diff --git a/.containerignore b/.containerignore
new file mode 100644
index 000000000..b6150adb9
--- /dev/null
+++ b/.containerignore
@@ -0,0 +1,9 @@
+# Konflux uses buildah which first looks up `.containerignore` then, if absent, `.dockerignore`.
+# Having this file enables us to have different exclusion list for Konflux builds than in GHA/OSCI.
+
+# This file is empty because all the items that are ignored in GHA/OSCI need to be present for Konflux builds:
+# * `.git` is needed so we can bake build information into the binary.
+# * `.gitignore`, `image/bin/` and `bin` are required to avoid a dirty version.
+
+# If content ever needs to be added here, be sure to borrow the check-generated.sh template from the
+# stackrox/stackrox repo to ensure .dockerfile and .containerignore stay in sync.
diff --git a/.dockerignore b/.dockerignore
index dc8214ccf..311cf2266 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,6 @@
+# NOTE: if adding items here, please implement the check-generated.sh script
+# from stackrox/stackrox to keep this file and .containeringore in sync
+
+ /.git/
+ /bin/
+ /image/bin/
diff --git a/.tekton/scanner-pull-request.yaml b/.tekton/scanner-pull-request.yaml
new file mode 100644
index 000000000..3db74f7fb
--- /dev/null
+++ b/.tekton/scanner-pull-request.yaml
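Review bot: The cross-reference comments in both new ignore files misname their sibling: the last line of .containerignore says `.dockerfile` where `.dockerignore` is meant, and the new .dockerignore comment spells `.containeringore`, so a grep for either real file name misses the other file's note. Suggested lines: `# stackrox/stackrox repo to ensure .dockerignore and .containerignore stay in sync.` and `# from stackrox/stackrox to keep this file and .containerignore in sync`. Both comments defer to a check-generated.sh that this commit does not add, so until it exists the two exclusion lists can drift without any build failing; the .containerignore header already explains why the Konflux list is intentionally empty (`.git` must reach the builder stage), which is the fact a future sync script would need to preserve.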
@@ -0,0 +1,431 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "500" + # TODO(ROX-21073): re-enable for all PR branches + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && (source_branch.contains("rhtap") || source_branch.contains("konflux")) + creationTimestamp: null + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: scanner + pipelines.appstudio.openshift.io/type: build + name: scanner-on-pull-request + namespace: rh-acs-tenant +spec: + + params: + - name: dockerfile + value: image/scanner/rhel/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: '13w' + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner:on-pr-{{revision}} + - name: path-context + value: . 
+ - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + - name: prefetch-input + value: '{"type": "gomod", "path": "."}' + - name: build-source-image + value: 'true' + + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + + pipelineSpec: + + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:29a64be421fdc203cb26c61b746c650e239ae924a73a825ad93bffb9e7ae7214 + - name: kind + value: task + resolver: bundles + + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + + tasks: + + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b + - name: kind + value: task + resolver: bundles + + - name: 
clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: depth + value: "0" + - name: fetchTags + value: "true" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:b8fddc2d36313a5cde93aba2491205f4a84e6853af6c34ede681f8339b147478 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:0b7bec23b6c08f37138a86e569835842763b3aa42f4455fd70ba3986350e07c7 + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace + + - name: fetch-vuln-feed-data + runAfter: + - init + - clone-repository + taskSpec: + steps: + - name: fetch-vuln-feed-data + image: registry.access.redhat.com/ubi8-minimal:latest + script: | + #!/usr/bin/env bash + "$(workspaces.source.path)/source/scripts/konflux/fetch-vuln-feed-data.sh" "$(workspaces.source.path)/source" + workspaces: + - name: source + workspace: workspace + + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + - fetch-vuln-feed-data + taskRef: + 
params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:1ee1d570b3cf7feaf85a22c828076e798a57266ffcfea41c1aa0e9f85b0a885a + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:3ad20adff4aa5cd153695b115133cb7c71c87f095af02fae5932396b1c72eb00 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + workspaces: + - name: workspace + workspace: workspace + + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:a299ff57d97f3924020634625dfb9bbc66547124ca23a3396e338c645f7b4a8e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:63b42c0fc23d05e26776a0e7c4f0ab00750096ebfe1eed9a7ba96f8b27713fbf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:47515cb119225bba55c593876610bd890f8efcbb66bb57fb0c0881ddd47ce558 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:3a546fe7c07fc24ecf3bddef88a7a9a66b525c4dd53acc8b5ea13069f60c086d + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:bf49861b3bbee2129e8d1b5966fc2a7c3f259d96a5fcef5674d05c9cb21ab540 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + +status: { } + +taskRunTemplate: { } 
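Review bot: The inline `fetch-vuln-feed-data` step runs `registry.access.redhat.com/ubi8-minimal:latest` while every `taskRef` bundle in this file is pinned by `@sha256` digest; a floating tag on the one step that downloads data baked into the shipped image leaves that build input outside the digest-based provenance the other tasks get and makes the step's environment change without a commit. Pin it, e.g. `image: registry.access.redhat.com/ubi8-minimal@sha256:<digest>` (placeholder; take the current digest from the registry), so updates arrive as reviewed bumps like the bundle digests. The identical step appears in .tekton/scanner-push.yaml. Unlike `clone-repository` and `build-container`, this step also has no `when` guard on `$(tasks.init.results.build)`, so it performs network downloads even in runs where init decides no build is needed; whether the skip of `clone-repository` propagates to it depends on the cluster's when-expression scoping, so adding the same guard explicitly avoids relying on that.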
diff --git a/.tekton/scanner-push.yaml b/.tekton/scanner-push.yaml
new file mode 100644
index 000000000..dd05d8543
--- /dev/null
+++ b/.tekton/scanner-push.yaml
@@ -0,0 +1,430 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "500" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" + creationTimestamp: null + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: scanner + pipelines.appstudio.openshift.io/type: build + name: scanner-on-push + namespace: rh-acs-tenant +spec: + + params: + - name: dockerfile + value: image/scanner/rhel/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + # TODO(ROX-20230): make release images not expire. + value: '13w' + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner:{{revision}} + - name: path-context + value: . 
+ - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + - name: prefetch-input + value: '{"type": "gomod", "path": "."}' + - name: build-source-image + value: 'true' + + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + + pipelineSpec: + + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:82737c8d365c620295fa526d21a481d4614f657800175ddc0ccd7846c54207f8 + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:29a64be421fdc203cb26c61b746c650e239ae924a73a825ad93bffb9e7ae7214 + - name: kind + value: task + resolver: bundles + + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. + name: build-source-image + type: string + + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + + tasks: + + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:3d8f01fa59596a998d30dc700fcf7377f09d60008337290eebaeaf604512ce2b + - name: kind + value: task + resolver: bundles + + - name: 
clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: depth + value: "0" + - name: fetchTags + value: "true" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:b8fddc2d36313a5cde93aba2491205f4a84e6853af6c34ede681f8339b147478 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:0b7bec23b6c08f37138a86e569835842763b3aa42f4455fd70ba3986350e07c7 + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace + + - name: fetch-vuln-feed-data + runAfter: + - init + - clone-repository + taskSpec: + steps: + - name: fetch-vuln-feed-data + image: registry.access.redhat.com/ubi8-minimal:latest + script: | + #!/usr/bin/env bash + "$(workspaces.source.path)/source/scripts/konflux/fetch-vuln-feed-data.sh" "$(workspaces.source.path)/source" + workspaces: + - name: source + workspace: workspace + + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + - fetch-vuln-feed-data + taskRef: + 
params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:1ee1d570b3cf7feaf85a22c828076e798a57266ffcfea41c1aa0e9f85b0a885a + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:3ad20adff4aa5cd153695b115133cb7c71c87f095af02fae5932396b1c72eb00 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + workspaces: + - name: workspace + workspace: workspace + + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:a299ff57d97f3924020634625dfb9bbc66547124ca23a3396e338c645f7b4a8e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:63b42c0fc23d05e26776a0e7c4f0ab00750096ebfe1eed9a7ba96f8b27713fbf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:47515cb119225bba55c593876610bd890f8efcbb66bb57fb0c0881ddd47ce558 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:3a546fe7c07fc24ecf3bddef88a7a9a66b525c4dd53acc8b5ea13069f60c086d + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:bf49861b3bbee2129e8d1b5966fc2a7c3f259d96a5fcef5674d05c9cb21ab540 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + +status: { } + +taskRunTemplate: { } 
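Review bot: Push builds from `master` bake vulnerability data that `fetch-vuln-feed-data` downloads from the feed bucket's `/latest/` path at build time (the TODO(ROX-22130) in scripts/konflux/fetch-vuln-feed-data.sh acknowledges this), so rebuilding the same `{{revision}}` on another day produces a different image and nothing in the pipeline records which feed snapshot it carries. Until the tagged-suffix work lands, declare a `results` entry on the inline `taskSpec` and have the script write the `sha256sum` of each downloaded blob to `$(results.<name>.path)` (placeholder name), so the run's results tie an image digest to its data inputs the same way `CHAINS-GIT_COMMIT` ties it to source. This matters more here than in the pull-request pipeline because these are the images that get promoted; `image-expires-after: '13w'` already carries its own TODO(ROX-20230) for the same release-build concern.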
diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile
new file mode 100644
index 000000000..066fb6dfd
--- /dev/null
+++ b/image/scanner/rhel/konflux.Dockerfile
@@ -0,0 +1,77 @@
+ARG BASE_REGISTRY=registry.access.redhat.com
+ARG BASE_IMAGE=ubi8-minimal
+ARG BASE_TAG=latest
+
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder
+
+ENV CGO_ENABLED=1
+ENV GOFLAGS=""
+ENV CI=1
+
+COPY . /src
+WORKDIR /src
+
+RUN scripts/konflux/fail-build-if-git-is-dirty.sh
+
+RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
+ unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
+ unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions
+
+RUN echo -n "version: " && scripts/konflux/version.sh && \
+ go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(scripts/konflux/version.sh)" -o image/scanner/bin/scanner ./cmd/clair
+
+# Replace genesis manifests file in the source code with the one generated at
+# the point when the dump was taken. This is to avoid discrepancy between other
+# files of the dump and the manifest.
+COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+LABEL \
+ com.redhat.component="rhacs-scanner-container" \
+ com.redhat.license_terms="https://www.redhat.com/agreements" \
+ description="This image supports image scanning for RHACS" \
+ io.k8s.description="This image supports image scanning for RHACS" \
+ io.k8s.display-name="scanner" \
+ io.openshift.tags="rhacs,scanner,stackrox" \
+ maintainer="Red Hat, Inc." \
+ name="rhacs-scanner-rhel8" \
+ source-location="https://github.com/stackrox/scanner" \
+ summary="The image scanner for RHACS" \
+ url="https://catalog.redhat.com/software/container-stacks/detail/60eefc88ee05ae7c5b8f041c" \
+ # We must set version label to prevent inheriting value set in the base stage.
+ # TODO(ROX-20236): configure injection of dynamic version value when it becomes possible.
+ version="0.0.1-todo"
+
+SHELL ["/bin/sh", "-o", "pipefail", "-c"]
+
+ENV NVD_DEFINITIONS_DIR="/nvd_definitions"
+ENV K8S_DEFINITIONS_DIR="/k8s_definitions"
+ENV REPO_TO_CPE_DIR="/repo2cpe"
+
+COPY --from=builder /src/image/scanner/scripts /
+COPY --from=builder /src/image/scanner/bin/scanner ./
+COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/"
+COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/"
+COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
+COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./
+
+RUN microdnf upgrade --nobest && \
+ microdnf install xz && \
+ microdnf clean all && \
+ # (Optional) Remove line below to keep package management utilities
+ # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
+ rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
+ rm -rf /var/cache/dnf /var/cache/yum && \
+ chown -R 65534:65534 /tmp && \
+ # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
+ # by the script `save-dir-contents` during the image build. The directory
+ # contents are then restored by the script `restore-all-dir-contents`
+ # during the container start.
+ chown -R 65534:65534 /etc/pki /etc/ssl && \
+ /save-dir-contents /etc/pki/ca-trust /etc/ssl
+
+# This is equivalent to nobody:nobody.
+USER 65534:65534
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/scripts/konflux/fail-build-if-git-is-dirty.sh b/scripts/konflux/fail-build-if-git-is-dirty.sh
new file mode 100755
index 000000000..4ea829b66
--- /dev/null
+++ b/scripts/konflux/fail-build-if-git-is-dirty.sh
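Review bot: Both stages pull their base by floating tag — `openshift-golang-builder:rhel_8_1.20` for the builder and `${BASE_IMAGE}:${BASE_TAG}` defaulting to `ubi8-minimal:latest` for the runtime — while the pipeline that consumes this file pins every task bundle by digest; together with `microdnf upgrade --nobest` the same commit can yield different image contents on different days, and the only trace is the `BASE_IMAGES_DIGESTS` result captured after the fact. Pin the builder as `FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20@sha256:<digest> as builder` (placeholder digest) and give `BASE_TAG` a specific tag or digest so base updates arrive as reviewed commits rather than silently at build time. Separately, `chown -R 65534:65534 /etc/pki /etc/ssl` hands the CA trust store to the runtime user; the comment explains the emptyDir save/restore need, but it should also state the consequence, e.g. `# NOTE: the runtime user can rewrite the trust store after this; restore-all-dir-contents is the only source of truth for it at start-up.`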
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# This script works around the fact that RHTAP modifies Dockerfiles provided to it when prefetching dependencies is on.
+# RHTAP changes should stop happening after https://issues.redhat.com/browse/STONEBLD-1847
+# Additionally, the script returns no-zero if it detects any other changes to the git repo.
+#
+# If this script is not called and does not fail the build, things like `make tag` will produce `-dirty` suffix
+# (as in `4.3.x-63-g09e5188ab9-dirty`) which gets embedded as the version attribute in built binaries.
+#
+# The script MUST be executed only from within the Dockerfile (not outside of it) because binaries are built inside.
+
+set -euo pipefail
+
+# When executing in RHTAP (as opposed to the script ran directly), we undo RHTAP changes to Dockerfiles.
+# I found no better way to detect RHTAP than by checking the presence of cachi2.env file.
+if [[ -f /cachi2/cachi2.env ]]; then
+ # We can safely restore dockerfiles because the modified version of dockerfile interpreted by docker/buildah stays
+ # outside, and these are local copies inside of the build context.
+ git restore "**/konflux.Dockerfile"
+fi
+
+# Next, make sure no other things that make it `-dirty` slipped through. If they did, fail the build.
+
+echo "Checking that files in git repo are not modified."
+echo "If this command fails, you should see the list of modified files below."
+echo "You need to find the reason and prevent it because otherwise the build results will be inconsistent."
+echo ""
+
+if git status --porcelain | grep -v "^??" | grep '.' >&2 ; then
+ >&2 echo "ERROR: Modified files found."
+ exit 2
+else
+ echo "No modifications to git repo detected."
+fi
diff --git a/scripts/konflux/fetch-vuln-feed-data.sh b/scripts/konflux/fetch-vuln-feed-data.sh
new file mode 100755
index 000000000..634fea7bc
--- /dev/null
+++ b/scripts/konflux/fetch-vuln-feed-data.sh
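Review bot: `git restore "**/konflux.Dockerfile"` discards whatever was written into the tracked Dockerfiles without recording what was discarded, so the build log cannot show that only the expected Cachi2 edits were undone rather than some other modification; print the change first, e.g. `git --no-pager diff --stat -- "**/konflux.Dockerfile"` on the line before the restore. The pathspec works because git matches pathspec wildcards with fnmatch without FNM_PATHNAME unless `:(glob)` magic is given, so `*` crosses directory boundaries; that is worth a comment, since `**` reads like a bash globstar and someone may "fix" it. The header comment also says `no-zero` where `non-zero` is meant.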
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ "$#" < 1 ]]; then
+ echo "Please pass target directory."
+ exit 1
+fi
+
+TARGET_DIR="$1"
+
+if [[ ! -d "$TARGET_DIR" ]]; then
+ echo "$TARGET_DIR is not a valid directory"
+ exit 1
+fi
+
+blobs=(
+ nvd-definitions.zip
+ k8s-definitions.zip
+ repo2cpe.zip
+ genesis_manifests.json
+)
+
+for blob in "${blobs[@]}"; do
+ echo "Downloading https://storage.googleapis.com/definitions.stackrox.io/scanner-data/latest/${blob} > $TARGET_DIR/blob-${blob}"
+ # TODO(ROX-22130): Assign proper suffix for tagged commits instead of /latest/.
+ curl --fail -s --show-error --retry 4 --retry-max-time 30 --retry-connrefused \
+ --output "$TARGET_DIR/blob-${blob}" \
+ "https://storage.googleapis.com/definitions.stackrox.io/scanner-data/latest/${blob}"
+done
diff --git a/scripts/konflux/version.sh b/scripts/konflux/version.sh
new file mode 100755
index 000000000..0a0363753
--- /dev/null
+++ b/scripts/konflux/version.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+# This script is used by the Konflux dockerfile to get the correct version to
+# compile in to the binary. If HEAD points to a git tag, use that; otherwise
+# use `git describe ...`.
+
+set -euo pipefail
+
+if [[ -n "$(git tag --contains)" ]]; then
+ git tag --sort=creatordate --contains | tail -1
+else
+ git describe --tags --abbrev=10 --dirty --long
+fi
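Review bot: `[[ "$#" < 1 ]]` is a lexicographic string comparison inside `[[ ]]`; it happens to work for single-digit counts, but the arithmetic operator is what is meant: `if [[ "$#" -lt 1 ]]; then`. The four blobs are fetched and then baked into the image with no checksum or signature verification and no record of what was fetched, so nothing ties a shipped image to a feed snapshot; if the bucket publishes no digests to verify against, at least log them after the loop, `sha256sum "$TARGET_DIR"/blob-*`, so the build log carries them (the TODO(ROX-22130) about `/latest/` makes this more pressing, since the same URL changes content over time).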
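Review bot: `git tag --contains` (implicitly `--contains HEAD`) lists every tag whose commit has HEAD as an ancestor, not only tags that point at HEAD, so a commit that sits below a later tag — for example the master commit a release branch was cut from — is reported as that release's version instead of a `git describe` string, and the binary then claims a version it is not. Use `--points-at` in both places: `if [[ -n "$(git tag --points-at HEAD)" ]]; then` and `git tag --sort=creatordate --points-at HEAD | tail -1`. The header comment ("If HEAD points to a git tag") already describes the intended behaviour.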