4 changes: 2 additions & 2 deletions src/acrcssc/azext_acrcssc/helper/_workflow_status.py
Expand Up @@ -128,14 +128,14 @@ def _get_image_from_tasklog(logs):
original_tag = match.group(2)
return f"{repository}:{original_tag}"

match = re.search(r'Scanning image for vulnerability and patch (\S+) for tag (\S+)', logs)
match = re.search(r'Scanning image for vulnerability(?: and patch)? (\S+) for tag (\S+)', logs)
if match:
patched_image = match.group(1)
original_tag = match.group(2)
repository = patched_image.split(':')[0]
return f"{repository}:{original_tag}"

match = re.search(r'Scan, Upload scan report and Schedule Patch for (\S+)', logs)
match = re.search(r'Patching OS vulnerabilities for image (\S+)', logs)
if match:
return match.group(1)
return None
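Review bot: The `Patching OS vulnerabilities for image (\S+)` branch returns `match.group(1)` as the whole image reference, while the branch above rebuilds `repository:original_tag` from two groups; that only stays consistent if the patch task's echo prints exactly `repository:tag` with nothing appended, and the rendered view does not mark which line of each `match = re.search(...)` pair is the new one, so I am reading the `(?: and patch)?` form and the `Patching OS vulnerabilities` form as the new side. These patterns are a contract with the `print-inputs` echo lines in `templates/task/cssc_scan_image.yaml` and `templates/task/cssc_patch_image.yaml`, and nothing in the function says so. A comment above the first `re.search` such as `# Keep these patterns in sync with the print-inputs echo lines in templates/task/cssc_scan_image.yaml and cssc_patch_image.yaml; the optional "and patch" keeps logs written by the older scan template parseable.` would spare the next editor a silent status-reporting break. `_get_image_from_tasklog` starts before the hunk.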
33 changes: 9 additions & 24 deletions src/acrcssc/azext_acrcssc/templates/task/cssc_patch_image.yaml
Expand Up @@ -4,24 +4,24 @@ alias:
ScanReport : os-vulnerability-report_trivy_{{ regexReplaceAll "[^a-zA-Z0-9]" .Values.SOURCE_REPOSITORY "-" }}_{{.Values.SOURCE_IMAGE_TAG}}_$(date "+%Y-%m-%d").json
cssc : mcr.microsoft.com/acr/cssc:0995fb8
steps:
- id: print-inputs
cmd: |
bash -c 'echo "Patching OS vulnerabilities for image {{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}}"'
bash -c 'echo "Patching repo: {{.Values.SOURCE_REPOSITORY}}, Tag:{{.Values.SOURCE_IMAGE_TAG}}, NewPatchTag:{{.Values.SOURCE_IMAGE_NEWPATCH_TAG}}"'

# Step 1: Check if new patch tag is greate than 999 by extracting the digits after the last hyphen
- id: check-patch-tag
cmd: |
bash -c 'echo "New Patch tag is {{.Values.SOURCE_IMAGE_NEWPATCH_TAG}}"
if [ "{{.Values.SOURCE_IMAGE_NEWPATCH_TAG}}" != "patched" ] && [ {{.Values.SOURCE_IMAGE_NEWPATCH_TAG}} -gt 999 ]; then
echo "New Patch tag is greater than 999. No more than 1000 patches can be created for a tag. Exiting the patching workflow."
exit 1
fi'
# Step 2: Perform the vulnerability scan
- id: print-inputs
cmd: |
bash -c 'echo "Scan, Upload scan report and Schedule Patch for {{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}}"'

- id: setup-data-dir
cmd: bash mkdir ./data
- id: generate-trivy-report
retries: 3
retryDelay: 3
retryDelay: 5
timeout: 1800
cmd: |
cssc trivy image \
Expand All @@ -34,30 +34,16 @@ steps:
--db-repository "ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db" \
--output /workspace/data/$ScanReport

# Step 3: Attach the vulnerability scan report to the image
- id: upload-trivy-report
cmd: |
cssc oras attach \
--artifact-type vulnerabilityScan/report \
{{.Run.Registry}}/{{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}} \
./data/$ScanReport

- cmd: bash echo "Uploaded vulnerability report $ScanReport to the image {{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}}"

- id: buildkitd
cmd: moby/buildkit --addr tcp://0.0.0.0:8888
entrypoint: buildkitd
detach: true
privileged: true
ports: ["127.0.0.1:8888:8888/tcp"]

- id: list-output-file
cmd: bash ls -l /workspace/data

# Step 4: Patch the image with Copacetic

- id: patch-image
retries: 3
retryDelay: 3
retryDelay: 5
timeout: 1800
cmd: |
cssc copa patch \
Expand All @@ -70,8 +56,7 @@ steps:

- id: push-image
retries: 3
retryDelay: 3
retryDelay: 5
timeout: 1800
cmd: docker push {{.Run.Registry}}/{{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}}-{{.Values.SOURCE_IMAGE_NEWPATCH_TAG}}

- cmd: bash echo "Patched image pushed to {{.Run.Registry}}/{{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}}-{{.Values.SOURCE_IMAGE_NEWPATCH_TAG}}"
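Review bot: In the `check-patch-tag` step, `[ {{.Values.SOURCE_IMAGE_NEWPATCH_TAG}} -gt 999 ]` interpolates the tag unquoted and unvalidated: an empty value becomes `[ -gt 999 ]` and a non-integer one makes `test` print an error, and in both cases the `&&` chain evaluates false, so the step passes instead of failing the workflow. The rendered view does not mark which side that step is on, so it may predate this commit, but it is the gate sitting between the hunk's `print-inputs` and `retryDelay` edits and is worth fixing here. The step's comment also says the digits are extracted after the last hyphen, yet the value is compared as-is, so either the comment or the logic is stale. The rewrite below quotes the value once, lets `patched` through and fails explicitly on anything that is not a plain integer; if non-integer tags are legitimate, make that branch fall through instead of `exit 1`. Separately, if the `upload-trivy-report` (`oras attach`) step is being removed from this task, confirm the report written by `generate-trivy-report` is still attached or retained elsewhere, since nothing in the hunk replaces it.
```yaml
  - id: check-patch-tag
    cmd: |
      bash -c 'tag="{{.Values.SOURCE_IMAGE_NEWPATCH_TAG}}"
      echo "New Patch tag is $tag"
      case "$tag" in
        patched) ;;
        ""|*[!0-9]*)
          echo "New Patch tag must be patched or an integer, got: $tag"; exit 1 ;;
        *)
          if [ "$tag" -gt 999 ]; then
            echo "New Patch tag is greater than 999. No more than 1000 patches can be created for a tag. Exiting the patching workflow."
            exit 1
          fi ;;
      esac'
# … unchanged: setup-data-dir, generate-trivy-report and the following steps …
```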
4 changes: 2 additions & 2 deletions src/acrcssc/azext_acrcssc/templates/task/cssc_scan_image.yaml
Expand Up @@ -7,14 +7,14 @@ alias:
steps:
- id: print-inputs
cmd: |
bash -c 'echo "Scanning image for vulnerability and patch {{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}} for tag {{.Values.SOURCE_IMAGE_ORIGINAL_TAG}}"'
bash -c 'echo "Scanning image for vulnerability {{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}} for tag {{.Values.SOURCE_IMAGE_ORIGINAL_TAG}}"'
bash -c 'echo "Scanning repo: {{.Values.SOURCE_REPOSITORY}}, Tag:{{.Values.SOURCE_IMAGE_TAG}}, OriginalTag:{{.Values.SOURCE_IMAGE_ORIGINAL_TAG}}"'
- id: setup-data-dir
cmd: bash mkdir ./data

- id: generate-trivy-report
retries: 3
retryDelay: 3
retryDelay: 5
timeout: 1800
cmd: |
cssc trivy image \
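Review bot: The reworded `Scanning image for vulnerability ... for tag ...` echo in `print-inputs` is not just a log line — `_get_image_from_tasklog` in `helper/_workflow_status.py` recovers the repository and original tag from it with a regex, so a future wording tweak here would silently break workflow status reporting without any test noticing. Add a comment above the step, e.g. `# The first echo is parsed by helper/_workflow_status.py (_get_image_from_tasklog); keep its wording in sync with the regex there.` The `retryDelay` change in the same section is trivial and needs no note.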