KAFKA-19881: change CVE scanner workflow to run on active branches (wip) #20927
FrankYang0529 wants to merge 1 commit into apache:trunk from
This PR is being marked as stale since it has not had any activity in 90 days. If you are having difficulty finding a reviewer, please reach out on the [mailing list](https://kafka.apache.org/contact). If this PR is no longer valid or desired, please feel free to close it. If no activity occurs in the next 30 days, it will be automatically closed.

This PR has been closed since it has not had any activity in 120 days. If you feel like this
force-pushed from 2b96386 to 5f61931
force-pushed from c1dcebf to 7a058a0
Signed-off-by: PoAn Yang <payang@apache.org>
force-pushed from 7a058a0 to 4bda99a

Sample run: https://github.com/apache/kafka/actions/runs/23897721438/job/69686380260?pr=20927
The CI failure is not an error. It's Trivy finding the CVE.
mimaison left a comment:
I left a couple of comments but to be honest I'm not sure what we should do.
I think there's some value in scanning the latest images too. So, for example, if you are using the recently released 4.1.2 image, you know if there's a CVE in it. Scanning the current branch is helpful when doing a release.
| working-directory: ./docker | ||
| run: | | ||
| python docker_build_test.py kafka/branch-scan -tag=test -type=native --kafka-archive=../${{ steps.tarball.outputs.path }} -b | ||
| - name: Install Trivy |
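Review bot: the `Install Trivy` step at the end of this hunk fetches the scanner onto the runner at job time instead of declaring it as a reviewed dependency; prefer the official Trivy GitHub action pinned to a full commit SHA (not a floating tag), so the scanner version is visible in the workflow file and a changed or compromised download cannot silently alter what the scan reports.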
I'm not sure we're allowed to install Trivy like this. We should probably use the action directly.

Create another PR to fix this in all workflows.
| - name: Build Docker image from current branch | ||
| working-directory: ./docker | ||
| run: | | ||
| python docker_build_test.py kafka/branch-scan -tag=test -type=native --kafka-archive=../${{ steps.tarball.outputs.path }} -b |
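Review bot: `--kafka-archive=../${{ steps.tarball.outputs.path }}` assumes the `tarball` step always sets its `path` output; if that output is empty the argument silently becomes `--kafka-archive=../` and the failure surfaces later inside `docker_build_test.py` rather than at the step that owns it. Guard it with something like `test -n "${{ steps.tarball.outputs.path }}"` before the build command. Also, `-type=native` builds the image the project documents as not for production use, so the jvm image is the one whose CVE findings matter for a release.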
Since our native images are not for production usage [0], maybe scan the jvm image.
0: https://kafka.apache.org/42/getting-started/docker/#graalvm-based-native-apache-kafka-docker-image
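What the review threads above converge on, as an added example and not the workflow from this PR or Kafka's own file: a job that builds the jvm image from each active branch and scans it with the official Trivy action pinned to a commit SHA instead of an ad hoc install. The build command and the `kafka/branch-scan:test` image name come from the PR; the branch list, schedule, the tarball build step and its output layout, `-type=jvm` support in `docker_build_test.py`, and every `<full-commit-sha>` placeholder are assumptions.

```yaml
# Added example; not the workflow file from this PR.
name: Branch CVE scan

on:
  schedule:
    - cron: "0 3 * * *"          # daily run; assumed schedule
  workflow_dispatch:

permissions:
  contents: read                 # the job only reads the repository

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false           # one branch's findings must not hide another's
      matrix:
        branch: ["trunk", "4.1"] # assumed list of active branches
    steps:
      - uses: actions/checkout@<full-commit-sha>   # placeholder: pin to a full SHA, not a tag
        with:
          ref: ${{ matrix.branch }}

      - uses: actions/setup-java@<full-commit-sha> # placeholder: pin to a full SHA
        with:
          distribution: temurin
          java-version: "17"

      # Assumed build step: produces the release tarball and exposes its
      # repo-relative path as the `path` output the docker step consumes.
      # The distributions directory also holds the site-docs tarball, so it is
      # filtered out (assumed layout).
      - name: Build release tarball
        id: tarball
        run: |
          ./gradlew clean releaseTarGz
          archive=$(ls core/build/distributions/kafka_*.tgz | grep -v site-docs | head -n 1)
          test -n "$archive"     # fail here, not later inside the docker script
          echo "path=$archive" >> "$GITHUB_OUTPUT"

      # Build command taken from the PR, switched to the jvm image as the review
      # suggests (assumption: docker_build_test.py accepts -type=jvm).
      - name: Build Docker image from current branch
        working-directory: ./docker
        run: |
          test -n "${{ steps.tarball.outputs.path }}"
          python docker_build_test.py kafka/branch-scan -tag=test -type=jvm --kafka-archive=../${{ steps.tarball.outputs.path }} -b

      # Replaces an ad hoc "Install Trivy" step with the official action.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@<full-commit-sha>   # placeholder: pin to a full SHA
        with:
          scan-type: image
          image-ref: kafka/branch-scan:test
          format: table
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # only report findings the branch can actually fix
          exit-code: "1"         # fail the job when matching findings exist
```

`ignore-unfixed` keeps the job focused on what a branch can act on, which is the point of scanning active branches rather than an immutable released image; pinning both the checkout and the scanner to full commit SHAs means the scan result depends only on code that was reviewed into the workflow.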
@FrankYang0529 would you mind testing apache/infrastructure-actions#582? It works for another project: apache/pulsar#25480

ugh, you have opened #22024 :)

Change CVE scanner workflow to run on active branches. A released image
cannot be replaced, so it doesn't make sense to run CVE scanning on it. We should
run on active branches to find CVEs and fix them.

Reviewers: Mickael Maison <mimaison@users.noreply.github.com>