add openshift-ci-security workflow to OCP storage repos #47618

dobsonj · 2024-01-12T23:36:13Z

This adds the snyk security scan as a presubmit job. It should pass (if we successfully ignored all false positives).

Also some cleanup around storage owners.

make storage-approvers and storage-reviewers consistent
update storage team members for backport-risk-assessed label
add openshift-ci-security workflow to OCP storage repos

/cc @openshift/storage

openshift-ci · 2024-01-12T23:36:19Z

@dobsonj: GitHub didn't allow me to request PR reviews from the following users: openshift/storage.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

This adds the snyk security scan as a presubmit job. It should pass (if we successfully ignored all false positives).

Also some cleanup around storage owners.

make storage-approvers and storage-reviewers consistent

update storage team members for backport-risk-assessed label

add openshift-ci-security workflow to OCP storage repos

/cc @openshift/storage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

dobsonj · 2024-01-12T23:39:24Z

/pj-rehearse max

dobsonj · 2024-01-16T15:53:29Z

/hold to fix these issues before merging this

dobsonj · 2024-01-18T19:14:10Z

I opened PR's to ignore most of the false positives:
openshift/vmware-vsphere-csi-driver-operator#213
openshift/azure-file-csi-driver#52
openshift/azure-disk-csi-driver#74
openshift/csi-external-attacher#70
openshift/csi-external-provisioner#88
openshift/gcp-pd-csi-driver#58
openshift/aws-efs-csi-driver#66
openshift/vmware-vsphere-csi-driver#112
openshift/secrets-store-csi-driver#13
openshift/local-storage-operator#465
openshift/gcp-filestore-csi-driver#30
openshift/csi-node-driver-registrar#64
After those merge, I'll run the rehearsals again and it should be better.
gcp-filestore-csi-driver and node-driver-registrar will still report some issues under pkg and cmd, so I've set those to always_run=false until we can get a fix merged for those.

dobsonj · 2024-01-19T22:13:44Z

/pj-rehearse max

dobsonj · 2024-01-20T00:27:25Z

/unhold

dobsonj · 2024-01-20T04:29:50Z

/retest

dobsonj · 2024-01-20T05:10:38Z

/pj-rehearse pull-ci-openshift-local-storage-operator-master-security
/pj-rehearse pull-ci-openshift-gcp-filestore-csi-driver-master-security

duanwei33 · 2024-01-22T09:26:42Z

/pj-rehearse pull-ci-openshift-cluster-storage-operator-master-e2e-openstack
/pj-rehearse pull-ci-openshift-csi-node-driver-registrar-master-security

openshift-ci-robot · 2024-01-22T09:28:26Z

@duanwei33, pj-rehearse: unable prepare a candidate for rehearsal; rehearsals will not be run. This could be due to a branch that needs to be rebased. ERROR:

couldn't rebase candidate onto master: %!w(<nil>)

dobsonj · 2024-01-22T18:32:08Z

/pj-rehearse max

dobsonj · 2024-01-22T21:14:35Z

Just the known issues remain, and those need to be fixed upstream.
/pj-rehearse ack
/assign @jsafrane

The openshift-ci-security workflow exposed some false-positives in upstream code for gcp-filestore-csi-driver and node-driver-registrar. Set this job to always_run=false until we can get the issue fixed and this job passes consistently.

openshift-ci-robot · 2024-01-23T16:23:33Z

[REHEARSALNOTIFIER]
@dobsonj: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-ibm-vpc-block-csi-driver-operator-master-security	openshift/ibm-vpc-block-csi-driver-operator	presubmit	Presubmit changed
pull-ci-openshift-gcp-pd-csi-driver-operator-master-security	openshift/gcp-pd-csi-driver-operator	presubmit	Presubmit changed
pull-ci-openshift-local-storage-operator-master-security	openshift/local-storage-operator	presubmit	Presubmit changed
pull-ci-openshift-gcp-filestore-csi-driver-master-security	openshift/gcp-filestore-csi-driver	presubmit	Presubmit changed
pull-ci-openshift-csi-node-driver-registrar-master-security	openshift/csi-node-driver-registrar	presubmit	Presubmit changed
pull-ci-openshift-azure-file-csi-driver-operator-main-security	openshift/azure-file-csi-driver-operator	presubmit	Presubmit changed
pull-ci-openshift-vsphere-problem-detector-master-security	openshift/vsphere-problem-detector	presubmit	Presubmit changed
pull-ci-openshift-csi-external-provisioner-master-security	openshift/csi-external-provisioner	presubmit	Presubmit changed
pull-ci-openshift-aws-efs-csi-driver-master-security	openshift/aws-efs-csi-driver	presubmit	Presubmit changed
pull-ci-openshift-aws-efs-csi-driver-operator-master-security	openshift/aws-efs-csi-driver-operator	presubmit	Presubmit changed
pull-ci-openshift-gcp-filestore-csi-driver-operator-main-security	openshift/gcp-filestore-csi-driver-operator	presubmit	Presubmit changed
pull-ci-openshift-azure-file-csi-driver-master-security	openshift/azure-file-csi-driver	presubmit	Presubmit changed
pull-ci-openshift-azure-disk-csi-driver-master-security	openshift/azure-disk-csi-driver	presubmit	Presubmit changed
pull-ci-openshift-gcp-pd-csi-driver-master-security	openshift/gcp-pd-csi-driver	presubmit	Presubmit changed
pull-ci-openshift-csi-external-attacher-master-security	openshift/csi-external-attacher	presubmit	Presubmit changed
pull-ci-openshift-cluster-csi-snapshot-controller-operator-master-security	openshift/cluster-csi-snapshot-controller-operator	presubmit	Presubmit changed
pull-ci-openshift-secrets-store-csi-driver-main-security	openshift/secrets-store-csi-driver	presubmit	Presubmit changed
pull-ci-openshift-ibm-vpc-block-csi-driver-master-security	openshift/ibm-vpc-block-csi-driver	presubmit	Presubmit changed
pull-ci-openshift-vmware-vsphere-csi-driver-master-security	openshift/vmware-vsphere-csi-driver	presubmit	Presubmit changed
pull-ci-openshift-cluster-storage-operator-master-e2e-aws-csi	openshift/cluster-storage-operator	presubmit	Presubmit changed
pull-ci-openshift-cluster-storage-operator-master-e2e-aws-shared-resources	openshift/cluster-storage-operator	presubmit	Presubmit changed
pull-ci-openshift-cluster-storage-operator-master-e2e-gcp-csi	openshift/cluster-storage-operator	presubmit	Presubmit changed
pull-ci-openshift-cluster-storage-operator-master-e2e-openstack	openshift/cluster-storage-operator	presubmit	Presubmit changed
pull-ci-openshift-cluster-storage-operator-master-e2e-openstack-parallel	openshift/cluster-storage-operator	presubmit	Presubmit changed
pull-ci-openshift-cluster-storage-operator-master-security	openshift/cluster-storage-operator	presubmit	Presubmit changed

A total of 27 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse abort to abort all active rehearsals

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

dobsonj · 2024-01-23T16:45:54Z

/test check-gh-automation-tide
/pj-rehearse ack

mpatlasov · 2024-01-23T16:56:32Z

/lgtm
/approve

dobsonj · 2024-01-23T22:14:58Z

/assign @deepsm007
for approval on owners file change

smg247 · 2024-01-24T18:00:58Z

/approve

openshift-ci · 2024-01-24T18:01:23Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dobsonj, mpatlasov, smg247

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [smg247]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci · 2024-01-24T18:26:51Z

@dobsonj: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci · 2024-01-24T18:30:55Z

@dobsonj: Updated the plugins configmap in namespace ci at cluster app.ci using the following files:

key core-services-prow-02_config-openshift-alibaba-cloud-csi-driver-_pluginconfig.yaml using file core-services/prow/02_config/openshift/alibaba-cloud-csi-driver/_pluginconfig.yaml
key core-services-prow-02_config-openshift-alibaba-disk-csi-driver-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/alibaba-disk-csi-driver-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-aws-ebs-csi-driver-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/aws-ebs-csi-driver-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-aws-ebs-csi-driver-_pluginconfig.yaml using file core-services/prow/02_config/openshift/aws-ebs-csi-driver/_pluginconfig.yaml
key core-services-prow-02_config-openshift-aws-efs-csi-driver-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/aws-efs-csi-driver-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-aws-efs-csi-driver-_pluginconfig.yaml using file core-services/prow/02_config/openshift/aws-efs-csi-driver/_pluginconfig.yaml
key core-services-prow-02_config-openshift-aws-efs-utils-_pluginconfig.yaml using file core-services/prow/02_config/openshift/aws-efs-utils/_pluginconfig.yaml
key core-services-prow-02_config-openshift-azure-disk-csi-driver-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/azure-disk-csi-driver-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-azure-disk-csi-driver-_pluginconfig.yaml using file core-services/prow/02_config/openshift/azure-disk-csi-driver/_pluginconfig.yaml
key core-services-prow-02_config-openshift-azure-file-csi-driver-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/azure-file-csi-driver-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-azure-file-csi-driver-_pluginconfig.yaml using file core-services/prow/02_config/openshift/azure-file-csi-driver/_pluginconfig.yaml
key core-services-prow-02_config-openshift-cluster-csi-snapshot-controller-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/cluster-csi-snapshot-controller-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-cluster-storage-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/cluster-storage-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-csi-external-attacher-_pluginconfig.yaml using file core-services/prow/02_config/openshift/csi-external-attacher/_pluginconfig.yaml
key core-services-prow-02_config-openshift-csi-external-provisioner-_pluginconfig.yaml using file core-services/prow/02_config/openshift/csi-external-provisioner/_pluginconfig.yaml
key core-services-prow-02_config-openshift-csi-external-resizer-_pluginconfig.yaml using file core-services/prow/02_config/openshift/csi-external-resizer/_pluginconfig.yaml
key core-services-prow-02_config-openshift-csi-external-snapshotter-_pluginconfig.yaml using file core-services/prow/02_config/openshift/csi-external-snapshotter/_pluginconfig.yaml
key core-services-prow-02_config-openshift-csi-livenessprobe-_pluginconfig.yaml using file core-services/prow/02_config/openshift/csi-livenessprobe/_pluginconfig.yaml
key core-services-prow-02_config-openshift-csi-node-driver-registrar-_pluginconfig.yaml using file core-services/prow/02_config/openshift/csi-node-driver-registrar/_pluginconfig.yaml
key core-services-prow-02_config-openshift-csi-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/csi-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-gcp-filestore-csi-driver-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/gcp-filestore-csi-driver-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-gcp-filestore-csi-driver-_pluginconfig.yaml using file core-services/prow/02_config/openshift/gcp-filestore-csi-driver/_pluginconfig.yaml
key core-services-prow-02_config-openshift-gcp-pd-csi-driver-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/gcp-pd-csi-driver-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-gcp-pd-csi-driver-_pluginconfig.yaml using file core-services/prow/02_config/openshift/gcp-pd-csi-driver/_pluginconfig.yaml
key core-services-prow-02_config-openshift-ibm-vpc-block-csi-driver-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/ibm-vpc-block-csi-driver-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-ibm-vpc-block-csi-driver-_pluginconfig.yaml using file core-services/prow/02_config/openshift/ibm-vpc-block-csi-driver/_pluginconfig.yaml
key core-services-prow-02_config-openshift-ibm-vpc-node-label-updater-_pluginconfig.yaml using file core-services/prow/02_config/openshift/ibm-vpc-node-label-updater/_pluginconfig.yaml
key core-services-prow-02_config-openshift-local-storage-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/local-storage-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-secrets-store-csi-driver-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/secrets-store-csi-driver-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-secrets-store-csi-driver-_pluginconfig.yaml using file core-services/prow/02_config/openshift/secrets-store-csi-driver/_pluginconfig.yaml
key core-services-prow-02_config-openshift-sig-storage-local-static-provisioner-_pluginconfig.yaml using file core-services/prow/02_config/openshift/sig-storage-local-static-provisioner/_pluginconfig.yaml
key core-services-prow-02_config-openshift-vmware-vsphere-csi-driver-operator-_pluginconfig.yaml using file core-services/prow/02_config/openshift/vmware-vsphere-csi-driver-operator/_pluginconfig.yaml
key core-services-prow-02_config-openshift-vmware-vsphere-csi-driver-_pluginconfig.yaml using file core-services/prow/02_config/openshift/vmware-vsphere-csi-driver/_pluginconfig.yaml
key core-services-prow-02_config-openshift-vsphere-problem-detector-_pluginconfig.yaml using file core-services/prow/02_config/openshift/vsphere-problem-detector/_pluginconfig.yaml

Details

In response to this:

This adds the snyk security scan as a presubmit job. It should pass (if we successfully ignored all false positives).

Also some cleanup around storage owners.

make storage-approvers and storage-reviewers consistent

update storage team members for backport-risk-assessed label

add openshift-ci-security workflow to OCP storage repos

/cc @openshift/storage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

) * make storage-approvers and storage-reviewers consistent * update storage team members for backport-risk-assessed label * add openshift-ci-security workflow to OCP storage repos * security: always_run=false for gcp-filestore and node-driver-registrar The openshift-ci-security workflow exposed some false-positives in upstream code for gcp-filestore-csi-driver and node-driver-registrar. Set this job to always_run=false until we can get the issue fixed and this job passes consistently.

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 16, 2024

dobsonj force-pushed the ocp-storage-security-presubmits branch from 4dfd83a to 227d6a1 Compare January 19, 2024 21:52

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 20, 2024

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 22, 2024

dobsonj force-pushed the ocp-storage-security-presubmits branch from 227d6a1 to 6bb1cfe Compare January 22, 2024 18:29

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 22, 2024

openshift-ci bot assigned jsafrane Jan 22, 2024

openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jan 22, 2024

dobsonj added 4 commits January 23, 2024 09:03

make storage-approvers and storage-reviewers consistent

2f3707d

update storage team members for backport-risk-assessed label

1d45253

add openshift-ci-security workflow to OCP storage repos

d821ed7

dobsonj force-pushed the ocp-storage-security-presubmits branch from 6bb1cfe to f556692 Compare January 23, 2024 16:05

openshift-ci-robot removed the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jan 23, 2024

openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jan 23, 2024

openshift-ci bot assigned mpatlasov Jan 23, 2024

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 23, 2024

openshift-ci bot assigned deepsm007 Jan 23, 2024

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 24, 2024

openshift-merge-bot bot merged commit 7a1df5a into openshift:master Jan 24, 2024

add openshift-ci-security workflow to OCP storage repos #47618

add openshift-ci-security workflow to OCP storage repos #47618

Uh oh!

Conversation

dobsonj commented Jan 12, 2024

Uh oh!

openshift-ci bot commented Jan 12, 2024

Uh oh!

dobsonj commented Jan 12, 2024

Uh oh!

dobsonj commented Jan 16, 2024

Uh oh!

dobsonj commented Jan 18, 2024

Uh oh!

dobsonj commented Jan 19, 2024

Uh oh!

dobsonj commented Jan 20, 2024

Uh oh!

dobsonj commented Jan 20, 2024

Uh oh!

dobsonj commented Jan 20, 2024

Uh oh!

duanwei33 commented Jan 22, 2024

Uh oh!

openshift-ci-robot commented Jan 22, 2024

Uh oh!

dobsonj commented Jan 22, 2024

Uh oh!

dobsonj commented Jan 22, 2024

Uh oh!

openshift-ci-robot commented Jan 23, 2024

Uh oh!

dobsonj commented Jan 23, 2024

Uh oh!

mpatlasov commented Jan 23, 2024

Uh oh!

dobsonj commented Jan 23, 2024

Uh oh!

smg247 commented Jan 24, 2024

Uh oh!

openshift-ci bot commented Jan 24, 2024

Uh oh!

openshift-ci bot commented Jan 24, 2024

Uh oh!

openshift-ci bot commented Jan 24, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants