

test(end-to-end): provide CVE information for the tests to consume (#330)

Signed-off-by: Andrei Aaron <[email protected]>
andaaron authored Apr 12, 2023
1 parent f9cafd0 commit 63ff8da
Showing 3 changed files with 61 additions and 6 deletions.
7 changes: 7 additions & 0 deletions .github/workflows/end-to-end-test.yml
Expand Up @@ -61,6 +61,13 @@ jobs:
sudo mv cosign /usr/local/bin/cosign
which cosign
cosign version
pushd $(mktemp -d)
curl -L https://github.com/aquasecurity/trivy/releases/download/v0.38.3/trivy_0.38.3_Linux-64bit.tar.gz -o trivy.tar.gz
tar -xzvf trivy.tar.gz
sudo mv trivy /usr/local/bin/trivy
popd
which trivy
trivy version
cd $GITHUB_WORKSPACE
- name: Install go
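Review bot: The trivy archive fetched by the new `curl` line is extracted and moved into /usr/local/bin with sudo without any integrity check, so the job installs whatever that URL returns; the release is pinned to v0.38.3 but not to its checksum. Verifying the published sha256 before the `tar -xzvf` line closes that gap: `echo "<TRIVY_0.38.3_SHA256>  trivy.tar.gz" | sha256sum -c -`, with the placeholder replaced by the value from the release's checksums file. Adding `-f` to the download (`curl -fL ...`) also makes an HTTP error fail the step instead of handing tar an error page. The enclosing step begins above the hunk.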
35 changes: 33 additions & 2 deletions tests/scripts/load_test_data.py
Expand Up @@ -85,10 +85,41 @@ def pull_modify_push_image(logger, registry, image_name, tag, cosign_password,

with open(metafile) as f:
image_metadata = json.load(f)
image_metadata[image_name][tag]["multiarch"] = multiarch
logger.debug("raw image metadata")
logger.debug(image_metadata)
image_metadata["multiarch"] = multiarch
image_metadata["cves"] = getCVEInfo(image_metadata.pop("trivy"))

logger.debug("processed image metadata")
logger.debug(image_metadata)
return image_metadata

def getCVEInfo(trivy_results):
cve_dict = {}

for result in trivy_results:
for vulnerability in result.get("Vulnerabilities", []):
cve_id = vulnerability["VulnerabilityID"]

package = {
"PackageName": vulnerability.get("PkgName"),
"InstalledVersion": vulnerability.get("InstalledVersion"),
"FixedVersion": vulnerability.get("FixedVersion", "Not Specified")
}

if cve_dict.get(cve_id):
cve_dict[cve_id]["PackageList"].append(package)
else:
cve_dict[cve_id] = {
"ID": cve_id,
"Title": vulnerability.get("Title"),
"Description": vulnerability.get("Description"),
"Severity": vulnerability.get("Severity"),
"PackageList": [package]
}

return cve_dict

def main():
args = parse_args()

Expand Down Expand Up @@ -137,7 +168,7 @@ def main():
image_metadata = pull_modify_push_image(logger, registry, image_name, tag, cosign_password, multiarch, username, password, debug, data_dir)

metadata.setdefault(image_name, {})
metadata[image_name][tag] = image_metadata[image_name][tag]
metadata[image_name][tag] = image_metadata

with open(metadata_file, "w") as f:
json.dump(metadata, f, indent=2)
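Review bot: `getCVEInfo` at the top of the hunk has no docstring and breaks the snake_case convention of its neighbours (`pull_modify_push_image`, `parse_args`), and a helper that reshapes scanner output for every test deserves one line stating what it produces. Suggest `def get_cve_info(trivy_results):` with the docstring `"""Index Trivy Results by VulnerabilityID: one entry per CVE holding its Title, Description, Severity and the list of affected packages."""`, and `if cve_id in cve_dict:` instead of the truthiness test on `cve_dict.get(cve_id)`. The same package can be appended to `PackageList` more than once when it appears in several entries of `trivy_results`; if the tests compare that list, consider deduplicating it. In `pull_modify_push_image`, `image_metadata.pop("trivy")` raises KeyError when the shell side writes a metafile without that key, which is probably intended but worth a comment; that function starts above the hunk.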
25 changes: 21 additions & 4 deletions tests/scripts/pull_update_push_image.sh
Expand Up @@ -125,6 +125,11 @@ function verify_prerequisites {
return 1
fi

if [ ! command -v trivy ] &>/dev/null; then
echo "you need to install trivy as a prerequisite" >&3
return 1
fi

if [ ! command -v jq ] &>/dev/null; then
echo "you need to install jq as a prerequisite" >&3
return 1
Expand Down Expand Up @@ -160,6 +165,7 @@ doc=$(cat ${docker_docs_dir}/${image}/content.md)

local_image_ref_skopeo=oci:${images_dir}:${image}-${tag}
local_image_ref_regtl=ocidir://${images_dir}:${image}-${tag}
local_image_ref_trivy=${images_dir}:${image}-${tag}
remote_src_image_ref=docker://${image}:${tag}
remote_dest_image_ref=${registry}/${image}:${tag}

Expand Down Expand Up @@ -209,21 +215,32 @@ if [ $? -ne 0 ]; then
exit 1
fi

trivy_out_file=trivy-${image}-${tag}.json
if [ ! -z "${multiarch}" ]; then
trivy image --scanners vuln --format json --input ${local_image_ref_trivy} -o ${trivy_out_file}
jq -n --argfile trivy_file ${trivy_out_file} '.trivy=$trivy_file.Results' > ${trivy_out_file}.tmp
mv ${trivy_out_file}.tmp ${trivy_out_file}
else
echo '{"trivy":[]}' > ${trivy_out_file}
fi

# Sign new updated image
COSIGN_PASSWORD=${cosign_password} cosign sign ${remote_dest_image_ref} --key ${cosign_key_path} --allow-insecure-registry
if [ $? -ne 0 ]; then
exit 1
fi

details=$(jq -n \
details_file=details-${image}-${tag}.json

jq -n \
--arg org.opencontainers.image.title "${image}" \
--arg org.opencontainers.image.description " $description" \
--arg org.opencontainers.image.url "${repo}" \
--arg org.opencontainers.image.source "${repo}" \
--arg org.opencontainers.image.licenses "${license}" \
--arg org.opencontainers.image.vendor "${vendor}" \
--arg org.opencontainers.image.documentation "${description}" \
'$ARGS.named'
)
'$ARGS.named' > ${details_file}

jq -n --arg image "${image}" --arg tag "${tag}" --argjson details "${details}" '.[$image][$tag]=$details' > ${metafile}
jq -c -s add ${details_file} ${trivy_out_file} > ${metafile}
rm ${details_file} ${trivy_out_file}
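Review bot: The new prerequisite line `if [ ! command -v trivy ] &>/dev/null; then` hands the words `command -v trivy` to the `[` builtin instead of running the command, and the `&>/dev/null` hides its complaint, so a missing trivy is not reliably detected; the working form is `if ! command -v trivy &>/dev/null; then` (the existing jq check below it has the same shape but is outside this change, and `verify_prerequisites` starts above the hunk). In the third hunk the `trivy image ... -o ${trivy_out_file}` call is the only step without the file's usual exit-status guard, so a failed scan leaves no output, the `jq --argfile` line fails, and the `mv` installs an empty file whose missing `trivy` key load_test_data.py will then reject. Add `if [ $? -ne 0 ]; then exit 1; fi` directly after the trivy call, matching the checks around `cosign sign`.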

