diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index df3b460a4a..333ba10778 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -219,6 +219,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---|---| |ARGS| Append arguments.| | | |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IGNORE| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | | |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | |KFP_GIT_URL| URL from repository to download known false positives files| | | |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index 2b2d81c0ff..6d3e869142 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md 
@@ -216,6 +216,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---|---| |ARGS| Append arguments.| | | |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IGNORE| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | | |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | |KFP_GIT_URL| URL from repository to download known false positives files| | | |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 6a115b6691..ee48bad0bd 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -191,6 +191,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|default value|already set by| |---|---|---|---| |ARGS| Append arguments.| | | +|IGNORE| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | | |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | |KFP_GIT_URL| URL from repository to download known false positives files| | | |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | diff --git a/pipelines/maven-zip-build-oci-ta/README.md b/pipelines/maven-zip-build-oci-ta/README.md index bfd837141c..f532ef30bb 100644 --- a/pipelines/maven-zip-build-oci-ta/README.md +++ b/pipelines/maven-zip-build-oci-ta/README.md 
@@ -121,6 +121,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---|---| |ARGS| Append arguments.| | | |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IGNORE| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | | |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | |KFP_GIT_URL| URL from repository to download known false positives files| | | |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | diff --git a/pipelines/maven-zip-build/README.md b/pipelines/maven-zip-build/README.md index 403387103a..eb4206aba3 100644 --- a/pipelines/maven-zip-build/README.md +++ b/pipelines/maven-zip-build/README.md @@ -98,6 +98,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|default value|already set by| |---|---|---|---| |ARGS| Append arguments.| | | +|IGNORE| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | | |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | |KFP_GIT_URL| URL from repository to download known false positives files| | | |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | diff --git a/task/sast-snyk-check-oci-ta/0.3/README.md b/task/sast-snyk-check-oci-ta/0.3/README.md index a712c980cb..f414852f01 100644 --- a/task/sast-snyk-check-oci-ta/0.3/README.md +++ b/task/sast-snyk-check-oci-ta/0.3/README.md 
@@ -13,6 +13,7 @@ See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information |---|---|---|---| |ARGS|Append arguments.|""|false| |CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| +|IGNORE|Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.|""|false| |IMP_FINDINGS_ONLY|Report only important findings. Default is true. To report all findings, specify "false"|true|false| |KFP_GIT_URL|URL from repository to download known false positives files|""|false| |PROJECT_NAME|Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.|""|false| diff --git a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml index 07327d43a0..917cba1e0a 100644 --- a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml +++ b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml @@ -27,6 +27,11 @@ spec: the prefetched dependencies. type: string default: "" + - name: IGNORE + description: Directories or files to be excluded from Snyk scan (Comma-separated). + Useful to split the directories of a git repo across multiple components. + type: string + default: "" - name: IMP_FINDINGS_ONLY description: Report only important findings. Default is true. To report all findings, specify "false" @@ -109,6 +114,8 @@ spec: value: $(params.SNYK_SECRET) - name: ARGS value: $(params.ARGS) + - name: IGNORE + value: $(params.IGNORE) - name: IMP_FINDINGS_ONLY value: $(params.IMP_FINDINGS_ONLY) - name: KFP_GIT_URL @@ -130,7 +137,7 @@ spec: trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT if [[ -z "${PROJECT_NAME}" ]]; then - PROJECT_NAME=${COMPONENT_LABEL} + PROJECT_NAME=${COMPONENT_LABEL} fi echo "The PROJECT_NAME used is: ${PROJECT_NAME}" 
@@ -157,13 +164,25 @@ spec: echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" exit 0 fi - SNYK_EXIT_CODE=0 SOURCE_CODE_DIR=/var/workdir SEVERITY_THRESHOLD="high" if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then SEVERITY_THRESHOLD="low" fi + + # We ignore files using snyk ignore if the user set up the IGNORE variable + if [[ -n "${IGNORE}" ]]; then + paths='(${IGNORE//,/ })' # Split by comma into an array + command="" + for path in "${paths[@]}"; do + command+="snyk ignore --file-path=source/$path && " + done + command="${command% && }" + # The .snyk ignore file needs to be created in the root folder of the source code + (cd "${SOURCE_CODE_DIR}" && eval "$command") + fi + set +e # We do want to expand ARGS (it can be multiple CLI flags, not just one) # shellcheck disable=SC2086 @@ -176,8 +195,8 @@ spec: if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1 ]]; then # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context - (cd "${SOURCE_CODE_DIR}" && csgrep --mode=json --embed-context=3 "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json) | - csgrep --mode=json --strip-path-prefix="source/" \ + (cd "${SOURCE_CODE_DIR}" && csgrep --mode=json --embed-context=3 "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json) | + csgrep --mode=json --strip-path-prefix="source/" \ >sast_snyk_check_out_all_findings.json echo "Results:" 
@@ -226,17 +245,17 @@ spec: coverage_ratio=0 if ((total_files > 0)); then - coverage_ratio=$((supported_files * 100 / total_files)) + coverage_ratio=$((supported_files * 100 / total_files)) fi # embed stats in results file and convert to SARIF csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:"${coverage_ratio}" \ - --set-scan-prop snyk-scanned-files-success:"${supported_files}" \ - --set-scan-prop snyk-scanned-files-total:"${total_files}" \ - filtered_sast_snyk_check_out.json >sast_snyk_check_out.sarif + --set-scan-prop snyk-scanned-files-success:"${supported_files}" \ + --set-scan-prop snyk-scanned-files-total:"${total_files}" \ + filtered_sast_snyk_check_out.json >sast_snyk_check_out.sarif TEST_OUTPUT= - parse_test_output "$(context.task.name)" sarif sast_snyk_check_out.sarif || true + parse_test_output "$(context.task.name)" sarif sast_snyk_check_out.sarif || true # When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can also be 3 in some other situation elif [[ "$test_not_skipped" -eq 0 ]]; then 
@@ -265,17 +284,17 @@ spec: UPLOAD_FILES="sast_snyk_check_out.sarif excluded-findings.json" for UPLOAD_FILE in ${UPLOAD_FILES}; do - if [ ! -f "${UPLOAD_FILE}" ]; then - echo "No ${UPLOAD_FILE} exists. Skipping upload." - continue + if [ ! -f "${UPLOAD_FILE}" ]; then + echo "No ${UPLOAD_FILE} exists. Skipping upload." + continue fi - if [ "${UPLOAD_FILES}" == "excluded-findings.json" ]; then - MEDIA_TYPE=application/json + if [ "${UPLOAD_FILES}" == "excluded-findings.json" ]; then + MEDIA_TYPE=application/json else - MEDIA_TYPE=application/sarif+json + MEDIA_TYPE=application/sarif+json fi - echo "Selecting auth" - select-oci-auth "${IMAGE_URL}" >"${HOME}/auth.json" - echo "Attaching to ${IMAGE_URL}" - oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + echo "Selecting auth" + select-oci-auth "${IMAGE_URL}" >"${HOME}/auth.json" + echo "Attaching to ${IMAGE_URL}" + oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" done diff --git a/task/sast-snyk-check/0.3/README.md b/task/sast-snyk-check/0.3/README.md index 2cfff803f0..61c32a93d5 100644 --- a/task/sast-snyk-check/0.3/README.md +++ b/task/sast-snyk-check/0.3/README.md 
@@ -10,14 +10,15 @@ Snyk's SAST tool uses a combination of static analysis and machine learning tech ## Params: -| name | description | default value | required | -|-----------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|----------| -| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | true | -| ARGS | Append arguments. | "" | false | -| IMP_FINDINGS_ONLY | Report only important findings. To report all findings, specify "false" | true | true | -| KFP_GIT_URL | Link to the known-false-positives repository. If left blank, results won't be filtered | "" | false | -| PROJECT_NAME | Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used. | ${metadata.labels['appstudio.openshift.io/component']} | false | -| RECORD_EXCLUDED | Write excluded records in file. Useful for auditing. | false | false | +| name | description | default value | required | +|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------| +| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | true | +| ARGS | Append arguments. | "" | false | +| IGNORE | Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components. | "" | false | +| IMP_FINDINGS_ONLY | Report only important findings. To report all findings, specify "false" | true | true | +| KFP_GIT_URL | Link to the known-false-positives repository. If left blank, results won't be filtered | "" | false | +| PROJECT_NAME | Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used. | "" | false | +| RECORD_EXCLUDED | Write excluded records in file. 
Useful for auditing. | false | false | ## How to obtain a snyk-token and enable snyk task on the pipeline: diff --git a/task/sast-snyk-check/0.3/sast-snyk-check.yaml b/task/sast-snyk-check/0.3/sast-snyk-check.yaml index 93e188564b..3d5bf5daaa 100644 --- a/task/sast-snyk-check/0.3/sast-snyk-check.yaml +++ b/task/sast-snyk-check/0.3/sast-snyk-check.yaml @@ -57,6 +57,10 @@ spec: type: string description: Write excluded records in file. Useful for auditing (defaults to false). default: "false" + - name: IGNORE + type: string + description: Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components. + default: "" volumes: - name: snyk-secret secret: @@ -87,6 +91,8 @@ spec: value: $(params.SNYK_SECRET) - name: ARGS value: $(params.ARGS) + - name: IGNORE + value: $(params.IGNORE) - name: IMP_FINDINGS_ONLY value: $(params.IMP_FINDINGS_ONLY) - name: KFP_GIT_URL @@ -135,13 +141,25 @@ spec: echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" exit 0 fi - SNYK_EXIT_CODE=0 SOURCE_CODE_DIR=$(workspaces.workspace.path) SEVERITY_THRESHOLD="high" if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then SEVERITY_THRESHOLD="low" fi + + # We ignore files using snyk ignore if the user set up the IGNORE variable + if [[ -n "${IGNORE}" ]]; then + paths='(${IGNORE//,/ })' # Split by comma into an array + command="" + for path in "${paths[@]}"; do + command+="snyk ignore --file-path=source/$path && " + done + command="${command% && }" + # The .snyk ignore file needs to be created in the root folder of the source code + (cd "${SOURCE_CODE_DIR}" && eval "$command") + fi + set +e # We do want to expand ARGS (it can be multiple CLI flags, not just one) # shellcheck disable=SC2086
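Review bot: The new `IGNORE` row added to the five pipeline README tables (docker-build-multi-platform-oci-ta, docker-build-oci-ta, docker-build, maven-zip-build-oci-ta, maven-zip-build) does not say what form each comma-separated entry takes. The task script builds `--file-path=source/$path` from each entry, so entries must be paths relative to the repository root without a leading `source/`; the description should say so, and should say whether a directory entry is honored as written or needs a glob suffix, because `snyk ignore --file-path` is given the entry verbatim. A one-line example in the description would settle both, e.g. `IGNORE: "frontend,docs/generated"`.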
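Review bot: In the `@@ -157,13 +164,25 @@` hunk of sast-snyk-check-oci-ta.yaml, `paths='(${IGNORE//,/ })'` is a single-quoted string, not an array, so `"${paths[@]}"` expands to the literal text `(${IGNORE//,/ })` and the `eval` then trips over the unquoted `(`; the feature cannot work as written. The `eval` is also unnecessary and turns any shell metacharacter in the parameter value into a command boundary. Replace the string building with a plain loop over a properly split array:
    IFS=',' read -r -a paths <<< "${IGNORE}"
    for path in "${paths[@]}"; do
      (cd "${SOURCE_CODE_DIR}" && snyk ignore --file-path="source/${path}")
    done
Under the task's `set -e` and the `handle_error` trap, a failing `snyk ignore` will still abort the task, which is the right behaviour for a policy that was requested but could not be applied.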
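Review bot: The `@@ -130,7 +137,7 @@`, `@@ -176,8 +195,8 @@` and `@@ -226,17 +245,17 @@` hunks of sast-snyk-check-oci-ta.yaml change only indentation inside the `script` block scalar. That is fine to land, but it belongs in a separate commit so the `IGNORE` change stays reviewable, and the re-indented `csgrep` continuation lines (`--set-scan-prop ...` and `filtered_sast_snyk_check_out.json >sast_snyk_check_out.sarif`) need a check that they still sit at or beyond the block scalar's indentation, since a dedent below that level would end the script early.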
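Review bot: In the `@@ -265,17 +284,17 @@` hunk of sast-snyk-check-oci-ta.yaml the re-indented line `if [ "${UPLOAD_FILES}" == "excluded-findings.json" ]; then` compares the whole list variable (`"sast_snyk_check_out.sarif excluded-findings.json"`) with one file name, so the condition is never true and `excluded-findings.json` is always attached as `application/sarif+json`. Since the line is being touched anyway, change it to test the loop variable: `if [ "${UPLOAD_FILE}" == "excluded-findings.json" ]; then`.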
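Review bot: The regenerated table in the `@@ -10,14 +10,15 @@` hunk of task/sast-snyk-check/0.3/README.md changes the `PROJECT_NAME` default from `${metadata.labels['appstudio.openshift.io/component']}` to `""`, which is unrelated to `IGNORE` and should be called out in the PR description. The row is still consistent with the script, which falls back to `${COMPONENT_LABEL}` when `PROJECT_NAME` is empty, so the "By default, the Konflux component name will be used" sentence remains accurate. While the table is being rewritten, `IMP_FINDINGS_ONLY` is marked `required: true` although it carries the default `true`; either drop the default or mark it not required.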
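Review bot: The `@@ -135,13 +141,25 @@` hunk of sast-snyk-check.yaml carries the same `paths='(${IGNORE//,/ })'` string-instead-of-array defect and the same `eval` as the oci-ta copy; both copies need the identical fix (`IFS=',' read -r -a paths <<< "${IGNORE}"` and a direct `snyk ignore --file-path="source/${path}"` call per entry). Beyond the fix, the exclusion is applied silently: `snyk ignore` writes `.snyk` and nothing in the task log or the attached results records which paths were removed from the scan. Echo each ignored path before calling `snyk ignore`, and consider adding the generated `.snyk` to the `UPLOAD_FILES` list so the exclusion is auditable alongside `excluded-findings.json`, in the spirit of the existing `RECORD_EXCLUDED` option.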