diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index ecc2ac3f9f..30714c8218 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -88,13 +88,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |docker-auth| unused| | | |image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -### coverity-availability-check-oci-ta:0.1 task parameters +### coverity-availability-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| |COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -253,9 +251,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### buildah-remote-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -278,7 +276,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | -### coverity-availability-check-oci-ta:0.1 task results +### coverity-availability-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |STATUS| Tekton task simple status to be later checked| | @@ -309,8 +307,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-images:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; coverity-availability-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-images:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; coverity-availability-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-images:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-images:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| ### push-dockerfile-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index f9b3f8b35f..f2c9bc470e 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -85,13 +85,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |docker-auth| unused| | | |image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -### coverity-availability-check-oci-ta:0.1 task parameters +### coverity-availability-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| |COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -250,9 +248,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### buildah-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -275,7 +273,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | -### coverity-availability-check-oci-ta:0.1 task results +### coverity-availability-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |STATUS| Tekton task simple status to be later checked| | @@ -306,8 +304,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-container:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; coverity-availability-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; coverity-availability-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-container:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| ### push-dockerfile-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| diff --git a/pipelines/docker-build-oci-ta/patch.yaml b/pipelines/docker-build-oci-ta/patch.yaml index 1fef81319e..629d194f00 100644 --- a/pipelines/docker-build-oci-ta/patch.yaml +++ b/pipelines/docker-build-oci-ta/patch.yaml @@ -30,8 +30,8 @@ # 8 ecosystem-cert-preflight-checks # 9 sast-snyk-check # 10 clamav-scan -# 11 coverity-availability-check -# 12 sast-coverity-check +# 11 sast-coverity-check +# 12 coverity-availability-check # 13 sast-shell-check # 14 sast-unicode-check # 15 apply-tags @@ -148,23 +148,6 @@ - op: remove path: /spec/tasks/11/workspaces/0 -# coverity-availability-check -- op: replace - path: /spec/tasks/12/taskRef/name - value: coverity-availability-check-oci-ta -- op: add - path: /spec/tasks/12/params/- - value: - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) -- op: add - path: /spec/tasks/12/params/- - value: - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) -- op: remove - path: /spec/tasks/12/workspaces/0 - # sast-shell-check - op: replace path: /spec/tasks/13/taskRef/name diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index bf5f15cf5d..5d659560da 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -83,7 +83,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |docker-auth| unused| | | |image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -### coverity-availability-check:0.1 task parameters +### coverity-availability-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | @@ -240,9 +240,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -265,7 +265,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | -### coverity-availability-check:0.1 task results +### coverity-availability-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |STATUS| Tekton task simple status to be later checked| | @@ -331,16 +331,12 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.2:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.1:workspace ; coverity-availability-check:0.1:workspace ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.2:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.1:workspace ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### buildah:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |source| Workspace containing the source code to build.| False| workspace| -### coverity-availability-check:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| | False| workspace| ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/maven-zip-build-oci-ta/README.md b/pipelines/maven-zip-build-oci-ta/README.md index bfd837141c..6f90806bef 100644 --- a/pipelines/maven-zip-build-oci-ta/README.md +++ b/pipelines/maven-zip-build-oci-ta/README.md @@ -26,13 +26,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |PREFETCH_ROOT| The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.| maven-repository| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -### coverity-availability-check-oci-ta:0.1 task parameters +### coverity-availability-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| |COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| ### git-clone-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -149,11 +147,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### build-maven-zip-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-coverity-check:0.1:image-digest ; sast-shell-check:0.1:image-digest| |IMAGE_REF| OCI-Artifact reference of the built OCI-Artifact| | -|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url| +|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | -### coverity-availability-check-oci-ta:0.1 task results +### coverity-availability-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |STATUS| Tekton task simple status to be later checked| | @@ -175,8 +173,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-oci-artifact:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; coverity-availability-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; coverity-availability-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-oci-artifact:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT| ### sast-coverity-check-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| diff --git a/pipelines/maven-zip-build-oci-ta/patch.yaml b/pipelines/maven-zip-build-oci-ta/patch.yaml index a6f7fc2409..924f93d4f4 100644 --- a/pipelines/maven-zip-build-oci-ta/patch.yaml +++ b/pipelines/maven-zip-build-oci-ta/patch.yaml @@ -90,21 +90,6 @@ - op: remove path: /spec/tasks/4/workspaces/0 -# coverity-availability-check -- op: replace - path: /spec/tasks/6/taskRef/name - value: coverity-availability-check-oci-ta -- op: add - path: /spec/tasks/6/params/- - value: - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) -- op: add - path: /spec/tasks/6/params/- - value: - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - # sast-coverity-check - op: replace path: /spec/tasks/5/taskRef/name @@ -121,8 +106,6 @@ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - op: remove path: /spec/tasks/5/workspaces/0 -- op: remove - path: /spec/tasks/6/workspaces/0 # sast-shell-check - op: replace diff --git a/pipelines/maven-zip-build/README.md b/pipelines/maven-zip-build/README.md index 403387103a..783e6060cb 100644 --- a/pipelines/maven-zip-build/README.md +++ b/pipelines/maven-zip-build/README.md @@ -25,7 +25,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |PREFETCH_ROOT| The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.| maven-repository| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -### coverity-availability-check:0.1 task parameters +### coverity-availability-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | @@ -143,11 +143,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### build-maven-zip:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-coverity-check:0.1:image-digest ; sast-shell-check:0.1:image-digest| |IMAGE_REF| OCI-Artifact reference of the built OCI-Artifact| | -|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url| +|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | -### coverity-availability-check:0.1 task results +### coverity-availability-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |STATUS| Tekton task simple status to be later checked| | @@ -187,16 +187,12 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.1:workspace ; coverity-availability-check:0.1:workspace ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.1:workspace ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace| ## Available workspaces from tasks ### build-maven-zip:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |source| Workspace containing the source code to build.| False| workspace| -### coverity-availability-check:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| | False| workspace| ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/maven-zip-build/patch.yaml b/pipelines/maven-zip-build/patch.yaml index 1f1fa7e22d..a0e21b2164 100644 --- a/pipelines/maven-zip-build/patch.yaml +++ b/pipelines/maven-zip-build/patch.yaml @@ -125,12 +125,6 @@ path: /spec/tasks/5/params/1/value value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" # Replace the params set and runAfter of coverity-availability-check -- op: replace - path: /spec/tasks/6/params/0/value - value: "$(tasks.build-oci-artifact.results.IMAGE_DIGEST)" -- op: replace - path: /spec/tasks/6/params/1/value - value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" - op: replace path: /spec/tasks/6/runAfter value: diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 096f330785..a208bb6e0c 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -268,15 +268,7 @@ spec: - build-image-index taskRef: name: coverity-availability-check - version: "0.1" - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - workspaces: - - name: workspace - workspace: workspace + version: "0.2" - name: sast-shell-check when: - input: $(params.skip-checks) diff --git a/task/coverity-availability-check/0.2/README.md b/task/coverity-availability-check/0.2/README.md new file mode 100644 index 0000000000..9565f411b1 --- /dev/null +++ b/task/coverity-availability-check/0.2/README.md @@ -0,0 +1,26 @@ +# coverity-availability-check task + +## Description: + +This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image. + +The characteristics of these tasks are: + +- It will check for a secret called "auth-token-coverity-image" where the authentication token for pulling Coverity image is pulled. +- It will check for a secret called "cov-license" where the Coverity license is stored. + +> NOTE: If any of these tasks fails, the sast-coverity-task check won't be executed. The Coverity license can be used by Red Hat employees only and it needs to be protected such that external users cannot access the license. + +## Params: + +| name | description | default value | required | +|-----------------------------|----------------------------------------------------------------------------------------|----------------------------|----------| +| AUTH_TOKEN_COVERITY_IMAGE | Name of secret which contains the authentication token for pulling the Coverity image | auth-token-coverity-image | yes | +| COV_LICENSE | Name of secret which contains the Coverity license | cov-license | yes | + +## Results: + +| name | description | +|-------------|-----------------------------------------------------------------------------------| +| STATUS | Tekton task simple status to be later checked by the sast-coverity-check task | +| TEST_OUTPUT | Tekton task test output. | diff --git a/task/coverity-availability-check/0.2/coverity-availability-check.yaml b/task/coverity-availability-check/0.2/coverity-availability-check.yaml new file mode 100644 index 0000000000..c0b2ea81ec --- /dev/null +++ b/task/coverity-availability-check/0.2/coverity-availability-check.yaml @@ -0,0 +1,88 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "konflux" + name: coverity-availability-check +spec: + description: >- + This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image. + results: + - description: Tekton task result output. + name: TEST_OUTPUT + - description: Tekton task simple status to be later checked + name: STATUS + params: + - name: COV_LICENSE + description: Name of secret which contains the Coverity license + default: cov-license + - name: AUTH_TOKEN_COVERITY_IMAGE + description: Name of secret which contains the authentication token for pulling the Coverity image. + default: "auth-token-coverity-image" + volumes: + - name: cov-license + secret: + secretName: $(params.COV_LICENSE) + optional: true + - name: auth-token-coverity-image + secret: + secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE) + optional: true + steps: + - name: coverity-availability-check + image: quay.io/konflux-ci/konflux-test:v1.4.8@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + volumeMounts: + - name: cov-license + mountPath: "/etc/secrets/cov" + readOnly: true + - name: auth-token-coverity-image + mountPath: "/etc/secrets/auth/config.json" + subPath: .dockerconfigjson + env: + - name: COV_LICENSE + value: $(params.COV_LICENSE) + - name: AUTH_TOKEN_COVERITY_IMAGE + value: $(params.AUTH_TOKEN_COVERITY_IMAGE) + script: | + #!/usr/bin/env bash + set -eo pipefail + # shellcheck source=/dev/null + . /utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + # Checking Coverity license + COV_LICENSE_PATH=/etc/secrets/cov/cov-license + if [ -f "${COV_LICENSE_PATH}" ] && [ -s "${COV_LICENSE_PATH}" ]; then + echo "Coverity license detected!" + else + echo 'No license file for Coverity was detected. Coverity scan will not be executed...' + echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license' + note="Task $(context.task.name) failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license" + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo -n "failed" | tee "$(results.STATUS.path)" + exit 0 + fi + + # Checking authentication token for downloading coverity image + AUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json + if [ -f "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ] && [ -s "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ]; then + echo "Authentication token detected!" + else + echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...' + echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image' + note="Task $(context.task.name) failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image" + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo -n "failed" | tee "$(results.STATUS.path)" + exit 0 + fi + + note="Task $(context.task.name) completed: Coverity availability checks finished succesfully." + # shellcheck disable=SC2034 + TEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t "$note") + echo -n "success" | tee "$(results.STATUS.path)" + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)"