4 changes: 2 additions & 2 deletions .github/workflows/test-vulnerabilities-data.yml
Expand Up @@ -61,7 +61,7 @@ jobs:
"${{ github.event.pull_request.number }}" \
"${{ github.event.pull_request.html_url }}" \
"${{ github.run_id }}"

- name: Check for new vulnerabilities in Scout and Trivy files
if: always()
run: |
Expand All @@ -71,7 +71,7 @@ jobs:
cat scout_new_vulnerabilities.csv
exit 1 # Fail the job if data exists
fi

# Check if Trivy vulnerabilities file is not empty
if [ -s "trivy_new_vulnerabilities.csv" ]; then
echo "Trivy vulnerabilities detected."
65 changes: 64 additions & 1 deletion scripts/scout_vulnerabilities_data.sh
Expand Up @@ -21,6 +21,69 @@ GITHUB_PR_LINK="$3"
GITHUB_RUN_ID="$4"
OLD_VULN_FILE="${5:-vulnerability_base_data.csv}"

# Function to install Docker Scout
install_docker_scout() {
echo "Installing Docker Scout..."
local attempts=0
while [ $attempts -lt 5 ]; do
echo "Attempt $((attempts + 1))..."
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
sh install-scout.sh &> install_scout_log.txt
Comment on lines +30 to +31


⚠️ Potential issue

Verify 'curl' command success before executing the installation script

Ensure that the 'curl' command successfully downloads the installation script before executing it to prevent errors from incomplete downloads.

Apply this diff to add an error check:

curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
+if [ $? -ne 0 ]; then
+    echo "Failed to download Docker Scout installation script."
+    exit 1
+fi
sh install-scout.sh &> install_scout_log.txt
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
sh install-scout.sh &> install_scout_log.txt
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
if [ $? -ne 0 ]; then
echo "Failed to download Docker Scout installation script."
exit 1
fi
sh install-scout.sh &> install_scout_log.txt

if [ $? -eq 0 ]; then
echo "Docker Scout installed successfully."
return 0
fi
echo "Attempt $((attempts + 1)) failed. Check install_scout_log.txt for details."
((attempts++))
sleep 2
done
echo "Error: Docker Scout installation failed after $attempts attempts."
exit 1
}

# Check if Docker is installed
if ! command -v docker &> /dev/null; then
echo "Error: Docker is not installed. Please install Docker and try again."
exit 1
fi

# Ensure Docker is running
if ! systemctl is-active --quiet docker; then
echo "Starting Docker..."
sudo systemctl start docker
fi
Comment on lines +51 to +54


🛠️ Refactor suggestion

Avoid using 'sudo' within scripts; handle Docker daemon status appropriately

Using sudo may prompt for passwords and is not recommended in scripts. Instead, check if the Docker daemon is running and inform the user if it isn't.

Apply this diff:

if ! systemctl is-active --quiet docker; then
     echo "Docker is not running. Please start Docker and try again."
     exit 1
fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if ! systemctl is-active --quiet docker; then
echo "Starting Docker..."
sudo systemctl start docker
fi
if ! systemctl is-active --quiet docker; then
echo "Docker is not running. Please start Docker and try again."
exit 1
fi


# Check if Docker Scout is installed
if ! command -v scout &> /dev/null; then
install_docker_scout
fi

# Prepare the output CSV file
CSV_OUTPUT_FILE="scout_vulnerabilities.csv"
rm -f "$CSV_OUTPUT_FILE"

# Extract the product name from the image name
case "$IMAGE" in
*appsmith/appsmith-ce:*) product_name="CE" ;;
*appsmith/appsmith-ee:*) product_name="EE" ;;
*appsmith/cloud-services:*) product_name="CLOUD" ;;
*) product_name="UNKNOWN" ;;
esac

# Fetch vulnerabilities and format the output correctly
docker scout cves "$IMAGE" | grep -E "✗ |CVE-" | awk -v product_name="$product_name" -F' ' '
{
# Check for valid vulnerability data and format it correctly
if ($2 != "" && $3 ~ /^CVE-/) {
# Extract severity level, CVE ID, and format output correctly
print $3","product_name",""SCOUT"","$2
}
}' | sort -u > "$CSV_OUTPUT_FILE"
Comment on lines +74 to +81


🛠️ Refactor suggestion

Use structured output for reliable parsing of vulnerabilities

Parsing command-line output is fragile. If available, use JSON output from docker scout cves for more reliable data extraction.

Example adjustment:

-docker scout cves "$IMAGE" | grep -E "✗ |CVE-" | awk -v product_name="$product_name" -F' ' '
-{
-    if ($2 != "" && $3 ~ /^CVE-/) {
-        print $3","product_name",""SCOUT"","$2
-    }
-}' | sort -u > "$CSV_OUTPUT_FILE"
+docker scout cves "$IMAGE" --output json | jq -r '.vulnerabilities[] | "\(.identifiers.CVE[0]),'"$product_name"',SCOUT,\(.severity)"' | sort -u > "$CSV_OUTPUT_FILE"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
docker scout cves "$IMAGE" | grep -E "✗ |CVE-" | awk -v product_name="$product_name" -F' ' '
{
# Check for valid vulnerability data and format it correctly
if ($2 != "" && $3 ~ /^CVE-/) {
# Extract severity level, CVE ID, and format output correctly
print $3","product_name",""SCOUT"","$2
}
}' | sort -u > "$CSV_OUTPUT_FILE"
docker scout cves "$IMAGE" --output json | jq -r '.vulnerabilities[] | "\(.identifiers.CVE[0]),'"$product_name"',SCOUT,\(.severity)"' | sort -u > "$CSV_OUTPUT_FILE"


# Check if the CSV output file is empty
[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: $IMAGE" > "$CSV_OUTPUT_FILE"

Comment on lines +84 to +85


⚠️ Potential issue

Avoid writing messages into CSV output files

Writing non-CSV messages into the CSV file can break downstream processing. Handle the case separately without altering the CSV file.

Apply this diff:

# Check if the CSV output file is empty
-[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: $IMAGE" > "$CSV_OUTPUT_FILE"
+if [ ! -s "$CSV_OUTPUT_FILE" ]; then
+    echo "No vulnerabilities found for image: $IMAGE"
+fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: $IMAGE" > "$CSV_OUTPUT_FILE"
if [ ! -s "$CSV_OUTPUT_FILE" ]; then
echo "No vulnerabilities found for image: $IMAGE"
fi


# Compare each vulnerability with the database and store new ones in a CSV file
compare_and_store_vulns() {
local new_vulns_file="scout_new_vulnerabilities.csv"
Expand Down Expand Up @@ -68,4 +131,4 @@ if [ -s "$CSV_OUTPUT_FILE" ]; then
compare_and_store_vulns
else
echo "No vulnerabilities to process."
fi
fi
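Review bot: The scan pipeline `docker scout cves "$IMAGE" | grep -E "✗ |CVE-" | awk ... | sort -u > "$CSV_OUTPUT_FILE"` fails open: if `docker scout cves` exits non-zero (image pull or auth failure, plugin missing) the pipeline's status is that of `sort`, the CSV comes out empty, and the next line turns that into "No vulnerabilities found", so a broken scanner passes the gate that the workflow file enforces. Unless `set -o pipefail` is enabled in the script header (which is outside this hunk), capture the scanner's status explicitly, e.g. `docker scout cves "$IMAGE" > scout_raw.txt || { echo "Error: docker scout cves failed for $IMAGE" >&2; exit 1; }` and run the grep/awk stage over that file. Separately, `install_docker_scout` fetches `install.sh` from the repository's `main` branch and runs it unverified; pinning to a tagged release and verifying its published checksum before `sh install-scout.sh` would close the supply-chain gap that the existing curl-status comment does not cover. The presence check `command -v scout` also looks for a standalone `scout` executable while the scan invokes the `docker scout` subcommand; if the installer provides a Docker CLI plugin rather than a `scout` binary, that check never succeeds and the installer re-runs on every invocation, which is worth confirming.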
3 changes: 1 addition & 2 deletions scripts/trivy_vulnerabilities_data.sh
Expand Up @@ -88,7 +88,6 @@ else
echo "No vulnerabilities found." > "$NEW_VULN_FILE"
fi


# Compare each vulnerability with the database and store new ones in a CSV file
compare_and_store_vulns() {
local new_vulns_file="trivy_new_vulnerabilities.csv"
Expand Down Expand Up @@ -154,4 +153,4 @@ else
fi

# Cleanup
rm -f "trivy_vulnerabilities.json"
rm -f "trivy_vulnerabilities.json"