base repository: stackrox/scanner
base: 71899f4733adb2ea0aab457a5b2af875b62db1fb
..
head repository: stackrox/scanner
compare: 52eef4b00b693792566e96eef0e365a427cb0a83
Showing with 43 additions and 78 deletions.
  1. +6 −1 .github/workflows/style.yaml
  2. +16 −36 .tekton/scanner-pull-request.yaml
  3. +16 −36 .tekton/scanner-push.yaml
  4. +5 −5 image/scanner/rhtap/Dockerfile
7 changes: 6 additions & 1 deletion .github/workflows/style.yaml
@@ -12,9 +12,11 @@ on:
- synchronize
jobs:
check-generated-files:
env:
ARTIFACT_DIR: junit-reports/
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61
steps:
- name: Checkout
uses: actions/checkout@v4
@@ -24,5 +26,8 @@ jobs:

- uses: ./.github/actions/job-preamble

- name: Create artifacts dir
run: mkdir -p "$ARTIFACT_DIR"

- name: Check Generated
run: scripts/ci/jobs/check-generated.sh
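Review bot: The job-level container image `quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61` introduced on the new side is referenced by a mutable tag, so the environment check-generated runs in can change underneath a fixed commit; if builder images are pinned elsewhere in the project, pin here as well with `image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.3.61@sha256:<digest-placeholder>`. The added `ARTIFACT_DIR: junit-reports/` env and the `run: mkdir -p "$ARTIFACT_DIR"` step are sound as written, since the value is quoted where it is expanded. Whether `scripts/ci/jobs/check-generated.sh` actually reads `ARTIFACT_DIR` is not visible in this hunk; if it does, a comment above the env line such as `# consumed by check-generated.sh for junit output` would document that coupling.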
52 changes: 16 additions & 36 deletions .tekton/scanner-pull-request.yaml
@@ -211,47 +211,27 @@ spec:
workspaces:
- name: source
workspace: workspace
- name: gen-vuln-feed-data
- name: fetch-vuln-feed-data
runAfter:
- init
- clone-repository
taskSpec:
steps:
- name: gen-vuln-feed-data
computeResources:
requests:
memory: 6Gi
limits:
memory: 6Gi
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
- name: fetch-vuln-feed-data
image: registry.access.redhat.com/ubi8/ubi
script: |
#!/usr/bin/env bash
ROOT="$(workspaces.source.path)/source"
ls -lh $(workspaces.source.path)
ls -lh $(workspaces.source.path)/source
source "$ROOT/scripts/ci/lib.sh"
set -euo pipefail
info "Building updater"
cd $ROOT
make build-updater
info "Generating genesis dump"
mkdir -p $ROOT
"$ROOT/bin/updater" generate-dump --out-file $ROOT/genesis-dump.zip
ls -lrt $ROOT
info "Printing some stats"
"$ROOT/bin/updater" print-stats $ROOT/genesis-dump.zip
info "Extracting dumps"
mkdir -p /tmp/vuln-dump
zip $ROOT/genesis-dump.zip 'nvd/*' --copy --out $ROOT/nvd-definitions.zip
zip $ROOT/genesis-dump.zip 'k8s/*' --copy --out $ROOT/k8s-definitions.zip
zip $ROOT/genesis-dump.zip 'istio/*' --copy --out $ROOT/istio-definitions.zip
zip $ROOT/genesis-dump.zip 'rhelv2/repository-to-cpe.json' --copy --out $ROOT/repo2cpe.zip
unzip $ROOT/genesis-dump.zip 'manifest.json'
mv manifest.json genesis_manifests.json
mkdir -p "$(workspaces.source.path)/source"
blobs=(
nvd-definitions.zip
k8s-definitions.zip
repo2cpe.zip
genesis_manifests.json
)
for blob in "${blobs[@]}"; do
curl --fail --show-error --retry 4 --retry-max-time 30 --retry-connrefused \
--output "$(workspaces.source.path)/source/blob-${blob}" \
"https://storage.googleapis.com/definitions.stackrox.io/scanner-data/latest/${blob}"
done
workspaces:
- name: source
workspace: workspace
@@ -273,7 +253,7 @@ spec:
value: $(tasks.clone-repository.results.commit)
runAfter:
- prefetch-dependencies
- gen-vuln-feed-data
- fetch-vuln-feed-data
taskRef:
params:
- name: name
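Review bot: The definition blobs the new curl loop fetches from `https://storage.googleapis.com/definitions.stackrox.io/scanner-data/latest/${blob}` are written into the source workspace and, per the Dockerfile hunk in this compare, unpacked into the image with no integrity check, and `latest` is a mutable path, so the scanner's built-in data depends on whatever the bucket serves at build time and cannot be reconstructed later from the commit alone. At minimum record what was fetched by adding `sha256sum "$(workspaces.source.path)/source/blob-${blob}"` after the curl call inside the loop; if the publisher also provides checksums or a signature for these blobs (not visible here), verify them at that point and let the step fail on mismatch. The step image `registry.access.redhat.com/ubi8/ubi` carries neither tag nor digest, so it too resolves to a floating `latest`; pinning it by digest keeps the fetch environment reproducible. The identical script and image appear in the `.tekton/scanner-push.yaml` hunk, and this note applies there as well. The enclosing pipeline `spec:` begins outside this hunk.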
52 changes: 16 additions & 36 deletions .tekton/scanner-push.yaml
@@ -208,47 +208,27 @@ spec:
workspaces:
- name: source
workspace: workspace
- name: gen-vuln-feed-data
- name: fetch-vuln-feed-data
runAfter:
- init
- clone-repository
taskSpec:
steps:
- name: gen-vuln-feed-data
computeResources:
requests:
memory: 6Gi
limits:
memory: 6Gi
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
- name: fetch-vuln-feed-data
image: registry.access.redhat.com/ubi8/ubi
script: |
#!/usr/bin/env bash
ROOT="$(workspaces.source.path)/source"
ls -lh $(workspaces.source.path)
ls -lh $(workspaces.source.path)/source
source "$ROOT/scripts/ci/lib.sh"
set -euo pipefail
info "Building updater"
cd $ROOT
make build-updater
info "Generating genesis dump"
mkdir -p $ROOT
"$ROOT/bin/updater" generate-dump --out-file $ROOT/genesis-dump.zip
ls -lrt $ROOT
info "Printing some stats"
"$ROOT/bin/updater" print-stats $ROOT/genesis-dump.zip
info "Extracting dumps"
mkdir -p /tmp/vuln-dump
zip $ROOT/genesis-dump.zip 'nvd/*' --copy --out $ROOT/nvd-definitions.zip
zip $ROOT/genesis-dump.zip 'k8s/*' --copy --out $ROOT/k8s-definitions.zip
zip $ROOT/genesis-dump.zip 'istio/*' --copy --out $ROOT/istio-definitions.zip
zip $ROOT/genesis-dump.zip 'rhelv2/repository-to-cpe.json' --copy --out $ROOT/repo2cpe.zip
unzip $ROOT/genesis-dump.zip 'manifest.json'
mv manifest.json genesis_manifests.json
mkdir -p "$(workspaces.source.path)/source"
blobs=(
nvd-definitions.zip
k8s-definitions.zip
repo2cpe.zip
genesis_manifests.json
)
for blob in "${blobs[@]}"; do
curl --fail --show-error --retry 4 --retry-max-time 30 --retry-connrefused \
--output "$(workspaces.source.path)/source/blob-${blob}" \
"https://storage.googleapis.com/definitions.stackrox.io/scanner-data/latest/${blob}"
done
workspaces:
- name: source
workspace: workspace
@@ -270,7 +250,7 @@ spec:
value: $(tasks.clone-repository.results.commit)
runAfter:
- prefetch-dependencies
- gen-vuln-feed-data
- fetch-vuln-feed-data
taskRef:
params:
- name: name
10 changes: 5 additions & 5 deletions image/scanner/rhtap/Dockerfile
@@ -11,16 +11,16 @@ ENV CI=1
COPY . /src
WORKDIR /src

RUN unzip -j repo2cpe.zip -d image/scanner/dump/repo2cpe && \
unzip -j k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
unzip -j nvd-definitions.zip -d image/scanner/dump/nvd_definitions
RUN ls -la; git log --oneline | wc -l; unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions

RUN go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(git describe --tags --abbrev=10 --dirty --long)" -o image/scanner/bin/scanner ./cmd/clair
RUN echo "version: $(git describe --tags --abbrev=10 --dirty --long)"; git status; go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=$(git describe --tags --abbrev=10 --dirty --long)" -o image/scanner/bin/scanner ./cmd/clair

# Replace genesis manifests file in the source code with the one generated at
# the point when the dump was taken. This is to avoid discrepancy between other
# files of the dump and the manifest.
COPY ./genesis_manifests.json image/scanner/dump/genesis_manifests.json
COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json

FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
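Review bot: The new `RUN echo "version: $(git describe --tags --abbrev=10 --dirty --long)"; git status; go build ...` line still lets an empty `git describe` result through silently: the `;`-chained diagnostics never affect the exit status, and if `.git` is missing from the build context or has no reachable tags, `-X github.com/stackrox/scanner/pkg/version.Version=` is passed an empty string and the binary ships with no version. Capture the value once and make emptiness a hard failure, e.g. `RUN VERSION="$(git describe --tags --abbrev=10 --dirty --long)" && test -n "$VERSION" && go build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=${VERSION}" -o image/scanner/bin/scanner ./cmd/clair`. The `ls -la; git log --oneline | wc -l;` prefix on the unzip `RUN` and the `git status` call read as temporary diagnostics; if they are meant to stay, add a one-line comment above each `RUN` saying why, otherwise drop them before merge so the layer and build log stay minimal. The `unzip -j blob-*.zip` calls are unchanged in behaviour apart from the `blob-` prefix, and `-j` discards archive paths, so no path-traversal concern is introduced there.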