
Sre 2505 trivy #61

Merged
merged 17 commits into from
Oct 30, 2024
Conversation

grom72
Owner

@grom72 grom72 commented Oct 30, 2024

Before requesting gatekeeper:

  • Two review approvals and any prior change requests have been resolved.
  • Testing is complete and all tests passed or there is a reason documented in the PR why it should be force landed and forced-landing tag is set.
  • Features: (or Test-tag*) commit pragma was used or there is a reason documented that there are no appropriate tags for this PR.
  • Commit messages follow the guidelines outlined here.
  • Any tests skipped by the ticket being addressed have been run and passed in the PR.

Gatekeeper:

  • You are the appropriate gatekeeper to be landing the patch.
  • The PR has 2 reviews by people familiar with the code, including appropriate owners.
  • Githooks were used. If not, request that user install them and check copyright dates.
  • Checkpatch issues are resolved. Pay particular attention to ones that will show up on future PRs.
  • All builds have passed. Check non-required builds for any new compiler warnings.
  • Sufficient testing is done. Check feature pragmas and test tags and that tests skipped for the ticket are run and now pass with the changes.
  • If applicable, the PR has addressed any potential version compatibility issues.
  • Check the target branch. If it is master branch, should the PR go to a feature branch? If it is a release branch, does it have merge approval in the JIRA ticket?
  • Extra checks if forced landing is requested
    • Review comments are sufficiently resolved, particularly by prior reviewers that requested changes.
    • No new NLT or valgrind warnings. Check the classic view.
    • Quick-build or Quick-functional is not used.
  • Fix the commit message upon landing. Check the standard here. Edit it to create a single commit. If necessary, ask submitter for a new summary.

grom72 and others added 17 commits September 26, 2024 14:17
Do not start Trivy scan if changes not related to dependencies.
Run Trivy on a daily basis.
Add badge to follow cycle Trivy scans
Enable scans on request

Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
Doc-only: true
Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
Doc-only: true

Required-githooks: true
Signed-off-by: Tomasz Gromadzki <[email protected]>
https://aquasecurity.github.io/trivy/v0.56/docs/coverage/language/#supported-languages
provides the full list of scanned files in the 'filesystem' scan.

Keep the same condition for PR and merge trigger.

Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
)

In the reintegrate case, we have hit a case where the IC_CONT_CAPA cache is valid locally
but the container open handle is invalid (not in dt_cont_hdl_hash). For this case,
invalidate the local IV cache first and retry, to avoid an in-flight UPDATE's
failure because obj_ioc_init() -> ds_cont_find_hdl() ->
cont_iv_hdl_fetch() fails -
DBUG src/engine/server_iv.c:409 ivc_on_fetch() FETCH: Key [1:7] entry 0x7fb31063b550 valid yes
DBUG src/engine/server_iv.c:1042 iv_op_internal() class_id 7 opc 1 rc 0
ERR  src/object/srv_obj.c:2174 obj_ioc_begin_lite()
Failed to initialize object I/O context.: DER_NO_HDL(-1002): 'Invalid handle'

Signed-off-by: Xuezhao Liu <[email protected]>
- Use GHA cache to avoid Trivy scan failure
Trivy CVE database downloads fail often.
The most promising solution is to use a cache and download the
database once a day.
CVEs database is cached during daily build (`schedule`).
Cache is not used if `master` branch cache is not available.
https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch

- Avoid Trivy scanners re-initialization
https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#skipping-setup-when-calling-trivy-action-multiple-times
The latest available version of `aquasecurity/trivy-action`
is used to be able to use `skip-setup-trivy` parameter.

Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
Doc-only: true
Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
- Use GHA cache to avoid Trivy scan failure
Trivy CVE database downloads fail often.
The most promising solution is to use a cache and download the
database once a day.
CVEs database is cached during daily build (`schedule`).
Cache is not used if `master` branch cache is not available.
https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#updating-caches-in-the-default-branch

- Avoid Trivy scanners re-initialization
https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#skipping-setup-when-calling-trivy-action-multiple-times
The latest available version of `aquasecurity/trivy-action`
is used to be able to use `skip-setup-trivy` parameter.

Doc-only: true

Required-githooks: true
Signed-off-by: Tomasz Gromadzki <[email protected]>
Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
Use an external caching mechanism to ensure the PR scan does not fail.

Signed-off-by: Tomasz Gromadzki <[email protected]>

Signed-off-by: Tomasz Gromadzki <[email protected]>
Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
@grom72 grom72 merged commit e1ffb5d into master Oct 30, 2024
8 of 19 checks passed