diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md
index cb0fd2c82d..d0f4e7cf33 100644
--- a/pipelines/docker-build-multi-platform-oci-ta/README.md
+++ b/pipelines/docker-build-multi-platform-oci-ta/README.md
@@ -65,7 +65,7 @@
 |YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| |
 |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
 |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-### clair-scan:0.1 task parameters
+### clair-scan:0.2 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
 |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
@@ -182,8 +182,8 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |IMAGES| List of all referenced image manifests| |
-|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
-|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
+|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
+|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
 ### buildah-remote-oci-ta:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
@@ -193,11 +193,11 @@
 |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
 |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
-### clair-scan:0.1 task results
+### clair-scan:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|CLAIR_SCAN_RESULT| Clair scan result.| |
 |IMAGES_PROCESSED| Images processed in the task.| |
+|SCAN_OUTPUT| Clair scan result.| |
 |TEST_OUTPUT| Tekton task test output.| |
 ### clamav-scan:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md
index 03e8fc7651..794c6178b7 100644
--- a/pipelines/docker-build-oci-ta/README.md
+++ b/pipelines/docker-build-oci-ta/README.md
@@ -62,7 +62,7 @@
 |YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| |
 |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
 |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-### clair-scan:0.1 task parameters
+### clair-scan:0.2 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
 |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
@@ -179,8 +179,8 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |IMAGES| List of all referenced image manifests| |
-|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
-|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
+|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
+|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
 ### buildah-oci-ta:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
@@ -190,11 +190,11 @@
 |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
 |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
-### clair-scan:0.1 task results
+### clair-scan:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|CLAIR_SCAN_RESULT| Clair scan result.| |
 |IMAGES_PROCESSED| Images processed in the task.| |
+|SCAN_OUTPUT| Clair scan result.| |
 |TEST_OUTPUT| Tekton task test output.| |
 ### clamav-scan:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md
index d9c9c43432..8eb67102db 100644
--- a/pipelines/docker-build/README.md
+++ b/pipelines/docker-build/README.md
@@ -60,7 +60,7 @@
 |YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| |
 |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
 |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-### clair-scan:0.1 task parameters
+### clair-scan:0.2 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
 |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
@@ -177,8 +177,8 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |IMAGES| List of all referenced image manifests| |
-|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
-|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
+|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
+|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
 ### buildah:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
@@ -188,11 +188,11 @@
 |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
 |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
-### clair-scan:0.1 task results
+### clair-scan:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|CLAIR_SCAN_RESULT| Clair scan result.| |
 |IMAGES_PROCESSED| Images processed in the task.| |
+|SCAN_OUTPUT| Clair scan result.| |
 |TEST_OUTPUT| Tekton task test output.| |
 ### clamav-scan:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md
index 3c09a6d109..c344e468d2 100644
--- a/pipelines/java-builder/README.md
+++ b/pipelines/java-builder/README.md
@@ -32,7 +32,7 @@
 |IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
 |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |
 |TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| |
-### clair-scan:0.1 task parameters
+### clair-scan:0.2 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
 |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
@@ -162,13 +162,13 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |IMAGES| List of all referenced image manifests| |
-|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
-|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
-### clair-scan:0.1 task results
+|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
+|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
+### clair-scan:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|CLAIR_SCAN_RESULT| Clair scan result.| |
 |IMAGES_PROCESSED| Images processed in the task.| |
+|SCAN_OUTPUT| Clair scan result.| |
 |TEST_OUTPUT| Tekton task test output.| |
 ### clamav-scan:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md
index 63dc07a9fc..b0b277dda2 100644
--- a/pipelines/nodejs-builder/README.md
+++ b/pipelines/nodejs-builder/README.md
@@ -32,7 +32,7 @@
 |IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
 |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |
 |TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| |
-### clair-scan:0.1 task parameters
+### clair-scan:0.2 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
 |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
@@ -162,13 +162,13 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |IMAGES| List of all referenced image manifests| |
-|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
-|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
-### clair-scan:0.1 task results
+|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
+|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
+### clair-scan:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|CLAIR_SCAN_RESULT| Clair scan result.| |
 |IMAGES_PROCESSED| Images processed in the task.| |
+|SCAN_OUTPUT| Clair scan result.| |
 |TEST_OUTPUT| Tekton task test output.| |
 ### clamav-scan:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md
index 218dd4ce56..81fcef5d05 100644
--- a/pipelines/tekton-bundle-builder/README.md
+++ b/pipelines/tekton-bundle-builder/README.md
@@ -32,7 +32,7 @@
 |IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
 |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |
 |TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| |
-### clair-scan:0.1 task parameters
+### clair-scan:0.2 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
 |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
@@ -134,13 +134,13 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |IMAGES| List of all referenced image manifests| |
-|IMAGE_DIGEST| Digest of the image just built| clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
-|IMAGE_URL| Image repository and tag where the built image was pushed| clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
-### clair-scan:0.1 task results
+|IMAGE_DIGEST| Digest of the image just built| clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
+|IMAGE_URL| Image repository and tag where the built image was pushed| clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
+### clair-scan:0.2 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|CLAIR_SCAN_RESULT| Clair scan result.| |
 |IMAGES_PROCESSED| Images processed in the task.| |
+|SCAN_OUTPUT| Clair scan result.| |
 |TEST_OUTPUT| Tekton task test output.| |
 ### clamav-scan:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml
index 0f2b4303fb..6e8ff4d61b 100644
--- a/pipelines/template-build/template-build.yaml
+++ b/pipelines/template-build/template-build.yaml
@@ -186,7 +186,7 @@ spec: - build-image-index taskRef: name: clair-scan - version: "0.1" + version: "0.2" params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST)
diff --git a/policies/all-tasks.yaml b/policies/all-tasks.yaml
index 02db4f481a..44645c6ea7 100644
--- a/policies/all-tasks.yaml
+++ b/policies/all-tasks.yaml
@@ -16,6 +16,9 @@ sources: # Certain EC rules rely on the presence of this result when validating an image. - task: clair-scan result: CLAIR_SCAN_RESULT + version: 0.1 + - task: clair-scan + result: SCAN_OUTPUT config: include: - kind
diff --git a/task/clair-scan/0.2/MIGRATION.md b/task/clair-scan/0.2/MIGRATION.md
new file mode 100644
index 0000000000..ac8e1a0113
--- /dev/null
+++ b/task/clair-scan/0.2/MIGRATION.md
@@ -0,0 +1,10 @@
+# Migration from 0.1 to 0.2
+
+Version 0.2:
+
+This change is required for providing consistent experience for users. This originates in https://issues.redhat.com/browse/ADR-30, look there for more details.
+CLAIR_SCAN_RESULT is being renamed to SCAN_OUTPUT.
+
+## Action from users
+
+Renovate bot PR will be created with warning icon for a clair-scan which is expected, no actions from users are required.
diff --git a/task/clair-scan/0.2/README.md b/task/clair-scan/0.2/README.md
new file mode 100644
index 0000000000..2052abf59f
--- /dev/null
+++ b/task/clair-scan/0.2/README.md
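Review bot: The new `SCAN_OUTPUT` entry in policies/all-tasks.yaml has no `version`, while the existing `CLAIR_SCAN_RESULT` entry is now pinned with `version: 0.1`; if an entry without a version applies to every version of the task, pipelines still on clair-scan 0.1 would also be required to emit `SCAN_OUTPUT`, which that version does not produce. Adding `version: 0.2` to the new entry, or confirming that an unversioned entry means "all versions not otherwise listed", would make the intent explicit. The comment above the entries, `# Certain EC rules rely on the presence of this result when validating an image.`, now sits over two result names and could read `# Certain EC rules rely on one of these results (selected by task version) when validating an image.` Indentation is collapsed in this view, so the nesting of the added lines is inferred rather than verified.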
@@ -0,0 +1,32 @@
+# clair-scan task
+
+## Description:
+The clair-scan task performs vulnerability scanning using Clair, an open source tool for performing static analysis
+on container images. Clair is specifically designed for scanning container images for security issues by
+analyzing the components of a container image and comparing them against Clair's vulnerability databases.
+
+## Params:
+
+| name | description | default |
+|--------------|-----------------------------------------------------------------|-|
+| image-digest | Image digest to scan. | None |
+| image-url | Image URL. | None |
+| docker-auth | unused, should be removed in next task version | |
+| ca-trust-config-map-name|The name of the ConfigMap to read CA bundle data from.| trusted-ca |
+| ca-trust-config-map-key |The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt |
+
+## Results:
+
+| name | description |
+|-------------------|--------------------------|
+| TEST_OUTPUT | Tekton task test output. |
+| SCAN_OUTPUT | Clair scan result. |
+
+## Clair-action repository:
+https://github.com/quay/clair-action
+
+## Source repository for image:
+https://github.com/konflux-ci/konflux-test/tree/main/clair-in-ci
+
+## Additional links:
+https://quay.github.io/clair/whatis.html
diff --git a/task/clair-scan/0.2/clair-scan.yaml b/task/clair-scan/0.2/clair-scan.yaml
new file mode 100644
index 0000000000..e45ed5b2b9
--- /dev/null
+++ b/task/clair-scan/0.2/clair-scan.yaml
@@ -0,0 +1,220 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.2" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "konflux" + name: clair-scan +spec: + description: >- + Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases. + params: + - name: image-digest + description: Image digest to scan. + - name: image-url + description: Image URL. + - name: docker-auth + description: unused, should be removed in next task version. + default: "" + - name: ca-trust-config-map-name + type: string + description: The name of the ConfigMap to read CA bundle data from. + default: trusted-ca + - name: ca-trust-config-map-key + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data. + default: ca-bundle.crt + results: + - name: TEST_OUTPUT + description: Tekton task test output. + - name: SCAN_OUTPUT + description: Clair scan result. + - name: IMAGES_PROCESSED + description: Images processed in the task. + stepTemplate: + volumeMounts: + - name: trusted-ca + mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + subPath: ca-bundle.crt + readOnly: true + steps: + - name: get-image-manifests + image: quay.io/redhat-appstudio/konflux-test:v1.4.5@sha256:801a105ba0f9c7f58f5ba5cde1a3b4404009fbebb1028779ca2c5de211e94940 + # the clair-in-ci image neither has skopeo or jq installed. Hence, we create an extra step to get the image manifest digests + computeResources: + limits: + memory: 512Mi + cpu: 200m + requests: + memory: 256Mi + cpu: 100m + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + securityContext: + capabilities: + add: + - SETFCAP + script: | + #!/usr/bin/env bash + set -euo pipefail + . 
/utils.sh + + imagewithouttag=$(echo -n $IMAGE_URL | sed "s/\(.*\):.*/\1/") + # strip new-line escape symbol from parameter and save it to variable + imageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST) + echo "Inspecting raw image manifest $imageanddigest." + + # Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes + image_manifests=$(get_image_manifests -i ${imageanddigest}) + if [ -n "$image_manifests" ]; then + echo "$image_manifests" | jq -r 'to_entries[] | "\(.key) \(.value)"' | while read -r arch arch_sha; do + echo "$arch_sha" > /tekton/home/image-manifest-$arch.sha + done + fi + - name: get-vulnerabilities + image: quay.io/redhat-appstudio/clair-in-ci:v1 # explicit floating tag, daily updates, per arch call this is exempt for now for use of image digest + computeResources: + limits: + memory: 4Gi + cpu: '2' + requests: + memory: 1Gi + cpu: 500m + imagePullPolicy: Always + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + script: | + #!/usr/bin/env bash + + imagewithouttag=$(echo -n $IMAGE_URL | sed "s/\(.*\):.*/\1/") + images_processed_template='{"image": {"pullspec": "'"$IMAGE_URL"'", "digests": [%s]}}' + digests_processed=() + + for sha_file in /tekton/home/image-manifest-*.sha; do + if [ -e "$sha_file" ]; then + arch_sha=$(cat "$sha_file") + arch=$(basename "$sha_file" | sed 's/image-manifest-//;s/.sha//') + arch_specific_digest="$imagewithouttag@$arch_sha" + + echo "Running clair-action on $arch image manifest." 
+ # run the scan for each image manifest in the image index + clair-action report --image-ref=$arch_specific_digest --db-path=/tmp/matcher.db --format=quay | tee /tekton/home/clair-result-$arch.json || true + + digests_processed+=("\"$arch_sha\"") + fi + done + + digests_processed_string=$(IFS=,; echo "${digests_processed[*]}") + + # add the image_index to the processed digests list and store the result in a file + images_processed=$(echo "${images_processed_template/\[%s]/[$digests_processed_string]}") + echo "$images_processed" > /tekton/home/images-processed.json + - name: conftest-vulnerabilities + image: quay.io/redhat-appstudio/konflux-test:v1.4.5@sha256:801a105ba0f9c7f58f5ba5cde1a3b4404009fbebb1028779ca2c5de211e94940 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + computeResources: + limits: + memory: 2Gi + cpu: 500m + requests: + memory: 256Mi + cpu: 100m + securityContext: + capabilities: + add: + - SETFCAP + script: | + #!/usr/bin/env bash + set -euo pipefail + . /utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + clair_result_files=$(ls /tekton/home/clair-result-*.json) + if [ -z "$clair_result_files" ]; then + echo "Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home." + fi + + missing_vulnerabilities_files="" + for file in $clair_result_files; do + file_suffix=$(basename "$file" | sed 's/clair-result-//;s/.json//') + if [ ! -s "$file" ]; then + echo "Previous step [get-vulnerabilities] failed: $file is empty." + else + /usr/bin/conftest test --no-fail $file \ + --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \ + --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true + fi + + #check for missing "clair-vulnerabilities-/image-index" file and create a string + if [ ! 
-f "/tekton/home/clair-vulnerabilities-$file_suffix.json" ]; then + missing_vulnerabilities_files+="${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json" + fi + done + + if [ -n "$missing_vulnerabilities_files" ]; then + note="Task $(context.task.name) failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log." + TEST_OUTPUT=$(make_result_json -r "ERROR" -t "$note") + echo "$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log." + echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) + exit 0 + fi + + scan_result='{"vulnerabilities":{"critical":0, "high":0, "medium":0, "low":0, "unknown":0}, "unpatched_vulnerabilities":{"critical":0, "high":0, "medium":0, "low":0, "unknown":0}}' + for file in /tekton/home/clair-vulnerabilities-*.json; do + result=$(jq -rce \ + '{ + vulnerabilities:{ + critical: (.[] | .warnings? // [] | map(select(.metadata.details.name=="clair_critical_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + high: (.[] | .warnings? // [] | map(select(.metadata.details.name=="clair_high_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + medium: (.[] | .warnings? // [] | map(select(.metadata.details.name=="clair_medium_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + low: (.[] | .warnings? // [] | map(select(.metadata.details.name=="clair_low_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name=="clair_unknown_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0) + }, + unpatched_vulnerabilities:{ + critical: (.[] | .warnings? // [] | map(select(.metadata.details.name=="clair_unpatched_critical_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + high: (.[] | .warnings? 
// [] | map(select(.metadata.details.name=="clair_unpatched_high_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + medium: (.[] | .warnings? // [] | map(select(.metadata.details.name=="clair_unpatched_medium_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + low: (.[] | .warnings? // [] | map(select(.metadata.details.name=="clair_unpatched_low_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0), + unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name=="clair_unpatched_unknown_vulnerabilities").metadata."vulnerabilities_number" // 0)| add // 0) + } + }' "$file") + + scan_result=$(jq -s -rce \ + '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical | + .[0].vulnerabilities.high += .[1].vulnerabilities.high | + .[0].vulnerabilities.medium += .[1].vulnerabilities.medium | + .[0].vulnerabilities.low += .[1].vulnerabilities.low | + .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown | + .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical | + .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high | + .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium | + .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low | + .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown | + .[0]' <<<"$scan_result $result") + done + + echo "$scan_result" | tee "$(results.SCAN_OUTPUT.path)" + + cat /tekton/home/images-processed.json | tee $(results.IMAGES_PROCESSED.path) + + note="Task $(context.task.name) completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair." 
+ TEST_OUTPUT=$(make_result_json -r "SUCCESS" -t "$note") + echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) + volumes: + - name: trusted-ca + configMap: + name: $(params.ca-trust-config-map-name) + items: + - key: $(params.ca-trust-config-map-key) + path: ca-bundle.crt + optional: true
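Review bot: In the `conftest-vulnerabilities` step, `clair_result_files=$(ls /tekton/home/clair-result-*.json)` runs under `set -euo pipefail`, so when no result file exists the unexpanded glob makes `ls` fail and the script leaves through the EXIT trap before the `No clair-result files found` branch is reached; that branch is dead, and even if it ran it only echoes and falls through to the aggregation loop. Tolerating the `ls` failure and ending the branch with an ERROR result, as the `missing_vulnerabilities_files` branch further down already does, records the cause in TEST_OUTPUT instead of a generic trap message. Separately, `imagewithouttag=$(echo -n $IMAGE_URL | sed "s/\(.*\):.*/\1/")` in both scanning steps removes everything after the last colon, which would also strip a registry port from an untagged pullspec, if such inputs can reach this task. The `get-vulnerabilities` script is also the only one of the three without `set -euo pipefail`; if that is deliberate because `clair-action` failures are tolerated with `|| true`, a one-line comment saying so would help the next maintainer.
```yaml
          clair_result_files=$(ls /tekton/home/clair-result-*.json 2>/dev/null || true)
          if [ -z "$clair_result_files" ]; then
            note="Task $(context.task.name) failed: No clair-result files found in /tekton/home. For details, check Tekton task log."
            TEST_OUTPUT=$(make_result_json -r "ERROR" -t "$note")
            echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
            exit 0
          fi
          # … unchanged: per-file conftest loop, missing-file check and result aggregation …
```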