Skip to content

Commit

Permalink
sast-coverity-check: use kustomize to build the task
Browse files Browse the repository at this point in the history
... from the build-container task.  The `hack/generate-sast-tasks.sh`
script can be used to rebuild `sast-coverity-check.yaml`.

Related: konflux-ci#1653
  • Loading branch information
kdudka committed Dec 17, 2024
1 parent 9b1a1ee commit b340b65
Show file tree
Hide file tree
Showing 8 changed files with 1,170 additions and 261 deletions.
19 changes: 19 additions & 0 deletions hack/generate-sast-tasks.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
#!/usr/bin/env bash

set -o errexit
set -o errtrace
set -o nounset
set -o pipefail
set -o posix

shopt -s globstar nullglob

HACK_DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
ROOT_DIR="$(git rev-parse --show-toplevel)"
TASK_DIR="$(realpath "${ROOT_DIR}/task")"

# sast-coverity-check of version 0.2 and newer uses kustomize to build the task
# definition from the buildah task and a locally maintained patch.yaml
for dir in "${TASK_DIR}/sast-coverity-check"/0.[2-9]; do (
cd "$dir" && kustomize build > sast-coverity-check.yaml
) done
32 changes: 26 additions & 6 deletions pipelines/docker-build/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -163,17 +163,37 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
### sast-coverity-check:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| |
|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| |
|ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| |
|ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | |
|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| |
|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | |
|COMMIT_SHA| The image is built from this commit.| | |
|CONTEXT| Path to the directory to use as context.| .| |
|COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| |
|COV_CAPTURE_ARGS| Arguments to be appended to the coverity capture command| | |
|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| |
|DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| |
|ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| |
|HERMETIC| Determines if build will be executed without network access.| false| |
|IMAGE| Reference of the image buildah will produce.| None| |
|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | |
|IMAGE_URL| | None| |
|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
|KFP_GIT_URL| URL from repository to download known false positives files| | |
|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |
|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| |
|LABELS| Additional key=value labels that should be applied to the image| []| |
|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | |
|PROJECT_NAME| | | |
|RECORD_EXCLUDED| | false| |
|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| |
|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| |
|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |
|TARGET_STAGE| Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | |
|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| |
|YUM_REPOS_D_FETCHED| Path in source workspace where dynamically-fetched repos are present| fetched.repos.d| |
|YUM_REPOS_D_SRC| Path in the git repository in which yum repository files are stored| repos.d| |
|YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| |
|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
### sast-shell-check:0.1 task parameters
|name|description|default value|already set by|
|---|---|---|---|
Expand Down Expand Up @@ -356,7 +376,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
### sast-coverity-check:0.2 task workspaces
|name|description|optional|workspace from pipeline
|---|---|---|---|
|source| | False| workspace|
|source| Workspace containing the source code to build.| False| workspace|
### sast-shell-check:0.1 task workspaces
|name|description|optional|workspace from pipeline
|---|---|---|---|
Expand Down
2 changes: 2 additions & 0 deletions task/sast-coverity-check/0.2/MIGRATION.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@

- The unused `IMAGE_DIGEST` parameter has been removed.

- The `sast-coverity-check` task now supports buildful SAST scanning, too.

## Action from users

- The workspace for this task in the build pipeline should be renamed to `source`.
Expand Down
6 changes: 2 additions & 4 deletions task/sast-coverity-check/0.2/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,13 @@

## Description:

The sast-coverity-check task uses Coverity tool to perform Static Application Security Testing (SAST). In this task, we use the buildless mode, where Coverity has the ability to capture source code without the need of building the product.
The sast-coverity-check task uses Coverity tool to perform Static Application Security Testing (SAST).

The documentation for this mode can be found here: https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html

The characteristics of these tasks are:

- Perform buildless scanning with Coverity
- The whole source code is scanned (by scanning `$(workspaces.source.path)` )
- Perform buildful scanning with Coverity
- Only important findings are reported by default. A parameter ( `IMP_FINDINGS_ONLY`) is provided to override this configuration.
- The csdiff/v1 SARIF fingerprints are provided for all findings
- A parameter ( `KFP_GIT_URL`) is provided to remove false positives providing a known false positives repository. By default, no repository is provided.
Expand All @@ -20,7 +19,6 @@ The characteristics of these tasks are:

| name | description | default value | required |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------|
| COV_CAPTURE_ARGS | Append arguments to the Coverity Capture CLI command | "" | no |
| COV_ANALYZE_ARGS | Append arguments to the cov-analyze CLI command | "" | no |
| COV_LICENSE | Name of secret which contains the Coverity license | cov-license | no |
| AUTH_TOKEN_COVERITY_IMAGE | Name of secret which contains the authentication token for pulling the Coverity image | auth-token-coverity-image | no |
Expand Down
10 changes: 10 additions & 0 deletions task/sast-coverity-check/0.2/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../../buildah/0.2

patches:
- path: patch.yaml
target:
kind: Task
Loading

0 comments on commit b340b65

Please sign in to comment.