feat: NVSHAS-9495 SLSA build

1. Provide cross-platform/standalone Dockerfile 2. release.yml to publish SLSA-capable artifacts 3. Provide build target, test-image, build-image and push-image to sync with rancher. 4. Switch to golang:1.22 as its base image
neuvector · Dec 10, 2024 · aad66f3 · aad66f3
1 parent a129806
commit aad66f3
Show file tree

Hide file tree

Showing 6 changed files with 233 additions and 0 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+data/cvedb filter=lfs diff=lfs merge=lfs -text
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,52 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      # write is needed for:
+      # - OIDC for cosign's use in ecm-distro-tools/publish-image.
+      # - Read vault secrets in rancher-eio/read-vault-secrets.
+      id-token: write
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Load Secrets from Vault
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password | DOCKER_PASSWORD ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
+
+    - name: Download vulnerability database
+      run: |
+        VERSION=${{ github.ref_name }}
+        wget https://${{ secrets.VULNDB_SERVER }}/${VERSION#v}/cvedb.regular -O data/cvedb.regular
+    - name: Publish manifest
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
+      with:
+        image: scanner
+        tag: ${{ github.ref_name }}
+        platforms: linux/amd64,linux/arm64
+
+        public-registry: docker.io
+        public-repo: neuvector
+        public-username: ${{ env.DOCKER_USERNAME }}
+        public-password: ${{ env.DOCKER_PASSWORD }}
+
+        prime-registry: ${{ env.PRIME_REGISTRY }}
+        prime-repo: rancher
+        prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+        prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
diff --git a/.gitignore b/.gitignore
@@ -29,4 +29,5 @@ _testmain.go
 *.bak
 
 /scanner
+data/cvedb.regular
 /task/scannerTask_test1.go
diff --git a/Makefile b/Makefile
@@ -34,3 +34,104 @@ binary:
 	@echo "Making $@ ..."
 	@docker pull neuvector/build_fleet:${BUILD_IMAGE_TAG}
 	@docker run --rm -ia STDOUT --name build -e VULN_VER=$(VULN_VER) --net=none -v $(CURDIR):/go/src/github.com/neuvector/scanner -w /go/src/github.com/neuvector/scanner --entrypoint ./make_bin.sh neuvector/build_fleet:${BUILD_IMAGE_TAG}
+
+RUNNER := docker
+IMAGE_BUILDER := $(RUNNER) buildx
+MACHINE := neuvector
+BUILDX_ARGS ?= --sbom=true --attest type=provenance,mode=max
+DEFAULT_PLATFORMS := linux/amd64,linux/arm64,linux/x390s,linux/riscv64
+STAGE_DIR=stage
+
+# For scanner, the version is also vulndb version.
+COMMIT = $(shell git rev-parse --short HEAD)
+ifeq ($(VERSION),)
+	# Define VERSION, which is used for image tags or to bake it into the
+	# compiled binary to enable the printing of the application version, 
+	# via the --version flag.
+	CHANGES = $(shell git status --porcelain --untracked-files=no)
+	ifneq ($(CHANGES),)
+		DIRTY = -dirty
+	endif
+
+	GIT_TAG = $(shell git tag -l --contains HEAD | head -n 1)
+
+	COMMIT = $(shell git rev-parse --short HEAD)
+	VERSION = $(COMMIT)$(DIRTY)
+
+	# Override VERSION with the Git tag if the current HEAD has a tag pointing to
+	# it AND the worktree isn't dirty.
+	ifneq ($(GIT_TAG),)
+		ifeq ($(DIRTY),)
+			VERSION = $(GIT_TAG)
+		endif
+	endif
+	VULNDBVER=LATEST
+else
+	VULNDBVER=$(VERSION:1)
+endif
+
+ifeq ($(TAG),)
+	TAG = $(VERSION)
+	ifneq ($(DIRTY),)
+		TAG = dev
+	endif
+endif
+
+TARGET_PLATFORMS ?= linux/amd64,linux/arm64
+REPO ?= neuvector
+IMAGE = $(REPO)/scanner:$(TAG)
+BUILD_ACTION = --load
+
+.PHONY: all copy_scan build
+
+ARCH := $(shell uname -p)
+
+BASE_IMAGE_TAG = latest
+BUILD_IMAGE_TAG = v2
+
+# Keep this as the first
+slsa_all: test build copy_scan_slsa
+
+build:
+	go build -ldflags='-s -w' -buildvcs=false
+	make -C task/
+	make -C monitor/
+
+test:
+	# Only run unit-test on amd64 for now
+	if [ "$(ARCH)" = "x86_64" ]; then go test ./...;fi
+
+STAGE_DIR = stage
+
+copy_scan_slsa:
+	mkdir -p ${STAGE_DIR}/usr/local/bin/
+	mkdir -p ${STAGE_DIR}/etc/neuvector/db
+	#
+	cp monitor/monitor ${STAGE_DIR}/usr/local/bin/
+	cp scanner ${STAGE_DIR}/usr/local/bin/
+	cp task/scannerTask ${STAGE_DIR}/usr/local/bin/
+	cp sigstore-interface/sigstore-interface ${STAGE_DIR}/usr/local/bin/sigstore-interface
+	cp data/cvedb.regular ${STAGE_DIR}/etc/neuvector/db/cvedb
+
+buildx-machine:
+	docker buildx ls
+	@docker buildx ls | grep $(MACHINE) || \
+	docker buildx create --name=$(MACHINE) --platform=$(DEFAULT_PLATFORMS)
+
+test-image:
+	# Instead of loading image, target all platforms, effectivelly testing
+	# the build for the target architectures.
+	$(MAKE) build-image BUILD_ACTION="--platform=$(TARGET_PLATFORMS)"
+
+build-image: buildx-machine ## build (and load) the container image targeting the current platform.
+	$(IMAGE_BUILDER) build -f package/Dockerfile \
+		--builder $(MACHINE) $(IMAGE_ARGS) \
+		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) -t "$(IMAGE)" $(BUILD_ACTION) .
+	@echo "Built $(IMAGE)"
+
+
+push-image: buildx-machine
+	$(IMAGE_BUILDER) build -f package/Dockerfile \
+		--builder $(MACHINE) $(IMAGE_ARGS) $(IID_FILE_FLAG) $(BUILDX_ARGS) \
+		--build-arg VERSION=$(VERSION) --build-arg COMMIT=$(COMMIT) --build-arg VULNDBVER=$(VULNDBVER) --platform=$(TARGET_PLATFORMS) -t "$(REPO)/scanner:$(TAG)" --push .
+	@echo "Pushed $(IMAGE)"
diff --git a/data/cvedb b/data/cvedb
diff --git a/package/Dockerfile b/package/Dockerfile
@@ -0,0 +1,75 @@
+ARG VULNDB_VERSION=3.592
+ARG VULNDB_CHECKSUM=c19321b848a384bb83dc410faa4a269e7f5d9cc40eb7187d35ada7af70f3a10f
+ARG SIGSTORE_VERSION=86e52391a84c8b9bfceac957de7de4b3177604bf
+#
+# Builder
+#
+FROM registry.suse.com/bci/golang:1.22 AS builder
+ARG VERSION
+ARG VULNDB_CHECKSUM
+ARG SIGSTORE_VERSION
+
+RUN zypper in -y wget
+
+# Build controller
+COPY common/ /src/common
+COPY cvetools/ /src/cvetools
+COPY data/ /src/data
+COPY detectors/ /src/detectors
+COPY monitor/ /src/monitor
+COPY task/ /src/task
+COPY vendor/ /src/vendor
+COPY Makefile go.mod go.sum *.go /src/
+
+WORKDIR /src
+RUN git clone https://github.com/neuvector/sigstore-interface --single-branch sigstore-interface && cd sigstore-interface && git checkout ${SIGSTORE_VERSION} && make
+RUN if [ -f "data/cvedb.regular" ]; then echo "using cvedb.regular"; echo "$VULNDB_CHECKSUM data/cvedb.regular" | sha256sum --check --status; else echo "using cvedb"; cp "data/cvedb" "data/cvedb.regular"; fi
+RUN make slsa_all
+
+#
+# Base images
+#
+FROM registry.suse.com/bci/bci-micro:15.6 AS micro
+FROM registry.suse.com/bci/bci-base:15.6 AS base
+
+COPY --from=micro / /chroot/
+RUN zypper refresh && zypper --installroot /chroot -n in --no-recommends \
+    ca-certificates procps grep && \
+    zypper --installroot /chroot clean -a && \
+    rm -rf /chroot/var/log/
+
+RUN cd /chroot/usr/bin/ && rm -rf basename chcon chgrp chmod chown chroot cksum dd df dircolors dirname du install install-info join locale localedef mkdir mkfifo mknod mktemp paste pathchk readlink realpath sync smidiff smidump smilink smiquery smistrip smixlate tee tiemout tload top truncate unlink watch
+
+RUN mkdir -p /chroot/etc/neuvector/certs/internal/ && mkdir -p /chroot/share && touch /chroot/share/.nvcontainer
+
+#
+# Artifact
+#
+FROM micro
+WORKDIR /
+COPY --from=base /chroot/ /
+COPY --from=builder /src/stage /
+
+ARG COMMIT
+ARG VERSION
+ARG VULNDB_VERSION
+ARG SIGSTORE_VERSION
+
+LABEL name="scanner" \
+      vendor="SUSE Security" \
+      version=${VERSION} \
+      release=${VERSION} \
+      neuvector.image="neuvector/scanner" \
+      neuvector.role="scanner" \
+      neuvector.rev="${COMMIT}" \
+      neuvector.vuln_db="${VULNDB_VERSION}" \
+      neuvector.sigstore="${SIGSTORE_VERSION}" \
+      "io.artifacthub.package.logo-url"=https://avatars2.githubusercontent.com/u/19367275 \
+      "io.artifacthub.package.readme-url"="https://raw.githubusercontent.com/neuvector/scanner/${VERSION}/README.md" \
+      "org.opencontainers.image.description"="SUSE Security Scanner" \
+      "org.opencontainers.image.title"="SUSE Security Scanner" \
+      "org.opencontainers.image.source"="https://github.com/neuvector/scanner/" \
+      "org.opencontainers.image.version"="${VERSION}" \
+      "org.opensuse.reference"="neuvector/scanner:${VERSION}"
+
+ENTRYPOINT ["/usr/local/bin/monitor"]