fix(KFLUXBUGS-1581): force releaseNotes.type when cves defined #619

Open
wants to merge 1 commit into base: development
4 changes: 4 additions & 0 deletions tasks/create-advisory/README.md
@@ -18,6 +18,10 @@ Only all `redhat-pending` or all `redhat-prod` repositories may be specified in
| synchronously | Whether the task should wait for InternalRequests to complete | Yes | true |
| pipelineRunUid | The uid of the current pipelineRun. Used as a label value when creating internal requests | No | - |

## Changes in 4.4.2
* If the releaseNotes do not specify any CVEs fixed and the type is RHSA, fail the task
* If the releaseNotes specify CVEs fixed, proceed with type set to RHSA regardless of the passed type

## Changes in 4.4.1
* Fix linting issues in this task.

20 changes: 17 additions & 3 deletions tasks/create-advisory/create-advisory.yaml
@@ -4,7 +4,7 @@ kind: Task
metadata:
name: create-advisory
labels:
app.kubernetes.io/version: "4.4.1"
app.kubernetes.io/version: "4.4.2"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: release
@@ -55,10 +55,10 @@ spec:
RESULTS_FILE="$(workspaces.data.path)/$(params.resultsDirPath)/create-advisory-results.json"
# Obtain application from snapshot
application=$(jq -rc .application "$(workspaces.data.path)/$(params.snapshotPath)")
application=$(jq -r .application "$(workspaces.data.path)/$(params.snapshotPath)")
# Obtain origin workspace from releasePlanAdmission
origin=$(jq -rc '.spec.origin' "$(workspaces.data.path)/$(params.releasePlanAdmissionPath)")
origin=$(jq -r '.spec.origin' "$(workspaces.data.path)/$(params.releasePlanAdmissionPath)")
# Extract the advisory key and signing configMap name from the data JSON file
advisoryData=$(jq -c "$(params.jsonKey)" "$(workspaces.data.path)/$(params.dataPath)")
@@ -71,6 +71,20 @@ spec:
exit 1
fi
# Ensure RHSA is only used if CVEs are provided
NUM_CVES=$(jq '.content.images[]?.cves.fixed // 0 | length' <<< "$advisoryData" \
| awk '{sum=sum+$0} END{print sum}')
Comment on lines +75 to +76

You can do the sum directly with jq. Also, while it works with the default 0, you're expecting an array, so defaulting to [] seems more correct.

Suggested change
NUM_CVES=$(jq '.content.images[]?.cves.fixed // 0 | length' <<< "$advisoryData" \
| awk '{sum=sum+$0} END{print sum}')
NUM_CVES=$(jq '[.content.images[]?.cves.fixed // [] | length] | add' <<< "$advisoryData")

But if you prefer awk, that's fine with me.

if [[ "$advisoryType" == "RHSA" ]] && [[ "$NUM_CVES" -eq 0 ]] ; then
echo "Provided advisory type is RHSA, but no fixed CVEs were listed"
echo "RHSA should only be used if CVEs are fixed in the advisory. Failing..."
exit 1
fi
# Set type to RHSA if there are fixed CVEs
if [[ "$NUM_CVES" -gt 0 ]] ; then
advisoryData=$(jq -c '.type = "RHSA"' <<< "$advisoryData")
fi
pipelinerun_label="internal-services.appstudio.openshift.io/pipelinerun-uid"
# only 2 gitlab instances are permitted...prod and staging
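Review bot: the NUM_CVES computation yields an empty string rather than `0` when `.content.images` is absent: jq emits nothing, and `awk 'END{print sum}'` prints an uninitialised `sum`. The `[[ "$NUM_CVES" -eq 0 ]]` test that follows still passes only because bash's arithmetic context treats "" as 0, and the suggested pure-jq form has the same weakness, since `add` over an empty array is `null`. Initialise explicitly, e.g. `awk 'BEGIN{sum=0}{sum+=$0} END{print sum}'` or `... | add // 0`, so the count is always a number. Also, the overwrite test feeds `cves.fixed` as an object keyed by CVE ID rather than an array, so `// {}` matches the real shape better than `// []` (jq's `length` counts object keys and array elements alike). Finally, the `.type = "RHSA"` override at the end of the hunk is silent; echo the original type and the override so the pipeline log shows why the advisory type changed.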
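The jq counting expression discussed in the review comment above, together with the two rules from the 4.4.2 changelog, as an added stand-alone example that is not the create-advisory task's own code: it sums fixed CVEs with an `add // 0` guard so the no-images case yields `0` instead of an empty string, accepts `cves.fixed` as either an object keyed by CVE ID or an array, and then applies the RHSA rules. It requires jq; the three inputs, their image names and the CVE IDs in them are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the create-advisory task's own code: counts the fixed
# CVEs in a releaseNotes object and applies the two RHSA rules from the
# 4.4.2 changelog. Requires jq. All inputs below are constructed placeholders.
set -eu

# Sum the fixed-CVE counts over all images. `cves.fixed` may be an object
# keyed by CVE ID (as in the overwrite test) or an array; jq's `length`
# counts entries of either. `add // 0` guards the no-images case, where
# `add` of an empty array yields null rather than 0.
count_fixed_cves() {
  printf '%s' "$1" | jq -r '[.content.images[]?.cves.fixed // {} | length] | add // 0'
}

# Rule 1: type RHSA with zero fixed CVEs is rejected (returns 1).
# Rule 2: any fixed CVEs force the type to RHSA, whatever was passed.
# On success prints the (possibly rewritten) releaseNotes JSON.
enforce_advisory_type() {
  data=$1
  num=$(count_fixed_cves "$data")
  adv_type=$(printf '%s' "$data" | jq -r '.type')
  if [ "$adv_type" = "RHSA" ] && [ "$num" -eq 0 ]; then
    echo "type RHSA requested but no fixed CVEs are listed" >&2
    return 1
  fi
  if [ "$num" -gt 0 ] && [ "$adv_type" != "RHSA" ]; then
    # Log the override so the pipeline log shows why the type changed.
    echo "fixed CVEs present: overriding type $adv_type with RHSA" >&2
    data=$(printf '%s' "$data" | jq -c '.type = "RHSA"')
  fi
  printf '%s\n' "$data"
}

# Constructed inputs covering the edge cases (CVE IDs are placeholders).
NO_CONTENT='{"type":"RHSA"}'
EMPTY_FIXED='{"type":"RHEA","content":{"images":[{"containerImage":"foo","cves":{"fixed":{}}}]}}'
TWO_IMAGES='{"type":"RHBA","content":{"images":[{"containerImage":"foo","cves":{"fixed":{"CVE-123":{"components":["pkg:rpm/foo"]}}}},{"containerImage":"bar","cves":{"fixed":["CVE-456","CVE-789"]}}]}}'

printf 'NO_CONTENT: %s fixed CVEs\n' "$(count_fixed_cves "$NO_CONTENT")"    # 0
printf 'EMPTY_FIXED: %s fixed CVEs\n' "$(count_fixed_cves "$EMPTY_FIXED")"  # 0
printf 'TWO_IMAGES: %s fixed CVEs\n' "$(count_fixed_cves "$TWO_IMAGES")"    # 3
```

Run it directly to see the three counts; `enforce_advisory_type` returns 1 for the RHSA-without-CVEs input, leaves the RHEA input untouched because its `fixed` object is empty, and rewrites the RHBA input to RHSA.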
@@ -0,0 +1,109 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: test-create-advisory-fail-rhsa-no-cve
annotations:
test/assert-task-failure: "run-task"
spec:
description: |
Run the create-advisory task with releaseNotes.type set to RHSA but no CVEs in releaseNotes.
The task should fail.
workspaces:
- name: tests-workspace
tasks:
- name: setup
taskSpec:
steps:
- name: create-crs
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env bash
set -eux
mkdir "$(workspaces.data.path)"/results
cat > "$(workspaces.data.path)"/test_release_plan_admission.json << EOF
{
"apiVersion": "appstudio.redhat.com/v1alpha1",
"kind": "ReleasePlanAdmission",
"metadata": {
"name": "test",
"namespace": "default"
},
"spec": {
"applications": [
"app"
],
"policy": "policy",
"pipeline": {
"pipelineRef": {
"resolver": "git",
"params": [
{
"name": "url",
"value": "github.com"
},
{
"name": "revision",
"value": "main"
},
{
"name": "pathInRepo",
"value": "pipeline.yaml"
}
]
},
"serviceAccountName": "sa"
},
"origin": "dev"
}
}
EOF
cat > "$(workspaces.data.path)"/test_snapshot_spec.json << EOF
{
"application": "myapp",
"components": [
{
"name": "comp",
"repository": "quay.io/redhat-prod/repo"
}
]
}
EOF
cat > "$(workspaces.data.path)"/data.json << EOF
{
"releaseNotes": {
"type": "RHSA"
},
"sign": {
"configMapName": "cm"
}
}
EOF
workspaces:
- name: data
workspace: tests-workspace
- name: run-task
taskRef:
name: create-advisory
params:
- name: releasePlanAdmissionPath
value: "test_release_plan_admission.json"
- name: snapshotPath
value: "test_snapshot_spec.json"
- name: dataPath
value: "data.json"
- name: resultsDirPath
value: "results"
- name: synchronously
value: "false"
- name: pipelineRunUid
value: $(context.pipelineRun.uid)
runAfter:
- setup
workspaces:
- name: data
workspace: tests-workspace
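Review bot: this failure case only covers a releaseNotes with no `content` at all, which is the path where the jq pipeline in the task emits nothing. Add a second failing data.json with `content.images[].cves.fixed` present but empty (`"fixed": {}`), which reaches the `length` = 0 branch instead; the two paths produce different intermediate values (no output versus `0`) and both must be rejected when the type is RHSA.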
174 changes: 174 additions & 0 deletions tasks/create-advisory/tests/test-create-advisory-overwrite-type.yaml
@@ -0,0 +1,174 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: test-create-advisory-overwrite-type
spec:
description: |
Run the create-advisory task with a releaseNotes.type that is not RHSA, but CVEs present in releaseNotes.
The type should be overwritten to RHSA.
workspaces:
- name: tests-workspace
tasks:
- name: setup
taskSpec:
steps:
- name: create-crs
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env bash
set -eux

mkdir "$(workspaces.data.path)"/results

cat > "$(workspaces.data.path)"/test_release_plan_admission.json << EOF
{
"apiVersion": "appstudio.redhat.com/v1alpha1",
"kind": "ReleasePlanAdmission",
"metadata": {
"name": "test",
"namespace": "default"
},
"spec": {
"applications": [
"app"
],
"policy": "policy",
"pipeline": {
"pipelineRef": {
"resolver": "git",
"params": [
{
"name": "url",
"value": "github.com"
},
{
"name": "revision",
"value": "main"
},
{
"name": "pathInRepo",
"value": "pipeline.yaml"
}
]
},
"serviceAccountName": "sa"
},
"origin": "dev"
}
}
EOF

cat > "$(workspaces.data.path)"/test_snapshot_spec.json << EOF
{
"application": "myapp",
"components": [
{
"name": "comp",
"repository": "quay.io/redhat-prod/repo"
}
]
}
EOF

cat > "$(workspaces.data.path)"/data.json << EOF
{
"releaseNotes": {
"type": "RHEA",
"content": {
"images": [
{
"containerImage": "foo",
"cves": {
"fixed": {
"CVE-123": {
"components": [
"pkg:rpm/foo"
]
}
}
}
}
]
}
},
"sign": {
"configMapName": "cm"
}
}
EOF
workspaces:
- name: data
workspace: tests-workspace
- name: run-task
taskRef:
name: create-advisory
params:
- name: releasePlanAdmissionPath
value: "test_release_plan_admission.json"
- name: snapshotPath
value: "test_snapshot_spec.json"
- name: dataPath
value: "data.json"
- name: resultsDirPath
value: "results"
- name: synchronously
value: "false"
- name: pipelineRunUid
value: $(context.pipelineRun.uid)
runAfter:
- setup
workspaces:
- name: data
workspace: tests-workspace
- name: check-result
workspaces:
- name: data
workspace: tests-workspace
runAfter:
- run-task
taskSpec:
workspaces:
- name: data
steps:
- name: check-result
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env bash
set -ex

# Count the number of InternalRequests
requestsCount=$(kubectl get InternalRequest -o json | jq -r '.items | length')

# Check if the number of InternalRequests is as expected
if [ "$requestsCount" -ne 1 ]; then
echo "Unexpected number of InternalRequests. Expected: 1, Found: $requestsCount"
exit 1
fi

internalRequest=$(kubectl get InternalRequest -o json | jq -r '.items[0]')

# Check the request field
if [ "$(echo "$internalRequest" | jq -r '.spec.request' )" != "create-advisory" ]; then
echo "InternalRequest doesn't contain 'create-advisory' in 'request' field"
exit 1
fi

# Check the advisory_json parameter
if [[ "$(echo "$internalRequest" | jq -r '.spec.params.advisory_json' )" != \
'{"type":"RHSA"'* ]]; then
echo "The advisory_json should have had its type overwritten to RHSA because there were CVEs"
echo "in the releaseNotes. However, it was not"
exit 1
fi
finally:
- name: cleanup
taskSpec:
steps:
- name: delete-crs
image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
script: |
#!/usr/bin/env sh
set -eux

kubectl delete internalrequests --all
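Review bot: the advisory_json assertion `'{"type":"RHSA"'*` depends on `type` being serialised as the first key, which only holds because it is the first key in data.json and jq keeps that position on `.type = "RHSA"`; it would miss the override if the key order changed. Parse the parameter instead: `[ "$(echo "$internalRequest" | jq -r '.spec.params.advisory_json | fromjson | .type')" = "RHSA" ]`. The same step also mixes `[ ]` for the `request` check with `[[ ]]` for this one; pick one form.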