zephyrproject-rtos / infrastructure

Zephyr Project Infrastructure Management

Setup and integrate ECLAIR SCA into infrastructure #194

Open simhein opened 3 months ago

simhein commented 3 months ago

A proof of concept was created to integrate the ECLAIR SCA into the zephyr CI. The proof of concept was done on the following fork/branch: https://github.com/simhein/zephyr/tree/eclair_ci_integration

The next step would be to set up and integrate the ECLAIR SCA into the zephyr infrastructure itself.

Steps that need to be done:

stephanosio commented 3 months ago

> Setup the license server in a containerized environment

It is possible to deploy a containerised license server on a private network that is accessible from the CI runners (zephyr-runner v2).

For this, we will need a Docker image (preferably from the ECLAIR developers themselves) that includes the license server binaries and allows loading the license file from a specific location.

The Kubernetes deployment will include:

* a Pod that runs the above Docker image.

* a ConfigMap that contains the content of the license file (mounted by the above Pod).

* a Service that exports the license server ports (DNS-resolvable from the zephyr-runner v2 pods by Service name).

> Setup the SCA tool ECLAIR itself in a containerized environment

We would want the ECLAIR SCA tool to be running inside a GitHub Actions workflow using a zephyr-runner v2 runner scale set.

Ideally, this would be done by including the ECLAIR SCA tool binaries into the main CI image; however, this would require the ECLAIR licence to allow publicly redistributing the ECLAIR binaries (unlikely?).

If the ECLAIR licence does not allow public redistribution, we will need to create a dedicated private Docker image, based on the public main CI image, that includes the ECLAIR SCA tool binaries.
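As an added illustration of the workflow side described above (not code from Simon's PoC branch or from the zephyr repository), the following GitHub Actions job runs the analysis on a zephyr-runner v2 runner scale set inside a private CI image, so the ECLAIR binaries are pulled from a private registry with repository secrets rather than published. The runner label, image name, secret names, license-server host name, environment variable name, report path and the `ZEPHYR_SCA_VARIANT=eclair` build option are assumptions, not values taken from this issue.

```yaml
# Added example, not part of the zephyrproject-rtos/infrastructure repository.
# All names marked "assumed" below are placeholders to be replaced with the
# real runner label, image, secrets and ECLAIR settings.
name: ECLAIR SCA

on:
  pull_request:
    branches: [main]

jobs:
  eclair:
    # assumed zephyr-runner v2 runner scale set label
    runs-on: zephyr-runner-v2-linux-x64-4xlarge
    # Private image derived from the public main CI image, so the ECLAIR
    # binaries are never redistributed. Pull credentials come from repository
    # secrets (assumed names) and are never written to the workflow file.
    container:
      image: ghcr.io/ORG/ci-eclair:TAG
      credentials:
        username: ${{ secrets.ECLAIR_IMAGE_PULL_USER }}
        password: ${{ secrets.ECLAIR_IMAGE_PULL_TOKEN }}
    env:
      # The license server is reached by its Kubernetes Service name on the
      # private network; the variable name is a placeholder, not an ECLAIR setting.
      ECLAIR_LICENSE_SERVER_HOST: eclair-license-server.eclair.svc
    steps:
      - uses: actions/checkout@v4
      - name: Run ECLAIR analysis
        # Zephyr's SCA integration selects the tool with ZEPHYR_SCA_VARIANT
        # (assumed to be the "eclair" variant from the PoC); board and sample
        # are placeholders for whatever the real job builds.
        run: |
          west init -l . || true
          west update
          west build -b qemu_x86 samples/hello_world -- -DZEPHYR_SCA_VARIANT=eclair
      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: eclair-report
          path: build/sca/   # assumed location of the generated report
```

Because the job runs in a container on the runner scale set, the only things that have to be reachable from it are the private registry (for the image pull) and the license server Service; nothing in the public zephyr image or the workflow file carries ECLAIR binaries or license material.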

simhein commented 2 months ago

Sorry for my late response on your reply.

> Setup the license server in a containerized environment
>
> It is possible to deploy a containerised license server on a private network that is accessible from the CI runners (zephyr-runner v2).
>
> For this, we will need a Docker image (preferably from the ECLAIR developers themselves) that includes the license server binaries and allows loading the license file from a specific location.

I checked on this and they have a prepared Docker image, but maybe we need to adapt it because that image installs the license server binaries and the SCA tool in the same container. But I will contact them to get more information.

> The Kubernetes deployment will include:
>
> * a Pod that runs the above Docker image.
>
> * a ConfigMap that contains the content of the license file (mounted by the above Pod).
>
> * a Service that exports the license server ports (DNS-resolvable from the zephyr-runner v2 pods by Service name).
>
> Setup the SCA tool ECLAIR itself in a containerized environment
>
> We would want the ECLAIR SCA tool to be running inside a GitHub Actions workflow using a zephyr-runner v2 runner scale set.

A PoC was done for the Actions workflow; I will work on it to bring it into good shape so it can be used with the runner.

> Ideally, this would be done by including the ECLAIR SCA tool binaries into the main CI image; however, this would require the ECLAIR licence to allow publicly redistributing the ECLAIR binaries (unlikely?).
>
> If the ECLAIR licence does not allow public redistribution, we will need to create a dedicated private Docker image, based on the public main CI image, that includes the ECLAIR SCA tool binaries.

I assume the redistribution is not allowed and we need to create a private Docker image for that. I will contact them and also direct them to this issue; maybe it is better if they answer some of the open points directly.

nvetrini commented 2 months ago

Hi. Before going into the details I'll post a graphical overview of how the setup is supposed to work in terms of components:

[Image: ECLAIR_CI component overview diagram]

Disregard the Ext server on the bottom right: that's an optional component and in this case was not part of the PoC done by Simon. The license server container will have the licenses that are detached by the runner containers before doing an analysis and then canceled (given back to the server) once the analysis has finished. In the case of Simon's PoC the CI controller (github-runner) and the License Server Container were the same container, but they can be different.

nvetrini commented 1 month ago

> Setup the license server in a containerized environment
>
> It is possible to deploy a containerised license server on a private network that is accessible from the CI runners (zephyr-runner v2).
>
> For this, we will need a Docker image (preferably from the ECLAIR developers themselves) that includes the license server binaries and allows loading the license file from a specific location.
>
> The Kubernetes deployment will include:
>
> * a Pod that runs the above Docker image.
>
> * a ConfigMap that contains the content of the license file (mounted by the above Pod).

The license is not a single file. It is controlled by two directories that need to be mounted via volumes on the physical machine running the job (as was the case in Simon's PoC). These directories are read and written by the licensing software. Skimming the documentation for ConfigMap, it does not seem that the ConfigMap spec allows this, but I might be wrong of course.

> * a Service that exports the license server ports (DNS-resolvable from the zephyr-runner v2 pods by Service name).

This seems OK.

> Setup the SCA tool ECLAIR itself in a containerized environment
>
> We would want the ECLAIR SCA tool to be running inside a GitHub Actions workflow using a zephyr-runner v2 runner scale set.
>
> Ideally, this would be done by including the ECLAIR SCA tool binaries into the main CI image; however, this would require the ECLAIR licence to allow publicly redistributing the ECLAIR binaries (unlikely?).
>
> If the ECLAIR licence does not allow public redistribution, we will need to create a dedicated private Docker image, based on the public main CI image, that includes the ECLAIR SCA tool binaries.

Yes, we would need that. Note that building the image from the Dockerfile needs the delivered ECLAIR installer. How are images built?
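The following manifest is an added example (not from the zephyrproject-rtos/infrastructure repository) of the license-server deployment sketched earlier in this thread, adjusted for the point raised in the last comment: a ConfigMap volume is mounted read-only, while the licensing software reads and writes two directories, so those are backed by PersistentVolumeClaims instead. It also adds a NetworkPolicy so that only the zephyr-runner v2 pods can reach the server on the private network. The image name, port number, mount paths, namespace names and labels are placeholders; the real values come from the ECLAIR documentation and the runner deployment.

```yaml
# Added example, not part of the zephyrproject-rtos/infrastructure repository.
# Placeholders: image, port 5555, the two mount paths, and the runner namespace.
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: eclair-license-dir-a    # first licensing directory (placeholder name)
  namespace: eclair
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 100Mi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: eclair-license-dir-b    # second licensing directory (placeholder name)
  namespace: eclair
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: eclair-license-server
  namespace: eclair
spec:
  replicas: 1             # one server owns the license state; do not scale out
  strategy:
    type: Recreate        # RWO volumes: stop the old pod before the new one starts
  selector:
    matchLabels:
      app: eclair-license-server
  template:
    metadata:
      labels:
        app: eclair-license-server
    spec:
      containers:
        - name: license-server
          image: registry.example.internal/eclair/license-server:TAG  # private image (placeholder)
          ports:
            - name: license
              containerPort: 5555          # placeholder; use the port from the ECLAIR docs
          volumeMounts:
            - name: license-dir-a
              mountPath: /var/lib/eclair/license-a   # placeholder path
            - name: license-dir-b
              mountPath: /var/lib/eclair/license-b   # placeholder path
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
      volumes:
        - name: license-dir-a
          persistentVolumeClaim:
            claimName: eclair-license-dir-a
        - name: license-dir-b
          persistentVolumeClaim:
            claimName: eclair-license-dir-b
---
apiVersion: v1
kind: Service
metadata:
  name: eclair-license-server   # runners resolve eclair-license-server.eclair.svc
  namespace: eclair
spec:
  selector:
    app: eclair-license-server
  ports:
    - name: license
      port: 5555
      targetPort: license
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eclair-license-server-ingress
  namespace: eclair
spec:
  podSelector:
    matchLabels:
      app: eclair-license-server
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: zephyr-runner-v2   # assumed runner namespace
      ports:
        - protocol: TCP
          port: 5555
```

Keeping the license directories on PersistentVolumeClaims rather than node host paths means the server is not pinned to one physical machine, and the NetworkPolicy makes the "private network accessible from the CI runners" requirement explicit: pods outside the runner namespace cannot detach licenses.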