[release-0.6] add targets for verifying code and images for vulnerabilities #1486

2 changes: 1 addition & 1 deletion Dockerfile
@@ -15,7 +15,7 @@
# limitations under the License.

# Build the manager binary
FROM --platform=${BUILDPLATFORM} golang:1.20.7 as toolchain
FROM --platform=${BUILDPLATFORM} golang:1.20.11 as toolchain

# Run this with docker build --build_arg $(go env GOPROXY) to override the goproxy
ARG goproxy=https://proxy.golang.org,direct
37 changes: 37 additions & 0 deletions Makefile
@@ -18,6 +18,8 @@ ROOT_DIR_RELATIVE := .

include $(ROOT_DIR_RELATIVE)/common.mk

GO_VERSION ?= 1.20.11

# Image URL to use all building/pushing image targets
IMG ?= controller:latest
# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
@@ -46,6 +48,8 @@ MOCKGEN := $(TOOLS_BIN_DIR)/mockgen
CONTROLLER_GEN := $(TOOLS_BIN_DIR)/controller-gen
CONVERSION_VERIFIER := $(TOOLS_BIN_DIR)/conversion-verifier
SETUP_ENVTEST := $(TOOLS_BIN_DIR)/setup-envtest
GOVULNCHECK := $(TOOLS_BIN_DIR)/govulncheck
TRIVY := $(TOOLS_BIN_DIR)/trivy

STAGING_REGISTRY ?= gcr.io/k8s-staging-capi-ibmcloud
STAGING_BUCKET ?= artifacts.k8s-staging-capi-ibmcloud.appspot.com
@@ -512,6 +516,27 @@ verify-gen: generate ## Verfiy go generated files are up to date
verify-conversions: $(CONVERSION_VERIFIER) ## Verifies expected API conversion are in place
$(CONVERSION_VERIFIER)

.PHONY: verify-container-images
verify-container-images: $(TRIVY) ## Verify container images
TRACE=$(TRACE) ./hack/verify-container-images.sh

.PHONY: verify-govulncheck
verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
$(GOVULNCHECK) ./... && R1=$$? || R1=$$?; \
$(GOVULNCHECK) -C "$(TOOLS_DIR)" ./... && R2=$$? || R2=$$?; \
if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \
exit 1; \
fi

.PHONY: verify-security
verify-security: ## Verify code and images for vulnerabilities
$(MAKE) verify-container-images && R1=$$? || R1=$$?; \
$(MAKE) verify-govulncheck && R2=$$? || R2=$$?; \
if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \
echo "Check for vulnerabilities failed! There are vulnerabilities to be fixed"; \
exit 1; \
fi

## --------------------------------------
## Cleanup / Verification
## --------------------------------------
@@ -543,6 +568,10 @@ clean-temporary: ## Remove all temporary files and folders
clean-release: ## Remove the release folder
rm -rf $(RELEASE_DIR)

.PHONY: clean-release-git
clean-release-git: ## Restores the git files usually modified during a release
git restore ./*manager_image_patch.yaml ./*manager_pull_policy.yaml

.PHONY: clean-generated-conversions
clean-generated-conversions: ## Remove files generated by conversion-gen from the mentioned dirs
(IFS=','; for i in $(SRC_DIRS); do find $$i -type f -name 'zz_generated.conversion*' -exec rm -f {} \;; done)
@@ -561,3 +590,11 @@ clean-kind: ## Cleans up the kind cluster with the name $CAPI_KIND_CLUSTER_NAME
kind-cluster: ## Create a new kind cluster designed for development with Tilt
hack/kind-install.sh

## --------------------------------------
## Helpers
## --------------------------------------

##@ helpers:

go-version: ## Print the go version we use to compile our binaries and images
@echo $(GO_VERSION)
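Review bot: The new `go-version` target in the last hunk is not declared phony, unlike every other target this change adds; a file or directory named go-version in the repository root would make `make go-version` report it as up to date and print nothing, so add `.PHONY: go-version` above it. In the second hunk, `verify-container-images` depends on `$(TRIVY)` (built under `$(TOOLS_BIN_DIR)`) but the script it runs locates the binary from its own hard-coded path, so if TOOLS_BIN_DIR is ever overridden the prerequisite and the scanner it actually runs may diverge; passing the path through, `TRACE=$(TRACE) TRIVY=$(TRIVY) ./hack/verify-container-images.sh`, and having the script honour it keeps them in step. The `TOOLS_DIR` used by `govulncheck -C` in the third hunk is defined outside the shown lines, so I could not confirm it resolves to hack/tools.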
2 changes: 1 addition & 1 deletion hack/ccm/Dockerfile
@@ -18,7 +18,7 @@ ARG TARGETPLATFORM=linux/amd64
ARG ARCH=amd64

# Build IBM cloud controller manager binary
FROM golang:1.20.7 AS ccm-builder
FROM golang:1.20.11 AS ccm-builder
ARG ARCH
ARG POWERVS_CLOUD_CONTROLLER_COMMIT
WORKDIR /build
8 changes: 8 additions & 0 deletions hack/tools/Makefile
@@ -121,3 +121,11 @@ $(CONVERSION_VERIFIER): $(BIN_DIR) go.mod go.sum ## Build a local copy of conver
SETUP_ENVTEST := $(BIN_DIR)/setup-envtest
$(SETUP_ENVTEST): $(BIN_DIR) go.mod go.sum ## Build a local copy of setup-envtest.
go build -tags=capibmtools -o $@ sigs.k8s.io/controller-runtime/tools/setup-envtest

GOVULNCHECK := $(BIN_DIR)/govulncheck
$(GOVULNCHECK): $(BIN_DIR) go.mod go.sum ## Build a local copy of govulncheck.
go build -tags=capibmtools -o $@ golang.org/x/vuln/cmd/govulncheck

TRIVY := $(BIN_DIR)/trivy
$(TRIVY): $(BIN_DIR) go.mod go.sum ## Build a local copy of trivy.
go build -tags=capibmtools -o $@ github.com/aquasecurity/trivy/cmd/trivy
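Review bot: Building trivy from source through the tools module pulls its entire dependency graph into hack/tools/go.mod and go.sum (the diffstat shows 289 and 1,379 additions), and that graph is now part of what `verify-govulncheck -C` scans, so findings in the scanner's own dependencies will fail the security check. This is a reasonable trade-off for version pinning, but it is not obvious from the rule, so a short comment above it would help, e.g. `# Built from source so the version is pinned by go.mod; note this adds trivy's full dependency tree to this module.`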
306 changes: 289 additions & 17 deletions hack/tools/go.mod

Large diffs are not rendered by default.

1,413 changes: 1,379 additions & 34 deletions hack/tools/go.sum

Large diffs are not rendered by default.

2 changes: 2 additions & 0 deletions hack/tools/tools.go
@@ -21,12 +21,14 @@ limitations under the License.
package tools

import (
_ "github.com/aquasecurity/trivy/cmd/trivy"
_ "github.com/drone/envsubst/v2/cmd/envsubst"
_ "github.com/golang/mock/mockgen"
_ "github.com/golangci/golangci-lint/cmd/golangci-lint"
_ "github.com/itchyny/gojq/cmd/gojq"
_ "github.com/joelanford/go-apidiff"
_ "github.com/onsi/ginkgo/v2/ginkgo"
_ "golang.org/x/vuln/cmd/govulncheck"
_ "gotest.tools/gotestsum"
_ "k8s.io/code-generator/cmd/conversion-gen"
_ "sigs.k8s.io/cluster-api/hack/tools/conversion-verifier"
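--- /dev/null
+++ b/hack/verify-container-images.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "${TRACE-0}" == "1" ]]; then
+set -o xtrace
+fi
+
+GO_ARCH="$(go env GOARCH)"
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+
+TRIVY="${REPO_ROOT}/hack/tools/bin/trivy"
+
+# Builds all the container images to be scanned and cleans up changes to ./*manager_image_patch.yaml ./*manager_pull_policy.yaml.
+make REGISTRY=gcr.io/k8s-staging-capi-ibmcloud PULL_POLICY=IfNotPresent TAG=dev OUTPUT_TYPE=type=docker docker-build
+make clean-release-git
+
+# Scan the images
+"${TRIVY}" image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-capi-ibmcloud/cluster-api-ibmcloud-controller-"${GO_ARCH}":dev && R1=$? || R1=$?
+
+echo ""
+BRed='\033[1;31m'
+BGreen='\033[1;32m'
+NC='\033[0m' # No
+
+if [ "$R1" -ne "0" ]
+then
+echo -e "${BRed}Check container images failed! There are vulnerabilities to be fixed${NC}"
+exit 1
+fi
+
+echo -e "${BGreen}Check container images passed! No vulnerability found${NC}"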
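Review bot: Because the script sets `errexit`, a failure in `make ... docker-build` exits before `make clean-release-git` runs, leaving the *manager_image_patch.yaml and *manager_pull_policy.yaml files modified in the working tree; registering the cleanup as `trap '"${MAKE:-make}" clean-release-git' EXIT` before the build restores them on every exit path. Using `"${MAKE:-make}"` instead of bare `make` also propagates the invoking make's flags and jobserver when the script is run from the verify-container-images target. The `--ignore-unfixed` flag together with the MEDIUM,HIGH,CRITICAL severity list defines the failure policy (unfixed and LOW findings do not fail the check), which deserves a one-line comment above the scan so the threshold reads as deliberate rather than accidental. The `# No` comment on the `NC` line looks truncated, presumably `# No colour`.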