diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 914f6958..eb732fc1 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -72,7 +72,6 @@ jobs: image-ref: 'pulsar-functions-java-runner:latest' format: 'table' exit-code: '0' - output: '${{ github.workspace }}/scan-java-runner_output.txt' - name: Run Trivy vulnerability scanner for python id: scan-python-runner @@ -81,7 +80,6 @@ jobs: image-ref: 'pulsar-functions-python-runner:latest' format: 'table' exit-code: '0' - output: '${{ github.workspace }}/scan-python-runner_output.txt' - name: Run Trivy vulnerability scanner for go id: scan-go-runner @@ -90,7 +88,6 @@ jobs: image-ref: 'pulsar-functions-go-runner:latest' format: 'table' exit-code: '0' - output: '${{ github.workspace }}/scan-go-runner_output.txt' - name: Run Trivy vulnerability scanner for java with pulsarctl id: scan-java-pulsarctl-runner @@ -99,7 +96,6 @@ jobs: image-ref: 'pulsar-functions-pulsarctl-java-runner:latest' format: 'table' exit-code: '0' - output: '${{ github.workspace }}/scan-java-pulsarctl-runner_output.txt' - name: Run Trivy vulnerability scanner for python with pulsarctl id: scan-python-pulsarctl-runner @@ -108,7 +104,6 @@ jobs: image-ref: 'pulsar-functions-pulsarctl-python-runner:latest' format: 'table' exit-code: '0' - output: '${{ github.workspace }}/scan-python-pulsarctl-runner_output.txt' - name: Run Trivy vulnerability scanner for go with pulsarctl id: scan-go-pulsarctl-runner @@ -117,7 +112,6 @@ jobs: image-ref: 'pulsar-functions-pulsarctl-go-runner:latest' format: 'table' exit-code: '0' - output: '${{ github.workspace }}/scan-go-pulsarctl-runner_output.txt' # Comment on PR with the scan output since the action won't fail with CVEs - name: Comment on PR 
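Review bot: Dropping `output: '${{ github.workspace }}/scan-…_output.txt'` from every scanner step (this hunk and the five following trivy.yml hunks) removes the only artifact the PR-comment step could read, and the replacement relies on each step exposing a `result` output, which this diff does not show the Trivy action defining. If that output is not set, every `${{ steps.<id>.outputs.result }}` in the later github-script hunk expands to an empty string, `.filter(item => item.output !== '')` discards all six entries, and the PR comment silently reports nothing while `exit-code: '0'` keeps the job green, so findings disappear without any failure. Either confirm the action's declared outputs before removing the files, or keep `output:` and have the script read the files from `${{ github.workspace }}` as before.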
@@ -139,12 +133,12 @@ jobs:
 // Combine outputs from different steps
 const outputs = [
- { label: 'Java Runner', output: getOutput('scan-java-runner') },
- { label: 'Python Runner', output: getOutput('scan-python-runner') },
- { label: 'Go Runner', output: getOutput('scan-go-runner') },
- { label: 'Java Runner with Pulsarctl', output: getOutput('scan-java-pulsarctl-runner') },
- { label: 'Python Runner with Pulsarctl', output: getOutput('scan-python-pulsarctl-runner') },
- { label: 'Go Runner with Pulsarctl', output: getOutput('scan-go-pulsarctl-runner') },
+ { label: 'Java Runner', output: '${{ steps.scan-java-runner.outputs.result }}'; },
+ { label: 'Python Runner', output: '${{ steps.scan-python-runner.outputs.result }}' },
+ { label: 'Go Runner', output: '${{ steps.scan-go-runner.outputs.result }}' },
+ { label: 'Java Runner with Pulsarctl', output: '${{ steps.scan-java-pulsarctl-runner.outputs.result }}' },
+ { label: 'Python Runner with Pulsarctl', output: '${{ steps.scan-python-pulsarctl-runner.outputs.result }}' },
+ { label: 'Go Runner with Pulsarctl', output: '${{ steps.scan-go-pulsarctl-runner.outputs.result }}' },
 ].filter(item => item.output !== '');
 // Format the combined message
diff --git a/images/pulsar-functions-base-runner/Dockerfile b/images/pulsar-functions-base-runner/Dockerfile
index 811e4975..665c8261 100644
--- a/images/pulsar-functions-base-runner/Dockerfile
+++ b/images/pulsar-functions-base-runner/Dockerfile
@@ -51,6 +51,9 @@ COPY --from=pulsar --chown=$UID:$GID /pulsar/conf /pulsar/conf
 COPY --from=pulsar --chown=$UID:$GID /pulsar/bin /pulsar/bin
 COPY --from=pulsar --chown=$UID:$GID /pulsar/lib /pulsar/lib
+# remove the vertx jar since it's not need ans has a cve
+RUN rm -rf /pulsar/lib/io.vertx-vertx-core-*.jar || true
+
 # remove presto dependencies because they are not needed
 RUN rm -rf /pulsar/lib/presto || true
 RUN rm -rf /pulsar/conf/presto || true
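Review bot: The first rewritten entry, `{ label: 'Java Runner', output: '${{ steps.scan-java-runner.outputs.result }}'; },`, has a stray `;` inside the object literal, which is a syntax error that fails the whole github-script step before any comment is posted. Beyond that, splicing `${{ … }}` directly into JavaScript source embeds scanner output — multi-line table text carrying package names and advisory descriptions taken from the scanned image — inside a single-quoted string, so a raw newline or a `'` in the value (if the output is populated at all) breaks the script, and content originating in an image should not be assembled into executable code. Hand the values to the script through `env:` and read them with `process.env`, which keeps them as plain data; the step's `name`/`uses` header lies outside this hunk, so the `env:` block below has to be placed alongside it.
```yaml
# … unchanged: step name/uses (outside this hunk) …
env:
  JAVA_RUNNER: ${{ steps.scan-java-runner.outputs.result }}
  PYTHON_RUNNER: ${{ steps.scan-python-runner.outputs.result }}
  GO_RUNNER: ${{ steps.scan-go-runner.outputs.result }}
  JAVA_PULSARCTL_RUNNER: ${{ steps.scan-java-pulsarctl-runner.outputs.result }}
  PYTHON_PULSARCTL_RUNNER: ${{ steps.scan-python-pulsarctl-runner.outputs.result }}
  GO_PULSARCTL_RUNNER: ${{ steps.scan-go-pulsarctl-runner.outputs.result }}
with:
  script: |
    // … unchanged: helper code above the combine block …
    // Combine outputs from different steps; values arrive via env, never as interpolated source
    const outputs = [
      { label: 'Java Runner', output: process.env.JAVA_RUNNER || '' },
      { label: 'Python Runner', output: process.env.PYTHON_RUNNER || '' },
      { label: 'Go Runner', output: process.env.GO_RUNNER || '' },
      { label: 'Java Runner with Pulsarctl', output: process.env.JAVA_PULSARCTL_RUNNER || '' },
      { label: 'Python Runner with Pulsarctl', output: process.env.PYTHON_PULSARCTL_RUNNER || '' },
      { label: 'Go Runner with Pulsarctl', output: process.env.GO_PULSARCTL_RUNNER || '' },
    ].filter(item => item.output !== '');
    // … unchanged: message formatting and comment posting …
```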
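Review bot: `RUN rm -rf /pulsar/lib/io.vertx-vertx-core-*.jar || true` cannot tell whether it removed anything: when the glob matches no file, `rm` is handed the literal pattern, fails, and `|| true` hides that, so a renamed or relocated jar leaves the vulnerable classes in the image while the build stays green; the same line appears in the java-runner pulsarctl.Dockerfile hunk that follows. Make the remediation fail loud, e.g. `RUN ls /pulsar/lib/io.vertx-vertx-core-*.jar && rm -f /pulsar/lib/io.vertx-vertx-core-*.jar`, so an unmatched glob breaks the build instead of being ignored. Whether nothing under /pulsar/lib still loads vertx-core at runtime is not verifiable from this diff and deserves a stated basis. The comment also has typos and names no advisory; `# vertx-core is not needed by the runner and carries <CVE-ID placeholder>; remove it so the image scan stays clean` keeps the reason auditable.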
diff --git a/images/pulsar-functions-base-runner/pulsarctl.Dockerfile b/images/pulsar-functions-base-runner/pulsarctl.Dockerfile
index 123cba40..fe6deecc 100644
--- a/images/pulsar-functions-base-runner/pulsarctl.Dockerfile
+++ b/images/pulsar-functions-base-runner/pulsarctl.Dockerfile
@@ -20,7 +20,7 @@ RUN mkdir -p /pulsar/bin/ \
 && chown -R $UID:$GID /pulsar \
 && chmod -R g=u /pulsar \
 && apk update && apk add --no-cache wget bash \
- && wget https://github.com/streamnative/pulsarctl/releases/latest/download/pulsarctl-amd64-linux.tar.gz -P /pulsar/bin/ \
+ && wget wget https://github.com/streamnative/pulsarctl/releases/download/v3.2.2.6/pulsarctl-amd64-linux.tar.gz -P /pulsar/bin/ \
 && tar -xzf /pulsar/bin/pulsarctl-amd64-linux.tar.gz -C /pulsar/bin/ \
 && rm -rf /pulsar/bin/pulsarctl-amd64-linux.tar.gz \
 && chmod +x /pulsar/bin/pulsarctl-amd64-linux/pulsarctl \
diff --git a/images/pulsar-functions-java-runner/pulsarctl.Dockerfile b/images/pulsar-functions-java-runner/pulsarctl.Dockerfile
index 29992a90..a34c6dc6 100644
--- a/images/pulsar-functions-java-runner/pulsarctl.Dockerfile
+++ b/images/pulsar-functions-java-runner/pulsarctl.Dockerfile
@@ -37,6 +37,9 @@ COPY --from=pulsar --chown=$UID:$GID /pulsar/lib /pulsar/lib
 COPY --from=pulsar --chown=$UID:$GID /pulsar/instances/java-instance.jar /pulsar/instances/java-instance.jar
 COPY --from=pulsar --chown=$UID:$GID /pulsar/instances/deps /pulsar/instances/deps
+# remove the vertx jar since it's not need ans has a cve
+RUN rm -rf /pulsar/lib/io.vertx-vertx-core-*.jar || true
+
 # remove presto dependencies because they are not needed
 RUN rm -rf /pulsar/lib/presto || true
 RUN rm -rf /pulsar/conf/presto || true
diff --git a/images/pulsar-functions-python-runner/Dockerfile b/images/pulsar-functions-python-runner/Dockerfile
index f160602d..a2c5875f 100644
--- a/images/pulsar-functions-python-runner/Dockerfile
+++ b/images/pulsar-functions-python-runner/Dockerfile
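Review bot: The rewritten download line, `&& wget wget https://github.com/streamnative/pulsarctl/releases/download/v3.2.2.6/pulsarctl-amd64-linux.tar.gz -P /pulsar/bin/ \`, repeats the `wget` token, so the word `wget` is passed as a first URL; wget will try to resolve a host by that name, fail, and exit non-zero, which breaks the `&&` chain and the build. Drop the duplicated token. Pinning to v3.2.2.6 instead of `latest` is the right move for reproducibility, but the tarball is still extracted without any integrity check; record the release's digest and verify it before `tar`, e.g. `&& echo '<EXPECTED_SHA256 placeholder>  /pulsar/bin/pulsarctl-amd64-linux.tar.gz' | sha256sum -c - \`. The RUN instruction begins and ends outside this hunk.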
@@ -41,6 +41,6 @@ RUN rm -rf /pulsar/instances/python-instance/pulsar/ \ USER $USER # a temp solution from https://github.com/apache/pulsar/pull/15846 to fix python protobuf version error -RUN pip3 install protobuf==3.20.1 --user +RUN pip3 install protobuf==3.20.2 --user # to make the python runner could print json logs RUN pip3 install python-json-logger --user diff --git a/images/pulsar-functions-python-runner/pulsarctl.Dockerfile b/images/pulsar-functions-python-runner/pulsarctl.Dockerfile index 24106d63..29dbc58c 100644 --- a/images/pulsar-functions-python-runner/pulsarctl.Dockerfile +++ b/images/pulsar-functions-python-runner/pulsarctl.Dockerfile @@ -36,6 +36,6 @@ WORKDIR /pulsar USER $USER # a temp solution from https://github.com/apache/pulsar/pull/15846 to fix python protobuf version error -RUN pip3 install protobuf==3.20.1 --user +RUN pip3 install protobuf==3.20.2 --user # to make the python runner could print json logs RUN pip3 install python-json-logger --user