SAP / jenkins-library

Jenkins shared library for Continuous Delivery pipelines.
https://www.project-piper.io
Apache License 2.0

Feature Request: Enable Black Duck Binary Analysis (fka Protecode) with Kaniko Multiple Docker Images #4892

Closed Johannes-Schneider closed 3 months ago

Johannes-Schneider commented 5 months ago

Dear team,

we are currently building a new Release pipeline using Hyperspace, GitHub Actions, and the general purpose Piper pipeline. Our pipeline produces multiple Docker images using the kanikoExecute with multipleImages approach.

Once the build step succeeds, we want to scan all of the built images with Black Duck Binary Analysis (aka Protecode) using the regular protecodeExecuteScan step. However, the scan step fails with the following error:

info  protecodeExecuteScan - fatal error: errorDetails{"category":"undefined","correlationId":"<our-repo>/actions/runs/5667887","error":"failed to get Docker image: failed to download docker image: could not parse reference: 363001348081-20240411-075333575-56.staging.repositories.cloud.sap/:0.0.1-20240411075300_e6e66afc774fe29c78e1bca4aaa39d9e2abe5b4f","library":"SAP/jenkins-library","message":"Failed to execute protecode scan.","result":"failure","stepName":"protecodeExecuteScan","time":"2024-04-11T08:02:57.6752669Z"}

When inspecting the environment of the step, I found the following (interesting) values to be present:

PIPER_ACTION_PIPELINE_ENV: {
    "container/imageDigests":null,
    "container/imageNameTag":":0.0.1-20240411075300_e6e66afc774fe29c78e1bca4aaa39d9e2abe5b4f",
    "container/imageNameTags":["com.sap.ai/nvidia-installer-1312.3.0-535.86.10:nvidia-poc-0.0.1"],
    "container/imageNames":["com.sap.ai/nvidia-installer-1312.3.0-535.86.10"],
    "container/registryUrl":"https://363001348081-20240411-075333575-56.staging.repositories.cloud.sap/"
}

As per the documentation, the protecodeExecuteScan will consider one scan image only (which might be read from the container/imageNameTag common pipeline environment variable).

To make our use case work, however, we would need the scan to also consider the container/imageNameTags common environment variable.

Would it be possible to build such a feature in the somewhat near future?

Best regards, Johannes
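The failure above comes from a scan step that reads only container/imageNameTag, which in the multipleImages case holds an empty repository name with a tag (":0.0.1-..."), so the registry client cannot parse the reference. The following Go code is an added example, not part of the issue or of the jenkins-library code base: a hypothetical ScanReferences helper that parses the PIPER_ACTION_PIPELINE_ENV keys quoted in the issue, prefers container/imageNameTags, falls back to container/imageNameTag, and rejects a malformed name/tag before any download is attempted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)
// pipelineEnv mirrors the keys of PIPER_ACTION_PIPELINE_ENV quoted in the issue.
type pipelineEnv struct {
	ImageNameTag  string   `json:"container/imageNameTag"`
	ImageNameTags []string `json:"container/imageNameTags"`
	RegistryURL   string   `json:"container/registryUrl"`
}

// ScanReferences (hypothetical helper, not a Piper API) returns every image
// reference a scan step should submit: it prefers container/imageNameTags
// (the multipleImages case) and falls back to container/imageNameTag. An
// entry with an empty repository name, such as the ":0.0.1-..." value from
// the issue, is rejected here instead of reaching the registry client.
func ScanReferences(raw string) ([]string, error) {
	var env pipelineEnv
	if err := json.Unmarshal([]byte(raw), &env); err != nil {
		return nil, fmt.Errorf("parse pipeline env: %w", err)
	}
	u, err := url.Parse(env.RegistryURL)
	if err != nil || u.Host == "" {
		return nil, fmt.Errorf("invalid registry URL %q", env.RegistryURL)
	}
	candidates := env.ImageNameTags
	if len(candidates) == 0 && env.ImageNameTag != "" {
		candidates = []string{env.ImageNameTag}
	}
	if len(candidates) == 0 {
		return nil, fmt.Errorf("no image name/tag found in pipeline env")
	}
	refs := make([]string, 0, len(candidates))
	for _, c := range candidates {
		// The tag follows the last ':'; name and tag must be non-empty and
		// the tag must not contain a path separator.
		i := strings.LastIndex(c, ":")
		if i <= 0 || i == len(c)-1 || strings.Contains(c[i+1:], "/") {
			return nil, fmt.Errorf("malformed image name/tag %q", c)
		}
		refs = append(refs, u.Host+"/"+c)
	}
	return refs, nil
}
func main() { fmt.Println(ScanReferences(`{"container/imageNameTags":["a/b:1"],"container/registryUrl":"https://reg.example/"}`)) }
```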

github-actions[bot] commented 3 months ago

Thank you for your contribution! This issue is stale because it has been open 60 days with no activity. In order to keep it open, please remove stale label or add a comment within the next 10 days. If you need a Piper team member to remove the stale label make sure to add @SAP/jenkins-library-team to your comment.

github-actions[bot] commented 3 months ago

Issue got stale and no further activity happened. It has automatically been closed. Please re-open in case you still consider it relevant.