Fix/add retry to trivy #29

Merged
merged 4 commits into from
Oct 9, 2024
2 changes: 1 addition & 1 deletion restore.yml
Expand Up @@ -7,7 +7,7 @@ parameters:

steps:
- ${{if parameters.nuGetServiceConnections}}:
- task: NuGetAuthenticate@0
- task: NuGetAuthenticate@1
inputs:
nuGetServiceConnections: ${{ parameters.nuGetServiceConnections }}
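Review bot: the NuGetAuthenticate@0 to @1 major-version bump is unrelated to the Trivy retry this PR is titled for and is not mentioned anywhere on the page; call it out in the PR description so pipelines consuming this template know the auth task changed. The `nuGetServiceConnections` input line is carried over unchanged, so the hunk itself looks correct.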

30 changes: 4 additions & 26 deletions scanBinaries.yml
Expand Up @@ -21,29 +21,7 @@ jobs:
destinationFolder: $(System.DefaultWorkingDirectory)/Binaries
cleanDestinationFolder: true
overwriteExistingFiles: false
- script: |
retries=10
count=0
while [ $count -lt $retries ]; do
log_output=$(docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/tmp -v $(System.DefaultWorkingDirectory)/Binaries:/src aquasec/trivy:latest --exit-code 1 --format table --scanners vuln,misconfig,secret filesystem /src 2>&1)
result=$?
echo "$log_output"
if echo "$log_output" | grep -q "Fatal error init error: DB error: failed to download vulnerability DB: database download error"; then
count=$((count + 1))
echo "Scan failed due to DB download error. Attempt $count/$retries. Retrying in 30 seconds..."
sleep 30
else
if [ $result -eq 0 ]; then
echo "Scan completed successfully."
break
else
echo "Scan failed due to other errors."
exit 1
fi
fi
done
if [ $count -eq $retries ]; then
echo "Scan failed after $retries attempts due to DB download error."
exit 1
fi
displayName: Scan compiled code with Trivy
- script: |
./scan_with_retries.sh "docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/tmp -v $(System.DefaultWorkingDirectory)/Binaries:/src aquasec/trivy:latest --exit-code 1 --format table --scanners vuln,misconfig,secret filesystem /src"
displayName: Scan compiled code with Trivy
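Review bot: `./scan_with_retries.sh` in the new `script:` step is resolved against the job's working directory, but this file is a pipeline template, so the script is only found when the repository holding these templates is checked out and the step runs from its root; anchor the path to wherever the template repository is checked out, and invoke it as `bash <path>/scan_with_retries.sh ...` so a missing executable bit on the newly added file cannot break the step. Also note that the whole scan command is handed over as one string that the script later word-splits, so `$(System.DefaultWorkingDirectory)` must contain no spaces for the `-v ...:/src` bind mount to survive intact.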

30 changes: 3 additions & 27 deletions scanCompiledArtifacts.yml
Expand Up @@ -8,30 +8,6 @@ parameters:
displayName: 'The directory to scan for vulnerabilities'

steps:
- script: |
retries=10
count=0
while [ $count -lt $retries ]; do
log_output=$(docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/tmp -v ${{ parameters.directory }}:/src aquasec/trivy:latest --exit-code 1 --format table --scanners vuln,misconfig,secret filesystem /src 2>&1)
result=$?
echo "$log_output"
if echo "$log_output" | grep -q "Fatal error init error: DB error: failed to download vulnerability DB: database download error"; then
count=$((count + 1))
echo "Scan failed due to DB download error. Attempt $count/$retries. Retrying in 30 seconds..."
sleep 30
else
if [ $result -eq 0 ]; then
echo "Scan completed successfully."
break
else
echo "Scan failed due to other errors."
exit 1
fi
fi
done
if [ $count -eq $retries ]; then
echo "Scan failed after $retries attempts due to DB download error."
exit 1
fi

displayName: Scan compiled code with Trivy
- script: |
./scan_with_retries.sh "docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/tmp -v ${{ parameters.directory }}:/src aquasec/trivy:latest --exit-code 1 --format table --scanners vuln,misconfig,secret filesystem /src"
displayName: Scan compiled code with Trivy
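Review bot: `${{ parameters.directory }}` is expanded into the command string at template-compile time and is then word-split by the script's unquoted `$command`, so a directory value containing spaces or shell metacharacters yields a malformed `docker run` invocation rather than a failed scan; consider validating the parameter (for example restricting it to a path without whitespace) or passing the scan arguments to the script individually instead of as a single string. Dropping the stray blank line before `displayName` that the removed block carried is fine.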
37 changes: 6 additions & 31 deletions scanDockerImage.yml
Expand Up @@ -30,40 +30,15 @@ jobs:
inputs:
command: login
containerRegistry: ${{ parameters.dockerRegistryConnection }}
- task: Docker@0
- task: Bash@3
displayName: 'Pull Docker image from private registry'
inputs:
containerregistrytype: 'Container Registry'
dockerRegistryConnection: ${{ parameters.dockerRegistryConnection }}
action: 'Run a Docker command'
customCommand: 'pull ${{ parameters.dockerRegistryName }}/${{ parameters.dockerImageRepoName }}:${{ parameters.dockerImageRepoVersion }}'
targetType: inline
script: |
docker pull ${{ parameters.dockerRegistryName }}/${{ parameters.dockerImageRepoName }}:${{ parameters.dockerImageRepoVersion }}

- script: |
retries=10
count=0
while [ $count -lt $retries ]; do
log_output=$(docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${{ parameters.trivyIgnoreFile }}:/tmp/trivyignore aquasec/trivy:latest image --ignorefile /tmp/trivyignore --exit-code 1 --format table --scanners vuln,misconfig,secret ${{ parameters.dockerRegistryName }}/${{ parameters.dockerImageRepoName }}:${{ parameters.dockerImageRepoVersion }} 2>&1)
result=$?
echo "$log_output"
if echo "$log_output" | grep -q "Fatal error init error: DB error: failed to download vulnerability DB: database download error"; then
count=$((count + 1))
echo "Scan failed due to DB download error. Attempt $count/$retries. Retrying in 30 seconds..."
sleep 30
else
if [ $result -eq 0 ]; then
echo "Scan completed successfully."
break
else
echo "Scan failed due to other errors."
exit 1
fi
fi
done
if [ $count -eq $retries ]; then
echo "Scan failed after $retries attempts due to DB download error."
exit 1
fi

- script: |
./scan_with_retries.sh "docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${{ parameters.trivyIgnoreFile }}:/tmp/trivyignore aquasec/trivy:latest image --ignorefile /tmp/trivyignore --exit-code 1 --format table --scanners vuln,misconfig,secret ${{ parameters.dockerRegistryName }}/${{ parameters.dockerImageRepoName }}:${{ parameters.dockerImageRepoVersion }}"
displayName: Scan image with Trivy

# The Trivy task does not work yet.
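Review bot: the retried scan command in the `+` line still runs `aquasec/trivy:latest`, so the scanner that gates this job with `--exit-code 1` can change silently between a failed attempt and its retry, or between reruns; pin the image to a version tag or digest so every attempt scans with the same tool and database logic. Separately, replacing the Docker@0 task with a Bash@3 `docker pull` is not part of the retry fix and should be mentioned in the PR description; it now depends on the `command: login` step above it staying in place, since the explicit `dockerRegistryConnection` input is gone.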
31 changes: 31 additions & 0 deletions scan_with_retries.sh
@@ -0,0 +1,31 @@
#!/bin/bash

command=$1
retries=10
count=0

echo "Scan command: $command"
echo "Starting scan with retries..."

while [ $count -lt $retries ]; do
log_output=$($command 2>&1)
echo "$log_output"
if echo "$log_output" | grep "Fatal" | grep "failed to download artifact from any source" | grep -q "failed to download vulnerability DB"; then
count=$((count + 1))
echo "Scan failed due to DB download error. Attempt $count/$retries. Retrying in 30 seconds..."
sleep 30
else
if [ $? -eq 0 ]; then
echo "Scan completed successfully."
break
else
echo "Scan failed due to other errors."
exit 1
fi
fi
done

if [ $count -eq $retries ]; then
echo "Scan failed after $retries attempts due to DB download error."
exit 1
fi
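Review bot: the `[ $? -eq 0 ]` test in the `else` branch never sees the scan's exit status: by the time it runs, `$?` holds the result of the `grep -q` pipeline from the `if` condition (and `echo "$log_output"` ran before that), so whenever the output contains no DB-download error the branch reads a non-zero status and exits 1 even for a clean scan. Capture the status immediately after the command substitution, as the removed inline blocks did with `log_output=$($command 2>&1)` followed by `result=$?`, and test `[ $result -eq 0 ]` instead. The three chained `grep`s also require all three phrases on the same output line; matching on `failed to download vulnerability DB` alone would be more tolerant of Trivy changing the surrounding wording.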