diff --git a/task/clair-scan/0.2/clair-scan.yaml b/task/clair-scan/0.2/clair-scan.yaml index c68c565b6b..81e3a00cee 100644 --- a/task/clair-scan/0.2/clair-scan.yaml +++ b/task/clair-scan/0.2/clair-scan.yaml @@ -92,14 +92,24 @@ spec: value: $(params.image-url) - name: IMAGE_DIGEST value: $(params.image-digest) + workingDir: /tekton/home script: | #!/usr/bin/env bash + set -o errexit + set -o nounset + set -o pipefail + imagewithouttag=$(echo -n $IMAGE_URL | sed "s/\(.*\):.*/\1/") images_processed_template='{"image": {"pullspec": "'"$IMAGE_URL"'", "digests": [%s]}}' digests_processed=() - for sha_file in /tekton/home/image-manifest-*.sha; do + clair_report() { + { clair-action report --image-ref="$1" --db-path=/tmp/matcher.db --format=quay | tee clair-result-$arch.json; } && \ + { clair-action report --image-ref="$1" --db-path=/tmp/matcher.db --format=clair > clair-report-$arch.json; } + } + + for sha_file in image-manifest-*.sha; do if [ -e "$sha_file" ]; then arch_sha=$(cat "$sha_file") arch=$(basename "$sha_file" | sed 's/image-manifest-//;s/.sha//') @@ -107,7 +117,7 @@ spec: echo "Running clair-action on $arch image manifest." # run the scan for each image manifest in the image index - clair-action report --image-ref=$arch_specific_digest --db-path=/tmp/matcher.db --format=quay | tee /tekton/home/clair-result-$arch.json || true + clair_report "$arch_specific_digest" || true digests_processed+=("\"$arch_sha\"") fi @@ -117,7 +127,42 @@ spec: # add the image_index to the processed digests list and store the result in a file images_processed=$(echo "${images_processed_template/\[%s]/[$digests_processed_string]}") - echo "$images_processed" > /tekton/home/images-processed.json + echo "$images_processed" > images-processed.json + - name: oci-attach-report + image: quay.io/konflux-ci/oras:latest@sha256:56589c1c9132aeaccffad2fc2fd1c3b612741b961e177a91abeb81cb0d859ff2 + workingDir: /tekton/home + env: + - name: IMAGE_URL + value: $(params.image-url) + script: | + #!/usr/bin/env bash + + set -o errexit + set -o nounset + set -o pipefail + + if ! compgen -G "clair-report-*.json" > /dev/null; then + echo 'No Clair reports generated. Skipping upload.' + exit 0 + fi + + echo "Selecting auth" + select-oci-auth $IMAGE_URL > $HOME/auth.json + + base_image="${IMAGE_URL/:*/}" + + arch() { + report_file="$1" + arch="${report_file/*-}" + echo "${arch/.json/}" + } + + MEDIA_TYPE='application/vnd.redhat.clair-report+json' + for f in clair-report-*.json; do + image_ref="${base_image}@$(cat image-manifest-$(arch "$f").sha)" + echo "Attaching $f to ${image_ref}" + oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${image_ref}" "$f:${MEDIA_TYPE}" + done - name: conftest-vulnerabilities image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting diff --git a/task/clair-scan/0.2/spec/clair_scan_spec.sh b/task/clair-scan/0.2/spec/clair_scan_spec.sh new file mode 100644 index 0000000000..20bca9b9f1 --- /dev/null +++ b/task/clair-scan/0.2/spec/clair_scan_spec.sh @@ -0,0 +1,156 @@ +#!/bin/env bash + +set -o errexit +set -o pipefail +set -o nounset + +eval "$(shellspec - -c) exit 1" + +task_path=clair-scan.yaml + +if [[ -f "../${task_path}" ]]; then + task_path="../${task_path}" +fi + + +extract_script() { + script="$(mktemp --tmpdir script_XXXXXXXXXX.sh)" + yq -r ".spec.steps[] | select(.name == \"$1\").script" "${task_path}" > "${script}" + chmod +x "${script}" + + echo "${script}" +} + +# array containing files/directories to remove on test exit +cleanup=() +trap 'rm -rf "${cleanup[@]}"' EXIT + +# Extract the get-vulnerabilities Step script so we can test it +get_vulnerabilities_script="$(extract_script get-vulnerabilities)" +cleanup+=("${get_vulnerabilities_script}") + +testdir() { + testdir="$(mktemp -d)" && cleanup+=("${testdir}") && cd "${testdir}" + + AfterEach 'rm -rf "$testdir"' +} + +Describe "get vulnerabilities" + BeforeEach testdir + + export IMAGE_URL=registry.io/repository/image:tag + export IMAGE_DIGEST=sha256:f0cacc1a + + It "generates reports and images-processed.json" + Mock clair-action + clair_action_args+=("$*") + %preserve clair_action_args + # expecting the --format parameter to be the last one + echo "report in ${clair_action_args[-1]#*--format=} format" + End + echo "sha256:f0cacc1a" > image-manifest-amd64.sha + + When call "${get_vulnerabilities_script}" + The output should eq "Running clair-action on amd64 image manifest. +report in quay format" + The contents of file "images-processed.json" should equal '{"image": {"pullspec": "registry.io/repository/image:tag", "digests": ["sha256:f0cacc1a"]}}' + The contents of file "clair-result-amd64.json" should equal 'report in quay format' + The contents of file "clair-report-amd64.json" should equal 'report in clair format' + The variable clair_action_args[@] should eq "report --image-ref=registry.io/repository/image@sha256:f0cacc1a --db-path=/tmp/matcher.db --format=quay "\ +"report --image-ref=registry.io/repository/image@sha256:f0cacc1a --db-path=/tmp/matcher.db --format=clair" + End + + It "fails in clair-action quay report" + Mock clair-action + clair_action_args+=("$*") + %preserve clair_action_args + [[ "$*" == *--format=quay* ]] && echo "didn't work out" && exit 1 + End + echo "sha256:f0cacc1a" > image-manifest-amd64.sha + + When call "${get_vulnerabilities_script}" + The output should eq "Running clair-action on amd64 image manifest. +didn't work out" + The contents of file "images-processed.json" should equal '{"image": {"pullspec": "registry.io/repository/image:tag", "digests": ["sha256:f0cacc1a"]}}' + The contents of file "clair-result-amd64.json" should equal "didn't work out" + The file "clair-report-amd64.json" should not exist + The variable clair_action_args[@] should eq "report --image-ref=registry.io/repository/image@sha256:f0cacc1a --db-path=/tmp/matcher.db --format=quay" + End +End + +# Extract the oci-attach-report Step script so we can test it +oci_attach_report_script="$(extract_script oci-attach-report)" +cleanup+=("${oci_attach_report_script}") + +oras_attach() { + echo "attach --no-tty --registry-config $HOME/auth.json --artifact-type application/vnd.redhat.clair-report+json registry.io/repository/image@$1 $2:application/vnd.redhat.clair-report+json" +} + +Describe "OCI attach report" + BeforeEach testdir + + export IMAGE_URL=registry.io/repository/image:tag + + It "skips attachments if no reports generated" + Mock select-oci-auth + echo select-oci-auth should not be called + End + + Mock oras + echo oras should not be called + End + + When call "${oci_attach_report_script}" + The output should eq "No Clair reports generated. Skipping upload." + End + + It "attaches for single architecture" + export HOME="${testdir}" + + Mock select-oci-auth + echo selected auth + End + + Mock oras + oras_args+=("$*") + %preserve oras_args + End + + echo "sha256:f0cacc1a" > image-manifest-amd64.sha + touch clair-report-amd64.json + + When call "${oci_attach_report_script}" + The output should eq "Selecting auth +Attaching clair-report-amd64.json to registry.io/repository/image@sha256:f0cacc1a" + The contents of file "auth.json" should equal "selected auth" + The variable oras_args[@] should eq "$(oras_attach sha256:f0cacc1a clair-report-amd64.json)" + End + + It "attaches for multiple architecture" + export HOME="${testdir}" + + Mock select-oci-auth + echo selected auth + End + + Mock oras + oras_args+=("$*") + %preserve oras_args + End + + echo "sha256:f0cacc1a" > image-manifest-amd64.sha + echo "sha256:cc1af0ca" > image-manifest-arm64.sha + echo "sha256:f01acacc" > image-manifest-ppc64le.sha + touch clair-report-{amd64,arm64,ppc64le}.json + + When call "${oci_attach_report_script}" + The output should eq "Selecting auth +Attaching clair-report-amd64.json to registry.io/repository/image@sha256:f0cacc1a +Attaching clair-report-arm64.json to registry.io/repository/image@sha256:cc1af0ca +Attaching clair-report-ppc64le.json to registry.io/repository/image@sha256:f01acacc" + The contents of file "auth.json" should equal "selected auth" + The variable oras_args[@] should eq "$(oras_attach sha256:f0cacc1a clair-report-amd64.json) "\ +"$(oras_attach sha256:cc1af0ca clair-report-arm64.json) "\ +"$(oras_attach sha256:f01acacc clair-report-ppc64le.json)" + End +End \ No newline at end of file