diff --git a/.github/actions/install-tkn/action.yaml b/.github/actions/install-tkn/action.yaml
new file mode 100644
index 0000000000..89913628a9
--- /dev/null
+++ b/.github/actions/install-tkn/action.yaml
@@ -0,0 +1,12 @@
+# yamllint disable-file
+---
+name: Install tkn
+runs:
+ using: "composite"
+ steps:
+ - run: |
+ curl -LO "https://github.com/tektoncd/cli/releases/download/v${TKN_CLI_VERSION}/tektoncd-cli-${TKN_CLI_VERSION}_Linux-64bit.deb"
+ sudo dpkg -i ./tektoncd-cli-${TKN_CLI_VERSION}_Linux-64bit.deb
+ shell: bash
+ env:
+ TKN_CLI_VERSION: 0.38.1
diff --git a/.github/resources/workspace-template.yaml b/.github/resources/workspace-template.yaml
new file mode 100644
index 0000000000..2634076cd4
--- /dev/null
+++ b/.github/resources/workspace-template.yaml
@@ -0,0 +1,7 @@
+---
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Mi
diff --git a/.github/scripts/test_tekton_tasks.sh b/.github/scripts/test_tekton_tasks.sh
new file mode 100755
index 0000000000..da0f08e5e4
--- /dev/null
+++ b/.github/scripts/test_tekton_tasks.sh
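Review bot: The .deb fetched by `curl -LO` is handed straight to `sudo dpkg -i`, so the runner installs whatever the download returned as root with no integrity check. Pin the expected digest next to the version and verify it before installing: add `TKN_CLI_SHA256: <sha256 of the v0.38.1 Linux-64bit .deb — placeholder, take it from the release's checksum file>` under `env:` and insert `echo "${TKN_CLI_SHA256}  tektoncd-cli-${TKN_CLI_VERSION}_Linux-64bit.deb" | sha256sum -c -` between the curl and dpkg lines. Adding `-f` to the curl invocation (`curl -fLO …`) also stops an HTTP error page from being saved under the .deb name and passed to dpkg.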
@@ -0,0 +1,187 @@ +#!/bin/bash + +set -e +# This script will run task tests for all task directories +# provided either via TEST_ITEMS env var, or as arguments +# when running the script. +# +# Requirements: +# - Connection to a running k8s cluster (e.g. kind) +# - upstream konflux-ci installed on the cluster ( Follow steps from: https://github.com/konflux-ci/konflux-ci?tab=readme-ov-file#bootstrapping-the-cluster) +# - tkn installed +# +# Examples of usage: +# export TEST_ITEMS="task/git-clone/0.1 some/other/dir" +# ./test_tekton_tasks.sh +# +# or +# +# ./test_tekton_tasks.sh task/git-clone/0.1 some/other/dir + +# Define a custom kubectl path if you like +KUBECTL_CMD=${KUBECTL_CMD:-kubectl} + +# yield empty strings for unmatched patterns +shopt -s nullglob + +WORKSPACE_TEMPLATE=${BASH_SOURCE%/*/*}/resources/workspace-template.yaml + +if [[ -z $@ || ${1} == "-h" ]]; then + cat < /dev/null 2>&1; do + echo "DEBUG: Pipeline $TEST_NAME not ready. Waiting 5s..." + sleep 5 + done + + PIPELINERUN=$(tkn p start $TEST_NAME -n ${TEST_NS} -w name=tests-workspace,volumeClaimTemplateFile=$WORKSPACE_TEMPLATE -o json | jq -r '.metadata.name') + echo "INFO: Started pipelinerun: $PIPELINERUN" + sleep 1 # allow a second for the prun object to appear (including a status condition) + while [ "$(${KUBECTL_CMD} get pr $PIPELINERUN -n ${TEST_NS} -o=jsonpath='{.status.conditions[0].status}')" == "Unknown" ]; do + echo "DEBUG: PipelineRun $PIPELINERUN is in progress (status Unknown). Waiting for update..." + sleep 5 + done + tkn pr logs $PIPELINERUN -n ${TEST_NS} + + PR_STATUS=$(${KUBECTL_CMD} get pr $PIPELINERUN -n ${TEST_NS} -o=jsonpath='{.status.conditions[0].status}') + + ASSERT_TASK_FAILURE=$(yq '.metadata.annotations.test/assert-task-failure' < $TEST_PATH) + if [ "$ASSERT_TASK_FAILURE" != "null" ]; then + if [ "$PR_STATUS" == "True" ]; then + echo "INFO: Pipeline $TEST_NAME is succeeded but was expected to fail" + exit 1 + else + echo "DEBUG: Pipeline $TEST_NAME failed (expected). 
Checking that it failed in task ${ASSERT_TASK_FAILURE}..." + + # Check that the pipelinerun failed on the tested task and not somewhere else + TASKRUN=$(${KUBECTL_CMD} get pr $PIPELINERUN -n ${TEST_NS} -o json|jq -r ".status.childReferences[] | select(.pipelineTaskName == \"${ASSERT_TASK_FAILURE}\") | .name") + if [ -z "$TASKRUN" ]; then + echo "ERROR: Unable to find task $ASSERT_TASK_FAILURE in childReferences of pipelinerun $PIPELINERUN. Pipelinerun failed earlier?" + exit 1 + else + echo "DEBUG: Found taskrun $TASKRUN" + fi + if [ $(${KUBECTL_CMD} get tr $TASKRUN -n ${TEST_NS} -o=jsonpath='{.status.conditions[0].status}') != "False" ]; then + echo "ERROR: Taskrun did not fail - pipelinerun failed later on?" + exit 1 + else + echo "INFO: Taskrun failed as expected" + fi + + fi + else + if [ "$PR_STATUS" == "True" ]; then + echo "INFO: Pipelinerun $TEST_NAME succeeded" + else + echo "ERROR: Pipelinerun $TEST_NAME failed" + exit 1 + fi + fi + + echo "========== Completed: $TEST_PATH ==========" + done + +done \ No newline at end of file diff --git a/.github/workflows/check-buildah-remote.yaml b/.github/workflows/check-buildah-remote.yaml index 8b1b767dab..a8206cb5fd 100644 --- a/.github/workflows/check-buildah-remote.yaml +++ b/.github/workflows/check-buildah-remote.yaml @@ -7,9 +7,9 @@ jobs: name: Check Buildah Remote runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install Go - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5 with: go-version-file: './task-generator/remote/go.mod' - name: Check buildah remote diff --git a/.github/workflows/go-ci.yaml b/.github/workflows/go-ci.yaml index ee6265d915..cab004a2b1 100644 --- a/.github/workflows/go-ci.yaml +++ b/.github/workflows/go-ci.yaml 
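Review bot: `if [ $(${KUBECTL_CMD} get tr $TASKRUN -n ${TEST_NS} -o=jsonpath='{.status.conditions[0].status}') != "False" ]` leaves the substitution unquoted, so an empty result (condition not yet reported, or kubectl failing) turns into `[ != "False" ]`, a test-syntax error, instead of the intended mismatch; quote it as `if [ "$(${KUBECTL_CMD} get tr "$TASKRUN" -n "${TEST_NS}" -o=jsonpath='{.status.conditions[0].status}')" != "False" ]; then`, and likewise quote the `$PIPELINERUN`, `$TEST_NAME` and `$TEST_PATH` expansions used as command arguments throughout the hunk. The `childReferences` lookup splices the annotation value into the jq program text; passing it as data, `jq -r --arg task "${ASSERT_TASK_FAILURE}" '.status.childReferences[] | select(.pipelineTaskName == $task) | .name'`, keeps a quote or bracket in a test file's annotation from breaking the filter. The `while` loops polling for the pipeline and for the pipelinerun leaving `Unknown` have no upper bound, so a run that never settles hangs until the job timeout; a bounded retry count with an explicit error would make that failure visible. A middle portion of this hunk is not visible in this view, so the loop the `ASSERT_TASK_FAILURE` check sits in was reviewed only from the lines shown.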
@@ -18,7 +18,7 @@ jobs:
 go-version-file: './${{matrix.path}}/go.mod'
 cache-dependency-path: ./${{matrix.path}}/go.sum
 - name: golangci-lint
- uses: golangci/golangci-lint-action@eab1d2f3d76f26c09e2ab8c957fe5bb64bf46b89
+ uses: golangci/golangci-lint-action@9e66d46e22c9991dbf33ddab82b6b28b69052dec
 with:
 working-directory: ${{matrix.path}}
 args: "--timeout=10m --build-tags='normal periodic'"
@@ -84,7 +84,7 @@ jobs:
 # we let the report trigger content trigger a failure using the GitHub Security features.
 args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...'
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@3d3d628990a5f99229dd9fa1821cc5a4f31b613b
+ uses: github/codeql-action/upload-sarif@978ed829bdde7389737ac17d6b144aeed5f9bdad
 with:
 # Path to SARIF file relative to the root of the repository
 sarif_file: results.sarif
diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml
new file mode 100644
index 0000000000..f7937dfaeb
--- /dev/null
+++ b/.github/workflows/run-task-tests.yaml
@@ -0,0 +1,92 @@ +name: Run Task Tests + +"on": + pull_request: + types: + - opened + - synchronize + - reopened + +jobs: + run-task-tests: + runs-on: ubuntu-22.04 + # Skipping it temporarily till we fix this workflow + if: false + steps: + - name: Get all changed files in the PR from task directory + id: changed-dirs + uses: tj-actions/changed-files@v45 + with: + files: | + task/** + dir_names: "true" + dir_names_max_depth: "3" + + - name: Checkout build-defintions Repository + if: steps.changed-dirs.outputs.any_changed == 'true' + uses: actions/checkout@v3 + with: + ref: "${{ github.event.pull_request.head.sha }}" + path: build-definitions + + - name: Install tkn + if: steps.changed-dirs.outputs.any_changed == 'true' + uses: ./build-definitions/.github/actions/install-tkn + + - name: Checkout konflux-ci/konflux-ci Repository + if: steps.changed-dirs.outputs.any_changed == 'true' + uses: actions/checkout@v3 + with: + repository: 'konflux-ci/konflux-ci' + path: konflux-ci + ref: c4630e684e81f71bfd920fff0c9bb2956d3265f4 + + - name: Create k8s Kind Cluster + if: steps.changed-dirs.outputs.any_changed == 'true' + uses: helm/kind-action@v1 + with: + config: konflux-ci/kind-config.yaml + + - name: Show version information + if: steps.changed-dirs.outputs.any_changed == 'true' + run: | + kubectl version + kind version + + - name: Deploying Dependencies + if: steps.changed-dirs.outputs.any_changed == 'true' + run: | + cd $GITHUB_WORKSPACE/konflux-ci + ./deploy-deps.sh + + - name: Wait for the dependencies to be ready + if: steps.changed-dirs.outputs.any_changed == 'true' + run: | + cd $GITHUB_WORKSPACE/konflux-ci + ./wait-for-all.sh + + - name: Deploying Konflux + if: steps.changed-dirs.outputs.any_changed == 'true' + run: | + cd $GITHUB_WORKSPACE/konflux-ci + ./deploy-konflux.sh + + - name: List namespaces + if: steps.changed-dirs.outputs.any_changed == 'true' + run: | + kubectl get namespace + + - name: Deploy test resources + if: steps.changed-dirs.outputs.any_changed 
== 'true' + run: | + cd $GITHUB_WORKSPACE/konflux-ci + ./deploy-test-resources.sh + + - name: Run the task tests + if: steps.changed-dirs.outputs.any_changed == 'true' + env: + CHANGED_DIRS: ${{ steps.changed-dirs.outputs.all_changed_files }} + run: | + echo "Task Dirs changed in PR: ${CHANGED_DIRS}" + cd $GITHUB_WORKSPACE/build-definitions + ./.github/scripts/test_tekton_tasks.sh ${CHANGED_DIRS} diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 5355879d27..9e4183bcd4 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml @@ -40,8 +40,8 @@ spec: taskRef: name: task-switchboard params: - - name: pr_number - value: "{{ pull_request_number }}" + - name: revision + value: $(params.revision) - name: utils_image value: quay.io/konflux-ci/pull-request-builds:appstudio-utils-{{revision}} - name: expressions diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index 362ebbb1c0..be0b790584 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml @@ -30,7 +30,7 @@ spec: type: string steps: - name: e2e-test - image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:4e5e1cded3e2790a328f2c8ce779bd772c602501 + image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:a666fc1761e539cb9ea4f411edc1346430c774ae command: ["/konflux-e2e/konflux-e2e.test"] # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index b818a7868a..9dce078405 100644 --- a/.tekton/tasks/ec-checks.yaml +++ b/.tekton/tasks/ec-checks.yaml 
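Review bot: `uses: tj-actions/changed-files@v45`, `uses: actions/checkout@v3` and `uses: helm/kind-action@v1` reference actions by mutable tag, whereas check-buildah-remote.yaml in this same commit pins them to a full commit SHA with a `# vN` comment; a moved tag silently changes what runs, and the changed-files output here becomes the argument list of `./.github/scripts/test_tekton_tasks.sh` later in the job. Pin each one in the same style, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` (the SHA check-buildah-remote.yaml already uses). The job is disabled with `if: false`, so nothing runs yet, but pinning before it is enabled avoids a second pass. Minor: the step name `Checkout build-defintions Repository` misspells the repository name.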
@@ -11,6 +11,15 @@ metadata:
 spec:
 description: >-
 This task can be used to run enterprise contract checks
+ stepTemplate:
+ securityContext:
+ # runAsUser is needed because the different images used in this Task run as different users. Ideally,
+ # we'd let OpenShift do its thing and set a random UID with a common group ID for *all* containers
+ # in the namespace, but that is currently disabled so it's wild west.
+ runAsUser: 0
+ env:
+ - name: HOME
+ value: /tekton/home
 steps:
 - name: gather-tasks
 image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
@@ -18,9 +27,14 @@ spec:
 # the cluster will set imagePullPolicy to IfNotPresent
 workingDir: $(workspaces.source.path)/source
 script: |
+ #!/bin/bash
+ set -euo pipefail
+
 source hack/ec-checks.sh
- $(build_tasks_dir build_tasks-ec)
- $(all_tasks_dir all_tasks-ec)
+
+ build_tasks_dir build_tasks-ec
+ all_tasks_dir all_tasks-ec
+ stepactions_dir stepactions-ec
 - name: validate-all-tasks
 workingDir: "$(workspaces.source.path)/source"
 image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe
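Review bot: `runAsUser: 0` in `stepTemplate` makes every step of the Task run as root, including the ec-cli validation steps, while the comment only motivates it by the images using different UIDs. If the need is a consistent, writable `HOME` across steps, a fixed non-root UID applied to all steps (`runAsUser: <non-root uid — placeholder>` together with `runAsNonRoot: true`) gives the same consistency with less privilege, where the cluster's policy allows it; I cannot tell from this hunk which image, if any, actually requires UID 0. If one image does, put `securityContext` on that step alone rather than in `stepTemplate`, so the remaining steps stay unprivileged. The comment would be more useful if it named that image, so the exception can be retired when it changes.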
@@ -49,5 +63,20 @@ spec: policy='./policies/build-tasks.yaml' ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} + - name: validate-step-actions + workingDir: "$(workspaces.source.path)/source" + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe + script: | + #!/bin/bash + set -euo pipefail + + # Generate array of file parameters, e.g. --file=foo.yaml --file=bar.yaml + files=( stepactions-ec/*.yaml ) + readarray -t args < <(printf -- '--file=%s\n' "${files[@]}") + echo "[DEBUG] Files parameter: ${args[*]}" + + policy='./policies/step-actions.yaml' + ec validate input --show-successes --policy "${policy}" --output yaml --strict=true "${args[@]}" + workspaces: - name: source diff --git a/.tekton/tasks/task-switchboard.yaml b/.tekton/tasks/task-switchboard.yaml index 8751261052..1ad0d93ae8 100644 --- a/.tekton/tasks/task-switchboard.yaml +++ b/.tekton/tasks/task-switchboard.yaml @@ -12,7 +12,7 @@ spec: description: "Computes a set of expressions based on the changed files in the pipeline, used to determine which tasks to run" params: - - name: pr_number + - name: revision type: string - name: utils_image type: string @@ -46,8 +46,10 @@ spec: ec opa check --v1-compatible "${rules}" + pr_number=$(gh search prs --repo konflux-ci/build-definitions "$(params.revision)" --json number --jq '.[].number') + ec opa eval --v1-compatible --data "${rules}" --input \ - <(gh pr view "https://github.com/konflux-ci/build-definitions/pull/$(params.pr_number)" --json files --jq '[.files.[].path']) \ + <(gh pr view "https://github.com/konflux-ci/build-definitions/pull/${pr_number}" --json files --jq '[.files.[].path']) \ 'data[_]' \ | jq '[.result.[].expressions.[].value | to_entries | .[] | select(.value == true) | .key]' \ | tee "$(results.bindings.path)" diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index b6ccfeb05d..0d5c6b3bd1 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES 
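Review bot: `files=( stepactions-ec/*.yaml )` runs without `nullglob`, so an empty `stepactions-ec/` leaves the literal pattern in the array and `ec validate input` receives `--file=stepactions-ec/*.yaml`; the step still fails, but with a file-not-found message rather than saying nothing was collected. Add `shopt -s nullglob` before the assignment and guard after it with `[[ ${#files[@]} -gt 0 ]] || { echo "[ERROR] no StepAction files found in stepactions-ec/"; exit 1; }`. The guard also matters for the `readarray` line: with `set -u`, expanding an empty `"${files[@]}"` is an unbound-variable error on older bash releases, which would abort the step before any diagnostic.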
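Review bot: `pr_number=$(gh search prs --repo konflux-ci/build-definitions "$(params.revision)" --json number --jq '.[].number')` resolves the PR by free-text search, which can return no result (index lag) or several (any PR whose title or body mentions the revision); an empty or multi-line `pr_number` then produces a malformed URL in the `gh pr view` call on the next line. Since this lookup decides which tasks the pipeline runs, a PR that merely quotes another PR's commit could, as far as the hunk shows, supply the file list used for that decision. Resolving through the commit's associated pull requests, `pr_number=$(gh api "repos/konflux-ci/build-definitions/commits/$(params.revision)/pulls" --jq '.[0].number')`, ties the answer to the commit itself, and asserting `[[ "${pr_number}" =~ ^[0-9]+$ ]] || { echo "no PR found for revision"; exit 1; }` before use rejects both the empty and the multi-result case. The script this hunk belongs to starts and ends outside it, so whether it runs under `set -e` is not visible here.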
@@ -28,3 +28,6 @@ aliases:
 - joejstuart
 - robnester-rh
 - cuipinghuo
+ spmm-team:
+ - ligangty
+ - yma96
diff --git a/README.md b/README.md
index 78c0ca61c9..f90a979965 100644
--- a/README.md
+++ b/README.md
@@ -132,14 +132,86 @@ Specify the Quay repository using the `QUAY_NAMESPACE` environment variable in t ./hack/test-shellspec.sh` ``` +## Testing Tasks + +When updating tasks, if the tasks doesn't have tests, try to add a few tests. Currently it is not mandatory, but is recommended. +When a pull request is opened, CI will run the tests (if it exists) for the task directories that are being modified. +[Github workflow](https://github.com/konflux-ci/build-definitions/blob/main/.github/workflows/run-task-tests.yaml) runs the tests. + +Tests are defined as Tekton Pipelines inside the `tests` subdirectory of the task directory. The test filenames must match `test-*.yaml` format and +a test file should contain a single Pipeline. + +E.g. to add a test pipeline for `task/git-clone/0.1` task, you can add a pipeline such as `task/git-clone/0.1/tests/test-git-clone-run-with-tag.yaml` + +Refer the task under test in a test pipeline by task name. For example: +``` + - name: run-task + taskRef: + name: git-clone +``` + +### Testing scenarios where the Task is expected to fail + +When testing Tasks, most tests will test a positive outcome. But sometimes it's desirable to test that a Task fails, for example when invalid data is supplied as input for the Task. But if the Task under test fails in the test Pipeline, the whole Pipeline will fail too. So we need a way to tell the test script that the given test Pipeline is expected to fail. + +You can do this by adding the annotation `test/assert-task-failure` to the test pipeline object. This annotation will specify which task `(.spec.tasks[*].name)` in the pipeline is expected to fail. For example: + +``` +--- +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: test-git-clone-fail-for-wrong-url + annotations: + test/assert-task-failure: "run-task" +``` +When this annotation is present, the test script will test that the pipeline fails and also that it fails in the expected task. 
+ +### Adding Workspaces + +Some tasks require one or multiple workspaces. This means that the test pipeline will also have to declare a workspace and bind it to the workspace(s) required by the task under test. + +Currently, the test script will pass a single workspace named `tests-workspace` mapping to a 10Mi volume when starting the pipelinerun. +This workspace can be used in the test pipeline. + +### Test Setup + +Some task tests will require setup on the kind cluster before the test pipeline can be run. Certain things can be done in a setup task step as part of the test pipeline, but others cannot. +In order to achieve this, a `pre-apply-task-hook.sh` script can be created in the `tests` directory for a task. When the CI runs the testing, it will first check for this file. If it is found, it is executed before the test pipeline. + +### Mocking commands executed in task scripts + +Mocking commands is possible similar to the release service catalog repository. +For more details and example, refer [here](https://github.com/konflux-ci/release-service-catalog/blob/development/CONTRIBUTING.md#mocking-commands-executed-in-task-scripts). + +### Prerequisites for running task test locally + +- Upstream [konflux-ci installed](https://github.com/konflux-ci/konflux-ci?tab=readme-ov-file#bootstrapping-the-cluster) on a kind cluster +- [tkn](https://github.com/tektoncd/cli) installed +- jq installed + +You can run the test script locally and to run tests for a particular task, pass the task directories as arguments, e.g. +``` +./.github/scripts/test_tekton_tasks.sh task/git-clone/0.1 +``` +This will install the task and run all test pipelines matching `tests/test-*.yaml` under task directory. + +Another option is to run one or more tests directly by specifying them as arguments: +``` +./.github/scripts/test_tekton_tasks.sh tasks/git-clone/tests/test-git-clone-run-with-tag.yaml +``` +It will then run only the specified test pipeline. 
+ ### Compliance Task definitions must comply with the [Enterprise Contract](https://enterprisecontract.dev/) policies. -Currently, there are two policy configurations. -- The [all-tasks](./policies/all-tasks.yaml) policy -configuration applies to all Task definitions -- The [build-tasks](./policies/build-tasks.yaml) -policy configuration applies only to build Task definitions. - -A build Task, i.e., one that produces a -container image, must abide by both policy configurations. +Currently, there are three policy configurations. + +- The [all-tasks](./policies/all-tasks.yaml) policy configuration applies to all Task definitions. +- The [build-tasks](./policies/build-tasks.yaml) policy configuration applies only to build Task + definitions. +- The [step-actions](./policies/step-actions.yaml) policy configuration applies to all StepAction + definitions. + +A build Task, e.g. one that produces a container image, must abide by both `all-tasks` and +`build-tasks` policy configurations. diff --git a/hack/ec-checks.sh b/hack/ec-checks.sh index 6b963bb6e7..495d1c8b7e 100755 --- a/hack/ec-checks.sh +++ b/hack/ec-checks.sh @@ -58,3 +58,19 @@ function all_tasks_dir { copy_all_task_versions "${task/*\//}" $tasks_dir done } + +function stepactions_dir { + if [[ ! -d $1 ]]; then + mkdir "$1" + fi + local d=$1 + + shopt -s globstar + for f in stepactions/**/*.yaml; do + yq eval -e '.kind == "StepAction"' "${f}" || continue + dest="${f#*/*/}" + dest="${d}/${dest/\//-}" + echo "[DEBUG] Copying ${f} to ${dest}" + cp "${f}" "${dest}" + done +} diff --git a/hack/missing-ta-tasks.sh b/hack/missing-ta-tasks.sh index d4182c9ba8..532000ea81 100755 --- a/hack/missing-ta-tasks.sh +++ b/hack/missing-ta-tasks.sh 
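Review bot: `dest="${d}/${dest/\//-}"` replaces only the first `/` in the trimmed path, yet the `stepactions/**/*.yaml` glob above also matches files nested deeper than `stepactions/<name>/<version>/`; for those `dest` keeps a separator and `cp` fails on a missing directory. Use `${dest//\//-}` to flatten every separator, and declare `local dest` so the variable does not leak into the shell that sources this file. `shopt -s globstar` leaks the same way (the function is `source`d by the gather-tasks step in .tekton/tasks/ec-checks.yaml in this commit); running the loop in a `( … )` subshell, or `shopt -u globstar` after it, keeps glob semantics unchanged for the caller. `yq eval -e '.kind == "StepAction"' "${f}" || continue` also prints the boolean for every file; redirecting it to `/dev/null` leaves only the `[DEBUG]` lines in the step log.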
@@ -22,11 +22,14 @@ todo=( task/buildah-rhtap/0.1/buildah-rhtap.yaml task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml task/fbc-related-image-check/0.1/fbc-related-image-check.yaml + task/fbc-related-image-check/0.2/kustomization.yaml task/fbc-validation/0.1/fbc-validation.yaml + task/fbc-validation/0.2/kustomization.yaml task/gather-deploy-images/0.1/gather-deploy-images.yaml task/generate-odcs-compose/0.2/generate-odcs-compose.yaml task/generate-odcs-compose/0.2/kustomization.yaml task/inspect-image/0.1/inspect-image.yaml + task/inspect-image/0.2/kustomization.yaml task/operator-sdk-generate-bundle/0.1/operator-sdk-generate-bundle.yaml task/opm-get-bundle-version/0.1/opm-get-bundle-version.yaml task/opm-render-bundles/0.1/opm-render-bundles.yaml diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index 6b731b0b18..2ba97a681e 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -80,7 +80,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |docker-auth| unused, should be removed in next task version.| | | |image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -### clamav-scan:0.1 task parameters +### clamav-scan:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | 
@@ -88,6 +88,13 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |docker-auth| unused| | | |image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### coverity-availability-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -162,15 +169,62 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | -### sast-snyk-check-oci-ta:0.2 task parameters +### sast-coverity-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| -|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| -|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. 
Useful for auditing (defaults to false).| false| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### sast-shell-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. 
| false| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| +### sast-shell-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. 
| false| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| +### sast-snyk-check-oci-ta:0.3 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| | | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -198,9 +252,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### buildah-remote-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
@@ -218,11 +272,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |REPORTS| Mapping of image digests to report digests| | |SCAN_OUTPUT| Clair scan result.| | |TEST_OUTPUT| Tekton task test output.| | -### clamav-scan:0.1 task results +### clamav-scan:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | +### coverity-availability-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|STATUS| Tekton task simple status to be later checked| | +|TEST_OUTPUT| Tekton task result output.| | ### deprecated-image-check:0.4 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -249,8 +308,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-images:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.2:CACHI2_ARTIFACT| -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-images:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.2:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-images:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; coverity-availability-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-images:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; coverity-availability-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| ### push-dockerfile-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -261,7 +320,19 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGES_PROCESSED| Images processed in the task.| | |RPMS_DATA| Information about signed and unsigned RPMs| | |TEST_OUTPUT| Tekton task test output.| | -### sast-snyk-check-oci-ta:0.2 task results +### sast-coverity-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-shell-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-shell-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-snyk-check-oci-ta:0.3 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index 1bc86b739a..e08c152e2d 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -77,7 +77,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |docker-auth| unused, should be removed in next task version.| | | |image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -### clamav-scan:0.1 task parameters +### clamav-scan:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | 
@@ -85,6 +85,13 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |docker-auth| unused| | | |image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### coverity-availability-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -159,15 +166,62 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | -### sast-snyk-check-oci-ta:0.2 task parameters +### sast-coverity-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| -|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| -|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. 
Useful for auditing (defaults to false).| false| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### sast-shell-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. 
| false| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| +### sast-shell-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. 
| false| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| +### sast-snyk-check-oci-ta:0.3 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| | | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -195,16 +249,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### buildah-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_DIGEST| Digest of the image 
just built| sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -215,11 +269,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |REPORTS| Mapping of image digests to report digests| | |SCAN_OUTPUT| Clair scan result.| | |TEST_OUTPUT| Tekton task test output.| | -### clamav-scan:0.1 task results +### clamav-scan:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | +### coverity-availability-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|STATUS| Tekton task simple status to be later checked| | +|TEST_OUTPUT| Tekton task result output.| | ### deprecated-image-check:0.4 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -246,8 +305,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-container:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.2:CACHI2_ARTIFACT| -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.2:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-container:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; coverity-availability-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; coverity-availability-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| ### push-dockerfile-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -258,7 +317,19 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGES_PROCESSED| Images processed in the task.| | |RPMS_DATA| Information about signed and unsigned RPMs| | |TEST_OUTPUT| Tekton task test output.| | -### sast-snyk-check-oci-ta:0.2 task results +### sast-coverity-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-shell-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-shell-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-snyk-check-oci-ta:0.3 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | diff --git a/pipelines/docker-build-oci-ta/patch.yaml b/pipelines/docker-build-oci-ta/patch.yaml index cd41dbb4f5..1fef81319e 100644 --- a/pipelines/docker-build-oci-ta/patch.yaml +++ b/pipelines/docker-build-oci-ta/patch.yaml @@ -30,8 +30,12 @@ # 8 ecosystem-cert-preflight-checks # 9 sast-snyk-check # 10 clamav-scan -# 11 apply-tags -# 12 push-dockerfile +# 11 coverity-availability-check +# 12 sast-coverity-check +# 13 sast-shell-check +# 14 sast-unicode-check +# 15 apply-tags +# 16 push-dockerfile # clone-repository Task - op: replace 
@@ -127,18 +131,86 @@
 - op: remove
 path: /spec/tasks/9/workspaces/0
 
-# push-dockerfile
+# sast-coverity-check
+- op: replace
+ path: /spec/tasks/11/taskRef/name
+ value: sast-coverity-check-oci-ta
+- op: add
+ path: /spec/tasks/11/params/-
+ value:
+ name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- op: add
+ path: /spec/tasks/11/params/-
+ value:
+ name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+- op: remove
+ path: /spec/tasks/11/workspaces/0
+
+# coverity-availability-check
 - op: replace
 path: /spec/tasks/12/taskRef/name
- value: push-dockerfile-oci-ta
+ value: coverity-availability-check-oci-ta
 - op: add
 path: /spec/tasks/12/params/-
 value:
 name: SOURCE_ARTIFACT
 value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- op: add
+ path: /spec/tasks/12/params/-
+ value:
+ name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 - op: remove
 path: /spec/tasks/12/workspaces/0
 
+# sast-shell-check
+- op: replace
+ path: /spec/tasks/13/taskRef/name
+ value: sast-shell-check-oci-ta
+- op: add
+ path: /spec/tasks/13/params/-
+ value:
+ name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- op: add
+ path: /spec/tasks/13/params/-
+ value:
+ name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+- op: remove
+ path: /spec/tasks/13/workspaces/0
+
+# sast-unicode-check
+- op: replace
+ path: /spec/tasks/14/taskRef/name
+ value: sast-shell-check-oci-ta
+- op: add
+ path: /spec/tasks/14/params/-
+ value:
+ name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- op: add
+ path: /spec/tasks/14/params/-
+ value:
+ name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+- op: remove
+ path: /spec/tasks/14/workspaces/0
+
+# push-dockerfile
+- op: replace
+ path: /spec/tasks/16/taskRef/name
+ value: push-dockerfile-oci-ta
+- op: add
+ path: /spec/tasks/16/params/-
+ value:
+ name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- op: remove
+ path: /spec/tasks/16/workspaces/0
+
 # Order of finally Tasks from the base docker-build Pipeline:
 # $ kustomize build pipelines/docker-build | yq .spec.finally.[].name | nl -v 0
 # 0 show-sbom
diff --git a/pipelines/docker-build-rhtap/README.md b/pipelines/docker-build-rhtap/README.md
index a6389e0acb..cb03c8b862 100644
--- a/pipelines/docker-build-rhtap/README.md
+++ b/pipelines/docker-build-rhtap/README.md
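Review bot: The `# sast-unicode-check` section sets `/spec/tasks/14/taskRef/name` to `sast-shell-check-oci-ta`, which looks like a copy-paste slip from the `# sast-shell-check` section directly above it; the regenerated docker-build-oci-ta README in this same commit lists `sast-shell-check-oci-ta:0.1` twice and no unicode variant at all, which is consistent with task 14 now running the shell check a second time while the unicode-control scan silently drops out of the oci-ta pipeline even though the task name still says it is there. Presumably the intended value follows the naming of the other replacements, `value: sast-unicode-check-oci-ta`, if that task is part of this change. Separately, the index comments in the preceding hunk list 11 as coverity-availability-check and 12 as sast-coverity-check, whereas the sections here patch task 11 with `sast-coverity-check-oci-ta` and task 12 with `coverity-availability-check-oci-ta`; one of the two is wrong, and regenerating the index with the kustomize/yq command quoted in this file would settle which. Because both tasks receive identical SOURCE_ARTIFACT/CACHI2_ARTIFACT additions, a swapped taskRef would not fail to apply, so a check that each task's name matches its taskRef after `kustomize build` would catch both of these.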
@@ -5,13 +5,13 @@ |---|---|---|---| |build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.1:BUILD_ARGS| |build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.1:BUILD_ARGS_FILE| -|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE| +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| |event-type| Event that triggered the pipeline run, e.g. push, pull_request| push| | |git-url| Source Repository URL| None| clone-repository:0.1:url ; acs-deploy-check:0.1:gitops-repo-url ; update-deployment:0.1:gitops-repo-url| |gitops-auth-secret-name| Secret name to enable this pipeline to update the gitops repo with the new image. | gitops-auth-secret| update-deployment:0.1:gitops-auth-secret-name| |image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| |output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; acs-image-check:0.1:image ; acs-image-scan:0.1:image| -|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT| +|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT ; push-dockerfile:0.1:CONTEXT| |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| |stackrox-secret| | rox-api-token| acs-image-check:0.1:rox-secret-name ; acs-image-scan:0.1:rox-secret-name ; acs-deploy-check:0.1:rox-secret-name| 
@@ -39,6 +39,13 @@ |image-digest| Digest of the image to scan | None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |insecure-skip-tls-verify| When set to `"true"`, skip verifying the TLS certs of the Central endpoint. Defaults to `"false"`. | false| 'true'| |rox-secret-name| Secret containing the StackRox server endpoint and API token with CI permissions under rox-api-endpoint and rox-api-token keys. For example: rox-api-endpoint: rox.stackrox.io:443 ; rox-api-token: eyJhbGciOiJS... | None| '$(params.stackrox-secret)'| +### apply-tags:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### buildah-rhtap:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -78,6 +85,34 @@ |image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| |rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| |skip-checks| Skip checks against built image| false| | +### push-dockerfile:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### rpms-signature-scan:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. 
| /tmp| | +### sast-unicode-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|FIND_UNICODE_CONTROL_ARGS| arguments for find-unicode-control command.| -p bidi -v -d -t| | +|FIND_UNICODE_CONTROL_GIT_URL| URL from repository to find unicode control.| https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58| | +|KFP_GIT_URL| URL from repository to download known false positives files.| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (defaults to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. | false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom-rhdh:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -130,6 +165,20 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |build| Defines if the image in param image-url should be built| | +### push-dockerfile:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### rpms-signature-scan:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | +### sast-unicode-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | ### show-sbom-rhdh:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -139,7 +188,7 @@ |name|description|optional|used in tasks |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source ; sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### acs-deploy-check:0.1 task workspaces |name|description|optional|workspace from pipeline 
@@ -155,6 +204,14 @@ |basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| |output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| |ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | +### push-dockerfile:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| +### sast-unicode-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| ### summary:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 50815a8e52..b7fb2d5e6e 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md 
@@ -75,7 +75,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |docker-auth| unused, should be removed in next task version.| | | |image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -### clamav-scan:0.1 task parameters +### clamav-scan:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | @@ -83,6 +83,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |docker-auth| unused| | | |image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### coverity-availability-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -154,13 +159,54 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | -### sast-snyk-check:0.2 task parameters +### sast-coverity-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| -|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | -|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. 
Useful for auditing (defaults to false).| false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### sast-shell-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. | false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| +### sast-snyk-check:0.3 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| | | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. 
Useful for auditing (defaults to false).| false| | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| +### sast-unicode-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|FIND_UNICODE_CONTROL_ARGS| arguments for find-unicode-control command.| -p bidi -v -d -t| | +|FIND_UNICODE_CONTROL_GIT_URL| URL from repository to find unicode control.| https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58| | +|KFP_GIT_URL| URL from repository to download known false positives files.| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (defaults to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. | false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -193,16 +239,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_DIGEST| Digest of the image just 
built| sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -213,11 +259,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |REPORTS| Mapping of image digests to report digests| | |SCAN_OUTPUT| Clair scan result.| | |TEST_OUTPUT| Tekton task test output.| | -### clamav-scan:0.1 task results +### clamav-scan:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | +### coverity-availability-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|STATUS| Tekton task simple status to be later checked| | +|TEST_OUTPUT| Tekton task result output.| | ### deprecated-image-check:0.4 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -250,7 +301,19 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGES_PROCESSED| Images processed in the task.| | |RPMS_DATA| Information about signed and unsigned RPMs| | |TEST_OUTPUT| Tekton task test output.| | -### sast-snyk-check:0.2 task results +### sast-coverity-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-shell-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-snyk-check:0.3 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-unicode-check:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | 
@@ -267,12 +330,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.2:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.2:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.1:workspace ; coverity-availability-check:0.1:workspace ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### buildah:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |source| Workspace containing the source code to build.| False| workspace| +### coverity-availability-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| 
@@ -289,7 +356,19 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |name|description|optional|workspace from pipeline
 |---|---|---|---|
 |workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace|
-### sast-snyk-check:0.2 task workspaces
+### sast-coverity-check:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| | False| workspace|
+### sast-shell-check:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| | False| workspace|
+### sast-snyk-check:0.3 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| | False| workspace|
+### sast-unicode-check:0.1 task workspaces
 |name|description|optional|workspace from pipeline
 |---|---|---|---|
 |workspace| | False| workspace|
diff --git a/pipelines/docker-build/patch.yaml b/pipelines/docker-build/patch.yaml
index f7c6abd104..81ea422c2d 100644
--- a/pipelines/docker-build/patch.yaml
+++ b/pipelines/docker-build/patch.yaml
@@ -27,8 +27,13 @@
 # 8 ecosystem-cert-preflight-checks
 # 9 sast-snyk-check
 # 10 clamav-scan
-# 11 apply-tags
-# 12 push-dockerfile
+# 11 sast-coverity-check
+# 12 coverity-availability-check
+# 13 sast-shell-check
+# 14 sast-unicode-check
+# 15 apply-tags
+# 16 push-dockerfile
+# 17 rpms-signature-scan
 # build-container
 - op: replace
diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md
index 3e0f45985a..8eaa61f29e 100644
--- a/pipelines/fbc-builder/README.md
+++ b/pipelines/fbc-builder/README.md
@@ -75,12 +75,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | -### fbc-validation:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|BASE_IMAGE| Fully qualified base image name.| None| '$(tasks.inspect-image.results.BASE_IMAGE)'| -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -110,12 +104,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| |rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| |skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| -### inspect-image:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|DOCKER_AUTH| unused, should be removed in next task version| | | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -130,6 +118,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| +### validate-fbc:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ## Results |name|description|value| @@ -143,9 +136,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; inspect-image:0.1:IMAGE_DIGEST ; fbc-validate:0.1:IMAGE_DIGEST| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; validate-fbc:0.1:IMAGE_DIGEST| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; apply-tags:0.1:IMAGE ; inspect-image:0.1:IMAGE_URL ; fbc-validate:0.1:IMAGE_URL| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; apply-tags:0.1:IMAGE ; validate-fbc:0.1:IMAGE_URL| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
@@ -161,14 +154,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | -### fbc-related-image-check:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|TEST_OUTPUT| Tekton task test output.| | -### fbc-validation:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|TEST_OUTPUT| Tekton task test output.| | ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -182,42 +167,31 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |build| Defines if the image in param image-url should be built| | -### inspect-image:0.1 task results +### validate-fbc:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|BASE_IMAGE| Base image source image is built from.| fbc-validate:0.1:BASE_IMAGE| -|BASE_IMAGE_REPOSITORY| Base image repository URL.| | +|RELATED_IMAGES_DIGEST| Digest for attached json file containing related images| | +|RELATED_IMAGE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the related images for the FBC fragment.| | |TEST_OUTPUT| Tekton task test output.| | +|TEST_OUTPUT_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the related images for the FBC fragment.| | ## Workspaces |name|description|optional|used in tasks |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth| |netrc| |True| | -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.2:source ; inspect-image:0.1:source ; fbc-validate:0.1:workspace ; fbc-related-image-check:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.2:source| ## Available workspaces from tasks ### buildah:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |source| Workspace containing the source code to build.| False| workspace| -### fbc-related-image-check:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| | False| workspace| -### fbc-validation:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| | False| workspace| ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |basic-auth| A 
Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| |output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| |ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | -### inspect-image:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|source| | False| workspace| ### summary:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/fbc-builder/patch.yaml b/pipelines/fbc-builder/patch.yaml index 149a0a2529..1366d1d2a1 100644 --- a/pipelines/fbc-builder/patch.yaml +++ b/pipelines/fbc-builder/patch.yaml 
@@ -51,16 +51,28 @@
 # 8 ecosystem-cert-preflight-checks
 # 9 sast-snyk-check
 # 10 clamav-scan
-# 11 apply-tags
-# 12 push-dockerfile
-# 13 rpms-signature-scan
+# 11 sast-coverity-check
+# 12 coverity-availability-check
+# 13 sast-shell-check
+# 14 sast-unicode-check
+# 15 apply-tags
+# 16 push-dockerfile
+# 17 rpms-signature-scan
 - op: replace
 path: /spec/tasks/3/runAfter/0
 value: clone-repository
 - op: remove
- path: /spec/tasks/13 # rpms-signature-scan
+ path: /spec/tasks/17 # rpms-signature-scan
 - op: remove
- path: /spec/tasks/12 # push-dockerfile
+ path: /spec/tasks/16 # push-dockerfile
+- op: remove
+ path: /spec/tasks/14 # sast-unicode-scan
+- op: remove
+ path: /spec/tasks/13 # sast-shell-scan
+- op: remove
+ path: /spec/tasks/12 # coverity-availability-check
+- op: remove
+ path: /spec/tasks/11 # sast-coverity-check
 - op: remove
 path: /spec/tasks/10 # clamav-scan
 - op: remove
@@ -76,7 +88,7 @@
 - op: add
 path: /spec/tasks/-
 value:
- name: inspect-image
+ name: validate-fbc
 when:
 - input: $(params.skip-checks)
 operator: in
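Review bot: The inline comments on the two new removes at `/spec/tasks/14` and `/spec/tasks/13` read `# sast-unicode-scan` and `# sast-shell-scan`, but the index legend at the top of this hunk names those entries `sast-unicode-check` and `sast-shell-check`; they should be `path: /spec/tasks/14 # sast-unicode-check` and `path: /spec/tasks/13 # sast-shell-check` so an index/comment mismatch can be spotted at a glance. Because these ops are positional and only correct when applied in descending index order, the legend plus the per-op comment is the sole check that the intended task is dropped. Index 15 (apply-tags) is deliberately skipped, which matches the previous version keeping apply-tags, but a one-line comment saying so would make that intent explicit.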
@@ -84,52 +96,10 @@
 runAfter:
 - build-image-index
 taskRef:
- name: inspect-image
+ name: validate-fbc
 version: "0.1"
 params:
 - name: IMAGE_URL
 value: $(tasks.build-image-index.results.IMAGE_URL)
 - name: IMAGE_DIGEST
 value: $(tasks.build-image-index.results.IMAGE_DIGEST)
- workspaces:
- - name: source
- workspace: workspace
-- op: add
- path: /spec/tasks/-
- value:
- name: fbc-validate
- when:
- - input: $(params.skip-checks)
- operator: in
- values: ["false"]
- runAfter:
- - inspect-image
- taskRef:
- name: fbc-validation
- version: "0.1"
- params:
- - name: IMAGE_URL
- value: $(tasks.build-image-index.results.IMAGE_URL)
- - name: IMAGE_DIGEST
- value: $(tasks.build-image-index.results.IMAGE_DIGEST)
- - name: BASE_IMAGE
- value: $(tasks.inspect-image.results.BASE_IMAGE)
- workspaces:
- - name: workspace
- workspace: workspace
-- op: add
- path: /spec/tasks/-
- value:
- name: fbc-related-image-check
- when:
- - input: $(params.skip-checks)
- operator: in
- values: ["false"]
- runAfter:
- - fbc-validate
- taskRef:
- name: fbc-related-image-check
- version: "0.1"
- workspaces:
- - name: workspace
- workspace: workspace
diff --git a/pipelines/maven-zip-build-oci-ta/README.md b/pipelines/maven-zip-build-oci-ta/README.md
new file mode 100644
index 0000000000..a9870f4dd0
--- /dev/null
+++ b/pipelines/maven-zip-build-oci-ta/README.md
@@ -0,0 +1,165 @@ +# "maven-zip-build-oci-ta pipeline" + +This pipeline will build the maven zip to oci-artifact while maintaining trust after pipeline customization. + +_Uses `prefetch-dependencies` to fetch all artifacts which will be the content of the maven zip, and then uses `build-maven-zip-oci-ta` to create zip and push it to quay.io as oci-artifact. Information is shared between tasks using OCI artifacts instead of PVCs. +This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-maven-zip-build-oci-ta?tab=tags)_ + +## Parameters + +| name | description | default value | used in (taskname:taskrefversion:taskparam) | +| ------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | +| git-url | Source Repository URL | None | clone-repository:0.1:url | +| image-expires-after | Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
| | build-oci-artifact:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER | +| output-image | Fully Qualified Output Image | None | show-summary:0.2:image-url ; init:0.2:image-url ; build-oci-artifact:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE | +| prefetch-input | Build dependencies to be prefetched by Cachi2 | generic | prefetch-dependencies:0.1:input | +| rebuild | Force rebuild oci-artifact | false | init:0.2:rebuild | +| revision | Revision of the Source Repository | | clone-repository:0.1:revision | +| skip-checks | Skip checks | true | init:0.2:skip-checks | + +## Available params from tasks + +### build-maven-zip-oci-ta:0.1 task parameters + +| name | description | default value | already set by | +| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | -------------------------------------------------------- | +| CACHI2_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. | | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)' | +| FILE_NAME | The zip bundle file name of archived artifacts | maven-repository | | +| IMAGE | Reference of the OCI-Artifact this build task will produce. | None | '$(params.output-image)' | +| IMAGE_EXPIRES_AFTER | Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. | | '$(params.image-expires-after)' | +| PREFETCH_ROOT | The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts. | maven-repository | | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. 
| trusted-ca | | + +### init:0.2 task parameters + +| name | description | default value | already set by | +| ----------- | ---------------------------------- | ------------- | ------------------------ | +| image-url | Image URL for build by PipelineRun | None | '$(params.output-image)' | +| rebuild | Rebuild the image if exists | false | '$(params.rebuild)' | +| skip-checks | Skip checks against built image | false | '$(params.skip-checks)' | + +### git-clone-oci-ta:0.1 task parameters + +| name | description | default value | already set by | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | ------------------------------- | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | +| depth | Perform a shallow clone, fetching only the most recent N commits. | 1 | | +| enableSymlinkCheck | Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true | | +| fetchTags | Fetch all tags for the repo. | false | | +| httpProxy | HTTP proxy server for non-SSL requests. | | | +| httpsProxy | HTTPS proxy server for SSL requests. | | | +| noProxy | Opt out of proxying HTTP/HTTPS requests. | | | +| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire. | | '$(params.image-expires-after)' | +| ociStorage | The OCI repository where the Trusted Artifacts are stored. | None | '$(params.output-image).git' | +| refspec | Refspec to fetch before checking out revision. | | | +| revision | Revision to checkout. (branch, tag, sha, ref, etc...) 
| | '$(params.revision)' | +| shortCommitLength | Length of short commit SHA | 7 | | +| sparseCheckoutDirectories | Define the directory patterns to match or exclude when performing a sparse checkout. | | | +| sslVerify | Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. | true | | +| submodules | Initialize and fetch git submodules. | true | | +| url | Repository URL to clone from. | None | '$(params.git-url)' | +| userHome | Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home | | +| verbose | Log the commands that are executed during `git-clone`'s operation. | false | | + +### prefetch-dependencies-oci-ta:0.1 task parameters + +| name | description | default value | already set by | +| ----------------------- | --------------------------------------------------------------------------------------------------------------------------- | ------------- | --------------------------------------------------- | +| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | None | '$(tasks.clone-repository.results.SOURCE_ARTIFACT)' | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | +| config-file-content | Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | +| dev-package-managers | Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false | | +| input | Configures project packages that will have their dependencies prefetched. 
| None | '$(params.prefetch-input)' | +| log-level | Set cachi2 log level (debug, info, warning, error) | info | | +| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire. | | '$(params.image-expires-after)' | +| ociStorage | The OCI repository where the Trusted Artifacts are stored. | None | '$(params.output-image).prefetch' | + +### sast-snyk-check-oci-ta:0.2 task parameters + +| name | description | default value | already set by | +| --------------- | ----------------------------------------------------------------------------------- | ------------------------------------------ | -------------------------------------------------------- | +| ARGS | Append arguments. | --all-projects --exclude=test*,vendor,deps | | +| CACHI2_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. | | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)' | +| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | | +| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | None | '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)' | +| image-digest | Image digest to report findings for. | | '$(tasks.build-image-index.results.IMAGE_DIGEST)' | +| image-url | Image URL. | | '$(tasks.build-image-index.results.IMAGE_URL)' | + +### show-sbom:0.1 task parameters + +| name | description | default value | already set by | +| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------------------------------------- | +| CA_TRUST_CONFIG_MAP_KEY | The name of the key in the ConfigMap that contains the CA bundle data. 
| ca-bundle.crt | | +| CA_TRUST_CONFIG_MAP_NAME | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | +| IMAGE_URL | Fully qualified image name to show SBOM for. | None | '$(tasks.build-oci-artifact.results.IMAGE_URL)' | +| PLATFORM | Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64". | linux/amd64 | | + +### Results + +| name | description | value | +| ----------------- | ----------- | ------------------------------------------------ | +| CHAINS-GIT_COMMIT | | $(tasks.clone-repository.results.commit) | +| CHAINS-GIT_URL | | $(tasks.clone-repository.results.url) | +| IMAGE_DIGEST | | $(tasks.build-oci-artifact.results.IMAGE_DIGEST) | +| IMAGE_URL | | $(tasks.build-oci-artifact.results.IMAGE_URL) | + +## Available results from tasks + +### build-maven-zip-oci-ta:0.1 task results + +| name | description | used in params (taskname:taskrefversion:taskparam) | +| ------------- | --------------------------------------------------------------------------------- | -------------------------------------------------- | +| IMAGE_DIGEST | Digest of the OCI-Artifact just built | | +| IMAGE_REF | OCI-Artifact reference of the built OCI-Artifact | | +| IMAGE_URL | OCI-Artifact repository and tag where the built OCI-Artifact was pushed | show-sbom:0.1:IMAGE_URL | +| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance | | + +### git-clone-oci-ta:0.1 task results + +| name | description | used in params (taskname:taskrefversion:taskparam) | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------- | +| CHAINS-GIT_COMMIT | The precise commit SHA that was fetched by this Task. 
This result uses Chains type hinting to include in the provenance. | | +| CHAINS-GIT_URL | The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | +| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | prefetch-dependencies:0.1:SOURCE_ARTIFACT | +| commit | The precise commit SHA that was fetched by this Task. | build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA | +| commit-timestamp | The commit timestamp of the checkout | | +| short-commit | The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters | | +| url | The precise URL that was fetched by this Task. | | + +### init:0.2 task results + +| name | description | used in params (taskname:taskrefversion:taskparam) | +| ----- | ------------------------------------------------------- | -------------------------------------------------- | +| build | Defines if the image in param image-url should be built | | + +### sast-snyk-check-oci-ta:0.2 task results + +| name | description | used in params (taskname:taskrefversion:taskparam) | +| ----------- | ------------------------ | -------------------------------------------------- | +| TEST_OUTPUT | Tekton task test output. 
| | + +### Workspaces + +| name | description | optional | used in tasks | +| -------- | ----------- | -------- | -------------------------------------------------------------------------- | +| git-auth | | True | clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth | +| netrc | | True | prefetch-dependencies:0.1:netrc | + +## Available workspaces from tasks + +### git-clone-oci-ta:0.1 task workspaces + +| name | description | optional | workspace from pipeline | +| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | +| basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True | git-auth | +| ssh-directory | A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. 
| True | | + +### prefetch-dependencies-oci-ta:0.1 task workspaces + +| name | description | optional | workspace from pipeline | +| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | +| git-basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True | git-auth | +| netrc | Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True | netrc | diff --git a/pipelines/maven-zip-build-oci-ta/kustomization.yaml b/pipelines/maven-zip-build-oci-ta/kustomization.yaml new file mode 100644 index 0000000000..45db7b083e --- /dev/null +++ b/pipelines/maven-zip-build-oci-ta/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../maven-zip-build + +patches: +- path: patch.yaml + target: + kind: Pipeline diff --git a/pipelines/maven-zip-build-oci-ta/patch.yaml b/pipelines/maven-zip-build-oci-ta/patch.yaml new file mode 100644 index 0000000000..5114c4b058 --- /dev/null +++ b/pipelines/maven-zip-build-oci-ta/patch.yaml 
@@ -0,0 +1,94 @@ +--- +- op: add + path: /spec/description + value: | + This pipeline will build the maven zip to oci-artifact while maintaining trust after pipeline customization. + + _Uses `prefetch-dependencies` to fetch all artifacts which will be the content of the maven zip, and then uses `build-maven-zip-oci-ta` to create zip and push it to quay.io as oci-artifact. Information is shared between tasks using OCI artifacts instead of PVCs. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-maven-zip-build-oci-ta?tab=tags)_ +- op: replace + path: /metadata/name + value: maven-zip-build-oci-ta +- op: replace + path: /metadata/labels + value: + "pipelines.openshift.io/used-by": "build-cloud" + "pipelines.openshift.io/runtime": "generic" + "pipelines.openshift.io/strategy": "maven-zip" +# clone-repository Task +- op: replace + path: /spec/tasks/1/taskRef/name + value: git-clone-oci-ta +- op: add + path: /spec/tasks/1/params/- + value: + name: ociStorage + value: $(params.output-image).git +- op: add + path: /spec/tasks/1/params/- + value: + name: ociArtifactExpiresAfter + value: $(params.image-expires-after) +- op: remove + path: /spec/tasks/1/workspaces/0 +# prefetch-dependencies Task +- op: replace + path: /spec/tasks/2/taskRef/name + value: prefetch-dependencies-oci-ta +- op: add + path: /spec/tasks/2/params/- + value: + name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) +- op: add + path: /spec/tasks/2/params/- + value: + name: ociStorage + value: $(params.output-image).prefetch +- op: add + path: /spec/tasks/2/params/- + value: + name: ociArtifactExpiresAfter + value: $(params.image-expires-after) +- op: remove + path: /spec/tasks/2/workspaces/0 +- op: remove + path: /spec/tasks/2/when +# Replace build-maven-zip task by build-maven-zip-oci-ta task +- op: replace + path: /spec/tasks/3/taskRef + value: + name: build-maven-zip-oci-ta + version: "0.1" +- op: add + 
path: /spec/tasks/3/params/- + value: + name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) +- op: remove + path: /spec/tasks/3/workspaces/0 +# sast-snyk-check +- op: replace + path: /spec/tasks/4/taskRef/name + value: sast-snyk-check-oci-ta +- op: add + # In the maven-zip-build Pipeline, the snyk Task does not receive any parameters, so we cannot + # append to it. + path: /spec/tasks/4/params/- + value: + name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) +- op: add + path: /spec/tasks/4/params/- + value: + name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) +- op: remove + path: /spec/tasks/4/workspaces/0 +# show-summary +# This Task relies on a shared workspace for some of its functionality. Although optional, it raises +# the question of how valuable this Task actually is. Rather than add Trusted Artifacts support for +# this Task, we are taking the approach of just removing it altogether. Additional context on this +# decision can be found in https://issues.redhat.com/browse/EC-643. +- op: remove + path: /spec/finally/1 diff --git a/pipelines/maven-zip-build/README.md b/pipelines/maven-zip-build/README.md new file mode 100644 index 0000000000..6ddcebe8fd --- /dev/null +++ b/pipelines/maven-zip-build/README.md 
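Review bot: The comment above the first `/spec/tasks/4/params/-` add for sast-snyk-check says the Task "does not receive any parameters, so we cannot append to it", yet the op it annotates is an append, and the base maven-zip-build patch in this same diff sets `/spec/tasks/4/params/0/value` and `/spec/tasks/4/params/1/value` on that Task, so it does carry image-digest and image-url; the comment reads as copied from another pipeline's patch and contradicts the op. Replacing it with `# sast-snyk-check already carries image-digest/image-url from the base patch; append the trusted-artifact inputs` would match what the ops do. The taskRef replace to `sast-snyk-check-oci-ta` changes only the name, so the version is inherited from template-build.yaml, which this same diff bumps from "0.2" to "0.3"; worth confirming the -oci-ta variant is published at that version, as nothing in the patch pins it. The `remove` of `/spec/tasks/2/when` on prefetch-dependencies is undocumented; a one-line comment such as `# prefetch must always run: downstream tasks consume its SOURCE_ARTIFACT/CACHI2_ARTIFACT results` would explain why the template's condition is dropped.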
@@ -0,0 +1,183 @@ +# "maven-zip-build pipeline" + +This pipeline will build the maven zip to oci-artifact. + +_Uses `prefetch-dependencies` to fetch all artifacts which will be the content of the maven zip, and then uses `build-maven-zip` to create zip and push it to quay.io as oci-artifact. +This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-maven-zip-build?tab=tags)_ + +## Parameters + +| name | description | default value | used in (taskname:taskrefversion:taskparam) | +| ------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | +| git-url | Source Repository URL | None | clone-repository:0.1:url | +| image-expires-after | Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
| | build-oci-artifact:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER | +| output-image | Fully Qualified Output Image | None | show-summary:0.2:image-url ; init:0.2:image-url ; build-oci-artifact:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE | +| prefetch-input | Build dependencies to be prefetched by Cachi2 | generic | prefetch-dependencies:0.1:input | +| rebuild | Force rebuild image | false | init:0.2:rebuild | +| revision | Revision of the Source Repository | | clone-repository:0.1:revision | +| skip-checks | Skip checks against built image | true | init:0.2:skip-checks | + +## Available params from tasks + +### build-maven-zip:0.1 task parameters + +| name | description | default value | already set by | +| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | ------------------------------- | +| FILE_NAME | The zip bundle file name of archived artifacts | maven-repository | | +| IMAGE | Reference of the OCI-Artifact this build task will produce. | None | '$(params.output-image)' | +| IMAGE_EXPIRES_AFTER | Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. | | '$(params.image-expires-after)' | +| PREFETCH_ROOT | The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts. | maven-repository | | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. 
| trusted-ca | | + +### git-clone:0.1 task parameters + +| name | description | default value | already set by | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | -------------------- | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | +| deleteExisting | Clean out the contents of the destination directory if it already exists before cloning. | true | | +| depth | Perform a shallow clone, fetching only the most recent N commits. | 1 | | +| enableSymlinkCheck | Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true | | +| fetchTags | Fetch all tags for the repo. | false | | +| gitInitImage | Deprecated. Has no effect. Will be removed in the future. | | | +| httpProxy | HTTP proxy server for non-SSL requests. | | | +| httpsProxy | HTTPS proxy server for SSL requests. | | | +| noProxy | Opt out of proxying HTTP/HTTPS requests. | | | +| refspec | Refspec to fetch before checking out revision. | | | +| revision | Revision to checkout. (branch, tag, sha, ref, etc...) | | '$(params.revision)' | +| shortCommitLength | Length of short commit SHA | 7 | | +| sparseCheckoutDirectories | Define the directory patterns to match or exclude when performing a sparse checkout. | | | +| sslVerify | Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. | true | | +| subdirectory | Subdirectory inside the `output` Workspace to clone the repo into. | source | | +| submodules | Initialize and fetch git submodules. | true | | +| url | Repository URL to clone from. | None | '$(params.git-url)' | +| userHome | Absolute path to the user's home directory. 
Set this explicitly if you are running the image as a non-root user. | /tekton/home | | +| verbose | Log the commands that are executed during `git-clone`'s operation. | false | | + +### init:0.2 task parameters + +| name | description | default value | already set by | +| ----------- | ---------------------------------- | ------------- | ------------------------ | +| image-url | Image URL for build by PipelineRun | None | '$(params.output-image)' | +| rebuild | Rebuild the image if exists | false | '$(params.rebuild)' | +| skip-checks | Skip checks against built image | false | '$(params.skip-checks)' | + +### prefetch-dependencies:0.1 task parameters + +| name | description | default value | already set by | +| -------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------------- | -------------------------- | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | +| config-file-content | Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | +| dev-package-managers | Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false | | +| input | Configures project packages that will have their dependencies prefetched. | None | '$(params.prefetch-input)' | +| log-level | Set cachi2 log level (debug, info, warning, error) | info | | + +### sast-snyk-check:0.2 task parameters + +| name | description | default value | already set by | +| ------------ | ----------------------------------------- | ------------------------------------------ | ------------------------------------------------- | +| ARGS | Append arguments. 
| --all-projects --exclude=test*,vendor,deps | | +| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | | +| image-digest | Image digest to report findings for. | | '$(tasks.build-image-index.results.IMAGE_DIGEST)' | +| image-url | Image URL. | | '$(tasks.build-image-index.results.IMAGE_URL)' | + +### show-sbom:0.1 task parameters + +| name | description | default value | already set by | +| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------------------------------------- | +| CA_TRUST_CONFIG_MAP_KEY | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | +| CA_TRUST_CONFIG_MAP_NAME | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | +| IMAGE_URL | Fully qualified image name to show SBOM for. | None | '$(tasks.build-oci-artifact.results.IMAGE_URL)' | +| PLATFORM | Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64". 
| linux/amd64 | | + +### summary:0.2 task parameters + +| name | description | default value | already set by | +| ----------------- | ---------------------------------- | ------------- | -------------------------------------------------------------------------------------- | +| build-task-status | State of build task in pipelineRun | Succeeded | '$(tasks.build-oci-artifact.status)' | +| git-url | Git URL | None | '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)' | +| image-url | Image URL | None | '$(params.output-image)' | +| pipelinerun-name | pipeline-run to annotate | None | '$(context.pipelineRun.name)' | + +## Results + +| name | description | value | +| ----------------- | ----------- | ------------------------------------------------ | +| CHAINS-GIT_COMMIT | | $(tasks.clone-repository.results.commit) | +| CHAINS-GIT_URL | | $(tasks.clone-repository.results.url) | +| IMAGE_DIGEST | | $(tasks.build-oci-artifact.results.IMAGE_DIGEST) | +| IMAGE_URL | | $(tasks.build-oci-artifact.results.IMAGE_URL) | + +## Available results from tasks + +### build-maven-zip:0.1 task results + +| name | description | used in params (taskname:taskrefversion:taskparam) | +| ------------- | --------------------------------------------------------------------------------- | -------------------------------------------------- | +| IMAGE_DIGEST | Digest of the OCI-Artifact just built | | +| IMAGE_REF | OCI-Artifact reference of the built OCI-Artifact | | +| IMAGE_URL | OCI-Artifact repository and tag where the built OCI-Artifact was pushed | show-sbom:0.1:IMAGE_URL | +| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance | | + +### git-clone:0.1 task results + +| name | description | used in params (taskname:taskrefversion:taskparam) | +| ----------------- | ------------------------------------------------------------------------------------------------------------------------ | 
-------------------------------------------------- | +| CHAINS-GIT_COMMIT | The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | +| CHAINS-GIT_URL | The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | +| commit | The precise commit SHA that was fetched by this Task. | build-image-index:0.1:COMMIT_SHA | +| commit-timestamp | The commit timestamp of the checkout | | +| short-commit | The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters | | +| url | The precise URL that was fetched by this Task. | show-summary:0.2:git-url | + +### init:0.2 task results + +| name | description | used in params (taskname:taskrefversion:taskparam) | +| ----- | ------------------------------------------------------- | -------------------------------------------------- | +| build | Defines if the image in param image-url should be built | | + +### sast-snyk-check:0.2 task results + +| name | description | used in params (taskname:taskrefversion:taskparam) | +| ----------- | ------------------------ | -------------------------------------------------- | +| TEST_OUTPUT | Tekton task test output. 
| | + +### Workspaces + +| name | description | optional | used in tasks | +| --------- | ----------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| git-auth | | True | clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth | +| netrc | | True | prefetch-dependencies:0.1:netrc | +| workspace | | False | show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.2:workspace | + +## Available workspaces from tasks + +### build-maven-zip:0.1 task workspaces + +| name | description | optional | workspace from pipeline | +| ------ | ---------------------------------------------- | -------- | ----------------------- | +| source | Workspace containing the source code to build. | False | workspace | + +### git-clone:0.1 task workspaces + +| name | description | optional | workspace from pipeline | +| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | +| basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True | git-auth | +| output | The git repo will be cloned onto the volume backing this Workspace. 
| False | workspace | +| ssh-directory | A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True | | + +### prefetch-dependencies:0.1 task workspaces + +| name | description | optional | workspace from pipeline | +| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | +| git-basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True | git-auth | +| netrc | Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True | netrc | +| source | Workspace with the source code, cachi2 artifacts will be stored on the workspace as well | False | workspace | + +### summary:0.2 task workspaces + +| name | description | optional | workspace from pipeline | +| --------- | -------------------------------------------- | -------- | ----------------------- | +| workspace | The workspace where source code is included. | True | workspace | diff --git a/pipelines/maven-zip-build/kustomization.yaml b/pipelines/maven-zip-build/kustomization.yaml new file mode 100644 index 0000000000..64f7ba8a8b --- /dev/null +++ b/pipelines/maven-zip-build/kustomization.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../template-build + +patches: +- path: patch.yaml + target: + kind: Pipeline diff --git a/pipelines/maven-zip-build/patch.yaml b/pipelines/maven-zip-build/patch.yaml new file mode 100644 index 0000000000..a05243b9f0 --- /dev/null +++ b/pipelines/maven-zip-build/patch.yaml 
@@ -0,0 +1,128 @@ +--- +- op: add + path: /spec/description + value: | + This pipeline will build the maven zip to oci-artifact. + + _Uses `prefetch-dependencies` to fetch all artifacts which will be the content of the maven zip, and then uses `build-maven-zip` to create zip and push it to quay.io as oci-artifact. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-maven-zip-build?tab=tags)_ +- op: replace + path: /metadata/name + value: maven-zip-build +- op: replace + path: /metadata/labels + value: + "pipelines.openshift.io/used-by": "build-cloud" + "pipelines.openshift.io/runtime": "generic" + "pipelines.openshift.io/strategy": "maven-zip" +# Remove unused parameters from the template +# $ yq ".spec.params.[].name" pipelines/template-build/template-build.yaml | nl -v 0 +# 0 git-url +# 1 revision +# 2 output-image +# 3 path-context +# 4 dockerfile +# 5 rebuild +# 6 skip-checks +# 7 hermetic +# 8 prefetch-input +# 9 image-expires-after +# 10 build-source-image +# 11 build-image-index + +- op: remove + path: /spec/params/11 # build-image-index +- op: remove + path: /spec/params/10 # build-source-image +- op: remove + path: /spec/params/7 # hermetic +- op: remove + path: /spec/params/4 # dockerfile +- op: remove + path: /spec/params/3 # path-context +# Change default value of prefetch-input +- op: replace + path: /spec/params/5/default + value: "generic" +# Remove unused tasks +# kustomize build pipelines/template-build/ | yq ".spec.tasks.[].name" | nl -v 0 +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 apply-tags +# 12 push-dockerfile +# 13 rpms-signature-scan +- op: remove + path: /spec/tasks/13 # rpms-signature-scan +- op: remove + path: /spec/tasks/12 # push-dockerfile +- op: remove + 
path: /spec/tasks/11 # apply-tags +- op: remove + path: /spec/tasks/10 # clamav-scan +- op: remove + path: /spec/tasks/8 # ecosystem-cert-preflight-checks +- op: remove + path: /spec/tasks/7 # clair-scan +- op: remove + path: /spec/tasks/6 # deprecated-base-image-check +- op: remove + path: /spec/tasks/5 # build-source-image +- op: remove + path: /spec/tasks/4 # build-image-index +# Replace builda task by build-maven-zip task +- op: replace + path: /spec/tasks/3 + value: + name: build-oci-artifact + params: + - name: IMAGE + value: $(params.output-image) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + runAfter: + - prefetch-dependencies + taskRef: + name: build-maven-zip + version: "0.1" + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: source + workspace: workspace +# Replace the params set and runAfter of sast-snyk-check +- op: replace + path: /spec/tasks/4/params/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_DIGEST)" +- op: replace + path: /spec/tasks/4/params/1/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +- op: replace + path: /spec/tasks/4/runAfter + value: + - build-oci-artifact +# change pipeline results +- op: replace + path: /spec/results/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +- op: replace + path: /spec/results/1/value + value: "$(tasks.build-oci-artifact.results.IMAGE_DIGEST)" +# change finally show result +- op: replace + path: /spec/finally/0/params/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +- op: replace + path: /spec/finally/1/params/3/value + value: "$(tasks.build-oci-artifact.status)" diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index 5cd3595543..cd38c1a6db 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md 
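Review bot: The index-based `remove` ops rely on the task ordering listed in the comment (10 clamav-scan, 11 apply-tags, 12 push-dockerfile, 13 rpms-signature-scan), but the template-build.yaml hunk in this same diff inserts sast-coverity-check, coverity-availability-check, sast-shell-check and sast-unicode-check between clamav-scan and apply-tags; if both land together, `/spec/tasks/11` to `/spec/tasks/13` would remove three of the new SAST tasks instead, and apply-tags, push-dockerfile and rpms-signature-scan, which reference build-image-index results, would survive in a pipeline whose build-image-index task has been removed at index 4. The listing may have been generated from an earlier template revision, so re-running the `kustomize build pipelines/template-build/ | yq ".spec.tasks.[].name" | nl -v 0` command quoted in the comment against the post-change template would settle it. Because JSON Patch removes by position silently, guarding each remove with an RFC 6902 `test` op makes drift fail the build rather than delete the wrong task, e.g. `- op: test` / `  path: /spec/tasks/13/name` / `  value: rpms-signature-scan` immediately before the corresponding `remove`. The same applies to the `/spec/params/N` removes and to the `/spec/tasks/4` sast-snyk-check references further down, which are correct only for the ordering the comment documents.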
@@ -5,12 +5,12 @@ |---|---|---|---| |build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX| |build-source-image| Build a source image.| false| | -|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| | +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| | |image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-image-index:0.1:IMAGE_EXPIRES_AFTER| |output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-image-index:0.1:IMAGE| -|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT| +|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT ; push-dockerfile:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input| |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| 
@@ -72,6 +72,48 @@ |dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| | |input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| |log-level| Set cachi2 log level (debug, info, warning, error)| info| | +### push-dockerfile:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### rpms-signature-scan:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. 
| /tmp| | +### sast-coverity-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### sast-unicode-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|FIND_UNICODE_CONTROL_ARGS| arguments for find-unicode-control command.| -p bidi -v -d -t| | +|FIND_UNICODE_CONTROL_GIT_URL| URL from repository to find unicode control.| https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58| | +|KFP_GIT_URL| URL from repository to download known false positives files.| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. 
By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (defaults to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. | false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -99,9 +141,9 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_DIGEST| Digest of the image just built| push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| apply-tags:0.1:IMAGE| +|IMAGE_URL| Image repository and tag where the built image was pushed| sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
@@ -116,19 +158,37 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |build| Defines if the image in param image-url should be built| | +### push-dockerfile:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### rpms-signature-scan:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | +### sast-coverity-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-unicode-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | ### tkn-bundle:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url| ## Workspaces |name|description|optional|used in tasks |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; 
prefetch-dependencies:0.1:source ; build-container:0.1:source ; sast-coverity-check:0.1:workspace ; sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline @@ -142,6 +202,18 @@ |git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| |netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc| |source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace| +### push-dockerfile:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| +### sast-coverity-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| +### sast-unicode-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| ### summary:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 9d339b178b..863f8b6451 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -214,7 +214,7 @@ spec: - build-image-index taskRef: name: sast-snyk-check - version: "0.2" + version: "0.3" workspaces: - name: workspace workspace: workspace 
@@ -232,12 +232,85 @@ spec: - build-image-index taskRef: name: clamav-scan - version: "0.1" + version: "0.2" params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) + - name: sast-coverity-check + when: + - input: $(params.skip-checks) + operator: in + values: ["false"] + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: ["success"] + runAfter: + - coverity-availability-check + taskRef: + name: sast-coverity-check + version: "0.1" + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + workspaces: + - name: workspace + workspace: workspace + - name: coverity-availability-check + when: + - input: $(params.skip-checks) + operator: in + values: ["false"] + runAfter: + - build-image-index + taskRef: + name: coverity-availability-check + version: "0.1" + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + workspaces: + - name: workspace + workspace: workspace + - name: sast-shell-check + when: + - input: $(params.skip-checks) + operator: in + values: ["false"] + runAfter: + - build-image-index + taskRef: + name: sast-shell-check + version: "0.1" + workspaces: + - name: workspace + workspace: workspace + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: sast-unicode-check + when: + - input: $(params.skip-checks) + operator: in + values: ["false"] + runAfter: + - build-image-index + taskRef: + name: sast-unicode-check + version: "0.1" + workspaces: + - name: workspace + workspace: workspace + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) - name: apply-tags runAfter: - 
build-image-index diff --git a/policies/step-actions.yaml b/policies/step-actions.yaml new file mode 100644 index 0000000000..a3b26258ce --- /dev/null +++ b/policies/step-actions.yaml @@ -0,0 +1,16 @@ +--- +# These policies are meant to be applied to all of the Tasks in this repo. +sources: + - policy: + - github.com/enterprise-contract/ec-policies//policy/lib + - github.com/enterprise-contract/ec-policies//policy/stepaction + data: + - oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest + - github.com/release-engineering/rhtap-ec-policy//data + config: + include: + - stepaction.image + - stepaction.kind + # Support legacy matchers for now + - image + - kind diff --git a/renovate.json b/renovate.json index 83abfda31c..6d2a5ab4f2 100644 --- a/renovate.json +++ b/renovate.json @@ -92,6 +92,15 @@ ], "autoReplaceStringTemplate": "value: {{depName}}{{#if newValue}}:{{newValue}}{{/if}}{{#if newDigest}}@{{newDigest}}{{/if}}", "datasourceTemplate": "docker" + }, + { + "customType": "regex", + "fileMatch": [".github/workflows/run-task-tests.yaml"], + "matchStrings": ["ref:\\s+(?[a-f0-9]{40})"], + "currentValueTemplate": "main", + "depNameTemplate": "konflux-ci", + "packageNameTemplate": "https://github.com/konflux-ci/konflux-ci", + "datasourceTemplate": "git-refs" } ] } diff --git a/task-generator/remote/go.mod b/task-generator/remote/go.mod index 09edaf9f57..0649be0fe2 100644 --- a/task-generator/remote/go.mod +++ b/task-generator/remote/go.mod @@ -5,7 +5,7 @@ go 1.22.0 toolchain go1.23.2 require ( - github.com/tektoncd/pipeline v0.65.2 + github.com/tektoncd/pipeline v0.66.0 k8s.io/api v0.31.0 k8s.io/apimachinery v0.31.0 k8s.io/cli-runtime v0.30.3 diff --git a/task-generator/remote/go.sum b/task-generator/remote/go.sum index c1f6b27a15..a22a7020c2 100644 --- a/task-generator/remote/go.sum +++ b/task-generator/remote/go.sum 
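Review bot: sast-coverity-check and coverity-availability-check take `image-digest`/`image-url` from `$(tasks.build-container.results.*)`, while clamav-scan, sast-shell-check and sast-unicode-check in the same hunk read `$(tasks.build-image-index.results.*)`, and coverity-availability-check even declares `runAfter: build-image-index` without using its results. Unless Coverity deliberately needs the single-arch image, the scan target then differs from the image index that the rest of the pipeline tags and releases, so findings are reported against an artifact nobody consumes. Switching both tasks to `value: $(tasks.build-image-index.results.IMAGE_DIGEST)` and `value: $(tasks.build-image-index.results.IMAGE_URL)` keeps the scans on the released artifact; if build-container is intentional, a comment on those params saying why would stop the next reader from "fixing" it. The pipeline's task list continues outside the hunk.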
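Review bot: The `oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest` data source in policies/step-actions.yaml is a floating tag, so two evaluations of the same Task can be judged against different acceptable-bundle lists, and the `github.com/enterprise-contract/ec-policies//...` and `github.com/release-engineering/rhtap-ec-policy//data` sources carry no ref either. If that is intentional because the acceptable-bundles data is a rolling allowlist, say so next to the entry, e.g. `# intentionally unpinned: the acceptable-bundles list is updated continuously`; otherwise pin the data image by digest and the git sources by ref so policy results are reproducible.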
@@ -320,8 +320,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc= -github.com/tektoncd/pipeline v0.65.2 h1:N63Xb9uiunewPVDTz4nGamJOtVg+Q38Cy4LRpvr+2e4= -github.com/tektoncd/pipeline v0.65.2/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ= +github.com/tektoncd/pipeline v0.66.0 h1:WLL98YEgWzblSAD2mPbpZN97tkOC50wiftaW+8+6zTY= +github.com/tektoncd/pipeline v0.66.0/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= diff --git a/task-generator/trusted-artifacts/go.mod b/task-generator/trusted-artifacts/go.mod index 20c2daea9a..9ca88c966d 100644 --- a/task-generator/trusted-artifacts/go.mod +++ b/task-generator/trusted-artifacts/go.mod @@ -5,7 +5,7 @@ go 1.22.7 require ( github.com/google/go-cmp v0.6.0 github.com/google/go-containerregistry v0.20.2 - github.com/tektoncd/pipeline v0.65.2 + github.com/tektoncd/pipeline v0.66.0 github.com/zregvart/tkn-fmt v0.0.0-20240614122620-a2995427266c k8s.io/api v0.30.1 mvdan.cc/sh/v3 v3.10.0 diff --git a/task-generator/trusted-artifacts/go.sum b/task-generator/trusted-artifacts/go.sum index 06df7536ca..dcbb7636af 100644 --- a/task-generator/trusted-artifacts/go.sum +++ b/task-generator/trusted-artifacts/go.sum 
@@ -347,8 +347,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc= -github.com/tektoncd/pipeline v0.65.2 h1:N63Xb9uiunewPVDTz4nGamJOtVg+Q38Cy4LRpvr+2e4= -github.com/tektoncd/pipeline v0.65.2/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ= +github.com/tektoncd/pipeline v0.66.0 h1:WLL98YEgWzblSAD2mPbpZN97tkOC50wiftaW+8+6zTY= +github.com/tektoncd/pipeline v0.66.0/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ= github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck= github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY= diff --git a/task/build-image-index/0.1/build-image-index.yaml b/task/build-image-index/0.1/build-image-index.yaml index 2c185bdde9..48855b7937 100644 --- a/task/build-image-index/0.1/build-image-index.yaml +++ b/task/build-image-index/0.1/build-image-index.yaml @@ -163,7 +163,7 @@ spec: add: - SETFCAP - - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af + - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:f1c07f273536a00fa6539e2aa41b3fddab3bb282a157c9676572858bfd19d7e4 name: create-sbom computeResources: limits: diff --git a/task/build-maven-zip-oci-ta/0.1/README.md b/task/build-maven-zip-oci-ta/0.1/README.md new file mode 100644 index 0000000000..609744c5a6 --- /dev/null +++ b/task/build-maven-zip-oci-ta/0.1/README.md 
@@ -0,0 +1,25 @@
+# build-maven-zip-oci-ta task
+
+Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle and pushes the OCI-artifact into container registry.
+In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool.
+Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task.
+
+## Parameters
+|name|description|default value|required|
+|---|---|---|---|
+|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
+|FILE_NAME|The zip bundle file name of archived artifacts|maven-repository|false|
+|IMAGE|Reference of the OCI-Artifact this build task will produce.||true|
+|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
+|PREFETCH_ROOT|The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.|maven-repository|false|
+|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
+|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
+
+## Results
+|name|description|
+|---|---|
+|IMAGE_DIGEST|Digest of the OCI-Artifact just built|
+|IMAGE_REF|OCI-Artifact reference of the built OCI-Artifact|
+|IMAGE_URL|OCI-Artifact repository and tag where the built OCI-Artifact was pushed|
+|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance|
+
diff --git a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
new file mode 100644
index 0000000000..f212a9fb23
--- /dev/null
+++ b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml 
@@ -0,0 +1,209 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: build-maven-zip-oci-ta + annotations: + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/tags: maven-build, konflux + labels: + app.kubernetes.io/version: "0.1" + build.appstudio.redhat.com/build_type: maven-zip +spec: + description: |- + Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle and pushes the OCI-artifact into container registry. + In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool. + Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task. + params: + - name: CACHI2_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the prefetched dependencies. + type: string + default: "" + - name: FILE_NAME + description: The zip bundle file name of archived artifacts + type: string + default: maven-repository + - name: IMAGE + description: Reference of the OCI-Artifact this build task will produce. + type: string + - name: IMAGE_EXPIRES_AFTER + description: Delete image tag after specified time. Empty means to keep + the image tag. Time values could be something like 1h, 2d, 3w for + hours, days, and weeks, respectively. + type: string + default: "" + - name: PREFETCH_ROOT + description: The root directory of the artifacts under the prefetched + directory. Will be kept in the maven zip as the top directory for + all artifacts. + type: string + default: maven-repository + - name: caTrustConfigMapKey + description: The name of the key in the ConfigMap that contains the + CA bundle data. + type: string + default: ca-bundle.crt + - name: caTrustConfigMapName + description: The name of the ConfigMap to read CA bundle data from. 
+ type: string + default: trusted-ca + results: + - name: IMAGE_DIGEST + description: Digest of the OCI-Artifact just built + - name: IMAGE_REF + description: OCI-Artifact reference of the built OCI-Artifact + - name: IMAGE_URL + description: OCI-Artifact repository and tag where the built OCI-Artifact + was pushed + - name: SBOM_BLOB_URL + description: Reference of SBOM blob digest to enable digest-based verification + from provenance + type: string + volumes: + - name: shared + emptyDir: {} + - name: trusted-ca + configMap: + items: + - key: $(params.caTrustConfigMapKey) + path: ca-bundle.crt + name: $(params.caTrustConfigMapName) + optional: true + - name: workdir + emptyDir: {} + stepTemplate: + env: + - name: FILE_NAME + value: $(params.FILE_NAME) + - name: IMAGE + value: $(params.IMAGE) + - name: IMAGE_EXPIRES_AFTER + value: $(params.IMAGE_EXPIRES_AFTER) + - name: PKG_ROOT + value: $(params.PREFETCH_ROOT) + volumeMounts: + - mountPath: /shared + name: shared + - mountPath: /var/workdir + name: workdir + steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + args: + - use + - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + - name: prepare + image: quay.io/konflux-ci/appstudio-utils@sha256:1f31b6443c7d114cb3b6448136a9ef3730e9c72485e45172fc11c0176a86a267 + workingDir: /var/workdir + script: | + #!/bin/bash + set -euo pipefail + # Generate checksums for all maven artifact files. It will ignore the checksum files + # and signature files if they existed there + pkgpath="/var/workdir/cachi2/output/deps/generic" + if [ -d "$pkgpath/${PKG_ROOT}" ]; then + echo "Generating checksums for artifacts" + while IFS= read -r -d '' f; do + md5sum "$f" | awk '{print $1}' >"$f.md5" + sha1sum "$f" | awk '{print $1}' >"$f.sha1" + sha256sum "$f" | awk '{print $1}' >"$f.sha256" + done < <(find "$pkgpath/${PKG_ROOT}" -type f ! -name "*.md5" \ + ! -name "*.sha1" ! 
-name "*.sha128" ! -name "*.sha256" \ + ! -name "*.sha512" ! -name "*.asc" -print0) + # Bundle the artifacts and checksums together into a zip file + cd "$pkgpath" + echo "create maven zip to /var/workdir/cachi2/output/${FILE_NAME}.zip" + zip -rq "${FILE_NAME}.zip" "${PKG_ROOT}" + mv "${FILE_NAME}.zip" "/shared/${FILE_NAME}.zip" + else + echo "No ${PKG_ROOT} dir found, can not generate maven zip!" + exit 1 + fi + computeResources: + limits: + cpu: "4" + memory: 8Gi + requests: + cpu: "1" + memory: 2Gi + securityContext: + capabilities: + add: + - SETFCAP + - name: build + image: quay.io/konflux-ci/oras:latest@sha256:9d6db5840c70e65fefe041201cc7ffe2d1661bd0582b590b54787213ccfd76e9 + workingDir: /var/workdir + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + #!/bin/bash + set -euo pipefail + if [ -f "/shared/${FILE_NAME}.zip" ]; then + mv "/shared/${FILE_NAME}.zip" "./${FILE_NAME}.zip" + select-oci-auth "$IMAGE" >auth.json + [ -n "$IMAGE_EXPIRES_AFTER" ] && EXPIRE_LABEL=("--annotation" "quay.expires-after=$IMAGE_EXPIRES_AFTER") + oras push "$IMAGE" \ + --registry-config auth.json \ + "${EXPIRE_LABEL[@]}" \ + --artifact-type application/vnd.maven+zip "${FILE_NAME}.zip" + RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}") + echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)" + echo -n "${IMAGE}@${RESULTING_DIGEST}" | tee "$(results.IMAGE_REF.path)" + else + echo "The maven zip file is not found!" + exit 1 + fi + + # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later + if [ -f "/var/workdir/cachi2/output/bom.json" ]; then + cp -vf "/var/workdir/cachi2/output/bom.json" ./sbom-cyclonedx.json + else + echo "The SBOM file for fetched artifacts is not found!" 
+ exit 1 + fi + computeResources: + limits: + cpu: "4" + memory: 8Gi + requests: + cpu: "1" + memory: 2Gi + securityContext: + capabilities: + add: + - SETFCAP + - name: upload-sbom + image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 + workingDir: /var/workdir + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + #!/bin/bash + set -euo pipefail + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE" + + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_tag="sha256-$( <"$(results.IMAGE_DIGEST.path)" cut -d: -f2).sbom" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}:${sbom_tag}" | tee "$(results.SBOM_BLOB_URL.path)" + computeResources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi diff --git a/task/build-maven-zip-oci-ta/0.1/kustomization.yaml b/task/build-maven-zip-oci-ta/0.1/kustomization.yaml new file mode 100644 index 0000000000..67a215d2a3 --- /dev/null +++ b/task/build-maven-zip-oci-ta/0.1/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- build-maven-zip-oci-ta.yaml diff --git a/task/build-maven-zip-oci-ta/0.1/recipe.yaml b/task/build-maven-zip-oci-ta/0.1/recipe.yaml new file mode 100644 index 0000000000..8cd3b23209 --- /dev/null +++ b/task/build-maven-zip-oci-ta/0.1/recipe.yaml 
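Review bot: In the upload-sbom step, `cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE"` binds the SBOM to the mutable tag instead of the digest the build step just recorded in IMAGE_REF, so if the tag is moved between `oras push` and the attach, the SBOM lands on a different artifact than the one the results describe; the buildah-oci-ta change in this same PR switched to `"$(cat "$(results.IMAGE_REF.path)")"`, and the same argument works here. In the build step, `[ -n "$IMAGE_EXPIRES_AFTER" ] && EXPIRE_LABEL=(...)` leaves EXPIRE_LABEL undeclared whenever the param keeps its empty default, and under `set -u` the later `"${EXPIRE_LABEL[@]}"` aborts on bash older than 4.4 — I cannot see the bash version in the oras image, so initialising `EXPIRE_LABEL=()` before the test is the cheap fix. Both points apply to the base task build-maven-zip.yaml further down this page, and since recipe.yaml regenerates this file from that base, the fix belongs there.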
@@ -0,0 +1,14 @@
+---
+base: ../../build-maven-zip/0.1/build-maven-zip.yaml
+add:
+ - use-cachi2
+removeWorkspaces:
+ - source
+replacements:
+ workspaces.source.path: /var/workdir
+regexReplacements:
+ "/workspace(/.*)": /var/workdir$1
+description: |-
+ Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle and pushes the OCI-artifact into container registry.
+ In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool.
+ Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task.
diff --git a/task/build-maven-zip-oci-ta/OWNERS b/task/build-maven-zip-oci-ta/OWNERS
new file mode 100644
index 0000000000..f6b0d684ad
--- /dev/null
+++ b/task/build-maven-zip-oci-ta/OWNERS
@@ -0,0 +1,5 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+approvers:
+ - spmm-team
+reviewers:
+ - spmm-team
\ No newline at end of file
diff --git a/task/build-maven-zip/0.1/README.md b/task/build-maven-zip/0.1/README.md
new file mode 100644
index 0000000000..d33d9f7e27
--- /dev/null
+++ b/task/build-maven-zip/0.1/README.md
@@ -0,0 +1,28 @@
+# build-maven-zip task
+
+Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle and pushes the OCI-artifact into container registry.
+In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool.
+Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task.
+
+## Parameters
+|name|description|default value|required|
+|---|---|---|---|
+|IMAGE|Reference of the OCI-Artifact this build task will produce.||true|
+|PREFETCH_ROOT|The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.|maven-repository|false|
+|FILE_NAME|The zip bundle file name of archived artifacts|maven-repository|false|
+|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
+|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
+|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
+
+## Results
+|name|description|
+|---|---|
+|IMAGE_DIGEST|Digest of the OCI-Artifact just built|
+|IMAGE_URL|OCI-Artifact repository and tag where the built OCI-Artifact was pushed|
+|IMAGE_REF|OCI-Artifact reference of the built OCI-Artifact|
+|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance|
+
+## Workspaces
+|name|description|optional|
+|---|---|---|
+|source|Workspace containing the source code to build.|false|
\ No newline at end of file
diff --git a/task/build-maven-zip/0.1/build-maven-zip.yaml b/task/build-maven-zip/0.1/build-maven-zip.yaml
new file mode 100644
index 0000000000..44746710d7
--- /dev/null
+++ b/task/build-maven-zip/0.1/build-maven-zip.yaml
@@ -0,0 +1,194 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: build-maven-zip
+ annotations:
+ tekton.dev/pipelines.minVersion: "0.12.1"
+ tekton.dev/tags: "maven-build, konflux"
+ labels:
+ app.kubernetes.io/version: "0.1"
+ build.appstudio.redhat.com/build_type: "maven-zip"
+spec:
+ description: |-
+ Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle and pushes the OCI-artifact into container registry.
+ In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool.
+ Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task.
+ params:
+ - description: Reference of the OCI-Artifact this build task will produce.
+ name: IMAGE
+ type: string
+ - default: "maven-repository"
+ description: The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.
+ name: PREFETCH_ROOT
+ type: string
+ - default: "maven-repository"
+ description: The zip bundle file name of archived artifacts
+ name: FILE_NAME
+ type: string
+ - default: ""
+ description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
+ name: IMAGE_EXPIRES_AFTER
+ type: string
+ - name: caTrustConfigMapName
+ type: string
+ description: The name of the ConfigMap to read CA bundle data from.
+ default: trusted-ca
+ - name: caTrustConfigMapKey
+ type: string
+ description: The name of the key in the ConfigMap that contains the CA bundle data.
+ default: ca-bundle.crt
+
+ results:
+ - description: Digest of the OCI-Artifact just built
+ name: IMAGE_DIGEST
+ - description: OCI-Artifact repository and tag where the built OCI-Artifact was pushed
+ name: IMAGE_URL
+ - description: OCI-Artifact reference of the built OCI-Artifact
+ name: IMAGE_REF
+ - name: SBOM_BLOB_URL
+ description: Reference of SBOM blob digest to enable digest-based verification from provenance
+ type: string
+ stepTemplate:
+ env:
+ - name: IMAGE
+ value: $(params.IMAGE)
+ - name: PKG_ROOT
+ value: $(params.PREFETCH_ROOT)
+ - name: FILE_NAME
+ value: $(params.FILE_NAME)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.IMAGE_EXPIRES_AFTER)
+ volumeMounts:
+ - mountPath: /shared
+ name: shared
+
+ steps:
+ - image: quay.io/konflux-ci/appstudio-utils@sha256:1f31b6443c7d114cb3b6448136a9ef3730e9c72485e45172fc11c0176a86a267
+ name: prepare
+ computeResources:
+ limits:
+ memory: 8Gi
+ cpu: '4'
+ requests:
+ memory: 2Gi
+ cpu: '1'
+ script: |
+ #!/bin/bash
+ set -euo pipefail
+ # Generate checksums for all maven artifact files. It will ignore the checksum files
+ # and signature files if they existed there
+ pkgpath="$(workspaces.source.path)/cachi2/output/deps/generic"
+ if [ -d "$pkgpath/${PKG_ROOT}" ]; then
+ echo "Generating checksums for artifacts"
+ while IFS= read -r -d '' f
+ do
+ md5sum "$f" | awk '{print $1}'> "$f.md5"
+ sha1sum "$f" | awk '{print $1}'> "$f.sha1"
+ sha256sum "$f" | awk '{print $1}'> "$f.sha256"
+ done < <(find "$pkgpath/${PKG_ROOT}" -type f ! -name "*.md5" \
+ ! -name "*.sha1" ! -name "*.sha128" ! -name "*.sha256" \
+ ! -name "*.sha512" ! -name "*.asc" -print0)
+ # Bundle the artifacts and checksums together into a zip file
+ cd "$pkgpath"
+ echo "create maven zip to $(workspaces.source.path)/cachi2/output/${FILE_NAME}.zip"
+ zip -rq "${FILE_NAME}.zip" "${PKG_ROOT}"
+ mv "${FILE_NAME}.zip" "/shared/${FILE_NAME}.zip"
+ else
+ echo "No ${PKG_ROOT} dir found, can not generate maven zip!"
+ exit 1
+ fi
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ workingDir: $(workspaces.source.path)
+ - image: quay.io/konflux-ci/oras:latest@sha256:9d6db5840c70e65fefe041201cc7ffe2d1661bd0582b590b54787213ccfd76e9
+ name: build
+ computeResources:
+ limits:
+ memory: 8Gi
+ cpu: '4'
+ requests:
+ memory: 2Gi
+ cpu: '1'
+ script: |
+ #!/bin/bash
+ set -euo pipefail
+ if [ -f "/shared/${FILE_NAME}.zip" ]; then
+ mv "/shared/${FILE_NAME}.zip" "./${FILE_NAME}.zip"
+ select-oci-auth "$IMAGE" > auth.json
+ [ -n "$IMAGE_EXPIRES_AFTER" ] && EXPIRE_LABEL=("--annotation" "quay.expires-after=$IMAGE_EXPIRES_AFTER")
+ oras push "$IMAGE" \
+ --registry-config auth.json \
+ "${EXPIRE_LABEL[@]}" \
+ --artifact-type application/vnd.maven+zip "${FILE_NAME}.zip"
+ RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}")
+ echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
+ echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)"
+ echo -n "${IMAGE}@${RESULTING_DIGEST}" | tee "$(results.IMAGE_REF.path)"
+ else
+ echo "The maven zip file is not found!"
+ exit 1
+ fi
+
+ # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
+ if [ -f "$(workspaces.source.path)/cachi2/output/bom.json" ]; then
+ cp -vf "$(workspaces.source.path)/cachi2/output/bom.json" ./sbom-cyclonedx.json
+ else
+ echo "The SBOM file for fetched artifacts is not found!"
+ exit 1
+ fi
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ volumeMounts:
+ - name: trusted-ca
+ mountPath: /mnt/trusted-ca
+ readOnly: true
+ workingDir: $(workspaces.source.path)
+ - name: upload-sbom
+ image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+ script: |
+ #!/bin/bash
+ set -euo pipefail
+ ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+ if [ -f "$ca_bundle" ]; then
+ echo "INFO: Using mounted CA bundle: $ca_bundle"
+ cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
+ update-ca-trust
+ fi
+
+ cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE"
+
+ # Remove tag from IMAGE while allowing registry to contain a port number.
+ sbom_repo="${IMAGE%:*}"
+ sbom_tag="sha256-$(< "$(results.IMAGE_DIGEST.path)" cut -d: -f2).sbom"
+ # The SBOM_BLOB_URL is created by `cosign attach sbom`.
+ echo -n "${sbom_repo}:${sbom_tag}" | tee "$(results.SBOM_BLOB_URL.path)"
+ computeResources:
+ limits:
+ memory: 512Mi
+ cpu: 200m
+ requests:
+ memory: 256Mi
+ cpu: 100m
+ volumeMounts:
+ - name: trusted-ca
+ mountPath: /mnt/trusted-ca
+ readOnly: true
+ workingDir: $(workspaces.source.path)
+
+ volumes:
+ - name: shared
+ emptyDir: {}
+ - name: trusted-ca
+ configMap:
+ name: $(params.caTrustConfigMapName)
+ items:
+ - key: $(params.caTrustConfigMapKey)
+ path: ca-bundle.crt
+ optional: true
+ workspaces:
+ - name: source
+ description: Workspace containing the source code to build.
diff --git a/task/build-maven-zip/0.1/kustomization.yaml b/task/build-maven-zip/0.1/kustomization.yaml
new file mode 100644
index 0000000000..12b56152c0
--- /dev/null
+++ b/task/build-maven-zip/0.1/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- build-maven-zip.yaml
diff --git a/task/build-maven-zip/OWNERS b/task/build-maven-zip/OWNERS
new file mode 100644
index 0000000000..890ac12991
--- /dev/null
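Review bot: The comment `# Remove tag from IMAGE while allowing registry to contain a port number.` above `sbom_repo="${IMAGE%:*}"` in upload-sbom overstates what the expansion does: `%:*` strips from the last colon, which is the port whenever IMAGE carries a port but no tag (`registry:5000/ns/artifact` becomes `registry`). If the pipeline always passes a tagged IMAGE, state that where the value is derived, e.g. `# assumes IMAGE is always tag-qualified; with a port and no tag this would strip the port`. The task description (and the README) also says that without prefetch output "there will not be any output from this task", while the prepare step does `exit 1` when the directory is missing, so the description should say the task fails rather than produces nothing. The same text is in the generated build-maven-zip-oci-ta.yaml above.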
+++ b/task/build-maven-zip/OWNERS @@ -0,0 +1,5 @@ +# See the OWNERS docs: https://go.k8s.io/owners +approvers: + - spmm-team +reviewers: + - spmm-team diff --git a/task/buildah-min/0.2/patch.yaml b/task/buildah-min/0.2/patch.yaml index 491c6e4778..b37fcc2707 100644 --- a/task/buildah-min/0.2/patch.yaml +++ b/task/buildah-min/0.2/patch.yaml @@ -14,7 +14,7 @@ - op: replace path: /spec/steps/0/computeResources/requests/cpu value: 100m -# sbom-syft-generate step +# push step - op: replace path: /spec/steps/1/computeResources/limits/memory value: 2Gi @@ -23,24 +23,24 @@ value: 512Mi - op: replace path: /spec/steps/1/computeResources/limits/cpu - value: 1 + value: 500m - op: replace path: /spec/steps/1/computeResources/requests/cpu - value: 50m -# analyse-dependencies-java-sbom step + value: 100m +# sbom-syft-generate step - op: replace path: /spec/steps/2/computeResources/limits/memory - value: 256Mi + value: 2Gi - op: replace path: /spec/steps/2/computeResources/requests/memory - value: 128Mi + value: 512Mi - op: replace path: /spec/steps/2/computeResources/limits/cpu - value: 100m + value: 1 - op: replace path: /spec/steps/2/computeResources/requests/cpu - value: 10m -# prepare-sboms step + value: 50m +# analyse-dependencies-java-sbom step - op: replace path: /spec/steps/3/computeResources/limits/memory value: 256Mi 
@@ -53,29 +53,29 @@ - op: replace path: /spec/steps/3/computeResources/requests/cpu value: 10m -# inject-sbom-and-push step +# prepare-sboms step - op: replace path: /spec/steps/4/computeResources/limits/memory - value: 2Gi + value: 256Mi - op: replace path: /spec/steps/4/computeResources/requests/memory - value: 512Mi + value: 128Mi - op: replace path: /spec/steps/4/computeResources/limits/cpu - value: 2 + value: 100m - op: replace path: /spec/steps/4/computeResources/requests/cpu - value: 100m + value: 10m # upload-sbom step - op: replace path: /spec/steps/5/computeResources/limits/memory - value: 256Mi + value: 2Gi - op: replace path: /spec/steps/5/computeResources/requests/memory - value: 128Mi + value: 512Mi - op: replace path: /spec/steps/5/computeResources/limits/cpu - value: 100m + value: 2 - op: replace path: /spec/steps/5/computeResources/requests/cpu - value: 10m + value: 100m diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 7a0ecf4764..4e5bdf7c8d 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -7,7 +7,7 @@ metadata: tekton.dev/pipelines.minVersion: 0.12.1 tekton.dev/tags: image-build, konflux labels: - app.kubernetes.io/version: "0.2" + app.kubernetes.io/version: 0.2.1 build.appstudio.redhat.com/build_type: docker spec: description: |- 
@@ -546,6 +546,75 @@ spec: capabilities: add: - SETFCAP + - name: push + image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c + workingDir: /var/workdir + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + script: | + #!/bin/bash + set -e + + retry() { + status=-1 + max_run=5 + sleep_sec=10 + + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec + "$@" && break || status=$? + done + return $status + } + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" + if ! retry buildah push \ + --tls-verify="$TLSVERIFY" \ + "$IMAGE" \ + "docker://${IMAGE%:*}:$(context.taskRun.name)"; then + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + exit 1 + fi + + echo "Pushing to ${IMAGE}" + if ! retry buildah push \ + --tls-verify="$TLSVERIFY" \ + --digestfile "/var/workdir/image-digest" "$IMAGE" \ + "docker://$IMAGE"; then + echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + exit 1 + fi + + cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "/var/workdir/image-digest" + } >"$(results.IMAGE_REF.path)" + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi + securityContext: + capabilities: + add: + - SETFCAP + runAsUser: 0 - name: sbom-syft-generate image: registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9:1.4.1@sha256:34d7065427085a31dc4949bd283c001b91794d427e1e4cdf1b21ea4faf9fee3f workingDir: /var/workdir/source 
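Review bot: Both failure messages in the new push step still say `Failed to push sbom image to ...`, but this step pushes the freshly built image before any SBOM exists (the SBOM is attached by the later upload-sbom step), so the wording will mis-direct whoever triages a push failure; change them to `echo "Failed to push image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"` and `echo "Failed to push image to $IMAGE after ${max_run} tries"`. The result writes are also the only unquoted expansions in the step: `cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)` and `echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)` should quote the result paths like the IMAGE_REF write directly below them does, and the first can drop the `cat` in favour of a `<` redirection. `${max_run}` in the messages relies on `retry` having leaked the variable as a global, which deserves a one-line comment in the helper so nobody makes it `local`.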
@@ -590,7 +659,7 @@ spec: securityContext: runAsUser: 0 - name: prepare-sboms - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af + image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:f1c07f273536a00fa6539e2aa41b3fddab3bb282a157c9676572858bfd19d7e4 workingDir: /var/workdir script: | echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json" @@ -602,14 +671,23 @@ spec: mv sbom-temp.json sbom-cyclonedx.json fi - echo "Creating sbom-purl.json" - python3 /scripts/create_purl_sbom.py - echo "Adding base images data to sbom-cyclonedx.json" python3 /scripts/base_images_sbom_script.py \ --sbom=sbom-cyclonedx.json \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests + + echo "Adding image reference to sbom" + IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")" + IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")" + + python3 /scripts/add_image_reference.py \ + --image-url "$IMAGE_URL" \ + --image-digest "$IMAGE_DIGEST" \ + --input-file sbom-cyclonedx.json \ + --output-file /tmp/sbom-cyclonedx.tmp.json + + mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json computeResources: limits: cpu: 200m 
@@ -619,31 +697,15 @@ spec: memory: 256Mi securityContext: runAsUser: 0 - - name: inject-sbom-and-push - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c + - name: upload-sbom + image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8 workingDir: /var/workdir volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - mountPath: /mnt/trusted-ca name: trusted-ca readOnly: true script: | #!/bin/bash - set -e - - retry() { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then 
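Review bot: The `- set -e` line after `#!/bin/bash` is dropped from the script that becomes `upload-sbom`, so `cp`/`update-ca-trust` and the `cosign attach sbom` call later in this step can fail without failing the step. The step's remaining lines (outside this hunk) still write `SBOM_BLOB_URL`, so a build could finish green with no SBOM in the registry while its results advertise one. Keep strict mode: `#!/bin/bash` followed by `set -euo pipefail`. The step's script continues past the end of this hunk.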
@@ -652,77 +714,13 @@ spec: update-ca-trust fi - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE - - echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ - --tls-verify="$TLSVERIFY" \ - "$IMAGE" \ - "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" - exit 1 - fi - - echo "Pushing to ${IMAGE}" - if ! retry buildah push \ - --tls-verify="$TLSVERIFY" \ - --digestfile "/var/workdir/image-digest" "$IMAGE" \ - "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" - exit 1 - fi - - cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - { - echo -n "${IMAGE}@" - cat "/var/workdir/image-digest" - } >"$(results.IMAGE_REF.path)" + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" # Remove tag from IMAGE while allowing registry to contain a port number. sbom_repo="${IMAGE%:*}" sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" # The SBOM_BLOB_URL is created by `cosign attach sbom`. 
echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi - securityContext: - capabilities: - add: - - SETFCAP - runAsUser: 0 - - name: upload-sbom - image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8 - workingDir: /var/workdir - volumeMounts: - - mountPath: /mnt/trusted-ca - name: trusted-ca - readOnly: true - script: | - ca_bundle=/mnt/trusted-ca/ca-bundle.crt - if [ -f "$ca_bundle" ]; then - echo "INFO: Using mounted CA bundle: $ca_bundle" - cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors - update-ca-trust - fi - - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" computeResources: limits: cpu: 200m diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 954bb01d48..ce75471d4e 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -6,7 +6,7 @@ metadata: tekton.dev/tags: image-build, konflux creationTimestamp: null labels: - app.kubernetes.io/version: "0.2" + app.kubernetes.io/version: 0.2.1 build.appstudio.redhat.com/build_type: docker name: buildah-remote-oci-ta spec: 
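Review bot: `SBOM_BLOB_URL` is written unconditionally from `sha256sum sbom-cyclonedx.json` right after `cosign attach sbom`, but nothing checks that the attach succeeded, and the earlier hunk in this file removes `set -e` from the same script, so a failed attach leaves a result pointing at a blob that was never uploaded. Guard the call: `cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" || exit 1`. The comment `The SBOM_BLOB_URL is created by cosign attach sbom` is also misleading as written, since the digest is computed locally; `# The blob digest is the sha256 of the local SBOM file, which is the content cosign attach sbom uploads` would be accurate. `sbom_repo="${IMAGE%:*}"` only preserves a registry port when `IMAGE` carries a tag; if an untagged reference with a port can reach here (not visible from this hunk), the port would be stripped instead.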
@@ -642,6 +642,79 @@ spec: name: ssh readOnly: true workingDir: /var/workdir + - computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi + image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c + name: push + script: | + #!/bin/bash + set -e + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE + fi + + retry() { + status=-1 + max_run=5 + sleep_sec=10 + + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec + "$@" && break || status=$? + done + return $status + } + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" + if ! retry buildah push \ + --tls-verify="$TLSVERIFY" \ + "$IMAGE" \ + "docker://${IMAGE%:*}:$(context.taskRun.name)"; then + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + exit 1 + fi + + echo "Pushing to ${IMAGE}" + if ! retry buildah push \ + --tls-verify="$TLSVERIFY" \ + --digestfile "/var/workdir/image-digest" "$IMAGE" \ + "docker://$IMAGE"; then + echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + exit 1 + fi + + cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "/var/workdir/image-digest" + } >"$(results.IMAGE_REF.path)" + securityContext: + capabilities: + add: + - SETFCAP + runAsUser: 0 + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + workingDir: /var/workdir - computeResources: limits: cpu: "2" 
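Review bot: The log line `echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"` reads an environment variable that nothing in this hunk sets, while the push target and the failure message use `$(context.taskRun.name)`; if `TASKRUN_NAME` is not provided in the step's `env` (outside this hunk), the log prints an empty tag and misreports the destination. Use the same expansion in all three places: `echo "Pushing to ${IMAGE%:*}:$(context.taskRun.name)"`. The unquoted `cp -vf $ca_bundle ...` should also be `cp -vf "$ca_bundle" /etc/pki/ca-trust/source/anchors`, matching the quoting used on every other path in this script.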
@@ -704,7 +777,7 @@ spec: requests: cpu: 100m memory: 256Mi - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af + image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:f1c07f273536a00fa6539e2aa41b3fddab3bb282a157c9676572858bfd19d7e4 name: prepare-sboms script: | #!/bin/bash 
@@ -722,108 +795,25 @@ spec: mv sbom-temp.json sbom-cyclonedx.json fi - echo "Creating sbom-purl.json" - python3 /scripts/create_purl_sbom.py - echo "Adding base images data to sbom-cyclonedx.json" python3 /scripts/base_images_sbom_script.py \ --sbom=sbom-cyclonedx.json \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests - securityContext: - runAsUser: 0 - workingDir: /var/workdir - - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c - name: inject-sbom-and-push - script: | - #!/bin/bash - set -e - if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then - IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" - export IMAGE - fi - - retry() { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? 
- done - return $status - } - - ca_bundle=/mnt/trusted-ca/ca-bundle.crt - if [ -f "$ca_bundle" ]; then - echo "INFO: Using mounted CA bundle: $ca_bundle" - cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors - update-ca-trust - fi - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi + echo "Adding image reference to sbom" + IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")" + IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")" - buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE + python3 /scripts/add_image_reference.py \ + --image-url "$IMAGE_URL" \ + --image-digest "$IMAGE_DIGEST" \ + --input-file sbom-cyclonedx.json \ + --output-file /tmp/sbom-cyclonedx.tmp.json - echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ - --tls-verify="$TLSVERIFY" \ - "$IMAGE" \ - "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" - exit 1 - fi - - echo "Pushing to ${IMAGE}" - if ! 
retry buildah push \ - --tls-verify="$TLSVERIFY" \ - --digestfile "/var/workdir/image-digest" "$IMAGE" \ - "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" - exit 1 - fi - - cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - { - echo -n "${IMAGE}@" - cat "/var/workdir/image-digest" - } >"$(results.IMAGE_REF.path)" - - # Remove tag from IMAGE while allowing registry to contain a port number. - sbom_repo="${IMAGE%:*}" - sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" - # The SBOM_BLOB_URL is created by `cosign attach sbom`. - echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json securityContext: - capabilities: - add: - - SETFCAP runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /mnt/trusted-ca - name: trusted-ca - readOnly: true workingDir: /var/workdir - computeResources: limits: @@ -836,11 +826,7 @@ spec: name: upload-sbom script: | #!/bin/bash - set -e - if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then - IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" - export IMAGE - fi + ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" @@ -849,6 +835,12 @@ spec: fi cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" volumeMounts: - mountPath: /mnt/trusted-ca name: trusted-ca 
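Review bot: The `@@ -836,11 +826,7 @@` hunk removes `set -e` from `upload-sbom`, and the `@@ -849,6 +835,12 @@` hunk then adds the `SBOM_BLOB_URL` write immediately after `cosign attach sbom` with no check of its exit status; without strict mode a failed attach (or a failed `update-ca-trust` that then breaks TLS to the registry) leaves the step green, the image published without an SBOM, and a result naming a blob the registry never received. Restore `set -euo pipefail` after `#!/bin/bash`, or at minimum `cosign attach sbom ... || exit 1`. Dropping the `IMAGE_APPEND_PLATFORM` rewrite from this step looks safe for tagged images because `${IMAGE%:*}` strips the platform-suffixed tag as well, but a one-line comment saying so would spare the next reader the same analysis.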
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index 371fac0c1e..9f2c2d0b0e 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -6,7 +6,7 @@ metadata:
 tekton.dev/tags: image-build, konflux
 creationTimestamp: null
 labels:
- app.kubernetes.io/version: "0.2"
+ app.kubernetes.io/version: 0.2.1
 build.appstudio.redhat.com/build_type: docker
 name: buildah-remote
 spec:
@@ -620,6 +620,81 @@ spec: name: ssh readOnly: true workingDir: $(workspaces.source.path) + - computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi + image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c + name: push + script: | + #!/bin/bash + set -e + if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then + IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" + export IMAGE + fi + + retry () { + status=-1 + max_run=5 + sleep_sec=10 + + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec + "$@" && break || status=$? + done + return $status + } + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" + if ! retry buildah push \ + --tls-verify="$TLSVERIFY" \ + "$IMAGE" \ + "docker://${IMAGE%:*}:$(context.taskRun.name)"; + then + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + exit 1 + fi + + echo "Pushing to ${IMAGE}" + if ! retry buildah push \ + --tls-verify="$TLSVERIFY" \ + --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ + "docker://$IMAGE"; + then + echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + exit 1 + fi + + cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" + securityContext: + capabilities: + add: + - SETFCAP + runAsUser: 0 + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + workingDir: $(workspaces.source.path) - computeResources: limits: cpu: "2" 
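Review bot: Style: `cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors` is the only unquoted path expansion in an otherwise carefully quoted script, and `cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)` is a needless `cat` with an unquoted substitution. Write `cp -vf "$ca_bundle" /etc/pki/ca-trust/source/anchors` and `tee "$(results.IMAGE_DIGEST.path)" < "$(workspaces.source.path)/image-digest"`. The two error messages still read `Failed to push sbom image ...` although this step now pushes the plain build output before any SBOM step runs; `Failed to push image to ...` would describe it accurately.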
@@ -682,7 +757,7 @@ spec: requests: cpu: 100m memory: 256Mi - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af + image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:f1c07f273536a00fa6539e2aa41b3fddab3bb282a157c9676572858bfd19d7e4 name: prepare-sboms script: | #!/bin/bash 
@@ -700,110 +775,25 @@ spec: mv sbom-temp.json sbom-cyclonedx.json fi - echo "Creating sbom-purl.json" - python3 /scripts/create_purl_sbom.py - echo "Adding base images data to sbom-cyclonedx.json" python3 /scripts/base_images_sbom_script.py \ --sbom=sbom-cyclonedx.json \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests - securityContext: - runAsUser: 0 - workingDir: $(workspaces.source.path) - - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c - name: inject-sbom-and-push - script: | - #!/bin/bash - set -e - if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then - IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" - export IMAGE - fi - retry () { - status=-1 - max_run=5 - sleep_sec=10 + echo "Adding image reference to sbom" + IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")" + IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")" - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? 
- done - return $status - } + python3 /scripts/add_image_reference.py \ + --image-url "$IMAGE_URL" \ + --image-digest "$IMAGE_DIGEST" \ + --input-file sbom-cyclonedx.json \ + --output-file /tmp/sbom-cyclonedx.tmp.json - ca_bundle=/mnt/trusted-ca/ca-bundle.crt - if [ -f "$ca_bundle" ]; then - echo "INFO: Using mounted CA bundle: $ca_bundle" - cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors - update-ca-trust - fi - - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE - - echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ - --tls-verify="$TLSVERIFY" \ - "$IMAGE" \ - "docker://${IMAGE%:*}:$(context.taskRun.name)"; - then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" - exit 1 - fi - - echo "Pushing to ${IMAGE}" - if ! retry buildah push \ - --tls-verify="$TLSVERIFY" \ - --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ - "docker://$IMAGE"; - then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" - exit 1 - fi - - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - { - echo -n "${IMAGE}@" - cat "$(workspaces.source.path)/image-digest" - } > "$(results.IMAGE_REF.path)" - - # Remove tag from IMAGE while allowing registry to contain a port number. 
- sbom_repo="${IMAGE%:*}" - sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" - # The SBOM_BLOB_URL is created by `cosign attach sbom`. - echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" + mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json securityContext: - capabilities: - add: - - SETFCAP runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /mnt/trusted-ca - name: trusted-ca - readOnly: true workingDir: $(workspaces.source.path) - computeResources: limits: @@ -816,11 +806,7 @@ spec: name: upload-sbom script: | #!/bin/bash - set -e - if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then - IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" - export IMAGE - fi + ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" @@ -829,6 +815,12 @@ spec: fi cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" + + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" volumeMounts: - mountPath: /mnt/trusted-ca name: trusted-ca diff --git a/task/buildah/0.2/README.md b/task/buildah/0.2/README.md index 4ad54020df..6be68eb10e 100644 --- a/task/buildah/0.2/README.md +++ b/task/buildah/0.2/README.md 
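Review bot: In the `@@ -816,11 +806,7 @@` hunk `upload-sbom` loses `set -e` and gets no replacement, so the `cosign attach sbom` that the next hunk follows with the `SBOM_BLOB_URL` write can fail silently; the step then reports success and a blob URL for an SBOM that is not in the registry. The same applies to the CA bundle install: a failed `cp` or `update-ca-trust` is ignored and cosign simply proceeds without the custom CA. Add `set -euo pipefail` after `#!/bin/bash`. If the intent was to make SBOM upload best-effort, that needs an explicit comment, and the result should then not be written on failure.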
@@ -6,43 +6,49 @@ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. ## Parameters -|name|description|default value|required| -|---|---|---|---| -|IMAGE|Reference of the image buildah will produce.||true| -|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| -|CONTEXT|Path to the directory to use as context.|.|false| -|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| -|HERMETIC|Determines if build will be executed without network access.|false|false| -|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| -|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| -|COMMIT_SHA|The image is built from this commit.|""|false| -|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| -|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| -|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| -|TARGET_STAGE|Target stage in Dockerfile to build. 
If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| -|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| -|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| -|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| -|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| -|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| -|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| -|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| -|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| -|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| -|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| -|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| +| name | description | default value | required | +| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | -------- | +| IMAGE | Reference of the image buildah will produce. | | true | +| DOCKERFILE | Path to the Dockerfile to build. | ./Dockerfile | false | +| CONTEXT | Path to the directory to use as context. | . | false | +| TLSVERIFY | Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) | true | false | +| HERMETIC | Determines if build will be executed without network access. 
| false | false | +| PREFETCH_INPUT | In case it is not empty, the prefetched content should be made available to the build. | "" | false | +| IMAGE_EXPIRES_AFTER | Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. | "" | false | +| COMMIT_SHA | The image is built from this commit. | "" | false | +| YUM_REPOS_D_SRC | Path in the git repository in which yum repository files are stored | repos.d | false | +| YUM_REPOS_D_FETCHED | Path in source workspace where dynamically-fetched repos are present | fetched.repos.d | false | +| YUM_REPOS_D_TARGET | Target path on the container in which yum repository files should be made available | /etc/yum.repos.d | false | +| TARGET_STAGE | Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage. | "" | false | +| ENTITLEMENT_SECRET | Name of secret which contains the entitlement certificates | etc-pki-entitlement | false | +| ACTIVATION_KEY | Name of secret which contains subscription activation key | activation-key | false | +| ADDITIONAL_SECRET | Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET | does-not-exist | false | +| BUILD_ARGS | Array of --build-arg values ("arg=value" strings) | [] | false | +| BUILD_ARGS_FILE | Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file | "" | false | +| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | false | +| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. 
| ca-bundle.crt | false | +| ADD_CAPABILITIES | Comma separated list of extra capabilities to add when running 'buildah build' | "" | false | +| SQUASH | Squash all new and previous layers added as a part of this build, as per --squash | false | false | +| STORAGE_DRIVER | Storage driver to configure for buildah | vfs | false | +| SKIP_UNUSED_STAGES | Whether to skip stages in Containerfile that seem unused by subsequent stages | true | false | ## Results -|name|description| -|---|---| -|IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository and tag where the built image was pushed| -|IMAGE_REF|Image reference of the built image| -|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| -|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| -|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| +| name | description | +| --------------------------- | --------------------------------------------------------------------------------- | +| IMAGE_DIGEST | Digest of the image just built | +| IMAGE_URL | Image repository and tag where the built image was pushed | +| IMAGE_REF | Image reference of the built image | +| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance | +| SBOM_JAVA_COMPONENTS_COUNT | The counting of Java components by publisher in JSON format | +| JAVA_COMMUNITY_DEPENDENCIES | The Java dependencies that came from community sources such as Maven central. | ## Workspaces -|name|description|optional| -|---|---|---| -|source|Workspace containing the source code to build.|false| +| name | description | optional | +| ------ | ---------------------------------------------- | -------- | +| source | Workspace containing the source code to build. | false | + + +## Changes in 0.2.1 +- Added image reference to the SBOM output file. 
+- Re-arranged steps to push image first and then generate and push SBOM file.
+- Remove SBOM file stored in the image under `/root/buildinfo/content_manifests/`
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index 9da3a89fc8..3a6a9f70a9 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -2,7 +2,7 @@ apiVersion: tekton.dev/v1
 kind: Task
 metadata:
 labels:
- app.kubernetes.io/version: "0.2"
+ app.kubernetes.io/version: "0.2.1"
 build.appstudio.redhat.com/build_type: "docker"
 annotations:
 tekton.dev/pipelines.minVersion: "0.12.1"
@@ -487,6 +487,79 @@ spec: readOnly: true workingDir: $(workspaces.source.path) + - name: push + image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c + computeResources: + limits: + memory: 4Gi + cpu: '4' + requests: + memory: 1Gi + cpu: '1' + script: | + #!/bin/bash + set -e + + retry () { + status=-1 + max_run=5 + sleep_sec=10 + + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec + "$@" && break || status=$? + done + return $status + } + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" + if ! retry buildah push \ + --tls-verify="$TLSVERIFY" \ + "$IMAGE" \ + "docker://${IMAGE%:*}:$(context.taskRun.name)"; + then + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + exit 1 + fi + + echo "Pushing to ${IMAGE}" + if ! 
retry buildah push \ + --tls-verify="$TLSVERIFY" \ + --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ + "docker://$IMAGE"; + then + echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + exit 1 + fi + + cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" + + securityContext: + runAsUser: 0 + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - name: trusted-ca + mountPath: /mnt/trusted-ca + readOnly: true + workingDir: $(workspaces.source.path) + - name: sbom-syft-generate image: registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9:1.4.1@sha256:34d7065427085a31dc4949bd283c001b91794d427e1e4cdf1b21ea4faf9fee3f # Respect Syft configuration if the user has it in the root of their repository @@ -534,7 +607,7 @@ spec: runAsUser: 0 - name: prepare-sboms - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af + image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:f1c07f273536a00fa6539e2aa41b3fddab3bb282a157c9676572858bfd19d7e4 computeResources: limits: memory: 512Mi 
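Review bot: Both failure messages in the new `push` step read `Failed to push sbom image ...`, but after this reordering the step pushes the plain built image and `sbom-syft-generate` only runs afterwards, so the wording misleads anyone reading the logs; use `echo "Failed to push image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries"` and `echo "Failed to push image to $IMAGE after ${max_run} tries"`. Those messages also read `max_run`, which is only assigned inside `retry ()` and leaks out because the function declares no locals; a `# max_run is set (globally) by retry()` comment, or hoisting the constant above the function, would make that dependency visible. The `echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}"` line uses a different expansion from the push target `$(context.taskRun.name)`; whether `TASKRUN_NAME` is set in the step `env` is not visible here.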
@@ -552,43 +625,31 @@ spec: mv sbom-temp.json sbom-cyclonedx.json fi - echo "Creating sbom-purl.json" - python3 /scripts/create_purl_sbom.py - echo "Adding base images data to sbom-cyclonedx.json" python3 /scripts/base_images_sbom_script.py \ --sbom=sbom-cyclonedx.json \ --base-images-from-dockerfile=/shared/base_images_from_dockerfile \ --base-images-digests=/shared/base_images_digests + + echo "Adding image reference to sbom" + IMAGE_URL="$(cat "$(results.IMAGE_URL.path)")" + IMAGE_DIGEST="$(cat "$(results.IMAGE_DIGEST.path)")" + + python3 /scripts/add_image_reference.py \ + --image-url "$IMAGE_URL" \ + --image-digest "$IMAGE_DIGEST" \ + --input-file sbom-cyclonedx.json \ + --output-file /tmp/sbom-cyclonedx.tmp.json + + mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json workingDir: $(workspaces.source.path) securityContext: runAsUser: 0 - - name: inject-sbom-and-push - image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c - computeResources: - limits: - memory: 4Gi - cpu: '4' - requests: - memory: 1Gi - cpu: '1' + - name: upload-sbom + image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8 script: | #!/bin/bash - set -e - - retry () { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then 
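Review bot: The step renamed to `upload-sbom` keeps `#!/bin/bash` but loses `set -e` (the removed line right under the shebang), and nothing else in the new script enforces failure on error, so `update-ca-trust` and the `cosign attach sbom` call that follows outside this hunk can fail without failing the step. That turns a missing SBOM into a silent condition instead of a failed build. Add `set -euo pipefail` immediately after `#!/bin/bash`. The step's script continues past the end of this hunk.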
@@ -597,75 +658,14 @@ spec: update-ca-trust fi - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE - - echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ - --tls-verify="$TLSVERIFY" \ - "$IMAGE" \ - "docker://${IMAGE%:*}:$(context.taskRun.name)"; - then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" - exit 1 - fi - - echo "Pushing to ${IMAGE}" - if ! retry buildah push \ - --tls-verify="$TLSVERIFY" \ - --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ - "docker://$IMAGE"; - then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" - exit 1 - fi - - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - { - echo -n "${IMAGE}@" - cat "$(workspaces.source.path)/image-digest" - } > "$(results.IMAGE_REF.path)" + cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" # Remove tag from IMAGE while allowing registry to contain a port number. sbom_repo="${IMAGE%:*}" sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" # The SBOM_BLOB_URL is created by `cosign attach sbom`. 
echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" - securityContext: - runAsUser: 0 - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - name: trusted-ca - mountPath: /mnt/trusted-ca - readOnly: true - workingDir: $(workspaces.source.path) - - name: upload-sbom - image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8 - script: | - ca_bundle=/mnt/trusted-ca/ca-bundle.crt - if [ -f "$ca_bundle" ]; then - echo "INFO: Using mounted CA bundle: $ca_bundle" - cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors - update-ca-trust - fi - - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" computeResources: limits: memory: 512Mi diff --git a/task/clamav-scan/0.2/MIGRATION.md b/task/clamav-scan/0.2/MIGRATION.md new file mode 100644 index 0000000000..48a794eeb7 --- /dev/null +++ b/task/clamav-scan/0.2/MIGRATION.md @@ -0,0 +1,10 @@ +# Migration from 0.1 to 0.2 + +Version 0.2: + +On this version the sidecar is removed from the task and required tools (jq, oc ..) were added to the Clamav BD container image +this should fix the problem of timing out when task is scanning the database and improve the performance. + +## Action from users + +Renovate bot PR will be created with warning icon for a clamav-scan which is expected, no actions from users are required. diff --git a/task/clamav-scan/0.2/README.md b/task/clamav-scan/0.2/README.md new file mode 100644 index 0000000000..d7dbaf67e3 --- /dev/null +++ b/task/clamav-scan/0.2/README.md 
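Review bot: `SBOM_BLOB_URL` is computed from the local file and written whether or not `cosign attach sbom` on the line above succeeded, and the surrounding script no longer runs under `set -e` (removed in the previous hunk of this file), so on a failed attach the task still publishes a result naming a blob that does not exist. Guard the call with `|| exit 1` (or run the script under `set -euo pipefail`) and reword the comment: `# The blob digest is the sha256 of the local file; cosign attach sbom uploads that same content, so the two match only if the attach succeeded`. Note the SBOM now exists only as a cosign attachment, since the in-image copy under `/root/buildinfo/content_manifests/` is removed in this hunk; any consumer that read it from the image filesystem must switch to the attachment, which the README change for 0.2.1 documents.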
@@ -0,0 +1,33 @@ +# clamav-scan task + +## Description: +The clamav-scan task scans files for viruses and other malware using the ClamAV antivirus scanner. +ClamAV is an open-source antivirus engine that can be used to check for viruses, malware, and other malicious content. +The task will extract compiled code to compare it against the latest virus database to identify any potential threats. +The logs will provide both the version of ClamAV and the version of the database used in the comparison scan. + +## Version 0.2: +On this version the sidecard is removed from the task and required tools (jq, oc ..) were added to the Clamav BD container image +this should fix the problem of timing out when task is scanning the database and improve the performance. + +## Params: + +| name | description | default | +|--------------------------|------------------------------------------------------------------------|---------------| +| image-digest | Image digest to scan. | None | +| image-url | Image URL. | None | +| docker-auth | Unused, should be removed in next task version. | | +| ca-trust-config-map-name | The name of the ConfigMap to read CA bundle data from. | trusted-ca | +| ca-trust-config-map-key | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | + +## Results: + +| name | description | +|--------------------|---------------------------| +| TEST_OUTPUT | Tekton task test output. | + +## Source repository for image: +https://github.com/konflux-ci/konflux-test/tree/main/clamav + +## Additional links: +https://docs.clamav.net/ diff --git a/task/clamav-scan/0.2/clamav-scan.yaml b/task/clamav-scan/0.2/clamav-scan.yaml new file mode 100644 index 0000000000..d47dd33dcf --- /dev/null +++ b/task/clamav-scan/0.2/clamav-scan.yaml 
@@ -0,0 +1,217 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.2" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "virus, konflux" + name: clamav-scan +spec: + description: >- + Scans the content of container images for viruses, malware, and other malicious content using ClamAV antivirus scanner. + results: + - name: TEST_OUTPUT + description: Tekton task test output. + - name: IMAGES_PROCESSED + description: Images processed in the task. + params: + - name: image-digest + description: Image digest to scan. + - name: image-url + description: Image URL. + - name: docker-auth + description: unused + default: "" + - name: ca-trust-config-map-name + type: string + description: The name of the ConfigMap to read CA bundle data from. + default: trusted-ca + - name: ca-trust-config-map-key + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data. + default: ca-bundle.crt + + steps: + - name: extract-and-scan-image + # This image receives daily builds, ensuring we always have access to the latest virus definitions + image: quay.io/konflux-ci/clamav-db:latest + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + workingDir: /work + # need to change user since 'oc image extract' requires more privileges when running as root permissions + # https://bugzilla.redhat.com/show_bug.cgi?id=1969929 + securityContext: + runAsUser: 1000 + env: + - name: HOME + value: /work + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + computeResources: + limits: + memory: 8Gi + cpu: '2' + requests: + memory: 2Gi + cpu: 500m + script: | + #!/usr/bin/env bash + set -euo pipefail + . 
/utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + imagewithouttag=$(echo $IMAGE_URL | sed "s/\(.*\):.*/\1/" | tr -d '\n') + + # strip new-line escape symbol from parameter and save it to variable + imageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST) + + # check if image is attestation one, skip the clamav scan in such case + if [[ $imageanddigest == *.att ]] + then + echo "$imageanddigest is an attestation image. Skipping ClamAV scan." + exit 0 + fi + + images_processed_template='{"image": {"pullspec": "'"$IMAGE_URL"'", "digests": [%s]}}' + digests_processed=() + mkdir logs + mkdir content + cd content + echo "Extracting image(s)." + + # Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes + image_manifests=$(get_image_manifests -i ${imageanddigest}) + if [ -n "$image_manifests" ]; then + while read -r arch arch_sha; do + destination=$(echo content-$arch) + mkdir -p "$destination" + arch_imageanddigest=$(echo $imagewithouttag@$arch_sha) + + echo "Running \"oc image extract\" on image of arch $arch" + oc image extract --registry-config ~/.docker/config.json $arch_imageanddigest --path="/:${destination}" --filter-by-os="linux/${arch}" + if [ $? -ne 0 ]; then + echo "Unable to extract image for arch $arch. Skipping ClamAV scan!" + exit 0 + fi + + db_version=$(clamscan --version | sed 's|.*/\(.*\)/.*|\1|') + + echo "Scanning image for arch $arch. This operation may take a while." 
+ clamscan $destination -ri --max-scansize=4095M --max-filesize=4095M \ + --max-scantime=0 --max-files=0 --max-recursion=1000 --max-dir-recursion=20000 --max-embeddedpe=4095M \ + --max-htmlnormalize=10M --max-htmlnotags=4095M --max-scriptnormalize=5M --max-ziptypercg=4095M \ + --max-partitions=50000 --max-iconspe=100000 --max-rechwp3=20000 --pcre-match-limit=100000000 --pcre-recmatch-limit=2000000 \ + --pcre-max-filesize=4095M --alert-exceeds-max=yes \ + --alert-encrypted=yes --alert-encrypted-archive=yes --alert-encrypted-doc=yes --alert-macros=yes \ + --alert-phishing-ssl=yes --alert-phishing-cloak=yes --alert-partition-intersection=yes \ + | tee /work/logs/clamscan-result-$arch.log || true + + echo "Executed-on: Scan was executed on clamscan version - $(clamscan --version) Database version: $db_version" | tee -a "/work/logs/clamscan-result-$arch.log" + + digests_processed+=("\"$arch_sha\"") + + if [[ -e "/work/logs/clamscan-result-$arch.log" ]]; then + # file_suffix=$(basename "$file" | sed 's/clamscan-result-//;s/.log//') + # OPA/EC requires structured data input, add clamAV log into json + jq -Rs '{ output: . 
}' /work/logs/clamscan-result-$arch.log > /work/logs/clamscan-result-log-$arch.json + + EC_EXPERIMENTAL=1 ec test \ + --namespace required_checks \ + --policy /project/clamav/virus-check.rego \ + -o json \ + /work/logs/clamscan-result-log-$arch.json || true + + # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again + EC_EXPERIMENTAL=1 ec test \ + --namespace required_checks \ + --policy /project/clamav/virus-check.rego \ + -o appstudio \ + /work/logs/clamscan-result-log-$arch.json | tee /work/logs/clamscan-ec-test-$arch.json || true + + cat /work/logs/clamscan-ec-test-$arch.json + fi + done < <(echo "$image_manifests" | jq -r 'to_entries[] | "\(.key) \(.value)"') + fi + + jq -s -rce ' + reduce .[] as $item ({"timestamp":"0","namespace":"","successes":0,"failures":0,"warnings":0,"result":"","note":""}; + { + "timestamp" : (if .timestamp < $item.timestamp then $item.timestamp else .timestamp end), + "namespace" : $item.namespace, + "successes" : (.successes + $item.successes), + "failures" : (.failures + $item.failures), + "warnings" : (.warnings + $item.warnings), + "result" : (if .result == "" or ($item.result == "SKIPPED" and .result == "SUCCESS") or ($item.result == "WARNING" and (.result == "SUCCESS" or .result == "SKIPPED")) or ($item.result == "FAILURE" and .result != "ERROR") or $item.result == "ERROR" then $item.result else .result end), + "note" : (if .result == "" or ($item.result == "SKIPPED" and .result == "SUCCESS") or ($item.result == "WARNING" and (.result == "SUCCESS" or .result == "SKIPPED")) or ($item.result == "FAILURE" and .result != "ERROR") or $item.result == "ERROR" then $item.note else .note end) + })' /work/logs/clamscan-ec-test-*.json | tee $(results.TEST_OUTPUT.path) + + # If the image is an Image Index, also add the Image Index digest to the list. 
+ if [[ "${digests_processed[*]}" != *"$IMAGE_DIGEST"* ]]; then + digests_processed+=("\"$IMAGE_DIGEST\"") + fi + + digests_processed_string=$(IFS=,; echo "${digests_processed[*]}") + echo "${images_processed_template/\[%s]/[$digests_processed_string]}" | tee $(results.IMAGES_PROCESSED.path) + volumeMounts: + - mountPath: /work + name: work + - name: trusted-ca + mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + subPath: ca-bundle.crt + readOnly: true + - name: upload + image: quay.io/konflux-ci/oras:latest@sha256:7a85f12b14b9122df29450dfa60c6d035b04db1a7372f7b606a0fb74ed716844 + computeResources: + limits: + memory: 512Mi + cpu: 200m + requests: + memory: 256Mi + cpu: 100m + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + workingDir: /work + script: | + #!/usr/bin/env bash + + cd logs + + for UPLOAD_FILE in $(find . -name "clamscan-result*.log"); do + MEDIA_TYPE=text/vnd.clamav + args+=("${UPLOAD_FILE}:${MEDIA_TYPE}") + done + for UPLOAD_FILE in $(find . -name "clamscan-ec-test*.json"); do + MEDIA_TYPE=application/vnd.konflux.test_output+json + args+=("${UPLOAD_FILE}:${MEDIA_TYPE}") + done + + if [ -z "${args}" ]; then + echo "No files found. Skipping upload." + exit 0; + fi + + echo "Selecting auth" + select-oci-auth $IMAGE_URL > $HOME/auth.json + echo "Attaching to ${IMAGE_URL}" + oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type application/vnd.clamav "${IMAGE_URL}" "${args[@]}" + volumeMounts: + - mountPath: /work + name: work + volumes: + - name: dbfolder + emptyDir: {} + - name: work + emptyDir: {} + - name: trusted-ca + configMap: + name: $(params.ca-trust-config-map-name) + items: + - key: $(params.ca-trust-config-map-key) + path: ca-bundle.crt + optional: true diff --git a/task/coverity-availability-check-oci-ta/0.1/README.md b/task/coverity-availability-check-oci-ta/0.1/README.md new file mode 100644 index 0000000000..b7a1adbca4 --- /dev/null 
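Review bot: The `if [ $? -ne 0 ]` check after `oc image extract` in the extract-and-scan-image script is unreachable: the script runs under `set -euo pipefail`, so a failed extract leaves the step through the `handle_error` EXIT trap before the "Skipping ClamAV scan!" branch runs, and the task fails rather than skipping as the message claims. If skipping is the intent, fold the command into the condition, `if ! oc image extract --registry-config ~/.docker/config.json "$arch_imageanddigest" --path="/:${destination}" --filter-by-os="linux/${arch}"; then`, and if failing is the intent, drop the dead branch so the behaviour is not misdocumented. Separately, the upload step runs `oras attach ... "${IMAGE_URL}"`, i.e. against the tag, while the scan was performed on `$IMAGE_DIGEST`; attaching to `"${IMAGE_URL%:*}@${IMAGE_DIGEST}"` (the same tag-stripping the scan step already does) binds the scan result to the exact manifest that was scanned even if the tag moves. Also `clamscan ... || true` masks a non-zero exit caused by a scanner error just as it masks one caused by a detection, so a broken or unloadable definition database can produce a "clean" log; capture the status (`rc=${PIPESTATUS[0]}`) and record it in the log so the rego check can tell the two apart.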
+++ b/task/coverity-availability-check-oci-ta/0.1/README.md @@ -0,0 +1,18 @@ +# coverity-availability-check-oci-ta task + +This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE|Name of secret which contains the authentication token for pulling the Coverity image.|auth-token-coverity-image|false| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| +|COV_LICENSE|Name of secret which contains the Coverity license|cov-license|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| + +## Results +|name|description| +|---|---| +|STATUS|Tekton task simple status to be later checked| +|TEST_OUTPUT|Tekton task result output.| + diff --git a/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml new file mode 100644 index 0000000000..cc112db4ef --- /dev/null +++ b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml 
@@ -0,0 +1,111 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: coverity-availability-check-oci-ta + annotations: + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/tags: konflux + labels: + app.kubernetes.io/version: "0.1" +spec: + description: This task performs needed checks in order to use Coverity image + in the pipeline. It will check for a Coverity license secret and an authentication + secret for pulling the image. + params: + - name: AUTH_TOKEN_COVERITY_IMAGE + description: Name of secret which contains the authentication token + for pulling the Coverity image. + default: auth-token-coverity-image + - name: CACHI2_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the prefetched dependencies. + type: string + default: "" + - name: COV_LICENSE + description: Name of secret which contains the Coverity license + default: cov-license + - name: SOURCE_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the application source code. + type: string + results: + - name: STATUS + description: Tekton task simple status to be later checked + - name: TEST_OUTPUT + description: Tekton task result output. 
+ volumes: + - name: auth-token-coverity-image + secret: + optional: true + secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE) + - name: cov-license + secret: + optional: true + secretName: $(params.COV_LICENSE) + - name: workdir + emptyDir: {} + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir + steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + - name: coverity-availability-check + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 + workingDir: /var/workdir/source + volumeMounts: + - mountPath: /etc/secrets/cov + name: cov-license + readOnly: true + - mountPath: /etc/secrets/auth/config.json + name: auth-token-coverity-image + subPath: .dockerconfigjson + env: + - name: COV_LICENSE + value: $(params.COV_LICENSE) + - name: AUTH_TOKEN_COVERITY_IMAGE + value: $(params.AUTH_TOKEN_COVERITY_IMAGE) + script: | + #!/usr/bin/env bash + set -eo pipefail + # shellcheck source=/dev/null + . /utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + # Checking Coverity license + COV_LICENSE_PATH=/etc/secrets/cov/cov-license + if [ -f "${COV_LICENSE_PATH}" ] && [ -s "${COV_LICENSE_PATH}" ]; then + echo "Coverity license detected!" + else + echo 'No license file for Coverity was detected. Coverity scan will not be executed...' + echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license' + note="Task $(context.task.name) failed: No license file for Coverity was detected. 
Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license" + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo -n "failed" | tee "$(results.STATUS.path)" + exit 0 + fi + + # Checking authentication token for downloading coverity image + AUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json + if [ -f "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ] && [ -s "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ]; then + echo "Authentication token detected!" + else + echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...' + echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image' + note="Task $(context.task.name) failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image" + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo -n "failed" | tee "$(results.STATUS.path)" + exit 0 + fi + + note="Task $(context.task.name) completed: Coverity availability checks under /var/workdir/hacbs/$(context.task.name) finished succesfully." + # shellcheck disable=SC2034 + TEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t "$note") + echo -n "success" | tee "$(results.STATUS.path)" + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)" diff --git a/task/coverity-availability-check-oci-ta/0.1/recipe.yaml b/task/coverity-availability-check-oci-ta/0.1/recipe.yaml new file mode 100644 index 0000000000..1627c4de80 --- /dev/null +++ b/task/coverity-availability-check-oci-ta/0.1/recipe.yaml 
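Review bot: In both failure branches of the coverity-availability-check script, `TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")` is computed but never written to `$(results.TEST_OUTPUT.path)` before `exit 0`; only the success path tees it at the very end, so unless `handle_error` in /utils.sh writes the variable on a zero exit (not visible here), the TEST_OUTPUT result is empty precisely when the ERROR note matters. Add `echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"` before each `exit 0`. Since this file is generated from ../../coverity-availability-check/0.1 via recipe.yaml (this change adds both), the fix belongs in the base task and should then be regenerated here rather than patched by hand.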
@@ -0,0 +1,12 @@
+---
+base: ../../coverity-availability-check/0.1/coverity-availability-check.yaml
+add:
+ - use-source
+ - use-cachi2
+preferStepTemplate: true
+removeWorkspaces:
+ - workspace
+replacements:
+ workspaces.workspace.path: /var/workdir
+regexReplacements:
+ hacbs/\$\(context.task.name\): source
diff --git a/task/coverity-availability-check-oci-ta/OWNERS b/task/coverity-availability-check-oci-ta/OWNERS
new file mode 100644
index 0000000000..4f4bc81c01
--- /dev/null
+++ b/task/coverity-availability-check-oci-ta/OWNERS
@@ -0,0 +1,6 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+approvers:
+ - integration-team
+reviewers:
+ - integration-team
+ - kdudka
diff --git a/task/coverity-availability-check/0.1/README.md b/task/coverity-availability-check/0.1/README.md
new file mode 100644
index 0000000000..9565f411b1
--- /dev/null
+++ b/task/coverity-availability-check/0.1/README.md
@@ -0,0 +1,26 @@ +# coverity-availability-check task + +## Description: + +This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image. + +The characteristics of these tasks are: + +- It will check for a secret called "auth-token-coverity-image" where the authentication token for pulling Coverity image is pulled. +- It will check for a secret called "cov-license" where the Coverity license is stored. + +> NOTE: If any of these tasks fails, the sast-coverity-task check won't be executed. The Coverity license can be used by Red Hat employees only and it needs to be protected such that external users cannot access the license. + +## Params: + +| name | description | default value | required | +|-----------------------------|----------------------------------------------------------------------------------------|----------------------------|----------| +| AUTH_TOKEN_COVERITY_IMAGE | Name of secret which contains the authentication token for pulling the Coverity image | auth-token-coverity-image | yes | +| COV_LICENSE | Name of secret which contains the Coverity license | cov-license | yes | + +## Results: + +| name | description | +|-------------|-----------------------------------------------------------------------------------| +| STATUS | Tekton task simple status to be later checked by the sast-coverity-check task | +| TEST_OUTPUT | Tekton task test output. | diff --git a/task/coverity-availability-check/0.1/coverity-availability-check.yaml b/task/coverity-availability-check/0.1/coverity-availability-check.yaml new file mode 100644 index 0000000000..63fc4ac04c --- /dev/null +++ b/task/coverity-availability-check/0.1/coverity-availability-check.yaml 
@@ -0,0 +1,92 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "konflux" + name: coverity-availability-check +spec: + description: >- + This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image. + results: + - description: Tekton task result output. + name: TEST_OUTPUT + - description: Tekton task simple status to be later checked + name: STATUS + params: + - name: COV_LICENSE + description: Name of secret which contains the Coverity license + default: cov-license + - name: AUTH_TOKEN_COVERITY_IMAGE + description: Name of secret which contains the authentication token for pulling the Coverity image. + default: "auth-token-coverity-image" + volumes: + - name: cov-license + secret: + secretName: $(params.COV_LICENSE) + optional: true + - name: auth-token-coverity-image + secret: + secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE) + optional: true + steps: + - name: coverity-availability-check + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) + volumeMounts: + - name: cov-license + mountPath: "/etc/secrets/cov" + readOnly: true + - name: auth-token-coverity-image + mountPath: "/etc/secrets/auth/config.json" + subPath: .dockerconfigjson + env: + - name: COV_LICENSE + value: $(params.COV_LICENSE) + - name: AUTH_TOKEN_COVERITY_IMAGE + value: $(params.AUTH_TOKEN_COVERITY_IMAGE) + script: | + #!/usr/bin/env bash + set -eo pipefail + # shellcheck source=/dev/null + . 
/utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + # Checking Coverity license + COV_LICENSE_PATH=/etc/secrets/cov/cov-license + if [ -f "${COV_LICENSE_PATH}" ] && [ -s "${COV_LICENSE_PATH}" ]; then + echo "Coverity license detected!" + else + echo 'No license file for Coverity was detected. Coverity scan will not be executed...' + echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license' + note="Task $(context.task.name) failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license" + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo -n "failed" | tee "$(results.STATUS.path)" + exit 0 + fi + + # Checking authentication token for downloading coverity image + AUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json + if [ -f "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ] && [ -s "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ]; then + echo "Authentication token detected!" + else + echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...' + echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image' + note="Task $(context.task.name) failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image" + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo -n "failed" | tee "$(results.STATUS.path)" + exit 0 + fi + + note="Task $(context.task.name) completed: Coverity availability checks under $(workspaces.workspace.path)/hacbs/$(context.task.name) finished succesfully." 
+ # shellcheck disable=SC2034 + TEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t "$note") + echo -n "success" | tee "$(results.STATUS.path)" + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)" + + workspaces: + - name: workspace diff --git a/task/coverity-availability-check/OWNERS b/task/coverity-availability-check/OWNERS new file mode 100644 index 0000000000..4f4bc81c01 --- /dev/null +++ b/task/coverity-availability-check/OWNERS @@ -0,0 +1,6 @@ +# See the OWNERS docs: https://go.k8s.io/owners +approvers: + - integration-team +reviewers: + - integration-team + - kdudka diff --git a/task/fbc-related-image-check/0.1/fbc-related-image-check.yaml b/task/fbc-related-image-check/0.1/fbc-related-image-check.yaml index 7e004b00d8..5bca8aa149 100644 --- a/task/fbc-related-image-check/0.1/fbc-related-image-check.yaml +++ b/task/fbc-related-image-check/0.1/fbc-related-image-check.yaml @@ -6,6 +6,7 @@ metadata: annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "konflux" + build.appstudio.redhat.com/expires-on: "2025-01-31T00:00:00Z" name: fbc-related-image-check spec: description: >- diff --git a/task/fbc-related-image-check/0.1/kustomization.yaml b/task/fbc-related-image-check/0.1/kustomization.yaml new file mode 100644 index 0000000000..f370168323 --- /dev/null +++ b/task/fbc-related-image-check/0.1/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- fbc-related-image-check.yaml diff --git a/task/fbc-related-image-check/0.2/MIGRATION.md b/task/fbc-related-image-check/0.2/MIGRATION.md new file mode 100644 index 0000000000..3eb059262f --- /dev/null +++ b/task/fbc-related-image-check/0.2/MIGRATION.md 
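Review bot: The two "not detected" branches assign `TEST_OUTPUT=$(make_result_json -r ERROR ...)` and then `exit 0` without ever writing it to `$(results.TEST_OUTPUT.path)`, so the task finishes green with `STATUS=failed` but, unless `handle_error` in /utils.sh flushes the variable on a zero exit (not visible here), an empty TEST_OUTPUT result; add `echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"` before each `exit 0`. The user-facing hints also nest single quotes inside single-quoted strings (`echo 'Please, create a secret called 'cov-license' ...'`), which silently drops the inner quotes from the printed text; use double quotes for the outer string. The final note string spells `succesfully`; `finished successfully` would be the intended wording.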
@@ -0,0 +1,48 @@ +## Deprecation notice + +This task is deprecated, please remove it from your pipeline. +Deprecation date: 2025-01-31 + +# Migration from 0.1 to 0.2 + +Version 0.2: + +No changes within this version, its only purpose is to provide information on how to remove this task from your pipeline. + +## Action from users + +To remove this task from your pipeline please follow these steps: + +1. Remove the fbc-related-image-check task definition from your FBC pipelines similar to this change: + +```diff +--- a/.tekton/original-pipelinerun.yaml ++++ b/.tekton/new-pipelinerun.yaml +@@ -323,26 +323,6 @@ spec: + workspaces: + - name: workspace + workspace: workspace +- - name: fbc-related-image-check +- runAfter: +- - fbc-validate +- taskRef: +- params: +- - name: name +- value: fbc-related-image-check +- - name: bundle +- value: quay.io/konflux-ci/tekton-catalog/task-fbc-related-image-check:0.1@sha256:0fae84cc832d21c250334ab1d285db92e7e22e916ea342d044e46136c502d2f8 +- - name: kind +- value: task +- resolver: bundles +- when: +- - input: $(params.skip-checks) +- operator: in +- values: +- - "false" +- workspaces: +- - name: workspace +- workspace: workspace + workspaces: + - name: workspace + - name: git-auth +``` diff --git a/task/fbc-related-image-check/0.2/README.md b/task/fbc-related-image-check/0.2/README.md new file mode 100644 index 0000000000..b9b54556e3 --- /dev/null +++ b/task/fbc-related-image-check/0.2/README.md 
@@ -0,0 +1,18 @@ +# fbc-related-image-check task + +## Description: +The fbc-related-image-check task checks whether all images referenced in file-based catalog (FBC) are valid by using +Skopeo to inspect manifest content. + +## Results: + +| name | description | +|-------------------|---------------------------| +| TEST_OUTPUT | Tekton task test output. | + +## Source repository for image: +https://github.com/konflux-ci/konflux-test + +## Additional links: +https://www.redhat.com/en/topics/containers/what-is-skopeo +https://olm.operatorframework.io/docs/reference/file-based-catalogs/ diff --git a/task/fbc-related-image-check/0.2/kustomization.yaml b/task/fbc-related-image-check/0.2/kustomization.yaml new file mode 100644 index 0000000000..d25d213e21 --- /dev/null +++ b/task/fbc-related-image-check/0.2/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../0.1 + +patches: +- patch: |- + - op: replace + path: /metadata/labels + value: + app.kubernetes.io/version: "0.2" + target: + kind: Task + name: fbc-related-image-check diff --git a/task/fbc-validation/0.1/fbc-validation.yaml b/task/fbc-validation/0.1/fbc-validation.yaml index 815eab7dbf..0b6f41cc99 100644 --- a/task/fbc-validation/0.1/fbc-validation.yaml +++ b/task/fbc-validation/0.1/fbc-validation.yaml @@ -6,6 +6,7 @@ metadata: annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "konflux" + build.appstudio.redhat.com/expires-on: "2025-01-31T00:00:00Z" name: fbc-validation spec: description: >- diff --git a/task/fbc-validation/0.1/kustomization.yaml b/task/fbc-validation/0.1/kustomization.yaml new file mode 100644 index 0000000000..8acf9b308e --- /dev/null +++ b/task/fbc-validation/0.1/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- fbc-validation.yaml 
diff --git a/task/fbc-validation/0.2/MIGRATION.md b/task/fbc-validation/0.2/MIGRATION.md new file mode 100644 index 0000000000..d56811ed35 --- /dev/null +++ b/task/fbc-validation/0.2/MIGRATION.md @@ -0,0 +1,51 @@ +## Deprecation notice + +This task is deprecated, please remove it from your pipeline and replace it with the new validate-fbc task. +Deprecation date: 2025-01-31 + +# Migration from 0.1 to 0.2 + +Version 0.2: + +No changes within this version, its only purpose is to provide information on how to remove this task from your pipeline. + +## Action from users + +To remove this task from your pipeline please follow these steps: + +1. Remove the fbc-validation task definition from your FBC pipelines similar to this change: + +```diff +--- a/.tekton/original-pipelinerun.yaml ++++ b/.tekton/new-pipelinerun.yaml +@@ -323,26 +323,6 @@ spec: + workspaces: + - name: workspace + workspace: workspace +- - name: fbc-validation ++ - name: validate-fbc +- runAfter: +- - inspect-image ++ - build-image-index + taskRef: + params: + - name: name +- value: fbc-validation ++ value: validate-fbc +- - name: bundle +- value: quay.io/konflux-ci/tekton-catalog/task-validate-fbc:0.1 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" +- workspaces: +- - name: workspace +- workspace: workspace + workspaces: + - name: workspace + - name: git-auth +``` diff --git a/task/fbc-validation/0.2/README.md b/task/fbc-validation/0.2/README.md new file mode 100644 index 0000000000..a93013ee48 --- /dev/null +++ b/task/fbc-validation/0.2/README.md 
@@ -0,0 +1,30 @@ +# fbc-validation task + +## Description: +Ensures file-based catalog (FBC) components are uniquely linted for proper construction as part of build pipeline. + +For further information on how to use the task, see the USAGE.md file. + +For troubleshooting assistance, see the TROUBLESHOOTING.md file. + +## Params: + +| name | description | +|--------------|----------------------------------| +| IMAGE_DIGEST | Image digest. | +| IMAGE_URL | Fully qualified image name. | +| BASE_IMAGE | Fully qualified base image name. | + +## Results: + +| name | description | +|--------------------|---------------------------| +| TEST_OUTPUT | Tekton task test output. | + +## Source repository for image: +https://github.com/konflux-ci/konflux-test + +## Additional links: +https://olm.operatorframework.io/docs/reference/file-based-catalogs/ +https://github.com/containers/skopeo +https://docs.openshift.com/container-platform/4.12/cli_reference/opm/cli-opm-install.html diff --git a/task/fbc-validation/0.2/kustomization.yaml b/task/fbc-validation/0.2/kustomization.yaml new file mode 100644 index 0000000000..6b668d0daa --- /dev/null +++ b/task/fbc-validation/0.2/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../0.1 + +patches: +- patch: |- + - op: replace + path: /metadata/labels + value: + app.kubernetes.io/version: "0.2" + target: + kind: Task + name: fbc-validation diff --git a/task/git-clone/0.1/tests/test-git-clone-fail-for-wrong-url.yaml b/task/git-clone/0.1/tests/test-git-clone-fail-for-wrong-url.yaml new file mode 100644 index 0000000000..cdeb848d55 --- /dev/null +++ b/task/git-clone/0.1/tests/test-git-clone-fail-for-wrong-url.yaml 
@@ -0,0 +1,22 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: test-git-clone-fail-for-wrong-url
+ annotations:
+ test/assert-task-failure: "run-task"
+spec:
+ description: |
+ Test the git-clone task with tag
+ workspaces:
+ - name: tests-workspace
+ tasks:
+ - name: run-task
+ taskRef:
+ name: git-clone
+ params:
+ - name: url
+ value: https://github.com/user/repo-does-not-exists
+ workspaces:
+ - name: output
+ workspace: tests-workspace
diff --git a/task/git-clone/0.1/tests/test-git-clone-run-with-tag.yaml b/task/git-clone/0.1/tests/test-git-clone-run-with-tag.yaml
new file mode 100644
index 0000000000..000a4322af
--- /dev/null
+++ b/task/git-clone/0.1/tests/test-git-clone-run-with-tag.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: test-git-clone-with-tag
+spec:
+ description: |
+ Test the git-clone task with tag
+ workspaces:
+ - name: tests-workspace
+ tasks:
+ - name: run-task
+ taskRef:
+ name: git-clone
+ params:
+ - name: url
+ value: https://github.com/kelseyhightower/nocode
+ - name: revision
+ value: 1.0.0
+ workspaces:
+ - name: output
+ workspace: tests-workspace
+ - name: check-result
+ workspaces:
+ - name: output
+ workspace: tests-workspace
+ taskSpec:
+ steps:
+ - name: check-result
+ image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
+ script: |
+ #!/usr/bin/env sh
+ set -eux
+ files=$(find "$(workspaces.output.path)/source/" -mindepth 1 -maxdepth 1)
+ test -n "$files"
+ runAfter:
+ - run-task
diff --git a/task/git-clone/0.1/tests/test-git-clone-run-without-args.yaml b/task/git-clone/0.1/tests/test-git-clone-run-without-args.yaml
new file mode 100644
index 0000000000..8997dbecbe
--- /dev/null
+++ b/task/git-clone/0.1/tests/test-git-clone-run-without-args.yaml
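Review bot: The description of test-git-clone-fail-for-wrong-url reads `Test the git-clone task with tag`, which is copied from the with-tag test and does not describe this pipeline; change it to `Test that the git-clone task fails for a URL that does not exist`. The URL `https://github.com/user/repo-does-not-exists` lives in a real GitHub namespace, so the negative case turns green by accident if such a repository is ever created, and it depends on network access to GitHub; a short comment recording that dependency, or an unresolvable host such as `https://git.invalid/repo`, would make the assertion independent of someone else's account.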
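Review bot: check-result in test-git-clone-with-tag only asserts that the source directory is non-empty, which is exactly what the no-args test already checks, so the `revision: 1.0.0` parameter is never verified and the test would pass if the task ignored it. If the git-clone task exposes a commit result (not visible in this hunk), compare it against the tag's commit; otherwise run `git -C "$(workspaces.output.path)/source" describe --tags --exact-match` and `test "$(...)" = "1.0.0"` — assuming git is present in the appstudio-utils image used by the step.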
@@ -0,0 +1,35 @@ +--- +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: test-git-clone-no-args +spec: + description: | + Test the git-clone task with no arguments + workspaces: + - name: tests-workspace + tasks: + - name: run-task + taskRef: + name: git-clone + params: + - name: url + value: https://github.com/kelseyhightower/nocode + workspaces: + - name: output + workspace: tests-workspace + - name: check-result + workspaces: + - name: output + workspace: tests-workspace + taskSpec: + steps: + - name: check-result + image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8 + script: | + #!/usr/bin/env sh + set -eux + files=$(find "$(workspaces.output.path)/source/" -mindepth 1 -maxdepth 1) + test -n "$files" + runAfter: + - run-task diff --git a/task/inspect-image/0.1/inspect-image.yaml b/task/inspect-image/0.1/inspect-image.yaml index 923fc51c2d..6572ec0fd4 100644 --- a/task/inspect-image/0.1/inspect-image.yaml +++ b/task/inspect-image/0.1/inspect-image.yaml @@ -5,6 +5,7 @@ metadata: labels: app.kubernetes.io/version: "0.1" annotations: + build.appstudio.redhat.com/expires-on: "2025-01-31T00:00:00Z" tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "konflux" name: inspect-image diff --git a/task/inspect-image/0.1/kustomization.yaml b/task/inspect-image/0.1/kustomization.yaml new file mode 100644 index 0000000000..d193876fd8 --- /dev/null +++ b/task/inspect-image/0.1/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- inspect-image.yaml diff --git a/task/inspect-image/0.2/MIGRATION.md b/task/inspect-image/0.2/MIGRATION.md new file mode 100644 index 0000000000..6435f1ec7a --- /dev/null +++ b/task/inspect-image/0.2/MIGRATION.md 
@@ -0,0 +1,65 @@ +## Deprecation notice + +This task is deprecated, please remove it from your pipeline. +Deprecation date: 2025-01-31 + +# Migration from 0.1 to 0.2 + +Version 0.2: + +No changes within this version, its only purpose is to provide information on how to remove this task from your pipeline. + +## Action from users + +To remove this task from your pipeline please follow these steps: + +1. Remove the inspect-image task definition from your FBC pipelines similar to this change: + +```diff +--- a/.tekton/original-pipelinerun.yaml ++++ b/.tekton/new-pipelinerun.yaml +@@ -271,31 +271,6 @@ spec: + - name: kind + value: task + resolver: bundles +- - name: inspect-image +- params: +- - name: IMAGE_URL +- value: $(tasks.build-image-index.results.IMAGE_URL) +- - name: IMAGE_DIGEST +- value: $(tasks.build-image-index.results.IMAGE_DIGEST) +- runAfter: +- - build-image-index +- taskRef: +- params: +- - name: name +- value: inspect-image +- - name: bundle +- value: quay.io/konflux-ci/tekton-catalog/task-inspect-image:0.1@sha256:c8d7616fba1533637547eccd598314721a106ec0d108dcb5162e234d5d90c755 +- - name: kind +- value: task +- resolver: bundles +- when: +- - input: $(params.skip-checks) +- operator: in +- values: +- - "false" +- workspaces: +- - name: source +- workspace: workspace + - name: fbc-validate + params: + - name: IMAGE_URL +@@ -302,10 +302,8 @@ spec: + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) +- - name: BASE_IMAGE +- value: $(tasks.inspect-image.results.BASE_IMAGE) + runAfter: +- - inspect-image ++ - build-image-index + taskRef: + params: + - name: name +``` diff --git a/task/inspect-image/0.2/README.md b/task/inspect-image/0.2/README.md new file mode 100644 index 0000000000..bd21491419 --- /dev/null +++ b/task/inspect-image/0.2/README.md 
@@ -0,0 +1,28 @@ +# inspect-image task + +## Description: +The inspect-image task uses Skopeo to inspect and analyze manifest data from the target source image of a +container if it is built from scratch. If the target image has a direct base image, the task will also use Skopeo to inspect +that base image. + +## Params: + +| name | description | +|--------------|-------------------------------------------------| +| IMAGE_URL | Fully qualified image name. | +| IMAGE_DIGEST | Image digest. | +| DOCKER_AUTH | unused, should be removed in next task version. | + +## Results: + +| name | description | +|-----------------------|----------------------------------------| +| BASE_IMAGE | Base image source image is built from. | +| BASE_IMAGE_REPOSITORY | Base image repository URL. | +| TEST_OUTPUT | Tekton task test output. | + +## Source repository for image: +https://github.com/konflux-ci/konflux-test + +## Additional links: +https://www.redhat.com/en/topics/containers/what-is-skopeo diff --git a/task/inspect-image/0.2/kustomization.yaml b/task/inspect-image/0.2/kustomization.yaml new file mode 100644 index 0000000000..f3fc1a7c1a --- /dev/null +++ b/task/inspect-image/0.2/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../0.1 + +patches: +- patch: |- + - op: replace + path: /metadata/labels + value: + app.kubernetes.io/version: "0.2" + target: + kind: Task + name: inspect-image diff --git a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml index a72cff9bdb..977e06a05d 100644 --- a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml +++ b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml 
@@ -241,7 +241,7 @@ spec:
 requests:
 memory: 6Gi
 - name: merge-cachi2-sbom
- image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
+ image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:f1c07f273536a00fa6539e2aa41b3fddab3bb282a157c9676572858bfd19d7e4
 workingDir: /var/workdir
 script: |
 cachi2_sbom=./cachi2/output/bom.json
diff --git a/task/rpm-ostree/0.2/rpm-ostree.yaml b/task/rpm-ostree/0.2/rpm-ostree.yaml
index 164a8afc8a..7491d2976c 100644
--- a/task/rpm-ostree/0.2/rpm-ostree.yaml
+++ b/task/rpm-ostree/0.2/rpm-ostree.yaml
@@ -222,7 +222,7 @@ spec:
 - mountPath: /var/lib/containers
 name: varlibcontainers
 - name: merge-cachi2-sbom
- image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
+ image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:f1c07f273536a00fa6539e2aa41b3fddab3bb282a157c9676572858bfd19d7e4
 script: |
 cachi2_sbom=./cachi2/output/bom.json
 if [ -f "$cachi2_sbom" ]; then
diff --git a/task/sast-coverity-check-oci-ta/0.1/README.md b/task/sast-coverity-check-oci-ta/0.1/README.md
new file mode 100644
index 0000000000..b2ab1b5691
--- /dev/null
+++ b/task/sast-coverity-check-oci-ta/0.1/README.md
@@ -0,0 +1,26 @@ +# sast-coverity-check-oci-ta task + +Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Coverity. At the moment, this task only uses the buildless mode, which does not build the project in order to analyze it. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE|Name of secret which contains the authentication token for pulling the Coverity image.|auth-token-coverity-image|false| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| +|COV_ANALYZE_ARGS|Arguments to be appended to the cov-analyze command|--enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096|false| +|COV_LICENSE|Name of secret which contains the Coverity license|cov-license|false| +|IMP_FINDINGS_ONLY|Report only important findings. Default is true. To report all findings, specify "false"|true|false| +|KFP_GIT_URL|URL from repository to download known false positives files|""|false| +|PROJECT_NAME|Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.|""|false| +|RECORD_EXCLUDED|Write excluded records in file. Useful for auditing (defaults to false).|false|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|image-digest|Image digest to report findings for.||true| +|image-url|Image URL.||true| + +## Results +|name|description| +|---|---| +|TEST_OUTPUT|Tekton task test output.| + 
diff --git a/task/sast-coverity-check-oci-ta/0.1/recipe.yaml b/task/sast-coverity-check-oci-ta/0.1/recipe.yaml
new file mode 100644
index 0000000000..d8413063c3
--- /dev/null
+++ b/task/sast-coverity-check-oci-ta/0.1/recipe.yaml
@@ -0,0 +1,12 @@
+---
+base: ../../sast-coverity-check/0.1/sast-coverity-check.yaml
+add:
+ - use-source
+ - use-cachi2
+preferStepTemplate: true
+removeWorkspaces:
+ - workspace
+replacements:
+ workspaces.workspace.path: /var/workdir
+regexReplacements:
+ hacbs/\$\(context.task.name\): source
diff --git a/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml
new file mode 100644
index 0000000000..caa7c87a6b
--- /dev/null
+++ b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml
@@ -0,0 +1,297 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: sast-coverity-check-oci-ta + annotations: + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/tags: konflux + labels: + app.kubernetes.io/version: "0.1" +spec: + description: Scans source code for security vulnerabilities, including common + issues such as SQL injection, cross-site scripting (XSS), and code injection + attacks using Coverity. At the moment, this task only uses the buildless + mode, which does not build the project in order to analyze it. + params: + - name: AUTH_TOKEN_COVERITY_IMAGE + description: Name of secret which contains the authentication token + for pulling the Coverity image. + default: auth-token-coverity-image + - name: CACHI2_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the prefetched dependencies. + type: string + default: "" + - name: COV_ANALYZE_ARGS + description: Arguments to be appended to the cov-analyze command + type: string + default: --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096 + - name: COV_LICENSE + description: Name of secret which contains the Coverity license + default: cov-license + - name: IMP_FINDINGS_ONLY + description: Report only important findings. Default is true. To report + all findings, specify "false" + type: string + default: "true" + - name: KFP_GIT_URL + description: URL from repository to download known false positives files + type: string + default: "" + - name: PROJECT_NAME + description: Name of the scanned project, used to find path exclusions. + By default, the Konflux component name will be used. + type: string + default: "" + - name: RECORD_EXCLUDED + description: Write excluded records in file. Useful for auditing (defaults + to false). + type: string + default: "false" + - name: SOURCE_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the application source code. 
+ type: string + - name: caTrustConfigMapKey + description: The name of the key in the ConfigMap that contains the + CA bundle data. + type: string + default: ca-bundle.crt + - name: caTrustConfigMapName + description: The name of the ConfigMap to read CA bundle data from. + type: string + default: trusted-ca + - name: image-digest + description: Image digest to report findings for. + type: string + - name: image-url + description: Image URL. + type: string + results: + - name: TEST_OUTPUT + description: Tekton task test output. + volumes: + - name: auth-token-coverity-image + secret: + optional: false + secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE) + - name: cov-license + secret: + optional: false + secretName: $(params.COV_LICENSE) + - name: trusted-ca + configMap: + items: + - key: $(params.caTrustConfigMapKey) + path: ca-bundle.crt + name: $(params.caTrustConfigMapName) + optional: true + - name: workdir + emptyDir: {} + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir + steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + - name: sast-coverity-check + image: quay.io/redhat-services-prod/sast/coverity@sha256:0d1b96fb08a901b2d0e340599c7fee7e1de25e2d6ba58f3d95db4983f32b5a3c + workingDir: /var/workdir/source + volumeMounts: + - mountPath: /etc/secrets/cov + name: cov-license + readOnly: true + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + env: + - name: COV_ANALYZE_ARGS + value: $(params.COV_ANALYZE_ARGS) + - name: KFP_GIT_URL + value: $(params.KFP_GIT_URL) + - name: COV_LICENSE + value: $(params.COV_LICENSE) + - name: IMP_FINDINGS_ONLY + value: $(params.IMP_FINDINGS_ONLY) + - name: PROJECT_NAME + value: $(params.PROJECT_NAME) + - name: RECORD_EXCLUDED + value: 
$(params.RECORD_EXCLUDED) + - name: COMPONENT_LABEL + valueFrom: + fieldRef: + fieldPath: metadata.labels['appstudio.openshift.io/component'] + script: | + #!/usr/bin/env bash + set -eo pipefail + # shellcheck source=/dev/null + . /usr/local/share/konflux-test/utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + echo 'Starting Coverity buildless scan' + + export HOME="/var/tmp/coverity/home" + + if [[ -z "${PROJECT_NAME}" ]]; then + PROJECT_NAME=${COMPONENT_LABEL} + fi + echo "The PROJECT_NAME used is: ${PROJECT_NAME}" + + COVERITY_DIR=/var/tmp/coverity/idir + COVERITY_RESULTS_FILE=/var/workdir/coverity-buildless-results.json + COV_LICENSE_PATH=/etc/secrets/cov/cov-license + SOURCE_CODE_DIR=/var/workdir + + # Installing Coverity license + cp "$COV_LICENSE_PATH" /opt/coverity/bin/license.dat + + # Installation of Red Hat certificates for cloning Red Hat internal repositories + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + # Create configuration file for coverity buildless + echo -e 'capture:\n build-command-inference: false' >"$SOURCE_CODE_DIR"/coverity.yml + + set +e -x + # Buildless scan + # shellcheck disable=SC2086 + env COV_HOST=konflux /opt/coverity/bin/coverity capture --project-dir "$SOURCE_CODE_DIR" --dir "$COVERITY_DIR" + COV_CAPTURE_EXIT_CODE=$? + set -x + + if [[ "$COV_CAPTURE_EXIT_CODE" -eq 0 ]]; then + echo "Coverity capture scan finished successfully" + else + echo "Coverity capture command failed with exit code ${COV_CAPTURE_EXIT_CODE}. Exiting..." + note="Task $(context.task.name) failed: For details, check Tekton task log." 
+ ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + exit 1 + fi + + # Analysis phase + set -x + /opt/coverity/bin/cov-manage-emit --dir $COVERITY_DIR reset-host-name + # shellcheck disable=SC2086 + /opt/coverity/bin/cov-analyze $COV_ANALYZE_ARGS --dir="$COVERITY_DIR" + COV_ANALYZE_EXIT_CODE=$? + set +x + + if [[ "$COV_ANALYZE_EXIT_CODE" -eq 0 ]]; then + echo "cov-analyze scan finished successfully" + else + echo "cov-analyze scan failed with exit code ${COV_ANALYZE_EXIT_CODE}. Exiting..." + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + exit 1 + fi + set -e + + /opt/coverity/bin/cov-format-errors --dir="$COVERITY_DIR" --json-output-v10 "$COVERITY_RESULTS_FILE" + # We parse the results, embed context, remove duplicates and store them in SARIF format. + IMP_LEVEL=1 + if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then + IMP_LEVEL=0 + fi + + (cd "$SOURCE_CODE_DIR" && csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --embed-context=3 "$COVERITY_RESULTS_FILE") | + csgrep --mode=json --strip-path-prefix="$SOURCE_CODE_DIR"/source/ | + csgrep --mode=json --strip-path-prefix="$HOME" \ + >sast_coverity_buildless_check_all_findings.json + + echo "Results:" + (set -x && csgrep --mode=evtstat sast_coverity_buildless_check_all_findings.json) + + # We check if the KFP_GIT_URL variable is set to apply the filters or not + if [[ -z "${KFP_GIT_URL}" ]]; then + echo "KFP_GIT_URL variable not defined. False positives won't be filtered" + mv sast_coverity_buildless_check_all_findings.json filtered_sast_coverity_buildless_check_all_findings.json + else + echo "Filtering false positives in results files using csfilter-kfp..." 
+ CMD=( + csfilter-kfp + --verbose + --kfp-git-url="${KFP_GIT_URL}" + --project-nvr="${PROJECT_NAME}" + ) + + if [ "${RECORD_EXCLUDED}" == "true" ]; then + CMD+=(--record-excluded="excluded-findings.json") + fi + + "${CMD[@]}" sast_coverity_buildless_check_all_findings.json >filtered_sast_coverity_buildless_check_all_findings.json + status=$? + if [ "$status" -ne 0 ]; then + echo "Error: failed to filter known false positives" >&2 + return 1 + else + echo "Message: Succeed to filter known false positives" >&2 + fi + + echo "Results after filtering:" + (set -x && csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json) + fi + + csgrep --mode=sarif filtered_sast_coverity_buildless_check_all_findings.json >"/var/workdir"/coverity-results.sarif + + if [[ -z "$(csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json)" ]]; then + note="Task $(context.task.name) success: No finding was detected" + ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + else + TEST_OUTPUT= + parse_test_output "$(context.task.name)" sarif "/var/workdir"/coverity-results.sarif || true + note="Task $(context.task.name) failed: For details, check Tekton task log." + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + fi + + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)" + computeResources: + limits: + cpu: "16" + memory: 32Gi + requests: + cpu: "8" + memory: 16Gi + - name: upload + image: quay.io/konflux-ci/oras:latest@sha256:99737f436051e6d3866eb8a8706463c35abf72c87f05090ff42ff642f6729661 + workingDir: /var/workdir + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + script: | + #!/usr/bin/env bash + + if [ -z "${IMAGE_URL}" ] || [ -z "${IMAGE_DIGEST}" ]; then + echo 'No image-url or image-digest param provided. Skipping upload.' 
+ exit 0 + fi + UPLOAD_FILES="coverity-results.sarif excluded-findings.json" + + for UPLOAD_FILE in ${UPLOAD_FILES}; do + if [ ! -f "${UPLOAD_FILE}" ]; then + echo "No ${UPLOAD_FILE} exists. Skipping upload." + continue + fi + if [ "${UPLOAD_FILES}" == "excluded-findings.json" ]; then + MEDIA_TYPE=application/json + else + MEDIA_TYPE=application/sarif+json + fi + + echo "Selecting auth" + select-oci-auth "${IMAGE_URL}" >"${HOME}/auth.json" + echo "Attaching to ${IMAGE_URL}" + oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + done diff --git a/task/sast-coverity-check-oci-ta/OWNERS b/task/sast-coverity-check-oci-ta/OWNERS new file mode 100644 index 0000000000..4f4bc81c01 --- /dev/null +++ b/task/sast-coverity-check-oci-ta/OWNERS @@ -0,0 +1,6 @@ +# See the OWNERS docs: https://go.k8s.io/owners +approvers: + - integration-team +reviewers: + - integration-team + - kdudka diff --git a/task/sast-coverity-check/0.1/README.md b/task/sast-coverity-check/0.1/README.md new file mode 100644 index 0000000000..3c1ac089da --- /dev/null +++ b/task/sast-coverity-check/0.1/README.md 
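Review bot: In the upload step, `if [ "${UPLOAD_FILES}" == "excluded-findings.json" ]` compares the whole file list instead of the loop variable, so excluded-findings.json is always attached with the SARIF media type; it should read `if [ "${UPLOAD_FILE}" == "excluded-findings.json" ]; then`. In the sast-coverity-check step the `status=$?` check after `"${CMD[@]}" … >filtered_…` is unreachable because `set -e` was re-enabled a few lines earlier (a failing csfilter-kfp aborts the script before it), and the `return 1` it guards is not inside a function; `"${CMD[@]}" sast_coverity_buildless_check_all_findings.json >filtered_sast_coverity_buildless_check_all_findings.json || { echo "Error: failed to filter known false positives" >&2; exit 1; }` expresses the intent. In the findings branch of the last `if`, `note=` is assigned but never used and `ERROR_OUTPUT` has not been set on that path, so `echo "${ERROR_OUTPUT}" | tee` writes an empty result that the final line then overwrites; either drop those two lines or build ERROR_OUTPUT from `note` with make_result_json as the other branches do. The same three issues are in the sast-coverity-check.yaml hunk under task/sast-coverity-check/0.1, and since this file is generated from that one via recipe.yaml the fix belongs in the base followed by a regenerate.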
@@ -0,0 +1,45 @@ +# sast-coverity-check task + +## Description: + +The sast-coverity-check task uses Coverity tool to perform Static Application Security Testing (SAST). In this task, we use the buildless mode, where Coverity has the ability to capture source code without the need of building the product. + +The documentation for this mode can be found here: https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html + +The characteristics of these tasks are: + +- Perform buildless scanning with Coverity +- The whole source code is scanned (by scanning `$(workspaces.source.path)` ) +- Only important findings are reported by default. A parameter ( `IMP_FINDINGS_ONLY`) is provided to override this configuration. +- The csdiff/v1 SARIF fingerprints are provided for all findings +- A parameter ( `KFP_GIT_URL`) is provided to remove false positives providing a known false positives repository. By default, no repository is provided. + +> NOTE: This task is executed only if there is a Coverity license set up in the environment. Please check coverity-availability-check task for more information. + +## Params: + +| name | description | default value | required | +|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| COV_ANALYZE_ARGS | Append arguments to the cov-analyze CLI command | "" | no | +| COV_LICENSE | Name of secret which contains the Coverity license | cov-license | no | +| AUTH_TOKEN_COVERITY_IMAGE | Name of secret which contains the authentication token for pulling the Coverity image | auth-token-coverity-image | no | +| IMP_FINDINGS_ONLY | Report only important findings. Default is true. 
To report all findings, specify "false" | true | no | +| KFP_GIT_URL | Known False Positives git URL, optionally taking a revision delimited by #; If empty, filtering of known false positives is disabled. | "" | no | +| PROJECT_NAME | Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used. | "" | no | +| RECORD_EXCLUDED | If set to `true`, excluded findings will be written to a file named `excluded-findings.json` for auditing purposes. | false | no | + +## Results: + +| name | description | +|-------------------|--------------------------| +| TEST_OUTPUT | Tekton task test output. | + +## Source repository for image: + +// TODO: Add reference to private repo for the container image once the task is migrated to repo + + +## Additional links: + +* https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html +* https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/cli/topics/options_reference.html diff --git a/task/sast-coverity-check/0.1/sast-coverity-check.yaml b/task/sast-coverity-check/0.1/sast-coverity-check.yaml new file mode 100644 index 0000000000..368ead8ad1 --- /dev/null +++ b/task/sast-coverity-check/0.1/sast-coverity-check.yaml 
@@ -0,0 +1,275 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "konflux" + name: sast-coverity-check +spec: + description: >- + Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Coverity. At the moment, this task only uses the buildless mode, which does not build the project in order to analyze it. + results: + - description: Tekton task test output. + name: TEST_OUTPUT + params: + - description: Image URL. + name: image-url + type: string + - description: Image digest to report findings for. + name: image-digest + type: string + - name: caTrustConfigMapName + type: string + description: The name of the ConfigMap to read CA bundle data from. + default: trusted-ca + - name: caTrustConfigMapKey + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data. + default: ca-bundle.crt + - description: Arguments to be appended to the cov-analyze command + name: COV_ANALYZE_ARGS + type: string + default: "--enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096" + - name: COV_LICENSE + description: Name of secret which contains the Coverity license + default: cov-license + - name: AUTH_TOKEN_COVERITY_IMAGE + description: Name of secret which contains the authentication token for pulling the Coverity image. + default: "auth-token-coverity-image" + - name: IMP_FINDINGS_ONLY + type: string + description: Report only important findings. Default is true. 
To report all findings, specify "false" + default: "true" + - name: KFP_GIT_URL + type: string + description: URL from repository to download known false positives files + # FIXME: Red Hat internal projects will default to https://gitlab.cee.redhat.com/osh/known-false-positives.git when KONFLUX-4530 is resolved + default: "" + - name: PROJECT_NAME + description: Name of the scanned project, used to find path exclusions. + By default, the Konflux component name will be used. + type: string + default: "" + - name: RECORD_EXCLUDED + type: string + description: Write excluded records in file. Useful for auditing (defaults to false). + default: "false" + volumes: + - name: cov-license + secret: + secretName: $(params.COV_LICENSE) + optional: false + - name: auth-token-coverity-image + secret: + secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE) + optional: false + - name: trusted-ca + configMap: + name: $(params.caTrustConfigMapName) + items: + - key: $(params.caTrustConfigMapKey) + path: ca-bundle.crt + optional: true + steps: + - name: sast-coverity-check + # image: $(steps.secrets-check.results.image) + image: quay.io/redhat-services-prod/sast/coverity@sha256:0d1b96fb08a901b2d0e340599c7fee7e1de25e2d6ba58f3d95db4983f32b5a3c + computeResources: + requests: + memory: "16Gi" + cpu: "8" + limits: + memory: "32Gi" + cpu: "16" + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) + volumeMounts: + - name: cov-license + mountPath: "/etc/secrets/cov" + readOnly: true + - name: trusted-ca + mountPath: /mnt/trusted-ca + readOnly: true + env: + - name: COV_ANALYZE_ARGS + value: $(params.COV_ANALYZE_ARGS) + - name: KFP_GIT_URL + value: $(params.KFP_GIT_URL) + - name: COV_LICENSE + value: $(params.COV_LICENSE) + - name: IMP_FINDINGS_ONLY + value: $(params.IMP_FINDINGS_ONLY) + - name: PROJECT_NAME + value: 
$(params.PROJECT_NAME) + - name: RECORD_EXCLUDED + value: $(params.RECORD_EXCLUDED) + - name: COMPONENT_LABEL + valueFrom: + fieldRef: + fieldPath: metadata.labels['appstudio.openshift.io/component'] + script: | + #!/usr/bin/env bash + set -eo pipefail + # shellcheck source=/dev/null + . /usr/local/share/konflux-test/utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + echo 'Starting Coverity buildless scan' + + export HOME="/var/tmp/coverity/home" + + if [[ -z "${PROJECT_NAME}" ]]; then + PROJECT_NAME=${COMPONENT_LABEL} + fi + echo "The PROJECT_NAME used is: ${PROJECT_NAME}" + + COVERITY_DIR=/var/tmp/coverity/idir + COVERITY_RESULTS_FILE=$(workspaces.workspace.path)/coverity-buildless-results.json + COV_LICENSE_PATH=/etc/secrets/cov/cov-license + SOURCE_CODE_DIR=$(workspaces.workspace.path) + + # Installing Coverity license + cp "$COV_LICENSE_PATH" /opt/coverity/bin/license.dat + + # Installation of Red Hat certificates for cloning Red Hat internal repositories + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + # Create configuration file for coverity buildless + echo -e 'capture:\n build-command-inference: false' > "$SOURCE_CODE_DIR"/coverity.yml + + set +e -x + # Buildless scan + # shellcheck disable=SC2086 + env COV_HOST=konflux /opt/coverity/bin/coverity capture --project-dir "$SOURCE_CODE_DIR" --dir "$COVERITY_DIR" + COV_CAPTURE_EXIT_CODE=$? + set -x + + if [[ "$COV_CAPTURE_EXIT_CODE" -eq 0 ]]; then + echo "Coverity capture scan finished successfully" + else + echo "Coverity capture command failed with exit code ${COV_CAPTURE_EXIT_CODE}. Exiting..." + note="Task $(context.task.name) failed: For details, check Tekton task log." 
+ ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + exit 1 + fi + + # Analysis phase + set -x + /opt/coverity/bin/cov-manage-emit --dir $COVERITY_DIR reset-host-name + # shellcheck disable=SC2086 + /opt/coverity/bin/cov-analyze $COV_ANALYZE_ARGS --dir="$COVERITY_DIR" + COV_ANALYZE_EXIT_CODE=$? + set +x + + if [[ "$COV_ANALYZE_EXIT_CODE" -eq 0 ]]; then + echo "cov-analyze scan finished successfully" + else + echo "cov-analyze scan failed with exit code ${COV_ANALYZE_EXIT_CODE}. Exiting..." + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + exit 1 + fi + set -e + + /opt/coverity/bin/cov-format-errors --dir="$COVERITY_DIR" --json-output-v10 "$COVERITY_RESULTS_FILE" + # We parse the results, embed context, remove duplicates and store them in SARIF format. + IMP_LEVEL=1 + if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then + IMP_LEVEL=0 + fi + + (cd "$SOURCE_CODE_DIR" && csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --embed-context=3 "$COVERITY_RESULTS_FILE") \ + | csgrep --mode=json --strip-path-prefix="$SOURCE_CODE_DIR"/source/ \ + | csgrep --mode=json --strip-path-prefix="$HOME" \ + > sast_coverity_buildless_check_all_findings.json + + echo "Results:" + (set -x && csgrep --mode=evtstat sast_coverity_buildless_check_all_findings.json) + + # We check if the KFP_GIT_URL variable is set to apply the filters or not + if [[ -z "${KFP_GIT_URL}" ]]; then + echo "KFP_GIT_URL variable not defined. False positives won't be filtered" + mv sast_coverity_buildless_check_all_findings.json filtered_sast_coverity_buildless_check_all_findings.json + else + echo "Filtering false positives in results files using csfilter-kfp..." 
+ CMD=( + csfilter-kfp + --verbose + --kfp-git-url="${KFP_GIT_URL}" + --project-nvr="${PROJECT_NAME}" + ) + + if [ "${RECORD_EXCLUDED}" == "true" ]; then + CMD+=(--record-excluded="excluded-findings.json") + fi + + "${CMD[@]}" sast_coverity_buildless_check_all_findings.json > filtered_sast_coverity_buildless_check_all_findings.json + status=$? + if [ "$status" -ne 0 ]; then + echo "Error: failed to filter known false positives" >&2 + return 1 + else + echo "Message: Succeed to filter known false positives" >&2 + fi + + echo "Results after filtering:" + (set -x && csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json) + fi + + csgrep --mode=sarif filtered_sast_coverity_buildless_check_all_findings.json > "$(workspaces.workspace.path)"/coverity-results.sarif + + if [[ -z "$(csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json)" ]]; then + note="Task $(context.task.name) success: No finding was detected" + ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + else + TEST_OUTPUT= + parse_test_output "$(context.task.name)" sarif "$(workspaces.workspace.path)"/coverity-results.sarif || true + note="Task $(context.task.name) failed: For details, check Tekton task log." + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + fi + + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)" + - name: upload + image: quay.io/konflux-ci/oras:latest@sha256:99737f436051e6d3866eb8a8706463c35abf72c87f05090ff42ff642f6729661 + workingDir: $(workspaces.workspace.path) + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + script: | + #!/usr/bin/env bash + + if [ -z "${IMAGE_URL}" ] || [ -z "${IMAGE_DIGEST}" ]; then + echo 'No image-url or image-digest param provided. Skipping upload.' 
+ exit 0 + fi + UPLOAD_FILES="coverity-results.sarif excluded-findings.json" + + for UPLOAD_FILE in ${UPLOAD_FILES}; do + if [ ! -f "${UPLOAD_FILE}" ]; then + echo "No ${UPLOAD_FILE} exists. Skipping upload." + continue + fi + if [ "${UPLOAD_FILES}" == "excluded-findings.json" ]; then + MEDIA_TYPE=application/json + else + MEDIA_TYPE=application/sarif+json + fi + + echo "Selecting auth" + select-oci-auth "${IMAGE_URL}" > "${HOME}/auth.json" + echo "Attaching to ${IMAGE_URL}" + oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + done + workspaces: + - name: workspace diff --git a/task/sast-coverity-check/OWNERS b/task/sast-coverity-check/OWNERS new file mode 100644 index 0000000000..4f4bc81c01 --- /dev/null +++ b/task/sast-coverity-check/OWNERS @@ -0,0 +1,6 @@ +# See the OWNERS docs: https://go.k8s.io/owners +approvers: + - integration-team +reviewers: + - integration-team + - kdudka diff --git a/task/sast-unicode-check-oci-ta/0.1/README.md b/task/sast-unicode-check-oci-ta/0.1/README.md new file mode 100644 index 0000000000..b54622633b --- /dev/null +++ b/task/sast-unicode-check-oci-ta/0.1/README.md 
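Review bot: The commented-out `# image: $(steps.secrets-check.results.image)` above the pinned image in the sast-coverity-check step is dead configuration in a brand-new file; drop it or make it a `# TODO:` that names what it is waiting on. The README added alongside this task lists the COV_ANALYZE_ARGS default as `""`, while this hunk sets `default: "--enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096"`; the README table should state the real default, since it is the value that determines which checkers run. `cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors` is the one unquoted expansion in an otherwise quoted script; `cp -vf "$ca_bundle" /etc/pki/ca-trust/source/anchors` keeps it consistent and shellcheck-clean.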
@@ -0,0 +1,23 @@ +# sast-unicode-check-oci-ta task + +Scans source code for non-printable unicode characters in all text files. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| +|FIND_UNICODE_CONTROL_ARGS|arguments for find-unicode-control command.|-p bidi -v -d -t|false| +|FIND_UNICODE_CONTROL_GIT_URL|URL from repository to find unicode control.|https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58|false| +|KFP_GIT_URL|URL from repository to download known false positives files.|""|false| +|PROJECT_NAME|Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.|""|false| +|RECORD_EXCLUDED|Whether to record the excluded findings (defaults to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. |false|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|image-url|Image URL.|""|false| + +## Results +|name|description| +|---|---| +|TEST_OUTPUT|Tekton task test output.| + diff --git a/task/sast-unicode-check-oci-ta/0.1/recipe.yaml b/task/sast-unicode-check-oci-ta/0.1/recipe.yaml new file mode 100644 index 0000000000..dd7ca51d31 --- /dev/null +++ b/task/sast-unicode-check-oci-ta/0.1/recipe.yaml @@ -0,0 +1,12 @@ +--- +base: ../../sast-unicode-check/0.1/sast-unicode-check.yaml +add: + - use-source + - use-cachi2 +preferStepTemplate: true +removeWorkspaces: + - workspace +replacements: + workspaces.workspace.path: /var/workdir +regexReplacements: + hacbs/\$\(context.task.name\): source 
diff --git a/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml b/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml new file mode 100644 index 0000000000..6b927e9e8c --- /dev/null +++ b/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml 
@@ -0,0 +1,287 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: sast-unicode-check-oci-ta + annotations: + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/tags: konflux + labels: + app.kubernetes.io/version: "0.1" +spec: + description: Scans source code for non-printable unicode characters in all + text files. + params: + - name: CACHI2_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the prefetched dependencies. + type: string + default: "" + - name: FIND_UNICODE_CONTROL_ARGS + description: arguments for find-unicode-control command. + type: string + default: -p bidi -v -d -t + - name: FIND_UNICODE_CONTROL_GIT_URL + description: URL from repository to find unicode control. + type: string + default: https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58 + - name: KFP_GIT_URL + description: URL from repository to download known false positives files. + type: string + default: "" + - name: PROJECT_NAME + description: Name of the scanned project, used to find path exclusions. + By default, the Konflux component name will be used. + type: string + default: "" + - name: RECORD_EXCLUDED + description: | + Whether to record the excluded findings (defaults to false). + If `true`, the excluded findings will be stored in `excluded-findings.json`. + type: string + default: "false" + - name: SOURCE_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the application source code. + type: string + - name: caTrustConfigMapKey + description: The name of the key in the ConfigMap that contains the + CA bundle data. + type: string + default: ca-bundle.crt + - name: caTrustConfigMapName + description: The name of the ConfigMap to read CA bundle data from. + type: string + default: trusted-ca + - name: image-url + description: Image URL. + type: string + default: "" + results: + - name: TEST_OUTPUT + description: Tekton task test output. 
+ volumes: + - name: trusted-ca + configMap: + items: + - key: $(params.caTrustConfigMapKey) + path: ca-bundle.crt + name: $(params.caTrustConfigMapName) + optional: true + - name: workdir + emptyDir: {} + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir + steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a83c92fc0a1e2c785937c6612dc8c8237818535543f00ecaf6b3b77a35f76259 + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + - name: sast-unicode-check + image: quay.io/redhat-appstudio/konflux-test:v1.4.8@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70 + workingDir: /var/workdir/source + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + env: + - name: KFP_GIT_URL + value: $(params.KFP_GIT_URL) + - name: PROJECT_NAME + value: $(params.PROJECT_NAME) + - name: FIND_UNICODE_CONTROL_GIT_URL + value: $(params.FIND_UNICODE_CONTROL_GIT_URL) + - name: FIND_UNICODE_CONTROL_ARGS + value: $(params.FIND_UNICODE_CONTROL_ARGS) + - name: RECORD_EXCLUDED + value: $(params.RECORD_EXCLUDED) + - name: SOURCE_CODE_DIR + value: /var/workdir + - name: COMPONENT_LABEL + valueFrom: + fieldRef: + fieldPath: metadata.labels['appstudio.openshift.io/component'] + script: | + #!/usr/bin/env bash + set -exuo pipefail + + # shellcheck source=/dev/null + . 
/utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + if [[ -z "${PROJECT_NAME}" ]]; then + PROJECT_NAME=${COMPONENT_LABEL} + fi + + echo "The PROJECT_NAME used is: ${PROJECT_NAME}" + + SCAN_PROP="" + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + # Clone the source code from upstream repo + GIT_URL=$(echo "${FIND_UNICODE_CONTROL_GIT_URL}" | awk -F'#' '{print $1}') + REV=$(echo "${FIND_UNICODE_CONTROL_GIT_URL}" | awk -F'#' '{print $2}') + + # Clone find-unicode-control repository + if ! git clone "${GIT_URL}" find-unicode-control; then + echo "Failed to clone the repository: ${GIT_URL}" >&2 + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 1 + fi + + if [[ -n "${REV}" ]]; then + if ! git -C ./find-unicode-control/ checkout "${REV}"; then + echo "Failed to checkout the repository: ${GIT_URL} to ${REV}" >&2 + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 1 + fi + SCAN_PROP="find-unicode-control-git-url:${FIND_UNICODE_CONTROL_GIT_URL}" + else + git_url_suffix=$(git -C ./find-unicode-control/ rev-parse HEAD) + SCAN_PROP="find-unicode-control-git-url:${FIND_UNICODE_CONTROL_GIT_URL}#${git_url_suffix}" + fi + + # Find unicode control + FUC_EXIT_CODE=0 + + # shellcheck disable=SC2086 + LANG=en_US.utf8 ./find-unicode-control/find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} "${SOURCE_CODE_DIR}/source" \ + >raw_sast_unicode_check_out.txt \ + 2>raw_sast_unicode_check_out.log || + FUC_EXIT_CODE=$? 
+ if [[ "${FUC_EXIT_CODE}" -ne 0 ]] && [[ "${FUC_EXIT_CODE}" -ne 1 ]]; then + echo "Failed to run find-unicode-control command" >&2 + cat raw_sast_unicode_check_out.log + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 1 + fi + + # Translate the output format + if ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\1: warning:\2|' -e 's|^|Error: UNICONTROL_WARNING:\n|'; then + echo "Error: failed to translate the unicontrol output format" >&2 + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 1 + fi + + # Process all results as configured with CSGERP_OPTS + CSGERP_OPTS=( + --mode=json + --remove-duplicates + --embed-context=3 + --set-scan-prop="${SCAN_PROP}" + --strip-path-prefix="${SOURCE_CODE_DIR}"/source/ + ) + # In order to generate csdiff/v1, we need to add the whole path of the source code as + # sast-unicode-check only provides an URI to embed the context + if ! csgrep "${CSGERP_OPTS[@]}" raw_sast_unicode_check_out.txt >processed_sast_unicode_check_out.json 2>processed_sast_unicode_check_out.err; then + echo "Error occurred while running csgrep with CSGERP_OPTS:" + cat processed_sast_unicode_check_out.err + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 1 + fi + + csgrep --mode=evtstat processed_sast_unicode_check_out.json + + # Filter known false positives if KFP_GIT_URL is set + if [ -n "${KFP_GIT_URL}" ]; then + echo "Filtering false positives in results files using ${KFP_GIT_URL}..." 
>&2 + + # Build initial csfilter-kfp command + csfilter_kfp_cmd=( + csfilter-kfp + --verbose + --kfp-git-url="${KFP_GIT_URL}" + ) + + # Append --project-nvr option if PROJECT_NVR is set + if [[ -n "${PROJECT_NAME}" ]]; then + csfilter_kfp_cmd+=(--project-nvr="${PROJECT_NAME}") + fi + + # Append --record-excluded option if RECORD_EXCLUDED is true + if [[ "${RECORD_EXCLUDED}" == "true" ]]; then + csfilter_kfp_cmd+=(--record-excluded="excluded-findings.json") + fi + + if ! "${csfilter_kfp_cmd[@]}" processed_sast_unicode_check_out.json >sast_unicode_check_out.json 2>sast_unicode_check_out.error; then + echo "Failed to filter known false positives" >&2 + cat sast_unicode_check_out.error + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 1 + fi + else + echo "KFP_GIT_URL is not set. Skipping false positive filtering." >&2 + mv processed_sast_unicode_check_out.json sast_unicode_check_out.json + fi + + # Generate sarif report + csgrep --mode=sarif sast_unicode_check_out.json >sast_unicode_check_out.sarif + if [[ "${FUC_EXIT_CODE}" -eq 0 ]]; then + note="Task $(context.task.name) success: No finding was detected" + ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note") + elif [[ "${FUC_EXIT_CODE}" -eq 1 ]] && [[ ! -s sast_unicode_check_out.sarif ]]; then + note="Task $(context.task.name) success: Some findings were detected, but filtered by known false positive" + ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note") + else + echo "sast-unicode-check test failed because of the following issues:" + cat sast_unicode_check_out.json + TEST_OUTPUT= + parse_test_output "$(context.task.name)" sarif sast_unicode_check_out.sarif || true + note="Task $(context.task.name) failed: For details, check Tekton task log." 
+ ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + fi + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)" + - name: upload + image: quay.io/konflux-ci/oras:latest@sha256:7a85f12b14b9122df29450dfa60c6d035b04db1a7372f7b606a0fb74ed716844 + workingDir: /var/workdir/source + env: + - name: IMAGE_URL + value: $(params.image-url) + script: | + #!/usr/bin/env bash + + if [ -z "${IMAGE_URL}" ]; then + echo 'No image-url param provided. Skipping upload.' + exit 0 + fi + + UPLOAD_FILES="sast_unicode_check_out.sarif excluded-findings.json" + for UPLOAD_FILE in ${UPLOAD_FILES}; do + if [ ! -f "${UPLOAD_FILE}" ]; then + echo "No ${UPLOAD_FILE} exists. Skipping upload." + continue + fi + + if [ "${UPLOAD_FILES}" == "excluded-findings.json" ]; then + MEDIA_TYPE=application/json + else + MEDIA_TYPE=application/sarif+json + fi + + echo "Selecting auth" + select-oci-auth "${IMAGE_URL}" >"${HOME}/auth.json" + echo "Attaching to ${IMAGE_URL}" + oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + done diff --git a/task/sast-unicode-check-oci-ta/OWNERS b/task/sast-unicode-check-oci-ta/OWNERS new file mode 100644 index 0000000000..27203edec2 --- /dev/null +++ b/task/sast-unicode-check-oci-ta/OWNERS @@ -0,0 +1,5 @@ +# See the OWNERS docs: https://go.k8s.io/owners +approvers: + - integration-team +reviewers: + - integration-team diff --git a/task/sast-unicode-check/0.1/README.md b/task/sast-unicode-check/0.1/README.md index 5a295dd68c..a72751d3ef 100644 --- a/task/sast-unicode-check/0.1/README.md +++ b/task/sast-unicode-check/0.1/README.md 
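Review bot: The media-type selection in the upload step compares the whole list variable, `if [ "${UPLOAD_FILES}" == "excluded-findings.json" ]`, instead of the loop variable, so the branch can never match and `excluded-findings.json` is attached to the image as `application/sarif+json`; it should read `if [ "${UPLOAD_FILE}" == "excluded-findings.json" ]; then`. The neighbouring recipe.yaml suggests this task is generated from sast-unicode-check.yaml, so the fix presumably belongs in the base task (whose upload step is not part of this diff) and should be regenerated here rather than patched by hand. The same comparison appears in the sast-coverity-check upload step earlier in this diff, so that task is likely affected too.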
@@ -11,7 +11,7 @@ The sast-unicode-check task uses [find-unicode-control](https://github.com/siddh | FIND_UNICODE_CONTROL_GIT_URL | URL from repository to find unicode control. | "https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58" | No | | FIND_UNICODE_CONTROL_ARGS | arguments for find-unicode-control command. | "-p bidi -v -d -t" | No | | KFP_GIT_URL | Known False Positives git URL, optionally taking a revision delimited by #; If empty, filtering of known false positives is disabled. | "" | No | -| PROJECT_NVR | Name-Version-Release (NVR) of the scanned project. It is used to find path exclusions (it is optional). | "" | No | +| PROJECT_NAME | Name of the scanned project, used to find path exclusions. If set to an empty string, the Konflux component name will be used. | "" | No | | RECORD_EXCLUDED | Whether to record the excluded findings (defaults to false). If `true`, the the excluded findings will be stored in `excluded-findings.json`. | "false" | No | ## Results: diff --git a/task/sast-unicode-check/0.1/sast-unicode-check.yaml b/task/sast-unicode-check/0.1/sast-unicode-check.yaml index 80a238281e..14562e42e1 100644 --- a/task/sast-unicode-check/0.1/sast-unicode-check.yaml +++ b/task/sast-unicode-check/0.1/sast-unicode-check.yaml 
@@ -31,17 +31,15 @@ spec: description: URL from repository to download known false positives files. # FIXME: Red Hat internal projects will default to https://gitlab.cee.redhat.com/osh/known-false-positives.git when KONFLUX-4530 is resolved default: "" - - name: PROJECT_NVR + - name: PROJECT_NAME + description: Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used. type: string - description: | - Name-Version-Release (NVR) of the scanned project. - It is used to find path exclusions (it is optional). default: "" - name: RECORD_EXCLUDED type: string description: | Whether to record the excluded findings (defaults to false). - If `true`, the the excluded findings will be stored in `excluded-findings.json`. + If `true`, the excluded findings will be stored in `excluded-findings.json`. default: "false" - name: caTrustConfigMapName type: string @@ -72,16 +70,20 @@ spec: env: - name: KFP_GIT_URL value: $(params.KFP_GIT_URL) + - name: PROJECT_NAME + value: $(params.PROJECT_NAME) - name: FIND_UNICODE_CONTROL_GIT_URL value: $(params.FIND_UNICODE_CONTROL_GIT_URL) - name: FIND_UNICODE_CONTROL_ARGS value: $(params.FIND_UNICODE_CONTROL_ARGS) - - name: PROJECT_NVR - value: $(params.PROJECT_NVR) - name: RECORD_EXCLUDED value: $(params.RECORD_EXCLUDED) - name: SOURCE_CODE_DIR value: $(workspaces.workspace.path) + - name: COMPONENT_LABEL + valueFrom: + fieldRef: + fieldPath: metadata.labels['appstudio.openshift.io/component'] script: | #!/usr/bin/env bash set -exuo pipefail @@ -90,6 +92,12 @@ spec: . /utils.sh trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + if [[ -z "${PROJECT_NAME}" ]]; then + PROJECT_NAME=${COMPONENT_LABEL} + fi + + echo "The PROJECT_NAME used is: ${PROJECT_NAME}" + SCAN_PROP="" ca_bundle=/mnt/trusted-ca/ca-bundle.crt 
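Review bot: The fallback in the @@ -90 hunk, `PROJECT_NAME=${COMPONENT_LABEL}`, silently leaves PROJECT_NAME empty when the pod carries no `appstudio.openshift.io/component` label: the downward-API env added in the @@ -72 hunk presumably resolves to an empty string in that case, `set -u` does not catch a set-but-empty variable, and the later `--project-nvr` option is then skipped with no hint in the log. Consider warning on that path, e.g. `[[ -n "${PROJECT_NAME}" ]] || echo "WARNING: PROJECT_NAME is empty (no component label found); KFP path exclusions will not be applied" >&2`, so a missing label is not mistaken for a project that has no exclusions. The step script continues outside the hunk.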
@@ -128,8 +136,9 @@ spec: # Find unicode control FUC_EXIT_CODE=0 - mapfile -t fuc_args <<< "${FIND_UNICODE_CONTROL_ARGS}" - LANG=en_US.utf8 ./find-unicode-control/find_unicode_control.py "${fuc_args[@]}" "${SOURCE_CODE_DIR}/source" \ + + # shellcheck disable=SC2086 + LANG=en_US.utf8 ./find-unicode-control/find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} "${SOURCE_CODE_DIR}/source" \ >raw_sast_unicode_check_out.txt \ 2>raw_sast_unicode_check_out.log \ || FUC_EXIT_CODE=$? @@ -184,8 +193,8 @@ spec: ) # Append --project-nvr option if PROJECT_NVR is set - if [[ -n "${PROJECT_NVR}" ]]; then - csfilter_kfp_cmd+=(--project-nvr="${PROJECT_NVR}") + if [[ -n "${PROJECT_NAME}" ]]; then + csfilter_kfp_cmd+=(--project-nvr="${PROJECT_NAME}") fi # Append --record-excluded option if RECORD_EXCLUDED is true diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index afc5182301..590a027f56 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml @@ -114,7 +114,7 @@ spec: | .name + "@" + $matched.digest ' <<<"$sbom" | tee "$BASE_IMAGES_FILE" - name: build - image: quay.io/konflux-ci/source-container-build:latest@sha256:ede15569b2ea539728b315ea9bb60625ebe5823877f1b40aefc058fca06c30c3 + image: quay.io/konflux-ci/source-container-build:latest@sha256:4cf62438b1b147e4a8b4e1c2ba792a8c717f561eeb093ae10129e1e07ce20290 workingDir: /var/workdir env: - name: SOURCE_DIR diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml index ff7430a091..ea20634133 100644 --- a/task/source-build/0.1/source-build.yaml +++ b/task/source-build/0.1/source-build.yaml 
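Review bot: The unquoted `${FIND_UNICODE_CONTROL_ARGS}` in the find_unicode_control.py call is subject to pathname expansion as well as the intended word splitting, so any argument containing `*`, `?` or `[` would be replaced by matching file names from the working directory before the scanner sees it; the SC2086 disable hides the warning rather than addressing it. Splitting into an array keeps the fix over the previous `mapfile` (which turned the whole string into a single argument) without globbing: `read -ra fuc_args <<< "${FIND_UNICODE_CONTROL_ARGS}"` followed by `LANG=en_US.utf8 ./find-unicode-control/find_unicode_control.py "${fuc_args[@]}" "${SOURCE_CODE_DIR}/source" \`. The surrounding step script starts and ends outside the hunk.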
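Review bot: The context comment in the @@ -184 hunk, `# Append --project-nvr option if PROJECT_NVR is set`, is now stale: the variable it guards was renamed to PROJECT_NAME in the changed lines directly below it, and because the csfilter-kfp option keeps its `--project-nvr` name the mismatch will confuse the next reader. Suggest `# Append --project-nvr option if PROJECT_NAME is set (csfilter-kfp still names the option --project-nvr)`. The enclosing command-building block continues outside the hunk.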
@@ -102,7 +102,7 @@ spec: ' <<< "$sbom" | tee "$BASE_IMAGES_FILE" - name: build - image: quay.io/konflux-ci/source-container-build:latest@sha256:ede15569b2ea539728b315ea9bb60625ebe5823877f1b40aefc058fca06c30c3 + image: quay.io/konflux-ci/source-container-build:latest@sha256:4cf62438b1b147e4a8b4e1c2ba792a8c717f561eeb093ae10129e1e07ce20290 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent computeResources: diff --git a/task/validate-fbc/0.1/README.md b/task/validate-fbc/0.1/README.md new file mode 100644 index 0000000000..537e732596 --- /dev/null +++ b/task/validate-fbc/0.1/README.md @@ -0,0 +1,18 @@ +# validate-fbc task + +Ensures file-based catalog (FBC) components are uniquely linted for proper construction as part of build pipeline. The manifest data of container images is checked using OpenShift Operator Framework's opm CLI tool. The opm binary is extracted from the container's base image, which must come from a trusted source. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE_URL|Fully qualified image name.||true| +|IMAGE_DIGEST|Image digest.||true| + +## Results +|name|description| +|---|---| +|RELATED_IMAGE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the related images for the FBC fragment.| +|TEST_OUTPUT_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the related images for the FBC fragment.| +|TEST_OUTPUT|Tekton task test output.| +|RELATED_IMAGES_DIGEST|Digest for attached json file containing related images| + diff --git a/task/validate-fbc/0.1/TROUBLESHOOTING.md b/task/validate-fbc/0.1/TROUBLESHOOTING.md new file mode 100644 index 0000000000..72674b4ea5 --- /dev/null +++ b/task/validate-fbc/0.1/TROUBLESHOOTING.md 
@@ -0,0 +1,21 @@ + +## Bundle properties are not permitted in a FBC fragment for OCP version + +Tasks may fail with an error message containing the string `bundle properties are not permitted in a FBC fragment for OCP version`. This means that your fragment needs to utilize the appropriate FBC bundle metadata format which aligns with your target catalog. Failure to do so will result in your package not being displayed in the OpenShift Console. + +For OCP versions: +- _4.16 or earlier_, bundle metadata must use the `olm.bundle.object` format +- _4.17 or later_, bundle metadata must use the `olm.csv.metadata` format + +### If you use `opm` tooling to generate your fragment + +Note: This assumes that opm is version v1.46.0 or later. + +If you generate your FBC using catalog template expansion or migration of existing catalogs, then by default, the tool will output `olm.bundle.object` metadata format. +You can choose to produce `olm.csv.metadata` format by using the `--migrate-level=bundle-object-to-csv-metadata` flag. + +### If you use other tooling to generate your fragment + +Bundle data in `olm.csv.metadata` format contains only information that the OpenShift Console needs which is derived from the package's Cluster Standard Version(CSV). Since the previous `olm.bundle.object` format would include bundle CSV metadata as well as other properties it is possible to convert from `olm.bundle.object` to `olm.csv.metadata`, but not the reverse. + +If you rely on other tooling/processes to produce your fragment and currently use the `olm.bundle.object` bundle metadata format, then you may either adjust your tooling to generate `olm.csv.metadata` format or you may use `opm` to migrate your fragment's bundle metadata by using `opm render --migrate-level=bundle-object-to-csv-metadata [fragment-ref]` (where `fragment-ref` is a pullspec to the fragment or a path to a directory containing the fragment). \ No newline at end of file 
diff --git a/task/validate-fbc/0.1/USAGE.md b/task/validate-fbc/0.1/USAGE.md new file mode 100644 index 0000000000..1a806b5e92 --- /dev/null +++ b/task/validate-fbc/0.1/USAGE.md @@ -0,0 +1,29 @@ +# validate-fbc task + +## Checks +### Valid base image +To validate the image in build pipeline, Skopeo is used to extract +information from the image itself and then contents are checked using the OpenShift Operator Framework. The binary +used to run the validation is extracted from the base image for the component being tested. Because of this, the +base image must come from a trusted source. Trusted sources are declared in `ALLOWED_BASE_IMAGES` in fbc-validation.yaml. + +### Valid FBC schema +To validate the schema format of the FBC fragment, the test +1. validates that the `operators.operatoframework.io.index.configs.v1` label is present on the image to identify the fragment path +2. extracts the `opm` binary from the base image for the fragment +3. executes `opm validate` over the fragment + +### At least one package in fragment +To validate that at least one package is included in the fragment, the test renders the FBC using `opm` and uses `jq` to count instances of `olm.package` and fails if there are none. + +### Bundle metadata in the appropriate format +To validate bundle metadata, the test evaluates bundle metadata usage against the target OCP version: +- for 4.16 and earlier, fragments must use `olm.bundle.object` (and not use `olm.csv.metadata`) +- for 4.17 and later, fragments must use `olm.csv.metadata` (and not use `olm.bundle.object`) + +## Data output +### Related images + +OPM will be used to render the catalog in order to identify the set of related images for the fragment. +These images will then be saved as an output artifact so that EC can verify that the pullspecs are valid +before releasing the fragment. \ No newline at end of file 
diff --git a/task/validate-fbc/0.1/validate-fbc.yaml b/task/validate-fbc/0.1/validate-fbc.yaml new file mode 100644 index 0000000000..73cc521361 --- /dev/null +++ b/task/validate-fbc/0.1/validate-fbc.yaml 
@@ -0,0 +1,473 @@ +# TODO: +# make this task multi-arch aware (i.e. return IMAGES_PROCESSED result). +# make this task fail if a bundle is an image index reference +# change the related-image check to be done in EC with exported related images instead of +# including it in the TEST_OUTPUT result +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "konflux" + name: validate-fbc +spec: + description: >- + Ensures file-based catalog (FBC) components are uniquely linted for proper construction as part of build pipeline. + The manifest data of container images is checked using OpenShift Operator Framework's opm CLI tool. + The opm binary is extracted from the container's base image, which must come from a trusted source. + params: + - name: IMAGE_URL + description: Fully qualified image name. + type: string + - name: IMAGE_DIGEST + description: Image digest. + type: string + results: + - name: RELATED_IMAGE_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the related images for the FBC fragment. + - name: TEST_OUTPUT_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the related images for the FBC fragment. + - name: TEST_OUTPUT + description: Tekton task test output. 
+ - name: RELATED_IMAGES_DIGEST + description: Digest for attached json file containing related images + volumes: + - name: shared + emptyDir: {} + - name: workdir + emptyDir: {} + stepTemplate: + env: + - name: IMAGE_URL + value: $(params.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(params.IMAGE_DIGEST) + volumeMounts: + - mountPath: /shared + name: shared + - mountPath: /var/workdir + name: workdir + steps: + - name: inspect-image + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + workingDir: /var/workdir/inspect-image + securityContext: + runAsUser: 0 + capabilities: + add: + - SETFCAP + script: | + #!/usr/bin/env bash + set -euo pipefail + # shellcheck source=/dev/null + source /utils.sh + trap 'handle_error "$(results.TEST_OUTPUT.path)"' EXIT + + IMAGE_INSPECT=image_inspect.json + BASE_IMAGE_INSPECT=base_image_inspect.json + RAW_IMAGE_INSPECT=raw_image_inspect.json + + IMAGE_URL="${IMAGE_URL}@${IMAGE_DIGEST}" + # Given a tag and a the digest in the IMAGE_URL we opt to use the digest alone + # this is because containers/image currently doesn't support image references + # that contain both. See https://github.com/containers/image/issues/1736 + if [[ "${IMAGE_URL}" == *":"*"@"* ]]; then + IMAGE_URL="${IMAGE_URL/:*@/@}" + fi + + status=-1 + max_run=5 + sleep_sec=10 + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec # skip last sleep + echo "Inspecting manifest for source image ${IMAGE_URL} (try $run/$max_run)." + skopeo inspect --no-tags docker://"${IMAGE_URL}" > $IMAGE_INSPECT && break || status=$? + done + if [ "$status" -ne 0 ]; then + echo "Failed to inspect image ${IMAGE_URL}" + note="Step inspect-image failed: Encountered errors while inspecting image. For details, check Tekton task log." 
+ TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 0 + fi + echo "Image ${IMAGE_URL} metadata:" + cat "$IMAGE_INSPECT" + + run=1 + while [ "$run" -le "$max_run" ]; do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec # skip last sleep + echo "Inspecting raw image manifest ${IMAGE_URL} (try $run/$max_run)." + skopeo inspect --no-tags --raw docker://"${IMAGE_URL}" > $RAW_IMAGE_INSPECT || status=$? + + if [ "$status" -eq 0 ] && [ "$(jq 'has("manifests")' ${RAW_IMAGE_INSPECT})" = "true" ]; then + echo "Found an image index, lookup for amd64 manifest" + INDEX_IMAGE_MANIFESTS=$(jq ' .manifests | map ( {(.platform.architecture|tostring|ascii_downcase): .digest} ) | add' "${RAW_IMAGE_INSPECT}" || true) + + AMD64_MANIFEST_DIGEST=$(jq -r '.amd64' <<< "${INDEX_IMAGE_MANIFESTS}" || true ) + if [ -z "$AMD64_MANIFEST_DIGEST" ]; then + # we didn't find amd64 platform, fail horribly as it's the required platform currently for all checks + echo "[ERROR] Could not find amd64 image manifest for image $IMAGE_URL" + note="Step inspect-image failed: Couldn't find amd64 image manifest" + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 0 + fi + + # Replace image URL with new digest + IMAGE_URL="${IMAGE_URL/[@:]*/@$AMD64_MANIFEST_DIGEST}" + echo "Setting AMD64 specific image: $IMAGE_URL" + run=1 # reset runs, we are looking another image; new image, new life + else + break + fi + done + + if [ "$status" -ne 0 ]; then + echo "Failed to get raw metadata of image ${IMAGE_URL}" + note="Step inspect-image failed: Encountered errors while inspecting image. For details, check Tekton task log." 
+ TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 0 + fi + + echo "Image ${IMAGE_URL} raw metadata:" + jq < "$RAW_IMAGE_INSPECT" # jq for readable formatting + + echo "Getting base image manifest for source image ${IMAGE_URL}." + BASE_IMAGE_NAME="$(jq -r ".annotations.\"org.opencontainers.image.base.name\"" $RAW_IMAGE_INSPECT)" + BASE_IMAGE_DIGEST="$(jq -r ".annotations.\"org.opencontainers.image.base.digest\"" $RAW_IMAGE_INSPECT)" + if [ "$BASE_IMAGE_NAME" == 'null' ]; then + echo "Cannot get base image info from annotations." + BASE_IMAGE_NAME="$(jq -r ".Labels.\"org.opencontainers.image.base.name\"" $IMAGE_INSPECT)" + BASE_IMAGE_DIGEST="$(jq -r ".annotations.\"org.opencontainers.image.base.digest\"" $IMAGE_INSPECT)" + if [ "$BASE_IMAGE_NAME" == 'null' ]; then + echo "Cannot get base image info from Labels. For details, check source image ${IMAGE_URL}." + exit 0 + fi + fi + if [ -z "$BASE_IMAGE_NAME" ]; then + echo "Source image ${IMAGE_URL} is built from scratch, so there is no base image." + exit 0 + fi + + BASE_IMAGE="${BASE_IMAGE_NAME%:*}@$BASE_IMAGE_DIGEST" + echo "Detected base image: $BASE_IMAGE" + echo -n "$BASE_IMAGE" > /shared/BASE_IMAGE + + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec # skip last sleep + echo "Inspecting base image ${BASE_IMAGE} (try $run/$max_run)." + skopeo inspect --no-tags "docker://$BASE_IMAGE" > $BASE_IMAGE_INSPECT && break || status=$? + done + if [ "$status" -ne 0 ]; then + echo "Failed to inspect base image ${BASE_IMAGE}" + note="Step inspect-image failed: Encountered errors while inspecting image. For details, check Tekton task log." 
+ TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 0 + fi + + BASE_IMAGE_REPOSITORY="$(jq -r '.Name | sub("[^/]+/"; "") | sub("[:@].*"; "")' "$BASE_IMAGE_INSPECT")" + echo "Detected base image repository: $BASE_IMAGE_REPOSITORY" + echo -n "$BASE_IMAGE_REPOSITORY" > /shared/BASE_IMAGE_REPOSITORY + + note="Step inspect-image completed: Check inspected JSON files under /var/workdir/inspect-image." + - name: extract-and-validate + image: quay.io/redhat-appstudio/konflux-test:v1.4.5@sha256:801a105ba0f9c7f58f5ba5cde1a3b4404009fbebb1028779ca2c5de211e94940 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + workingDir: /var/workdir/extract-and-validate + securityContext: + runAsUser: 0 + capabilities: + add: + - SETFCAP + computeResources: + limits: + memory: 4Gi + requests: + memory: 512Mi + cpu: 10m + script: | + #!/usr/bin/env bash + set -euo pipefail + source /utils.sh + trap 'handle_error "$(results.TEST_OUTPUT.path)"' EXIT + + BASE_IMAGE=$(cat /shared/BASE_IMAGE) + + declare -a ALLOWED_BASE_IMAGES=( + "registry.redhat.io/openshift4/ose-operator-registry" + "registry.redhat.io/openshift4/ose-operator-registry-rhel9" + "brew.registry.redhat.io/rh-osbs/openshift-ose-operator-registry-rhel9" + ) + + ### FBC base image check + if [ -z "${BASE_IMAGE}" ]; then + echo "Base image is unknown. The file-based catalog must have base image defined. Check inspect-image task log." + note="Step extract-and-validate failed: The file-based catalog must have base image defined. For details, check Tekton task result TEST_OUTPUT in task inspect-image." 
+ TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ exit 0
+ fi
+
+ IMAGE_WITHOUT_TAG=$(echo "${BASE_IMAGE}" | sed "s/:.*$//" | sed "s/@.*$//")
+
+ allowed=false
+ for value in "${ALLOWED_BASE_IMAGES[@]}"
+ do
+ if [[ "${IMAGE_WITHOUT_TAG}" == "${value}" ]]; then
+ allowed=true
+ break
+ fi
+ done
+
+ if [[ "${allowed}" == false ]]; then
+ echo "Base image ${BASE_IMAGE} is not allowed for the file based catalog image. Allowed images: ${ALLOWED_BASE_IMAGES}"
+ note="Step extract-and-validate failed: Base image ${BASE_IMAGE} is not allowed for the file based catalog image. For details, check Tekton task logs"
+ TEST_OUTPUT=$(make_result_json -r FAILURE -f 1 -t "$note")
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ exit 0
+ fi
+
+ ### Try to extract binaries with configs > check binaries functionality > check opm validate ###
+ if [ ! -s ../inspect-image/image_inspect.json ]; then
+ echo "File /var/workdir/inspect-image/image_inspect.json did not generate correctly. Check inspect-image task log."
+ note="Step extract-and-validate failed: /var/workdir/inspect-image/image_inspect.json did not generate correctly. For details, check Tekton task result TEST_OUTPUT in task inspect-image."
+ TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ exit 0
+ fi
+
+ if [ ! -s ../inspect-image/raw_image_inspect.json ]; then
+ echo "File /var/workdir/inspect-image/raw_image_inspect.json did not generate correctly. Check inspect-image task log."
+ note="Step extract-and-validate failed: /var/workdir/inspect-image/raw_image_inspect.json did not generate correctly. For details, check Tekton task result TEST_OUTPUT in task inspect-image."
+ TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ exit 0
+ fi
+
+ echo "Getting base image for source image ${IMAGE_URL}."
+ base_image_name="$(jq -r ".annotations.\"org.opencontainers.image.base.name\"" ../inspect-image/raw_image_inspect.json)" || status=$?
+ if [ "$base_image_name" == 'null' ]; then
+ echo "Could not get annotations from inspect-image/raw_image_inspect.json. Make sure file exists and it contains this annotation: org.opencontainers.image.base.name"
+ echo "Try to get base image from label..."
+ base_image_name="$(jq -r ".Labels.\"org.opencontainers.image.base.name\"" ../inspect-image/image_inspect.json)" || status=$?
+ if [ "$base_image_name" == 'null' ]; then
+ echo "Cannot get base image info from Labels. For details, check source image ../inspect-image/image_inspect.json."
+ TEST_OUTPUT="$(make_result_json -r ERROR)"
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ exit 0
+ fi
+ fi
+ if [ -z "$base_image_name" ]; then
+ echo "Source image ${IMAGE_URL} is built from scratch, so there is no base image."
+ TEST_OUTPUT="$(make_result_json -r ERROR)"
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ exit 0
+ fi
+
+ status=0
+ conffolder=$(jq -r '.Labels ."operators.operatorframework.io.index.configs.v1"' ../inspect-image/image_inspect.json) || status=$?
+ if [ $status -ne 0 ]; then
+ echo "Could not get labels from inspect-image/image_inspect.json. Make sure file exists and it contains this label: operators.operatorframework.io.index.configs.v1."
+ TEST_OUTPUT="$(make_result_json -r ERROR)"
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ exit 0
+ fi
+ mkdir -p /tmp/image-content confdir
+ pushd /tmp/image-content
+ image_with_digest="${IMAGE_URL}@${IMAGE_DIGEST}"
+
+ if ! oc image extract --registry-config ~/.docker/config.json "${image_with_digest}" ; then
+ echo "Unable to extract or validate extracted binaries."
+ note="Step extract-and-validate failed: Failed to extract image with oc extract command, so it cannot validate extracted binaries. For details, check Tekton task log."
+ ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note")
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ popd
+ exit 0
+ fi
+
+ if [ -z "$(ls -A .$conffolder)" ]; then
+ echo "$conffolder is missing catalog file."
+ TEST_OUTPUT="$(make_result_json -r ERROR)"
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ popd
+ exit 0
+ fi
+
+ EXTRACT_DIR="/extracted_base_img"
+ mkdir "${EXTRACT_DIR}"
+ if ! oc image extract ${BASE_IMAGE} --path /:"${EXTRACT_DIR}"; then
+ echo "Unable to extract opm binary"
+ note="Step extract-and-validate failed: Failed to extract base image with oc extract command, so it cannot validate extracted binaries. For details, check Tekton task log."
+ ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note")
+ exit 0
+ fi
+
+ OPM_BINARIES="$(find "${EXTRACT_DIR}" -type f -name opm)"
+ BINARIES_COUNT=$(wc -l <<< "${OPM_BINARIES}")
+ if [[ $BINARIES_COUNT -ne "1" ]]; then
+ note="Step extract-and-validate failed: Expected exactly one opm binary in base image. For details, check Tekton task log"
+ ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note")
+ echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ echo "found $BINARIES_COUNT opm binaries:"
+ echo "${OPM_BINARIES}"
+ exit 0
+ fi
+ OPM_BINARY=$(echo "${OPM_BINARIES}" | head -n 1)
+ echo "OPM_BINARY: '${OPM_BINARY}'"
+ chmod 775 "$OPM_BINARY"
+
+ # We have 9 total checks
+ check_num=9
+ failure_num=0
+ TESTPASSED=true
+
+ if [[ ! $(find . -name "grpc_health_probe") ]]; then
+ echo "!FAILURE! - grpc_health_probe binary presence check failed."
+ failure_num=$((failure_num + 1))
+ TESTPASSED=false
+ fi
+
+ if ! ${OPM_BINARY} validate ."${conffolder}"; then
+ echo "!FAILURE! - opm validate check failed."
+ failure_num=$((failure_num + 1))
+ TESTPASSED=false
+ fi
+
+ OPM_RENDERED_CATALOG=/tmp/catalog.json
+ ${OPM_BINARY} render ."${conffolder}" > ${OPM_RENDERED_CATALOG}
+ if [ ! -f ${OPM_RENDERED_CATALOG} ]; then
+ echo "!FAILURE! - unable to render the fragment FBC."
+ failure_num=$((failure_num + 1))
+ TESTPASSED=false
+ fi
+
+ if jq -en 'reduce (inputs | select(.schema == "olm.package")) as $obj (0; .+1) < 1' ${OPM_RENDERED_CATALOG}; then
+ echo "!FAILURE! - There are no olm package entries defined in this FBC fragment."
+ failure_num=$((failure_num + 1))
+ TESTPASSED=false
+ fi
+
+ # examines the base_image_name tag to derive the target OCP version
+ # assumes this is in the form
+ # image-path:[v]major-digits.minor-digits[@sha...]
+ OCP_VER_FROM_BASE=$(echo "${base_image_name}" | sed -e "s/@.*$//" -e "s/^.*://") # strips hash first due to greedy match
+ # extracts major digits and filters out any leading alphabetic characters, for e.g. 'v4' --> '4'
+ OCP_VER_MAJOR=$(echo "${OCP_VER_FROM_BASE}" | cut -d '.' -f 1 | sed "s/^[a-zA-Z]*//")
+ OCP_VER_MINOR=$(echo "${OCP_VER_FROM_BASE}" | cut -d '.' -f 2)
+
+ RUN_OCP_VERSION_VALIDATION="false"
+ digits_regex='^[0-9]*$'
+ if [[ ${OCP_VER_MAJOR} =~ $digits_regex ]] && [[ ${OCP_VER_MINOR} =~ $digits_regex ]] ; then
+ RUN_OCP_VERSION_VALIDATION="true"
+ fi
+
+ if [ "${RUN_OCP_VERSION_VALIDATION}" == "false" ] ; then
+ echo "!WARNING! - unable to assess bundle metadata alignment with OCP version because we cannot extract version info from base_image_name: ${base_image_name}"
+ else
+ OCP_BUNDLE_METADATA_THRESHOLD_MAJOR=4
+ OCP_BUNDLE_METADATA_THRESHOLD_MINOR=17
+ OCP_BUNDLE_METADATA_FORMAT="olm.bundle.object"
+
+ if [[ "${OCP_VER_MAJOR}" -ge "${OCP_BUNDLE_METADATA_THRESHOLD_MAJOR}" ]] && [[ "${OCP_VER_MINOR}" -ge "${OCP_BUNDLE_METADATA_THRESHOLD_MINOR}" ]]; then
+ OCP_BUNDLE_METADATA_FORMAT="olm.csv.metadata"
+ fi
+
+ # enforce the presence of either olm.csv.metadata or olm.bundle.object based on OCP version
+ if [[ "${OCP_BUNDLE_METADATA_FORMAT}" = "olm.csv.metadata" ]]; then
+ if ! jq -en 'reduce( inputs | select(.schema == "olm.bundle" and .properties[].type == "olm.bundle.object")) as $_ (0;.+1) == 0' ${OPM_RENDERED_CATALOG}; then
+ echo "!FAILURE! - olm.bundle.object bundle properties are not permitted in a FBC fragment for OCP version ${OCP_VER_MAJOR}.${OCP_VER_MINOR}. Fragments must move to olm.csv.metadata bundle metadata."
+ failure_num=$((failure_num + 1))
+ TESTPASSED=false
+ fi
+ else
+ if ! jq -en 'reduce( inputs | select(.schema == "olm.bundle" and .properties[].type == "olm.csv.metadata")) as $_ (0;.+1) == 0' ${OPM_RENDERED_CATALOG}; then
+ echo "!FAILURE! - olm.csv.metadata bundle properties are not permitted in a FBC fragment for OCP version ${OCP_VER_MAJOR}.${OCP_VER_MINOR}. Fragments must only use olm.bundle.object bundle metadata."
+ failure_num=$((failure_num + 1))
+ TESTPASSED=false
+ fi
+ fi
+
+ # enforce that each bundle has the OCP-version-appropriate bundle metadata.
+ BUNDLE_COUNT=$(jq -en 'def count(stream): reduce stream as $i (0; .+1); count(inputs|select(.schema=="olm.bundle"))' ${OPM_RENDERED_CATALOG})
+ BUNDLE_BO_COUNT=$(jq -en 'def count(stream): reduce stream as $i (0; .+1); count(inputs|select(.schema == "olm.bundle" and .properties[].type == "olm.bundle.object"))' ${OPM_RENDERED_CATALOG})
+ BUNDLE_CM_COUNT=$(jq -en 'def count(stream): reduce stream as $i (0; .+1); count(inputs|select(.schema == "olm.bundle" and .properties[].type == "olm.csv.metadata"))' ${OPM_RENDERED_CATALOG})
+
+ if [[ "${OCP_BUNDLE_METADATA_FORMAT}" = "olm.csv.metadata" ]]; then
+ if [[ "${BUNDLE_COUNT}" -ne "${BUNDLE_CM_COUNT}" ]]; then
+ echo "!FAILURE! - every olm.bundle object in the fragment must have a corresponding olm.csv.metadata bundle property"
+ failure_num=$((failure_num + 1))
+ TESTPASSED=false
+ fi
+ else
+ if [[ "${BUNDLE_BO_COUNT}" -lt "${BUNDLE_COUNT}" ]]; then
+ echo "!FAILURE! - every olm.bundle object in the fragment must have at least one olm.bundle.object bundle property"
+ failure_num=$((failure_num + 1))
+ TESTPASSED=false
+ fi
+ fi
+ fi
+
+ FAILEDIMAGES=""
+ catalog="$(opm render ".$conffolder/")"
+
+ # OPM generates catalog file in a way that yaml file could contain stream of JSON objects
+ # thats why we need jq in for this situation, because yq can't parse this file
+ # however there is also possibility that catalog.yaml has yaml data in it
+
+ status=0
+ echo "Related images detected:"
+ # We need to see if the images exist first then we can slurp them to format properly
+ jq '.relatedImages[]? | .image ' <<< "${catalog}" || status=$?
+ if [ $status -ne 0 ]; then
+ echo "!FAILURE! - Could not get related images. Make sure catalog.yaml exists in FBC fragment image and it is valid .yaml or .json format."
+ note="Task $(context.task.name) failed: Could not fetch related images. Make sure you have catalog.yaml or catalog.json formatted correctly in your file-based catalog (FBC) fragment image."
+ failure_num=$((failure_num + 1))
+ TESTPASSED=false
+ else
+ jq '.relatedImages[]? | .image ' <<< "${catalog}" | jq --slurp > /shared/related-images.json
+ fi
+
+ echo -e "These are related images:\n$(jq -cr '.[]' /shared/related-images.json )."
+ # cycle through those related images and show outputs
+ jq -cr '.[]' /shared/related-images.json | while read -r image; do
+ if ! skopeo inspect --no-tags "docker://${image}"; then
+ echo "Skopeo inspect failed on related image: $image."
+ FAILEDIMAGES="$FAILEDIMAGES $image,"
+ fi
+ done
+
+ if [ -n "$FAILEDIMAGES" ]; then
+ echo "These images failed inspection: $FAILEDIMAGES."
+ note="Task $(context.task.name) failed: Command skopeo inspect could not inspect images. For details, check Tekton task log."
+ failure_num=$((failure_num + 1))
+ TESTPASSED=false
+ fi
+
+ note="Step extract-and-validate completed: Check result for task result."
+ if [ $TESTPASSED == false ]; then
+ ERROR_OUTPUT=$(make_result_json -r FAILURE -f $failure_num -s $((check_num - failure_num)) -t "$note")
+ echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ else
+ TEST_OUTPUT=$(make_result_json -r SUCCESS -s $check_num -t "$note")
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ fi
+ popd
+ - name: save-related-images
+ image: quay.io/konflux-ci/oras:latest@sha256:66ccc8c3698304036a42739f6e1836f3399a46645be2d3c5d6d456b9c79fff40
+ script: |
+ #!/usr/bin/env bash
+ set -euo pipefail
+ attach-helper --subject "${IMAGE_URL}@${IMAGE_DIGEST}" --media-type-name "related-images+json" --digestfile "$(results.RELATED_IMAGES_DIGEST.path)" \
+ /shared/related-images.json
diff --git a/task/validate-fbc/OWNERS b/task/validate-fbc/OWNERS
new file mode 100644
index 0000000000..06c39544a4
--- /dev/null
+++ b/task/validate-fbc/OWNERS
@@ -0,0 +1,6 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+approvers:
+ - integration-team
+reviewers:
+ - integration-team
+