From 1d9bc7e557ff578da3109027e02abeec7d3c9237 Mon Sep 17 00:00:00 2001
From: Christian Schlotter
Date: Tue, 8 Aug 2023 09:10:45 +0200
Subject: [PATCH] Add verify-govulncheck and verify-vulnerabilities targets and integrate to scan action
---
 ...ge-scan.yaml => weekly-security-scan.yaml} | 6 +-
 Makefile | 25 ++++++
 docs/release/release-tasks.md | 81 ++++++++++---------
 hack/verify-security.sh | 40 +++++++++
 4 files changed, 109 insertions(+), 43 deletions(-)
 rename .github/workflows/{weekly-image-scan.yaml => weekly-security-scan.yaml} (88%)
 create mode 100755 hack/verify-security.sh
diff --git a/.github/workflows/weekly-image-scan.yaml b/.github/workflows/weekly-security-scan.yaml
similarity index 88%
rename from .github/workflows/weekly-image-scan.yaml
rename to .github/workflows/weekly-security-scan.yaml
index cac026712a09..be7bfaf216ca 100644
--- a/.github/workflows/weekly-image-scan.yaml
+++ b/.github/workflows/weekly-security-scan.yaml
@@ -1,4 +1,4 @@
-name: Weekly image scan
+name: Weekly security scan
 on:
 schedule:
@@ -28,5 +28,5 @@ jobs:
 uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # tag=v4.0.1
 with:
 go-version: ${{ steps.vars.outputs.go_version }}
- - name: Run verify container script
- run: make verify-container-images
+ - name: Run verify security target
+ run: make verify-security
diff --git a/Makefile b/Makefile
index c34dfb202b3f..ca2ef0755879 100644
--- a/Makefile
+++ b/Makefile
@@ -164,6 +164,11 @@ GOLANGCI_LINT_VER := $(shell cat .github/workflows/pr-golangci-lint.yaml | grep
 GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
 GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint
+GOVULNCHECK_BIN := govulncheck
+GOVULNCHECK_VER := v1.0.0
+GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
+GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck
+
 CONVERSION_VERIFIER_BIN := conversion-verifier
 CONVERSION_VERIFIER := $(abspath $(TOOLS_BIN_DIR)/$(CONVERSION_VERIFIER_BIN))
@@ -653,6 +658,20 @@ verify-tiltfile: ## Verify Tiltfile format
 verify-container-images: ## Verify container images
 TRACE=$(TRACE) ./hack/verify-container-images.sh
+.PHONY: verify-govulncheck
+verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
+ $(GOVULNCHECK) ./... && R1=$$? || R1=$$?; \
+ $(GOVULNCHECK) -C "$(TOOLS_DIR)" ./... && R2=$$? || R2=$$?; \
+ $(GOVULNCHECK) -C "$(TEST_DIR)" ./... && R3=$$? || R3=$$?; \
+ if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ] || [ "$$R3" -ne "0" ]; then \
+ exit 1; \
+ fi
+
+.PHONY: verify-security
+verify-security: ## Verify code and images for vulnerabilities
+ TRACE=$(TRACE) ./hack/verify-security.sh
+
 ## --------------------------------------
 ## Binaries
 ## --------------------------------------
@@ -1249,6 +1268,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo.
 .PHONY: $(GOLANGCI_LINT_BIN)
 $(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint.
+.PHONY: $(GOVULNCHECK_BIN)
+$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck.
+
 $(CONTROLLER_GEN): # Build controller-gen from tools folder.
 GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(CONTROLLER_GEN_PKG) $(CONTROLLER_GEN_BIN) $(CONTROLLER_GEN_VER)
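Review bot: `GOVULNCHECK_VER := v1.0.0` pins the scanner but not its data: by default govulncheck fetches the Go vulnerability database when it runs, so two runs of the same pinned tool can report different results and the weekly job needs outbound network access. A comment next to the pin, `# tool version only; findings come from the vulnerability DB fetched at run time`, would stop a reader from assuming the scan is hermetic. The same caveat applies to the `verify-govulncheck` target in the next hunk, which can fail because the database was unreachable as well as because something was found.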
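Review bot: The `if` at the end of the `verify-govulncheck` recipe exits 1 without saying which of the three scans (module root, `$(TOOLS_DIR)`, `$(TEST_DIR)`) failed, so in the weekly job the only signal after a long log is a bare non-zero status; a summary line before the exit, `echo "govulncheck failed: root=$$R1 tools=$$R2 test=$$R3"; \`, names the failing module at a glance. If I recall correctly govulncheck also uses a distinct exit status for findings versus tool errors (unreadable module, database unreachable), and the recipe folds both into 1; if any caller needs that distinction, propagate the first non-zero `R*` value instead. The `&& R1=$$? || R1=$$?` idiom only works because the trailing backslashes keep the three commands in one shell, which is worth a short comment since the block reads like three independent recipe lines. Separately, the commit subject names a `verify-vulnerabilities` target while the hunk adds `verify-security`; one of the two should be aligned.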
@@ -1300,6 +1322,9 @@ $(GINKGO): # Build ginkgo from tools folder.
 $(GOLANGCI_LINT): # Build golangci-lint from tools folder.
 GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)
+$(GOVULNCHECK): # Build govulncheck.
+ GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)
+
 ## --------------------------------------
 ## Helpers
 ## --------------------------------------
diff --git a/docs/release/release-tasks.md b/docs/release/release-tasks.md
index 4fd90f92ddd6..6fa8abf628ad 100644
--- a/docs/release/release-tasks.md
+++ b/docs/release/release-tasks.md
@@ -11,45 +11,46 @@ This document details the responsibilities and tasks for each role in the releas -- [Release Lead](#release-lead) - - [Responsibilities](#responsibilities) - - [Tasks](#tasks) - - [Set a tentative release date for the minor release](#set-a-tentative-release-date-for-the-minor-release) - - [Assemble release team](#assemble-release-team) - - [Finalize release schedule and team](#finalize-release-schedule-and-team) - - [Prepare main branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release) - - [Create a new GitHub milestone for the next release](#create-a-new-github-milestone-for-the-next-release) - - [[Track] Remove previously deprecated code](#track-remove-previously-deprecated-code) - - [[Track] Bump dependencies](#track-bump-dependencies) - - [Create a release branch](#create-a-release-branch) - - [[Continuously] Maintain the GitHub release milestone](#continuously-maintain-the-github-release-milestone) - - [[Continuously] Bump the Go version](#continuously-bump-the-go-version) - - [[Repeatedly] Cut a release](#repeatedly-cut-a-release) - - [[Optional] [Track] Bump the Cluster API apiVersion](#optional-track-bump-the-cluster-api-apiversion) - - [[Optional] [Track] Bump the Kubernetes version](#optional-track-bump-the-kubernetes-version) -- [Communications/Docs/Release Notes Manager](#communicationsdocsrelease-notes-manager) - - [Responsibilities](#responsibilities-1) - - [Tasks](#tasks-1) - - [Add docs to collect release notes for users and migration notes for provider implementers](#add-docs-to-collect-release-notes-for-users-and-migration-notes-for-provider-implementers) - - [Update supported versions](#update-supported-versions) - - [Ensure the book for the new release is available](#ensure-the-book-for-the-new-release-is-available) - - [Polish release notes](#polish-release-notes) - - [Change production branch in Netlify to the new release 
branch](#change-production-branch-in-netlify-to-the-new-release-branch) - - [Update clusterctl links in the quickstart](#update-clusterctl-links-in-the-quickstart) - - [Continuously: Communicate key dates to the community](#continuously-communicate-key-dates-to-the-community) - - [Communicate beta to providers](#communicate-beta-to-providers) -- [CI Signal/Bug Triage/Automation Manager](#ci-signalbug-triageautomation-manager) - - [Responsibilities](#responsibilities-2) - - [Tasks](#tasks-2) - - [Setup jobs and dashboards for a new release branch](#setup-jobs-and-dashboards-for-a-new-release-branch) - - [[Continuously] Monitor CI signal](#continuously-monitor-ci-signal) - - [[Continuously] Reduce the amount of flaky tests](#continuously-reduce-the-amount-of-flaky-tests) - - [[Continuously] Bug triage](#continuously-bug-triage) -- [Maintainer](#maintainer) - - [Responsibilities](#responsibilities-3) - - [Tasks](#tasks-3) - - [Prepare main branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release-1) - - [[Repeatedly] Cut a release](#repeatedly-cut-a-release-1) +- [Release Tasks](#release-tasks) + - [Release Lead](#release-lead) + - [Responsibilities](#responsibilities) + - [Tasks](#tasks) + - [Set a tentative release date for the minor release](#set-a-tentative-release-date-for-the-minor-release) + - [Assemble release team](#assemble-release-team) + - [Finalize release schedule and team](#finalize-release-schedule-and-team) + - [Prepare main branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release) + - [Create a new GitHub milestone for the next release](#create-a-new-github-milestone-for-the-next-release) + - [\[Track\] Remove previously deprecated code](#track-remove-previously-deprecated-code) + - [\[Track\] Bump dependencies](#track-bump-dependencies) + - [Create a release branch](#create-a-release-branch) + - [\[Continuously\] Maintain the GitHub release 
milestone](#continuously-maintain-the-github-release-milestone) + - [\[Continuously\] Bump the Go version](#continuously-bump-the-go-version) + - [\[Repeatedly\] Cut a release](#repeatedly-cut-a-release) + - [\[Optional\] \[Track\] Bump the Cluster API apiVersion](#optional-track-bump-the-cluster-api-apiversion) + - [\[Optional\] \[Track\] Bump the Kubernetes version](#optional-track-bump-the-kubernetes-version) + - [Communications/Docs/Release Notes Manager](#communicationsdocsrelease-notes-manager) + - [Responsibilities](#responsibilities-1) + - [Tasks](#tasks-1) + - [Add docs to collect release notes for users and migration notes for provider implementers](#add-docs-to-collect-release-notes-for-users-and-migration-notes-for-provider-implementers) + - [Update supported versions](#update-supported-versions) + - [Ensure the book for the new release is available](#ensure-the-book-for-the-new-release-is-available) + - [Polish release notes](#polish-release-notes) + - [Change production branch in Netlify to the new release branch](#change-production-branch-in-netlify-to-the-new-release-branch) + - [Update clusterctl links in the quickstart](#update-clusterctl-links-in-the-quickstart) + - [Continuously: Communicate key dates to the community](#continuously-communicate-key-dates-to-the-community) + - [Communicate beta to providers](#communicate-beta-to-providers) + - [CI Signal/Bug Triage/Automation Manager](#ci-signalbug-triageautomation-manager) + - [Responsibilities](#responsibilities-2) + - [Tasks](#tasks-2) + - [Setup jobs and dashboards for a new release branch](#setup-jobs-and-dashboards-for-a-new-release-branch) + - [\[Continuously\] Monitor CI signal](#continuously-monitor-ci-signal) + - [\[Continuously\] Reduce the amount of flaky tests](#continuously-reduce-the-amount-of-flaky-tests) + - [\[Continuously\] Bug triage](#continuously-bug-triage) + - [Maintainer](#maintainer) + - [Responsibilities](#responsibilities-3) + - [Tasks](#tasks-3) + - [Prepare main 
branch for development of the new release](#prepare-main-branch-for-development-of-the-new-release-1)
+ - [\[Repeatedly\] Cut a release](#repeatedly-cut-a-release-1)
@@ -426,7 +427,7 @@ While we add test coverage for the new release branch we will also drop the test
 3. Remove tests for old release branches according to our policy documented in [Support and guarantees](../../CONTRIBUTING.md#support-and-guarantees)
 For example, let's assume we just created tests for v1.4, then we can now drop test coverage for the release-1.1 branch.
 4. Verify the jobs and dashboards a day later by taking a look at: `https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api-1.4`
-5. Update `.github/workflows/weekly-image-scan.yaml` - to setup Trivy scanning - `.github/workflows/weekly-md-link-check.yaml` - to setup link checking in the CAPI book - and `.github/workflows/weekly-test-release.yaml` - to verify the release target is working - for the currently supported branches.
+5. Update `.github/workflows/weekly-security-scan.yaml` - to setup Trivy scanning - `.github/workflows/weekly-md-link-check.yaml` - to setup link checking in the CAPI book - and `.github/workflows/weekly-test-release.yaml` - to verify the release target is working - for the currently supported branches.
 Prior art:
diff --git a/hack/verify-security.sh b/hack/verify-security.sh
new file mode 100755
index 000000000000..dd73bc3aecbd
--- /dev/null
+++ b/hack/verify-security.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "${TRACE-0}" == "1" ]]; then
+ set -o xtrace
+fi
+
+# Scan the images
+make verify-container-images && R1=$? || R1=$?
+make verify-govulncheck && R2=$? || R2=$?
+
+echo ""
+BRed='\033[1;31m'
+BGreen='\033[1;32m'
+NC='\033[0m' # No
+
+if [ "$R1" -ne "0" ] || [ "$R2" -ne "0" ]
+then
+ echo -e "${BRed}Check for vulnerabilities failed! There are vulnerability to be fixed${NC}"
+ exit 1
+fi
+
+echo -e "${BGreen}Check for vulnerabilities passed! No vulnerability found${NC}"
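Review bot: The comment `# Scan the images` above the two `make` calls describes only the first one; the second runs govulncheck over the Go modules, so `# Scan the container images, then the Go modules for known vulnerabilities` keeps it accurate. In the same hunk the `NC` comment looks cut off (`# No`, presumably `# No Color`) and the failure message has a grammar slip: `There are vulnerability to be fixed` should read `There are vulnerabilities to be fixed`. Since the script is itself launched from the `verify-security` recipe, the plain `make` calls are a second level of recursion that the parent make cannot recognise as such (no `$(MAKE)` in the recipe), which may show up as jobserver warnings under `make -j`; I am not certain the project runs it that way, so treat this as a suggestion.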