From 91e999b078fe6642c788e10080f7818e3e4b7b40 Mon Sep 17 00:00:00 2001 From: Kyle Lape Date: Mon, 27 Nov 2023 20:35:18 -0600 Subject: [PATCH] Add RHTAP build pipeline A few differences from the standard RHTAP build pipeline: * Use of 6GB buildah image to avoid OOMs during container build task * There is an extra step to fetch the vuln feed data. This is done outside of the build step to make hermetic builds easier. The vuln feed data script pulls the definitions from the Google storage location and writes them to the "source" folder of the "source" workspace which is shared by the build-container task. This task will build using `image/scanner/rhtap/Dockerfile`, which expects the vuln files to be in the buildah working directory. I decided to create a separate dockerfile for RHTAP to avoid any regressions with modifying the existing ones. The dockerfile was created using a combination of the upstream and downstream dockerfiles. Current RHTAP build trigger config: * PRs will only build in RHTAP when "rhtap" is in the branch name * Pushes to master will trigger an RHTAP build --- .containerignore | 9 + .github/actions/job-preamble/action.yaml | 17 + .github/workflows/style.yaml | 28 ++ .tekton/scanner-pull-request.yaml | 435 +++++++++++++++++++++++ .tekton/scanner-push.yaml | 432 ++++++++++++++++++++++ image/scanner/rhtap/Dockerfile | 62 ++++ scripts/ci/jobs/check-generated.sh | 31 ++ 7 files changed, 1014 insertions(+) create mode 100644 .containerignore create mode 100644 .github/actions/job-preamble/action.yaml create mode 100644 .github/workflows/style.yaml create mode 100644 .tekton/scanner-pull-request.yaml create mode 100644 .tekton/scanner-push.yaml create mode 100644 image/scanner/rhtap/Dockerfile create mode 100755 scripts/ci/jobs/check-generated.sh diff --git a/.containerignore b/.containerignore new file mode 100644 index 000000000..d1cc8cef5 --- /dev/null +++ b/.containerignore 
@@ -0,0 +1,9 @@
+# This file is derived of the .dockerignore
+# It is required to pass `.git` to the builder containers on RHTAP so we can bake build information into the binary.
+# It is required to pass the `.gitignore` files in `image/bin/` and `bin` to avoid a dirty version.
+# RHTAP uses Buildah which first looks up for `.containerignore`, then, if absent, `.dockerignore`.
+# Having this file enables us to have different exclusion list for RHTAP builds than in GHA/OSCI.
+# To regenerate, replace the below contents with the output of the following command (please keep these comments).
+# grep -vF -e '/.git/' -e '/bin/' -e '/image/bin/' .dockerignore
+
+# currently empty!
diff --git a/.github/actions/job-preamble/action.yaml b/.github/actions/job-preamble/action.yaml
new file mode 100644
index 000000000..42f59f243
--- /dev/null
+++ b/.github/actions/job-preamble/action.yaml
@@ -0,0 +1,17 @@
+name: Job Preamble
+description: Common steps for most jobs
+runs:
+ using: composite
+ steps:
+ - name: Recover docker image cache space
+ run: |
+ df --si /
+ docker system prune --force --all
+ df --si /
+ shell: bash
+
+ - name: Ignore dubious repository ownership
+ run: |
+ # Prevent fatal error "detected dubious ownership in repository" from recent git.
+ git config --global --add safe.directory "$(pwd)"
+ shell: bash
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
new file mode 100644
index 000000000..b12cd9af6
--- /dev/null
+++ b/.github/workflows/style.yaml
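Review bot: The regeneration command documented in this file, `grep -vF -e '/.git/' -e '/bin/' -e '/image/bin/' .dockerignore`, does not match the filter that `scripts/ci/jobs/check-generated.sh` compares against, `grep -vF -e '/.git/' -e '/image/' -e '/bin/' .dockerignore`, so following these instructions produces a file the check rejects whenever `.dockerignore` has an `/image/` entry other than `/image/bin/`. Pick one filter and use it in both places; the `/image/bin/` form documented here looks like the intended one given the comment about the `.gitignore` files in `image/bin/`. Note also that the check only passes while this file is empty if every `.dockerignore` entry contains one of those substrings, which cannot be confirmed from this patch.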
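Review bot: `docker system prune --force --all` in a composite action described as "Common steps for most jobs" assumes a reachable Docker daemon, but the only caller in this patch (`.github/workflows/style.yaml`) runs its job inside `container:`, where the docker CLI and socket are typically not available, so the step may fail the job or do nothing — confirm on a run. If the action is meant to be reusable across both kinds of jobs, guard the prune, e.g. `if command -v docker >/dev/null 2>&1; then docker system prune --force --all; fi`, and say in `description` that it deletes every image on the runner, since that is a destructive side effect for any job that relies on a warm image cache.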
@@ -0,0 +1,28 @@
+name: Style
+on:
+ push:
+ tags:
+ - '*'
+ branches:
+ - master
+ pull_request:
+ types:
+ - opened
+ - reopened
+ - synchronize
+jobs:
+ check-generated-files:
+ runs-on: ubuntu-latest
+ container:
+ image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - uses: ./.github/actions/job-preamble
+
+ - name: Check Generated
+ run: scripts/ci/jobs/check-generated.sh
diff --git a/.tekton/scanner-pull-request.yaml b/.tekton/scanner-pull-request.yaml
new file mode 100644
index 000000000..2a0d85fe1
--- /dev/null
+++ b/.tekton/scanner-pull-request.yaml
@@ -0,0 +1,435 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && source_branch.contains("rhtap") + creationTimestamp: null + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: scanner + pipelines.appstudio.openshift.io/type: build + name: scanner-on-pull-request + namespace: rh-acs-tenant +spec: + params: + - name: dockerfile + value: image/scanner/rhtap/Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: 5d + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner:on-pr-{{revision}} + - name: path-context + value: . 
+ - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:202d3c3385120ea847d8f0a82bd8d9d5e873d67f981d6f8a51fb1706caaf6bef + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:f65a69aaf71cbab382eff685eee522ad35068a4d91d233e76cef7d42ff15a686 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:c35cc37d6f40fef0f2ed614b502b058e13fe7af29c0888bc4799fd625b6f3374 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: fetchTags + value: true + - name: depth + value: 0 + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:b8fddc2d36313a5cde93aba2491205f4a84e6853af6c34ede681f8339b147478 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: 
prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:9630dd7d50002fdffb4a406fb0c538703ef98bf2f4318249ac3a2c229938dbea + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: fetch-vuln-feed-data + runAfter: + - init + taskSpec: + steps: + - name: fetch-vuln-feed-data + image: registry.access.redhat.com/ubi8/ubi + script: | + #!/usr/bin/env bash + mkdir -p "$(workspaces.source.path)/source" + blobs=( + nvd-definitions.zip + k8s-definitions.zip + repo2cpe.zip + genesis_manifests.json + ) + for blob in "${blobs[@]}"; do + echo "https://storage.googleapis.com/definitions.stackrox.io/scanner-data/latest/${blob} > $(workspaces.source.path)/source/blob-${blob}" + curl --fail -s --show-error --retry 4 --retry-max-time 30 --retry-connrefused \ + --output "$(workspaces.source.path)/source/blob-${blob}" \ + "https://storage.googleapis.com/definitions.stackrox.io/scanner-data/latest/${blob}" + + if [ "$?" 
!= "0" ]; then + echo "Failed to download" + exit 1 + fi + done + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + - fetch-vuln-feed-data + taskRef: + params: + - name: name + value: buildah-6gb + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-6gb:0.1 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:f8c5dec871fb5347eb2fc61d44754bcc101897aecf953b374ab3e8315e1a9804 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + workspaces: + - name: workspace + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:d87f8c50a674f57527a0c4f3df6d9093941a2ae84739b55368b3c11702ce340c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:fbe1ab58531d856fba360060d3884a0606310a966e2d01ba9305da9eb01ab916 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:eee508768b14655275fbcc2f42f9da1ab553b872dcbe113b0896aa9bcf7e1adf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:d72cb58db88289559676676c3db43906718028e07279f70ddb12ed8bdc8e2860 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: 
$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:717e6e33f02dbe1a28fb743f32699e002c944680c251a50b644f27becb9208e9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + - name: git-auth + optional: true + taskRunTemplate: {} + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/scanner-push.yaml b/.tekton/scanner-push.yaml new file mode 100644 index 000000000..dc021a2b1 --- /dev/null +++ b/.tekton/scanner-push.yaml 
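Review bot: The build-container task's bundle `quay.io/redhat-appstudio-tekton-catalog/task-buildah-6gb:0.1` is the only task reference in this pipeline without an `@sha256:` digest, so the task that actually executes the Dockerfile resolves through a mutable tag while every scan and clone task is pinned; pin it like the others, `value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-6gb:0.1@sha256:<digest-of-the-bundle>`. The fetch-vuln-feed-data step downloads `scanner-data/latest/*` with no integrity check and those files are then baked into the image by the Dockerfile's `COPY . /src`, so two runs of the same commit can yield different images and nothing in the pipeline's results records which feed went in; comparing the blobs against the checksums in the fetched `genesis_manifests.json` (if it carries them) or pinning a dated path instead of `latest` would make this reproducible, and because the download happens outside prefetch-dependencies it is presumably not captured by Cachi2 when `hermetic` is "true" — worth confirming. The step also has only `runAfter: - init`, so it writes into `$(workspaces.source.path)/source` concurrently with clone-repository on the same workspace; if the git-clone task cleans its checkout directory the blobs could be lost, so `runAfter: - clone-repository` is the safer ordering. All three points apply equally to the identical tasks in `.tekton/scanner-push.yaml`.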
@@ -0,0 +1,432 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/scanner?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" + creationTimestamp: null + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: scanner + pipelines.appstudio.openshift.io/type: build + name: scanner-on-push + namespace: rh-acs-tenant +spec: + params: + - name: dockerfile + value: image/scanner/rhtap/Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: output-image + value: quay.io/redhat-user-workloads/rh-acs-tenant/acs/scanner:{{revision}} + - name: path-context + value: . + - name: revision + value: '{{revision}}' + pipelineSpec: + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:202d3c3385120ea847d8f0a82bd8d9d5e873d67f981d6f8a51fb1706caaf6bef + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:f65a69aaf71cbab382eff685eee522ad35068a4d91d233e76cef7d42ff15a686 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url 
+ type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "true" + description: Skip optional checks, set false if you want to run optional checks + name: skip-optional + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + - name: skip-optional + value: $(params.skip-optional) + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: pipelinerun-uid + value: $(context.pipelineRun.uid) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:c35cc37d6f40fef0f2ed614b502b058e13fe7af29c0888bc4799fd625b6f3374 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: fetchTags + value: true + - name: depth + value: 0 + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:b8fddc2d36313a5cde93aba2491205f4a84e6853af6c34ede681f8339b147478 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: 
prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:9630dd7d50002fdffb4a406fb0c538703ef98bf2f4318249ac3a2c229938dbea + - name: kind + value: task + resolver: bundles + when: + - input: $(params.hermetic) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: fetch-vuln-feed-data + runAfter: + - init + taskSpec: + steps: + - name: fetch-vuln-feed-data + image: registry.access.redhat.com/ubi8/ubi + script: | + #!/usr/bin/env bash + mkdir -p "$(workspaces.source.path)/source" + blobs=( + nvd-definitions.zip + k8s-definitions.zip + repo2cpe.zip + genesis_manifests.json + ) + for blob in "${blobs[@]}"; do + echo "https://storage.googleapis.com/definitions.stackrox.io/scanner-data/latest/${blob} > $(workspaces.source.path)/source/blob-${blob}" + curl --fail -s --show-error --retry 4 --retry-max-time 30 --retry-connrefused \ + --output "$(workspaces.source.path)/source/blob-${blob}" \ + "https://storage.googleapis.com/definitions.stackrox.io/scanner-data/latest/${blob}" + + if [ "$?" 
!= "0" ]; then + echo "Failed to download" + exit 1 + fi + done + workspaces: + - name: source + workspace: workspace + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + runAfter: + - prefetch-dependencies + - fetch-vuln-feed-data + taskRef: + params: + - name: name + value: buildah-6gb + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-6gb:0.1 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:f8c5dec871fb5347eb2fc61d44754bcc101897aecf953b374ab3e8315e1a9804 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + workspaces: + - name: workspace + workspace: workspace + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.3@sha256:d87f8c50a674f57527a0c4f3df6d9093941a2ae84739b55368b3c11702ce340c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:fbe1ab58531d856fba360060d3884a0606310a966e2d01ba9305da9eb01ab916 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:eee508768b14655275fbcc2f42f9da1ab553b872dcbe113b0896aa9bcf7e1adf + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:d72cb58db88289559676676c3db43906718028e07279f70ddb12ed8bdc8e2860 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: 
$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:717e6e33f02dbe1a28fb743f32699e002c944680c251a50b644f27becb9208e9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + - name: git-auth + optional: true + taskRunTemplate: {} + workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/image/scanner/rhtap/Dockerfile b/image/scanner/rhtap/Dockerfile new file mode 100644 index 000000000..65612b5d5 --- /dev/null +++ b/image/scanner/rhtap/Dockerfile 
@@ -0,0 +1,62 @@
+ARG BASE_REGISTRY=registry.access.redhat.com
+ARG BASE_IMAGE=ubi8-minimal
+ARG BASE_TAG=latest
+
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_1.20 as builder
+
+ENV CGO_ENABLED=1
+ENV GOFLAGS=""
+ENV CI=1
+
+COPY . /src
+WORKDIR /src
+
+RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
+ unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
+ unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions
+
+RUN echo "version: $(git describe --tags --abbrev=10 --dirty --long)"; git status; go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(git describe --tags --abbrev=10 --dirty --long)" -o image/scanner/bin/scanner ./cmd/clair
+
+# Replace genesis manifests file in the source code with the one generated at
+# the point when the dump was taken. This is to avoid discrepancy between other
+# files of the dump and the manifest.
+COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+LABEL name="scanner" \
+ vendor="StackRox" \
+ maintainer="support@stackrox.com" \
+ summary="Image scanner for the StackRox Kubernetes Security Platform" \
+ description="This image supports image scanning in the StackRox Kubernetes Security Platform."
+
+ENV NVD_DEFINITIONS_DIR="/nvd_definitions"
+ENV K8S_DEFINITIONS_DIR="/k8s_definitions"
+ENV REPO_TO_CPE_DIR="/repo2cpe"
+
+COPY --from=builder /src/image/scanner/scripts /
+COPY --from=builder /src/image/scanner/bin/scanner ./
+COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${NVD_DEFINITIONS_DIR}/" ".${NVD_DEFINITIONS_DIR}/"
+COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${K8S_DEFINITIONS_DIR}/" ".${K8S_DEFINITIONS_DIR}/"
+COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
+COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./
+
+RUN microdnf upgrade --nobest && \
+ microdnf install xz && \
+ microdnf clean all && \
+ # (Optional) Remove line below to keep package management utilities
+ # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
+ rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
+ rm -rf /var/cache/dnf /var/cache/yum && \
+ chown -R 65534:65534 /tmp && \
+ # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
+ # by the script `save-dir-contents` during the image build. The directory
+ # contents are then restored by the script `restore-all-dir-contents`
+ # during the container start.
+ chown -R 65534:65534 /etc/pki /etc/ssl && /save-dir-contents /etc/pki/ca-trust /etc/ssl && \
+ chmod +rx /scanner
+
+# This is equivalent to nobody:nobody.
+USER 65534:65534
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/scripts/ci/jobs/check-generated.sh b/scripts/ci/jobs/check-generated.sh
new file mode 100755
index 000000000..e99d35945
--- /dev/null
+++ b/scripts/ci/jobs/check-generated.sh
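Review bot: `ARG BASE_TAG=latest` combined with `microdnf upgrade --nobest` in the final stage means the image for a given commit resolves a floating base tag and then installs whatever packages are current, so the content is not reproducible and the SBOM and provenance the pipeline produces cannot be tied back to a fixed base; pin the base (a specific tag, or a digest passed through the build args) and treat the upgrade as a deliberate, reviewed refresh rather than an implicit one. The builder `openshift-golang-builder:rhel_8_1.20` in the first stage is likewise tag-only. The file also has no header explaining its coupling to the pipeline, which matters because the `unzip` lines and `COPY ./blob-genesis_manifests.json` fail on a plain checkout; a comment at the top such as `# RHTAP-only Dockerfile: expects blob-nvd-definitions.zip, blob-k8s-definitions.zip, blob-repo2cpe.zip and blob-genesis_manifests.json in the build context, written there by the fetch-vuln-feed-data task in .tekton/` would spare the next maintainer the search.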
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../../.. && pwd)"
+# shellcheck source=../../../scripts/ci/lib.sh
+source "$ROOT/scripts/ci/lib.sh"
+
+set -euo pipefail
+
+FAIL_FLAG="/tmp/fail"
+
+info 'Check .containerignore file is in sync with .dockerignore (If this fails, follow instructions in .containerignore to update it.)'
+function check-containerignore-is-in-sync() {
+ diff \
+ --unified \
+ --ignore-blank-lines \
+ <(grep -v -e '^#' .containerignore) \
+ <(grep -vF -e '/.git/' -e '/image/' -e '/bin/' .dockerignore) \
+ > diff.txt
+}
+check-containerignore-is-in-sync || {
+ info ".containerignore file is not in sync with .dockerignore"
+ info "$(cat diff.txt)"
+ git reset --hard HEAD
+ echo check-containerignore-is-in-sync >> "$FAIL_FLAG"
+}
+
+if [[ -e "$FAIL_FLAG" ]]; then
+ echo "ERROR: Some generated file checks failed:"
+ cat "$FAIL_FLAG"
+ exit 1
+fi
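Review bot: `FAIL_FLAG="/tmp/fail"` is a fixed path that is never removed before the check runs, so a stale file left by an earlier job on a reused runner or container would make this script report a failure it did not find; use `FAIL_FLAG="$(mktemp)"` or add `rm -f "$FAIL_FLAG"` right after the declaration. `diff.txt` is likewise written into the repository checkout and never cleaned up, and `git reset --hard HEAD` in the failure branch has no effect here because the check only reads files — both look inherited from a generator-style check and could be dropped, or `diff.txt` moved to a temp file. Since `set -euo pipefail` is enabled, also note that `info "$(cat diff.txt)"` would abort the script before the flag is written if `diff` itself failed to run and produced no file, so a `diff.txt` created with `mktemp` up front avoids that edge.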