extend the sast-coverity-check CI task to support buildful scanning #1

Closed
wants to merge 298 commits into from

Conversation

@kdudka kdudka commented Nov 26, 2024

chmeliik and others added 30 commits September 12, 2024 14:00
For parity with BUILD_ARGS, support arguments from
BUILD_ARGS_FILE when resolving base images.

Signed-off-by: Adam Cmiel <[email protected]>
Signed-off-by: Adam Cmiel <[email protected]>
In order to comply with the required labels check, the generated
Dockerfile needs to have labels amended to it. By providing an
additional file with this data, it can be appended in order to pass the
compliance check.

```
❯ cat -p config/metadata/additional-labels.txt
LABEL com.redhat.component="" \
      description="" \
      distribution-scope="" \
      io.k8s.description="" \
      name="" \
      release="" \
      url="" \
      vendor="" \
      version=""
```

Signed-off-by: Brady Pratt <[email protected]>
This commit passes new environment variables to the e2e tests containing
references to the oci-ta build Pipelines. This allows us to test those
Pipelines.

Ref: EC-715

Signed-off-by: Luiz Carvalho <[email protected]>
Due to tektoncd/cli#2402, annotation values
that contain commas or double-quotes currently break 'tkn bundle push'.

Escape such annotation values in a way that's compatible with the
pflag.StringSlice [1] parser that 'tkn bundle push' uses to parse
CLI arguments.

[1]: https://pkg.go.dev/github.com/spf13/pflag#FlagSet.StringSlice

Signed-off-by: Adam Cmiel <[email protected]>
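The escaping the commit above describes, as an added example (this is not the task's own code). pflag.StringSlice parses each occurrence of a flag with Go's encoding/csv, so a value containing a comma or a double quote has to be CSV-quoted: wrapped in double quotes with every embedded double quote doubled. Python's csv module applies the same quoting rules, which is what the round-trip check below relies on as a stand-in for the Go parser. The assumption that the whole `key=value` pair is one StringSlice item (parsed before the pair is split on `=`) is mine, as is the annotation key used as sample input.

```python
"""Escape values for a pflag.StringSlice flag such as 'tkn bundle push --annotate'.

Added example, not code from konflux-ci/build-definitions. pflag's StringSlice
runs each flag value through Go's encoding/csv, so a comma or a double quote
inside a value must be CSV-quoted, otherwise the value is split into several
items or rejected as a bare quote in a non-quoted field.
"""
import csv
import io
from typing import Dict, List


def csv_escape(value: str) -> str:
    """Quote `value` so that a CSV parser (Go's encoding/csv, as used by
    pflag.StringSlice) reads it back as exactly one field.

    Values without CSV metacharacters are returned unchanged so that the
    common case produces the same command line as before."""
    if not any(c in value for c in ',"\n'):
        return value
    return '"' + value.replace('"', '""') + '"'


def annotate_args(annotations: Dict[str, str]) -> List[str]:
    """Build '--annotate key=value' arguments for 'tkn bundle push'.

    Assumption (not confirmed by the commit): the whole 'key=value' pair is a
    single StringSlice item, so the pair is escaped as a unit rather than the
    value alone."""
    args: List[str] = []
    for key, value in annotations.items():
        args += ["--annotate", csv_escape(f"{key}={value}")]
    return args


def parse_string_slice(raw: str) -> List[str]:
    """Mimic pflag's readAsCSV: parse one flag value as a single CSV record and
    return its fields. Python's csv reader is a stand-in for Go's encoding/csv;
    for quoted fields with commas and doubled quotes both behave the same."""
    return next(csv.reader(io.StringIO(raw)))


if __name__ == "__main__":
    # Constructed sample annotation containing both metacharacters.
    sample = {"org.opencontainers.image.description": 'Build, test, "ship"'}
    for arg in annotate_args(sample):
        print(arg)
```

Without the escaping, the sample value would be split at each comma into three StringSlice items, and the unquoted `"ship"` would make the CSV parser fail, which is the breakage reported in tektoncd/cli#2402.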
There is no volumeMount for workdir in the oci-copy task, and its
presence in the volumes causes duplicate volumes in the oci-copy-oci-ta
Task.

This could also be resolved by making the generator aware of duplicate
volumes and volumeMounts. Let's do that if it indeed does become an
issue.
The secret in the namespace where this pipeline runs is called
'snyk-secret', not 'snyk-shared-secret'. Remove the param since
'snyk-secret' is the default value.

Signed-off-by: Adam Cmiel <[email protected]>
The PR pipeline already runs Snyk, but doesn't upload the results
anywhere. Run Snyk in the push pipeline as well and upload the results
to snyk.io.

Note: we should not upload to Snyk from the PR pipeline. Each PR would
overwrite the Snyk results from other PRs. By uploading only in the push
pipeline, the results will at least always reflect the state in 'main'.

The results can be found in the 'konflux-ci/build-definitions' project
in the Snyk organization associated with the Snyk token used by the
pipeline (currently the 'developer-red-hat-trusted-application-pipeline'
organization).

Signed-off-by: Adam Cmiel <[email protected]>
In order to fix KFLUXBUGS-1616, we need to ensure the digest of the
Image Index is also included in the list of PROCESSED_IMAGES. This will
allow EC to verify the Image Index directly as well as the Image
Manifests.

Signed-off-by: Luiz Carvalho <[email protected]>
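What "include the Image Index digest in PROCESSED_IMAGES" amounts to, as an added example that is not code from the build pipeline. Given the raw bytes of an OCI image index, the function below emits one `repo@digest` reference for the index itself followed by one for each platform manifest, so that a policy engine can verify the index directly as well as the manifests. The index document is constructed for the example, its manifest digests are placeholders of the right shape, and the repository name is an assumption. The one property worth noticing is that the index digest is sha256 over the exact bytes the registry served, never over a re-serialised copy.

```python
"""Produce the full list of references to verify for a multi-arch build:
the OCI image index plus every platform manifest it references.

Added example, not code from konflux-ci/build-definitions. INDEX_BYTES is a
constructed image index; the manifest digests in it are placeholders.
"""
import hashlib
import json
from typing import List

INDEX_MEDIA_TYPES = (
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
)

# Constructed image index with two platform manifests (placeholder digests).
INDEX_BYTES = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "11" * 32, "size": 1234,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "22" * 32, "size": 1234,
         "platform": {"os": "linux", "architecture": "arm64"}},
    ],
}, separators=(",", ":")).encode()


def is_valid_digest(digest: str) -> bool:
    """Cheap sanity check on 'sha256:<64 hex chars>' before anything is signed
    or attested against it."""
    algo, sep, hexpart = digest.partition(":")
    return (sep == ":" and algo == "sha256" and len(hexpart) == 64
            and all(c in "0123456789abcdef" for c in hexpart))


def index_digest(raw_index: bytes) -> str:
    """Digest of the index as served. Hash the raw bytes: re-serialising the
    JSON (key order, whitespace) would produce a digest the registry does not
    know about."""
    return "sha256:" + hashlib.sha256(raw_index).hexdigest()


def processed_images(repo: str, raw_index: bytes) -> List[str]:
    """Return repo@digest references: the index first, then each manifest.

    Raises ValueError if the document is not an image index or carries a
    malformed digest, so a bad input fails the task instead of silently
    producing a partial list."""
    doc = json.loads(raw_index)
    if doc.get("mediaType") not in INDEX_MEDIA_TYPES:
        raise ValueError("not an image index: %r" % doc.get("mediaType"))
    refs = [f"{repo}@{index_digest(raw_index)}"]
    for manifest in doc["manifests"]:
        digest = manifest["digest"]
        if not is_valid_digest(digest):
            raise ValueError(f"malformed digest {digest!r}")
        refs.append(f"{repo}@{digest}")
    return refs


if __name__ == "__main__":
    # Repository name is an assumption for the example.
    for ref in processed_images("quay.io/example/app", INDEX_BYTES):
        print(ref)
```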
The redhat-appstudio/cosign image is getting deprecated due to the migration to
konflux-ci; replace it with the konflux-ci/appstudio-utils image.
- Describe steps needed for local testing
- Improve info about test-build.sh and test-builds.sh
- Fix typos and other nitpicks
Task-generator doesn't have a README.
Add a README with a description of what the generator does and its usage
Replace the python jwcrypto library with the more readily available
openssl tools.

This is part of an effort to move away from the
quay.io/redhat-appstudio/github-app-token image.

Signed-off-by: Adam Cmiel <[email protected]>
Replace the python requests library with the python urllib library,
which is part of the stdlib.

This is part of an effort to move away from the
quay.io/redhat-appstudio/github-app-token image.

Signed-off-by: Adam Cmiel <[email protected]>
The quay.io/redhat-appstudio/github-app-token image is highly suspect.

- It is a copy of quay.io/chmouel/github-app-token - an image in a
  personal namespace with unclear origins and content.
- It has not been updated for 4 years.
- It has 175 critical vulnerabilities according to quay.io.

The update-infra-deployments task no longer depends on anything this
image provides - replace it with a generic python image.

Signed-off-by: Adam Cmiel <[email protected]>
Handle the cases of GITHUB_APP_KEY_PATH not set / set to a non-existent
file more gracefully.

Signed-off-by: Adam Cmiel <[email protected]>
MartinBasti and others added 26 commits November 20, 2024 09:17
It's enough to have such a PR opened weekly.

Signed-off-by: Martin Basti <[email protected]>
The rule checks that Task step image is accessible.

Reference: https://issues.redhat.com/browse/EC-912
We encountered transient 502 errors from quay today.

Add retries here to avoid task failure when we encounter flakiness.
It turns out that IBM Cloud and AWS s3 bucket urls are constructed
differently, and the region is in a different place in the string.

Add a conditional here to catch AWS-style urls.
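The region extraction the commit above alludes to, as an added example that is not the task's own script. The commit only says the region sits in a different place in the two URL styles; the concrete forms below are my assumptions about the usual endpoint layouts: AWS virtual-hosted (`<bucket>.s3.<region>.amazonaws.com`) and path-style (`s3.<region>.amazonaws.com/<bucket>`), and IBM Cloud Object Storage (`s3.<region>.cloud-object-storage.appdomain.cloud/<bucket>`). The sample URLs are constructed.

```python
"""Extract the S3 region from AWS-style and IBM Cloud Object Storage URLs.

Added example, not code from konflux-ci/build-definitions. The URL layouts
handled here are the documented public endpoint forms as I know them; the
commit itself does not spell them out.
"""
import re
from typing import NamedTuple, Optional
from urllib.parse import urlparse


class S3Location(NamedTuple):
    provider: str   # "aws" or "ibm"
    region: str
    bucket: str


# AWS virtual-hosted style: <bucket>.s3.<region>.amazonaws.com/<key>
_AWS_VHOST = re.compile(r"^(?P<bucket>[^.]+)\.s3\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")
# AWS path style: s3.<region>.amazonaws.com/<bucket>/<key>
_AWS_PATH = re.compile(r"^s3\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")
# IBM COS: s3.<region>.cloud-object-storage.appdomain.cloud/<bucket>/<key>
_IBM_PATH = re.compile(r"^s3\.(?P<region>[a-z0-9-]+)\.cloud-object-storage\.appdomain\.cloud$")


def parse_s3_url(url: str) -> Optional[S3Location]:
    """Return provider, region and bucket for a supported URL, or None for a
    host that matches neither layout (the caller should fail loudly rather
    than guess a region)."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return None
    host = parsed.hostname or ""
    first_segment = parsed.path.lstrip("/").split("/", 1)[0]

    m = _AWS_VHOST.match(host)
    if m:
        return S3Location("aws", m.group("region"), m.group("bucket"))
    m = _AWS_PATH.match(host)
    if m and first_segment:
        return S3Location("aws", m.group("region"), first_segment)
    m = _IBM_PATH.match(host)
    if m and first_segment:
        return S3Location("ibm", m.group("region"), first_segment)
    return None


if __name__ == "__main__":
    # Constructed sample URLs (bucket and key names are made up).
    for sample in (
        "https://cache-bucket.s3.us-east-1.amazonaws.com/sbom/app.json",
        "https://s3.eu-west-2.amazonaws.com/cache-bucket/sbom/app.json",
        "https://s3.us-south.cloud-object-storage.appdomain.cloud/cache-bucket/sbom/app.json",
        "https://example.org/not-a-bucket",
    ):
        print(sample, "->", parse_s3_url(sample))
```

Matching on the host with anchored patterns rather than with a substring search is the point of the conditional: a key named `s3.us-east-1.amazonaws.com/...` inside the path must not be mistaken for the endpoint.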
Added in konflux-ci#1529 due to tektoncd/pipeline#8388
as this is not yet deployed in the cluster.

This reverts commit 51cb724.
If they increase the file size
(tektoncd/pipeline#8388)

Signed-off-by: Adam Cmiel <[email protected]>
Signed-off-by: Julen Landa Alustiza <[email protected]>
When getting ephemeral cluster credentials, the kubeconfig file was
assigned to the KUBECONFIG env var, which is deleted before the script
ends.

This change removes that assignment and instead explicitly mentions the
kubeconfig path when it's used.

Signed-off-by: Yftach Herzog <[email protected]>
... to make the interface compatible with the `build-container` task
... from the build-container task
@kdudka kdudka self-assigned this Nov 26, 2024
@kdudka kdudka closed this Nov 26, 2024
@kdudka kdudka deleted the cov-bf branch November 26, 2024 14:48
@kdudka kdudka restored the cov-bf branch November 26, 2024 14:48