use kustomize to build sast-coverity-check

... from the build-container task. The `hack/generate-sast-tasks.sh` script can be used to rebuild `sast-coverity-check.yaml`. Related: konflux-ci#1653
kdudka · Dec 12, 2024 · c341498 · c341498
1 parent 266f2fc
commit c341498
Show file tree

Hide file tree

Showing 6 changed files with 1,114 additions and 255 deletions.
diff --git a/hack/generate-sast-tasks.sh b/hack/generate-sast-tasks.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o errtrace
+set -o nounset
+set -o pipefail
+set -o posix
+
+shopt -s globstar nullglob
+
+HACK_DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+TASK_DIR="$(realpath "${ROOT_DIR}/task")"
+
+# sast-coverity-check of version 0.2 and newer uses kustomize to build the task
+# definition from the buildah task and a locally maintained patch.yaml
+for dir in "${TASK_DIR}/sast-coverity-check"/0.[2-9]; do (
+    cd "$dir" && kustomize build > sast-coverity-check.yaml
+) done
diff --git a/task/sast-coverity-check/0.2/README.md b/task/sast-coverity-check/0.2/README.md
@@ -2,14 +2,13 @@
 
 ## Description:
 
-The sast-coverity-check task uses Coverity tool to perform Static Application Security Testing (SAST). In this task, we use the buildless mode, where Coverity has the ability to capture source code without the need of building the product.
+The sast-coverity-check task uses Coverity tool to perform Static Application Security Testing (SAST).
 
 The documentation for this mode can be found here: https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html
 
 The characteristics of these tasks are:
 
-- Perform buildless scanning with Coverity
-- The whole source code is scanned (by scanning `$(workspaces.source.path)` )
+- Perform buildful scanning with Coverity
 - Only important findings are reported by default.  A parameter ( `IMP_FINDINGS_ONLY`) is provided to override this configuration.
 - The csdiff/v1 SARIF fingerprints are provided for all findings
 - A parameter ( `KFP_GIT_URL`) is provided to remove false positives providing a known false positives repository. By default, no repository is provided.
@@ -20,7 +19,6 @@ The characteristics of these tasks are:
 
 | name                      | description                                                                                                                           | default value             | required |                                                                                                                   
 |---------------------------|---------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------|
-| COV_CAPTURE_ARGS          | Append arguments to the Coverity Capture CLI command                                                                                  | ""                        | no       |
 | COV_ANALYZE_ARGS          | Append arguments to the cov-analyze CLI command                                                                                       | ""                        | no       |
 | COV_LICENSE               | Name of secret which contains the Coverity license                                                                                    | cov-license               | no       |
 | AUTH_TOKEN_COVERITY_IMAGE | Name of secret which contains the authentication token for pulling the Coverity image                                                 | auth-token-coverity-image | no       |

diff --git a/task/sast-coverity-check/0.2/kustomization.yaml b/task/sast-coverity-check/0.2/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../buildah/0.2
+
+patches:
+- path: patch.yaml
+  target:
+    kind: Task