diff --git a/deploy/crds/shipwright.io_buildruns.yaml b/deploy/crds/shipwright.io_buildruns.yaml index d3cb6e5b2e..c858254c44 100644 --- a/deploy/crds/shipwright.io_buildruns.yaml +++ b/deploy/crds/shipwright.io_buildruns.yaml @@ -114,6 +114,38 @@ spec: description: Labels references the additional labels to be applied on the image type: object + vulnerabilityScan: + description: VulnerabilityScan references the options for + vulnerability scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the image + if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options for + vulnerability scan + properties: + issues: + description: Issues references the security issues + to be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities of + security issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display + only fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object 
@@ -272,6 +304,38 @@ spec: description: Labels references the additional labels to be applied on the image type: object + vulnerabilityScan: + description: VulnerabilityScan references the options for + vulnerability scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the image + if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options for + vulnerability scan + properties: + issues: + description: Issues references the security issues + to be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities of + security issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display + only fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object 
@@ -2351,6 +2415,38 @@ spec: description: Labels references the additional labels to be applied on the image type: object + vulnerabilityScan: + description: VulnerabilityScan references the options for vulnerability + scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the image + if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options for vulnerability + scan + properties: + issues: + description: Issues references the security issues to + be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities of security + issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display only + fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object 
@@ -4124,6 +4220,38 @@ spec: description: Labels references the additional labels to be applied on the image type: object + vulnerabilityScan: + description: VulnerabilityScan references the options for + vulnerability scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the image + if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options for + vulnerability scan + properties: + issues: + description: Issues references the security issues + to be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities of + security issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display + only fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object 
@@ -4282,6 +4410,38 @@ spec: description: Labels references the additional labels to be applied on the image type: object + vulnerabilityScan: + description: VulnerabilityScan references the options for + vulnerability scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the image + if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options for + vulnerability scan + properties: + issues: + description: Issues references the security issues + to be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities of + security issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display + only fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object @@ -6298,6 +6458,19 @@ spec: description: Size holds the compressed size of output image format: int64 type: integer + vulnerabilities: + description: Vulnerabilities holds the list of vulnerabilities + detected in the image + items: + description: Vulnerability defines a vulnerability by its ID + and severity + properties: + severity: + type: string + vulnerabilityID: + type: string + type: object + type: array type: object sources: description: Sources holds the results emitted from the step definition 
@@ -6543,6 +6716,38 @@ spec: description: Describes the secret name for pushing a container image. type: string + vulnerabilityScan: + description: VulnerabilityScan references the options + for vulnerability scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the + image if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options + for vulnerability scan + properties: + issues: + description: Issues references the security issues + to be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities + of security issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display + only fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object @@ -8677,6 +8882,38 @@ spec: description: Describes the secret name for pushing a container image. type: string + vulnerabilityScan: + description: VulnerabilityScan references the options for vulnerability + scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the image + if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options for vulnerability + scan + properties: + issues: + description: Issues references the security issues to + be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities of security + issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display only + fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object 
@@ -10539,6 +10776,38 @@ spec: description: Describes the secret name for pushing a container image. type: string + vulnerabilityScan: + description: VulnerabilityScan references the options for + vulnerability scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the image + if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options for + vulnerability scan + properties: + issues: + description: Issues references the security issues + to be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities of + security issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display + only fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object @@ -12523,6 +12792,19 @@ spec: description: Size holds the compressed size of output image format: int64 type: integer + vulnerabilities: + description: Vulnerabilities holds the list of vulnerabilities + detected in the image + items: + description: Vulnerability defines a vulnerability by its ID + and severity + properties: + severity: + type: string + vulnerabilityID: + type: string + type: object + type: array type: object source: description: Source holds the results emitted from the source step diff --git a/deploy/crds/shipwright.io_builds.yaml b/deploy/crds/shipwright.io_builds.yaml index a76781a66f..f4ca425c73 100644 --- a/deploy/crds/shipwright.io_builds.yaml +++ b/deploy/crds/shipwright.io_builds.yaml 
@@ -100,6 +100,38 @@ spec: description: Labels references the additional labels to be applied on the image type: object + vulnerabilityScan: + description: VulnerabilityScan references the options for vulnerability + scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the image + if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options for vulnerability + scan + properties: + issues: + description: Issues references the security issues to + be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities of security + issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display only + fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object 
@@ -252,6 +284,38 @@ spec: description: Labels references the additional labels to be applied on the image type: object + vulnerabilityScan: + description: VulnerabilityScan references the options for vulnerability + scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the image + if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options for vulnerability + scan + properties: + issues: + description: Issues references the security issues to + be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities of security + issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display only + fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object 
@@ -2324,6 +2388,38 @@ spec: description: Describes the secret name for pushing a container image. type: string + vulnerabilityScan: + description: VulnerabilityScan references the options for vulnerability + scanning + properties: + enabled: + description: Enabled indicates whether to run vulnerability + scan for image + type: boolean + fail: + description: FailPush indicates whether to push the image + if the vulnerability scan fails + type: boolean + ignore: + description: IgnoreOptions refers to ignore options for vulnerability + scan + properties: + issues: + description: Issues references the security issues to + be ignored in vulnerability scan + items: + type: string + type: array + severity: + description: Severity indicates the severities of security + issues to be ignored (comma separated) + type: string + unfixed: + description: IgnoreUnfixed indicates flag to display only + fixed vulnerabilities + type: boolean + type: object + type: object required: - image type: object diff --git a/pkg/apis/build/v1alpha1/build_types.go b/pkg/apis/build/v1alpha1/build_types.go index e9f3789079..eb74bd520e 100644 --- a/pkg/apis/build/v1alpha1/build_types.go +++ b/pkg/apis/build/v1alpha1/build_types.go @@ -5,6 +5,9 @@ package v1alpha1 import ( + "encoding/json" + + "github.com/spf13/pflag" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) 
@@ -208,6 +211,50 @@ func (buildSpec *BuildSpec) StrategyName() string {
 	return buildSpec.Strategy.Name
 }
 
+// VulnerabilityIgnoreOptions refers to ignore options for vulnerability scan
+type VulnerabilityIgnoreOptions struct {
+
+	// Issues references the security issues to be ignored in vulnerability scan
+	Issues []string `json:"issues,omitempty"`
+
+	// Severity indicates the severities of security issues to be ignored (comma separated)
+	Severity string `json:"severity,omitempty"`
+
+	// IgnoreUnfixed indicates flag to display only fixed vulnerabilities
+	Unfixed bool `json:"unfixed,omitempty"`
+}
+
+// VulnerabilityScanOptions references the options for vulnerability scanning
+type VulnerabilityScanOptions struct {
+
+	// Enabled indicates whether to run vulnerability scan for image
+	Enabled bool `json:"enabled,omitempty"`
+
+	// FailPush indicates whether to push the image if the vulnerability scan fails
+	FailPush bool `json:"fail,omitempty"`
+
+	// IgnoreOptions refers to ignore options for vulnerability scan
+	IgnoreOptions *VulnerabilityIgnoreOptions `json:"ignore,omitempty"`
+}
+
+var _ pflag.Value = &VulnerabilityScanOptions{}
+
+func (v *VulnerabilityScanOptions) Set(s string) error {
+	return json.Unmarshal([]byte(s), v)
+}
+
+func (v *VulnerabilityScanOptions) String() string {
+	data, err := json.Marshal(*v)
+	if err != nil {
+		panic(err.Error())
+	}
+	return string(data)
+}
+
+func (v *VulnerabilityScanOptions) Type() string {
+	return "vulnerability-scan-settings"
+}
+
 // Image refers to an container image with credentials
 type Image struct {
 	// Image is the reference of the image.
@@ -233,6 +280,11 @@ type Image struct {
 	//
 	// +optional
 	Labels map[string]string `json:"labels,omitempty"`
+
+	// VulnerabilityScan references the options for vulnerability scanning
+	//
+	// +optional
+	VulnerabilityScan *VulnerabilityScanOptions `json:"vulnerabilityScan,omitempty"`
 }
 
 // BuildStatus defines the observed state of Build
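Review bot: The doc comment on `FailPush` reads as the inverse of what its JSON name `fail` suggests: "whether to push the image if the vulnerability scan fails" makes `fail: true` sound like "push anyway", while a reader of the CRD will expect `fail: true` to block the push. Since this field is the gate between a vulnerable image and the registry, the comment should state which value stops the push, e.g. `// FailPush, when true, fails the build and does not push the image if the scan reports vulnerabilities — TODO confirm against the strategy steps that consume it`; the same text is repeated in v1beta1/build_types.go further down. Separately, `Set` unmarshals into the receiver in place, so a second occurrence of the flag merges with the first instead of replacing it (an `ignore` block from an earlier value survives a later value that omits it); decode into a local first: `var parsed VulnerabilityScanOptions`, `if err := json.Unmarshal([]byte(s), &parsed); err != nil { return err }`, `*v = parsed`. The three exported pflag.Value methods also carry no doc comments.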
diff --git a/pkg/apis/build/v1alpha1/buildrun_types.go b/pkg/apis/build/v1alpha1/buildrun_types.go
index f8458f82b2..ec5e499304 100644
--- a/pkg/apis/build/v1alpha1/buildrun_types.go
+++ b/pkg/apis/build/v1alpha1/buildrun_types.go
@@ -138,6 +138,12 @@ type GitSourceResult struct {
 	BranchName string `json:"branchName,omitempty"`
 }
 
+// Vulnerability defines a vulnerability by its ID and severity
+type Vulnerability struct {
+	VulnerabilityID string `json:"vulnerabilityID,omitempty"`
+	Severity string `json:"severity,omitempty"`
+}
+
 // Output holds the results emitted from the output step (build-and-push)
 type Output struct {
 	// Digest holds the digest of output image
@@ -145,6 +151,11 @@ type Output struct {
 
 	// Size holds the compressed size of output image
 	Size int64 `json:"size,omitempty"`
+
+	// Vulnerabilities holds the list of vulnerabilities detected in the image
+	//
+	// +optional
+	Vulnerabilities []Vulnerability `json:"vulnerabilities,omitempty"`
 }
 
 // BuildRunStatus defines the observed state of BuildRun
diff --git a/pkg/apis/build/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/build/v1alpha1/zz_generated.deepcopy.go
index a546cc9ef0..6cd4a0fd04 100644
--- a/pkg/apis/build/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/build/v1alpha1/zz_generated.deepcopy.go
@@ -312,7 +312,7 @@ func (in *BuildRunStatus) DeepCopyInto(out *BuildRunStatus) {
 	if in.Output != nil {
 		in, out := &in.Output, &out.Output
 		*out = new(Output)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
@@ -904,6 +904,11 @@ func (in *Image) DeepCopyInto(out *Image) {
 			(*out)[key] = val
 		}
 	}
+	if in.VulnerabilityScan != nil {
+		in, out := &in.VulnerabilityScan, &out.VulnerabilityScan
+		*out = new(VulnerabilityScanOptions)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
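Review bot: The two fields of the new `Vulnerability` struct have no doc comments, unlike every other field in this file, and the identical bare struct is added to v1beta1/buildrun_types.go further down. Suggested: `// VulnerabilityID is the identifier of the finding as reported by the scanner` and `// Severity is the severity of the finding as reported by the scanner`. Both fields carry `omitempty`, so an entry with an empty ID serializes as `{}` in status; if the producer can ever emit a finding without an ID, it should drop the entry rather than publish an empty object, but I cannot see the producer from this hunk.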
@@ -941,6 +946,11 @@ func (in *ObjectKeyRef) DeepCopy() *ObjectKeyRef { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Output) DeepCopyInto(out *Output) { *out = *in + if in.Vulnerabilities != nil { + in, out := &in.Vulnerabilities, &out.Vulnerabilities + *out = make([]Vulnerability, len(*in)) + copy(*out, *in) + } return } 
@@ -1221,6 +1231,64 @@ func (in *TriggerWhen) DeepCopy() *TriggerWhen { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Vulnerability) DeepCopyInto(out *Vulnerability) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Vulnerability. +func (in *Vulnerability) DeepCopy() *Vulnerability { + if in == nil { + return nil + } + out := new(Vulnerability) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VulnerabilityIgnoreOptions) DeepCopyInto(out *VulnerabilityIgnoreOptions) { + *out = *in + if in.Issues != nil { + in, out := &in.Issues, &out.Issues + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VulnerabilityIgnoreOptions. +func (in *VulnerabilityIgnoreOptions) DeepCopy() *VulnerabilityIgnoreOptions { + if in == nil { + return nil + } + out := new(VulnerabilityIgnoreOptions) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VulnerabilityScanOptions) DeepCopyInto(out *VulnerabilityScanOptions) { + *out = *in + if in.IgnoreOptions != nil { + in, out := &in.IgnoreOptions, &out.IgnoreOptions + *out = new(VulnerabilityIgnoreOptions) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VulnerabilityScanOptions. +func (in *VulnerabilityScanOptions) DeepCopy() *VulnerabilityScanOptions { + if in == nil { + return nil + } + out := new(VulnerabilityScanOptions) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil.
 func (in *WhenGitHub) DeepCopyInto(out *WhenGitHub) {
 	*out = *in
diff --git a/pkg/apis/build/v1beta1/build_conversion.go b/pkg/apis/build/v1beta1/build_conversion.go
index c0199aae74..5d11a3f728 100644
--- a/pkg/apis/build/v1beta1/build_conversion.go
+++ b/pkg/apis/build/v1beta1/build_conversion.go
@@ -195,6 +195,20 @@ func (dest *BuildSpec) ConvertFrom(orig *v1alpha1.BuildSpec) error {
 	dest.Output.Annotations = orig.Output.Annotations
 	dest.Output.Labels = orig.Output.Labels
 
+	if orig.Output.VulnerabilityScan != nil {
+		dest.Output.VulnerabilityScan = &VulnerabilityScanOptions{
+			Enabled: orig.Output.VulnerabilityScan.Enabled,
+			FailPush: orig.Output.VulnerabilityScan.FailPush,
+		}
+		if orig.Output.VulnerabilityScan.IgnoreOptions != nil {
+			dest.Output.VulnerabilityScan.IgnoreOptions = &VulnerabilityIgnoreOptions{
+				Issues: orig.Output.VulnerabilityScan.IgnoreOptions.Issues,
+				Severity: orig.Output.VulnerabilityScan.IgnoreOptions.Severity,
+				Unfixed: orig.Output.VulnerabilityScan.IgnoreOptions.Unfixed,
+			}
+		}
+	}
+
 	// Handle BuildSpec Timeout
 	dest.Timeout = orig.Timeout
 
@@ -286,6 +300,19 @@ func (dest *BuildSpec) ConvertTo(bs *v1alpha1.BuildSpec) error {
 	}
 	bs.Output.Annotations = dest.Output.Annotations
 	bs.Output.Labels = dest.Output.Labels
+	if dest.Output.VulnerabilityScan != nil {
+		bs.Output.VulnerabilityScan = &v1alpha1.VulnerabilityScanOptions{
+			Enabled: dest.Output.VulnerabilityScan.Enabled,
+			FailPush: dest.Output.VulnerabilityScan.FailPush,
+		}
+		if dest.Output.VulnerabilityScan.IgnoreOptions != nil {
+			bs.Output.VulnerabilityScan.IgnoreOptions = &v1alpha1.VulnerabilityIgnoreOptions{
+				Issues: dest.Output.VulnerabilityScan.IgnoreOptions.Issues,
+				Severity: dest.Output.VulnerabilityScan.IgnoreOptions.Severity,
+				Unfixed: dest.Output.VulnerabilityScan.IgnoreOptions.Unfixed,
+			}
+		}
+	}
 	// Handle BuildSpec Timeout
 	bs.Timeout = dest.Timeout
 
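Review bot: The nested VulnerabilityScan copy is written out in full in ConvertFrom here, again in ConvertTo in the second hunk, and twice more in buildrun_conversion.go below; four hand-maintained copies of the same field list will drift the first time a scan option is added. One small helper per direction keeps the sites identical, reducing each to a single line such as `dest.Output.VulnerabilityScan = vulnerabilityScanFromAlpha(orig.Output.VulnerabilityScan)`. The helper below keeps the existing semantics, including that `Issues` is shared by reference with the source object, which matches how Annotations and Labels are copied on the surrounding lines. Both ConvertFrom and ConvertTo continue outside these hunks.
```go
// vulnerabilityScanFromAlpha copies v1alpha1 scan options into the v1beta1 shape; nil stays nil.
func vulnerabilityScanFromAlpha(orig *v1alpha1.VulnerabilityScanOptions) *VulnerabilityScanOptions {
	if orig == nil {
		return nil
	}
	out := &VulnerabilityScanOptions{Enabled: orig.Enabled, FailPush: orig.FailPush}
	if orig.IgnoreOptions != nil {
		out.IgnoreOptions = &VulnerabilityIgnoreOptions{
			Issues:   orig.IgnoreOptions.Issues,
			Severity: orig.IgnoreOptions.Severity,
			Unfixed:  orig.IgnoreOptions.Unfixed,
		}
	}
	return out
}
// … a mirror helper for the v1beta1 -> v1alpha1 direction is the same with the types swapped …
```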
diff --git a/pkg/apis/build/v1beta1/build_types.go b/pkg/apis/build/v1beta1/build_types.go
index 738fa05e14..c17ff528eb 100644
--- a/pkg/apis/build/v1beta1/build_types.go
+++ b/pkg/apis/build/v1beta1/build_types.go
@@ -5,6 +5,9 @@ package v1beta1
 
 import (
+	"encoding/json"
+
+	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -172,6 +175,50 @@ func (buildSpec *BuildSpec) StrategyName() string {
 	return buildSpec.Strategy.Name
 }
 
+// VulnerabilityIgnoreOptions refers to ignore options for vulnerability scan
+type VulnerabilityIgnoreOptions struct {
+
+	// Issues references the security issues to be ignored in vulnerability scan
+	Issues []string `json:"issues,omitempty"`
+
+	// Severity indicates the severities of security issues to be ignored (comma separated)
+	Severity string `json:"severity,omitempty"`
+
+	// IgnoreUnfixed indicates flag to display only fixed vulnerabilities
+	Unfixed bool `json:"unfixed,omitempty"`
+}
+
+// VulnerabilityScanOptions references the options for vulnerability scanning
+type VulnerabilityScanOptions struct {
+
+	// Enabled indicates whether to run vulnerability scan for image
+	Enabled bool `json:"enabled,omitempty"`
+
+	// FailPush indicates whether to push the image if the vulnerability scan fails
+	FailPush bool `json:"fail,omitempty"`
+
+	// IgnoreOptions refers to ignore options for vulnerability scan
+	IgnoreOptions *VulnerabilityIgnoreOptions `json:"ignore,omitempty"`
+}
+
+var _ pflag.Value = &VulnerabilityScanOptions{}
+
+func (v *VulnerabilityScanOptions) Set(s string) error {
+	return json.Unmarshal([]byte(s), v)
+}
+
+func (v *VulnerabilityScanOptions) String() string {
+	data, err := json.Marshal(*v)
+	if err != nil {
+		panic(err.Error())
+	}
+	return string(data)
+}
+
+func (v *VulnerabilityScanOptions) Type() string {
+	return "vulnerability-scan-settings"
+}
+
 // Image refers to an container image with credentials
 type Image struct {
 	// Image is the reference of the image.
@@ -196,6 +243,11 @@ type Image struct {
 	//
 	// +optional
 	Labels map[string]string `json:"labels,omitempty"`
+
+	// VulnerabilityScan references the options for vulnerability scanning
+	//
+	// +optional
+	VulnerabilityScan *VulnerabilityScanOptions `json:"vulnerabilityScan,omitempty"`
 }
 
 // BuildStatus defines the observed state of Build
diff --git a/pkg/apis/build/v1beta1/buildrun_conversion.go b/pkg/apis/build/v1beta1/buildrun_conversion.go
index 41180e9ae5..7206f04cf4 100644
--- a/pkg/apis/build/v1beta1/buildrun_conversion.go
+++ b/pkg/apis/build/v1beta1/buildrun_conversion.go
@@ -88,6 +88,19 @@ func (src *BuildRun) ConvertTo(ctx context.Context, obj *unstructured.Unstructur
 				Name: *src.Spec.Output.PushSecret,
 			}
 		}
+		if src.Spec.Output.VulnerabilityScan != nil {
+			alphaBuildRun.Spec.Output.VulnerabilityScan = &v1alpha1.VulnerabilityScanOptions{
+				Enabled: src.Spec.Output.VulnerabilityScan.Enabled,
+				FailPush: src.Spec.Output.VulnerabilityScan.FailPush,
+			}
+			if src.Spec.Output.VulnerabilityScan.IgnoreOptions != nil {
+				alphaBuildRun.Spec.Output.VulnerabilityScan.IgnoreOptions = &v1alpha1.VulnerabilityIgnoreOptions{
+					Issues: src.Spec.Output.VulnerabilityScan.IgnoreOptions.Issues,
+					Severity: src.Spec.Output.VulnerabilityScan.IgnoreOptions.Severity,
+					Unfixed: src.Spec.Output.VulnerabilityScan.IgnoreOptions.Unfixed,
+				}
+			}
+		}
 	}
 
 	// BuildRunSpec State
@@ -166,9 +179,23 @@ func (src *BuildRun) ConvertFrom(ctx context.Context, obj *unstructured.Unstruct
 		}
 	}
 
+	var output *Output
+	if alphaBuildRun.Status.Output != nil {
+		output = &Output{
+			Digest: alphaBuildRun.Status.Output.Digest,
+			Size: alphaBuildRun.Status.Output.Size,
+		}
+		for _, vuln := range alphaBuildRun.Status.Output.Vulnerabilities {
+			output.Vulnerabilities = append(output.Vulnerabilities, Vulnerability{
+				VulnerabilityID: vuln.VulnerabilityID,
+				Severity: vuln.Severity,
+			})
+		}
+	}
+
 	src.Status = BuildRunStatus{
 		Source: sourceStatus,
-		Output: (*Output)(alphaBuildRun.Status.Output),
+		Output: output,
 		Conditions: conditions,
 		TaskRunName: alphaBuildRun.Status.LatestTaskRunRef,
 		StartTime: alphaBuildRun.Status.StartTime,
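Review bot: In the ConvertFrom hunk the Vulnerabilities loop appends to a nil slice one element at a time although the length is known; `output.Vulnerabilities = make([]Vulnerability, 0, len(alphaBuildRun.Status.Output.Vulnerabilities))` before the loop avoids the regrowth and makes the intent explicit. The ConvertTo hunk above only carries Spec.Output.VulnerabilityScan to v1alpha1; whether Status.Output.Vulnerabilities is mirrored back in the v1beta1→v1alpha1 direction is outside this hunk, so please confirm that an alpha→beta→alpha round trip does not silently drop the scan results that the status now exposes. Both ConvertTo and ConvertFrom begin and end outside these hunks.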
@@ -233,6 +260,20 @@ func (dest *BuildRunSpec) ConvertFrom(orig *v1alpha1.BuildRunSpec) error {
 		if orig.Output.Credentials != nil {
 			dest.Output.PushSecret = &orig.Output.Credentials.Name
 		}
+
+		if orig.Output.VulnerabilityScan != nil {
+			dest.Output.VulnerabilityScan = &VulnerabilityScanOptions{
+				Enabled: orig.Output.VulnerabilityScan.Enabled,
+				FailPush: orig.Output.VulnerabilityScan.FailPush,
+			}
+			if orig.Output.VulnerabilityScan.IgnoreOptions != nil {
+				dest.Output.VulnerabilityScan.IgnoreOptions = &VulnerabilityIgnoreOptions{
+					Issues: orig.Output.VulnerabilityScan.IgnoreOptions.Issues,
+					Severity: orig.Output.VulnerabilityScan.IgnoreOptions.Severity,
+					Unfixed: orig.Output.VulnerabilityScan.IgnoreOptions.Unfixed,
+				}
+			}
+		}
 	}
 
 	// BuildRunSpec State
diff --git a/pkg/apis/build/v1beta1/buildrun_types.go b/pkg/apis/build/v1beta1/buildrun_types.go
index 7a40e822b0..522f7cac81 100644
--- a/pkg/apis/build/v1beta1/buildrun_types.go
+++ b/pkg/apis/build/v1beta1/buildrun_types.go
@@ -145,6 +145,12 @@ type GitSourceResult struct {
 	BranchName string `json:"branchName,omitempty"`
 }
 
+// Vulnerability defines a vulnerability by its ID and severity
+type Vulnerability struct {
+	VulnerabilityID string `json:"vulnerabilityID,omitempty"`
+	Severity string `json:"severity,omitempty"`
+}
+
 // Output holds the information about the container image that the BuildRun built
 type Output struct {
 	// Digest holds the digest of output image
@@ -156,6 +162,11 @@ type Output struct {
 	//
 	// +optional
 	Size int64 `json:"size,omitempty"`
+
+	// Vulnerabilities holds the list of vulnerabilities detected in the image
+	//
+	// +optional
+	Vulnerabilities []Vulnerability `json:"vulnerabilities,omitempty"`
 }
 
 // BuildRunStatus defines the observed state of BuildRun
diff --git a/pkg/apis/build/v1beta1/zz_generated.deepcopy.go b/pkg/apis/build/v1beta1/zz_generated.deepcopy.go
index 4000f8342c..1beae19691 100644
--- a/pkg/apis/build/v1beta1/zz_generated.deepcopy.go
+++ b/pkg/apis/build/v1beta1/zz_generated.deepcopy.go @@ -304,7 +304,7 @@ func (in *BuildRunStatus) DeepCopyInto(out *BuildRunStatus) { if in.Output != nil { in, out := &in.Output, &out.Output *out = new(Output) - **out = **in + (*in).DeepCopyInto(*out) } if in.Conditions != nil { in, out := &in.Conditions, &out.Conditions @@ -804,6 +804,11 @@ func (in *Image) DeepCopyInto(out *Image) { (*out)[key] = val } } + if in.VulnerabilityScan != nil { + in, out := &in.VulnerabilityScan, &out.VulnerabilityScan + *out = new(VulnerabilityScanOptions) + (*in).DeepCopyInto(*out) + } return } @@ -920,6 +925,11 @@ func (in *OciArtifactSourceResult) DeepCopy() *OciArtifactSourceResult { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Output) DeepCopyInto(out *Output) { *out = *in + if in.Vulnerabilities != nil { + in, out := &in.Vulnerabilities, &out.Vulnerabilities + *out = make([]Vulnerability, len(*in)) + copy(*out, *in) + } return } 
@@ -1236,6 +1246,64 @@ func (in *TriggerWhen) DeepCopy() *TriggerWhen { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Vulnerability) DeepCopyInto(out *Vulnerability) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Vulnerability. +func (in *Vulnerability) DeepCopy() *Vulnerability { + if in == nil { + return nil + } + out := new(Vulnerability) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VulnerabilityIgnoreOptions) DeepCopyInto(out *VulnerabilityIgnoreOptions) { + *out = *in + if in.Issues != nil { + in, out := &in.Issues, &out.Issues + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VulnerabilityIgnoreOptions. +func (in *VulnerabilityIgnoreOptions) DeepCopy() *VulnerabilityIgnoreOptions { + if in == nil { + return nil + } + out := new(VulnerabilityIgnoreOptions) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VulnerabilityScanOptions) DeepCopyInto(out *VulnerabilityScanOptions) { + *out = *in + if in.IgnoreOptions != nil { + in, out := &in.IgnoreOptions, &out.IgnoreOptions + *out = new(VulnerabilityIgnoreOptions) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VulnerabilityScanOptions. +func (in *VulnerabilityScanOptions) DeepCopy() *VulnerabilityScanOptions { + if in == nil { + return nil + } + out := new(VulnerabilityScanOptions) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. func (in *WhenGitHub) DeepCopyInto(out *WhenGitHub) { *out = *in