test(end-to-end): provide CVE information for the tests to consume (#330)

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-04-12 14:43:39 +03:00 · 2023-04-12 14:43:39 +03:00 · 63ff8dabc0
commit 63ff8dabc0
parent f9cafd0b90
3 changed files with 61 additions and 6 deletions
--- a/.github/workflows/end-to-end-test.yml
+++ b/.github/workflows/end-to-end-test.yml
@ -61,6 +61,13 @@ jobs:
        sudo mv cosign /usr/local/bin/cosign
        which cosign
        cosign version
+        pushd $(mktemp -d)
+        curl -L https://github.com/aquasecurity/trivy/releases/download/v0.38.3/trivy_0.38.3_Linux-64bit.tar.gz -o trivy.tar.gz
+        tar -xzvf trivy.tar.gz
+        sudo mv trivy /usr/local/bin/trivy
+        popd
+        which trivy
+        trivy version
        cd $GITHUB_WORKSPACE

    - name: Install go
--- a/tests/scripts/load_test_data.py
+++ b/tests/scripts/load_test_data.py
@ -85,10 +85,41 @@ def pull_modify_push_image(logger, registry, image_name, tag, cosign_password,

        with open(metafile) as f:
            image_metadata = json.load(f)
-            image_metadata[image_name][tag]["multiarch"] = multiarch
+            logger.debug("raw image metadata")
+            logger.debug(image_metadata)
+            image_metadata["multiarch"] = multiarch
+            image_metadata["cves"] = getCVEInfo(image_metadata.pop("trivy"))

+    logger.debug("processed image metadata")
+    logger.debug(image_metadata)
    return image_metadata

+def getCVEInfo(trivy_results):
+    cve_dict = {}
+
+    for result in trivy_results:
+        for vulnerability in result.get("Vulnerabilities", []):
+            cve_id = vulnerability["VulnerabilityID"]
+
+            package =  {
+                "PackageName": vulnerability.get("PkgName"),
+                "InstalledVersion": vulnerability.get("InstalledVersion"),
+                "FixedVersion": vulnerability.get("FixedVersion", "Not Specified")
+            }
+
+            if cve_dict.get(cve_id):
+                cve_dict[cve_id]["PackageList"].append(package)
+            else:
+                cve_dict[cve_id] = {
+                    "ID": cve_id,
+                    "Title": vulnerability.get("Title"),
+                    "Description": vulnerability.get("Description"),
+                    "Severity": vulnerability.get("Severity"),
+                    "PackageList": [package]
+                }
+
+    return cve_dict
+
 def main():
    args = parse_args()

@ -137,7 +168,7 @@ def main():
            image_metadata = pull_modify_push_image(logger, registry, image_name, tag, cosign_password, multiarch, username, password, debug, data_dir)

            metadata.setdefault(image_name, {})
-            metadata[image_name][tag] = image_metadata[image_name][tag]
+            metadata[image_name][tag] = image_metadata

    with open(metadata_file, "w") as f:
        json.dump(metadata, f, indent=2)
--- a/tests/scripts/pull_update_push_image.sh
+++ b/tests/scripts/pull_update_push_image.sh
@ -125,6 +125,11 @@ function verify_prerequisites {
        return 1
    fi

+    if [ ! command -v trivy ] &>/dev/null; then
+        echo "you need to install trivy as a prerequisite" >&3
+        return 1
+    fi
+
    if [ ! command -v jq ] &>/dev/null; then
        echo "you need to install jq as a prerequisite" >&3
        return 1
@ -160,6 +165,7 @@ doc=$(cat ${docker_docs_dir}/${image}/content.md)

 local_image_ref_skopeo=oci:${images_dir}:${image}-${tag}
 local_image_ref_regtl=ocidir://${images_dir}:${image}-${tag}
+local_image_ref_trivy=${images_dir}:${image}-${tag}
 remote_src_image_ref=docker://${image}:${tag}
 remote_dest_image_ref=${registry}/${image}:${tag}

@ -209,13 +215,24 @@ if [ $? -ne 0 ]; then
    exit 1
 fi

+trivy_out_file=trivy-${image}-${tag}.json
+if [ ! -z "${multiarch}" ]; then
+    trivy image --scanners vuln --format json --input ${local_image_ref_trivy} -o ${trivy_out_file}
+    jq -n --argfile trivy_file ${trivy_out_file}  '.trivy=$trivy_file.Results' > ${trivy_out_file}.tmp
+    mv ${trivy_out_file}.tmp ${trivy_out_file}
+else
+    echo '{"trivy":[]}' > ${trivy_out_file}
+fi
+
 # Sign new updated image
 COSIGN_PASSWORD=${cosign_password} cosign sign ${remote_dest_image_ref} --key ${cosign_key_path} --allow-insecure-registry
 if [ $? -ne 0 ]; then
    exit 1
 fi

-details=$(jq -n \
+details_file=details-${image}-${tag}.json
+
+jq -n \
    --arg org.opencontainers.image.title "${image}" \
    --arg org.opencontainers.image.description " $description" \
    --arg org.opencontainers.image.url "${repo}" \
@ -223,7 +240,7 @@ details=$(jq -n \
    --arg org.opencontainers.image.licenses "${license}" \
    --arg org.opencontainers.image.vendor "${vendor}" \
    --arg org.opencontainers.image.documentation "${description}" \
-    '$ARGS.named'
-)
+    '$ARGS.named' > ${details_file}

-jq -n --arg image "${image}" --arg tag "${tag}"  --argjson details "${details}" '.[$image][$tag]=$details' > ${metafile}
+jq -c -s add ${details_file} ${trivy_out_file} > ${metafile}
+rm ${details_file} ${trivy_out_file}