. Victor Martins <[email protected]>
daynewlee and jvdm authored Feb 21, 2024
1 parent 1e80f27 commit 0606b0a
Showing 2 changed files with 50 additions and 0 deletions.
10 changes: 10 additions & 0 deletions .github/workflows/ci.yaml
Expand Up @@ -512,3 +512,13 @@ jobs:

- name: upload-dumps-for-downstream
run: ./scripts/ci/jobs/upload-dumps-for-embedding.sh

send-notification:
needs:
- diff-dumps
runs-on: ubuntu-latest
if: failure()
steps:
- name: Send Slack notification on workflow failure
run: |
curl -X POST -H 'Content-type: application/json' --data '{"text":"<${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}|Workflow ${{ github.workflow }}> failed in repository ${{ github.repository }}: Failed to update offline vulnerabilities"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }}
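Review bot: The curl on the last line of the new `send-notification` job runs without `--fail` and passes the webhook as an unquoted `${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }}` expansion, so a non-2xx reply from Slack still leaves the step green and the on-call notification can silently not happen. Inlining `${{ }}` expressions into `run:` also pastes their values straight into the shell script; the safer shape is to expose them through `env:` (`SLACK_WEBHOOK: ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }}` and the JSON body as another env value) and reference them as quoted variables. I would change the command to `curl --fail --silent --show-error --max-time 30 -X POST -H 'Content-type: application/json' --data "$PAYLOAD" "$SLACK_WEBHOOK"`. The job definition starts and ends within this hunk.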
40 changes: 40 additions & 0 deletions scripts/ci/jobs/diff-dumps.sh
Expand Up @@ -92,9 +92,47 @@ upload_offline_dump() {
if is_in_PR_context; then
cmd+=(echo "Would do")
fi
curl --silent --show-error --max-time 60 --retry 3 --create-dirs -o out/RELEASE_VERSION.txt https://raw.githubusercontent.com/stackrox/stackrox/master/scanner/updater/version/RELEASE_VERSION
version_file="out/RELEASE_VERSION.txt"
# Use grep to extract X.Y versions, sort them, and get the last one as the latest
latest_version=$(grep -oE '^[0-9]+\.[0-9]+' "$version_file" | sort -V | tail -n 1)

file_to_check="scanner-v4-defs-${latest_version}.zip"

if curl --silent --show-error --max-time 60 --retry 3 -o $file_to_check https://storage.googleapis.com/scanner-v4-test/offline-bundles/$file_to_check; then
# If the file exists, add it to scanner-vuln-updates.zip
zip scanner-vuln-updates.zip "$file_to_check"
echo "$file_to_check added to scanner-vuln-updates.zip"
else
echo "$file_to_check does not exist."
exit 1
fi
"${cmd[@]}" gsutil cp scanner-vuln-updates.zip gs://scanner-support-public/offline/v1/scanner-vuln-updates.zip
}

upload_v4_versioned_vuln() {
info "Uploading v4 offline dump"
cmd=()
if is_in_PR_context; then
cmd+=(echo "Would do")
fi
cd /tmp/offline-dump

cat out/RELEASE_VERSION.txt |
grep -oE '^[0-9]+\.[0-9]+' |
sort -V |
uniq |
while read -r version; do
echo "$version"
if curl --silent --show-error --max-time 60 --retry 3 -o "scanner-v4-defs-${version}.zip" "https://storage.googleapis.com/scanner-v4-test/offline-bundles/scanner-v4-defs-${version}.zip"; then
zip scanner-vulns-${version}.zip scanner-defs.zip k8s-istio.zip scanner-v4-defs-${version}.zip
"${cmd[@]}" gsutil cp scanner-vulns-${version}.zip gs://scanner-support-public/offline/v1/${version}/scanner-vulns-${version}.zip
else
echo "Failed to download scanner-v4-defs-${version}.zip, skipping..."
fi
done
}

diff_dumps() {
info "Starting diff dumps"

Expand All @@ -114,6 +152,8 @@ diff_dumps() {
# Upload offline dump
setup_gcp "${SCANNER_GCP_SERVICE_ACCOUNT_CREDS}"
upload_offline_dump

upload_v4_versioned_vuln
}

diff_dumps "$*"
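Review bot: The `if curl ... -o $file_to_check ...` test added to upload_offline_dump does not use `--fail`, so an HTTP 404 from the bucket still returns 0: the error body is written to `scanner-v4-defs-<version>.zip`, zipped into scanner-vuln-updates.zip, and copied to the public bucket, while the "does not exist" branch is never reached. The same applies to the RELEASE_VERSION.txt fetch just above it (a failed fetch leaves `latest_version` empty and the name degrades to `scanner-v4-defs-.zip`) and to the per-version curl in the new upload_v4_versioned_vuln. I would write `if curl --fail --silent --show-error --max-time 60 --retry 3 -o "$file_to_check" "https://storage.googleapis.com/scanner-v4-test/offline-bundles/$file_to_check"; then`, add `--fail` to the other two calls, and guard the version with `[[ -n "$latest_version" ]] || { echo "no release version found" >&2; exit 1; }`. The `cd /tmp/offline-dump` in upload_v4_versioned_vuln is also unchecked; unless the script's top (not shown) sets `set -e`, a missing directory leads to uploading from the wrong working directory. upload_offline_dump's header lies above the first hunk, and the second hunk ends inside diff_dumps.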
