From cc2eda033575a22b0ae5fe14300a3d898e97227c Mon Sep 17 00:00:00 2001
From: Andrei Aaron
Date: Thu, 15 Feb 2024 13:49:25 +0200
Subject: [PATCH] test: add test images build instructions and stacker.yamls (#2249)
Signed-off-by: Andrei Aaron
---
test/images/README.md | 39 +++++++++++++++++++++++++++++++++
test/images/stacker-java.yaml | 31 ++++++++++++++++++++++++++
test/images/stacker-spring.yaml | 6 +++++
test/images/test.java | 5 +++++
4 files changed, 81 insertions(+)
create mode 100644 test/images/README.md
create mode 100644 test/images/stacker-java.yaml
create mode 100644 test/images/stacker-spring.yaml
create mode 100644 test/images/test.java
diff --git a/test/images/README.md b/test/images/README.md
new file mode 100644
index 00000000..f9e67ca5
--- /dev/null
+++ b/test/images/README.md
@@ -0,0 +1,39 @@
+# Build scripts for images used in tests
+
+## General instructions
+
+This folder contains build files used to produce oci images used in zot tests.
+Build them using stacker, and copy them over to ghrc.io using skopeo.
+
+For example in case of the java image:
+
+```bash
+stacker build -f stacker-java.yaml
+```
+
+Check the image is scanned correctly using a trivy binary, in order to make sure it does
+or does not contain expected vulnerabilities, in case the image is to be used for CVE scanning.
+
+```bash
+trivy image scan --input oci:java-test
+```
+
+Copy the new image over to ghcr.io using skopeo
+
+```bash
+skopeo copy --dest-creds=: oci:oci:java-test docker://ghcr.io/project-zot/test-images/java:0.0.1
+```
+
+## Images
+
+### Java
+
+The file stacker-java.yaml is used to produce the images in the repo at: ghcr.io/project-zot/test-images/java
+Basically we compile a simple java file and without any vulnerabilities.
+We can test the CVE scanning of Java images, including zot downloading the Java vulnerability DB.
+
+### Spring
+
+The file stacker-spring.yaml is used to produce the images in the repo at: ghcr.io/project-zot/test-images/spring-web
+We just copy and download the already compiled spring jar file.
+It can be scanned to identify at least one Java specific vulnerability in zot tests.
diff --git a/test/images/stacker-java.yaml b/test/images/stacker-java.yaml
new file mode 100644
index 00000000..05c2aa4d
--- /dev/null
+++ b/test/images/stacker-java.yaml
@@ -0,0 +1,31 @@
+build-java-test:
+ from:
+ type: docker
+ url: docker://zothub.io/c3/ubuntu/openj9-devel-amd64:11
+ import:
+ - test.java
+ run: |
+ . /etc/profile
+ env # export PATH=$PATH:/bin:/usr/bin
+ javac -version
+ java -version
+ mkdir /workspace
+ cp /stacker/test.java /workspace/
+ cd /workspace/
+ mkdir META-INF
+ echo "Main-Class: test" > META-INF/MANIFEST.MF
+ javac test.java
+ ls
+ java test
+ jar cmvf META-INF/MANIFEST.MF test.jar test.class
+ ls
+ jar tf test.jar
+ java -jar test.jar
+ build_only: true
+
+java-test:
+ from:
+ type: scratch
+ import:
+ path: stacker://build-java-test/workspace/
+ dest: /
diff --git a/test/images/stacker-spring.yaml b/test/images/stacker-spring.yaml
new file mode 100644
index 00000000..64615b95
--- /dev/null
+++ b/test/images/stacker-spring.yaml
@@ -0,0 +1,6 @@
+spring-test:
+ from:
+ type: scratch
+ import:
+ - path: "https://repo1.maven.org/maven2/org/springframework/spring-web/5.3.31/spring-web-5.3.31.jar"
+ dest: /usr/local/artifacts/
diff --git a/test/images/test.java b/test/images/test.java
new file mode 100644
index 00000000..425990af
--- /dev/null
+++ b/test/images/test.java
@@ -0,0 +1,5 @@
+public class test {
+ public static void main(String[] args) {
+ System.out.println("hello world!");
+ }
+}
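Review bot: Neither external input in the two stacker files is pinned to its content: in stacker-java.yaml the base image is referenced only by the mutable tag `openj9-devel-amd64:11`, and in stacker-spring.yaml the `spring-web-5.3.31.jar` import is fetched by URL with no checksum. The README says these images exist so that scans do or do not report expected vulnerabilities, so an input that changes upstream would silently change what the tests exercise. Consider `url: docker://zothub.io/c3/ubuntu/openj9-devel-amd64@sha256:<digest-of-reviewed-image>` for the base image and, if the stacker version in use supports a per-import hash, a `hash: <sha256-of-spring-web-5.3.31.jar>` key next to `path` and `dest` on the spring import. Separately, the bare `env` in the `run` script of stacker-java.yaml writes the whole build environment to the build log; it looks like debugging residue alongside the commented-out `export PATH` and could be dropped.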