OCI-attach reports from clair-scan 0.2 Task #1483
Probably, but Konflux is not setup for this now.
task/clair-scan/0.2/clair-scan.yaml
echo "Selecting auth" | ||
select-oci-auth "$IMAGE_URL" > "$HOME/auth.json" | ||
base_image="${IMAGE_URL/:*/}" |
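Review bot: `base_image="${IMAGE_URL/:*/}"` deletes everything from the first colon onward, so a reference whose registry host carries a port (for example `registry.example.com:5000/ns/app:v1`) collapses to just the host and the later `oras attach` targets the wrong repository; `${IMAGE_URL%:*}` strips only the trailing tag. On the `select-oci-auth` line, unless the script runs under `set -e`, a non-zero exit still leaves an empty `auth.json` behind through the redirect, and the failure only surfaces later as an authentication error from `oras`, so check its status right there.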
Maybe let's call this something like `repository`? "Base image" has a different meaning that may cause confusion.
task/clair-scan/0.2/clair-scan.yaml
for f in clair-report-*.json; do | ||
image_ref="${base_image}@$(cat "image-manifest-$(arch "$f").sha")" | ||
echo "Attaching $f to ${image_ref}" | ||
oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${image_ref}" "$f:${MEDIA_TYPE}" |
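Review bot: `for f in clair-report-*.json` runs the loop body once with the literal pattern when no report file was written, so `cat "image-manifest-$(arch "$f").sha"` fails with a confusing message rather than a clear "no reports produced" error; guard with `[ -e "$f" ] || continue` (or `shopt -s nullglob`) and decide explicitly whether zero reports is a failure. The `oras attach` exit status is also not checked, so a rejected or partially failed attachment would leave an image without its report while the Task still succeeds; fail the step on a non-zero exit.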
On the EC side, we can't trust this information since there's no guarantee that the attached data was actually produced by this Task. Anyone with access to the registry can easily fake the report. This data is informative at best.
This Task needs to emit a digest of the expected data.
If we had identity-based signatures (keyless) enabled in Konflux, we would still need to do this since in that case users could still fake a report via some rogue Pipeline. Slightly harder, but not a risk we should take.
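A defender-side sketch of the check this comment calls for, as an added example that is not code from the PR: the Task records, in its REPORTS result, a JSON map of image digest to report digest (the shape discussed later in this thread), and the policy side recomputes the digest of whatever is attached to the image and accepts the report only on a match. The report bytes and the image digest below are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample: bytes of a clair-format report as the Task produced it
# (not a real clair-action report).
GENUINE_REPORT = json.dumps(
    {"vulnerabilities": {}, "updated_at": "2024-01-01T00:00:00Z"}
).encode()
# Constructed sample: a report that someone with registry write access attached
# to the same image instead of the Task's output.
FORGED_REPORT = json.dumps(
    {"vulnerabilities": {}, "updated_at": "2024-06-01T00:00:00Z"}
).encode()

# Placeholder digest of the scanned image (not a real image).
IMAGE_DIGEST = "sha256:" + "11" * 32


def sha256_digest(data: bytes) -> str:
    """Return the OCI-style digest string (sha256:<hex>) of a blob."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_reports_result(image_to_report: dict) -> str:
    """Task side: the JSON value for the REPORTS result, mapping each image
    digest to the digest of the report blob the Task itself produced."""
    mapping = {img: sha256_digest(blob) for img, blob in image_to_report.items()}
    return json.dumps(mapping, sort_keys=True)


def verify_attached_report(reports_result: str, image_digest: str,
                           attached_blob: bytes) -> bool:
    """Policy side: trust an attached report only if its digest equals the
    one the Task recorded for this image in its (attested) REPORTS result.
    A report for an image the Task never recorded is rejected outright."""
    expected = json.loads(reports_result).get(image_digest)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_digest(attached_blob))
```

The same comparison applies unchanged if several reports are combined into one artifact, as long as the Task records the digest of whatever it actually pushed.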
I did remember that after pushing, will run up against the result limit though...
Yeah, we may have to create a combined result of some sort. You could, for example, put them altogether in an Image Index.
We can choose to use the format, regardless of the attestation being signed or not.
@@ -214,6 +214,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito | |||
|name|description|used in params (taskname:taskrefversion:taskparam) | |||
|---|---|---| | |||
|IMAGES_PROCESSED| Images processed in the task.| | | |||
|REPORTS| Mapping of image digests to report digests| | |
Maybe:
|REPORTS| Mapping of image digests to report digests| | | |
|REPORT_MAP| Mapping of image digests to report digests| | |
or...
|REPORTS| Mapping of image digests to report digests| | | |
|REPORT_REFS| Mapping of image digests to report digests| | |
|-------------------|------------------------------------------| | ||
| TEST_OUTPUT | Tekton task test output. | | ||
| SCAN_OUTPUT | Clair scan result. | | ||
| REPORTS |Mapping of image digests to report digests| |
Is it json? Maybe:
| REPORTS |Mapping of image digests to report digests| | |
| REPORT_REFS |Mapping of image digests to report digests in JSON format| |
This attaches the "clair"-formatted output of the `clair-action` command to the scanned image. Contrary to the `sast-snyk-check` Task, only a single variant of the attachment method is supported, based on the registry support. For quay.io the OCI Distribution 1.1 Referrers API will be used. The `clair-action` needs to be run twice, as the Rego rules executed in the `conftest-vulnerabilities` require the "quay" format, which does not include any date information, whereas the (future) EC policy Rego rules require the "clair" format, which does. Resolves: https://issues.redhat.com/browse/EC-837
The benefit the format would bring is that it links the data to a predicate (image). You are doing that already in the
For posterity, in the arch meeting it was mentioned that double uploading may cause some issues. The Tasks that were doing it, no longer do it, see c746a25.
I think this one is reasonable since it is a completely custom format.
Last call for discussions:
I'm lazy to take on more work here and I'm hovering over the merge button. Let me know if you feel strongly about any of this.
I'm team
lgtm
Great work, thanks!
Thanks for the reviews/feedback!
Notes for reviewers:
application/vnd.redhat.clair-report+json
that could be used?