From ac82b67389e663ca4a9b37a0d400aaada69adc84 Mon Sep 17 00:00:00 2001
From: Cees-Jan Kiewiet
Date: Sat, 20 Feb 2021 22:19:43 +0100
Subject: [PATCH] Restore failing when CVE scanner finds a vulnerability

During the migration to GitHub Actions in #160 this functionality was mistakenly and overzealously removed. Since PHP 8 and Alpine 3.13 are out and #166 has been filed, currently with a CVE for musl in it, this check should have failed as it is our goal to ship images without known CVE's in it. On my own PHP images the CVE checking fails and as such I was surprised that #166 didn't have any failures. Up on checking the CI logs it showed the musl CVE but the step didn't fail. This commit restores the original functionality and will make the CI once again fail when it finds a CVE in one of the images.

---
 .github/workflows/ci.yml | 6 +++---
 Makefile | 6 ++++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0ae0297..f0d92be 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -204,7 +204,7 @@ jobs:
 path: ./tmp
 - run: docker load --input ./tmp/image*.tar
 - run: mkdir -p "./clair/${DOCKER_IMAGE}"
- - run: make scan-vulnerability
+ - run: make ci-scan-vulnerability
 scan-vulnerability-http:
 name: Scan nginx ${{ matrix.nginx }} for vulnerabilities
 needs:
@@ -233,7 +233,7 @@ jobs:
 shell: bash
 - run: mkdir -p "./clair/${DOCKER_IMAGE}"
 shell: bash
- - run: make scan-vulnerability
+ - run: make ci-scan-vulnerability
 shell: bash
 scan-vulnerability-prometheus-exporter-file:
 name: Scan HTTP prometheus-exporter-file for vulnerabilities
@@ -258,7 +258,7 @@ jobs:
 path: ./tmp
 - run: docker load --input ./tmp/image*.tar
 - run: mkdir -p "./clair/${DOCKER_IMAGE}"
- - run: make scan-vulnerability
+ - run: make ci-scan-vulnerability
 test-php:
 name: Functionaly test PHP ${{ matrix.php }} for ${{ matrix.type }} on Alpine ${{ matrix.alpine }}
 needs:
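Review bot: The three hunks (at 204, 233 and 258) switch the scan step to `make ci-scan-vulnerability` without recording why CI needs a target distinct from the locally used `scan-vulnerability`, which is exactly the context that was lost when #160 dropped the failing behaviour; the enclosing `steps` lists begin outside each hunk. Add a comment above each changed step, e.g. `# ci-scan-vulnerability exits non-zero on any reported CVE; scan-vulnerability only logs (see #160)`, so the strict variant is not "tidied" back to the reporting one. Since the same target name now appears in three jobs, the comment could alternatively live once at the workflow level, but each step should still point at it.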
diff --git a/Makefile b/Makefile
index 40951a3..f2a8382 100644
--- a/Makefile
+++ b/Makefile
@@ -108,3 +108,9 @@ scan-vulnerability:
 mkdir -p ./tmp/clair/usabillabv
 cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log % || echo "% is vulnerable"'
 docker-compose -f test/security/docker-compose.yml -p clair-ci down
+
+ci-scan-vulnerability:
+ docker-compose -f test/security/docker-compose.yml -p clair-ci up -d
+ RETRIES=0 && while ! wget -T 10 -q -O /dev/null http://localhost:6060/v1/namespaces ; do sleep 1 ; echo -n "." ; if [ $${RETRIES} -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; RETRIES=$$(($${RETRIES}+1)) ; done
+ mkdir -p ./tmp/clair/usabillabv
+ cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log %'
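Review bot: The failure signal that this commit restores rests entirely on the exit status of the `cat ... | xargs -I % sh -c '...'` line in `ci-scan-vulnerability`: xargs keeps scanning the remaining tags after one scanner run fails and only then exits non-zero, which is what makes make fail the job, yet nothing in the recipe says so and the only visible difference from `scan-vulnerability` is the dropped `|| echo "% is vulnerable"`. Add a comment above that line, e.g. `# no "|| echo" fallback here: a non-zero clair-scanner exit propagates through xargs and fails the build`. The new target also repeats the compose start-up and readiness loop and, unlike `scan-vulnerability` (whose recipe begins outside the hunk), never runs `docker-compose ... down`, so the Clair stack is left running after the scan; if that is intended for a throw-away CI runner, say so in the same comment, otherwise the two recipes will drift as the loop is edited in one place only.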