-
Notifications
You must be signed in to change notification settings - Fork 140
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
216 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
# sast-shell-check task | ||
|
||
## Description: | ||
|
||
The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. | ||
|
||
ShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. | ||
|
||
## Params: | ||
|
||
| Name | Description | Default Value | Required | | ||
|-------------------|----------------------------------------------------------------------------------------------|---------------|----------| | ||
| KFP_GIT_URL | Git repository to download known false positives files from. | "" | No | | ||
| PROJECT_NVR | Name-Version-Release (NVR) of the scanned project, used to find path exclusion. | "" | No | | ||
| RECORD_EXCLUDED | Whether to record the excluded findings to file, Useful for auditing.<br/>If "true", the excluded findings will be stored in `excluded-findings.json`. | "false" | No | | ||
| IMP_FINDINGS_ONLY | Whether to report only important findings. To report all findings, specify "false". | "true" | No | | ||
|
||
## Results: | ||
|
||
| name | description | | ||
|-----------------------|--------------------------| | ||
| TEST_OUTPUT | Tekton task test output. | | ||
|
||
## Source repository for image: | ||
|
||
https://github.com/konflux-ci/konflux-test | ||
|
||
## Additional links: | ||
|
||
* https://www.shellcheck.net/wiki/Home | ||
* https://github.com/koalaman/shellcheck | ||
* https://github.com/csutils/csmock |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,179 @@ | ||
apiVersion: tekton.dev/v1 | ||
kind: Task | ||
metadata: | ||
labels: | ||
app.kubernetes.io/version: "0.1" | ||
annotations: | ||
tekton.dev/pipelines.minVersion: "0.12.1" | ||
tekton.dev/tags: "konflux" | ||
name: sast-shell-check | ||
spec: | ||
description: >- | ||
ShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. | ||
results: | ||
- description: Tekton task test output. | ||
name: TEST_OUTPUT | ||
params: | ||
- name: image-url | ||
description: Image URL. | ||
type: string | ||
default: "" | ||
- name: image-digest | ||
description: Image digest to report findings for. | ||
type: string | ||
default: "" | ||
- name: KFP_GIT_URL | ||
description: git repository to download known false positives files from | ||
type: string | ||
# FIXME: Red Hat internal projects will default to https://gitlab.cee.redhat.com/osh/known-false-positives.git | ||
# when KONFLUX-4530 is resolved | ||
default: "" | ||
- name: PROJECT_NVR | ||
description: Name-Version-Release (NVR) of the scanned project, used to find path exclusions | ||
type: string | ||
default: "" | ||
- name: RECORD_EXCLUDED | ||
type: string | ||
description: | | ||
Whether to record the excluded findings (default to false). | ||
If `true`, the excluded findings will be stored in `excluded-findings.json`. | ||
default: "false" | ||
- name: IMP_FINDINGS_ONLY | ||
type: string | ||
description: Whether to include important findings only | ||
default: "true" | ||
steps: | ||
- name: sast-shell-check | ||
image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 | ||
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting | ||
# the cluster will set imagePullPolicy to IfNotPresent | ||
workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) | ||
env: | ||
- name: KFP_GIT_URL | ||
value: $(params.KFP_GIT_URL) | ||
- name: PROJECT_NVR | ||
value: $(params.PROJECT_NVR) | ||
- name: RECORD_EXCLUDED | ||
value: $(params.RECORD_EXCLUDED) | ||
- name: IMP_FINDINGS_ONLY | ||
value: $(params.IMP_FINDINGS_ONLY) | ||
script: | | ||
#!/usr/bin/env bash | ||
set -x | ||
. /utils.sh | ||
# FIXME: once https://github.com/konflux-ci/konflux-test/pull/303 is available in latest image, | ||
# work around below is no longer needed | ||
microdnf install -y ShellCheck | ||
microdnf download csmock-plugin-shellcheck && rpm -ivh --nodeps ./csmock-plugin-shellcheck-*.rpm && rm -f ./csmock-plugin-shellcheck-*.rpm | ||
OUTPUT_FILE="shellcheck-results.json" | ||
SOURCE_CODE_DIR=$(workspaces.workspace.path)/source | ||
# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/ | ||
/usr/share/csmock/scripts/run-shellcheck.sh "$SOURCE_CODE_DIR" | ||
CSGREP_OPTS=( | ||
--mode=json | ||
--strip-path-prefix="$SOURCE_CODE_DIR"/ | ||
--event='error|warning' | ||
--remove-duplicates | ||
--embed-context=3 | ||
) | ||
csgrep "${CSGREP_OPTS[@]}" ./shellcheck-results/*.json > "$OUTPUT_FILE" | ||
if [ $? -ne 0 ]; then | ||
echo "Error occurred while running 'run-shellcheck.sh'" | ||
note="Task $(context.task.name) failed: For details, check Tekton task log." | ||
ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") | ||
echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" | ||
exit 1 | ||
fi | ||
# Filter known false positives if KFP_GIT_URL is set | ||
if [ -n "${KFP_GIT_URL}" ]; then | ||
echo "Filtering known false positives using ${KFP_GIT_URL}" | ||
# build initial csfilter-kfp command | ||
csfilter_cmd="csfilter-kfp --verbose --kfp-git-url=${KFP_GIT_URL}" | ||
# Append --project-nvr option if PROJECT_NVR is set | ||
if [ -n "${PROJECT_NVR}" ]; then | ||
csfilter_cmd+=" --project-nvr=${PROJECT_NVR}" | ||
fi | ||
if [[ "${RECORD_EXCLUDED}" == "true" ]]; then | ||
csfilter_cmd+=" --record-excluded=excluded-findings.json" | ||
fi | ||
# Execute the command and capture any errors | ||
if ! "${csfilter_cmd[@]}" "$OUTPUT_FILE" > "${OUTPUT_FILE}.filtered" 2> "${OUTPUT_FILE}.error"; then | ||
echo "Error occurred while filtering known false positives:" | ||
cat "${OUTPUT_FILE}.error" | ||
note="Task $(context.task.name) failed: For details, check Tekton task log." | ||
ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") | ||
echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" | ||
rm -f "${OUTPUT_FILE}.filtered" "${OUTPUT_FILE}.error" | ||
exit 1 | ||
else | ||
mv "${OUTPUT_FILE}.filtered" "$OUTPUT_FILE" | ||
echo "Filtered results saved back to $OUTPUT_FILE" | ||
fi | ||
else | ||
echo "KFP_GIT_URL is not set. Skipping false positive filtering." | ||
fi | ||
if [[ "$IMP_FINDINGS_ONLY" == "true" ]]; then | ||
CSGREP_EVENT_FILTER='\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|' | ||
CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|' | ||
CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\]$' | ||
csgrep --mode=json --event "$CSGREP_EVENT_FILTER" "$OUTPUT_FILE" > "$OUTPUT_FILE" | ||
fi | ||
echo "ShellCheck results have been saved to $OUTPUT_FILE" | ||
csgrep --mode=evtstat "$OUTPUT_FILE" | ||
csgrep --mode=sarif "$OUTPUT_FILE" > shellcheck-results.sarif | ||
note="Task $(context.task.name) completed successfully." | ||
TEST_OUTPUT=$(make_result_json -r SUCCESS -t "$note") | ||
echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" | ||
- name: upload | ||
image: quay.io/konflux-ci/oras:latest@sha256:f4b891ee3038a5f13cd92ff4f473faad5601c2434d1c6b9bccdfc134d9d5f820 | ||
workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) | ||
env: | ||
- name: IMAGE_URL | ||
value: $(params.image-url) | ||
- name: IMAGE_DIGEST | ||
value: $(params.image-digest) | ||
script: | | ||
#!/usr/bin/env bash | ||
set -e | ||
if [ -z "${IMAGE_URL}" ] || [ -z "${IMAGE_DIGEST}" ]; then | ||
echo 'No image-url or image-digest param provided. Skipping upload.' | ||
exit 0 | ||
fi | ||
UPLOAD_FILES="shellcheck-results.sarif excluded-findings.json" | ||
for UPLOAD_FILE in ${UPLOAD_FILES}; do | ||
if [ ! -f "${UPLOAD_FILE}" ]; then | ||
echo "No ${UPLOAD_FILE} exists. Skipping upload." | ||
continue | ||
fi | ||
# Determine the media type based on the file extension | ||
if [[ "${UPLOAD_FILE}" == *.json ]]; then | ||
MEDIA_TYPE="application/json" | ||
else | ||
MEDIA_TYPE="application/sarif+json" | ||
fi | ||
echo "Selecting auth" | ||
select-oci-auth "$IMAGE_URL" > "$HOME/auth.json" | ||
echo "Attaching to ${IMAGE_URL}" | ||
oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" | ||
done | ||
workspaces: | ||
- name: workspace |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# See the OWNERS docs: https://go.k8s.io/owners | ||
approvers: | ||
- integration-team | ||
reviewers: | ||
- integration-team |