From 567e59b013201e472a2b3a71db11100a4bb462db Mon Sep 17 00:00:00 2001
From: Lakshya Gupta
Date: Tue, 6 Sep 2022 10:13:24 +0530
Subject: [PATCH] move script from test-infra to sig-security
---
 .../scanning/build-deps-and-release-images.sh | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 sig-security-tooling/scanning/build-deps-and-release-images.sh
diff --git a/sig-security-tooling/scanning/build-deps-and-release-images.sh b/sig-security-tooling/scanning/build-deps-and-release-images.sh
new file mode 100644
index 0000000..46f5a81
--- /dev/null
+++ b/sig-security-tooling/scanning/build-deps-and-release-images.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# Copyright 2022 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+apt update && apt -y install jq
+wget -q -O /usr/local/bin/snyk https://github.com/snyk/cli/releases/download/v1.993.0/snyk-linux && chmod +x /usr/local/bin/snyk
+mkdir -p "${ARTIFACTS}"
+if [ -z "${SNYK_TOKEN}" ]; then
+ echo "SNYK_TOKEN env var is not set, required for snyk scan"
+ exit 1
+fi
+echo "Running snyk scan .."
+EXIT_CODE=0
+RESULT_UNFILTERED=$(snyk test -d --json) || EXIT_CODE=$?
+if [ $EXIT_CODE -gt 1 ]; then
+ echo "Failed to run snyk scan with exit code $EXIT_CODE "
+ exit 1
+fi
+RESULT=$(echo $RESULT_UNFILTERED | jq \
+ '{vulnerabilities: .vulnerabilities | map(select((.type != "license") and (.version != "0.0.0"))) | select(length > 0) }')
+if [[ ${RESULT} ]]; then
+ CVE_IDs=$(echo $RESULT | jq '.vulnerabilities[].identifiers.CVE')
+ #convert string to array
+ CVE_IDs_array=($(echo ${CVE_IDs}))
+ #TODO:Implement deduplication of CVE IDs in future
+ for i in "${CVE_IDs_array[@]}"; do
+ if [[ "$i" == *"CVE"* ]]; then
+ #Look for presence of GitHub Issues for detected CVEs. If no issues are present, this CVE needs triage
+ #Once the job fails, CVE is triaged by SIG Security and a tracking issue is created.
+ #This will allow in the next run for the job to pass again
+ TOTAL_COUNT=$(curl -H "Accept: application/vnd.github.v3+json" "https://api.github.com/search/issues?q=repo:kubernetes/kubernetes+${i}" | jq .total_count)
+ if [[ $TOTAL_COUNT -eq 0 ]]; then
+ echo "Vulnerability filtering failed"
+ exit 1
+ fi
+ fi
+ done
+fi
+echo "Build time dependency scan completed"
+
+# container images scan
+echo "Fetch the list of k8s images"
+curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep 'PackageName: registry.k8s.io/' | awk '{print $2}' >images
+while read image; do
+ echo "Running container image scan.."
+ EXIT_CODE=0
+ RESULT_UNFILTERED=$(snyk container test $image -d --json) || EXIT_CODE=$?
+ if [ $EXIT_CODE -gt 1 ]; then
+ echo "Failed to run snyk scan with exit code $EXIT_CODE . Error message: $RESULT_UNFILTERED"
+ exit 1
+ fi
+ RESULT=$(echo $RESULT_UNFILTERED | jq \
+ '{vulnerabilities: .vulnerabilities | map(select(.isUpgradable == true or .isPatchable == true)) | select(length > 0) }')
+ if [[ ${RESULT} ]]; then
+ echo "Vulnerability filtering failed"
+ # exit 1 (To allow other images to be scanned even if one fails)
+ else
+ echo "Scan completed image $image"
+ fi
+done
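Review bot: The snyk binary fetched on the `wget` line is installed and executed with no integrity check, so whatever is served at that URL runs with SNYK_TOKEN in its environment; pin the digest of the v1.993.0 release next to the version and verify it before the `chmod`, e.g. `echo "<SNYK_LINUX_SHA256_PLACEHOLDER>  /usr/local/bin/snyk" | sha256sum -c -`. Under `set -u` the `[ -z "${SNYK_TOKEN}" ]` guard aborts with an unbound-variable error before its own message is printed when the variable is absent; `[ -z "${SNYK_TOKEN:-}" ]` keeps the intended diagnostic, and `"${ARTIFACTS}"` on the `mkdir` line has the same problem. Both `echo $RESULT_UNFILTERED | jq` lines word-split and glob-expand the JSON report before jq sees it; `jq ... <<<"$RESULT_UNFILTERED"` passes it intact. If the loop's closing line is really the bare `done` printed here, `while read image` reads stdin rather than the `images` file written just above, and even with `done <images` the `snyk container test` call inside the loop may consume that same stdin, so redirect it with `</dev/null` (or read the list on a separate descriptor). The unauthenticated GitHub search `curl` has no `-f` and no rate-limit handling, so an error body without `total_count` makes `jq .total_count` print `null`, and the `-eq 0` comparison then either trips `set -u` or treats it as zero — the run stops without saying the API call failed rather than that a CVE is untriaged.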