ROX-19158: Add cluster param to scan requests #268

Merged
dcaravel merged 2 commits into master from dc/jenkins-polugin-add-cluster-param
Sep 20, 2023

@dcaravel (Contributor) commented Sep 13, 2023

As part of ROX-18691, a cluster parameter has been added to the various APIs that result in image scans.

This PR modifies the Jenkins plugin to accept a new cluster parameter and pass that parameter to the various ACS APIs used by the plugin.

Tests Performed

  • Created jobs:
    • acs-freestyle-ocp-internal - freestyle job not using cluster param, expected to fail w/ no scan
    • acs-freestyle-ocp-internal-cluster - freestyle job using cluster param, expected to fail but with successful scan
    • acs-pipeline-ocp-internal - same as above just a pipeline job
    • acs-pipeline-ocp-internal-cluster - same as above just a pipeline job
  • Ran jobs and confirmed expected results

Help Text For New Param

[Screenshot: help text for the new cluster parameter]

acs-freestyle-ocp-internal

Job Setup

[Screenshot: job setup]

Console Output

Started by user [admin](http://localhost:8080/user/admin)
Running as SYSTEM
Building in workspace /home/dcaravel/.jenkins/workspace/acs-freestyle-ocp-internal
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
ERROR: Fatal error: Failed image scan request. Status code: 500. Error: image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest error: no matching image registries found: please add an image integration for image-registry.openshift-image-registry.svc:5000. Aborting ...
Finished: FAILURE

acs-freestyle-ocp-internal-cluster

Job Setup

[Screenshot: job setup]

Console Output

Started by user [admin](http://localhost:8080/user/admin)
Running as SYSTEM
Building in workspace /home/dcaravel/.jenkins/workspace/acs-freestyle-ocp-internal-with-cluster
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
Archiving artifacts
Cleaning up the workspace ...
ERROR: At least one image violated at least one enforced system policy. Marking StackRox Image Security plugin build step failed. Check the report for additional details.
Finished: FAILURE

Successful Report

[Screenshots: scan report]

acs-pipeline-ocp-internal

Job Setup

```groovy
pipeline {
    agent any

    stages {
        stage('Test') {
            steps {
                withCredentials([string(credentialsId: 'stackrox-api-token', variable: 'apiToken')]) {
                    stackrox (
                        apiToken: apiToken,
                        caCertPEM: '',
                        // Test setup: the server certificate is not verified
                        enableTLSVerification: false,
                        failOnCriticalPluginError: true,
                        failOnPolicyEvalFailure: true,
                        portalAddress: 'https://<address>',
                        imageNames: "image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest",
                        // Job not using the cluster param
                        cluster: ""
                    )
                }
            }
        }
    }
}
```

Console Output

Started by user [admin](http://localhost:8080/user/admin)
[Pipeline] Start of Pipeline
[Pipeline] node
Running on [Jenkins](http://localhost:8080/computer/(built-in)/) in /home/dcaravel/.jenkins/workspace/acs-pipeline-ocp-internal
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Test)
[Pipeline] withCredentials
Masking supported pattern matches of $apiToken
[Pipeline] {
[Pipeline] stackrox
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: Fatal error: Failed image scan request. Status code: 500. Error: image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest error: no matching image registries found: please add an image integration for image-registry.openshift-image-registry.svc:5000. Aborting ...
Finished: FAILURE

acs-pipeline-ocp-internal-cluster

Job Setup (cluster added)

```groovy
pipeline {
    agent any

    stages {
        stage('Test') {
            steps {
                withCredentials([string(credentialsId: 'stackrox-api-token', variable: 'apiToken')]) {
                    stackrox (
                        apiToken: apiToken,
                        caCertPEM: '',
                        // Test setup: the server certificate is not verified
                        enableTLSVerification: false,
                        failOnCriticalPluginError: true,
                        failOnPolicyEvalFailure: true,
                        portalAddress: 'https://34.23.176.25',
                        imageNames: "image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest",
                        // New parameter added by this PR
                        cluster: "remote"
                    )
                }
            }
        }
    }
}
```

Console Output

Started by user [admin](http://localhost:8080/user/admin)
[Pipeline] Start of Pipeline
[Pipeline] node
Running on [Jenkins](http://localhost:8080/computer/(built-in)/) in /home/dcaravel/.jenkins/workspace/acs-pipeline-ocp-internal-cluster
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Test)
[Pipeline] withCredentials
Masking supported pattern matches of $apiToken
[Pipeline] {
[Pipeline] stackrox
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
Archiving artifacts
Cleaning up the workspace ...
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: At least one image violated at least one enforced system policy. Marking StackRox Image Security plugin build step failed. Check the report for additional details.
Finished: FAILURE

Successful Report

[Screenshots: scan report]

Ensured works with multiple images as well

[Screenshot: report for a job with multiple images]

Related PRs

@dcaravel dcaravel marked this pull request as ready for review September 13, 2023 20:05
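
Both kinds of test job in the description end in `Finished: FAILURE`, but only the jobs with the cluster param produced a scan verdict. The following Python triage of the plugin's console output is an added example, not code from this PR or the plugin; `triage` and its outcome labels are hypothetical names, and the sample lines are abridged from the console output quoted above.

```python
import re

# Message formats copied from the console output quoted in this PR.
SCAN_FAILED = re.compile(
    r"ERROR: Fatal error: Failed image scan request\. "
    r"Status code: (\d+)\. Error: (.*?)\. Aborting"
)
NO_REGISTRY = re.compile(r"please add an image integration for (\S+)$")
POLICY_FAILED = "At least one image violated at least one enforced system policy"
CHECKING = "Checking image "


def triage(console_text):
    """Classify a plugin run (hypothetical helper, not part of the plugin)."""
    result = {"outcome": "no_verdict_found", "images": [],
              "status_code": None, "missing_registry": None}
    for line in console_text.splitlines():
        line = line.strip()
        if line.startswith(CHECKING):
            result["images"].append(line[len(CHECKING):].rstrip("."))
        elif (m := SCAN_FAILED.search(line)):
            # The request failed, so no scan result exists for this image.
            result["outcome"] = "scan_not_performed"
            result["status_code"] = int(m.group(1))
            reg = NO_REGISTRY.search(m.group(2))
            if reg:
                result["missing_registry"] = reg.group(1)
        elif POLICY_FAILED in line:
            # The scan ran and an enforced policy failed the build.
            result["outcome"] = "policy_violation"
    return result


# Lines abridged from the two kinds of console output above.
WITHOUT_CLUSTER = """\
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
ERROR: Fatal error: Failed image scan request. Status code: 500. Error: image enrichment error: error getting metadata for image: image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest error: no matching image registries found: please add an image integration for image-registry.openshift-image-registry.svc:5000. Aborting ...
Finished: FAILURE
"""
WITH_CLUSTER = """\
Checking image image-registry.openshift-image-registry.svc:5000/dave/dave-is:latest...
Archiving artifacts
ERROR: At least one image violated at least one enforced system policy. Marking StackRox Image Security plugin build step failed. Check the report for additional details.
Finished: FAILURE
"""

if __name__ == "__main__":
    for name, log in (("without cluster", WITHOUT_CLUSTER), ("with cluster", WITH_CLUSTER)):
        print(name, triage(log))
```

A `scan_not_performed` result means the build failed without any verdict on the image, so it should be routed to whoever maintains the scanner integration rather than to the image owner.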

@dhaus67 dhaus67 left a comment

Code looks good to me, can you also update https://github.com/stackrox/jenkins-plugin/blob/master/stackrox-container-image-scanner/README.md#freestyle-project which holds the description of the parameters as well as some sample pipelines? It'd be great to update that.

@dcaravel dcaravel requested a review from dhaus67 September 15, 2023 16:50

@dhaus67 dhaus67 left a comment

Sorry for the delay in review, but LGTM!

@dcaravel dcaravel merged commit 0850038 into master Sep 20, 2023
@dcaravel dcaravel deleted the dc/jenkins-polugin-add-cluster-param branch September 20, 2023 23:06
@dhaus67 dhaus67 added the "enhancement" (New feature or request) label Sep 29, 2023