Skip to content

Commit

Permalink
feat: NVSHAS-9495 SLSA build
Browse files Browse the repository at this point in the history
1. Provide cross-platform/standalone Dockerfile
2. release.yml to publish SLSA-capable artifacts
3. Provide build target, test-image, build-image and push-image to sync
   with rancher.
4. Switch to golang:1.22 as its base image
  • Loading branch information
holyspectral committed Dec 10, 2024
1 parent a129806 commit 176464d
Show file tree
Hide file tree
Showing 6 changed files with 245 additions and 0 deletions.
1 change: 1 addition & 0 deletions .gitattributes
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
data/cvedb filter=lfs diff=lfs merge=lfs -text
64 changes: 64 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: Release

on:
push:
tags:
- 'v*'

jobs:

publish:
runs-on: ubuntu-latest
permissions:
contents: read
# write is needed for:
# - OIDC for cosign's use in ecm-distro-tools/publish-image.
# - Read vault secrets in rancher-eio/read-vault-secrets.
id-token: write

steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Load Secrets from Vault
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
- name: Parse target tag
run: |
TARGET=${{ github.ref_name }}
echo "TAG=${TARGET#v}" >> $GITHUB_ENV
- name: Download vulnerability database
run: |
wget https://${{ secrets.VULNDB_SERVER }}/${TAG}/cvedb.regular -O data/cvedb.regular
- name: Publish manifest
uses: rancher/ecm-distro-tools/actions/publish-image@master
with:
image: neuvector-scanner
tag: ${{ env.TAG }}
platforms: linux/amd64,linux/arm64

public-registry: docker.io
public-repo: neuvector
public-username: ${{ env.DOCKER_USERNAME }}
public-password: ${{ env.DOCKER_PASSWORD }}

prime-registry: ${{ env.PRIME_REGISTRY }}
prime-repo: rancher
prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
- name: Login to registry
uses: docker/login-action@v3
with:
registry: docker.io
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Publish neuvector
run: |
docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/neuvector-scanner:6 docker.io/${{ github.repository_owner }}/neuvector-scanner:${TAG}
docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/scanner:${TAG} docker.io/${{ github.repository_owner }}/neuvector-scanner:${TAG}
docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/scanner:6 docker.io/${{ github.repository_owner }}/neuvector-scanner:6
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -29,4 +29,5 @@ _testmain.go
*.bak

/scanner
data/cvedb.regular
/task/scannerTask_test1.go
101 changes: 101 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -34,3 +34,104 @@ binary:
@echo "Making $@ ..."
@docker pull neuvector/build_fleet:${BUILD_IMAGE_TAG}
@docker run --rm -ia STDOUT --name build -e VULN_VER=$(VULN_VER) --net=none -v $(CURDIR):/go/src/github.com/neuvector/scanner -w /go/src/github.com/neuvector/scanner --entrypoint ./make_bin.sh neuvector/build_fleet:${BUILD_IMAGE_TAG}

RUNNER := docker
IMAGE_BUILDER := $(RUNNER) buildx
MACHINE := neuvector
BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max
DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64
STAGE_DIR=stage

# For scanner, the version is also vulndb version.
COMMIT = $(shell git rev-parse --short HEAD)
ifeq ($(VERSION),)
# Define VERSION, which is used for image tags or to bake it into the
# compiled binary to enable the printing of the application version,
# via the --version flag.
CHANGES = $(shell git status --porcelain --untracked-files=no)
ifneq ($(CHANGES),)
DIRTY = -dirty
endif

GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1)

COMMIT = $(shell git rev-parse --short HEAD)
VERSION = $(COMMIT)$(DIRTY)

# Override VERSION with the Git tag if the current HEAD has a tag pointing to
# it AND the worktree isn't dirty.
ifneq ($(GIT_TAG),)
ifeq ($(DIRTY),)
VERSION = $(GIT_TAG)
endif
endif
VULNDBVER=LATEST
else
VULNDBVER=$(VERSION:1)
endif

ifeq ($(TAG),)
TAG = $(VERSION)
ifneq ($(DIRTY),)
TAG = dev
endif
endif

TARGET_PLATFORMS ?= linux/amd64,linux/arm64
REPO ?= neuvector
IMAGE = $(REPO)/scanner:$(TAG)
BUILD_ACTION = --load

.PHONY: all copy_scan build

ARCH := $(shell uname -p)

BASE_IMAGE_TAG = latest
BUILD_IMAGE_TAG = v2

# Keep this as the first
slsa_all: test build copy_scan_slsa

build:
go build -ldflags='-s -w' -buildvcs=false
make -C task/
make -C monitor/

test:
# Only run unit-test on amd64 for now
if [ "$(ARCH)" = "x86_64" ]; then go test ./...;fi

STAGE_DIR = stage

copy_scan_slsa:
mkdir -p ${STAGE_DIR}/usr/local/bin/
mkdir -p ${STAGE_DIR}/etc/neuvector/db
#
cp monitor/monitor ${STAGE_DIR}/usr/local/bin/
cp scanner ${STAGE_DIR}/usr/local/bin/
cp task/scannerTask ${STAGE_DIR}/usr/local/bin/
cp sigstore-interface/sigstore-interface ${STAGE_DIR}/usr/local/bin/sigstore-interface
cp data/cvedb.regular ${STAGE_DIR}/etc/neuvector/db/cvedb

buildx-machine:
docker buildx ls
@docker buildx ls | grep $(MACHINE) || \
docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)

test-image:
# Instead of loading image, target all platforms, effectivelly testing
# the build for the target architectures.
$(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"

build-image: buildx-machine ## build (and load) the container image targeting the current platform.
$(IMAGE_BUILDER) build -f package/Dockerfile \
--builder $(MACHINE) $(IMAGE_ARGS) \
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) -t "$(IMAGE)" $(BUILD_ACTION) .
@echo "Built $(IMAGE)"


push-image: buildx-machine
$(IMAGE_BUILDER) build -f package/Dockerfile \
--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --build-arg VULNDBVER=$(VULNDBVER) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/neuvector-scanner:$(TAG)" --push .
@echo "Pushed $(IMAGE)"
3 changes: 3 additions & 0 deletions data/cvedb
Git LFS file not shown
75 changes: 75 additions & 0 deletions package/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
ARG VULNDB_VERSION=3.592
ARG VULNDB_CHECKSUM=c19321b848a384bb83dc410faa4a269e7f5d9cc40eb7187d35ada7af70f3a10f
ARG SIGSTORE_VERSION=86e52391a84c8b9bfceac957de7de4b3177604bf
#
# Builder
#
FROM registry.suse.com/bci/golang:1.22 AS builder
ARG VERSION
ARG VULNDB_CHECKSUM
ARG SIGSTORE_VERSION

RUN zypper in -y wget

# Build controller
COPY common/ /src/common
COPY cvetools/ /src/cvetools
COPY data/ /src/data
COPY detectors/ /src/detectors
COPY monitor/ /src/monitor
COPY task/ /src/task
COPY vendor/ /src/vendor
COPY Makefile go.mod go.sum *.go /src/

WORKDIR /src
RUN git clone https://github.com/neuvector/sigstore-interface --single-branch sigstore-interface && cd sigstore-interface && git checkout ${SIGSTORE_VERSION} && make
RUN if [ -f "data/cvedb.regular" ]; then echo "using cvedb.regular"; echo "$VULNDB_CHECKSUM data/cvedb.regular" | sha256sum --check --status; else echo "using cvedb"; cp "data/cvedb" "data/cvedb.regular"; fi
RUN make slsa_all

#
# Base images
#
FROM registry.suse.com/bci/bci-micro:15.6 AS micro
FROM registry.suse.com/bci/bci-base:15.6 AS base

COPY --from=micro / /chroot/
RUN zypper refresh && zypper --installroot /chroot -n in --no-recommends \
ca-certificates procps grep && \
zypper --installroot /chroot clean -a && \
rm -rf /chroot/var/log/

RUN cd /chroot/usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch

RUN mkdir -p /chroot/etc/neuvector/certs/internal/ && mkdir -p /chroot/share && touch /chroot/share/.nvcontainer

#
# Artifact
#
FROM micro
WORKDIR /
COPY --from=base /chroot/ /
COPY --from=builder /src/stage /

ARG COMMIT
ARG VERSION
ARG VULNDB_VERSION
ARG SIGSTORE_VERSION

LABEL name="scanner" \
vendor="SUSE Security" \
version=${VERSION} \
release=${VERSION} \
neuvector.image="neuvector/scanner" \
neuvector.role="scanner" \
neuvector.rev="${COMMIT}" \
neuvector.vuln_db="${VULNDB_VERSION}" \
neuvector.sigstore="${SIGSTORE_VERSION}" \
"io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
"io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/scanner/${VERSION}/README.md" \
"org.opencontainers.image.description"="SUSE Security Scanner" \
"org.opencontainers.image.title"="SUSE Security Scanner" \
"org.opencontainers.image.source"="https://github.com/neuvector/scanner/" \
"org.opencontainers.image.version"="${VERSION}" \
"org.opensuse.reference"="neuvector/scanner:${VERSION}"

ENTRYPOINT ["/usr/local/bin/monitor"]

0 comments on commit 176464d

Please sign in to comment.