test: full append
jason1028kr committed Jan 30, 2025
1 parent cdbdfd3 commit ad0cbea
Showing 3 changed files with 32 additions and 32 deletions.
32 changes: 16 additions & 16 deletions .pipelines/templates/.builder-release-template.yaml
Expand Up @@ -111,17 +111,18 @@ steps:
echo "##vso[task.setvariable variable=SKU_NAME]$SKU_NAME"
echo "Set SKU_NAME to $SKU_NAME"
displayName: Set SKU Name
# - bash: make -f packer.mk run-packer
# displayName: Build VHD
# retryCountOnTaskFailure: 3
# env:
# OS_TYPE: Linux
# GIT_VERSION: $(Build.SourceVersion)
# BRANCH: $(Build.SourceBranch)
# BUILD_NUMBER: $(Build.BuildNumber)
# BUILD_ID: $(Build.BuildId)
# BUILD_DEFINITION_NAME: $(Build.DefinitionName)
# UA_TOKEN: $(ua-token)
- bash: make -f packer.mk run-packer
displayName: Build VHD
retryCountOnTaskFailure: 3
env:
OS_TYPE: Linux
GIT_VERSION: $(Build.SourceVersion)
BRANCH: $(Build.SourceBranch)
BUILD_NUMBER: $(Build.BuildNumber)
BUILD_ID: $(Build.BuildId)
BUILD_DEFINITION_NAME: $(Build.DefinitionName)
UA_TOKEN: $(ua-token)

- bash: |
PACKER_VNET_RESOURCE_GROUP_NAME="$(cat vhdbuilder/packer/settings.json | grep "vnet_resource_group_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
Expand All @@ -137,11 +138,11 @@ steps:
echo "##vso[task.setvariable variable=SIG_IMAGE_NAME]${SIG_IMAGE_NAME}" && \
echo "##vso[task.setvariable variable=CAPTURED_SIG_VERSION]${CAPTURED_SIG_VERSION}" && \
echo "##vso[task.setvariable variable=IMPORTED_IMAGE_NAME]$(cat vhdbuilder/packer/settings.json | grep "imported_image_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
echo "##vso[task.setvariable variable=OS_DISK_URI]" && \
echo "##vso[task.setvariable variable=MANAGED_SIG_ID]/subscriptions/c4c3550e-a965-4993-a50c-628fd38cd3e1/resourceGroups/aksvhdtestbuildrg/providers/Microsoft.Compute/galleries/PackerSigGalleryEastUS/images/2204containerd/versions/1.1738120749.14404" && \
echo "##vso[task.setvariable variable=SIG_GALLERY_NAME]PackerSigGalleryEastUS" && \
echo "##vso[task.setvariable variable=OS_DISK_URI]$(cat packer-output | grep "OSDiskUri:" | cut -d " " -f 2)" && \
echo "##vso[task.setvariable variable=MANAGED_SIG_ID]$(cat packer-output | grep "ManagedImageSharedImageGalleryId:" | cut -d " " -f 2)" && \
echo "##vso[task.setvariable variable=SIG_GALLERY_NAME]$(cat vhdbuilder/packer/settings.json | grep "sig_gallery_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
echo "##vso[task.setvariable variable=PERFORMANCE_DATA_FILE]vhd-build-performance-data.json" && \
echo "##vso[task.setvariable variable=PKR_RG_NAME]aksvhdtestbuildrg" && \
echo "##vso[task.setvariable variable=PKR_RG_NAME]$(cat packer-output | grep "ResourceGroupName" | cut -d "'" -f 2 | head -1)" && \
echo "##vso[task.setvariable variable=IS_NOT_1804]$( [[ "${OS_VERSION}" != "18.04" ]] && echo true || echo false )" && \
echo "##vso[task.setvariable variable=OS_NAME]Linux" && \
echo "##vso[task.setvariable variable=OS_TYPE]Linux" && \
Expand Down Expand Up @@ -171,7 +172,6 @@ steps:
PACKER_VNET_NAME: $(PACKER_VNET_NAME)
SKIP_SCANNING: $(SKIP_SCANNING)
DRY_RUN: $(DRY_RUN)
DEFAULT_WORKING_DIRECTORY: $(System.DefaultWorkingDirectory)

- task: PublishPipelineArtifact@0
condition: always()
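Review bot: Dropping `DEFAULT_WORKING_DIRECTORY: $(System.DefaultWorkingDirectory)` from the env block in the last hunk looks inconsistent with vhd-scanning.sh in the same commit, which still builds `RELEASE_NOTES_FILEPATH="${DEFAULT_WORKING_DIRECTORY}/release-notes.txt"` and now exits 1 when that file is missing; unless the variable reaches that step some other way not visible here, the path degrades to `/release-notes.txt`. Either keep the line or set the variable where the scanning script is invoked. Separately, the restored `$(cat packer-output | grep ... | cut ...)` substitutions in the second hunk silently set an empty pipeline variable when packer-output lacks the key, so a `[ -n "..." ]` check on each extracted value would make a missing value fail in this step rather than surface later as a malformed resource id. The step these env entries belong to is defined outside the hunk.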
9 changes: 7 additions & 2 deletions vhdbuilder/packer/trivy-scan.sh
Expand Up @@ -42,6 +42,7 @@ export SYSTEM_TEAMPROJECT=${27}
export BUILD_BUILDID=${28}
export IMAGE_VERSION=${29}
CVE_DIFF_UPLOAD_REPORT_NAME=${30}
SCAN_RESOURCE_PREFIX=${31}

retrycmd_if_failure() {
retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
chmod a+x trivy

# pull vuln-to-kusto binary
MODULE_VERSION="v0.0.3-03a822ef770"
MODULE_VERSION="v0.0.3-a60608e7896"
az storage blob download --auth-mode login --account-name ${ACCOUNT_NAME} -c vuln-to-kusto \
--name ${MODULE_VERSION}/${MODULE_NAME}_linux_${GO_ARCH} \
--file ./${MODULE_NAME}
fi
done

./vuln-to-kusto-vhd query-report query-diff 12h\
./vuln-to-kusto-vhd query-report query-diff 24h \
--vhd-vhdname=${VHD_ARTIFACT_NAME} \
--vhd-nodeimageversion=${IMAGE_VERSION} \
--severity="HIGH" \
--scan-resource-prefix=${SCAN_RESOURCE_PREFIX} \
--kusto-endpoint=${KUSTO_ENDPOINT} \
--kusto-database=${KUSTO_DATABASE} \
--kusto-table=${KUSTO_TABLE} \
--kusto-managed-identity-client-id=${UMSI_CLIENT_ID} >> ${CVE_DIFF_QUERY_OUTPUT_PATH}

rm ./trivy

chmod a+r "${CVE_DIFF_QUERY_OUTPUT_PATH}"
chmod a+r "${TRIVY_REPORT_ROOTFS_JSON_PATH}"
chmod a+r "${TRIVY_REPORT_IMAGE_TABLE_PATH}"

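Review bot: The new `SCAN_RESOURCE_PREFIX=${31}` in the first hunk is passed unquoted as `--scan-resource-prefix=${SCAN_RESOURCE_PREFIX}` in the last hunk, so a caller that omits argument 31 yields `--scan-resource-prefix=` and a diff query scoped to an empty prefix rather than an error; if the prefix is required, fail fast with `SCAN_RESOURCE_PREFIX="${31:?SCAN_RESOURCE_PREFIX (arg 31) is required}"` and quote the flag value as `"${SCAN_RESOURCE_PREFIX}"`. The change of the query-diff window at `./vuln-to-kusto-vhd query-report query-diff 24h \` carries no rationale in the script; a one-line comment stating what interval the window must cover would keep it from being tuned back blindly. The added `chmod a+r` lines make the CVE reports world-readable on the scan host, presumably so another account can upload them; if so, a comment naming that consumer would help, since the `rm ./trivy` just above shows the script otherwise tidies its artefacts. The enclosing script continues outside these hunks.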
23 changes: 9 additions & 14 deletions vhdbuilder/packer/vhd-scanning.sh
Expand Up @@ -22,10 +22,10 @@ SIG_CONTAINER_NAME="vhd-scans"
SCAN_VM_ADMIN_USERNAME="azureuser"

RELEASE_NOTES_FILEPATH="${DEFAULT_WORKING_DIRECTORY}/release-notes.txt"
# if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
# echo "${RELEASE_NOTES_FILEPATH} does not exist"
# exit 1
# fi
if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
echo "${RELEASE_NOTES_FILEPATH} does not exist"
exit 1
fi

# we must create VMs in a vnet subnet which has access to the storage account, otherwise they will not be able to access the VHD blobs
SCANNING_SUBNET_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PACKER_VNET_RESOURCE_GROUP_NAME}/providers/Microsoft.Network/virtualNetworks/${PACKER_VNET_NAME}/subnets/scanning"
echo "Deleting resource group ${RESOURCE_GROUP_NAME}"
az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait
}
trap cleanup EXIT
# trap cleanup EXIT
capture_benchmark "${SCRIPT_NAME}_set_variables_and_create_scan_resource_group"

# VM_OPTIONS="--size Standard_D8ds_v5"
"SYSTEM_TEAMPROJECT"=${SYSTEM_TEAMPROJECT} \
"BUILDID"=${BUILD_ID} \
"IMAGE_VERSION"=${IMAGE_VERSION} \
"CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME}
"CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME} \
"SCAN_RESOURCE_PREFIX"=${SCAN_RESOURCE_PREFIX}

capture_benchmark "${SCRIPT_NAME}_run_az_scan_command"


capture_benchmark "${SCRIPT_NAME}_download_and_delete_blobs"

if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
echo "${RELEASE_NOTES_FILEPATH} does not exist"
exit 1
fi

echo "This is a new line" >> ${RELEASE_NOTES_FILEPATH}

cat ${RELEASE_NOTES_FILEPATH}
echo "=== CVEs fixed in version: ${IMAGE_VERSION}"
cat cve-diff.txt >> ${RELEASE_NOTES_FILEPATH}

echo -e "Trivy Scan Script Completed\n\n\n"
capture_benchmark "${SCRIPT_NAME}_overall" true
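Review bot: Commenting out `trap cleanup EXIT` in the second hunk means the resource group that `cleanup()` deletes is left behind on every exit path, including failure of a later `az` command, so each run leaks a scanning VM and its resource group until someone removes them by hand. If keeping the resources is only wanted for this test, restore `trap cleanup EXIT` before merging, or make it an explicit opt-out such as `[ "${KEEP_SCAN_RESOURCES:-false}" = "true" ] || trap cleanup EXIT` (variable name constructed; match the pipeline's conventions). In the last hunk, `echo "This is a new line" >> ${RELEASE_NOTES_FILEPATH}` and `cat ${RELEASE_NOTES_FILEPATH}` read as debugging leftovers that write a placeholder line into the published release notes, and `echo "=== CVEs fixed in version: ${IMAGE_VERSION}"` goes to stdout while the following `cat cve-diff.txt` appends to the file, which may not be intended. `cleanup()` itself starts outside the hunk.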

0 comments on commit ad0cbea
