From 3880d2b8988a78b663471ab8bbf52119559846c8 Mon Sep 17 00:00:00 2001 From: Cristovao Cordeiro Date: Mon, 14 Oct 2024 16:28:19 +0200 Subject: [PATCH 1/2] ci: report vulnerabilities and fail on HIGH,CRITICAL (#152) Add an additional Trivy execution that raises an error on HIGH and CRITICAL vulnerabilities. It also uploads the vulnerability report to the CI run and the GitHub Security dashboard. --- .github/workflows/security.yaml | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 8adf838d..93d4cc18 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -1,15 +1,15 @@ name: Security on: - push: - branches: [main] - pull_request: - branches: [main] + schedule: + - cron: "0 1 * * *" jobs: scan: name: Scan for known vulnerabilities runs-on: ubuntu-latest + env: + TRIVY_RESULTS: 'trivy-results.sarif' steps: - uses: actions/checkout@v3 @@ -18,3 +18,23 @@ jobs: with: scan-type: 'fs' scan-ref: '.' + format: 'sarif' + output: ${{ env.TRIVY_RESULTS }} + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ env.TRIVY_RESULTS }} + + - uses: actions/upload-artifact@v4 + with: + name: ${{ env.TRIVY_RESULTS }} + path: ${{ env.TRIVY_RESULTS }} + + - name: Raise error on HIGH,CRITICAL vulnerabilities + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + severity: 'CRITICAL,HIGH' + exit-code: '1' From 022d771a4f106a47c37beaf68b2f175a81c592ca Mon Sep 17 00:00:00 2001 
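Review bot: The HIGH/CRITICAL gate added in the next hunk can no longer block a pull request, because the only trigger left in this hunk is `schedule:`; a change that introduces a HIGH finding merges and is reported at most a day later by the nightly run. If the intent is to gate merges as well as report, keep `pull_request:` next to `schedule:` and restrict only the upload steps to the scheduled run, e.g. `if: github.event_name == 'schedule'`. The cron line also deserves a one-line comment stating the timezone, since GitHub evaluates schedules in UTC: `# daily at 01:00 UTC`.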
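Review bot: The new gating step references `aquasecurity/trivy-action@master`, a mutable branch, so the step that decides whether the build fails executes whatever that branch contains at run time; pin it to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<release-tag-or-sha>`) as the neighbouring `upload-sarif@v3` and `upload-artifact@v4` steps already do. The first Trivy step's `uses:` line sits outside the hunk, so I cannot tell whether it has the same problem. Separately, `github/codeql-action/upload-sarif` needs `security-events: write` on the job or workflow; no `permissions:` block is visible in either hunk, so unless the repository's default token permissions already grant it, the upload step will fail on every run.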
From: Hadrien Patte
Date: Mon, 14 Oct 2024 16:37:03 +0200
Subject: [PATCH 2/2] feat: make suites mandatory in archive config (#161)

This PR makes the suites attribute of archives in the chisel.yaml mandatory. All other attributes are already mandatory (version, components and keys). There was an old fallback logic which would set suites to the release adjective if left unset, but this logic was only configured for 4 ubuntu releases, one of which (bionic) is no longer supported by chisel, and all other three have their suites properly configured in their chisel.yaml already, so this piece of logic never triggers (focal, jammy, kinetic).
---
 cmd/chisel/cmd_info_test.go | 1 +
 internal/setup/setup.go | 13 +------------
 internal/setup/setup_test.go | 13 +++++++++++++
 internal/slicer/slicer_test.go | 3 +++
 4 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/cmd/chisel/cmd_info_test.go b/cmd/chisel/cmd_info_test.go
index 0629f467..81377906 100644
--- a/cmd/chisel/cmd_info_test.go
+++ b/cmd/chisel/cmd_info_test.go
@@ -153,6 +153,7 @@ var defaultChiselYaml = `
 ubuntu:
 version: 22.04
 components: [main, universe]
+ suites: [jammy]
 public-keys: [test-key]
 public-keys:
 test-key:
diff --git a/internal/setup/setup.go b/internal/setup/setup.go
index 0efe8e67..d17cead4 100644
--- a/internal/setup/setup.go
+++ b/internal/setup/setup.go
@@ -477,13 +477,6 @@ type yamlPubKey struct {
 Armor string `yaml:"armor"`
 }
-var ubuntuAdjectives = map[string]string{
- "18.04": "bionic",
- "20.04": "focal",
- "22.04": "jammy",
- "22.10": "kinetic",
-}
-
 func parseRelease(baseDir, filePath string, data []byte) (*Release, error) {
 release := &Release{
 Path: baseDir,
@@ -525,11 +518,7 @@ func parseRelease(baseDir, filePath string, data []byte) (*Release, error) {
 return nil, fmt.Errorf("%s: archive %q missing version field", fileName, archiveName)
 }
 if len(details.Suites) == 0 {
- adjective := ubuntuAdjectives[details.Version]
- if adjective == "" {
- return nil, fmt.Errorf("%s: archive %q missing suites field", fileName, archiveName)
- }
- details.Suites = []string{adjective}
+ return nil, fmt.Errorf("%s: archive %q missing suites field", fileName, archiveName)
 }
 if len(details.Components) == 0 {
 return nil, fmt.Errorf("%s: archive %q missing components field", fileName, archiveName)
diff --git a/internal/setup/setup_test.go b/internal/setup/setup_test.go
index de50899a..117d78f9 100644
--- a/internal/setup/setup_test.go
+++ b/internal/setup/setup_test.go
@@ -819,6 +819,18 @@ var setupTests = []setupTest{{
 },
 },
 },
+}, {
+ summary: "Archive with suites unset",
+ input: map[string]string{
+ "chisel.yaml": `
+ format: v1
+ archives:
+ ubuntu:
+ version: 22.04
+ components: [main, other]
+ `,
+ },
+ relerror: `chisel.yaml: archive "ubuntu" missing suites field`,
 }, {
 summary: "Extra fields in YAML are ignored (necessary for forward compatibility)",
 input: map[string]string{
@@ -1589,6 +1601,7 @@ var defaultChiselYaml = `
 ubuntu:
 version: 22.04
 components: [main, universe]
+ suites: [jammy]
 public-keys: [test-key]
 public-keys:
 test-key:
diff --git a/internal/slicer/slicer_test.go b/internal/slicer/slicer_test.go
index 36d6271c..0f3bdfd8 100644
--- a/internal/slicer/slicer_test.go
+++ b/internal/slicer/slicer_test.go
@@ -778,11 +778,13 @@ var slicerTests = []slicerTest{{
 foo:
 version: 22.04
 components: [main, universe]
+ suites: [jammy]
 default: true
 public-keys: [test-key]
 bar:
 version: 22.04
 components: [main]
+ suites: [jammy]
 public-keys: [test-key]
 public-keys:
 test-key:
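Review bot: The added `return nil, fmt.Errorf("%s: archive %q missing suites field", fileName, archiveName)` is the third copy of the same format string in this hunk (version, suites, components), so a small local helper declared once above these checks, `missingField := func(field string) error { return fmt.Errorf("%s: archive %q missing %s field", fileName, archiveName, field) }`, would keep the wording consistent as further fields become mandatory. parseRelease starts and ends outside the hunk. Because `len(details.Suites) == 0` rejects an explicit `suites: []` as well as an absent key, the `Suites` field of the archive YAML struct (not in this hunk) deserves a comment saying it is required and must be non-empty.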
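Review bot: The new "Archive with suites unset" fixture omits `public-keys` as well as `suites`, so if parseRelease also validates archive keys (its remaining checks are not visible here) the case passes only because the suites check runs first, and a reordering of the checks would fail it with an unrelated message. Adding `public-keys: [test-key]` under `ubuntu:` plus the `public-keys:` / `test-key:` section the other fixtures in this file carry would make the case exercise exactly one omission. The enclosing setupTests literal starts and ends outside the hunk.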
@@ -1202,6 +1204,7 @@ var defaultChiselYaml = `
 ubuntu:
 version: 22.04
 components: [main, universe]
+ suites: [jammy]
 public-keys: [test-key]
 public-keys:
 test-key: