crc-org / crc

CRC is a tool to help you run containers. It manages a local OpenShift 4.x cluster, Microshift or a Podman VM optimized for testing and development purposes
https://crc.dev
Apache License 2.0

CI: Add .snyk file to be consumed by openshift ci's security scanning #4102

Closed praveenkumar closed 7 months ago

praveenkumar commented 7 months ago

https://github.com/openshift/release/pull/48942 is currently merged, which means security scanning can now run on the CI for each PR (non-blocking), and the .snyk config file has the details of what to run or ignore.

We need to review the CVEs raised by the scan to figure out whether they are valid in the crc context and take appropriate action.

cfergeau commented 7 months ago

I'm unimpressed that the first step we have to take (as all other OpenShift projects) is to disable security checks for the whole vendor/ directory. There is a lot of code we run in there, and this is code we never really look at, and we also tell our security scanner not to look at it?

cfergeau commented 7 months ago

How many snyk issues are reported if we don't ignore vendor/?

cfergeau commented 7 months ago

We also have a tools/vendor directory.

praveenkumar commented 7 months ago

> How many snyk issues are reported if we don't ignore vendor/?

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/48942/rehearse-48942-pull-ci-crc-org-crc-main-security/1775530026075164672 check the logs; this was run as part of the rehearse job when we hadn't added any .snyk file.

> We also have a tools/vendor directory.

Yes, will add that, but as of now there is no vulnerability found in tools/vendor.

cfergeau commented 7 months ago

> Yes, will add that, but as of now there is no vulnerability found in tools/vendor.

There are a few matches for tools/vendor in the prow link you gave.

praveenkumar commented 7 months ago

> There are a few matches for tools/vendor in the prow link you gave.

That was for the rehearse job which I provided you; for this PR the link is the https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/crc-org_crc/4102/pull-ci-crc-org-crc-main-security/1775844349024669696 one.

cfergeau commented 7 months ago

> > There are a few matches for tools/vendor in the prow link you gave.
>
> That was for the rehearse job which I provided you; for this PR the link is the https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/crc-org_crc/4102/pull-ci-crc-org-crc-main-security/1775844349024669696 one.

The rehearse job was getting some results in tools/vendor, this PR link is not showing any results in tools/vendor, but I don't understand why.

praveenkumar commented 7 months ago

> > > There are a few matches for tools/vendor in the prow link you gave.
> >
> > That was for the rehearse job which I provided you; for this PR the link is the https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/crc-org_crc/4102/pull-ci-crc-org-crc-main-security/1775844349024669696 one.
>
> The rehearse job was getting some results in tools/vendor, this PR link is not showing any results in tools/vendor, but I don't understand why.

Maybe because of https://docs.snyk.io/snyk-cli/commands/test#exclude-less-than-name-greater-than-less-than-name-greater-than-...greater-than, which mentions how exclude works: in this case, doesn't it skip scanning any directory with the name vendor?

cfergeau commented 7 months ago

> > > > There are a few matches for tools/vendor in the prow link you gave.
> > >
> > > That was for the rehearse job which I provided you; for this PR the link is the https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/crc-org_crc/4102/pull-ci-crc-org-crc-main-security/1775844349024669696 one.
> >
> > The rehearse job was getting some results in tools/vendor, this PR link is not showing any results in tools/vendor, but I don't understand why.
>
> Maybe because of https://docs.snyk.io/snyk-cli/commands/test#exclude-less-than-name-greater-than-less-than-name-greater-than-...greater-than, which mentions how exclude works: in this case, doesn't it skip scanning any directory with the name vendor?

Ah yes, that's likely. I was suspecting a behaviour like this; this is why I searched for https://docs.snyk.io/scan-with-snyk/import-project-repository/excluding-directories-and-files-from-the-import-process#syntax-to-use-to-exclude-files-and-directories-from-snyk-code-testing , which rather unhelpfully says the opposite!

        # Exclude a single directory. For example, - src/lib
        - source/directory_name
        # Exclude all files and directories in a specific directory. For example, - tests/
        - directory_name/**
praveenkumar commented 7 months ago

> > > > > There are a few matches for tools/vendor in the prow link you gave.
> > > >
> > > > That was for the rehearse job which I provided you; for this PR the link is the https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/crc-org_crc/4102/pull-ci-crc-org-crc-main-security/1775844349024669696 one.
> > >
> > > The rehearse job was getting some results in tools/vendor, this PR link is not showing any results in tools/vendor, but I don't understand why.
> >
> > Maybe because of https://docs.snyk.io/snyk-cli/commands/test#exclude-less-than-name-greater-than-less-than-name-greater-than-...greater-than, which mentions how exclude works: in this case, doesn't it skip scanning any directory with the name vendor?
>
> Ah yes, that's likely. I was suspecting a behaviour like this; this is why I searched for https://docs.snyk.io/scan-with-snyk/import-project-repository/excluding-directories-and-files-from-the-import-process#syntax-to-use-to-exclude-files-and-directories-from-snyk-code-testing , which rather unhelpfully says the opposite!
>
>         # Exclude a single directory. For example, - src/lib
>         - source/directory_name
>         # Exclude all files and directories in a specific directory. For example, - tests/
>         - directory_name/**

Yes that's confusing, I added https://docs.snyk.io/snyk-cli/commands/test#exclude-less-than-name-greater-than-less-than-name-greater-than-...greater-than as reference doc so that we are sure how it is ignored.
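To make the two readings of an exclude rule discussed above concrete, here is an added example (not code from the crc project or from Snyk) that models them over a constructed file list: a bare name that matches any path component, as the CLI `--exclude` docs linked above are read in this thread, versus a root-anchored `vendor/**` pattern in the style of the Snyk Code docs. The function and file names are assumptions made for the illustration.

```python
from fnmatch import fnmatch
from pathlib import PurePosixPath

# Constructed sample of files a scanner would walk in a repo laid out like crc
# (a top-level vendor/ tree plus a second tools/vendor/ tree). Not the real file list.
SAMPLE_FILES = [
    "pkg/crc/machine/start.go",
    "vendor/github.com/example/lib/lib.go",
    "tools/tools.go",
    "tools/vendor/github.com/example/tool/tool.go",
    "cmd/crc/main.go",
]


def excluded_by_name(path, names):
    """Name-based exclusion as the thread reads the CLI --exclude docs:
    a file is skipped if ANY directory component equals an excluded name,
    so the single name 'vendor' silently covers tools/vendor as well."""
    return any(part in names for part in PurePosixPath(path).parts[:-1])


def excluded_by_pattern(path, patterns):
    """Root-anchored glob exclusion in the style of the Snyk Code docs
    ('directory_name/**'). fnmatch's '*' also matches '/', so 'vendor/**'
    covers the whole top-level vendor tree but not tools/vendor."""
    return any(fnmatch(path, pat) for pat in patterns)


def scanned_files(files, exclude_fn, rules):
    """Files that would still reach the scanner under the given rule."""
    return [f for f in files if not exclude_fn(f, rules)]


def unscanned_vendored(files, exclude_fn, rules):
    """Defender's check: list the vendored code (code that is built and run)
    that the exclusion rule keeps the scanner from ever looking at."""
    kept = set(scanned_files(files, exclude_fn, rules))
    return sorted(f for f in files if f not in kept)


if __name__ == "__main__":
    for label, fn, rules in (
        ("name 'vendor'", excluded_by_name, {"vendor"}),
        ("pattern 'vendor/**'", excluded_by_pattern, ["vendor/**"]),
    ):
        print(f"== excluding by {label} ==")
        for f in unscanned_vendored(SAMPLE_FILES, fn, rules):
            print("  never scanned:", f)
```

Running it shows why results from tools/vendor vanish once a bare `vendor` exclusion is in place, while the `vendor/**` form would have left that second tree visible to the scanner.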

cfergeau commented 7 months ago

> Yes that's confusing, I added https://docs.snyk.io/snyk-cli/commands/test#exclude-less-than-name-greater-than-less-than-name-greater-than-...greater-than as reference doc so that we are sure how it is ignored.

I filed https://github.com/snyk/user-docs/issues/255

openshift-ci[bot] commented 7 months ago

@praveenkumar: The following tests failed, say `/retest` to rerun all failed tests or `/retest-required` to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/security | 4b4c70936c8b57e936faf08fa9ad8bf36f2a35c2 | link | false | /test security |
| ci/prow/integration-crc | 4b4c70936c8b57e936faf08fa9ad8bf36f2a35c2 | link | true | /test integration-crc |
| ci/prow/e2e-crc | 4b4c70936c8b57e936faf08fa9ad8bf36f2a35c2 | link | true | /test e2e-crc |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

openshift-ci[bot] commented 7 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cfergeau

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/crc-org/crc/blob/main/OWNERS)~~ [cfergeau]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.