From dc378e31e9ad2f868e14f4a29036f6a2068c6577 Mon Sep 17 00:00:00 2001
From: Cees-Jan Kiewiet
Date: Sat, 20 Feb 2021 22:19:43 +0100
Subject: [PATCH] Fail on failing CVE scan

---
 .github/workflows/ci.yml | 10 +++++-----
 Makefile | 6 ++++++
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a193be33..d03375ef 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ jobs:
 name: Generate Alpine
 shell: bash
 run: |
- echo "::set-output name=versions::[\"3.12\", \"3.11\", \"3.10\"]"
+ echo "::set-output name=versions::[\"3.13\", \"3.12\"]"
 supported-nginx-versions:
 name: Supported nginx versions
 runs-on: ubuntu-latest
@@ -43,7 +43,7 @@ jobs:
 name: Generate PHP
 shell: bash
 run: |
- echo "::set-output name=versions::[\"7.4\", \"7.3\", \"7.2\"]"
+ echo "::set-output name=versions::[\"7.4\", \"7.3\"]"
 php-type-matrix:
 name: PHP Type Matrix
 runs-on: ubuntu-latest
@@ -204,7 +204,7 @@ jobs:
 path: ./tmp
 - run: docker load --input ./tmp/image*.tar
 - run: mkdir -p "./clair/${DOCKER_IMAGE}"
- - run: make scan-vulnerability
+ - run: make ci-scan-vulnerability
 scan-vulnerability-http:
 name: Scan nginx ${{ matrix.nginx }} for vulnerabilities
 needs:
@@ -233,7 +233,7 @@ jobs:
 shell: bash
 - run: mkdir -p "./clair/${DOCKER_IMAGE}"
 shell: bash
- - run: make scan-vulnerability
+ - run: make ci-scan-vulnerability
 shell: bash
 scan-vulnerability-prometheus-exporter-file:
 name: Scan HTTP prometheus-exporter-file for vulnerabilities
@@ -258,7 +258,7 @@ jobs:
 path: ./tmp
 - run: docker load --input ./tmp/image*.tar
 - run: mkdir -p "./clair/${DOCKER_IMAGE}"
- - run: make scan-vulnerability
+ - run: make ci-scan-vulnerability
 test-php:
 name: Functionaly test PHP ${{ matrix.php }} for ${{ matrix.type }} on Alpine ${{ matrix.alpine }}
 needs:
diff --git a/Makefile b/Makefile
index 25d27f85..6d161f2c 100644
--- a/Makefile
+++ b/Makefile
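Review bot: Any report-upload step that follows `make ci-scan-vulnerability` in these jobs (here and in the hunks at @@ -233 and @@ -258) now needs `if: always()`, because a scan that finds something fails the step and a later step with the default condition would skip publishing the very `./tmp/clair/*.json` report needed to triage the finding; the upload steps themselves lie outside the hunk, so this is inferred from the Makefile side of the patch. The `mkdir -p "./clair/${DOCKER_IMAGE}"` line directly above the changed line creates a path that neither Makefile target writes to (both use `./tmp/clair/`); if it was meant to hold the scanner reports, the two paths have drifted and the directory is created for nothing.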
@@ -110,3 +110,9 @@ scan-vulnerability:
 mkdir -p ./tmp/clair/usabillabv
 cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log % || echo "% is vulnerable"'
 docker-compose -f test/security/docker-compose.yml -p clair-ci down
+
+ci-scan-vulnerability:
+ docker-compose -f test/security/docker-compose.yml -p clair-ci up -d
+ RETRIES=0 && while ! wget -T 10 -q -O /dev/null http://localhost:6060/v1/namespaces ; do sleep 1 ; echo -n "." ; if [ $${RETRIES} -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; RETRIES=$$(($${RETRIES}+1)) ; done
+ mkdir -p ./tmp/clair/usabillabv
+ cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log %'
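Review bot: The new `ci-scan-vulnerability` target never tears the Clair stack down — its sibling `scan-vulnerability` ends with `docker-compose -f test/security/docker-compose.yml -p clair-ci down`, while the new target stops after the `xargs` line, and since make aborts at the first failing recipe line a trailing `down` would be skipped exactly when the scan finds something; capture the status first, e.g. `cat ./tmp/build-*.tags | xargs -I % sh -c '…' ; status=$$? ; docker-compose -f test/security/docker-compose.yml -p clair-ci down ; exit $$status`. Removing `|| echo "% is vulnerable"` is what makes the gate bite, because `xargs` exits 123 once any per-image `clair-scanner` run fails while still scanning the remaining images, so a way to accept reviewed, unfixable findings (clair-scanner's whitelist file, `-w`) will be needed before the first unfixable CVE tempts someone to disable the check. The pipeline's exit status is `xargs`'s alone: if no `./tmp/build-*.tags` file exists, `cat`'s error is not propagated and the target can succeed having scanned nothing, so a preceding `ls ./tmp/build-*.tags >/dev/null` line would turn an empty build set into a failure. The two targets now duplicate the long scanner invocation; a `CLAIR_SCAN := clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log` variable used by both would keep them from drifting.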