feat: azure linux 3 support (#815)
Signed-off-by: Sertac Ozercan <[email protected]>
sozercan authored Oct 24, 2024
1 parent 6dd5b5e commit cdee476
Showing 20 changed files with 213 additions and 3,006 deletions.
14 changes: 7 additions & 7 deletions .github/workflows/build.yml
Expand Up @@ -23,8 +23,8 @@ on:
workflow_dispatch:

env:
TRIVY_VERSION: 0.44.0
BUILDKIT_VERSION: 0.12.0
TRIVY_VERSION: 0.56.2
BUILDKIT_VERSION: 0.16.0

jobs:
unit-test:
Expand All @@ -41,7 +41,7 @@ jobs:
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
go-version: "1.23"
check-latest: true
- name: Add containerd-snapshotter to docker daemon
run: |
Expand Down Expand Up @@ -74,7 +74,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
go-version: "1.23"
check-latest: true
- name: Build copa
shell: bash
Expand Down Expand Up @@ -112,7 +112,7 @@ jobs:
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
go-version: "1.23"
check-latest: true
- name: Install required tools
shell: bash
Expand Down Expand Up @@ -154,7 +154,7 @@ jobs:
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
go-version: "1.23"
check-latest: true
- name: Install required tools
shell: bash
Expand Down Expand Up @@ -192,7 +192,7 @@ jobs:
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
go-version: "1.23"
check-latest: true
- name: Install scanner-plugin-template
shell: bash
2 changes: 1 addition & 1 deletion .github/workflows/check-deps.yml
Expand Up @@ -21,7 +21,7 @@ jobs:
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
go-version: "1.23"
check-latest: true
- name: Check go.mod
shell: bash
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yml
Expand Up @@ -53,7 +53,7 @@ jobs:

- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
go-version: "1.23"
check-latest: true

# Initializes the CodeQL tools for scanning.
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Expand Up @@ -31,6 +31,6 @@ jobs:
steps:
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
go-version: "1.23"
check-latest: true
- uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
4 changes: 2 additions & 2 deletions .github/workflows/golangci-lint.yml
Expand Up @@ -31,10 +31,10 @@ jobs:

- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
go-version: "1.23"
check-latest: true

- name: lint
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with:
version: v1.54.1
version: v1.61.0
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -26,7 +26,7 @@ jobs:

- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
go-version: "1.23"
check-latest: true

- uses: anchore/sbom-action/download-syft@8d0a6505bf28ced3e85154d13dc6af83299e13f1 # v0.17.4
2 changes: 1 addition & 1 deletion .golangci.yml
Expand Up @@ -14,7 +14,7 @@ linters:
disable-all: true
enable:
- errcheck
- exportloopref
- copyloopvar
- forcetypeassert
- gocritic
- goconst
30 changes: 27 additions & 3 deletions integration/fixtures/test-images.json
Expand Up @@ -95,23 +95,47 @@
"tag": "2.0.20240112",
"digest": "sha256:60323975ec3aabe1840920a65237950a54c5fef6ffc811a5d26bb6bd130f1cc3",
"distro": "Mariner",
"description": "Valid rpm DB, no dnf, yum & rpm present",
"description": "Valid rpm DB, tdnf, yum & rpm present",
"ignoreErrors": false
},
{
"image": "mcr.microsoft.com/cbl-mariner/base/core",
"tag": "2.0.20240112-arm64",
"digest": "sha256:c85680df0ddccfd5bf0cd60ff7d0c07b0ea783bcee9ce5dc748b68c0d36e280a",
"distro": "Mariner",
"description": "Valid rpm DB, no dnf, yum & rpm present, arm64 cross-arch",
"description": "Valid rpm DB, tdnf, yum & rpm present, arm64 cross-arch",
"ignoreErrors": false
},
{
"image": "mcr.microsoft.com/cbl-mariner/distroless/base",
"tag": "2.0.20220527",
"digest": "sha256:f550c5428df17b145851ad75983aca6d613ad4b51ca7983b2a83e67d0ac91a5d",
"distro": "Mariner Distroless",
"description": "Custom rpmmanifest files, no yum/dnf/microdnf/rpm",
"description": "Custom rpmmanifest files, no yum/tdnf/dnf/microdnf/rpm",
"ignoreErrors": false
},
{
"image": "mcr.microsoft.com/azurelinux/base/core",
"tag": "3.0.20240727",
"digest": "sha256:02004412d6133fba772fd88dd45ea99b61258722bfc796c156937df4a5d75c6c",
"distro": "Azure Linux",
"description": "Valid rpm DB, tdnf & rpm present, no dnf or yum",
"ignoreErrors": false
},
{
"image": "mcr.microsoft.com/azurelinux/base/core",
"tag": "3.0.20240727-arm64",
"digest": "sha256:5975d2ba45e7d256d4eb4e2b3df3aefbaddf25f14fa300fa126fb93b9f082d33",
"distro": "Azure Linux",
"description": "Valid rpm DB, tdnf & rpm present, no dnf or yum, arm64 cross-arch",
"ignoreErrors": false
},
{
"image": "mcr.microsoft.com/azurelinux/distroless/base",
"tag": "3.0.20240727",
"digest": "sha256:50c24841324cdb36a268bb1288dd6f8bd5bcf19055c24f6aaa750a740a8be62d",
"distro": "Azure Linux Distroless",
"description": "Custom rpmmanifest files, no yum/tdnf/dnf/microdnf/rpm",
"ignoreErrors": false
},
{
23 changes: 21 additions & 2 deletions integration/patch_test.go
Expand Up @@ -47,13 +47,15 @@ func TestPatch(t *testing.T) {
require.NoError(t, err)

for _, img := range images {
img := img
// Oracle tends to throw false positives with Trivy
// See https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400
if !reportFile && !strings.Contains(img.Image, "oracle") {
img.IgnoreErrors = false
}

// download the trivy db before running the tests
downloadDB(t)

t.Run(img.Description, func(t *testing.T) {
t.Parallel()

Expand Down Expand Up @@ -81,6 +83,7 @@ func TestPatch(t *testing.T) {
scanner().
withIgnoreFile(ignoreFile).
withOutput(scanResults).
withSkipDBUpdate().
// Do not set a non-zero exit code because we are expecting vulnerabilities.
scan(t, ref, img.IgnoreErrors)
}
Expand Down Expand Up @@ -109,6 +112,7 @@ func TestPatch(t *testing.T) {
t.Log("scanning patched image")
scanner().
withIgnoreFile(ignoreFile).
withSkipDBUpdate().
// here we want a non-zero exit code because we are expecting no vulnerabilities.
withExitCode(1).
scan(t, patchedRef, img.IgnoreErrors)
Expand Down Expand Up @@ -232,11 +236,26 @@ type scannerCmd struct {
exitCode int
}

func downloadDB(t *testing.T) {
args := []string{
"trivy",
"image",
"--download-db-only",
"--db-repository=ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db",
}
cmd := exec.Command(args[0], args[1:]...) //#nosec G204
cmd.Env = append(cmd.Env, os.Environ()...)
cmd.Env = append(cmd.Env, dockerDINDAddress.env()...)
out, err := cmd.CombinedOutput()
require.NoError(t, err, string(out))
}

func (s *scannerCmd) scan(t *testing.T, ref string, ignoreErrors bool) {
args := []string{
"trivy",
"image",
"--vuln-type=os",
"--quiet",
"--pkg-types=os",
"--ignore-unfixed",
"--scanners=vuln",
}
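Review bot: `downloadDB(t)`, placed after the `// download the trivy db before running the tests` comment, sits inside `for _, img := range images`, so the Trivy DB is pulled once per fixture image instead of once before the subtests start; hoist the call above the loop, i.e. `downloadDB(t)` directly after `require.NoError(t, err)` and before `for _, img := range images {`. Dropping `img := img` is only safe if go.mod declares go 1.22 or later, because the `t.Parallel()` subtest closure captures `img`; the workflow bump to 1.23 suggests it does, but go.mod is not part of this diff. In `downloadDB`, `exec.Command` runs with no deadline, so a stalled pull from either `--db-repository` registry blocks the whole test binary until the global test timeout; `exec.CommandContext` with a bounded `context.WithTimeout` would fail fast with a clear error instead. The comma-separated `--db-repository` fallback list and the `--pkg-types=os` flag presumably require the Trivy version pinned in build.yml, so a local run against an older Trivy fails before scanning; a comment on `downloadDB` such as `// requires the Trivy version pinned in .github/workflows/build.yml (multi-repository --db-repository, --pkg-types)` would make that dependency explicit. TestPatch begins outside the hunk.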