Merged
72 changes: 0 additions & 72 deletions .github/workflows/codeql-analysis.yml

This file was deleted.

17 changes: 9 additions & 8 deletions .github/workflows/tests.yaml
Expand Up @@ -27,13 +27,22 @@ jobs:
distribution: 'temurin'
java-version: '8'
cache: 'maven'

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: java, javascript

- name: Build with Maven
run: cd stackrox-container-image-scanner && ./mvnw -B verify package hpi:hpi cyclonedx:makeAggregateBom
- uses: actions/upload-artifact@v3
with:
name: stackrox-container-image-scanner.hpi
path: stackrox-container-image-scanner/target/stackrox-container-image-scanner.hpi

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2

e2e:
runs-on: ubuntu-latest
needs: build
Expand Down Expand Up @@ -91,14 +100,6 @@ jobs:
./deploy/k8s/central.sh
pass=$(cat deploy/k8s/central-deploy/password)
echo "ROX_PASSWORD=$(cat deploy/k8s/central-deploy/password)" >> $GITHUB_OUTPUT
- name: Run proxy
env:
port: 8000
run: |
pid="$(lsof -n -i "tcp:${port}" | grep kubectl | awk '{print $2}' | uniq)"
[[ -n "${pid}" ]] || { einfo "No kubectl port-forward is running on port ${port}."; exit 0; }
kill "${pid}" || die "Kill failed"
kubectl port-forward -n 'stackrox' svc/central "8000:443" --address='0.0.0.0' &
- name: Wait for API
run: |
cd stackrox
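Review bot: The `Perform CodeQL Analysis` step added to the `build` job uploads results to code scanning, which needs `security-events: write` on the job token, and no `permissions:` block is visible in this hunk. Confirm the job declares it explicitly (`permissions:` with `contents: read` and `security-events: write`) rather than relying on the repository default, which may be read-only or differ for fork pull requests. The deleted `codeql-analysis.yml` is not shown on this page; if it carried a `schedule:` trigger, that periodic scan is lost unless `tests.yaml` gains one. The new steps also reference `github/codeql-action/init@v2` and `github/codeql-action/analyze@v2` by mutable tag, so pinning them to a full commit SHA would keep the scanner from changing underneath the workflow. The `build` job begins above the hunk.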
Expand Up @@ -20,9 +20,14 @@ import spock.lang.Unroll
class ImageScanningTest extends BaseSpecification {

protected static final String CENTRAL_URI = Config.centralUri
protected static final String QUAY_REPO = "quay.io/openshifttest/"

@Unroll
def "image scanning test with toggle enforcement(#imageName, #policyName, #enforcements, #endStatus)"() {
given:
updatePolicy("Fixable CVSS >= 7", "latest", [])
updatePolicy("Fixable Severity at least Important", "latest", [])

when:
StoragePolicy enforcementPolicy = updatePolicy(policyName, "latest", enforcements)

Expand All @@ -39,9 +44,9 @@ class ImageScanningTest extends BaseSpecification {

where:
"data inputs are: "
imageName | policyName | enforcements | endStatus
"nginx:latest" | "Latest tag" | [] | SUCCESS
"nginx:latest" | "Latest tag" | [FAIL_BUILD_ENFORCEMENT] | FAILURE
imageName | policyName | enforcements | endStatus
"nginx-alpine:latest" | "Latest tag" | [] | SUCCESS
"nginx-alpine:latest" | "Latest tag" | [FAIL_BUILD_ENFORCEMENT] | FAILURE
}

@Unroll
Expand All @@ -63,9 +68,9 @@ class ImageScanningTest extends BaseSpecification {

where:
"data inputs are: "
imageName | policyName | tag
"jenkins/jenkins:2.77" | "Fixable CVSS >= 7" | "2.77"
"nginx:latest" | "Latest tag" | "latest"
imageName | policyName | tag
"nginx-alpine:1.2.1" | "Fixable CVSS >= 7" | "1.2.1"
"nginx-alpine:latest" | "Latest tag" | "latest"
}

@Unroll
Expand All @@ -79,14 +84,14 @@ class ImageScanningTest extends BaseSpecification {

where:
"data inputs are: "
imageName | failOnCriticalPluginError | endStatus
"postgres:latest" | true | SUCCESS
"mis-spelled:lts" | true | FAILURE
"mis-spelled:lts" | false | SUCCESS
imageName | failOnCriticalPluginError | endStatus
"nginx-alpine:latest" | true | SUCCESS
"mis-spelled:lts" | true | FAILURE
"mis-spelled:lts" | false | SUCCESS
}

String getJobConfig(String imageName, Boolean policyEvalCheck, Boolean failOnCriticalPluginError) {
return createJobConfig(imageName, CENTRAL_URI, token, policyEvalCheck, failOnCriticalPluginError)
return createJobConfig(QUAY_REPO + imageName, CENTRAL_URI, token, policyEvalCheck, failOnCriticalPluginError)
}

StoragePolicy updatePolicy(String policyName, String tag, List<StorageEnforcementAction> enforcements) {
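Review bot: The two `updatePolicy(..., "latest", [])` calls added under `given:` clear enforcement on "Fixable CVSS >= 7" and "Fixable Severity at least Important" in the shared Central instance, and nothing visible restores them, so later features run against whatever state this one leaves behind. A comment such as `// clear enforcement on unrelated policies so only policyName decides endStatus` plus a `cleanup:` block would make the intent and scope explicit. Separately, `getJobConfig` now prepends `QUAY_REPO` to every image, including `"mis-spelled:lts"`, so the FAILURE row depends on that name staying absent from a registry namespace this project presumably does not control. A short comment on `QUAY_REPO` stating who owns the namespace and why it was chosen would help. The feature methods and `updatePolicy` continue outside the visible hunks.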
Expand Up @@ -3,6 +3,7 @@ import static JenkinsClient.createJobConfigNoFile
class ImageScanningTestNoFileTest extends ImageScanningTest {
@Override
String getJobConfig(String imageName, Boolean policyEvalCheck, Boolean failOnCriticalPluginError) {
return createJobConfigNoFile(imageName, CENTRAL_URI, token, policyEvalCheck, failOnCriticalPluginError)
String image = QUAY_REPO + imageName
return createJobConfigNoFile(image, CENTRAL_URI, token, policyEvalCheck, failOnCriticalPluginError)
}
}
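Review bot: The `QUAY_REPO + imageName` prefixing is now written twice, here through the local `image` and inline in the parent's `getJobConfig`, so a later registry change has to be repeated in both overrides. A single helper in `ImageScanningTest`, for example `protected static String qualifiedImage(String imageName) { QUAY_REPO + imageName }`, called from both methods would keep them in step. The parent class is outside this section, so the helper would be added in that file.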