Move patch tests to go integration tests

Co-authored-by: Sertaç Özercan <[email protected]>
Signed-off-by: Brian Goff <[email protected]>

.github/workflows/build.yml

@@ -79,22 +79,22 @@ jobs:
  name: copa_edge_linux_amd64.tar.gz
  path: dist/linux_amd64/release/copa_edge_linux_amd64.tar.gz
  - name: Load test cases for patch testing
- id: load-tests
+ id: load-test-envs-matrix
  shell: bash
- run: echo "include=$(.github/workflows/generate-matrix.sh)" | tee -a "${GITHUB_OUTPUT}"
+ run: echo "buildkitenvs=$(.github/workflows/scripts/buildkit-env-matrix.sh)" | tee -a "${GITHUB_OUTPUT}"
  outputs:
- include: ${{ steps.load-tests.outputs.include }}
+ buildkitenvs: ${{ steps.load-test-envs-matrix.outputs.buildkitenvs }}
 
  test-patch:
  needs: build
- name: Test patch ${{matrix.mode }} ${{ matrix.image }}:${{ matrix.tag }}
+ name: Test patch ${{ matrix.buildkit_mode }}
  runs-on: ubuntu-latest
- timeout-minutes: 10
+ timeout-minutes: 30
  permissions: read-all
  strategy:
  fail-fast: false
  matrix:
- include: ${{ fromJson(needs.build.outputs.include) }}
+ buildkit_mode: ${{fromJson(needs.build.outputs.buildkitenvs)}}
  steps:
  - name: Download copa from build artifacts
  uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
@@ -104,7 +104,7 @@ jobs:
  uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
  - name: Install required tools
  shell: bash
- run: ./scripts/ci/download-tooling.sh
+ run: .github/workflows/scripts/download-tooling.sh
  - name: Download copa from build artifacts
  uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
  with:
@@ -115,13 +115,12 @@ jobs:
  tar xzf copa_edge_linux_amd64.tar.gz
  ./copa --version
  - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
+ uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
  - name: Run functional test
  shell: bash
  run: |
- echo "[INFO]: Patching ${{ matrix.distro }} image with: ${{ matrix.description}}"
- COPA="$(pwd)/copa" ./scripts/ci/run-functional-tests.sh
- env:
- TEST_BUILDKIT_MODE: ${{ matrix.mode }}
- IMAGE_REF: ${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}
+ set -eu -o pipefail
+ . .github/workflows/scripts/buildkitenvs/${{ matrix.buildkit_mode}}
+ go test -v ./integration --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa"
+
  

.github/workflows/scripts/buildkit-env-matrix.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+
+# Collect all the modes into a bash array
+modes=()
+for i in ${SCRIPT_DIR}/buildkitenvs/*; do
+ base="${i##*/}"
+ for j in "${i}"/*; do
+ modes+=(${base}/${j##*/})
+ done
+done
+
+# Convert bash array to json
+jq -c --null-input '$ARGS.positional' --args -- "${modes[@]}"

integration/main_test.go

@@ -0,0 +1,25 @@
+package integration
+
+import (
+ "flag"
+ "os"
+ "testing"
+)
+
+var (
+ buildkitAddr string
+ copaPath string
+)
+
+func TestMain(m *testing.M) {
+ flag.StringVar(&buildkitAddr, "addr", "", "buildkit address to pass through to copa binary")
+ flag.StringVar(&copaPath, "copa", "./copa", "path to copa binary")
+ flag.Parse()
+
+ if copaPath == "" {
+ panic("missing --copa")
+ }
+
+ ec := m.Run()
+ os.Exit(ec)
+}

integration/patch_test.go

@@ -0,0 +1,152 @@
+package integration
+
+import (
+ _ "embed"
+ "encoding/json"
+ "fmt"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "strconv"
+ "testing"
+
+ "github.com/opencontainers/go-digest"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+var (
+ //go:embed fixtures/test-images.json
+ testImages []byte
+
+ //go:embed fixtures/trivy_ignore.rego
+ trivyIgnore []byte
+)
+
+type testImage struct {
+ Image string `json:"image"`
+ Tag string `json:"tag"`
+ Distro string `json:"distro"`
+ Digest digest.Digest `json:"digest"`
+ Description string `json:"description"`
+}
+
+func TestPatch(t *testing.T) {
+ var images []testImage
+ err := json.Unmarshal(testImages, &images)
+ require.NoError(t, err)
+
+ tmp := t.TempDir()
+ ignoreFile := filepath.Join(tmp, "ignore.rego")
+ err = os.WriteFile(ignoreFile, trivyIgnore, 0o600)
+ require.NoError(t, err)
+
+ for _, img := range images {
+ img := img
+ t.Run(img.Description, func(t *testing.T) {
+ t.Parallel()
+
+ dir := t.TempDir()
+ output := filepath.Join(dir, "output.json")
+ ref := fmt.Sprintf("%s:%s@%s", img.Image, img.Tag, img.Digest)
+ tagPatched := img.Tag + "-patched"
+ patchedRef := fmt.Sprintf("%s:%s", img.Image, tagPatched)
+
+ t.Log("scanning original image")
+ scanner().
+ withIgnoreFile(ignoreFile).
+ withOutput(output).
+ // Do not set a non-zero exit code because we are expecting vulnerabilities.
+ scan(t, ref)
+
+ t.Log("patching image")
+ patch(t, ref, tagPatched, output)
+
+ t.Log("scanning patched image")
+ scanner().
+ withIgnoreFile(ignoreFile).
+ withSkipDBUpdate().
+ // here we want a non-zero exit code because we are expecting no vulnerabilities.
+ withExitCode(1).
+ scan(t, patchedRef)
+ })
+ }
+}
+
+func patch(t *testing.T, ref, patchedTag, scan string) {
+ var addrFl string
+ if buildkitAddr != "" {
+ addrFl = "-a=" + buildkitAddr
+ }
+
+ //#nosec G204
+ cmd := exec.Command(
+ copaPath,
+ "patch",
+ "-i="+ref,
+ "-t="+patchedTag,
+ "-r="+scan,
+ "--timeout=20m",
+ addrFl,
+ )
+ out, err := cmd.CombinedOutput()
+ require.NoError(t, err, string(out))
+}
+
+func scanner() *scannerCmd {
+ return &scannerCmd{}
+}
+
+type scannerCmd struct {
+ output string
+ skipDBUpdate bool
+ ignoreFile string
+ exitCode int
+}
+
+func (s *scannerCmd) scan(t *testing.T, ref string) {
+ args := []string{
+ "trivy",
+ "image",
+ "--vuln-type=os",
+ "--ignore-unfixed",
+ "--scanners=vuln",
+ }
+ if s.output != "" {
+ args = append(args, []string{"-o=" + s.output, "-f=json"}...)
+ }
+ if s.skipDBUpdate {
+ args = append(args, "--skip-db-update")
+ }
+ if s.ignoreFile != "" {
+ args = append(args, "--ignore-policy="+s.ignoreFile)
+ }
+ if s.exitCode != 0 {
+ args = append(args, "--exit-code="+strconv.Itoa(s.exitCode))
+ }
+
+ args = append(args, ref)
+
+ out, err := exec.Command(args[0], args[1:]...).CombinedOutput() //#nosec G204
+ assert.NoError(t, err, string(out))
+}
+
+func (s *scannerCmd) withOutput(p string) *scannerCmd {
+ s.output = p
+ return s
+}
+
+func (s *scannerCmd) withSkipDBUpdate() *scannerCmd {
+ s.skipDBUpdate = true
+ return s
+}
+
+func (s *scannerCmd) withIgnoreFile(p string) *scannerCmd {
+ s.ignoreFile = p
+ return s
+}
+
+func (s *scannerCmd) withExitCode(code int) *scannerCmd {
+ s.exitCode = code
+ return s
+}