From 4466be0ef3137fe6d0ad830b9fff33381b4196ac Mon Sep 17 00:00:00 2001 From: holysoles Date: Mon, 28 Apr 2025 13:26:56 -0500 Subject: [PATCH 1/4] fix: skip trivy builds for 386, not everything else Signed-off-by: holysoles --- scripts/image_scan.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/image_scan.sh b/scripts/image_scan.sh index 09169519f07f..676e2700720b 100755 --- a/scripts/image_scan.sh +++ b/scripts/image_scan.sh @@ -10,7 +10,7 @@ fi ARCH=$2 # skipping image scan for 32 bits image since trivy dropped support for those https://github.com/aquasecurity/trivy/discussions/4789 -if [[ "${ARCH}" = "arm" ]] || [ "${ARCH}" != "386" ]; then +if [[ "${ARCH}" = "arm" ]] || [ "${ARCH}" = "386" ]; then exit 0 fi From 6543a4cafd8b5d80e7a00b1df7b1f884bf461b64 Mon Sep 17 00:00:00 2001 From: holysoles Date: Mon, 28 Apr 2025 13:27:18 -0500 Subject: [PATCH 2/4] fix: Trivy download into dapper container is skipped Signed-off-by: holysoles --- Dockerfile.dapper | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile.dapper b/Dockerfile.dapper index 4668875e2a72..c0763e84e8e9 100644 --- a/Dockerfile.dapper +++ b/Dockerfile.dapper @@ -28,8 +28,8 @@ RUN case "$(go env GOARCH)" in \ amd64) TRIVY_ARCH="64bit" ;; \ s390x) TRIVY_ARCH="s390x" ;; \ *) TRIVY_ARCH="" ;; \ - esac -RUN if [ -n "${TRIVY_ARCH}" ]; then \ + esac && \ + if [ -n "${TRIVY_ARCH}" ]; then \ wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-${TRIVY_ARCH}.tar.gz" \ && tar -zxvf "trivy_${TRIVY_VERSION}_Linux-${TRIVY_ARCH}.tar.gz" \ && mv trivy /usr/local/bin; \ From eec1580fe9bbc2ba09b22e1a06daa81027423521 Mon Sep 17 00:00:00 2001 From: holysoles Date: Wed, 30 Apr 2025 22:26:24 -0500 Subject: [PATCH 3/4] only run trivy if executable is available Signed-off-by: holysoles --- scripts/image_scan.sh | 11 +++++------ scripts/package-image | 2 +- 2 files changed, 6 insertions(+), 7 deletions(-) 
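Review bot: The trivy tarball fetched by the `wget` in this RUN is unpacked with `tar` and moved into `/usr/local/bin` without any integrity check, so the scanner binary is trusted on the strength of the HTTPS download alone. Consider pinning a SHA-256 per architecture next to `TRIVY_VERSION` and verifying it before extraction, for example `&& echo "${TRIVY_SHA256}  trivy_${TRIVY_VERSION}_Linux-${TRIVY_ARCH}.tar.gz" | sha256sum -c - \` placed between the `wget` and `tar` lines. `TRIVY_SHA256` is a placeholder name, not an existing build arg, and this assumes `sha256sum` is present in the base image. The RUN instruction starts above the hunk and its closing `fi` is below it, so this is based on the visible lines only.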
diff --git a/scripts/image_scan.sh b/scripts/image_scan.sh index 676e2700720b..34cabc7ca1ef 100755 --- a/scripts/image_scan.sh +++ b/scripts/image_scan.sh @@ -2,15 +2,14 @@ set -e -if [ -z $1 ] && [ -z $2 ]; then - echo "error: image name and arch name are required as arguments. exiting..." +if [ -z $1 ]; then + echo "error: image name is required as argument. exiting..." exit 1 fi -ARCH=$2 - -# skipping image scan for 32 bits image since trivy dropped support for those https://github.com/aquasecurity/trivy/discussions/4789 -if [[ "${ARCH}" = "arm" ]] || [ "${ARCH}" = "386" ]; then +# we wont have trivy installed if its an unsupported arch +if [ -z "$(which trivy)" ]; then + echo "warning: trivy scan being skipped since 'trivy' executable not found in path" exit 0 fi diff --git a/scripts/package-image b/scripts/package-image index 9ae43e58b76f..478f66aaabc7 100755 --- a/scripts/package-image +++ b/scripts/package-image @@ -19,5 +19,5 @@ PROXY_OPTS= [ -z "$https_proxy" ] || PROXY_OPTS="$PROXY_OPTS --build-arg https_proxy=$https_proxy" [ -z "$no_proxy" ] || PROXY_OPTS="$PROXY_OPTS --build-arg no_proxy=$no_proxy" docker build ${PROXY_OPTS} --build-arg DRONE_TAG=${VERSION_TAG} -t ${IMAGE} -f package/Dockerfile . -./scripts/image_scan.sh ${IMAGE} ${ARCH} +./scripts/image_scan.sh ${IMAGE} echo Built ${IMAGE} From 35d7896870533313c403b5be59a91e6ccb98f468 Mon Sep 17 00:00:00 2001 From: Derek Nola Date: Fri, 30 May 2025 11:16:35 -0700 Subject: [PATCH 4/4] Fix master rebase Signed-off-by: Derek Nola --- scripts/package-image | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/package-image b/scripts/package-image index 5f0b20e37675..e96ad1739205 100755 --- a/scripts/package-image +++ b/scripts/package-image 
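Review bot: The new `which trivy` guard in scripts/image_scan.sh makes the scan fail open, because any build where trivy is missing now exits 0 with only a warning. That includes supported architectures where the install in Dockerfile.dapper silently broke, which is the situation PATCH 2/4 of this series repairs, so a skipped vulnerability scan would no longer fail the build. I would keep the architecture argument (and the `${ARCH}` at the call site in scripts/package-image), skip only for the architectures the removed check already listed, and exit non-zero otherwise. `command -v` is also more portable than `which`, and the diagnostics belong on stderr. The script continues past the end of the hunk.

```shell
# … unchanged: image-name argument check …
ARCH=$2

if ! command -v trivy >/dev/null 2>&1; then
  case "${ARCH}" in
    arm|386)
      # no trivy build is installed for these architectures, so skipping is expected
      echo "warning: trivy scan being skipped since 'trivy' executable not found in path" >&2
      exit 0
      ;;
    *)
      echo "error: 'trivy' executable not found in path for arch '${ARCH}'" >&2
      exit 1
      ;;
  esac
fi
```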
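Review bot: `${IMAGE}` is expanded unquoted on the new `./scripts/image_scan.sh ${IMAGE}` line in scripts/package-image, and the script's own guard `[ -z $1 ]` in the image_scan.sh hunk of this patch is unquoted as well. IMAGE is assembled from REPO, IMAGE_NAME and TAG, which can come from the environment, so a value containing whitespace or glob characters would be split into extra arguments. The scan could then run against a different name than the image that was built. I would write `./scripts/image_scan.sh "${IMAGE}"` and `if [ -z "$1" ]; then`. The same applies to the `docker build … -t ${IMAGE}` line rewritten in PATCH 4/4.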
@@ -14,6 +14,6 @@ REPO=${REPO:-rancher} IMAGE_NAME=${IMAGE_NAME:-k3s} IMAGE=${REPO}/${IMAGE_NAME}:${TAG} -docker build ${PROXY_OPTS} --build-arg DRONE_TAG=${VERSION_TAG} -t ${IMAGE} -f package/Dockerfile . +docker build --build-arg DRONE_TAG=${VERSION_TAG} -t ${IMAGE} -f package/Dockerfile . ./scripts/image_scan.sh ${IMAGE} echo Built ${IMAGE}