sast-snyk-check: increased version to 0.3 #1359
@jsztuka Would you mind giving a review for this?

@jsztuka Does the 👍🏻 mean that it looks good and nothing needs to be modified?

@jsztuka Could you please approve the 6 workflows that are awaiting approval?

Will update lint problems in the following commit adding false positives filtering...
Although the MR is finished, I will look for ProdSec feedback before taking this out from draft.
kdudka
left a comment
@jperezdealgaba I can see that we still print the full SARIF file into the CI log, which is not very user-friendly and will cause problems on tasks that produce too many results. I would suggest invoking csgrep --mode=evtstat instead to provide a useful summary for end users. In case we are filtering false positives, we can run the command twice to record the number of findings that were excluded from the results.

@kdudka The SARIF output is no longer shown and the results are shown in

@kdudka I updated the container image, I added the
kdudka
left a comment
@jperezdealgaba The latest changes look good.
```shell
# In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context
(cd "$SOURCE_CODE_DIR" && csgrep --mode=json --embed-context=3 "/var/workdir"/hacbs/"$(context.task.name)"/sast_snyk_check_out.json) |
csgrep --mode=json --strip-path-prefix="source/" \
>sast_snyk_check_out_all_findings.json
```
@kdudka FYI: The missing space in this line is being introduced by the *-ta CI pipeline. It seems that some cases are not covered by the script.
@jperezdealgaba @lcarva @zregvart Why do we maintain two copies of the task description? The first paragraph is identical (although formatted differently). The steps to obtain Snyk token and Snyk binary are in the
diff --git a/task/sast-snyk-check-oci-ta/0.3/recipe.yaml b/task/sast-snyk-check-oci-ta/0.3/recipe.yaml
index 4a6e4544..afec045d 100644
--- a/task/sast-snyk-check-oci-ta/0.3/recipe.yaml
+++ b/task/sast-snyk-check-oci-ta/0.3/recipe.yaml
@@ -3,23 +3,6 @@ base: ../../sast-snyk-check/0.3/sast-snyk-check.yaml
add:
- use-source
- use-cachi2
-description: >-
- Scans source code for security vulnerabilities, including common issues such as SQL injection,
- cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application
- Security Testing (SAST) tool.
-
-
- Follow the steps given
- [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)
- to obtain a snyk-token and to enable the snyk task in a Pipeline.
-
-
- The snyk binary used in this Task comes from a container image defined in
- https://github.com/konflux-ci/konflux-test
-
-
- See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk
- tool.
preferStepTemplate: true
removeWorkspaces:
- workspace
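Review bot: with the `description:` block removed from recipe.yaml, the generated sast-snyk-check-oci-ta task takes its description from `base: ../../sast-snyk-check/0.3/sast-snyk-check.yaml`, so the two copies can no longer drift apart; since the `*-ta` CI pipeline regenerates the trailer task from this recipe, make sure the regenerated sast-snyk-check-oci-ta YAML is part of the same pull request so its description matches the base task's new text.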
diff --git a/task/sast-snyk-check/0.3/sast-snyk-check.yaml b/task/sast-snyk-check/0.3/sast-snyk-check.yaml
index ad0ee3ec..cd82225c 100644
--- a/task/sast-snyk-check/0.3/sast-snyk-check.yaml
+++ b/task/sast-snyk-check/0.3/sast-snyk-check.yaml
@@ -9,7 +9,22 @@ metadata:
name: sast-snyk-check
spec:
description: >-
- Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.
+ Scans source code for security vulnerabilities, including common issues such as SQL injection,
+ cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application
+ Security Testing (SAST) tool.
+
+
+ Follow the steps given
+ [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)
+ to obtain a snyk-token and to enable the snyk task in a Pipeline.
+
+
+ The snyk binary used in this Task comes from a container image defined in
+ https://github.com/konflux-ci/konflux-test
+
+
+ See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk
+ tool.
results:
- description: Tekton task test output.
name: TEST_OUTPUT |
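Review bot: the description is a folded scalar (`>-`), so the pairs of blank lines between the paragraphs are what produce the paragraph breaks and should be kept; however, the Markdown link `[here](https://redhat-appstudio.github.io/...)` will be shown as literal brackets wherever the Tekton task description is displayed as plain text (for example in `tkn task describe` output), so consider writing the URL out on its own line as is already done for the konflux-test and snyk.io links in the same block.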
@kdudka Just tested it and technically it is possible. It would be one small change to the

@kdudka because the descriptions often differ, if you do not need to modify the description don't specify it in the

@zregvart Thanks for confirmation! That is exactly what the above patch does. @jperezdealgaba Could you please apply it in this pull request?

The changes have been added

Just rebased the branch

Now is your chance, you can merge it.

@jsztuka I tried to merge it but it seems that I don't have access.
Solves: https://issues.redhat.com/browse/OSH-737 In this version, the severity-threshold argument is introduced and enabled by default to high and the results are parsed with csgrep to be uploaded with the fingerprint. Also, results are filtered using the newly introduced csfilter-kfp and KFP_GIT_URL variable and known false positives won't be shown.
Resolves: https://issues.redhat.com/browse/OSH-737
In this version, the severity-threshold argument is introduced and enabled by default to high and the results are parsed with csgrep to be uploaded with the fingerprint. This MR needs to be merged after this one: konflux-ci/konflux-test#292
All changes have been discussed in the provided Jira tracker.
@konflux-team, we created this as a draft PR in order to gather feedback from you. Would this be acceptable? Is something else needed? ...
Before you complete this pull request ...
Look for any open pull requests in the repository with the title "e2e-tests update" and
see if there are recent e2e-tests updates that will be applicable to your change.
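The review comment above asks for a csgrep --mode=evtstat style summary instead of dumping the whole SARIF file into the CI log, with a second pass that records how many findings were excluded as false positives, and the pull request description adds a severity-threshold (defaulting to high) and csfilter-kfp filtering against a KFP_GIT_URL list. The Python below is an added example, not code from this pull request or from the konflux-ci repositories, that reproduces that flow on a constructed SARIF document: it parses the results, prints per-severity counts rather than the raw SARIF, applies the threshold, drops entries found in a known-false-positive list and reports how many were excluded. The SARIF sample, the level-to-severity mapping and the known-false-positive list are all assumptions made for illustration; csgrep's and csfilter-kfp's real matching rules are not reproduced.

```python
import json
from collections import Counter

# Assumption for this example: SARIF "level" values mapped onto Snyk-style
# severities so that a threshold such as "high" can be applied to them.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def _result(rule, level, uri, line):
    """Build one SARIF result object (helper for the constructed sample only)."""
    return {
        "ruleId": rule,
        "level": level,
        "message": {"text": f"{rule} at {uri}:{line}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line},
        }}],
    }


# Constructed SARIF 2.1.0 document standing in for sast_snyk_check_out.json.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "SnykCode"}},
        "results": [
            _result("javascript/Sqli", "error", "src/db.js", 42),
            _result("javascript/Xss", "error", "src/render.js", 10),
            _result("javascript/HardcodedSecret", "warning", "src/config.js", 3),
            _result("javascript/Sqli", "error", "test/fixtures/db.js", 7),
        ],
    }],
})

# Constructed known-false-positive list; a real KFP_GIT_URL repository would
# hold such entries in whatever format csfilter-kfp expects.
KNOWN_FALSE_POSITIVES = [
    {"rule": "javascript/Sqli", "path": "test/fixtures/db.js"},
]


def parse_findings(sarif_text):
    """Flatten SARIF runs/results into small records carrying a severity label."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            loc = result["locations"][0]["physicalLocation"]
            findings.append({
                "rule": result["ruleId"],
                "severity": LEVEL_TO_SEVERITY.get(result.get("level"), "low"),
                "path": loc["artifactLocation"]["uri"],
                "line": loc["region"]["startLine"],
            })
    return findings


def summarize(findings):
    """Per-severity counts: the kind of summary a stats mode prints instead of raw SARIF."""
    return dict(Counter(f["severity"] for f in findings))


def apply_threshold(findings, threshold="high"):
    """Keep only findings whose severity is at or above the threshold."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


def drop_known_false_positives(findings, kfp):
    """Exclude (rule, path) pairs listed as known false positives; return kept list and count dropped."""
    keys = {(entry["rule"], entry["path"]) for entry in kfp}
    kept = [f for f in findings if (f["rule"], f["path"]) not in keys]
    return kept, len(findings) - len(kept)


def report(sarif_text, kfp=KNOWN_FALSE_POSITIVES, threshold="high"):
    """Summary before and after filtering, plus how many findings each filter removed."""
    all_findings = parse_findings(sarif_text)
    above = apply_threshold(all_findings, threshold)
    kept, excluded = drop_known_false_positives(above, kfp)
    return {
        "all": summarize(all_findings),
        "below_threshold": len(all_findings) - len(above),
        "excluded_as_known_false_positive": excluded,
        "reported": summarize(kept),
        "findings": kept,
    }


if __name__ == "__main__":
    # The CI log gets this short summary rather than the full SARIF document.
    print(json.dumps(report(SAMPLE_SARIF), indent=2))
```

Running the module prints a summary of four findings (three high, one medium), one dropped by the high threshold and one excluded as a known false positive, leaving two reported; the counts of excluded findings are kept in the output so reviewers can see what the filters removed without the full SARIF being logged.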