Vulnerability Scanning Implementation for container images #1489
Conversation
openshift-ci
bot
added
the
do-not-merge/release-note-label-needed
pull-request-size
bot
added
the
size/XXL
|
/kind feature |
openshift-ci
bot
added
the
kind/feature
karanibm6
force-pushed
the
add-vulnerability-scanning
branch
8 times, most recently
from
c5ea814
to
a8fd62f
Compare
pkg/image/vulnerability_scan.go
Outdated
| ) | ||
|
|
||
| const ( | ||
| VulnerabilityCountLimit = 50 // Number of vulnerabilities to be added to buildrun output. |
There was a problem hiding this comment.
Nit: Would be nice to have it configurable for downstream projects to adapt to their needs.
There was a problem hiding this comment.
@HeavyWombat Shall I add it as another field for vulnerabilityScanOptions ? or Can I set it as an environment variable in some config or in the image-processing container ?
There was a problem hiding this comment.
My initial feeling would be an environment variable.
There was a problem hiding this comment.
Should be in config.go which reads from environment variables.
karanibm6
force-pushed
the
add-vulnerability-scanning
branch
3 times, most recently
from
eaddddc
to
476489d
Compare
openshift-ci
bot
added
release-note
karanibm6
force-pushed
the
add-vulnerability-scanning
branch
from
476489d
to
204320b
Compare
pkg/image/vulnerability_scan.go
Outdated
| ) | ||
|
|
||
| const ( | ||
| VulnerabilityCountLimit = 50 // Number of vulnerabilities to be added to buildrun output. |
There was a problem hiding this comment.
My initial feeling would be an environment variable.
pkg/image/vulnerability_scan.go
Outdated
| ) | ||
|
|
||
| const ( | ||
| VulnerabilityCountLimit = 50 // Number of vulnerabilities to be added to buildrun output. |
There was a problem hiding this comment.
Should be in config.go which reads from environment variables.
pkg/reconciler/buildrun/buildrun.go
Outdated
| return reconcile.Result{}, resources.UpdateConditionWithFalseStatus(ctx, r.client, buildRun, fmt.Sprintf("Vulnerabilities have been found in the output image. For detailed information, see kubectl --namespace %s logs %s --container step-image-processing", | ||
| buildRun.Namespace, | ||
| lastTaskRun.Status.PodName, | ||
| ), "VulnerabilitiesFound") |
There was a problem hiding this comment.
In the message, should we say "check the BuildRun status, or see kubectl ..." ?
Can we put VulnerabilitiesFound into a constant ? Would be nearby here:
| @@ -145,6 +145,12 @@ type GitSourceResult struct { | |||
| BranchName string `json:"branchName,omitempty"` | |||
| } | |||
|
|
|||
| // Vulnerability defines a vulnerability by its ID and severity | |||
| type Vulnerability struct { | |||
| VulnerabilityID string `json:"vulnerabilityID,omitempty"` | |||
There was a problem hiding this comment.
The section is called vulnerabilities, then no nead to call it vulnerabilityID insight of it.
| VulnerabilityID string `json:"vulnerabilityID,omitempty"` | |
| ID string `json:"id,omitempty"` |
There was a problem hiding this comment.
I did that because it was easy to map it with the result from Trivy scan. I will create a different struct for trivy result.
|
|
||
| // Ensure the BuildRun has been created | ||
| err := testBuild.CreateBR(testBuildRun) | ||
| Expect(err).ToNot(HaveOccurred(), "Failed to create BuildRun") | ||
| if _, err := testBuild.GetBR(testBuildRun.Name); err != nil { |
There was a problem hiding this comment.
I do not understand that check. Why do we need to check if the BuildRun exists ?
There was a problem hiding this comment.
Because in my tests, I have already created the buildrun, otherwise I had to create a new function for running buildruns.
This condition is also present in validateBuildRunToSucceed function.
cmd/image-processing/main.go
Outdated
| if img != nil { | ||
| entries, err := os.ReadDir(flagValues.push) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| imagePath = filepath.Join(imagePath, entries[0].Name()) | ||
| } |
There was a problem hiding this comment.
Please add a comment, took me while to understand that img != nil is the condition for a single image in a tar file.
There was a problem hiding this comment.
what u mean with a single image tar, how we can get N tars? lacking of context on the topic
karanibm6
force-pushed
the
add-vulnerability-scanning
branch
from
6ddd690
to
313ea2d
Compare
cmd/image-processing/main_test.go
Outdated
| "--vuln-count-limit", "10", | ||
| )).ToNot(HaveOccurred()) | ||
| output := filecontent(filename) | ||
| Expect(strings.Contains(output, "CVE-2019-8457")).To(BeTrue()) |
There was a problem hiding this comment.
Will produce a better output in case substring is not found:
| Expect(strings.Contains(output, "CVE-2019-8457")).To(BeTrue()) | |
| Expect(output).To(ContainSubstring("CVE-2019-8457")) |
cmd/image-processing/main_test.go
Outdated
| "--vuln-settings", vulnSettings.String(), | ||
| "--result-file-image-vulnerabilities", filename, | ||
| )).ToNot(HaveOccurred()) | ||
| Expect(strings.Contains(filecontent(filename), "CVE-2019-8457")).To(BeTrue()) |
There was a problem hiding this comment.
| Expect(strings.Contains(filecontent(filename), "CVE-2019-8457")).To(BeTrue()) | |
| output := filecontent(filename) | |
| Expect(output).To(ContainSubstring("CVE-2019-8457")) |
cmd/image-processing/main_test.go
Outdated
| "--vuln-settings", vulnSettings.String(), | ||
| "--result-file-image-vulnerabilities", filename, | ||
| )).To(HaveOccurred()) | ||
| Expect(strings.Contains(filecontent(filename), "CVE-2019-8457")).To(BeTrue()) |
There was a problem hiding this comment.
| Expect(strings.Contains(filecontent(filename), "CVE-2019-8457")).To(BeTrue()) | |
| output := filecontent(filename) | |
| Expect(output).To(ContainSubstring("CVE-2019-8457")) |
cmd/image-processing/main_test.go
Outdated
| }) | ||
| }) | ||
|
|
||
| It("should run vulnerability scanning on a image if it is already pushed by the strategy", func() { |
There was a problem hiding this comment.
| It("should run vulnerability scanning on a image if it is already pushed by the strategy", func() { | |
| It("should run vulnerability scanning on an image that is already pushed by the strategy", func() { |
cmd/image-processing/main_test.go
Outdated
| "--vuln-settings", vulnSettings.String(), | ||
| "--result-file-image-vulnerabilities", filename, | ||
| )).ToNot(HaveOccurred()) | ||
| Expect(strings.Contains(filecontent(filename), "CVE-2019-12900")).To(BeTrue()) |
There was a problem hiding this comment.
| Expect(strings.Contains(filecontent(filename), "CVE-2019-12900")).To(BeTrue()) | |
| output := filecontent(filename) | |
| Expect(output).To(ContainSubstring("CVE-2019-12900")) |
pkg/config/config.go
Outdated
| @@ -103,6 +106,7 @@ type Config struct { | |||
| Controllers Controllers | |||
| KubeAPIOptions KubeAPIOptions | |||
| GitRewriteRule bool | |||
| VulnerabilityCountLimit string | |||
There was a problem hiding this comment.
This should be a number. The error returned by SetConfigFromEnv will cause the controller to panic and that's the desired behavior for invalid values.
pkg/image/vulnerability_scan.go
Outdated
| cmd := exec.CommandContext(ctx, "trivy", trivyArgs...) | ||
|
|
||
| // Print the command to be executed | ||
| log.Println(cmd.String()) |
There was a problem hiding this comment.
This would print the password, correct? If so, is a no-go.
|
|
||
| if failedContainer.Name == "step-image-processing" && exitCode == 22 { | ||
| reason = buildv1beta1.BuildRunStateVulnerabilitiesFound | ||
| message = fmt.Sprintf("Vulnerabilities have been found in the image which can be seen in the buildrun status. For detailed information,see kubectl --namespace %s logs %s --container=%s", |
There was a problem hiding this comment.
Will there be reasonable output in the container logs?
There was a problem hiding this comment.
Not really, just the vulnerabilities list. In case trivy command fails, it will print an error, but in that case exit code won't be 22.
| // Generate a pod with the status to be evicted | ||
| failedTaskRunEvictedPod := corev1.Pod{ |
pkg/validate/output.go
Outdated
| severityStr := *b.Build.Spec.Output.VulnerabilityScan.Ignore.Severity | ||
| if !isValidSeverity(severityStr) { | ||
| b.Build.Status.Reason = build.BuildReasonPtr(build.VulnerabilityScanSeverityNotValid) | ||
| b.Build.Status.Message = pointer.String("output vulnerability scan severity is invalid, must be a comma separated combination of these values: low | medium | high | critical") |
karanibm6
force-pushed
the
add-vulnerability-scanning
branch
from
313ea2d
to
9badf96
Compare
- Add vulnerability scanning options in build and buildrun types in v1alpha1 and v1beta1 - Changes for conversion to v1beta1
karanibm6
force-pushed
the
add-vulnerability-scanning
branch
from
9badf96
to
6aaee06
Compare
- implement vulnerability scanning using trivy - list vulnerabilities in buildrun output fix failure details
karanibm6
force-pushed
the
add-vulnerability-scanning
branch
from
6aaee06
to
4cdc36e
Compare
|
Looks mostly good @karanibm6. I put a few small changes in karanibm6#37. Please check. |
…scanning Sascha add vulnerability scanning
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: SaschaSchwarze0 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
Changes
Implementation of this SHIP : https://github.com/shipwright-io/community/blob/main/ships/0033-build-output-vulnerability-scanning.md#build-output-vulnerability-scanning
Fixes #1394
Submitter Checklist
See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.
Release Notes