Print CVEs when override snapshot is generated #3220

Open
wants to merge 1 commit into
base: main
5 changes: 4 additions & 1 deletion Makefile
Expand Up @@ -410,4 +410,7 @@ install-tool-cosign:
install-tool-opm:
GOFLAGS='' go install github.com/operator-framework/operator-registry/cmd/[email protected]

install-tools: install-tool-sobranch install-tool-skopeo install-tool-generate install-tool-sorhel install-tool-cosign install-tool-opm
install-tool-oras:
GOFLAGS='' go install oras.land/oras/cmd/[email protected]

install-tools: install-tool-sobranch install-tool-skopeo install-tool-generate install-tool-sorhel install-tool-cosign install-tool-opm install-tool-oras
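Review bot: the new `install-tool-oras` target follows the existing pattern (`GOFLAGS=''` plus a pinned version, appended to `install-tools`), but the generate script in this PR now hard-depends on `oras` at runtime; consider adding a fail-fast check at the top of `hack/generate/override-snapshot.sh` (for example `command -v oras >/dev/null || { echo "oras not installed, run make install-tool-oras"; exit 1; }`) so a missing tool produces a clear error instead of an empty CVE listing mid-loop.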
44 changes: 44 additions & 0 deletions hack/generate/override-snapshot.sh
Expand Up @@ -120,6 +120,50 @@
done <<< "$(yq read "${rootdir}/olm-catalog/serverless-operator/project.yaml" 'requirements.ocpVersion.list[*]')"
}

function print_cves_for_image {
# based on https://github.com/enterprise-contract/ec-cli/blob/main/hack/view-clair-reports.sh
# migrated to parse mostly with JQ and thus being more flexible with the YQ version

IMAGE="${1}"
REPO="$(echo "$IMAGE" | cut -d '@' -f 1)"

CLAIR_REPORT_SHAS=$(
cosign download attestation $IMAGE | jq -r '.payload|@base64d|fromjson|.predicate.buildConfig.tasks[]|select(.name=="clair-scan").results[]|select(.name=="REPORTS").value|fromjson|.[]'

[shellcheck] reported by reviewdog 🐶 Double quote to prevent globbing and word splitting. Raw Output: ./hack/generate/override-snapshot.sh:131:33: info: Double quote to prevent globbing and word splitting. (ShellCheck.SC2086)
)

# For multi-arch the same report maybe associated with each of the per-arch
# images. Use sort uniq to avoid displaying it multiple times, but still
# support the possibility of different reports
ALL_BLOBS=""

for sha in $CLAIR_REPORT_SHAS; do
blob=$(skopeo inspect --raw docker://$REPO@$sha | jq -r '.layers[].digest')

[shellcheck] reported by reviewdog 🐶 Double quote to prevent globbing and word splitting. Raw Output: ./hack/generate/override-snapshot.sh:140:42: info: Double quote to prevent globbing and word splitting. (ShellCheck.SC2086)
[shellcheck] reported by reviewdog 🐶 Double quote to prevent globbing and word splitting. Raw Output: ./hack/generate/override-snapshot.sh:140:48: info: Double quote to prevent globbing and word splitting. (ShellCheck.SC2086)
ALL_BLOBS=$( (echo $ALL_BLOBS; echo $blob) | sort | uniq )

[shellcheck] reported by reviewdog 🐶 Double quote to prevent globbing and word splitting. Raw Output: ./hack/generate/override-snapshot.sh:141:24: info: Double quote to prevent globbing and word splitting. (ShellCheck.SC2086)
[shellcheck] reported by reviewdog 🐶 Double quote to prevent globbing and word splitting. Raw Output: ./hack/generate/override-snapshot.sh:141:41: info: Double quote to prevent globbing and word splitting. (ShellCheck.SC2086)
done

for b in $ALL_BLOBS; do
output=$(oras blob fetch "$REPO@$b" --output - | jq '.vulnerabilities[] | select((.normalized_severity=="High") or (.normalized_severity=="Critical")) | pick(.name, .description, .issued, .normalized_severity, .package_name, .fixed_in_version)' | jq -s .)
cve_counter=$(echo "$output" | jq ". | length")

if [ "$cve_counter" -gt "0" ]; then
echo "Found $cve_counter CVEs of High/Critical in $REPO@$b:"
echo "$output" | yq r -P -
echo
fi
done
}

function print_cves {
snapshot_dir="${1}"

echo "CVEs in override-snapshot images:"

for img in $(yq read "$snapshot_dir"/override-snapshot.yaml "spec.components[*].containerImage"); do
print_cves_for_image "$img"
done
}

target_dir="${1:?Provide a target directory for the override snapshots as arg[1]}"
create_component_snapshot "${target_dir}"
create_fbc_snapshots "${target_dir}"
print_cves "${target_dir}"
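Review bot: in `print_cves_for_image`, `cosign download attestation $IMAGE` fetches the attestation without verifying its signature, so the High/Critical list printed comes from whatever attestation happens to be attached to the image; if this output is meant to be relied on (rather than purely informational), use `cosign verify-attestation` with the expected signer identity, or at least say in the header echo that the report is unverified. Three smaller points in the same hunk: the SC2086 findings shellcheck reports apply to `$IMAGE`, `docker://$REPO@$sha` and `echo $ALL_BLOBS; echo $blob`, so quote them (or use `printf '%s\n' "$ALL_BLOBS" "$blob"` before `sort | uniq`); because every step runs inside `$(...)`, a failing `cosign`, `skopeo` or `oras` call yields an empty result and the image silently prints nothing, which reads as "no High/Critical CVEs", so consider checking for an empty `$CLAIR_REPORT_SHAS` and printing an explicit "no clair report found for $IMAGE" line; and `jq`'s `pick(...)` requires jq 1.7 or newer, which is worth stating in the tool requirements since the comment only mentions the yq version.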