Merge pull request #645 from opendevstack/feature/add-trivy-scanner

Feature/add trivy scanner
opendevstack · Jan 5, 2023 · e2538b9 · e2538b9
2 parents e1f14e4 + cfbbcc5
commit e2538b9
Show file tree

Hide file tree

Showing 27 changed files with 476 additions and 213 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        image: ["buildah", "finish", "go-toolset", "gradle-toolset", "helm", "sonar", "start", "pipeline-manager", "python-toolset", "node16-npm-toolset"]
+        image: ["package-image", "finish", "go-toolset", "gradle-toolset", "helm", "sonar", "start", "pipeline-manager", "python-toolset", "node16-npm-toolset"]
     steps:
       -
         name: Checkout
@@ -53,7 +53,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-images
     env:
-      IMAGES: buildah finish go-toolset gradle-toolset helm sonar start pipeline-manager python-toolset node16-npm-toolset
+      IMAGES: package-image finish go-toolset gradle-toolset helm sonar start pipeline-manager python-toolset node16-npm-toolset
     steps:
       -
         name: Download image artifacts

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -30,7 +30,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        image: ["buildah", "finish", "go-toolset", "gradle-toolset", "helm", "sonar", "start", "pipeline-manager", "python-toolset", "node16-npm-toolset"]
+        image: ["package-image", "finish", "go-toolset", "gradle-toolset", "helm", "sonar", "start", "pipeline-manager", "python-toolset", "node16-npm-toolset"]
     permissions:
       contents: read
       packages: write

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,5 @@
 # Changelog
+
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
@@ -9,6 +10,10 @@ listed in the changelog.
 
 ## [Unreleased]
 
+### Added
+
+- Add trivy security scanner CLI for SBOM generation ([#592](https://github.com/opendevstack/ods-pipeline/issues/592))
+
 ### Changed
 
 - Normalize K8s manifests to exclude style differences from Helm diff output. The change is applied to both the helm execution in the `ods-deploy-helm` task and in the install script. See [#591](https://github.com/opendevstack/ods-pipeline/issues/591).
@@ -19,8 +24,11 @@ listed in the changelog.
 - Update go-junit-report to 2.0.0 ([#625](https://github.com/opendevstack/ods-pipeline/issues/625))
 - Enable build skipping by default ([#642](https://github.com/opendevstack/ods-pipeline/issues/642))
 - Remove secrets from installation Helm chart. Secrets are now managed when running the `install.sh` script. See ([#629](https://github.com/opendevstack/ods-pipeline/issues/629))
+- Change name of `buildah` task to `package-image` ([#592](https://github.com/opendevstack/ods-pipeline/issues/592))
+- Package image task now skips creating an image if the image artifact exists (as opposed to checking for an image in the registry) ([#592](https://github.com/opendevstack/ods-pipeline/issues/592))
 
 ### Fixed
+
 - Errors during output collection of binaries such as `buildah`, `aqua-scanner` are not handled ([#611](https://github.com/opendevstack/ods-pipeline/issues/611))
 - STDOUT and STDERR is not interleaved as expected ([#613](https://github.com/opendevstack/ods-pipeline/issues/613))
 

diff --git a/Makefile b/Makefile
@@ -148,7 +148,7 @@ endif
 ##@ OpenShift
 
 start-ods-builds: ## Start builds for each ODS BuildConfig
-	oc start-build ods-buildah
+	oc start-build ods-package-image
 	oc start-build ods-finish
 	oc start-build ods-go-toolset
 	oc start-build ods-gradle-toolset

diff --git a/build/package/Dockerfile.buildah → build/package/Dockerfile.package-image b/build/package/Dockerfile.buildah → build/package/Dockerfile.package-image
@@ -10,17 +10,18 @@ RUN go mod download
 COPY cmd cmd
 COPY internal internal
 COPY pkg pkg
-RUN cd cmd/build-push-image && CGO_ENABLED=0 go build -o /usr/local/bin/ods-build-push-image
+RUN cd cmd/package-image && CGO_ENABLED=0 go build -o /usr/local/bin/ods-package-image
 
 # Final image
 # Based on https://catalog.redhat.com/software/containers/detail/5dca3d76dd19c71643b226d5?container-tabs=dockerfile&tag=8.4
 # and https://github.com/containers/buildah/blob/main/contrib/buildahimage/stable/Dockerfile.
 FROM registry.access.redhat.com/ubi8:8.4
 
 ENV BUILDAH_VERSION=1.27 \
-    SKOPEO_VERSION=1.9
+    SKOPEO_VERSION=1.9 \
+    TRIVY_VERSION=0.36.0
 
-COPY --from=builder /usr/local/bin/ods-build-push-image /usr/local/bin/ods-build-push-image
+COPY --from=builder /usr/local/bin/ods-package-image /usr/local/bin/ods-package-image
 
 # Don't include container-selinux and remove directories used by yum that are just taking up space.
 RUN useradd -u 1001 build \
@@ -47,6 +48,9 @@ RUN echo -e "build:1:1000\nbuild:1002:64535" > /etc/subuid \
     && mkdir -p /home/build/.local/share/containers \
     && chown -R build:build /home/build
 
+# Install Trivy
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "v${TRIVY_VERSION}"
+
 VOLUME /var/lib/containers
 VOLUME /home/build/.local/share/containers
 

diff --git a/cmd/deploy-helm/skopeo.go b/cmd/deploy-helm/skopeo.go
@@ -12,7 +12,7 @@ import (
 func (d *deployHelm) copyImage(imageArtifact artifact.Image, destRegistryToken string, outWriter, errWriter io.Writer) error {
 	imageStream := imageArtifact.Name
 	d.logger.Infof("Copying image %s ...", imageStream)
-	srcImageURL := imageArtifact.Image
+	srcImageURL := imageArtifact.Ref
 	// If the source registry should be TLS verified, the destination
 	// should be verified by default as well.
 	destRegistryTLSVerify := d.opts.srcRegistryTLSVerify
@@ -61,6 +61,6 @@ func getImageDestURL(registryHost, releaseNamespace string, imageArtifact artifa
 	if registryHost != "" {
 		return fmt.Sprintf("%s/%s/%s:%s", registryHost, releaseNamespace, imageArtifact.Name, imageArtifact.Tag)
 	} else {
-		return strings.Replace(imageArtifact.Image, "/"+imageArtifact.Repository+"/", "/"+releaseNamespace+"/", -1)
+		return strings.Replace(imageArtifact.Ref, "/"+imageArtifact.Repository+"/", "/"+releaseNamespace+"/", -1)
 	}
 }
diff --git a/cmd/deploy-helm/steps_test.go b/cmd/deploy-helm/steps_test.go
@@ -60,7 +60,7 @@ func TestGetImageURLs(t *testing.T) {
 	srcHost := "image-registry.openshift-image-registry.svc:5000"
 	destHost := "default-route-openshift-image-registry.apps.example.com"
 	imgArtifact := artifact.Image{
-		Image:      fmt.Sprintf("%s/foo/bar:baz", srcHost),
+		Ref:        fmt.Sprintf("%s/foo/bar:baz", srcHost),
 		Repository: "foo", Name: "bar", Tag: "baz",
 	}
 	tests := map[string]struct {

diff --git a/cmd/build-push-image/aqua.go → cmd/package-image/aqua.go b/cmd/build-push-image/aqua.go → cmd/package-image/aqua.go
diff --git a/cmd/build-push-image/aqua_test.go → cmd/package-image/aqua_test.go b/cmd/build-push-image/aqua_test.go → cmd/package-image/aqua_test.go
diff --git a/cmd/build-push-image/buildah.go → cmd/package-image/buildah.go b/cmd/build-push-image/buildah.go → cmd/package-image/buildah.go
@@ -19,16 +19,31 @@ const (
 
 // buildahBuild builds a local image using the Dockerfile and context directory
 // given in opts, tagging the resulting image with given tag.
-func buildahBuild(opts options, tag string, outWriter, errWriter io.Writer) error {
-	args, err := buildahBuildArgs(opts, tag)
+func (p *packageImage) buildahBuild(outWriter, errWriter io.Writer) error {
+	args, err := p.buildahBuildArgs(p.image.Ref)
 	if err != nil {
 		return fmt.Errorf("assemble build args: %w", err)
 	}
 	return command.Run(buildahBin, args, []string{}, outWriter, errWriter)
 }
 
+// buildahPush pushes a local image to a OCI formatted directory for trivy image scans.
+func (p *packageImage) buildahPushTar(outWriter, errWriter io.Writer) error {
+	args := []string{
+		fmt.Sprintf("--storage-driver=%s", p.opts.storageDriver),
+		"push",
+		fmt.Sprintf("--digestfile=%s", filepath.Join(p.opts.checkoutDir, "image-digest")),
+	}
+	if p.opts.debug {
+		args = append(args, "--log-level=debug")
+	}
+	args = append(args, p.image.Ref, fmt.Sprintf("oci:%s", filepath.Join(p.opts.checkoutDir, p.image.Name)))
+	return command.Run(buildahBin, args, []string{}, outWriter, errWriter)
+}
+
 // buildahPush pushes a local image to the given imageRef.
-func buildahPush(opts options, workingDir, imageRef string, outWriter, errWriter io.Writer) error {
+func (p *packageImage) buildahPush(outWriter, errWriter io.Writer) error {
+	opts := p.opts
 	extraArgs, err := shlex.Split(opts.buildahPushExtraArgs)
 	if err != nil {
 		log.Printf("could not parse extra args (%s): %s", opts.buildahPushExtraArgs, err)
@@ -38,22 +53,23 @@ func buildahPush(opts options, workingDir, imageRef string, outWriter, errWriter
 		"push",
 		fmt.Sprintf("--tls-verify=%v", opts.tlsVerify),
 		fmt.Sprintf("--cert-dir=%s", opts.certDir),
-		fmt.Sprintf("--digestfile=%s", filepath.Join(workingDir, "image-digest")),
+		fmt.Sprintf("--digestfile=%s", filepath.Join(opts.checkoutDir, "image-digest")),
 	}
 	args = append(args, extraArgs...)
 	if opts.debug {
 		args = append(args, "--log-level=debug")
 	}
-	args = append(args, imageRef, fmt.Sprintf("docker://%s", imageRef))
+	args = append(args, p.image.Ref, fmt.Sprintf("docker://%s", p.image.Ref))
 	return command.Run(buildahBin, args, []string{}, outWriter, errWriter)
 }
 
 // buildahBuildArgs assembles the args to be passed to buildah based on
 // given options and tag.
-func buildahBuildArgs(opts options, tag string) ([]string, error) {
+func (p *packageImage) buildahBuildArgs(tag string) ([]string, error) {
 	if tag == "" {
 		return nil, errors.New("tag must not be empty")
 	}
+	opts := p.opts
 	extraArgs, err := shlex.Split(opts.buildahBuildExtraArgs)
 	if err != nil {
 		return nil, fmt.Errorf("parse extra args (%s): %w", opts.buildahBuildExtraArgs, err)
@@ -70,7 +86,7 @@ func buildahBuildArgs(opts options, tag string) ([]string, error) {
 		fmt.Sprintf("--tag=%s", tag),
 	}
 	args = append(args, extraArgs...)
-	nexusArgs, err := nexusBuildArgs(opts)
+	nexusArgs, err := p.nexusBuildArgs()
 	if err != nil {
 		return nil, fmt.Errorf("add nexus build args: %w", err)
 	}
@@ -85,8 +101,9 @@ func buildahBuildArgs(opts options, tag string) ([]string, error) {
 // nexusBuildArgs computes --build-arg parameters so that the Dockerfile
 // can access nexus as determined by the options nexus related
 // parameters.
-func nexusBuildArgs(opts options) ([]string, error) {
+func (p *packageImage) nexusBuildArgs() ([]string, error) {
 	args := []string{}
+	opts := p.opts
 	if strings.TrimSpace(opts.nexusURL) != "" {
 		nexusUrl, err := url.Parse(opts.nexusURL)
 		if err != nil {

diff --git a/cmd/build-push-image/buildah_test.go → cmd/package-image/buildah_test.go b/cmd/build-push-image/buildah_test.go → cmd/package-image/buildah_test.go
@@ -69,7 +69,8 @@ func TestBuildahBuildArgs(t *testing.T) {
 	}
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			got, err := buildahBuildArgs(tc.opts, tc.tag)
+			p := packageImage{opts: tc.opts}
+			got, err := p.buildahBuildArgs(tc.tag)
 			if err != nil {
 				if tc.wantErr != err.Error() {
 					t.Fatalf("want err: '%s', got err: %s", tc.wantErr, err)
@@ -141,7 +142,8 @@ func TestNexusBuildArgs(t *testing.T) {
 				nexusUsername: tc.nexusUsername,
 				nexusPassword: tc.nexusPassword,
 			}
-			args, err := nexusBuildArgs(opts)
+			p := packageImage{opts: opts}
+			args, err := p.nexusBuildArgs()
 			if err != nil {
 				t.Fatal(err)
 			}