From 30359a6e6443ae8bbd73370126ec6dac2b0beee0 Mon Sep 17 00:00:00 2001
From: Daniela Plascencia
Date: Wed, 9 Oct 2024 05:33:51 +0200
Subject: [PATCH] ci: enable automatic vulnerability reports for existing workflow

This commit enables the automatic creation of Github issues when a security vulnerability is found in the scan jobs that the build-scan-test-publish-rock.yaml already performs. The intention of this is to add reporting capabilities to the workflows that are already using build-scan-test-publish-rock.yaml on_merge, that is, enable automatic reports of vulnerabilities as Github issues on every merge. Part of #69
---
 ...-scan-test-report-issue-publish-rock.yaml} | 0
 ...-modified-and-build-scan-test-publish.yaml | 18 +++++-
 .github/workflows/scan-rock.yaml | 58 ++++++++++++++++---
 3 files changed, 67 insertions(+), 9 deletions(-)
 rename .github/workflows/{build-scan-test-publish-rock.yaml => build-scan-test-report-issue-publish-rock.yaml} (100%)

diff --git a/.github/workflows/build-scan-test-publish-rock.yaml b/.github/workflows/build-scan-test-report-issue-publish-rock.yaml
similarity index 100%
rename from .github/workflows/build-scan-test-publish-rock.yaml
rename to .github/workflows/build-scan-test-report-issue-publish-rock.yaml
diff --git a/.github/workflows/get-rocks-modified-and-build-scan-test-publish.yaml b/.github/workflows/get-rocks-modified-and-build-scan-test-publish.yaml
index 0587af6..6d04137 100644
--- a/.github/workflows/get-rocks-modified-and-build-scan-test-publish.yaml
+++ b/.github/workflows/get-rocks-modified-and-build-scan-test-publish.yaml
@@ -2,7 +2,15 @@ name: Get ROCKs modified and build-scan-test-publish them
 on:
 workflow_call:
+ secrets:
+ GH_TOKEN:
+ required: true
 inputs:
+ report-vulnerabilities:
+ description: "Whether to report security vulnerabilities through Github issues."
+ required: false
+ default: false
+ type: boolean
 rockcraft-channel:
 description: "Rockcraft channel e.g. latest/stable"
 required: false
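Review bot: `GH_TOKEN` becomes a required secret of this reusable workflow, yet no step in the patch reads it; the only consumer can be the renamed `build-scan-test-report-issue-publish-rock.yaml`, which this commit leaves byte-identical, so presumably the issue-creating step arrives in a later commit. If the issues are opened in the same repository, the job-scoped `GITHUB_TOKEN` with `permissions:` / `issues: write` on the reporting job is the least-privilege choice and avoids circulating a long-lived PAT through `secrets: inherit`. Whichever token is kept, a comment above `GH_TOKEN:` should name the step that uses it and the scopes it needs, e.g. `# Used by the report-issue step to open issues; needs issues:write`.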
@@ -23,6 +31,12 @@ on:
 default: ""
 required: false
 type: string
+ severity:
+ description: "Comma separated list of severities of vulnerabilities to scanned for and displayed"
+ required: false
+ type: string
+ default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+
 jobs:
 get-rock-paths-modified:
@@ -35,11 +49,13 @@ jobs:
 fail-fast: false
 matrix:
 rock-dir: ${{ fromJson(needs.get-rock-paths-modified.outputs.paths) }}
- uses: ./.github/workflows/build-scan-test-publish-rock.yaml
+ uses: ./.github/workflows/build-scan-test-report-issue-publish-rock.yaml
 secrets: inherit
 with:
+ report-vulnerabilities: ${{ inputs.report-vulnerabilities }}
 rock-dir: ${{ matrix.rock-dir }}
 microk8s-channel: ${{ inputs.microk8s-channel }}
 juju-channel: ${{ inputs.juju-channel }}
 rockcraft-channel: ${{ inputs.rockcraft-channel }}
 python-version: ${{ inputs.python-version }}
+ severity: ${{ inputs.severity }}
diff --git a/.github/workflows/scan-rock.yaml b/.github/workflows/scan-rock.yaml
index 52001a1..b04fe04 100644
--- a/.github/workflows/scan-rock.yaml
+++ b/.github/workflows/scan-rock.yaml
@@ -3,6 +3,11 @@ name: Scan
 on:
 workflow_call:
 inputs:
+ report-vulnerabilities:
+ description: "Whether to report security vulnerabilities through Github issues."
+ required: false
+ default: false
+ type: boolean
 rock-artifact:
 description: "Name of the artifact from which the ROCK will be downloaded."
 required: true
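Review bot: The new `severity` description has a grammar slip, "to scanned for and displayed"; suggest `description: "Comma separated list of severities of vulnerabilities to scan for and display"`. The same text is copied into scan-rock.yaml in the hunk at `@@ -16,10 +21,19 @@`, so fix both. Since the value is handed verbatim to the Trivy action's `severity` option further down the patch, the description could also say that only Trivy's severity names are accepted.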
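Review bot: This `with:` block now supplies `report-vulnerabilities` and `severity` to `build-scan-test-report-issue-publish-rock.yaml`, but the diffstat records that file as a 100% rename with no content change, so at this commit the called workflow does not declare either input and GitHub refuses a `workflow_call` that passes inputs the callee has not declared. If a later commit in the same PR adds those inputs, either reorder or squash so that every commit on the branch is runnable; otherwise the two inputs need to be declared in the callee's `on.workflow_call.inputs` in this patch. `secrets: inherit` also keeps forwarding every repository secret to the callee even though only `GH_TOKEN` is now declared; passing it explicitly with `secrets:` / `GH_TOKEN: ${{ secrets.GH_TOKEN }}` narrows what the reusable workflow can reach.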
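Review bot: The description of `report-vulnerabilities` promises Github issues, but within scan-rock.yaml the flag only decides whether the Trivy step fails the job (the `exit-code` plumbing in the `@@ -48,22 +62,50 @@` hunk); no step in this workflow opens an issue, so readers will look for one that does not exist here. Describe the observable effect of the flag at this level instead, e.g. `description: "When true, fail the scan job on findings so the calling workflow can report them as Github issues."`, and leave the issue-creation wording to the caller that actually does it.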
@@ -16,10 +21,19 @@ on:
 description: "Filename of the .rock file"
 required: true
 type: string
+ severity:
+ description: "Comma separated list of severities of vulnerabilities to scanned for and displayed"
+ required: false
+ type: string
+ default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
 jobs:
 scan:
 name: Scan ${{ inputs.rock-reference }}
 runs-on: ubuntu-22.04
+ outputs:
+ image-name: ${{ steps.image-name.outputs.image-name }}
+ strategy:
+ fail-fast: false
 steps:
 # Ideally we'd use self-hosted runners, but this effort is still not stable.
 # This action will remove unused software (dotnet, haskell, android libs, codeql,
@@ -38,7 +52,7 @@ jobs:
 - name: Install Rockcraft
 run: sudo snap install rockcraft --classic --edge
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@v4
 with:
 name: ${{ inputs.rock-artifact }}
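Review bot: `strategy:` / `fail-fast: false` is added to the `scan` job, but `fail-fast` only governs the jobs of a `matrix`, and this job declares none, so the two lines do nothing and should either be dropped or accompanied by a comment on why they are wanted. The new `outputs.image-name` is the artifact-name key that callers must reproduce to download the report, but the output itself carries no description; a comment above it such as `# rock-reference with ':' replaced by '-'; also used as the Trivy report artifact name` would save readers a trip to the step that computes it. The `severity` description here repeats the wording problem noted on the get-rocks-modified hunk.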
@@ -48,22 +62,50 @@ jobs:
 sudo rockcraft.skopeo --insecure-policy copy oci-archive:${{ inputs.rock-filename }} docker-daemon:rock:tag
 echo "image=rock:tag" >> "$GITHUB_OUTPUT"
+ - name: Set up inputs for scan
+ id: set-up-inputs
+ run: |
+ echo "exit-code=1" >> "$GITHUB_OUTPUT"
+ if ${{ inputs.report-vulnerabilities == false }}; then
+ echo "exit-code=0" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Generate image name
+ id: image-name
+ run: |
+ IMAGE_NAME=$(echo ${{ inputs.rock-reference }} | sed 's/\:/-/g')
+ echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
+
 - name: Scan for vulnerabilities
 id: scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.25.0
+ # Workaround for https://github.com/aquasecurity/trivy-action/issues/389
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
 with:
 scan-type: 'image'
 image-ref: '${{ steps.rock_in_docker.outputs.image }}'
- format: 'json'
- output: 'trivy-report-${{ inputs.rock-artifact }}.json'
+ format: 'table'
+ output: 'trivy-report-${{ steps.image-name.outputs.image-name }}.txt'
 ignore-unfixed: true
 timeout: '50m0s'
+ exit-code: ${{ steps.set-up-inputs.outputs.exit-code }}
+ severity: ${{ inputs.severity }}
+ # NOTE: pebble is flagged with a HIGH vuln because of golang.org/x/crypto
+ # CVE-2021-43565, CVE-2022-27191
+ skip-files: '/bin/pebble,/usr/bin/pebble,usr/bin/pebble,bin/pebble'
 - name: Print vulnerabilities report
- run: cat trivy-report-${{ inputs.rock-artifact }}.json
+ # The report should be printed regardless of the success of the previous step
+ if: success() || failure()
+ run: cat trivy-report-${{ steps.image-name.outputs.image-name }}.txt
 - name: Upload Trivy reports
- uses: actions/upload-artifact@v3
+ # The report should be uploaded regardless of the success of the previous steps
+ if: success() || failure()
+ uses: actions/upload-artifact@v4
 with:
- name: trivy-report-${{ inputs.rock-artifact }}
- path: trivy-report-${{ inputs.rock-artifact }}.json
+ compression-level: 0
+ name: trivy-report-${{ steps.image-name.outputs.image-name }}
+ path: trivy-report-${{ steps.image-name.outputs.image-name }}.txt
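Review bot: The "Generate image name" step expands `${{ inputs.rock-reference }}` straight into the shell line, so whatever the caller passes is interpreted by bash before `echo` sees it; the input comes from a calling workflow rather than an event payload, but the robust pattern is to route it through the environment: add `env:` / `ROCK_REFERENCE: ${{ inputs.rock-reference }}` to the step and write `IMAGE_NAME=$(printf '%s' "$ROCK_REFERENCE" | sed 's/:/-/g')`. The "Set up inputs for scan" step has the same shape with `if ${{ inputs.report-vulnerabilities == false }}; then`, and can be dropped entirely by computing the value in the expression, `exit-code: ${{ inputs.report-vulnerabilities && 1 || 0 }}`. `skip-files` silences every finding in the pebble binary, including future ones, in order to hide the two CVEs named in the comment; listing just those ids in a `.trivyignore` file passed through the action's `trivyignores` input keeps new pebble advisories visible. Pinning `aquasecurity/trivy-action@0.25.0` is a clear improvement over `@master`; pinning to that tag's commit (`@<commit-sha-of-0.25.0> # v0.25.0`) also removes the moving-tag window.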