solo-io / go-utils

golang utilities
Apache License 2.0

[13501] Continue security scanning but highlight missing images #524

Closed t-edris closed 6 months ago

t-edris commented 6 months ago

Previously, when an image for a specific version was unable to be found, the remaining images for that version would be skipped as a result. This behavior has been changed so a clear error message will be visible on the generated vulnerability report for that image and the remaining images will be scanned.

Example usage of new flag

```
❯ cat developerDebugInstructions.md
## Debug Instructions

Use `make run-local-security-checks` to reproduce these results manually on your machine.

For quick iteration, choose an image to focus on (perhaps one with the majority of the CVEs) and run scans against it individually before ensuring the fixes have worked for all the images.

For example, use `make mgmt-server-image` to build the `mgmt-server` image and `./trivy image --severity HIGH,CRITICAL gcr.io/gloo-mesh/gloo-mesh-mgmt-server:${VERSION}` to scan it.

The UI image often has unique CVEs because it is built from separate Dockerfiles than the others. For this one, run `make ui-docker` and `./trivy image --severity HIGH,CRITICAL gcr.io/gloo-mesh/gloo-mesh-ui:${VERSION}`
❯ go run cli/main.go scan-repo -v -i ../../gloo-mesh-enterprise/docs/cmd/imageVersionConstraints.csv \
-c ">=v2.1.0-0" \
-r gcr.io/gloo-mesh \
-g gloo-mesh-enterprise \
-a none \
-d developerDebugInstructions.md
```

Along with some temp code to output the final MD to a local file rather than a GH issue, just for this demo

```go
func (g *GithubIssueWriter) CreateUpdateVulnerabilityIssue(. . .) error {
. . .
    // Temporary: write the report markdown to a local file instead of a GitHub issue.
    f, err := os.Create("testGeneratedFile.md")
    if err != nil {
        return err
    }
    defer f.Close() // the snippet as posted never closed the file handle
    if _, err := f.WriteString(vulnerabilityMarkdown); err != nil {
        return err
    }
    if err := f.Sync(); err != nil {
        return err
    }
. . .
}
```

The generated file: [screenshot, 2023-12-11 10:42:01 AM]

also includes the new error: [screenshot, 2023-12-11 10:42:20 AM]

The expected usage of this would be in gloo-mesh-enterprise, similar to the usage of docs/cmd/imageVersionConstraints.csv.

BOT NOTES: resolves https://github.com/solo-io/gloo-mesh-enterprise/issues/13501
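The behaviour change described in this PR, as an added Go example that is not go-utils or gloo-mesh code: a per-version scan loop that records a lookup failure against the image that caused it and keeps going, next to the earlier stop-at-first-error loop for contrast, plus a markdown renderer that prints an explicit error line for each image that could not be scanned. `ErrImageNotFound`, `ScanFunc`, `ImageReport`, `ScanVersionSkipOnError`, `ScanVersionContinue`, `RenderMarkdown` and `fakeScanner` are names chosen for this example, and the registry, image names and finding IDs are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrImageNotFound is what the scanner returns when a tag does not exist in the
// registry. This error, ScanFunc and the report types are example assumptions.
var ErrImageNotFound = errors.New("image not found in registry")

// Finding is one HIGH/CRITICAL vulnerability reported for an image.
type Finding struct {
	ID       string // placeholder identifiers are used below
	Severity string
}

// ScanFunc scans one fully qualified image reference (a stand-in for a trivy run).
type ScanFunc func(image string) ([]Finding, error)

// ImageReport holds the outcome for a single image: its findings, or the error
// that prevented scanning, so a missing image is visible in the report.
type ImageReport struct {
	Image    string
	Findings []Finding
	Err      error
}

// ScanVersionSkipOnError models the previous behaviour: the first lookup failure
// returns early, so every later image for that version is never scanned.
func ScanVersionSkipOnError(images []string, scan ScanFunc) ([]ImageReport, error) {
	var reports []ImageReport
	for _, img := range images {
		findings, err := scan(img)
		if err != nil {
			return reports, fmt.Errorf("scanning %s: %w", img, err)
		}
		reports = append(reports, ImageReport{Image: img, Findings: findings})
	}
	return reports, nil
}

// ScanVersionContinue models the new behaviour: the failure is recorded against
// the image that caused it and the loop moves on to the remaining images.
func ScanVersionContinue(images []string, scan ScanFunc) []ImageReport {
	reports := make([]ImageReport, 0, len(images))
	for _, img := range images {
		findings, err := scan(img)
		reports = append(reports, ImageReport{Image: img, Findings: findings, Err: err})
	}
	return reports
}

// RenderMarkdown builds the body of the vulnerability issue. An image that could
// not be scanned gets an explicit error line rather than an empty section.
func RenderMarkdown(version string, reports []ImageReport) string {
	var b strings.Builder
	fmt.Fprintf(&b, "# Vulnerability report for %s\n\n", version)
	for _, r := range reports {
		fmt.Fprintf(&b, "## %s\n", r.Image)
		switch {
		case r.Err != nil:
			fmt.Fprintf(&b, "**ERROR: image could not be scanned: %v**\n\n", r.Err)
		case len(r.Findings) == 0:
			b.WriteString("No HIGH/CRITICAL vulnerabilities found.\n\n")
		default:
			for _, f := range r.Findings {
				fmt.Fprintf(&b, "- %s (%s)\n", f.ID, f.Severity)
			}
			b.WriteString("\n")
		}
	}
	return b.String()
}

// fakeResults replaces a real registry and trivy run; every value here is
// constructed for the example and describes no real image.
var fakeResults = map[string][]Finding{
	"registry.example/mesh/mgmt-server:v2.1.0": {{ID: "CVE-PLACEHOLDER-1", Severity: "HIGH"}},
	"registry.example/mesh/agent:v2.1.0":       {},
}

// fakeScanner reports any image absent from fakeResults as not found.
func fakeScanner(image string) ([]Finding, error) {
	findings, ok := fakeResults[image]
	if !ok {
		return nil, ErrImageNotFound
	}
	return findings, nil
}

func main() {
	images := []string{"registry.example/mesh/mgmt-server:v2.1.0", "registry.example/mesh/ui:v2.1.0", "registry.example/mesh/agent:v2.1.0"}
	old, err := ScanVersionSkipOnError(images, fakeScanner)
	fmt.Printf("previous behaviour: %d of %d images scanned, err=%v\n\n", len(old), len(images), err)
	fmt.Print(RenderMarkdown("v2.1.0", ScanVersionContinue(images, fakeScanner)))
}
```

With the `ui` tag missing from the fake registry, the old loop stops after one image and returns an error, while the new loop produces three sections, one of which is the bold error line; the `agent` image after the missing one is still scanned.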

t-edris commented 6 months ago

Unsure why changelog-bot expects v0.24.9. v0.24.8 is the latest release and there have been no commits to main since it has been released.

Maybe because the changelog doesn't have BREAKING_CHANGE?

marcogschmidt commented 6 months ago

> Unsure why changelog-bot expects v0.24.9. v0.24.8 is the latest release and there have been no commits to main since it has been released.
>
> Maybe because the changelog doesn't have BREAKING_CHANGE?

I think that's it. The last release is v0.24.8 and since you have marked this as FIX/NEW_FEATURE, it's expecting only a patch version bump.

Post-v1.0.0, a NEW_FEATURE will require a minor version bump, but for major version 0 the rules are different. Would have to check the changelog bot logic (which is in the changelogutils package in this repo IIRC).

solo-changelog-bot[bot] commented 6 months ago

Issues linked to changelog: https://github.com/solo-io/gloo-mesh-enterprise/issues/13501

solo-changelog-bot[bot] commented 6 months ago

Issues linked to changelog: https://github.com/solo-io/gloo-mesh-enterprise/issues/13499 https://github.com/solo-io/gloo-mesh-enterprise/issues/13501