
SRE-2525 ci: Fix Trivy scan upload to the Security tab #15394

Open
wants to merge 2 commits into base: release/2.6

Conversation

grom72
Contributor

@grom72 grom72 commented Oct 25, 2024

  • Enable write access to the Security section of the GitHub project

  • Use the GHA cache to avoid Trivy scan failures due to overuse of the CVE database resulting in database download failures.
    Upgrade trivy-action to version 0.28.0, where the caching mechanism is enabled by default.
    Enable the debug option in Trivy to be prepared for detailed scan failure analysis.

See #15201 for a reference

Before requesting gatekeeper:

  • Two review approvals and any prior change requests have been resolved.
  • Testing is complete and all tests passed or there is a reason documented in the PR why it should be force landed and forced-landing tag is set.
  • Features: (or Test-tag*) commit pragma was used or there is a reason documented that there are no appropriate tags for this PR.
  • Commit messages follow the guidelines outlined here.
  • Any tests skipped by the ticket being addressed have been run and passed in the PR.

Gatekeeper:

  • You are the appropriate gatekeeper to be landing the patch.
  • The PR has 2 reviews by people familiar with the code, including appropriate owners.
  • Githooks were used. If not, request that user install them and check copyright dates.
  • Checkpatch issues are resolved. Pay particular attention to ones that will show up on future PRs.
  • All builds have passed. Check non-required builds for any new compiler warnings.
  • Sufficient testing is done. Check feature pragmas and test tags and that tests skipped for the ticket are run and now pass with the changes.
  • If applicable, the PR has addressed any potential version compatibility issues.
  • Check the target branch. If it is the master branch, should the PR go to a feature branch? If it is a release branch, does it have merge approval in the JIRA ticket?
  • Extra checks if forced landing is requested
    • Review comments are sufficiently resolved, particularly by prior reviewers that requested changes.
    • No new NLT or valgrind warnings. Check the classic view.
    • Quick-build or Quick-functional is not used.
  • Fix the commit message upon landing. Check the standard here. Edit it to create a single commit. If necessary, ask submitter for a new summary.
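The workflow below is an added illustration of the changes listed in the description above (Security-tab write permission, trivy-action 0.28.0 with its default GHA cache, Trivy debug output, SARIF upload); it is not the PR's own .github/workflows/trivy.yml. The triggers, branch list, file names and the decision not to fail the job on findings are assumptions; the step inputs follow trivy-action's documented input names.

```yaml
name: Trivy scan

on:
  pull_request:
  push:
    branches: [release/2.6]   # assumed trigger set; adjust to the project's policy

# Without security-events: write, upload-sarif cannot publish results,
# and the Security tab stays empty even though the scan itself succeeds.
permissions:
  contents: read
  security-events: write
  actions: read               # upload-sarif needs this on private repositories

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif   # assumed file name
          # 0.28.0 stores the vulnerability DB in the GHA cache by default, so
          # repeated runs do not re-download it and hit registry rate limits;
          # written out explicitly so a later bump cannot silently disable it.
          cache: 'true'
          # Findings are recorded in the Security tab; do not fail the job on them.
          exit-code: '0'
        env:
          # Trivy reads TRIVY_* variables as CLI flags; this is --debug,
          # which logs the DB download steps when a scan fails.
          TRIVY_DEBUG: 'true'

      - name: Upload results to the Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()                   # upload whatever was produced, even on failure
        with:
          sarif_file: trivy-results.sarif
```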


https://daosio.atlassian.net/browse/SRE-2525

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@grom72 grom72 force-pushed the grom72/2.6/SRE-2525-trivy branch 2 times, most recently from 5a0db99 to 31a8e51 Compare October 28, 2024 07:41
@grom72 grom72 added the release-2.6.2 Targeted for release 2.6.2 label Oct 28, 2024
@grom72 grom72 force-pushed the grom72/2.6/SRE-2525-trivy branch 3 times, most recently from ce8ff5b to 845b59b Compare October 28, 2024 14:06
- Enable write access to the Security section of the GitHub project

- Use the GHA cache to avoid Trivy scan failures due to overuse of the CVE database resulting in database download failures.
Upgrade `trivy-action` to version 0.28.0, where the caching mechanism is enabled by default.
Enable the debug option in Trivy to be prepared for detailed scan failure analysis.

Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
@grom72 grom72 marked this pull request as ready for review November 1, 2024 22:11
@grom72 grom72 requested a review from a team as a code owner November 1, 2024 22:11
@grom72 grom72 requested review from brianjmurrell and ryon-jensen and removed request for a team November 1, 2024 22:11
@grom72 grom72 added clean-cherry-pick Cherry-pick from another branch that did not require additional edits doc-only Changes only affect documentation, not code labels Nov 1, 2024
brianjmurrell
brianjmurrell previously approved these changes Nov 4, 2024
Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
@grom72 grom72 requested a review from a team November 6, 2024 17:09
@grom72
Contributor Author

grom72 commented Nov 8, 2024

Dear @daos-stack/daos-gatekeeper, please merge this :)

@grom72
Contributor Author

grom72 commented Nov 13, 2024

@daos-stack/daos-gatekeeper is there any reason that this PR has not landed yet?

@daltonbohning
Contributor

2.6 is currently closed for landings

@grom72
Contributor Author

grom72 commented Nov 14, 2024

2.6 is currently closed for landings

This PR does not change anything in DAOS itself; it only enables/fixes the Trivy tool, which is required for the 2.6.2 SDLe process.

Labels
clean-cherry-pick Cherry-pick from another branch that did not require additional edits doc-only Changes only affect documentation, not code release-2.6.2 Targeted for release 2.6.2

4 participants