Open hansinikarunarathne opened 4 days ago
Please also get rid of the /documents AND /image_lists folderS in this PR and address all comments from the previous PR.
I see for example
File ../image_lists/kf_latest_model-registry_images.txt successfully created File ../image_lists/kf_latest_all_images.txt successfully created Started scanning images Scanning images in ../image_lists/kf_latest_workbenches_images.txt Scanning centraldashboard:v1.9.0-rc.0
Scanning jupyter-web-app:v1.9.0-rc.0
...
can we have something like
Scanning images in ../image_lists/kf_latest_workbenches_images.txt Scanning centraldashboard:v1.9.0-rc.0 | Critical | High | Medium | Low |
---|---|---|---|---|
1 | 2 | 3 | 4 |
Scanning jupyter-web-app:v1.9.0-rc.0 | Critical | High | Medium | Low |
---|---|---|---|---|
5 | 6 | 7 | 8 |
...
? So a mini table per image in the logs. This makes it easier to verify the numbers for third parties.
Please also get rid of the /documents AND /image_lists folderS in this PR and address all comments from the previous PR.
I fixed it. Can you check it ?
I see for example
File ../image_lists/kf_latest_model-registry_images.txt successfully created File ../image_lists/kf_latest_all_images.txt successfully created Started scanning images Scanning images in ../image_lists/kf_latest_workbenches_images.txt Scanning centraldashboard:v1.9.0-rc.0
Scanning jupyter-web-app:v1.9.0-rc.0
...
can we have something like
Scanning images in ../image_lists/kf_latest_workbenches_images.txt Scanning centraldashboard:v1.9.0-rc.0
Critical High Medium Low 1 2 3 4 Scanning jupyter-web-app:v1.9.0-rc.0
Critical High Medium Low 5 6 7 8 ...
? So a mini table per image in the logs. This makes it easier to verify the numbers for third parties.
Added the table for each log of scanning
ah and it should not run on pull requests by default. It should run only if a PR has been merged into the master branch. This blocks other PRs such as https://github.com/kubeflow/manifests/pull/2769 because it takes 40 minutes to run.
Add i think the formatting is a bit off It should look like
Started scanning images
Scanning images in ../image_lists/kf_latest_workbenches_images.txt
Scanning docker.io/kubeflownotebookswg/centraldashboard:v1.9.0-rc.0
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
| 1 | 11 | 37 | 4 |
+----------+------+--------+-----+
Scanning docker.io/kubeflownotebookswg/jupyter-web-app:v1.9.0-rc.0
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
| 1 | 11 | 39 | 67 |
+----------+------+--------+-----+
instead of
Started scanning images
Scanning images in ../image_lists/kf_latest_workbenches_images.txt
Scanning docker.io/kubeflownotebookswg/centraldashboard:v1.9.0-rc.0
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
| 1 | 11 | 37 | 4 |
+----------+------+--------+-----+
Scanning docker.io/kubeflownotebookswg/jupyter-web-app:v1.9.0-rc.0
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
| 1 | 11 | 39 | 67 |
+----------+------+--------+-----+
@AndersBennedsgaard I hope you can verify the CVE numbers per image and WG independently.
@AndersBennedsgaard I hope you can verify the CVE numbers per image and WG independently.
@juliusvonkohout did you mean to tag @hansinikarunarathne instead ?
@AndersBennedsgaard I hope you can verify the CVE numbers per image and WG independently.
@juliusvonkohout did you mean to tag @hansinikarunarathne instead ?
No, i would like others to validate as well.
@juliusvonkohout I'm not entirely sure what you mean. Do you want me to check if all Kubeflow images are caught by the script, or do you want me to run Trivy on the same images? Running Trivy to verify the numbers are the same when running locally version in GH actions seems redundant - especially due to the time it takes to scan all the images.
However, speaking of the time to scan: you could probably introduce threading/multi-processing when scanning different images to speed up the script by a lot, since it should be possible to run the trivy
command concurrently.
Do you want me to check if all Kubeflow images are caught by the script
Yes, if you think that the CVE numbers are not worth checking.
ah and it should not run on pull requests by default. It should run only if a PR has been merged into the master branch. This blocks other PRs such as #2769 because it takes 40 minutes to run.
Add i think the formatting is a bit off It should look like
Started scanning images Scanning images in ../image_lists/kf_latest_workbenches_images.txt Scanning docker.io/kubeflownotebookswg/centraldashboard:v1.9.0-rc.0 +----------+------+--------+-----+ | Critical | High | Medium | Low | +----------+------+--------+-----+ | 1 | 11 | 37 | 4 | +----------+------+--------+-----+ Scanning docker.io/kubeflownotebookswg/jupyter-web-app:v1.9.0-rc.0 +----------+------+--------+-----+ | Critical | High | Medium | Low | +----------+------+--------+-----+ | 1 | 11 | 39 | 67 | +----------+------+--------+-----+
instead of
Started scanning images Scanning images in ../image_lists/kf_latest_workbenches_images.txt Scanning docker.io/kubeflownotebookswg/centraldashboard:v1.9.0-rc.0 +----------+------+--------+-----+ | Critical | High | Medium | Low | +----------+------+--------+-----+ | 1 | 11 | 37 | 4 | +----------+------+--------+-----+ Scanning docker.io/kubeflownotebookswg/jupyter-web-app:v1.9.0-rc.0 +----------+------+--------+-----+ | Critical | High | Medium | Low | +----------+------+--------+-----+ | 1 | 11 | 39 | 67 | +----------+------+--------+-----+
I made the adjustment according to this
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: AndersBennedsgaard Once this PR has been reviewed and has the lgtm label, please assign kimwnasptd for approval. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
Pull Request Template for Kubeflow manifests Issues
✏️ A brief description of the changes
✅ Contributor checklist
DCO
check)cla/google
check)