Jenkins x snyk security checks

[axsaucedo]

Fixes #2183

Introduces automation using snyk. It uses the snyk CLI due to limitations in their current web service (the web service doesn't support go.mod, only the CLI).

At this point of witing the CLI is free for OSS projects, but requires a token connected to the account. In this case the token can be created in the CI cluster with:

kubectl create secret generic snyk-token \
    --from-literal=token=<TOKEN>

Security checks PR now works. It will now only run on-demand, so it won't affect the build. It seems only 1 vulnerability flagged up, namely pyyaml for which I've opened #2252

PR is now ready for review

[seldondev]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign axsaucedo
You can assign the PR to them by writing /assign @axsaucedo in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[seldondev]

Fri Aug 7 06:15:28 UTC 2020
The logs for [pr-build] [1] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/1.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=1

[seldondev]

Fri Aug 7 06:15:37 UTC 2020
The logs for [lint] [3] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/3.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=3

[seldondev]

Fri Aug 7 06:15:52 UTC 2020
The logs for [securitychecks] [2] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/2.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=2

[seldondev]

Fri Aug 7 06:24:38 UTC 2020
The logs for [lint] [6] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/6.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=6

[seldondev]

Fri Aug 7 06:24:38 UTC 2020
The logs for [pr-build] [4] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/4.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=4

[seldondev]

Fri Aug 7 06:29:31 UTC 2020
The logs for [securitychecks] [8] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/8.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=8

[seldondev]

Fri Aug 7 06:29:44 UTC 2020
The logs for [pr-build] [7] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/7.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=7

[seldondev]

Fri Aug 7 06:29:48 UTC 2020
The logs for [lint] [9] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/9.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=9

[seldondev]

Fri Aug 7 06:48:28 UTC 2020
The logs for [pr-build] [10] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/10.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=10

[seldondev]

Fri Aug 7 06:48:40 UTC 2020
The logs for [lint] [12] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/12.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=12

[seldondev]

Fri Aug 7 07:10:36 UTC 2020
The logs for [securitychecks] [14] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/14.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=14

[seldondev]

Fri Aug 7 07:11:02 UTC 2020
The logs for [lint] [15] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/15.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=15

[seldondev]

Fri Aug 7 07:11:04 UTC 2020
The logs for [pr-build] [13] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/13.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=13

[seldondev]

Fri Aug 7 07:26:24 UTC 2020
The logs for [securitychecks] [17] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/17.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=17

[seldondev]

Fri Aug 7 07:26:38 UTC 2020
The logs for [pr-build] [16] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/16.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=16

[seldondev]

Fri Aug 7 07:26:44 UTC 2020
The logs for [lint] [18] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/18.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=18

[seldondev]

Fri Aug 7 07:50:42 UTC 2020
The logs for [securitychecks] [20] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/20.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=20

[seldondev]

Fri Aug 7 07:50:49 UTC 2020
The logs for [pr-build] [19] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/19.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=19

[seldondev]

Fri Aug 7 07:50:57 UTC 2020
The logs for [lint] [21] will show after the pipeline context has finished.
https://github.com/SeldonIO/seldon-core/blob/gh-pages/jenkins-x/logs/SeldonIO/seldon-core/PR-2251/21.log

impatient try
jx get build logs SeldonIO/seldon-core/PR-2251 --build=21

[seldondev]

@axsaucedo: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
securitychecks	b3ee9b7	link	/test securitychecks

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the jenkins-x/lighthouse repository. I understand the commands that are listed here.

[axsaucedo]

Security checks PR now works. It will now only run on-demand, so it won't affect the build. It seems only 1 vulnerability flagged up, namely pyyaml for which I've opened #2252

PR is now ready for review

/cc @gsunner
/cc @RafalSkolasinski

[RafalSkolasinski]

Nice one!

Do we know what method snyk uses to determine Golang dependencies when it runs synk test --all-projects in side executor and operator directories?

[axsaucedo]

Yeah it basically checks all the dependencies and versions with their own internal CVE database