Multiple bug fixes in yamls related to patch failing with repos havin…

…g namespace, null ref error fix, timeout increase and disabling secret scanner etc
Azure · Jul 16, 2024 · f1e4209 · f1e4209
1 parent 507d8be
commit f1e4209
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/src/acrcssc/azext_acrcssc/templates/task/cssc_patch_image.yaml b/src/acrcssc/azext_acrcssc/templates/task/cssc_patch_image.yaml
@@ -1,7 +1,7 @@
 version: v1.1.0
 alias:
   values:
-    ScanReport : os-vulnerability-report_trivy_{{.Values.SOURCE_REPOSITORY}}_{{.Values.SOURCE_IMAGE_TAG}}_$(date "+%Y-%m-%d").json
+    ScanReport : os-vulnerability-report_trivy_{{ regexReplaceAll "[^a-zA-Z0-9]" .Values.SOURCE_REPOSITORY "-" }}_{{.Values.SOURCE_IMAGE_TAG}}_$(date "+%Y-%m-%d").json
     cssc : mcr.microsoft.com/acr/cssc:56f0765
 steps:
   # Step #1: Perform the vulnerability scan
@@ -17,6 +17,8 @@ steps:
       --vuln-type os \
       --ignore-unfixed \
       --format json \
+      --timeout 30m \
+      --scanners vuln \
       --output /workspace/data/$ScanReport
 
   # Step 2: Attach the vulnerability scan report to the image

diff --git a/src/acrcssc/azext_acrcssc/templates/task/cssc_scan_image.yaml b/src/acrcssc/azext_acrcssc/templates/task/cssc_scan_image.yaml
@@ -18,8 +18,10 @@ steps:
       --vuln-type os \
       --ignore-unfixed \
       --format json \
+      --timeout 30m \
+      --scanners vuln \
       --output /workspace/data/vulnerability-report_trivy_$DATE.json
-  - cmd: cssc jq "[.Results[].Vulnerabilities | length] | add" /workspace/data/vulnerability-report_trivy_$DATE.json > /workspace/data/vulCount.txt
+  - cmd: cssc jq 'if .Results == null or (.Results | length) == 0 then 0 else [.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities | length] | add end' /workspace/data/vulnerability-report_trivy_$DATE.json > /workspace/data/vulCount.txt
   - cmd: bash echo "Generated vulnerability report at /workspace/data/vulnerability-report_trivy_$DATE.json" 
   - cmd: az login --identity
   - cmd: bash echo "Vulnerabilities found for image {{.Values.SOURCE_REPOSITORY}}:{{.Values.SOURCE_IMAGE_TAG}} -> $(cat /workspace/data/vulCount.txt)"

diff --git a/src/acrcssc/azext_acrcssc/templates/task/cssc_trigger_workflow.yaml b/src/acrcssc/azext_acrcssc/templates/task/cssc_trigger_workflow.yaml
@@ -4,7 +4,7 @@ alias:
     ScanImageAndSchedulePatchTask: cssc-scan-image
     cssc : mcr.microsoft.com/acr/cssc:56f0765
 steps:
-  - cmd: bash -c 'echo "Inside CSSC-TriggerScan, getting images to be patched based on --filter-policy for Registry {{.Run.Registry}}."'
+  - cmd: bash -c 'echo "Inside cssc-trigger-workflow task, getting list of images to be patched based on --filter-policy for Registry {{.Run.Registry}}."'
   - cmd: cssc acr cssc patch --filter-policy csscpolicies/patchpolicy:v1 --dry-run > filterRepos.txt
     env:
       - ACR_EXPERIMENTAL_CSSC=true