hansinikarunarathne commented 4 days ago

Pull Request Template for Kubeflow manifests Issues

Please include a summary of changes and the related issue.
List any dependencies that are required for this change.
Please delete the options that are not relevant.
The following checklist will help you to satisfy the requirements.

✏️ A brief description of the changes

Fixed the requested chnages

✅ Contributor checklist

[X] All the commits have been signed-off (To pass the DCO check)
[X] Submit the Contributor License Agreements (To pass the cla/google check)

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

juliusvonkohout commented 4 days ago

Please also get rid of the /documents AND /image_lists folderS in this PR and address all comments from the previous PR.

juliusvonkohout commented 4 days ago

I see for example

File ../image_lists/kf_latest_model-registry_images.txt successfully created File ../image_lists/kf_latest_all_images.txt successfully created Started scanning images Scanning images in ../image_lists/kf_latest_workbenches_images.txt Scanning centraldashboard:v1.9.0-rc.0

Scanning jupyter-web-app:v1.9.0-rc.0

...

can we have something like

Scanning images in ../image_lists/kf_latest_workbenches_images.txt Scanning centraldashboard:v1.9.0-rc.0	Critical	High	Medium	Low
1	2	3	4

Scanning jupyter-web-app:v1.9.0-rc.0	Critical	High	Medium	Low
5	6	7	8

...

? So a mini table per image in the logs. This makes it easier to verify the numbers for third parties.

hansinikarunarathne commented 3 days ago

Please also get rid of the /documents AND /image_lists folderS in this PR and address all comments from the previous PR.

I fixed it. Can you check it ?

hansinikarunarathne commented 3 days ago

I see for example

File ../image_lists/kf_latest_model-registry_images.txt successfully created File ../image_lists/kf_latest_all_images.txt successfully created Started scanning images Scanning images in ../image_lists/kf_latest_workbenches_images.txt Scanning centraldashboard:v1.9.0-rc.0

Scanning jupyter-web-app:v1.9.0-rc.0

...

can we have something like

Scanning images in ../image_lists/kf_latest_workbenches_images.txt Scanning centraldashboard:v1.9.0-rc.0

Critical High Medium Low 1 2 3 4 Scanning jupyter-web-app:v1.9.0-rc.0

Critical High Medium Low 5 6 7 8 ...

? So a mini table per image in the logs. This makes it easier to verify the numbers for third parties.

Added the table for each log of scanning

juliusvonkohout commented 3 days ago

ah and it should not run on pull requests by default. It should run only if a PR has been merged into the master branch. This blocks other PRs such as https://github.com/kubeflow/manifests/pull/2769 because it takes 40 minutes to run.

Add i think the formatting is a bit off It should look like

Started scanning images
Scanning images in ../image_lists/kf_latest_workbenches_images.txt
Scanning  docker.io/kubeflownotebookswg/centraldashboard:v1.9.0-rc.0
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    1     |  11  |   37   |  4  |
+----------+------+--------+-----+

Scanning  docker.io/kubeflownotebookswg/jupyter-web-app:v1.9.0-rc.0
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    1     |  11  |   39   |  67 |
+----------+------+--------+-----+

instead of

Started scanning images
Scanning images in ../image_lists/kf_latest_workbenches_images.txt
Scanning  docker.io/kubeflownotebookswg/centraldashboard:v1.9.0-rc.0

+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    1     |  11  |   37   |  4  |
+----------+------+--------+-----+
Scanning  docker.io/kubeflownotebookswg/jupyter-web-app:v1.9.0-rc.0

+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    1     |  11  |   39   |  67 |
+----------+------+--------+-----+

juliusvonkohout commented 3 days ago

@AndersBennedsgaard I hope you can verify the CVE numbers per image and WG independently.

AndersBennedsgaard commented 3 days ago

@AndersBennedsgaard I hope you can verify the CVE numbers per image and WG independently.

@juliusvonkohout did you mean to tag @hansinikarunarathne instead ?

juliusvonkohout commented 2 days ago

@AndersBennedsgaard I hope you can verify the CVE numbers per image and WG independently.

@juliusvonkohout did you mean to tag @hansinikarunarathne instead ?

No, i would like others to validate as well.

AndersBennedsgaard commented 2 days ago

@juliusvonkohout I'm not entirely sure what you mean. Do you want me to check if all Kubeflow images are caught by the script, or do you want me to run Trivy on the same images? Running Trivy to verify the numbers are the same when running locally version in GH actions seems redundant - especially due to the time it takes to scan all the images.

However, speaking of the time to scan: you could probably introduce threading/multi-processing when scanning different images to speed up the script by a lot, since it should be possible to run the trivy command concurrently.

juliusvonkohout commented 2 days ago

Do you want me to check if all Kubeflow images are caught by the script

Yes, if you think that the CVE numbers are not worth checking.

hansinikarunarathne commented 2 days ago

ah and it should not run on pull requests by default. It should run only if a PR has been merged into the master branch. This blocks other PRs such as #2769 because it takes 40 minutes to run.

Add i think the formatting is a bit off It should look like

Started scanning images
Scanning images in ../image_lists/kf_latest_workbenches_images.txt
Scanning  docker.io/kubeflownotebookswg/centraldashboard:v1.9.0-rc.0
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    1     |  11  |   37   |  4  |
+----------+------+--------+-----+

Scanning  docker.io/kubeflownotebookswg/jupyter-web-app:v1.9.0-rc.0
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    1     |  11  |   39   |  67 |
+----------+------+--------+-----+

instead of

Started scanning images
Scanning images in ../image_lists/kf_latest_workbenches_images.txt
Scanning  docker.io/kubeflownotebookswg/centraldashboard:v1.9.0-rc.0

+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    1     |  11  |   37   |  4  |
+----------+------+--------+-----+
Scanning  docker.io/kubeflownotebookswg/jupyter-web-app:v1.9.0-rc.0

+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    1     |  11  |   39   |  67 |
+----------+------+--------+-----+

I made the adjustment according to this

google-oss-prow[bot] commented 2 days ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: AndersBennedsgaard Once this PR has been reviewed and has the lgtm label, please assign kimwnasptd for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files: - **[OWNERS](https://github.com/kubeflow/manifests/blob/master/OWNERS)** Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

kubeflow / manifests

Improve the trivy CVE scanning output #2764

Pull Request Template for Kubeflow manifests Issues

✏️ A brief description of the changes

✅ Contributor checklist