Skip to content

Commit

Permalink
Add e2e tests to verify vulnerability scanning
Browse files Browse the repository at this point in the history
  • Loading branch information
karanibm6 committed Feb 18, 2024
1 parent 9253c1f commit c2d59a2
Show file tree
Hide file tree
Showing 8 changed files with 402 additions and 4 deletions.
85 changes: 85 additions & 0 deletions test/e2e/v1alpha1/common_cbs_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
// Copyright The Shipwright Contributors
//
// SPDX-License-Identifier: Apache-2.0

package e2e_test

import (
"context"

. "github.com/onsi/gomega"

meta "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/wait"

buildv1alpha1 "github.com/shipwright-io/build/pkg/apis/build/v1alpha1"
)

type clusterBuildStrategyPrototype struct {
clusterBuildStrategy buildv1alpha1.ClusterBuildStrategy
}

func NewClusterBuildStrategyPrototype() *clusterBuildStrategyPrototype {
return &clusterBuildStrategyPrototype{
clusterBuildStrategy: buildv1alpha1.ClusterBuildStrategy{},
}
}

func (c *clusterBuildStrategyPrototype) Name(name string) *clusterBuildStrategyPrototype {
c.clusterBuildStrategy.ObjectMeta.Name = name
return c
}

func (c *clusterBuildStrategyPrototype) BuildStep(buildStep buildv1alpha1.BuildStep) *clusterBuildStrategyPrototype {
c.clusterBuildStrategy.Spec.BuildSteps = append(c.clusterBuildStrategy.Spec.BuildSteps, buildStep)
return c
}

func (c *clusterBuildStrategyPrototype) Parameter(parameter buildv1alpha1.Parameter) *clusterBuildStrategyPrototype {
c.clusterBuildStrategy.Spec.Parameters = append(c.clusterBuildStrategy.Spec.Parameters, parameter)
return c
}

func (c *clusterBuildStrategyPrototype) Volume(volume buildv1alpha1.BuildStrategyVolume) *clusterBuildStrategyPrototype {
c.clusterBuildStrategy.Spec.Volumes = append(c.clusterBuildStrategy.Spec.Volumes, volume)
return c
}

func (c *clusterBuildStrategyPrototype) Create() (cbs *buildv1alpha1.ClusterBuildStrategy, err error) {
ctx := context.Background()

_, err = testBuild.
BuildClientSet.
ShipwrightV1alpha1().
ClusterBuildStrategies().
Create(ctx, &c.clusterBuildStrategy, meta.CreateOptions{})

if err != nil {
return nil, err
}

err = wait.PollImmediate(pollCreateInterval, pollCreateTimeout, func() (done bool, err error) {
cbs, err = testBuild.BuildClientSet.ShipwrightV1alpha1().ClusterBuildStrategies().Get(ctx, c.clusterBuildStrategy.Name, meta.GetOptions{})
if err != nil {
return false, err
}

return true, nil
})

return
}

func (c *clusterBuildStrategyPrototype) TestMe(f func(clusterBuildStrategy *buildv1alpha1.ClusterBuildStrategy)) {
cbs, err := c.Create()
Expect(err).ToNot(HaveOccurred())

f(cbs)

Expect(testBuild.
BuildClientSet.
ShipwrightV1alpha1().
ClusterBuildStrategies().
Delete(context.Background(), cbs.Name, meta.DeleteOptions{}),
).To(Succeed())
}
5 changes: 5 additions & 0 deletions test/e2e/v1alpha1/common_suite_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,11 @@ func (b *buildPrototype) OutputImage(image string) *buildPrototype {
return b
}

func (b *buildPrototype) OutputVulnerabilitySettings(settings buildv1alpha1.VulnerabilityScanOptions) *buildPrototype {
b.build.Spec.Output.VulnerabilityScan = &settings
return b
}

func (b *buildPrototype) determineParameterIndex(name string) int {
index := -1
for i, paramValue := range b.build.Spec.ParamValues {
Expand Down
107 changes: 107 additions & 0 deletions test/e2e/v1alpha1/e2e_vulnerability_scanning_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
// Copyright The Shipwright Contributors
//
// SPDX-License-Identifier: Apache-2.0

package e2e_test

import (
"fmt"
"os"
"strings"

. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"

corev1 "k8s.io/api/core/v1"
"k8s.io/utils/pointer"

buildv1alpha1 "github.com/shipwright-io/build/pkg/apis/build/v1alpha1"
)

var _ = Describe("Vulnerability Scanning", func() {
var testID string
var err error
var buildRun *buildv1alpha1.BuildRun
var cbs *clusterBuildStrategyPrototype
var insecure bool

AfterEach(func() {
testBuild.DeleteBR(buildRun.Name)
})

Context("Scanning for vulnerabilities in container images", func() {
var outputImage string
BeforeEach(func() {
testID = generateTestID("vuln")
outputImage = fmt.Sprintf("%s/%s:%s",
os.Getenv(EnvVarImageRepo),
testID,
"latest",
)

// Assume we use secure registry unless it is a cluster
// internal registry used as part of the test setup
insecure = strings.Contains(outputImage, "cluster.local")
cbs = NewClusterBuildStrategyPrototype().
Name("crane-pull-" + testID).
BuildStep(buildv1alpha1.BuildStep{
Container: corev1.Container{
Name: "crane-pull",
Image: "gcr.io/go-containerregistry/crane:latest",
WorkingDir: "$(params.shp-source-root)",
SecurityContext: &corev1.SecurityContext{
RunAsUser: pointer.Int64(1000),
RunAsGroup: pointer.Int64(1000),
},
Env: []corev1.EnvVar{
{Name: "DOCKER_CONFIG", Value: "/tekton/home/.docker"},
{Name: "HOME", Value: "/tekton/home"},
},
Command: []string{"crane"},
Args: []string{
"pull",
"--format=tarball",
"python:3.4-alpine",
"$(params.shp-output-directory)/image.tar",
},
},
})
})

It("should find vulnerabilities in an image", func() {
cbs.TestMe(func(cbs *buildv1alpha1.ClusterBuildStrategy) {
buildRun, err = NewBuildRunPrototype().
Namespace(testBuild.Namespace).
Name(testID).
WithBuildSpec(NewBuildPrototype().
ClusterBuildStrategy(cbs.Name).
Namespace(testBuild.Namespace).
Name(testID).
OutputImage(outputImage).
OutputImageCredentials(os.Getenv(EnvVarImageRepoSecret)).
OutputImageInsecure(insecure).
OutputVulnerabilitySettings(buildv1alpha1.VulnerabilityScanOptions{
Enabled: true,
FailOnFinding: true,
IgnoreOptions: &buildv1alpha1.VulnerabilityIgnoreOptions{
Issues: []string{"CVE-2018-20843", "CVE-2019-15903"},
Severity: "high",
Unfixed: true,
},
}).
BuildSpec()).
Create()
Expect(err).ToNot(HaveOccurred())
validateBuildRunToFail(testBuild, buildRun)
buildRun, err = testBuild.GetBR(buildRun.Name)
Expect(err).To(BeNil())
Expect(buildRun).ToNot(BeNil())
Expect(buildRun.Status).ToNot(BeNil())
Expect(buildRun.Status.Output).ToNot(BeNil())
Expect(buildRun.Status.Output.Vulnerabilities).ToNot(BeNil())
Expect(len(buildRun.Status.Output.Vulnerabilities)).ToNot(BeZero())

})
})
})
})
7 changes: 5 additions & 2 deletions test/e2e/v1alpha1/validators_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -214,10 +214,13 @@ func validateBuildRunResultsFromBundleSource(testBuildRun *buildv1alpha1.BuildRu
func validateBuildRunToFail(testBuild *utils.TestBuild, testBuildRun *buildv1alpha1.BuildRun) {
trueCondition := corev1.ConditionTrue
falseCondition := corev1.ConditionFalse
var err error

// Ensure the BuildRun has been created
err := testBuild.CreateBR(testBuildRun)
Expect(err).ToNot(HaveOccurred(), "Failed to create BuildRun")
if _, err := testBuild.GetBR(testBuildRun.Name); err != nil {
Expect(testBuild.CreateBR(testBuildRun)).
ToNot(HaveOccurred(), "Failed to create BuildRun")
}

// Ensure a BuildRun eventually moves to a succeeded FALSE status
nextStatusLog := time.Now().Add(60 * time.Second)
Expand Down
85 changes: 85 additions & 0 deletions test/e2e/v1beta1/common_cbs_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
// Copyright The Shipwright Contributors
//
// SPDX-License-Identifier: Apache-2.0

package e2e_test

import (
"context"

. "github.com/onsi/gomega"

meta "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/wait"

buildv1beta1 "github.com/shipwright-io/build/pkg/apis/build/v1beta1"
)

type clusterBuildStrategyPrototype struct {
clusterBuildStrategy buildv1beta1.ClusterBuildStrategy
}

func NewClusterBuildStrategyPrototype() *clusterBuildStrategyPrototype {
return &clusterBuildStrategyPrototype{
clusterBuildStrategy: buildv1beta1.ClusterBuildStrategy{},
}
}

func (c *clusterBuildStrategyPrototype) Name(name string) *clusterBuildStrategyPrototype {
c.clusterBuildStrategy.ObjectMeta.Name = name
return c
}

func (c *clusterBuildStrategyPrototype) BuildStep(buildStep buildv1beta1.Step) *clusterBuildStrategyPrototype {
c.clusterBuildStrategy.Spec.Steps = append(c.clusterBuildStrategy.Spec.Steps, buildStep)
return c
}

func (c *clusterBuildStrategyPrototype) Parameter(parameter buildv1beta1.Parameter) *clusterBuildStrategyPrototype {
c.clusterBuildStrategy.Spec.Parameters = append(c.clusterBuildStrategy.Spec.Parameters, parameter)
return c
}

func (c *clusterBuildStrategyPrototype) Volume(volume buildv1beta1.BuildStrategyVolume) *clusterBuildStrategyPrototype {
c.clusterBuildStrategy.Spec.Volumes = append(c.clusterBuildStrategy.Spec.Volumes, volume)
return c
}

func (c *clusterBuildStrategyPrototype) Create() (cbs *buildv1beta1.ClusterBuildStrategy, err error) {
ctx := context.Background()

_, err = testBuild.
BuildClientSet.
ShipwrightV1beta1().
ClusterBuildStrategies().
Create(ctx, &c.clusterBuildStrategy, meta.CreateOptions{})

if err != nil {
return nil, err
}

err = wait.PollImmediate(pollCreateInterval, pollCreateTimeout, func() (done bool, err error) {
cbs, err = testBuild.BuildClientSet.ShipwrightV1beta1().ClusterBuildStrategies().Get(ctx, c.clusterBuildStrategy.Name, meta.GetOptions{})
if err != nil {
return false, err
}

return true, nil
})

return
}

func (c *clusterBuildStrategyPrototype) TestMe(f func(clusterBuildStrategy *buildv1beta1.ClusterBuildStrategy)) {
cbs, err := c.Create()
Expect(err).ToNot(HaveOccurred())

f(cbs)

Expect(testBuild.
BuildClientSet.
ShipwrightV1beta1().
ClusterBuildStrategies().
Delete(context.Background(), cbs.Name, meta.DeleteOptions{}),
).To(Succeed())
}
5 changes: 5 additions & 0 deletions test/e2e/v1beta1/common_suite_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,11 @@ func (b *buildPrototype) OutputImage(image string) *buildPrototype {
return b
}

func (b *buildPrototype) OutputVulnerabilitySettings(settings buildv1beta1.VulnerabilityScanOptions) *buildPrototype {
b.build.Spec.Output.VulnerabilityScan = &settings
return b
}

func (b *buildPrototype) determineParameterIndex(name string) int {
index := -1
for i, paramValue := range b.build.Spec.ParamValues {
Expand Down
Loading

0 comments on commit c2d59a2

Please sign in to comment.