From 6601875a3668ae56d2478c3aca6742d738526434 Mon Sep 17 00:00:00 2001 From: Adrian Clay Lake Date: Fri, 20 Dec 2024 15:54:16 +0100 Subject: [PATCH 1/7] Revert "Revert "move github vulnerability report"" This reverts commit 7c474a19577ff05c2d80537815f58808ad079bac. --- .github/workflows/Test-Rock.yaml | 29 +++++++++++++++++++++++ .github/workflows/Vulnerability-Scan.yaml | 6 ----- 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/.github/workflows/Test-Rock.yaml b/.github/workflows/Test-Rock.yaml index 0a9fa1b2..f35b7cf4 100644 --- a/.github/workflows/Test-Rock.yaml +++ b/.github/workflows/Test-Rock.yaml 
@@ -271,6 +271,35 @@ jobs: name: ${{ steps.configure-trivy.outputs.report-name }} path: ${{ steps.configure-trivy.outputs.report-name}} + + # We have to walk through the vulnerabilities since trivy does not support outputting the results as Markdown + - name: Create markdown content + id: create-markdown + run: | + set -x + + vulnerabilities="$(jq -r -c '[ + try(.scanner.result.Results[]) + | .Target as $target + | .Vulnerabilities + | select(. != null) + | .[] + | {Target: $target, LastModifiedDate: .LastModifiedDate, VulnerabilityID: .VulnerabilityID, + PkgName: .PkgName, Severity: .Severity} + ]' < ${{ steps.configure-trivy.outputs.report-name }})" + + num_vulns=$(echo '$vulnerabilities' | jq -r 'length') + + if [[ $num_vulns -gt 0 ]]; then + echo "# Vulnerabilities found for ${{ inputs.oci-archive-name }}" >> $GITHUB_STEP_SUMMARY + title="Vulnerabilities found for ${{ inputs.oci-archive-name }}" + echo "## $title" >> $GITHUB_STEP_SUMMARY + echo "| ID | Target | Severity | Package |" >> $GITHUB_STEP_SUMMARY + echo "| -- | ----- | -------- | ------- |" >> $GITHUB_STEP_SUMMARY + echo '$vulnerabilities' | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"' >> $GITHUB_STEP_SUMMARY + fi + + test-malware: runs-on: ubuntu-22.04 name: "test-malware ${{ inputs.oci-archive-name != '' && format('| {0}', inputs.oci-archive-name) || ' '}}" diff --git a/.github/workflows/Vulnerability-Scan.yaml b/.github/workflows/Vulnerability-Scan.yaml index 2e82b05a..d81dfd95 100644 --- a/.github/workflows/Vulnerability-Scan.yaml +++ b/.github/workflows/Vulnerability-Scan.yaml 
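Review bot: The new "Create markdown content" step splices `${{ steps.configure-trivy.outputs.report-name }}` and `${{ inputs.oci-archive-name }}` straight into the `run:` script (the jq input redirect and the two summary headings), so whatever those values contain becomes part of the bash text before it executes; passing them in through `env:` and referencing quoted shell variables keeps them as data. Whether `inputs.oci-archive-name` can be set by an untrusted caller is not visible in this hunk, so the actual exposure depends on the workflow's triggers, but the `env:` form costs nothing. The heading is also written twice, once as `# Vulnerabilities found for …` and again as `## $title` with the same text; one of them can go. `$GITHUB_STEP_SUMMARY` should be quoted on the redirects as well.
```yaml
      - name: Create markdown content
        id: create-markdown
        env:
          REPORT_NAME: ${{ steps.configure-trivy.outputs.report-name }}
          ARCHIVE_NAME: ${{ inputs.oci-archive-name }}
        run: |
          set -x
          # … unchanged: jq filter that builds $vulnerabilities …
          ]' < "$REPORT_NAME")"
          # … unchanged: num_vulns …
          if [[ $num_vulns -gt 0 ]]; then
            echo "# Vulnerabilities found for $ARCHIVE_NAME" >> "$GITHUB_STEP_SUMMARY"
            # … unchanged: table header and rows …
          fi
```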
@@ -213,12 +213,6 @@ jobs: echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT" fi - - name: Write to summary - if: ${{ !inputs.create-issue && steps.create-markdown.outputs.vulnerability-exists == 'true' }} - run: | - echo "# Vulnerabilities found for ${{ inputs.oci-image-name }}" >> $GITHUB_STEP_SUMMARY - cat ${{ steps.create-markdown.outputs.issue-body-file }} | tail -n +2 >> $GITHUB_STEP_SUMMARY - - id: issue-exists if: ${{ inputs.create-issue}} run: | From b65f0bad8fbd5e8889d29d998beabe4f91b84e23 Mon Sep 17 00:00:00 2001 From: Adrian Clay Lake Date: Fri, 20 Dec 2024 16:05:32 +0100 Subject: [PATCH 2/7] fix: bash variable sub --- .github/workflows/Test-Rock.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/Test-Rock.yaml b/.github/workflows/Test-Rock.yaml index f35b7cf4..5e40159d 100644 --- a/.github/workflows/Test-Rock.yaml +++ b/.github/workflows/Test-Rock.yaml @@ -288,7 +288,7 @@ jobs: PkgName: .PkgName, Severity: .Severity} ]' < ${{ steps.configure-trivy.outputs.report-name }})" - num_vulns=$(echo '$vulnerabilities' | jq -r 'length') + num_vulns=$(echo "$vulnerabilities" | jq -r 'length') if [[ $num_vulns -gt 0 ]]; then echo "# Vulnerabilities found for ${{ inputs.oci-archive-name }}" >> $GITHUB_STEP_SUMMARY From 8f6ccb7d8ce82c5db2053648f6d6ed8243654813 Mon Sep 17 00:00:00 2001 From: clay-lake Date: Fri, 20 Dec 2024 15:15:24 +0000 Subject: [PATCH 3/7] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/12433705292 --- oci/mock-rock/_releases.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index edc455e6..edcbcb0e 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json 
@@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2030-05-01T00:00:00Z", "candidate": { - "target": "1002" + "target": "1056" }, "beta": { - "target": "1002" + "target": "1056" }, "edge": { - "target": "1002" + "target": "1056" } }, "1-22.04": { "end-of-life": "2030-05-01T00:00:00Z", "candidate": { - "target": "1002" + "target": "1056" }, "beta": { - "target": "1002" + "target": "1056" }, "edge": { - "target": "1002" + "target": "1056" } }, "1.2-22.04": { "end-of-life": "2030-05-01T00:00:00Z", "beta": { - "target": "1003" + "target": "1057" }, "edge": { "target": "1.2-22.04_beta" From 96f616c1d9a50c908244609381f9927451c95e4a Mon Sep 17 00:00:00 2001 From: Adrian Clay Lake Date: Fri, 20 Dec 2024 16:24:12 +0100 Subject: [PATCH 4/7] add if not cancelled to Create markdown content step --- .github/workflows/Test-Rock.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/Test-Rock.yaml b/.github/workflows/Test-Rock.yaml index 5e40159d..e599d7f9 100644 --- a/.github/workflows/Test-Rock.yaml +++ b/.github/workflows/Test-Rock.yaml @@ -275,6 +275,7 @@ jobs: # We have to walk through the vulnerabilities since trivy does not support outputting the results as Markdown - name: Create markdown content id: create-markdown + if: ${{ !cancelled() }} run: | set -x From 2076a3653b26f0aebd6381240a243af4269eafee Mon Sep 17 00:00:00 2001 From: clay-lake Date: Fri, 20 Dec 2024 15:36:20 +0000 Subject: [PATCH 5/7] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/12433997812 --- oci/mock-rock/_releases.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index edcbcb0e..0808bb4e 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json 
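Review bot: With `if: ${{ !cancelled() }}` the markdown step now also runs when an earlier step in the job failed, including whichever step writes the Trivy report (that step is not in this hunk), and the `< ${{ steps.configure-trivy.outputs.report-name }}` redirect then fails on a missing file, turning this step red and hiding the original failure. A guard at the top of the script such as `test -f "${{ steps.configure-trivy.outputs.report-name }}" || { echo "no report to summarise"; exit 0; }` lets the step no-op cleanly, or the condition can additionally check the producing step's `outcome`. `!cancelled()` rather than `always()` is the right choice here so a cancelled run does not keep going.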
@@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2030-05-01T00:00:00Z", "candidate": { - "target": "1056" + "target": "1059" }, "beta": { - "target": "1056" + "target": "1059" }, "edge": { - "target": "1056" + "target": "1059" } }, "1-22.04": { "end-of-life": "2030-05-01T00:00:00Z", "candidate": { - "target": "1056" + "target": "1059" }, "beta": { - "target": "1056" + "target": "1059" }, "edge": { - "target": "1056" + "target": "1059" } }, "1.2-22.04": { "end-of-life": "2030-05-01T00:00:00Z", "beta": { - "target": "1057" + "target": "1060" }, "edge": { "target": "1.2-22.04_beta" From 31edad23830909e75596141e4ea2cc8d99dca138 Mon Sep 17 00:00:00 2001 From: Adrian Clay Lake Date: Fri, 20 Dec 2024 16:37:46 +0100 Subject: [PATCH 6/7] fix: bash variable sub --- .github/workflows/Test-Rock.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/Test-Rock.yaml b/.github/workflows/Test-Rock.yaml index e599d7f9..2143daf0 100644 --- a/.github/workflows/Test-Rock.yaml +++ b/.github/workflows/Test-Rock.yaml @@ -297,7 +297,7 @@ jobs: echo "## $title" >> $GITHUB_STEP_SUMMARY echo "| ID | Target | Severity | Package |" >> $GITHUB_STEP_SUMMARY echo "| -- | ----- | -------- | ------- |" >> $GITHUB_STEP_SUMMARY - echo '$vulnerabilities' | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"' >> $GITHUB_STEP_SUMMARY + echo "$vulnerabilities" | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"' >> $GITHUB_STEP_SUMMARY fi From a63a1ec50f3560b7e6117e1c06354a4fc4e9b19b Mon Sep 17 00:00:00 2001 From: clay-lake Date: Fri, 20 Dec 2024 15:54:56 +0000 Subject: [PATCH 7/7] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/12434320726 --- oci/mock-rock/_releases.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index 6d741778..01dd9ee7 100644 
--- a/oci/mock-rock/_releases.json
+++ b/oci/mock-rock/_releases.json
@@ -35,31 +35,31 @@
 "1.1-22.04": {
 "end-of-life": "2030-05-01T00:00:00Z",
 "candidate": {
- "target": "1059"
+ "target": "1065"
 },
 "beta": {
- "target": "1059"
+ "target": "1065"
 },
 "edge": {
- "target": "1059"
+ "target": "1065"
 }
 },
 "1-22.04": {
 "end-of-life": "2030-05-01T00:00:00Z",
 "candidate": {
- "target": "1059"
+ "target": "1065"
 },
 "beta": {
- "target": "1059"
+ "target": "1065"
 },
 "edge": {
- "target": "1059"
+ "target": "1065"
 }
 },
 "1.2-22.04": {
 "end-of-life": "2030-05-01T00:00:00Z",
 "beta": {
- "target": "1060"
+ "target": "1066"
 },
 "edge": {
 "target": "1.2-22.04_beta"