From e20e80ebdae722d05cc3b54f2a43423aaddb2111 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 6 Dec 2024 14:57:26 +0100 Subject: [PATCH 1/8] template-build: fix parmeters of sast-coverity-check ... and coverity-availability-check to make the template work with multiarch builds. Fixes: https://github.com/konflux-ci/build-definitions/pull/1411 Resolves: https://issues.redhat.com/browse/OSH-790 Resolves: https://issues.redhat.com/browse/KFLUXSPRT-847 --- .../docker-build-multi-platform-oci-ta/README.md | 8 ++++---- pipelines/docker-build-oci-ta/README.md | 12 ++++++------ pipelines/docker-build/README.md | 12 ++++++------ pipelines/tekton-bundle-builder/README.md | 12 ++++++------ pipelines/template-build/template-build.yaml | 8 ++++---- 5 files changed, 26 insertions(+), 26 deletions(-) diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index c278bf28ce..ecc2ac3f9f 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md 
@@ -184,8 +184,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -253,9 +253,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob 
digest to enable digest-based verification from provenance| | ### buildah-remote-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index 1b078292d5..f9b3f8b35f 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -181,8 +181,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -250,16 +250,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob 
digest to enable digest-based verification from provenance| | ### buildah-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 95afc49114..bf5f15cf5d 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md 
@@ -172,8 +172,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -240,16 +240,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob 
digest to enable digest-based verification from provenance| | ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index 7af3d568ce..650bec2fb3 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md 
@@ -102,8 +102,8 @@ |RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-unicode-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -142,9 +142,9 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| sast-coverity-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
@@ -180,9 +180,9 @@
 ### tkn-bundle:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest|
+|IMAGE_DIGEST| Digest of the image just built| |
 |IMAGE_REF| Image reference of the built image| |
-|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url|
+|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES|
 ## Workspaces
 |name|description|optional|used in tasks
diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml
index 863f8b6451..096f330785 100644
--- a/pipelines/template-build/template-build.yaml
+++ b/pipelines/template-build/template-build.yaml
@@ -253,9 +253,9 @@ spec:
 version: "0.1"
 params:
 - name: image-digest
- value: $(tasks.build-container.results.IMAGE_DIGEST)
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
 - name: image-url
- value: $(tasks.build-container.results.IMAGE_URL)
+ value: $(tasks.build-image-index.results.IMAGE_URL)
 workspaces:
 - name: workspace
 workspace: workspace
@@ -271,9 +271,9 @@ spec:
 version: "0.1"
 params:
 - name: image-digest
- value: $(tasks.build-container.results.IMAGE_DIGEST)
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
 - name: image-url
- value: $(tasks.build-container.results.IMAGE_URL)
+ value: $(tasks.build-image-index.results.IMAGE_URL)
 workspaces:
 - name: workspace
 workspace: workspace
From 815448b76ab11349efe79502e07e537187328fdd Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Mon, 9 Dec 2024 06:36:55 +0100
Subject: [PATCH 2/8] renovate: group .github/workflows/* together We have a custom regex manager for a file in .github/workflows. Group the updates together with other github actions updates.
Signed-off-by: Adam Cmiel
---
 renovate.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/renovate.json b/renovate.json
index 176fa6dbe7..eb5db54045 100644
--- a/renovate.json
+++ b/renovate.json
@@ -139,6 +139,9 @@
 "matchManagers": [
 "github-actions"
 ],
+ "matchFileNames": [
+ ".github/workflows/**"
+ ],
 "schedule": [
 "on monday"
 ]
From b58c040a89455ead6d50fc1b8c5c4c96ade83f79 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Mon, 9 Dec 2024 06:42:14 +0100
Subject: [PATCH 3/8] renovate: upgrade appstudio-utils only once a week The appstudio-utils image is built on every push to build-definitions. This creates an infinite loop of Renovate update PRs. The updates are hardly ever relevant. Update the image once a week.
Signed-off-by: Adam Cmiel
---
 renovate.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index eb5db54045..47607284a0 100644
--- a/renovate.json
+++ b/renovate.json
@@ -18,10 +18,17 @@
 ]
 },
 "packageRules": [
+ {
+ "matchPackageNames": [
+ "quay.io/konflux-ci/appstudio-utils"
+ ],
+ "schedule": [
+ "on monday"
+ ]
+ },
 {
 "matchPackageNames": [
 "quay.io/konflux-ci/pull-request-builds",
- "quay.io/konflux-ci/appstudio-utils",
 "quay.io/konflux-ci/buildah",
 "quay.io/konflux-ci/source-container-build",
 "quay.io/redhat-appstudio/e2e-tests",
From 27996c92910ff15c28990788f7a7911af9336fbe Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Mon, 9 Dec 2024 06:50:53 +0100
Subject: [PATCH 4/8] renovate: remove the 'shared' group It shouldn't match any updates anymore, we group updates by task file paths now.
Signed-off-by: Adam Cmiel
---
 renovate.json | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/renovate.json b/renovate.json
index 47607284a0..70af3f8477 100644
--- a/renovate.json
+++ b/renovate.json
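Review bot: Adding `matchFileNames` to a rule that already carries `"matchManagers": ["github-actions"]` narrows the rule rather than widening it, because every `match*` key inside one packageRule has to match for the rule to apply. If the intent stated in the message is to pull the custom regex manager's updates for the workflow file into this group, that manager must be listed as well, e.g. `"matchManagers": ["github-actions", "custom.regex"]` (the exact custom-manager name depends on the Renovate version in use). The beginning of this packageRule lies outside the hunk, so I cannot see whether some other matcher already accounts for it.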
@@ -130,17 +130,6 @@
 "task/ecosystem-cert-preflight-checks/**"
 ]
 },
- {
- "matchPackagePrefixes": [
- "registry.redhat.io",
- "registry.access.redhat.com",
- "docker.io"
- ],
- "schedule": [
- "on monday and wednesday"
- ],
- "groupName": "shared"
- },
 {
 "groupName": "github-actions",
 "matchManagers": [
From 3def877ed54278439312997fee475c9bf48ead92 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Mon, 9 Dec 2024 06:44:26 +0100
Subject: [PATCH 5/8] renovate: move scheduled updates to Sunday https://docs.renovatebot.com/configuration-options/#schedule Schedule: "on Monday" pretty much means "submit PRs all throughout Monday". That means if we merge Renovate PRs on Monday morning, we will still get more throughout the day. Instead, send the scheduled PRs on Sunday so that they're ready for merging on Monday. Note: currently, only GH actions and appstudio-utils updates are on a schedule. Others are unscheduled.
Signed-off-by: Adam Cmiel
---
 renovate.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/renovate.json b/renovate.json
index 70af3f8477..ec4332c7d7 100644
--- a/renovate.json
+++ b/renovate.json
@@ -23,7 +23,7 @@
 "quay.io/konflux-ci/appstudio-utils"
 ],
 "schedule": [
- "on monday"
+ "on sunday"
 ]
 },
 {
@@ -139,7 +139,7 @@
 ".github/workflows/**"
 ],
 "schedule": [
- "on monday"
+ "on sunday"
 ]
 },
 {
From 677c98052756a96e576c1bec9aa1317a778d37cb Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Fri, 6 Dec 2024 16:33:18 +0100
Subject: [PATCH 6/8] Remove ec-owned tasks' OWNERS files We use CODEOWNERS instead now.
Signed-off-by: Adam Cmiel
---
 task/tkn-bundle-oci-ta/OWNERS | 5 -----
 task/tkn-bundle/OWNERS | 5 -----
 task/verify-enterprise-contract/OWNERS | 5 -----
 3 files changed, 15 deletions(-)
 delete mode 100644 task/tkn-bundle-oci-ta/OWNERS
 delete mode 100644 task/tkn-bundle/OWNERS
 delete mode 100644 task/verify-enterprise-contract/OWNERS
diff --git a/task/tkn-bundle-oci-ta/OWNERS b/task/tkn-bundle-oci-ta/OWNERS
deleted file mode 100644
index 9058861f0f..0000000000
--- a/task/tkn-bundle-oci-ta/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - ec-team
-reviewers:
- - ec-team
diff --git a/task/tkn-bundle/OWNERS b/task/tkn-bundle/OWNERS
deleted file mode 100644
index 9058861f0f..0000000000
--- a/task/tkn-bundle/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - ec-team
-reviewers:
- - ec-team
diff --git a/task/verify-enterprise-contract/OWNERS b/task/verify-enterprise-contract/OWNERS
deleted file mode 100644
index 9058861f0f..0000000000
--- a/task/verify-enterprise-contract/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - ec-team
-reviewers:
- - ec-team
From f468487373a0cbe21da2e7f0e11249c0315c4bd7 Mon Sep 17 00:00:00 2001
From: arewm
Date: Mon, 9 Dec 2024 09:04:59 -0500
Subject: [PATCH 7/8] improve completeness of FBC validation migration
Signed-off-by: arewm
---
 task/fbc-validation/0.2/MIGRATION.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/task/fbc-validation/0.2/MIGRATION.md b/task/fbc-validation/0.2/MIGRATION.md
index d56811ed35..804ea7ca1d 100644
--- a/task/fbc-validation/0.2/MIGRATION.md
+++ b/task/fbc-validation/0.2/MIGRATION.md
@@ -32,8 +32,9 @@ To remove this task from your pipeline please follow these steps:
 - name: name
 - value: fbc-validation
 + value: validate-fbc
-- - name: bundle
-- value: quay.io/konflux-ci/tekton-catalog/task-validate-fbc:0.1
+ - name: bundle
+- value: quay.io/konflux-ci/tekton-catalog/task-fbc-validation:0.1
++ value: quay.io/konflux-ci/tekton-catalog/task-validate-fbc:0.1
 - name: kind
 value: task
 resolver: bundles
From a50d7b3ed81618942ba13fecf0deaa1da0cc512e Mon Sep 17 00:00:00 2001
From: jperezde
Date: Thu, 21 Nov 2024 13:10:19 +0100
Subject: [PATCH 8/8] snyk-sast: added stats for Snyk scans Solves: https://issues.redhat.com/browse/OSH-769 Adding the stats to snyk scans in the result's SARIF file of successful scans.
---
 .../0.3/sast-snyk-check-oci-ta.yaml | 20 ++++++++++++++++++-
 task/sast-snyk-check/0.3/MIGRATION.md | 1 +
 task/sast-snyk-check/0.3/sast-snyk-check.yaml | 20 ++++++++++++++++++-
 3 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
index 654c12373a..8a7799d795 100644
--- a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
+++ b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
@@ -215,7 +215,25 @@ spec:
 (set -x && csgrep --mode=evtstat filtered_sast_snyk_check_out.json)
 fi
- csgrep --mode=sarif filtered_sast_snyk_check_out.json >sast_snyk_check_out.sarif
+ # Generation of scan stats
+
+ total_files=$(jq '[.runs[0].properties.coverage[].files] | add' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json)
+ supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == "SUPPORTED") | .files] | add' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json)
+
+ # We make sure the values are 0 if no supported/total files are found
+ total_files=${total_files:-0}
+ supported_files=${supported_files:-0}
+
+ coverage_ratio=0
+ if ((total_files > 0)); then
+ coverage_ratio=$((supported_files * 100 / total_files))
+ fi
+
+ # embed stats in results file and convert to SARIF
+ csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:"${coverage_ratio}" \
+ --set-scan-prop snyk-scanned-files-success:"${supported_files}" \
+ --set-scan-prop snyk-scanned-files-total:"${total_files}" \
+ filtered_sast_snyk_check_out.json >sast_snyk_check_out.sarif
 TEST_OUTPUT= parse_test_output "$(context.task.name)" sarif sast_snyk_check_out.sarif || true
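Review bot: The `${total_files:-0}` / `${supported_files:-0}` defaults do not cover the case jq actually produces when there are no coverage entries: `[] | add` prints the literal string `null`, which is non-empty, so `null` is embedded as `snyk-scanned-files-total` and `(( total_files > 0 ))` silently evaluates the shell name `null` as 0 instead of rejecting the value. If `.runs[0].properties.coverage` is missing altogether, `coverage[]` makes jq fail and, unless the script runs under `set -e`, the variables stay empty and the defaults mask the error. Because these values are parsed out of a scanner-produced JSON file and then fed into bash arithmetic, fold the null case inside jq with `// 0` and accept only digit strings before the arithmetic; the rewrite below does that. The enclosing script block starts and ends outside the hunk, and the identical hunk in task/sast-snyk-check/0.3/sast-snyk-check.yaml has the same issue.
```shell
# Generation of scan stats; `// 0` folds a missing or empty coverage list to 0
total_files=$(jq '[(.runs[0].properties.coverage // [])[].files] | add // 0' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json)
supported_files=$(jq '[(.runs[0].properties.coverage // [])[] | select(.type == "SUPPORTED") | .files] | add // 0' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json)

# Only plain non-negative integers may reach the arithmetic below; anything else (empty, null, error text) becomes 0
[[ "${total_files}" =~ ^[0-9]+$ ]] || total_files=0
[[ "${supported_files}" =~ ^[0-9]+$ ]] || supported_files=0

# … unchanged: coverage_ratio computation and the csgrep --set-scan-prop call …
```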
diff --git a/task/sast-snyk-check/0.3/MIGRATION.md b/task/sast-snyk-check/0.3/MIGRATION.md
index aff3fb726e..366637c525 100644
--- a/task/sast-snyk-check/0.3/MIGRATION.md
+++ b/task/sast-snyk-check/0.3/MIGRATION.md
@@ -7,6 +7,7 @@ Version 0.3:
 - There are no default arguments as "--all-projects --exclude=test*,vendor,deps" are ignored by Snyk Code
 - SARIF produced by Snyk Code is not included in the CI log.
 - The `KFP_GIT_URL` parameter has been introduced to indicate the repository to filter false positives. If this variable is left empty, the results won't be filtered. At the same time, we can store all excluded findings in a file using the `RECORD_EXCLUDED` parameter and specify a name of project with the `PROJECT_NAME` to use specific filters.
+- The stats of the snyk scan are embedded into the result's SARIF file
 ## Action from users
diff --git a/task/sast-snyk-check/0.3/sast-snyk-check.yaml b/task/sast-snyk-check/0.3/sast-snyk-check.yaml
index 28e9dbedc8..d26c2e1542 100644
--- a/task/sast-snyk-check/0.3/sast-snyk-check.yaml
+++ b/task/sast-snyk-check/0.3/sast-snyk-check.yaml
@@ -193,7 +193,25 @@ spec:
 (set -x && csgrep --mode=evtstat filtered_sast_snyk_check_out.json)
 fi
- csgrep --mode=sarif filtered_sast_snyk_check_out.json > sast_snyk_check_out.sarif
+ # Generation of scan stats
+
+ total_files=$(jq '[.runs[0].properties.coverage[].files] | add' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json)
+ supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == "SUPPORTED") | .files] | add' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json)
+
+ # We make sure the values are 0 if no supported/total files are found
+ total_files=${total_files:-0}
+ supported_files=${supported_files:-0}
+
+ coverage_ratio=0
+ if (( total_files > 0 )); then
+ coverage_ratio=$((supported_files * 100 / total_files))
+ fi
+
+ # embed stats in results file and convert to SARIF
+ csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:"${coverage_ratio}" \
+ --set-scan-prop snyk-scanned-files-success:"${supported_files}" \
+ --set-scan-prop snyk-scanned-files-total:"${total_files}" \
+ filtered_sast_snyk_check_out.json > sast_snyk_check_out.sarif
 TEST_OUTPUT= parse_test_output "$(context.task.name)" sarif sast_snyk_check_out.sarif || true