konflux-ci · MartinBasti · Nov 18, 2024 · Sep 11, 2024 · Oct 15, 2024 · Oct 30, 2024
@@ -0,0 +1,24 @@
+# sast-shell-check-oci-ta task
+
+The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.
+ShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts.
+
+## Parameters
+|name|description|default value|required|
+|---|---|---|---|
+|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
+|IMP_FINDINGS_ONLY|Whether to include important findings only|true|false|
+|KFP_GIT_URL|git repository to download known false positives files from|""|false|
+|PROJECT_NAME|Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.|""|false|
+|RECORD_EXCLUDED|Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. |false|false|
+|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
+|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
+|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
+|image-digest|Image digest to report findings for.|""|false|
+|image-url|Image URL.|""|false|
+
+## Results
+|name|description|
+|---|---|
+|TEST_OUTPUT|Tekton task test output.|
+
@@ -0,0 +1,16 @@
+---
+base: ../../sast-shell-check/0.1/sast-shell-check.yaml
+add:
+  - use-source
+  - use-cachi2
+preferStepTemplate: true
+removeWorkspaces:
+  - workspace
+replacements:
+  workspaces.workspace.path: /var/workdir
+regexReplacements:
+  hacbs/\$\(context.task.name\): source
+description: >-
+  The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.
+
+  ShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts.
@@ -0,0 +1,235 @@
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: sast-shell-check-oci-ta
+  annotations:
+    tekton.dev/pipelines.minVersion: 0.12.1
+    tekton.dev/tags: konflux
+  labels:
+    app.kubernetes.io/version: "0.1"
+spec:
+  description: |-
+    The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.
+    ShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts.
+  params:
+    - name: CACHI2_ARTIFACT
+      description: The Trusted Artifact URI pointing to the artifact with
+        the prefetched dependencies.
+      type: string
+      default: ""
+    - name: IMP_FINDINGS_ONLY
+      description: Whether to include important findings only
+      type: string
+      default: "true"
+    - name: KFP_GIT_URL
+      description: git repository to download known false positives files
+        from
+      type: string
+      default: ""
+    - name: PROJECT_NAME
+      description: Name of the scanned project, used to find path exclusions.
+        By default, the Konflux component name will be used.
+      type: string
+      default: ""
+    - name: RECORD_EXCLUDED
+      description: |
+        Whether to record the excluded findings (default to false).
+        If `true`, the excluded findings will be stored in `excluded-findings.json`.
+      type: string
+      default: "false"
+    - name: SOURCE_ARTIFACT
+      description: The Trusted Artifact URI pointing to the artifact with
+        the application source code.
+      type: string
+    - name: caTrustConfigMapKey
+      description: The name of the key in the ConfigMap that contains the
+        CA bundle data.
+      type: string
+      default: ca-bundle.crt
+    - name: caTrustConfigMapName
+      description: The name of the ConfigMap to read CA bundle data from.
+      type: string
+      default: trusted-ca
+    - name: image-digest
+      description: Image digest to report findings for.
+      type: string
+      default: ""
+    - name: image-url
+      description: Image URL.
+      type: string
+      default: ""
+  results:
+    - name: TEST_OUTPUT
+      description: Tekton task test output.
+  volumes:
+    - name: trusted-ca
+      configMap:
+        items:
+          - key: $(params.caTrustConfigMapKey)
+            path: ca-bundle.crt
+        name: $(params.caTrustConfigMapName)
+        optional: true
+    - name: workdir
+      emptyDir: {}
+  stepTemplate:
+    volumeMounts:
+      - mountPath: /var/workdir
+        name: workdir
+  steps:
+    - name: use-trusted-artifact
+      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bc10298bff7805d8bc98211cd4534b9720f365f35ce0ef263dd65802de7ff036
+      args:
+        - use
+        - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+        - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+    - name: sast-shell-check
+      image: quay.io/redhat-appstudio/konflux-test:v1.4.8@sha256:57816753b74ed989771b7cddc1994bc1fa9f4fd454b08bcc97acf2fa718e8c1b
+      workingDir: /var/workdir/source
+      env:
+        - name: KFP_GIT_URL
+          value: $(params.KFP_GIT_URL)
+        - name: PROJECT_NAME
+          value: $(params.PROJECT_NAME)
+        - name: RECORD_EXCLUDED
+          value: $(params.RECORD_EXCLUDED)
+        - name: IMP_FINDINGS_ONLY
+          value: $(params.IMP_FINDINGS_ONLY)
+        - name: COMPONENT_LABEL
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.labels['appstudio.openshift.io/component']
+      script: |
+        #!/usr/bin/env bash
+        set -x
+        # shellcheck source=/dev/null
+        source /utils.sh
+        trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT
+
+        if [[ -z "${PROJECT_NAME}" ]]; then
+          PROJECT_NAME=${COMPONENT_LABEL}
+        fi
+
+        echo "The PROJECT_NAME used is: ${PROJECT_NAME}"
+
+        ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+        if [ -f "$ca_bundle" ]; then
+          echo "INFO: Using mounted CA bundle: $ca_bundle"
+          cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
+          update-ca-trust
+        fi
+
+        PACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n' ShellCheck)
+
+        OUTPUT_FILE="shellcheck-results.json"
+        SOURCE_CODE_DIR=/var/workdir/source
+
+        # generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/
+        /usr/share/csmock/scripts/run-shellcheck.sh "$SOURCE_CODE_DIR"
+
+        CSGREP_OPTS=(
+          --mode=json
+          --strip-path-prefix="$SOURCE_CODE_DIR"/
+          --remove-duplicates
+          --embed-context=3
+          --set-scan-prop="ShellCheck:${PACKAGE_VERSION}"
+        )
+        if [[ "$IMP_FINDINGS_ONLY" == "true" ]]; then
+          # predefined list of shellcheck important findings
+          CSGREP_EVENT_FILTER='\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'
+          CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'
+          CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\]$'
+          CSGREP_OPTS+=(
+            --event="$CSGREP_EVENT_FILTER"
+          )
+        else
+          CSGREP_OPTS+=(
+            --event="error|warning"
+          )
+        fi
+
+        if ! csgrep "${CSGREP_OPTS[@]}" ./shellcheck-results/*.json >"$OUTPUT_FILE"; then
+          echo "Error occurred while running 'run-shellcheck.sh'"
+          note="Task $(context.task.name) failed: For details, check Tekton task log."
+          ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note")
+          echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+          exit 1
+        fi
+
+        # Filter known false positives if KFP_GIT_URL is set
+        if [ -n "${KFP_GIT_URL}" ]; then
+          echo "Filtering known false positives using ${KFP_GIT_URL}"
+
+          # build initial csfilter-kfp command
+          csfilter_kfp_cmd=(
+            csfilter-kfp
+            --verbose
+            --kfp-git-url="${KFP_GIT_URL}"
+            --project-nvr="${PROJECT_NAME}"
+          )
+
+          if [[ "${RECORD_EXCLUDED}" == "true" ]]; then
+            csfilter_kfp_cmd+=(--record-excluded="excluded-findings.json")
+          fi
+
+          # Execute the command and capture any errors
+          if ! "${csfilter_kfp_cmd[@]}" "${OUTPUT_FILE}" >"${OUTPUT_FILE}.filtered" 2>"${OUTPUT_FILE}.error"; then
+            echo "Error occurred while filtering known false positives:"
+            cat "${OUTPUT_FILE}.error"
+            note="Task $(context.task.name) failed: For details, check Tekton task log."
+            ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note")
+            echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+            exit 1
+          else
+            mv "${OUTPUT_FILE}.filtered" "$OUTPUT_FILE"
+            echo "Filtered results saved back to $OUTPUT_FILE"
+          fi
+        else
+          echo "KFP_GIT_URL is not set. Skipping false positive filtering."
+        fi
+
+        echo "ShellCheck results have been saved to $OUTPUT_FILE"
+
+        csgrep --mode=evtstat "$OUTPUT_FILE"
+        csgrep --mode=sarif "$OUTPUT_FILE" >shellcheck-results.sarif
+
+        note="Task $(context.task.name) completed successfully."
+        TEST_OUTPUT=$(make_result_json -r SUCCESS -t "$note")
+        echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+    - name: upload
+      image: quay.io/konflux-ci/oras:latest@sha256:f4b891ee3038a5f13cd92ff4f473faad5601c2434d1c6b9bccdfc134d9d5f820
+      workingDir: /var/workdir/source
+      env:
+        - name: IMAGE_URL
+          value: $(params.image-url)
+        - name: IMAGE_DIGEST
+          value: $(params.image-digest)
+      script: |
+        #!/usr/bin/env bash
+        set -e
+
+        if [ -z "${IMAGE_URL}" ] || [ -z "${IMAGE_DIGEST}" ]; then
+          echo 'No image-url or image-digest param provided. Skipping upload.'
+          exit 0
+        fi
+
+        UPLOAD_FILES="shellcheck-results.sarif excluded-findings.json"
+
+        for UPLOAD_FILE in ${UPLOAD_FILES}; do
+          if [ ! -f "${UPLOAD_FILE}" ]; then
+            echo "No ${UPLOAD_FILE} exists. Skipping upload."
+            continue
+          fi
+
+          # Determine the media type based on the file extension
+          if [[ "${UPLOAD_FILE}" == *.json ]]; then
+            MEDIA_TYPE="application/json"
+          else
+            MEDIA_TYPE="application/sarif+json"
+          fi
+
+          echo "Selecting auth"
+          select-oci-auth "$IMAGE_URL" >"$HOME/auth.json"
+          echo "Attaching to ${IMAGE_URL}"
+          oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}"
+        done
@@ -0,0 +1,6 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+approvers:
+  - integration-team
+reviewers:
+  - integration-team
+  - kdudka
@@ -0,0 +1,32 @@
+# sast-shell-check task
+
+## Description:
+
+The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.
+
+ShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts.
+
+## Params:
+
+| Name              | Description                                                                                                                                            | Default Value | Required |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | -------- |
+| KFP_GIT_URL       | Git repository to download known false positives files from.                                                                                           | ""            | No       |
+| PROJECT_NAME      | Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.                                        | ""            | No       |
+| RECORD_EXCLUDED   | Whether to record the excluded findings to file, Useful for auditing.<br/>If "true", the excluded findings will be stored in `excluded-findings.json`. | "false"       | No       |
+| IMP_FINDINGS_ONLY | Whether to report only important findings. To report all findings, specify "false".                                                                    | "true"        | No       |
+
+## Results:
+
+| name        | description              |
+| ----------- | ------------------------ |
+| TEST_OUTPUT | Tekton task test output. |
+
+## Source repository for image:
+
+https://github.com/konflux-ci/konflux-test
+
+## Additional links:
+
+* https://www.shellcheck.net/wiki/Home
+* https://github.com/koalaman/shellcheck
+* https://github.com/csutils/csmock