From 415279f31194fcbc6cebe2e0a36c6ced59e6a271 Mon Sep 17 00:00:00 2001
From: Luiz Carvalho
Date: Tue, 14 May 2024 16:23:07 -0400
Subject: [PATCH] Implement the sast-snyk-check-oci-ta Task
Ref: EC-553
Co-authored-by: Zoran Regvart
Signed-off-by: Luiz Carvalho
---
task/sast-snyk-check-oci-ta/0.1/README.md | 43 +++++++------------
.../0.1/sast-snyk-check-oci-ta.yaml | 43 +++++++++++++++----
2 files changed, 49 insertions(+), 37 deletions(-)
diff --git a/task/sast-snyk-check-oci-ta/0.1/README.md b/task/sast-snyk-check-oci-ta/0.1/README.md
index bb189328c2..227286f85c 100644
--- a/task/sast-snyk-check-oci-ta/0.1/README.md
+++ b/task/sast-snyk-check-oci-ta/0.1/README.md
@@ -1,35 +1,22 @@ -# sast-snyk-check task +# sast-snyk-check-oci-ta task -## Description: +Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool. -The sast-snyk-check task uses Snyk Code tool to perform Static Application Security Testing (SAST) for Snyk, a popular cloud-native application security platform. +Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) to obtain a snyk-token and to enable the snyk task in a Pipeline. -Snyk's SAST tool uses a combination of static analysis and machine learning techniques to scan an application's source code for potential security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks. +The snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test -> NOTE: This task is executed only if the user provides a Snyk token stored in a secret in their namespace. The name of the secret then needs to be supplied in the `snyk-secret` pipeline parameter. +See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool. -## Params: +## Parameters +|name|description|default value|required| +|---|---|---|---| +|SOURCE_ARTIFACT|The trusted artifact URI containing the application source code.||true| +|SNYK_SECRET|Name of secret which contains Snyk token.|snyk-secret|false| +|ARGS|Append arguments.|--all-projects --exclude=test*,vendor,deps|false| -| name | description | -|-------------|-------------------------------------------| -| SNYK_SECRET | Name of secret which contains Snyk token. | -| ARGS | Append arguments. 
| +## Results +|name|description| +|---|---| +|TEST_OUTPUT|Tekton task test output.| -## How to obtain a snyk-token and enable snyk task on the pipeline: - -Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) - -## Results: - -| name | description | -|-----------------------|--------------------------| -| TEST_OUTPUT | Tekton task test output. | - -## Source repository for image: - -https://github.com/konflux-ci/konflux-test - -## Additional links: - -* https://snyk.io/product/snyk-code/ -* https://snyk.io/
diff --git a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml
index 08b2b68044..7da4636038 100644
--- a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml
+++ b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: tekton.dev/v1
 kind: Task
 metadata:
@@ -6,14 +7,32 @@ metadata: annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "appstudio, hacbs" - name: sast-snyk-check + name: sast-snyk-check-oci-ta spec: description: >- - Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool. + Scans source code for security vulnerabilities, including common issues such as SQL injection, + cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application + Security Testing (SAST) tool. + + + Follow the steps given + [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) + to obtain a snyk-token and to enable the snyk task in a Pipeline. + + + The snyk binary used in this Task comes from a container image defined in + https://github.com/konflux-ci/konflux-test + + + See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk + tool. results: - description: Tekton task test output. name: TEST_OUTPUT params: + - name: SOURCE_ARTIFACT + type: string + description: The trusted artifact URI containing the application source code. - name: SNYK_SECRET description: Name of secret which contains Snyk token. default: snyk-secret 
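Review bot: The new `SOURCE_ARTIFACT` param declares `type: string` explicitly while the neighbouring `SNYK_SECRET` entry in the same `params` list (and, presumably, `ARGS` further down) does not; Tekton defaults to string either way, so this is purely a style inconsistency, but the list reads better if all entries follow one convention. I would either drop the `type: string` line from `SOURCE_ARTIFACT` or add it to the siblings. Since this param has no default and the task cannot run without it, a note in its description that the value is a trusted-artifact reference produced by an earlier task would also help readers of the rendered README. The `params` list continues past the end of the hunk.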
@@ -26,13 +45,21 @@ spec: secret: secretName: $(params.SNYK_SECRET) optional: true + - name: workdir + emptyDir: {} + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source - name: sast-snyk-check image: quay.io/redhat-appstudio/konflux-test:v1.4.0@sha256:54d49b37c9a2e280d42961a57e4f7a16c171d6b065559f1329b548db85300bea - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) + workingDir: /var/workdir/source volumeMounts: - name: snyk-secret mountPath: "/etc/secrets"
@@ -63,7 +90,7 @@ spec: fi SNYK_EXIT_CODE=0 - SOURCE_CODE_DIR=$(workspaces.workspace.path)/source + SOURCE_CODE_DIR=/var/workdir/source snyk code test $ARGS $SOURCE_CODE_DIR --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$? test_not_skipped=0 SKIP_MSG="We found 0 supported files"
@@ -85,5 +112,3 @@ spec: ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") fi echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) - workspaces: - - name: workspace
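Review bot: The comment explaining why image references are pinned by `@sha256` digest is deleted in the first hunk at the same time a second digest-pinned image (`build-trusted-artifacts:latest@sha256:…`) is introduced, so the rationale now lives nowhere in the file; the digest is what the cluster actually resolves and the `latest` tag is only a cue for update automation, which is worth one line above the new `use-trusted-artifact` step, e.g. `# image is pinned by digest; the tag only cues automation to propose digest bumps`. Separately, the literal `/var/workdir/source` now appears three times: in the `use` argument, in `workingDir`, and as `SOURCE_CODE_DIR` in the `-63,7 +90,7` hunk, so a future relocation of the extracted source has three places to miss. Because the step's `workingDir` already is that path, the script line could read `SOURCE_CODE_DIR="$PWD"` and the literal would remain in one place. The `steps` list and the shell script both continue outside these hunks.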