Add options for vulnerability scanning

- Add vulnerability scanning options in build and buildrun types in v1alpha1 and v1beta1 - Changes for conversion to v1beta1
shipwright-io · Feb 7, 2024 · aa5adf5 · aa5adf5
1 parent bb255d0
commit aa5adf5
Show file tree

Hide file tree

Showing 10 changed files with 711 additions and 3 deletions.
diff --git a/deploy/crds/shipwright.io_buildruns.yaml b/deploy/crds/shipwright.io_buildruns.yaml
diff --git a/deploy/crds/shipwright.io_builds.yaml b/deploy/crds/shipwright.io_builds.yaml
@@ -100,6 +100,38 @@ spec:
                     description: Labels references the additional labels to be applied
                       on the image
                     type: object
+                  vulnerabilityScan:
+                    description: VulnerabilityScan references the options for vulnerability
+                      scanning
+                    properties:
+                      enabled:
+                        description: Enabled indicates whether to run vulnerability
+                          scan for image
+                        type: boolean
+                      fail:
+                        description: FailPush indicates whether to push the image
+                          if the vulnerability scan fails
+                        type: boolean
+                      ignore:
+                        description: IgnoreOptions refers to ignore options for vulnerability
+                          scan
+                        properties:
+                          issues:
+                            description: Issues references the security issues to
+                              be ignored in vulnerability scan
+                            items:
+                              type: string
+                            type: array
+                          severity:
+                            description: Severity indicates the severities of security
+                              issues to be ignored (comma separated)
+                            type: string
+                          unfixed:
+                            description: IgnoreUnfixed indicates flag to display only
+                              fixed vulnerabilities
+                            type: boolean
+                        type: object
+                    type: object
                 required:
                 - image
                 type: object
@@ -252,6 +284,38 @@ spec:
                     description: Labels references the additional labels to be applied
                       on the image
                     type: object
+                  vulnerabilityScan:
+                    description: VulnerabilityScan references the options for vulnerability
+                      scanning
+                    properties:
+                      enabled:
+                        description: Enabled indicates whether to run vulnerability
+                          scan for image
+                        type: boolean
+                      fail:
+                        description: FailPush indicates whether to push the image
+                          if the vulnerability scan fails
+                        type: boolean
+                      ignore:
+                        description: IgnoreOptions refers to ignore options for vulnerability
+                          scan
+                        properties:
+                          issues:
+                            description: Issues references the security issues to
+                              be ignored in vulnerability scan
+                            items:
+                              type: string
+                            type: array
+                          severity:
+                            description: Severity indicates the severities of security
+                              issues to be ignored (comma separated)
+                            type: string
+                          unfixed:
+                            description: IgnoreUnfixed indicates flag to display only
+                              fixed vulnerabilities
+                            type: boolean
+                        type: object
+                    type: object
                 required:
                 - image
                 type: object
@@ -2324,6 +2388,38 @@ spec:
                     description: Describes the secret name for pushing a container
                       image.
                     type: string
+                  vulnerabilityScan:
+                    description: VulnerabilityScan references the options for vulnerability
+                      scanning
+                    properties:
+                      enabled:
+                        description: Enabled indicates whether to run vulnerability
+                          scan for image
+                        type: boolean
+                      fail:
+                        description: FailPush indicates whether to push the image
+                          if the vulnerability scan fails
+                        type: boolean
+                      ignore:
+                        description: IgnoreOptions refers to ignore options for vulnerability
+                          scan
+                        properties:
+                          issues:
+                            description: Issues references the security issues to
+                              be ignored in vulnerability scan
+                            items:
+                              type: string
+                            type: array
+                          severity:
+                            description: Severity indicates the severities of security
+                              issues to be ignored (comma separated)
+                            type: string
+                          unfixed:
+                            description: IgnoreUnfixed indicates flag to display only
+                              fixed vulnerabilities
+                            type: boolean
+                        type: object
+                    type: object
                 required:
                 - image
                 type: object

diff --git a/pkg/apis/build/v1alpha1/build_types.go b/pkg/apis/build/v1alpha1/build_types.go
@@ -5,6 +5,9 @@
 package v1alpha1
 
 import (
+	"encoding/json"
+
+	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -208,6 +211,50 @@ func (buildSpec *BuildSpec) StrategyName() string {
 	return buildSpec.Strategy.Name
 }
 
+// VulnerabilityIgnoreOptions refers to ignore options for vulnerability scan
+type VulnerabilityIgnoreOptions struct {
+
+	// Issues references the security issues to be ignored in vulnerability scan
+	Issues []string `json:"issues,omitempty"`
+
+	// Severity indicates the severities of security issues to be ignored (comma separated)
+	Severity string `json:"severity,omitempty"`
+
+	// IgnoreUnfixed indicates flag to display only fixed vulnerabilities
+	Unfixed bool `json:"unfixed,omitempty"`
+}
+
+// VulnerabilityScanOptions references the options for vulnerability scanning
+type VulnerabilityScanOptions struct {
+
+	// Enabled indicates whether to run vulnerability scan for image
+	Enabled bool `json:"enabled,omitempty"`
+
+	// FailPush indicates whether to push the image if the vulnerability scan fails
+	FailPush bool `json:"fail,omitempty"`
+
+	// IgnoreOptions refers to ignore options for vulnerability scan
+	IgnoreOptions *VulnerabilityIgnoreOptions `json:"ignore,omitempty"`
+}
+
+var _ pflag.Value = &VulnerabilityScanOptions{}
+
+func (v *VulnerabilityScanOptions) Set(s string) error {
+	return json.Unmarshal([]byte(s), v)
+}
+
+func (v *VulnerabilityScanOptions) String() string {
+	data, err := json.Marshal(*v)
+	if err != nil {
+		panic(err.Error())
+	}
+	return string(data)
+}
+
+func (v *VulnerabilityScanOptions) Type() string {
+	return "vulnerability-scan-settings"
+}
+
 // Image refers to an container image with credentials
 type Image struct {
 	// Image is the reference of the image.
@@ -233,6 +280,11 @@ type Image struct {
 	//
 	// +optional
 	Labels map[string]string `json:"labels,omitempty"`
+
+	// VulnerabilityScan references the options for vulnerability scanning
+	//
+	// +optional
+	VulnerabilityScan *VulnerabilityScanOptions `json:"vulnerabilityScan,omitempty"`
 }
 
 // BuildStatus defines the observed state of Build

diff --git a/pkg/apis/build/v1alpha1/buildrun_types.go b/pkg/apis/build/v1alpha1/buildrun_types.go
@@ -138,13 +138,24 @@ type GitSourceResult struct {
 	BranchName string `json:"branchName,omitempty"`
 }
 
+// Vulnerability defines a vulnerability by its ID and severity
+type Vulnerability struct {
+	VulnerabilityID string `json:"vulnerabilityID,omitempty"`
+	Severity        string `json:"severity,omitempty"`
+}
+
 // Output holds the results emitted from the output step (build-and-push)
 type Output struct {
 	// Digest holds the digest of output image
 	Digest string `json:"digest,omitempty"`
 
 	// Size holds the compressed size of output image
 	Size int64 `json:"size,omitempty"`
+
+	// Vulnerabilities holds the list of vulnerabilities detected in the image
+	//
+	// +optional
+	Vulnerabilities []Vulnerability `json:"vulnerabilities,omitempty"`
 }
 
 // BuildRunStatus defines the observed state of BuildRun

diff --git a/pkg/apis/build/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/build/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/apis/build/v1beta1/build_conversion.go b/pkg/apis/build/v1beta1/build_conversion.go
@@ -195,6 +195,20 @@ func (dest *BuildSpec) ConvertFrom(orig *v1alpha1.BuildSpec) error {
 	dest.Output.Annotations = orig.Output.Annotations
 	dest.Output.Labels = orig.Output.Labels
 
+	if orig.Output.VulnerabilityScan != nil {
+		dest.Output.VulnerabilityScan = &VulnerabilityScanOptions{
+			Enabled:  orig.Output.VulnerabilityScan.Enabled,
+			FailPush: orig.Output.VulnerabilityScan.FailPush,
+		}
+		if orig.Output.VulnerabilityScan.IgnoreOptions != nil {
+			dest.Output.VulnerabilityScan.IgnoreOptions = &VulnerabilityIgnoreOptions{
+				Issues:   orig.Output.VulnerabilityScan.IgnoreOptions.Issues,
+				Severity: orig.Output.VulnerabilityScan.IgnoreOptions.Severity,
+				Unfixed:  orig.Output.VulnerabilityScan.IgnoreOptions.Unfixed,
+			}
+		}
+	}
+
 	// Handle BuildSpec Timeout
 	dest.Timeout = orig.Timeout
 
@@ -286,6 +300,19 @@ func (dest *BuildSpec) ConvertTo(bs *v1alpha1.BuildSpec) error {
 	}
 	bs.Output.Annotations = dest.Output.Annotations
 	bs.Output.Labels = dest.Output.Labels
+	if dest.Output.VulnerabilityScan != nil {
+		bs.Output.VulnerabilityScan = &v1alpha1.VulnerabilityScanOptions{
+			Enabled:  dest.Output.VulnerabilityScan.Enabled,
+			FailPush: dest.Output.VulnerabilityScan.FailPush,
+		}
+		if dest.Output.VulnerabilityScan.IgnoreOptions != nil {
+			bs.Output.VulnerabilityScan.IgnoreOptions = &v1alpha1.VulnerabilityIgnoreOptions{
+				Issues:   dest.Output.VulnerabilityScan.IgnoreOptions.Issues,
+				Severity: dest.Output.VulnerabilityScan.IgnoreOptions.Severity,
+				Unfixed:  dest.Output.VulnerabilityScan.IgnoreOptions.Unfixed,
+			}
+		}
+	}
 
 	// Handle BuildSpec Timeout
 	bs.Timeout = dest.Timeout