5 changes: 4 additions & 1 deletion Makefile
Expand Up @@ -410,4 +410,7 @@ install-tool-cosign:
install-tool-opm:
GOFLAGS='' go install github.com/operator-framework/operator-registry/cmd/[email protected]

install-tools: install-tool-sobranch install-tool-skopeo install-tool-generate install-tool-sorhel install-tool-cosign install-tool-opm
install-tool-oras:
GOFLAGS='' go install oras.land/oras/cmd/[email protected]

install-tools: install-tool-sobranch install-tool-skopeo install-tool-generate install-tool-sorhel install-tool-cosign install-tool-opm install-tool-oras
79 changes: 79 additions & 0 deletions hack/generate/override-snapshot.sh
Expand Up @@ -90,6 +90,40 @@
rm -rf "${tmp_catalog_dir}"
}

function verify_component_snapshot {
local snapshot_file repo revision component repo_revision failed
snapshot_file="${1}/override-snapshot.yaml"
declare -A repo_revision=()

while IFS= read -r json; do
repo="$(echo "$json" | jq -r .source.git.url)"
repo=${repo%".git"} # remove optional .git suffix from repo name
revision="$(echo "$json" | jq -r .source.git.revision)"
component="$(echo "$json" | jq -r .name)"

if [[ ! -v repo_revision[$repo] ]]; then
# no revision for repo so far --> add it to map
repo_revision[$repo]=$revision
else
if [[ "${repo_revision[$repo]}" != "$revision" ]]; then
# revisions don't match
if [[ $component =~ "serverless-bundle" ]]; then
#ignore serverless bundle
continue
fi

echo "Revision for ${component} didn't match. Expected revision ${repo_revision[$repo]} for repo ${repo}, but got ${revision}"
failed="true"
fi
fi

done <<< "$(yq read --tojson "${snapshot_file}" "spec.components[*]")"

if [[ "$failed" == "true" ]]; then
exit 1
fi
}

function create_fbc_snapshots {
local rootdir snapshot_dir so_version
rootdir="$(dirname "$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")")"
Expand Down Expand Up @@ -120,6 +154,51 @@
done <<< "$(yq read "${rootdir}/olm-catalog/serverless-operator/project.yaml" 'requirements.ocpVersion.list[*]')"
}

function print_cves_for_image {
# based on https://github.com/enterprise-contract/ec-cli/blob/main/hack/view-clair-reports.sh
# migrated to parse mostly with JQ and thus being more flexible with the YQ version

IMAGE="${1}"
REPO="$(echo "$IMAGE" | cut -d '@' -f 1)"

CLAIR_REPORT_SHAS=$(
cosign download attestation $IMAGE | jq -r '.payload|@base64d|fromjson|.predicate.buildConfig.tasks[]|select(.name=="clair-scan").results[]|select(.name=="REPORTS").value|fromjson|.[]'

)

# For multi-arch the same report maybe associated with each of the per-arch
# images. Use sort uniq to avoid displaying it multiple times, but still
# support the possibility of different reports
ALL_BLOBS=""

for sha in $CLAIR_REPORT_SHAS; do
blob=$(skopeo inspect --raw docker://$REPO@$sha | jq -r '.layers[].digest')

ALL_BLOBS=$( (echo $ALL_BLOBS; echo $blob) | sort | uniq )

done

for b in $ALL_BLOBS; do
output=$(oras blob fetch "$REPO@$b" --output - | jq '.vulnerabilities[] | select((.normalized_severity=="High") or (.normalized_severity=="Critical")) | pick(.name, .description, .issued, .normalized_severity, .package_name, .fixed_in_version)' | jq -s .)
cve_counter=$(echo "$output" | jq ". | length")

if [ "$cve_counter" -gt "0" ]; then
echo "Found $cve_counter CVEs of High/Critical in $REPO@$b:"
echo "$output" | yq r -P -
echo
fi
done
}

function print_cves {
snapshot_dir="${1}"

echo "CVEs in override-snapshot images:"

for img in $(yq read "$snapshot_dir"/override-snapshot.yaml "spec.components[*].containerImage"); do
print_cves_for_image "$img"
done
}

target_dir="${1:?Provide a target directory for the override snapshots as arg[1]}"
create_component_snapshot "${target_dir}"
verify_component_snapshot "${target_dir}"
create_fbc_snapshots "${target_dir}"
print_cves "${target_dir}"
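Review bot: In print_cves_for_image the Clair report digests are taken from `cosign download attestation $IMAGE`, which only pulls whatever attestation is attached to the image in the registry and does not check its signature, so the printed CVE summary trusts an unverified document and any blob digest it names. If this report is meant to inform a release decision, running `cosign verify-attestation` against the project's trust root (key or certificate identity) and reading the payload from its output would tie the report to its signer; the digests it yields are then also what `skopeo inspect --raw docker://$REPO@$sha` fetches, and both that expansion and `$IMAGE` should be double-quoted as the lint already points out. The function also assigns `IMAGE`, `REPO`, `CLAIR_REPORT_SHAS` and `ALL_BLOBS` (and print_cves assigns `snapshot_dir`) without `local`, so they leak into the caller's scope, unlike the `local` discipline used in verify_component_snapshot. In verify_component_snapshot, `local ... failed` leaves `failed` unset on the all-match path, so `[[ "$failed" == "true" ]]` aborts with "unbound variable" if the script runs under `set -u` (the header is outside the hunk); initialising it with `failed=false` avoids that.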