sast: initial task for Coverity Buildless

Solves: https://issues.redhat.com/browse/OSH-740 Initial version of the Coverity Buildless task. In introduces two different tasks: A task checking the availability of Coverity license and authentication token, and a task for scanning the code. The code will be scanned using coverity buildless mode, then the results are processing using csgrep and the results are later filtered using csfilter-kfp.
konflux-ci · Sep 25, 2024 · 72ee032 · 72ee032
1 parent dc50185
commit 72ee032
Show file tree

Hide file tree

Showing 6 changed files with 411 additions and 0 deletions.
diff --git a/task/coverity-availability-check/0.1/README.md b/task/coverity-availability-check/0.1/README.md
@@ -0,0 +1,25 @@
+# coverity-availability-check task
+
+## Description:
+
+This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.
+
+The characteristics of these tasks are:
+
+- It will check for a secret called "auth-token-coverity-image" where the authentication token for pulling Coverity image is pulled.
+- It will check for a secret called "cov-license" where the Coverity license is stored.
+
+> NOTE: If any of these tasks fails, the sast-coverity-task check won't be executed. The Coverity license can be used by Red Hat employees only and it needs to be protected such that external users cannot access the license.
+
+## Params:
+
+| name                        | description                                                                                                                                 |
+|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
+| AUTH_TOKEN_COVERITY_IMAGE   | Append arguments to the cov-analyze CLI command                                                                                             |
+| COV_LICENSE                 | Name of secret which contains the Coverity license                                                                                          |                                                                        |
+
+## Results:
+
+| name        | description              |
+|-------------|--------------------------|
+| TASK_OUTPUT | Tekton task test output. |
diff --git a/task/coverity-availability-check/0.1/coverity-availability-check.yaml b/task/coverity-availability-check/0.1/coverity-availability-check.yaml
@@ -0,0 +1,88 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: "konflux"
+  name: sast-coverity-check
+spec:
+  description: >-
+    This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.
+  results:
+    - description: Tekton task result output.
+      name: TASK_OUTPUT
+  params:
+    - description: Image URL.
+      name: image-url
+      type: string
+      # In a future 0.2 version of the task, drop the default to make this required
+      default: ""
+    - description: Image digest to report findings for.
+      name: image-digest
+      type: string
+      # In a future 0.2 version of the task, drop the default to make this required
+      default: ""
+    - name: COV_LICENSE
+      description: Name of secret which contains the Coverity license
+      default: cov-license
+    - name: AUTH_TOKEN_COVERITY_IMAGE
+      description: Name of secret which contains the authentication token for pulling the Coverity image.
+      default: "auth-token-coverity-image"
+  volumes:
+    - name: cov-license
+      secret:
+        secretName: $(params.COV_LICENSE)
+        optional: false
+    - name: auth-token-coverity-image
+      secret:
+        secretName: $(params.AUTH_TOKEN_COVERITY_IMAGE)
+        optional: false
+  steps:
+    - name: coverity-availability-check
+      image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072
+      onError: stopAndFail
+      # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
+      # the cluster will set imagePullPolicy to IfNotPresent
+      workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
+      volumeMounts:
+        - name: cov-license
+          mountPath: "/etc/secrets/cov"
+          readOnly: true
+        - name: auth-token-coverity-image
+          mountPath: "/etc/secrets/auth/config.json"
+          subPath: .dockerconfigjson
+      env:
+        - name: COV_LICENSE
+          value: $(params.COV_LICENSE)
+        - name: AUTH_TOKEN_COVERITY_IMAGE
+          value: $(params.AUTH_TOKEN_COVERITY_IMAGE)
+      script: |
+        #!/usr/bin/env bash
+        set -eo pipefail
+        
+        # Checking Coverity license
+        COV_LICENSE_PATH=/etc/secrets/cov/cov-license
+        if [ -f "${COV_LICENSE_PATH}" ] && [ -s "${COV_LICENSE_PATH}" ]; then
+          echo "Coverity license detected!"
+        else
+          echo "No license file for Coverity was detected. Coverity scan won't be executed..."
+          echo "Please, create a secret called "cov-license" with a key called "cov-license" and the value containing the Coverity license."
+          exit 0
+        fi
+        
+        # Checking authentication token for downloading coverity image
+        AUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json
+        if [ -f "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ] && [ -s "${AUTH_TOKEN_COVERITY_IMAGE_PATH}" ]; then
+          echo "Authentication token detected!"
+        else
+          echo "No authentication token for downloading Coverity image detected. Coverity scan won't be executed..."
+          echo "Please, create an imagePullSecret named "auth-token-coverity-image" with the authentication token for pulling the Coverity image."
+          exit 0
+        fi
+        
+        echo -n "success" | tee "$(results.TASK_OUTPUT.path)"
+
+  workspaces:
+  - name: workspace
diff --git a/task/coverity-availability-check/OWNERS b/task/coverity-availability-check/OWNERS
@@ -0,0 +1,5 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+approvers:
+  - integration-team
+reviewers:
+  - integration-team
diff --git a/task/sast-coverity-check/0.1/README.md b/task/sast-coverity-check/0.1/README.md
@@ -0,0 +1,46 @@
+# sast-coverity-check task
+
+## Description:
+
+The sast-coverity-check task uses Coverity tool to perform Static Application Security Testing (SAST). In this task, we use the buildless mode, where Coverity has the ability to capture source code without the need of building the product.
+
+The documentation for this mode can be found here: https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html
+
+The characteristics of these tasks are:
+
+- Perform buildless scanning with Coverity
+- The whole source code is scanned (by scanning `$(workspaces.source.path)` )
+- Only important findings are reported by default.  A parameter ( `SEVERITY_THRESHOLD`) is provided to override this configuration.
+- The csdiff/v1 SARIF fingerprints are provided for all findings
+- [Known false positives](https://gitlab.cee.redhat.com/osh/known-false-positives/) are eliminated by default.  A parameter ( `KFP_GIT_URL`) is provided to disable this feature or to configure a custom known false positives repository.
+
+> NOTE: This task is executed only if there is a Coverity license set up in the environment. Please check coverity-availability-check task for more information.
+
+## Params:
+
+| name                | description                                                                                                                           |
+|---------------------|---------------------------------------------------------------------------------------------------------------------------------------|
+| COV_CAPTURE_ARGS    | Append arguments to the Coverity Capture CLI command                                                                                  |
+| COV_ANALYZE_ARGS    | Append arguments to the cov-analyze CLI command                                                                                       |
+| COV_LICENSE         | Name of secret which contains the Coverity license                                                                                    |
+| IMP_FINDINGS_ONLY   | Report only important findings. Default is true. To report all findings, specify "false"                                              |
+| KFP_GIT_URL         | Known False Positives git URL, optionally taking a revision delimited by #; If empty, filtering of known false positives is disabled. |
+| PROJECT_NVR         | Name-Version-Release (NVR) of the scanned project, used to find path exclusions (it is optional)                                      |
+| RECORD_EXCLUDED     | File to store all excluded findings to (it is optional)                                                                               |
+
+## Results:
+
+| name              | description              |
+|-------------------|--------------------------|
+| TEST_OUTPUT       | Tekton task test output. |
+
+## Source repository for image:
+
+// TODO: Add reference to private repo for the container image once the task is migrated to repo
+
+
+## Additional links:
+
+* https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/commands/topics/coverity_capture.html
+* https://scan.coverity.com/
+* https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/cli/topics/options_reference.html