From 48b9d8ca76dcea956b23221632a8995d37e8c7f9 Mon Sep 17 00:00:00 2001 From: jperezde Date: Sun, 15 Sep 2024 17:28:24 +0200 Subject: [PATCH] sast: initial task for Coverity Buildless Solves: https://issues.redhat.com/browse/OSH-740 Initial version of the Coverity Buildless task. The code will be scanned using coverity buildless mode, then the results are processuing using csgrep and the results are later filtered using csfilter-kfp. --- .../0.1/README.md | 43 ++++ .../0.1/sast-coverity-buildless-check.yaml | 190 ++++++++++++++++++ task/sast-coverity-buildless-check/OWNERS | 5 + 3 files changed, 238 insertions(+) create mode 100644 task/sast-coverity-buildless-check/0.1/README.md create mode 100644 task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml create mode 100644 task/sast-coverity-buildless-check/OWNERS diff --git a/task/sast-coverity-buildless-check/0.1/README.md b/task/sast-coverity-buildless-check/0.1/README.md new file mode 100644 index 0000000000..0112bb7329 --- /dev/null +++ b/task/sast-coverity-buildless-check/0.1/README.md @@ -0,0 +1,43 @@ +# sast-coverity-buildless-check task + +## Description: + +The sast-coverity-buildless-check task uses Coverity tool to perform Static Application Security Testing (SAST). In this task, we use the buildless mode, where Coverity has the ability to capture source code without the need of building the product. + +The documentation for this mode can be found here: https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html + +The characteristics of these tasks are: + +- Perform buildless scanning with Coverity +- The whole source code is scanned (by scanning `$(workspaces.source.path)` ) +- Only important findings are reported by default. A parameter ( `SEVERITY_THRESHOLD`) is provided to override this configuration. +- The csdiff/v1 SARIF fingerprints are provided for all findings +- [Known false positives](https://gitlab.cee.redhat.com/osh/known-false-positives/) are eliminated by default. A parameter ( `KFP_GIT_URL`) is provided to disable this feature or to configure a custom known false positives repository. + +> NOTE: This task is executed only if there is a Coverity license set up in the environment. This license should not be known by users. + +## Params: + +| name | description | +|-------------|-------------------------------------------| +| COV_CAPTURE_ARGS | Append arguments to the Coverity Capture CLI command | +| COV_LICENSE | Name of secret which contains the Coverity license | +| SEVERITY_THRESHOLD | Report only vulnerabilities at the specified level or higher. Default is --imp-level=1 | +| KFP_GIT_URL | URL from repository to download known false positives files | + +## Results: + +| name | description | +|-----------------------|--------------------------| +| TEST_OUTPUT | Tekton task test output. | + +## Source repository for image: + +// TODO: Add reference to private repo for the container image once the task is migrated to repo + + +## Additional links: + +* https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html +* https://scan.coverity.com/ +* https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/cli/topics/options_reference.html diff --git a/task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml b/task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml new file mode 100644 index 0000000000..8cf0dd01f2 --- /dev/null +++ b/task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml @@ -0,0 +1,190 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "konflux" + name: sast-coverity-buildless-check +spec: + description: >- + Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Coverity. This scan uses the captureless mode doesn't build the project in order to analyze it. + results: + - description: Tekton task test output. + name: TEST_OUTPUT + params: + - description: Image URL. + name: image-url + type: string + # In a future 0.2 version of the task, drop the default to make this required + default: "" + - description: Image digest to report findings for. + name: image-digest + type: string + # In a future 0.2 version of the task, drop the default to make this required + default: "" + - description: Arguments to be appended to the coverity capture command + name: COV_CAPTURE_ARGS + type: string + default: "" + - name: COV_LICENSE + description: Name of secret which contains the Coverity license + default: cov-license + - name: SEVERITY_THRESHOLD + type: string + description: Report only vulnerabilities at the specified level or higher. Default is --imp-level=1 + default: "--imp-level=1" + - name: KFP_GIT_URL + type: string + description: URL from repository to download known false positives files + default: "https://gitlab.cee.redhat.com/osh/known-false-positives.git" + volumes: + - name: cov-license + secret: + secretName: $(params.COV_LICENSE) + optional: false + steps: + - name: sast-coverity-buildless-check + # TODO: Change image + image: quay.io/redhat-user-workloads/sast-tenant/sast-scanner/coverity@sha256:ce98d4a80a2b77cd1b51fb11d563515226331fdf9521daa1b82da5b0a99e8d22 + computeResources: + requests: + memory: "16Gi" + cpu: "8" + limits: + memory: "32Gi" + cpu: "16" + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) + volumeMounts: + - name: cov-license + mountPath: "/etc/secrets" + readOnly: true + env: + - name: COV_CAPTURE_ARGS + value: $(params.COV_CAPTURE_ARGS) + - name: KFP_GIT_URL + value: $(params.KFP_GIT_URL) + - name: SEVERITY_THRESHOLD + value: $(params.SEVERITY_THRESHOLD) + script: | + #!/usr/bin/env bash + set -eo pipefail + . /usr/local/share/konflux-test/utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + echo 'Starting Coverity buildless scan' + SOURCE_CODE_DIR=$(workspaces.workspace.path) + COVERITY_DIR=/tmp/cov-scan/cov + COVERITY_RESULTS_FILE=coverity-buildless-results.js + COV_LICENSE_PATH=/etc/secrets/cov-license + # Installing Coverity licen + cp /etc/secrets/cov-license /opt/coverity/bin/license.dat + # Install dependencies + dnf copr enable copr.devel.redhat.com/@osh/csdiff -y + dnf install -y csdiff + if test -z "$(find /opt -name 'license.dat')"; then + echo "No license file for Coverity was detected. Exiting..." + exit 1 + fi + + # Installation of Red Hat certificates for cloning Red Hat internal repositories + curl -sS https://certs.corp.redhat.com/certs/2015-IT-Root-CA.pem > /etc/pki/ca-trust/source/anchors/2015-RH-IT-Root-CA.crt + curl -sS https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem > /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem + update-ca-trust + + # Create configuration file for coverity buildless + echo -e 'capture:\n build-command-inference: false' > $SOURCE_CODE_DIR/coverity.yml + + # Captureless scan + env COV_HOST=konflux HOME=/tmp/cov-scan/home /opt/coverity/bin/coverity capture $COV_CAPTURE_ARGS --project-dir $SOURCE_CODE_DIR --dir $COVERITY_DIR + COV_CAPTURE_EXIT_CODE=$? + + if [[ "$COV_CAPTURE_EXIT_CODE" -eq 0 ]]; then + echo "Coverity capture scan finished succesfully" + else + echo "Coverity capture command failed. Exiting..." + exit 1 + fi + + # Analysis phase + /opt/coverity/bin/cov-manage-emit --dir $COVERITY_DIR reset-host-name + /opt/coverity/bin/cov-analyze $COV_ANALYZE_ARGS --dir=$COVERITY_DIR --enable HARDCODED_CREDENTIALS --security --concurrency --include-java --spotbugs-max-mem=4096 + COV_ANALYZE_EXIT_CODE=$? + + if [[ "$COV_ANALYZE_EXIT_CODE" -eq 0 ]]; then + echo "Coverity analyze scan finished successfully" + else + echo "Coverity analyze scan failed. Exiting..." + exit 1 + fi + + /opt/coverity/bin/cov-format-errors --dir=$COVERITY_DIR --json-output-v10 $COVERITY_RESULTS_FILE + # We parse the results, embed context, remove duplicates and store them in SARIF format. + csgrep --mode=json --prepend-path-prefix=$SOURCE_CODE_DIR/ $COVERITY_RESULTS_FILE | csgrep --mode=json $SEVERITY_THRESHOLD --remove-duplicates --embed-context 3 | csgrep --mode=json --strip-path-prefix="$SOURCE_CODE_DIR"/source/ > sast_coverity_buildless_check_all_findings.json + + echo "Results:" + set -x + csgrep --mode=evtstat sast_coverity_buildless_check_all_findings.json + set +x + + # We check if the KFP_GIT_URL variable is set to apply the filters or not + if [[ -z "${KFP_GIT_URL}" ]]; then + mv sast_coverity_buildless_check_all_findings.json filtered_sast_coverity_buildless_check_all_findings.json + else + echo "Filtering false positives in results files using csfilter-kfp..." + csfilter-kfp --verbose --kfp-git-url=$KFP_GIT_URL sast_coverity_buildless_check_all_findings.json > filtered_sast_coverity_buildless_check_all_findings.json + echo "Results after filtering:" + set -x + csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json + set +x + fi + + csgrep --mode=sarif filtered_sast_coverity_buildless_check_all_findings.json > $(workspaces.workspace.path)/hacbs/$(context.task.name)/coverity-buildless-results.sarif + + if [[ -z "$(csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json)" ]]; then + note="Task $(context.task.name) success: No finding was detected" + ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note") + else + TEST_OUTPUT= + parse_test_output $(context.task.name) sarif $(workspaces.workspace.path)/hacbs/$(context.task.name)/coverity-buildless-results.sarif || true + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + fi + + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) + + - name: upload + image: quay.io/konflux-ci/oras:latest@sha256:99737f436051e6d3866eb8a8706463c35abf72c87f05090ff42ff642f6729661 + workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + script: | + #!/usr/bin/env bash + + UPLOAD_FILE=coverity-buildless-results.sarif + MEDIA_TYPE=application/sarif+json + + if [ -z "${IMAGE_URL}" ] || [ -z "${IMAGE_DIGEST}" ]; then + echo 'No image-url or image-digest param provided. Skipping upload.' + exit 0; + fi + + if [ ! -f "${UPLOAD_FILE}" ]; then + echo "No ${UPLOAD_FILE} exists. Skipping upload." + exit 0; + fi + + echo "Selecting auth" + select-oci-auth $IMAGE_URL > $HOME/auth.json + echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers API" + oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-api --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers Tag" + oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-tag --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + workspaces: + - name: workspace diff --git a/task/sast-coverity-buildless-check/OWNERS b/task/sast-coverity-buildless-check/OWNERS new file mode 100644 index 0000000000..27203edec2 --- /dev/null +++ b/task/sast-coverity-buildless-check/OWNERS @@ -0,0 +1,5 @@ +# See the OWNERS docs: https://go.k8s.io/owners +approvers: + - integration-team +reviewers: + - integration-team