From fa40b6e4a1933e39b03e77e39e0b1ef1d21144f3 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Sat, 30 Mar 2024 11:53:51 -0500 Subject: [PATCH 01/25] feat: scan for vuln Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/scan-vulnerability.yaml | 34 +++++++++++++++++++++++ .gitignore | 2 ++ tasks.yaml | 10 +++++-- tasks/scanvulnerability.yaml | 24 ++++++++++++++++ 4 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/scan-vulnerability.yaml create mode 100644 tasks/scanvulnerability.yaml diff --git a/.github/workflows/scan-vulnerability.yaml b/.github/workflows/scan-vulnerability.yaml new file mode 100644 index 00000000..88108788 --- /dev/null +++ b/.github/workflows/scan-vulnerability.yaml @@ -0,0 +1,34 @@ +name: Scan for vulnerabilities + +on: + pull_request: + branches: [main] + types: [milestoned, opened, synchronize] + schedule: + - cron: '0 1 * * *' + workflow_dispatch: {} + +jobs: + validate: + runs-on: ubuntu-latest + name: Scan for vulnerabilities + permissions: + contents: read # Allows reading the repo contents + pull-requests: read + + + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + + - name: Environment setup + uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3 + with: + username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} + password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} + + - name: Scan the repository for vulnerabilities + run: | + uds run vuln-check:grype-scan-sbom diff --git a/.gitignore b/.gitignore index 00998119..b198ee39 100644 --- a/.gitignore +++ b/.gitignore @@ -8,6 +8,8 @@ defense-unicorns-distro/preflight.sh .terraform tmp zarf-sbom +sbom/ +sarif/ .cache/ .idea/ diff --git a/tasks.yaml b/tasks.yaml index 854f1d9d..fb3e1eb9 100644 --- a/tasks.yaml +++ b/tasks.yaml 
@@ -7,6 +7,7 @@ includes: - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/pull.yaml - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/deploy.yaml - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/setup.yaml + - vuln-check: ./tasks/scanvulnerability.yaml tasks: - name: default @@ -39,8 +40,8 @@ tasks: - task: dependencies:create - task: create:test-bundle -# CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names - +# CI will execute the following (via uds-common/.github/actions/test) so they need to be here with +# these names - name: test-package description: Test the GitLab package from the current branch actions: @@ -60,3 +61,8 @@ tasks: - task: deploy:test-bundle - task: test:health-check - task: test:ingress + + - name: vuln-scan-package + description: Scan the GitLab package for vulnerabilities + actions: + - task: vuln-check:grype-scan-sbom diff --git a/tasks/scanvulnerability.yaml b/tasks/scanvulnerability.yaml new file mode 100644 index 00000000..7b98a1ff --- /dev/null +++ b/tasks/scanvulnerability.yaml 
@@ -0,0 +1,24 @@ +tasks: + - name: grype-scan-sbom + description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities + actions: + - cmd: | + uds zarf package create . --flavor=upstream --confirm --no-progress -o sbom + for file in sbom/*.zst; do + uds zarf package inspect "$file" --sbom-out ./sbom --no-progress; + done + + if ! command -v grype &> /dev/null; then + echo "Grype could not be found, installing..." + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin + fi + mkdir -p ./sarif + find ./sbom -type f -name '*.json' -exec sh -c ' + for sbom_file; do + base=$(basename "${sbom_file}" .json) + grype sbom:"${sbom_file}" -o sarif > "./sarif/${base}.sarif" + echo "Output saved to ./sarif/${base}.sarif" + done + ' sh {} + + + echo "All SBOM files processed and analyzed for vulnerabilities." From 4d0096372a8319f517cfd1864a6dc7f954643957 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Sat, 30 Mar 2024 12:02:58 -0500 Subject: [PATCH 02/25] included sarif publish Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/scan-vulnerability.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/scan-vulnerability.yaml b/.github/workflows/scan-vulnerability.yaml index 88108788..a8751a26 100644 --- a/.github/workflows/scan-vulnerability.yaml +++ b/.github/workflows/scan-vulnerability.yaml @@ -32,3 +32,8 @@ jobs: - name: Scan the repository for vulnerabilities run: | uds run vuln-check:grype-scan-sbom + + - name: Upload SARIF files + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: 'sarif/*.sarif' From 1b5508977240585f86960a8746071f02ad3adb7e Mon Sep 17 00:00:00 2001 
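Review bot: The Grype bootstrap inside the `cmd` block pipes `install.sh` from the `main` branch of anchore/grype straight into `sh`, so the scanner that produces this repository's vulnerability results is itself unpinned and unverifiable, unlike the SHA-pinned actions in the workflow. Pin the installer to a tagged ref and an explicit release, e.g. `curl -sSfL https://raw.githubusercontent.com/anchore/grype/<PINNED_TAG>/install.sh | sh -s -- -b /usr/local/bin <PINNED_VERSION>` (placeholders), or verify a checksum of the downloaded script before executing it. The same unpinned line is carried into the new `install` task of `tasks/grype.yaml` in patch 10, so it should be fixed there as well.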
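Review bot: The new `Upload SARIF files` step needs `security-events: write`, but the job's `permissions` block (set in patch 01 to `contents: read` and `pull-requests: read`, outside this hunk) is not extended, so the job token has no `security-events` scope and the upload is refused; add `security-events: write` under `permissions`. The step also references `github/codeql-action/upload-sarif@v1`, a mutable tag, while the sibling steps are pinned to commit SHAs with a version comment. Later patches in this series move the action to a SHA, but the missing permission persists into the two-job layout of patch 13.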
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Sat, 30 Mar 2024 12:10:11 -0500 Subject: [PATCH 03/25] updated the path Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/scan-vulnerability.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scan-vulnerability.yaml b/.github/workflows/scan-vulnerability.yaml index a8751a26..28b2dfaf 100644 --- a/.github/workflows/scan-vulnerability.yaml +++ b/.github/workflows/scan-vulnerability.yaml @@ -34,6 +34,8 @@ jobs: uds run vuln-check:grype-scan-sbom - name: Upload SARIF files - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: 'sarif/*.sarif' + # Specify the directory containing SARIF files if multiple files need to be uploaded + # Note: The path is relative to the root of the repository + sarif_file: 'sarif/' From 0d26aaf6e9671b3a1c1c7343fbe0723194afb712 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Sat, 30 Mar 2024 12:23:05 -0500 Subject: [PATCH 04/25] fixed the trailing spaces Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/scan-vulnerability.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/scan-vulnerability.yaml b/.github/workflows/scan-vulnerability.yaml index 28b2dfaf..d9de32d2 100644 --- a/.github/workflows/scan-vulnerability.yaml +++ b/.github/workflows/scan-vulnerability.yaml @@ -16,7 +16,6 @@ jobs: contents: read # Allows reading the repo contents pull-requests: read - steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
@@ -34,8 +33,6 @@ jobs: uds run vuln-check:grype-scan-sbom - name: Upload SARIF files - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v3 with: - # Specify the directory containing SARIF files if multiple files need to be uploaded - # Note: The path is relative to the root of the repository sarif_file: 'sarif/' From f7d249bf80af6928b4c31451752ce152c108d250 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Sat, 30 Mar 2024 12:30:53 -0500 Subject: [PATCH 05/25] fixed the yamllint issues Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- tasks/scanvulnerability.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/scanvulnerability.yaml b/tasks/scanvulnerability.yaml index 7b98a1ff..86ce591b 100644 --- a/tasks/scanvulnerability.yaml +++ b/tasks/scanvulnerability.yaml @@ -1,13 +1,13 @@ +--- tasks: - name: grype-scan-sbom description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities actions: - cmd: | uds zarf package create . --flavor=upstream --confirm --no-progress -o sbom - for file in sbom/*.zst; do - uds zarf package inspect "$file" --sbom-out ./sbom --no-progress; + for file in sbom/*.zst; do + uds zarf package inspect "$file" --sbom-out ./sbom --no-progress; done - if ! command -v grype &> /dev/null; then echo "Grype could not be found, installing..." curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin @@ -20,5 +20,4 @@ tasks: echo "Output saved to ./sarif/${base}.sarif" done ' sh {} + - echo "All SBOM files processed and analyzed for vulnerabilities." From 809498ab18e4f841c98aa1ef6d4b59945e733ec0 Mon Sep 17 00:00:00 2001 
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Sun, 31 Mar 2024 10:55:27 -0500 Subject: [PATCH 06/25] included for registry1 and upstream Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- tasks/scanvulnerability.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tasks/scanvulnerability.yaml b/tasks/scanvulnerability.yaml index 86ce591b..b1eb4773 100644 --- a/tasks/scanvulnerability.yaml +++ b/tasks/scanvulnerability.yaml @@ -4,9 +4,11 @@ tasks: description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities actions: - cmd: | - uds zarf package create . --flavor=upstream --confirm --no-progress -o sbom - for file in sbom/*.zst; do - uds zarf package inspect "$file" --sbom-out ./sbom --no-progress; + for flavor in upstream registry1; do + uds zarf package create . --flavor="$flavor" --confirm --no-progress -o sbom + for file in sbom/*.zst; do + uds zarf package inspect "$file" --sbom-out ./sbom --no-progress; + done done if ! command -v grype &> /dev/null; then echo "Grype could not be found, installing..." @@ -21,3 +23,4 @@ tasks: done ' sh {} + echo "All SBOM files processed and analyzed for vulnerabilities." + From 55dd114333b5a78c6d0aeb187099cb090b575896 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 1 Apr 2024 09:51:40 -0500 Subject: [PATCH 07/25] fixed the lint issue Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- tasks/scanvulnerability.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/scanvulnerability.yaml b/tasks/scanvulnerability.yaml index b1eb4773..4ea428c1 100644 --- a/tasks/scanvulnerability.yaml +++ b/tasks/scanvulnerability.yaml @@ -23,4 +23,3 @@ tasks: done ' sh {} + echo "All SBOM files processed and analyzed for vulnerabilities." - 
From 2e397f0bffc7db508d8b20953bdd8cf014a98829 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 1 Apr 2024 09:59:59 -0500 Subject: [PATCH 08/25] some more tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/scan-vulnerability.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan-vulnerability.yaml b/.github/workflows/scan-vulnerability.yaml index d9de32d2..7a3b41fe 100644 --- a/.github/workflows/scan-vulnerability.yaml +++ b/.github/workflows/scan-vulnerability.yaml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest name: Scan for vulnerabilities permissions: - contents: read # Allows reading the repo contents + contents: read pull-requests: read steps: @@ -22,7 +22,7 @@ jobs: with: fetch-depth: 0 - - name: Environment setup + - name: Environment setup # this is required for scanning ironbank images uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3 with: username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} @@ -33,6 +33,6 @@ jobs: uds run vuln-check:grype-scan-sbom - name: Upload SARIF files - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.0.0 with: sarif_file: 'sarif/' From f76d1b0a790c4dffca7e59b8293442a09e75a405 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:38:13 -0500 Subject: [PATCH 09/25] fixed yaml lint Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- tasks/scanvulnerability.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/scanvulnerability.yaml b/tasks/scanvulnerability.yaml index 4ea428c1..c9ae06ec 100644 --- a/tasks/scanvulnerability.yaml +++ b/tasks/scanvulnerability.yaml 
@@ -7,7 +7,7 @@ tasks: for flavor in upstream registry1; do uds zarf package create . --flavor="$flavor" --confirm --no-progress -o sbom for file in sbom/*.zst; do - uds zarf package inspect "$file" --sbom-out ./sbom --no-progress; + uds zarf package inspect "$file" --sbom-out ./sbom --no-progress done done if ! command -v grype &> /dev/null; then From 46990ef960796a5377bf801e62069318c153e9ca Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 1 Apr 2024 18:24:21 -0500 Subject: [PATCH 10/25] code review comments Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .../{scan-vulnerability.yaml => scan.yaml} | 23 +++++++++++----- tasks.yaml | 5 ++-- tasks/grype.yaml | 12 +++++++++ tasks/scan.yaml | 26 +++++++++++++++++++ tasks/scanvulnerability.yaml | 25 ------------------ 5 files changed, 58 insertions(+), 33 deletions(-) rename .github/workflows/{scan-vulnerability.yaml => scan.yaml} (66%) create mode 100644 tasks/grype.yaml create mode 100644 tasks/scan.yaml delete mode 100644 tasks/scanvulnerability.yaml diff --git a/.github/workflows/scan-vulnerability.yaml b/.github/workflows/scan.yaml similarity index 66% rename from .github/workflows/scan-vulnerability.yaml rename to .github/workflows/scan.yaml index 7a3b41fe..542832a3 100644 --- a/.github/workflows/scan-vulnerability.yaml +++ b/.github/workflows/scan.yaml @@ -9,11 +9,11 @@ on: workflow_dispatch: {} jobs: - validate: + scan: runs-on: ubuntu-latest name: Scan for vulnerabilities permissions: - contents: read + contents: read pull-requests: read steps: @@ -22,7 +22,7 @@ jobs: with: fetch-depth: 0 - - name: Environment setup # this is required for scanning ironbank images + - name: Environment setup uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3 with: username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} 
@@ -30,9 +30,20 @@ jobs: - name: Scan the repository for vulnerabilities run: | - uds run vuln-check:grype-scan-sbom + uds run grype:install + uds run scan:vulns + + upload-sarif: + needs: scan + runs-on: ubuntu-latest + strategy: + matrix: + repo: ['upstream', 'repo1'] + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Upload SARIF files - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.0.0 + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 with: - sarif_file: 'sarif/' + sarif_file: sarif/${{ matrix.repo }}/*.sarif diff --git a/tasks.yaml b/tasks.yaml index fb3e1eb9..f99405ba 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -7,7 +7,8 @@ includes: - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/pull.yaml - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/deploy.yaml - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/setup.yaml - - vuln-check: ./tasks/scanvulnerability.yaml + - scan: ./tasks/scan.yaml + - grype: ./tasks/grype.yaml tasks: - name: default @@ -65,4 +66,4 @@ tasks: - name: vuln-scan-package description: Scan the GitLab package for vulnerabilities actions: - - task: vuln-check:grype-scan-sbom + - task: scan:vulns diff --git a/tasks/grype.yaml b/tasks/grype.yaml new file mode 100644 index 00000000..27b788ef --- /dev/null +++ b/tasks/grype.yaml @@ -0,0 +1,12 @@ +--- +tasks: + - name: install + description: Check if Grype is installed, if not install it + actions: + - cmd: | + if ! command -v grype &> /dev/null; then + echo "Grype could not be found, installing..." + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin + else + echo "Grype is already installed." + fi diff --git a/tasks/scan.yaml b/tasks/scan.yaml new file mode 100644 index 00000000..20f32e8f --- /dev/null 
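Review bot: The new `upload-sarif` job cannot see the SARIF files: it runs on a fresh runner and only performs a checkout, while `sarif/` is produced inside the `scan` job and is never passed along as an artifact, so `sarif/${{ matrix.repo }}/*.sarif` matches nothing. The matrix value `repo1` also does not match the `registry1` directory that `tasks/scan.yaml` writes under `./sarif/$flavor`. Either upload from the `scan` job itself or publish `sarif/` with an upload-artifact/download-artifact pair, and keep the `# v3.0.0` comment this hunk drops from the SHA pin so the pinned version stays readable. The `scan` job's checkout and setup steps lie outside this hunk.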
+++ b/tasks/scan.yaml @@ -0,0 +1,26 @@ +--- +tasks: + - name: vulns + description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities + actions: + - cmd: | + bash -c 'flavors=("upstream" "registry1") + for flavor in "${flavors[@]}"; do + output_dir="sbom/$flavor" + mkdir -p "$output_dir" + uds zarf package create . --flavor="$flavor" --confirm --no-progress -o "$output_dir" + for file in "$output_dir"/*.zst; do + uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress + done + done + for flavor in "${flavors[@]}"; do + sarif_output_dir="./sarif/$flavor" + mkdir -p "$sarif_output_dir" + find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do + sarif_file_name="$(basename "${json_file}").sarif" + echo "Processing $json_file" + echo "Outputting to $sarif_output_dir/$sarif_file_name" + grype sbom:"$json_file" --fail-on high -o sarif --file "$sarif_output_dir/$sarif_file_name" || true + echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)" + done + done' diff --git a/tasks/scanvulnerability.yaml b/tasks/scanvulnerability.yaml deleted file mode 100644 index c9ae06ec..00000000 --- a/tasks/scanvulnerability.yaml +++ /dev/null 
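Review bot: `grype sbom:"$json_file" --fail-on high -o sarif --file ... || true` asks grype to fail on high-severity findings and then discards the exit code, so the gate can never fire and the task always succeeds; keep only one of the two, e.g. `grype sbom:"$json_file" --fail-on high -o sarif --file "$sarif_output_dir/$sarif_file_name"` if the scan is meant to block. Even without `|| true`, the call runs inside a `find | while read` pipeline in a `bash -c` string that sets neither `set -e` nor `pipefail`, so a failing iteration would still not fail the task. The whole script is wrapped in single quotes, so any later edit introducing a `'` in the body will break the `bash -c` invocation.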
@@ -1,25 +0,0 @@ ---- -tasks: - - name: grype-scan-sbom - description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities - actions: - - cmd: | - for flavor in upstream registry1; do - uds zarf package create . --flavor="$flavor" --confirm --no-progress -o sbom - for file in sbom/*.zst; do - uds zarf package inspect "$file" --sbom-out ./sbom --no-progress - done - done - if ! command -v grype &> /dev/null; then - echo "Grype could not be found, installing..." - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - fi - mkdir -p ./sarif - find ./sbom -type f -name '*.json' -exec sh -c ' - for sbom_file; do - base=$(basename "${sbom_file}" .json) - grype sbom:"${sbom_file}" -o sarif > "./sarif/${base}.sarif" - echo "Output saved to ./sarif/${base}.sarif" - done - ' sh {} + - echo "All SBOM files processed and analyzed for vulnerabilities." From 233f612a32ece8a30484f8f389b4f58288e84f8d Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 1 Apr 2024 18:49:41 -0500 Subject: [PATCH 11/25] included upload sarif into a single action Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/scan.yaml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 542832a3..328bbfc6 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml 
@@ -33,17 +33,13 @@ jobs: uds run grype:install uds run scan:vulns - upload-sarif: - needs: scan - runs-on: ubuntu-latest - strategy: - matrix: - repo: ['upstream', 'repo1'] - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + # Hard coded steps to upload SARIF files for specific repositories + - name: Upload SARIF files for upstream + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 + with: + sarif_file: sarif/upstream/*.sarif - - name: Upload SARIF files + - name: Upload SARIF files for repo1 uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 with: - sarif_file: sarif/${{ matrix.repo }}/*.sarif + sarif_file: sarif/repo1/*.sarif From 2b1f2a5c161e1e59e9f7d476eeea068f706003c4 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 1 Apr 2024 18:59:38 -0500 Subject: [PATCH 12/25] Some more tweaks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/scan.yaml | 10 ++-------- tasks/scan.yaml | 6 +++--- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 328bbfc6..37ccafe6 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -33,13 +33,7 @@ jobs: uds run grype:install uds run scan:vulns - # Hard coded steps to upload SARIF files for specific repositories - - name: Upload SARIF files for upstream + - name: Upload SARIF files uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 with: - sarif_file: sarif/upstream/*.sarif - - - name: Upload SARIF files for repo1 - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 - with: - sarif_file: sarif/repo1/*.sarif + sarif_file: ./sarif diff --git a/tasks/scan.yaml b/tasks/scan.yaml index 20f32e8f..157f9a05 100644 --- a/tasks/scan.yaml +++ b/tasks/scan.yaml 
@@ -13,11 +13,11 @@ tasks: uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress done done + sarif_output_dir="./sarif" + mkdir -p "$sarif_output_dir" for flavor in "${flavors[@]}"; do - sarif_output_dir="./sarif/$flavor" - mkdir -p "$sarif_output_dir" find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do - sarif_file_name="$(basename "${json_file}").sarif" + sarif_file_name="${flavor}_$(basename "${json_file}").sarif" echo "Processing $json_file" echo "Outputting to $sarif_output_dir/$sarif_file_name" grype sbom:"$json_file" --fail-on high -o sarif --file "$sarif_output_dir/$sarif_file_name" || true From 11cb80fded79574a804947f3cddd38be0f479ddf Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Tue, 2 Apr 2024 10:07:45 -0500 Subject: [PATCH 13/25] moved the upstream and registry1 to separate tasks Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/scan.yaml | 43 +++++++++++++++++++++++++++++++------ tasks/scan.yaml | 41 ++++++++++++++++++++++++++--------- 2 files changed, 68 insertions(+), 16 deletions(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 37ccafe6..5df552ce 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -9,9 +9,10 @@ on: workflow_dispatch: {} jobs: - scan: + # cannot scan registry1 and upstream at the same time because the sarif upload have a file limit of 20 files + scan-upstream: runs-on: ubuntu-latest - name: Scan for vulnerabilities + name: Scan for vulnerabilities - Upstream permissions: contents: read pull-requests: read 
@@ -23,17 +24,47 @@ jobs: fetch-depth: 0 - name: Environment setup - uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3 + uses: defenseunicorns/uds-common/.github/actions/setup@264ec430c4079129870820e70c4439f3f3d57cbc # v0.3.9 with: username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} - - name: Scan the repository for vulnerabilities + + - name: Scan the repository for vulnerabilities - Upstream + run: | + uds run grype:install + uds run scan:upstream + + - name: Upload SARIF files - Upstream + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 + with: + sarif_file: ./sarif + + scan-registry1: + runs-on: ubuntu-latest + name: Scan for vulnerabilities - Registry1 + permissions: + contents: read + pull-requests: read + + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + + - name: Environment setup + uses: defenseunicorns/uds-common/.github/actions/setup@264ec430c4079129870820e70c4439f3f3d57cbc # v0.3.9 + with: + username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} + password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} + + - name: Scan the repository for vulnerabilities - Registry1 run: | uds run grype:install - uds run scan:vulns + uds run scan:registry1 - - name: Upload SARIF files + - name: Upload SARIF files - Registry1 uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 with: sarif_file: ./sarif diff --git a/tasks/scan.yaml b/tasks/scan.yaml index 157f9a05..c19addd7 100644 --- a/tasks/scan.yaml +++ b/tasks/scan.yaml 
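Review bot: `scan-upstream` and `scan-registry1` are copies of each other apart from the flavor name, and both still omit the `security-events: write` permission that their `upload-sarif` steps need. A single job with `strategy.matrix.flavor: [upstream, registry1]` keeps the one-upload-per-job separation that the comment about the 20-file limit asks for while halving the maintenance surface; the two `upload-sarif` pins also lack the `# v3.0.0` version comment used earlier in the series. The `on:` block and the first job's header are outside this hunk, so the restructuring below touches lines beyond it.
```yaml
jobs:
  scan:
    runs-on: ubuntu-latest
    name: Scan for vulnerabilities - ${{ matrix.flavor }}
    strategy:
      fail-fast: false
      matrix:
        flavor: [upstream, registry1]
    permissions:
      contents: read
      pull-requests: read
      security-events: write
    steps:
      # … unchanged: Checkout and Environment setup steps …
      - name: Scan the repository for vulnerabilities - ${{ matrix.flavor }}
        run: |
          uds run grype:install
          uds run scan:${{ matrix.flavor }}
      - name: Upload SARIF files - ${{ matrix.flavor }}
        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.0.0
        with:
          sarif_file: ./sarif
```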
@@ -1,26 +1,47 @@ --- tasks: - - name: vulns - description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities + - name: upstream + description: Create a UDS package with upstream flavor, extract the SBOM, and analyze for vulnerabilities actions: - cmd: | - bash -c 'flavors=("upstream" "registry1") - for flavor in "${flavors[@]}"; do + bash -c ' + flavor="upstream" output_dir="sbom/$flavor" mkdir -p "$output_dir" uds zarf package create . --flavor="$flavor" --confirm --no-progress -o "$output_dir" for file in "$output_dir"/*.zst; do uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress done - done - sarif_output_dir="./sarif" - mkdir -p "$sarif_output_dir" - for flavor in "${flavors[@]}"; do + sarif_output_dir="./sarif" + mkdir -p "$sarif_output_dir" find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do sarif_file_name="${flavor}_$(basename "${json_file}").sarif" echo "Processing $json_file" echo "Outputting to $sarif_output_dir/$sarif_file_name" - grype sbom:"$json_file" --fail-on high -o sarif --file "$sarif_output_dir/$sarif_file_name" || true + grype sbom:"$json_file" -o sarif --file "$sarif_output_dir/$sarif_file_name" echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)" done - done' + ' + + - name: registry1 + description: Create a UDS package with registry1 flavor, extract the SBOM, and analyze for vulnerabilities + actions: + - cmd: | + bash -c ' + flavor="registry1" + output_dir="sbom/$flavor" + mkdir -p "$output_dir" + uds zarf package create . 
--flavor="$flavor" --confirm --no-progress -o "$output_dir" + for file in "$output_dir"/*.zst; do + uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress + done + sarif_output_dir="./sarif" + mkdir -p "$sarif_output_dir" + find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do + sarif_file_name="${flavor}_$(basename "${json_file}").sarif" + echo "Processing $json_file" + echo "Outputting to $sarif_output_dir/$sarif_file_name" + grype sbom:"$json_file" -o sarif --file "$sarif_output_dir/$sarif_file_name" + echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)" + done + ' From 58f2ab2c46a05b2be4675d3a22a92a483af15d74 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Tue, 2 Apr 2024 10:17:57 -0500 Subject: [PATCH 14/25] included check if there aren't any sarif files Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/scan.yaml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 5df552ce..270cfd9d 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -64,7 +64,17 @@ jobs: uds run grype:install uds run scan:registry1 + - name: Check for SARIF files - Registry1 + id: check_sarif + run: | + if compgen -G "./sarif/*.sarif" > /dev/null; then + echo "::set-output name=exists::true" + else + echo "::set-output name=exists::false" + fi + - name: Upload SARIF files - Registry1 + if: steps.check_sarif.outputs.exists == 'true' uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 with: - sarif_file: ./sarif + sarif_file: ./sarif/*.sarif From b20dc68ae397ae8d5de2c3adaef16ad57898e109 Mon Sep 17 00:00:00 2001 
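Review bot: The `upstream` and `registry1` tasks are identical except for the `flavor=` assignment, so every later fix (such as the yq rewrite added in patch 15) has to be applied twice and can drift. The echo `exported to ... (errors ignored)` is now stale, because this same hunk removes the `--fail-on high ... || true` that ignored errors; drop the parenthetical or reinstate the guard deliberately. If the task runner supports parameterised tasks, one task taking the flavor as an input would remove the duplication.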
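Review bot: The new `Check for SARIF files - Registry1` step uses `::set-output`, which GitHub has deprecated in favour of the `GITHUB_OUTPUT` file; write `echo "exists=true" >> "$GITHUB_OUTPUT"` and `echo "exists=false" >> "$GITHUB_OUTPUT"` instead. The guard is only added to the registry1 job, while the upstream job's upload step (outside this hunk) still runs unconditionally against `./sarif` and will hit the same empty-directory case. Also verify that `upload-sarif` expands the `./sarif/*.sarif` glob this hunk introduces; the directory form `./sarif` used until now avoids the question.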
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Tue, 2 Apr 2024 16:07:25 -0500 Subject: [PATCH 15/25] included path of the file which found the issue Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- tasks.yaml | 7 +------ tasks/scan.yaml | 5 +++++ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks.yaml b/tasks.yaml index f99405ba..13cfb41b 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -61,9 +61,4 @@ tasks: - task: create-gl-test-bundle - task: deploy:test-bundle - task: test:health-check - - task: test:ingress - - - name: vuln-scan-package - description: Scan the GitLab package for vulnerabilities - actions: - - task: scan:vulns + - task: test:ingress \ No newline at end of file diff --git a/tasks/scan.yaml b/tasks/scan.yaml index c19addd7..ee8b7536 100644 --- a/tasks/scan.yaml +++ b/tasks/scan.yaml @@ -20,6 +20,11 @@ tasks: echo "Outputting to $sarif_output_dir/$sarif_file_name" grype sbom:"$json_file" -o sarif --file "$sarif_output_dir/$sarif_file_name" echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)" + # Extract the base name of the SBOM file without the .json extension + sbom_base_name=$(basename "$json_file" .json) + # Use yq to replace the path with the SBOM file name without the .json extension + yq eval "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) = \"$sbom_base_name\"" "$sarif_output_dir/$sarif_file_name" -i + echo "Updated SARIF file path to $sbom_base_name using yq for $sarif_file_name" done ' From 7a668e47cf4b490c873ddb7048cbe982f9d942fe Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Tue, 2 Apr 2024 18:09:36 -0500 Subject: [PATCH 16/25] yaml lint Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- tasks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
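Review bot: The yq command rewrites `artifactLocation.uri` of every result to the SBOM base name, a path that does not exist in the repository checkout, so code-scanning alerts would presumably be attached to a non-existent file — confirm how the upload treats such a uri before relying on it. `$sbom_base_name` is spliced into the yq expression inside double quotes, so a name containing `"` or `\` would corrupt the expression; pass it via an environment variable instead, e.g. `SBOM_NAME="$sbom_base_name" yq eval "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) = strenv(SBOM_NAME)" -i "$sarif_output_dir/$sarif_file_name"` (double quotes keep the surrounding `bash -c '...'` intact). Only the `upstream` task receives this change; the `registry1` task below the hunk keeps the unmodified SARIF.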
diff --git a/tasks.yaml b/tasks.yaml index 13cfb41b..741495aa 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -61,4 +61,4 @@ tasks: - task: create-gl-test-bundle - task: deploy:test-bundle - task: test:health-check - - task: test:ingress \ No newline at end of file + - task: test:ingress From a6c5d7130e0d9a7d00f04be4faa6b9d10429ff08 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Wed, 3 Apr 2024 10:11:30 -0500 Subject: [PATCH 17/25] included config for grype to scan registry1 Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/scan.yaml | 4 ++++ tasks/scan.yaml | 24 +++++++++++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 270cfd9d..5475e893 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -62,7 +62,11 @@ jobs: - name: Scan the repository for vulnerabilities - Registry1 run: | uds run grype:install + uds run create-grype-config uds run scan:registry1 + env: + GRYPE_USERNAME: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} + GRYPE_PASSWORD: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} - name: Check for SARIF files - Registry1 id: check_sarif diff --git a/tasks/scan.yaml b/tasks/scan.yaml index ee8b7536..6c7a5001 100644 --- a/tasks/scan.yaml +++ b/tasks/scan.yaml @@ -22,7 +22,6 @@ tasks: echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)" # Extract the base name of the SBOM file without the .json extension sbom_base_name=$(basename "$json_file" .json) - # Use yq to replace the path with the SBOM file name without the .json extension yq eval "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) = \"$sbom_base_name\"" "$sarif_output_dir/$sarif_file_name" -i echo "Updated SARIF file path to $sbom_base_name using yq for $sarif_file_name" done 
@@ -50,3 +49,26 @@ tasks:
 echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
 done
 '
+ - name: create-grype-config
+ description: Generate a .grype.yaml configuration file with registry credentials
+ actions:
+ - cmd: |
+ bash -c '
+ # Ensure the environment variables are set
+ if [[ -z "$GRYPE_USERNAME" || -z "$GRYPE_PASSWORD" ]]; then
+ echo "GRYPE_USERNAME and GRYPE_PASSWORD environment variables must be set."
+ exit 1
+ fi
+
+ # Create or overwrite the .grype.yaml file
+ cat > .grype.yaml << EOF
+ # Grype Configuration File
+ registry:
+ auth:
+ - authority: "registry1.dso.mil"
+ username: "$GRYPE_USERNAME"
+ password: "$GRYPE_PASSWORD"
+ EOF
+
+ echo ".grype.yaml configuration file created with registry credentials."
+ '
From 22d7f95739e77aa046b019e05157d723d06ad5ca Mon Sep 17 00:00:00 2001
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Wed, 3 Apr 2024 10:19:34 -0500
Subject: [PATCH 18/25] changes for grype config
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/scan.yaml | 2 +-
 tasks/grype.yaml | 24 ++++++++++++++++++++++++
 tasks/scan.yaml | 24 +----------------------
 3 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index 5475e893..f70c202e 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -62,7 +62,7 @@ jobs:
 - name: Scan the repository for vulnerabilities - Registry1
 run: |
 uds run grype:install
- uds run create-grype-config
+ uds run grype:create-grype-config
 uds run scan:registry1
 env:
 GRYPE_USERNAME: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
diff --git a/tasks/grype.yaml b/tasks/grype.yaml
index 27b788ef..2bb284e9 100644
--- a/tasks/grype.yaml
+++ b/tasks/grype.yaml
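Review bot: The added `create-grype-config` task writes the registry username and password in plaintext to `.grype.yaml` in the working tree, and nothing in the series deletes the file afterwards or lists it in `.gitignore`, so the secret outlives the scan and sits in the same directory that is later passed to `uds zarf package create .`; the identical task is moved into tasks/grype.yaml by the next patch (`@@ -10,3 +10,27 @@`) with the same problem. Grype accepts these settings from the environment as `GRYPE_REGISTRY_AUTH_AUTHORITY`, `GRYPE_REGISTRY_AUTH_USERNAME` and `GRYPE_REGISTRY_AUTH_PASSWORD`, and the workflow step already carries the secrets as env (under the names `GRYPE_USERNAME`/`GRYPE_PASSWORD`), so renaming those env keys on the step removes the need for the file entirely. If the file is kept, two details still need attention: a password containing `"` or `\` breaks the double-quoted YAML scalar it is written into, and the here-document terminator `EOF` appears to be indented like the `cat` line, which bash only accepts as a terminator with `<<-` and tab indentation (the collapsed layout here makes the exact columns uncertain, so verify with a local `uds run`).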
@@ -10,3 +10,27 @@ tasks:
 else
 echo "Grype is already installed."
 fi
+
+ - name: create-grype-config
+ description: Generate a .grype.yaml configuration file with registry credentials
+ actions:
+ - cmd: |
+ bash -c '
+ # Ensure the environment variables are set
+ if [[ -z "$GRYPE_USERNAME" || -z "$GRYPE_PASSWORD" ]]; then
+ echo "GRYPE_USERNAME and GRYPE_PASSWORD environment variables must be set."
+ exit 1
+ fi
+
+ # Create or overwrite the .grype.yaml file
+ cat > .grype.yaml << EOF
+ # Grype Configuration File
+ registry:
+ auth:
+ - authority: "registry1.dso.mil"
+ username: "$GRYPE_USERNAME"
+ password: "$GRYPE_PASSWORD"
+ EOF
+
+ echo ".grype.yaml configuration file created with registry credentials."
+ '
diff --git a/tasks/scan.yaml b/tasks/scan.yaml
index 6c7a5001..ee8b7536 100644
--- a/tasks/scan.yaml
+++ b/tasks/scan.yaml
@@ -22,6 +22,7 @@ tasks:
 echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
 # Extract the base name of the SBOM file without the .json extension
 sbom_base_name=$(basename "$json_file" .json)
+ # Use yq to replace the path with the SBOM file name without the .json extension
 yq eval "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) = \"$sbom_base_name\"" "$sarif_output_dir/$sarif_file_name" -i
 echo "Updated SARIF file path to $sbom_base_name using yq for $sarif_file_name"
 done
@@ -49,26 +50,3 @@ tasks:
 echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
 done
 '
- - name: create-grype-config
- description: Generate a .grype.yaml configuration file with registry credentials
- actions:
- - cmd: |
- bash -c '
- # Ensure the environment variables are set
- if [[ -z "$GRYPE_USERNAME" || -z "$GRYPE_PASSWORD" ]]; then
- echo "GRYPE_USERNAME and GRYPE_PASSWORD environment variables must be set."
- exit 1
- fi
-
- # Create or overwrite the .grype.yaml file
- cat > .grype.yaml << EOF
- # Grype Configuration File
- registry:
- auth:
- - authority: "registry1.dso.mil"
- username: "$GRYPE_USERNAME"
- password: "$GRYPE_PASSWORD"
- EOF
-
- echo ".grype.yaml configuration file created with registry credentials."
- '
From 1329ca61001246d7ed063208b29a61b57f1f6417 Mon Sep 17 00:00:00 2001
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Wed, 3 Apr 2024 10:27:18 -0500
Subject: [PATCH 19/25] login into registry1
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/scan.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index f70c202e..43594754 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -59,6 +59,13 @@ jobs:
 username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
 password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+ - name: Iron Bank Login
+ env:
+ REGISTRY_USERNAME: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+ REGISTRY_PASSWORD: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+ run: echo "${{ env.REGISTRY_PASSWORD }}" | uds zarf tools registry login -u "${{ env.REGISTRY_USERNAME }}" --password-stdin registry1.dso.mil
+ shell: bash
+
 - name: Scan the repository for vulnerabilities - Registry1
 run: |
 uds run grype:install
From d0078f9a52cbcea18ed761c23232efcfeba083eb Mon Sep 17 00:00:00 2001
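Review bot: The `run:` line of the added Iron Bank Login step expands `${{ env.REGISTRY_PASSWORD }}` and `${{ env.REGISTRY_USERNAME }}` as workflow expressions, so the secret is pasted into the script text before bash parses it; a password containing `"`, `$` or a backtick then breaks or re-expands the command, and the value exists as script source rather than only as a process environment variable. Since the step already defines both values under `env:`, reference them from the shell instead: `run: echo "$REGISTRY_PASSWORD" | uds zarf tools registry login -u "$REGISTRY_USERNAME" --password-stdin registry1.dso.mil`. The step that follows passes the same two secrets again as `GRYPE_USERNAME`/`GRYPE_PASSWORD` (its `env:` is outside this hunk), so it is worth stating in a comment which of the two mechanisms the registry1 scan actually relies on.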
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Wed, 3 Apr 2024 10:37:52 -0500
Subject: [PATCH 20/25] upload the sarif for registry1
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/scan.yaml | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index 43594754..faf4298a 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -75,17 +75,8 @@ jobs:
 GRYPE_USERNAME: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
 GRYPE_PASSWORD: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
- - name: Check for SARIF files - Registry1
- id: check_sarif
- run: |
- if compgen -G "./sarif/*.sarif" > /dev/null; then
- echo "::set-output name=exists::true"
- else
- echo "::set-output name=exists::false"
- fi
-
 - name: Upload SARIF files - Registry1
 if: steps.check_sarif.outputs.exists == 'true'
 uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
 with:
- sarif_file: ./sarif/*.sarif
+ sarif_file: ./sarif
From 7f54ed6751dd52e0a661421249f34271889c1a8d Mon Sep 17 00:00:00 2001
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Wed, 3 Apr 2024 10:43:04 -0500
Subject: [PATCH 21/25] trying without grype config
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/scan.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index faf4298a..a54d4adf 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -69,7 +69,6 @@ jobs:
 - name: Scan the repository for vulnerabilities - Registry1
 run: |
 uds run grype:install
- uds run grype:create-grype-config
 uds run scan:registry1
 env:
 GRYPE_USERNAME: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
From 46b967e6c5db6546fdff509e2d2c4ccaa7212060 Mon Sep 17 00:00:00 2001
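Review bot: The upload step in `@@ -75,17 +75,8 @@` keeps `if: steps.check_sarif.outputs.exists == 'true'` while the same hunk deletes the `check_sarif` step it refers to, so the expression reads an output of a step that no longer exists, evaluates to empty, and the Registry1 SARIF is never uploaded. Either drop the condition or replace it with a guard that does not depend on the removed step, such as `if: hashFiles('sarif/*.sarif') != ''`, which also keeps the upload from failing when the scan produced nothing. Separately, `github/codeql-action/upload-sarif` requires `security-events: write` on the job; the job's permissions block is outside this hunk and in the first patch of the series grants only `contents: read` and `pull-requests: read`, so confirm it has been widened, otherwise the upload is rejected with a permissions error.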
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Wed, 3 Apr 2024 10:47:18 -0500
Subject: [PATCH 22/25] removed the if condition check for registry1 upload to sarif
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/scan.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index a54d4adf..09f9542a 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -75,7 +75,6 @@ jobs:
 GRYPE_PASSWORD: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
 - name: Upload SARIF files - Registry1
- if: steps.check_sarif.outputs.exists == 'true'
 uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
 with:
 sarif_file: ./sarif
From 2864a207caa5f5cf08c1e9d3d941800a3b96a0df Mon Sep 17 00:00:00 2001
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Wed, 3 Apr 2024 10:58:47 -0500
Subject: [PATCH 23/25] refactor to a single task
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/scan.yaml | 5 ++++-
 tasks/scan.yaml | 29 +++--------------------------
 2 files changed, 7 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index 09f9542a..a730a846 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -31,9 +31,11 @@ jobs:
 - name: Scan the repository for vulnerabilities - Upstream
+ env:
+ FLAVOR: upstream
 run: |
 uds run grype:install
- uds run scan:upstream
+ uds run scan:scan
 - name: Upload SARIF files - Upstream
 uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
@@ -73,6 +75,7 @@ jobs:
 env:
 GRYPE_USERNAME: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
 GRYPE_PASSWORD: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+ FLAVOR: registry1
 - name: Upload SARIF files - Registry1
 uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
diff --git a/tasks/scan.yaml b/tasks/scan.yaml
index ee8b7536..2fc818f7 100644
--- a/tasks/scan.yaml
+++ b/tasks/scan.yaml
@@ -1,11 +1,11 @@
 ---
 tasks:
- - name: upstream
- description: Create a UDS package with upstream flavor, extract the SBOM, and analyze for vulnerabilities
+ - name: scan
+ description: Create a UDS package with specified flavor, extract the SBOM, and analyze for vulnerabilities
 actions:
 - cmd: |
 bash -c '
- flavor="upstream"
+ flavor="${FLAVOR}"
 output_dir="sbom/$flavor"
 mkdir -p "$output_dir"
 uds zarf package create . --flavor="$flavor" --confirm --no-progress -o "$output_dir"
@@ -27,26 +27,3 @@ tasks:
 echo "Updated SARIF file path to $sbom_base_name using yq for $sarif_file_name"
 done
 '
-
- - name: registry1
- description: Create a UDS package with registry1 flavor, extract the SBOM, and analyze for vulnerabilities
- actions:
- - cmd: |
- bash -c '
- flavor="registry1"
- output_dir="sbom/$flavor"
- mkdir -p "$output_dir"
- uds zarf package create . --flavor="$flavor" --confirm --no-progress -o "$output_dir"
- for file in "$output_dir"/*.zst; do
- uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress
- done
- sarif_output_dir="./sarif"
- mkdir -p "$sarif_output_dir"
- find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do
- sarif_file_name="${flavor}_$(basename "${json_file}").sarif"
- echo "Processing $json_file"
- echo "Outputting to $sarif_output_dir/$sarif_file_name"
- grype sbom:"$json_file" -o sarif --file "$sarif_output_dir/$sarif_file_name"
- echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
- done
- '
From 685c9f382c639048f232a4c9754c785f31038fc1 Mon Sep 17 00:00:00 2001
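Review bot: `flavor="${FLAVOR}"` in the `@@ -1,11 +1,11 @@` hunk of tasks/scan.yaml has no guard for an unset or empty `FLAVOR`, so a caller that forgets the variable silently proceeds with `output_dir="sbom/"` and an empty `--flavor=` value, and (judging by the `sarif_file_name` pattern visible in the deleted registry1 task) SARIF files named `_<sbom>.sarif`, with no error pointing at the cause. Fail early with `: "${FLAVOR:?FLAVOR must be set to upstream or registry1}"` on the line before the assignment; this is safe inside the `bash -c '...'` body because it contains no single quotes. The task description could also name the input, e.g. `Create a UDS package for the flavor given by the FLAVOR environment variable, extract the SBOM, and analyze for vulnerabilities`. The rest of the `bash -c` body continues outside the hunk.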
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Wed, 3 Apr 2024 11:06:13 -0500
Subject: [PATCH 24/25] fixed the wrong name
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index a730a846..f049cccf 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -71,7 +71,7 @@ jobs:
 - name: Scan the repository for vulnerabilities - Registry1
 run: |
 uds run grype:install
- uds run scan:registry1
+ uds run scan:scan
 env:
 GRYPE_USERNAME: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
 GRYPE_PASSWORD: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
From 86c231d19a125ad02d075839273783494de15912 Mon Sep 17 00:00:00 2001
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Wed, 3 Apr 2024 11:16:59 -0500
Subject: [PATCH 25/25] removed the grype config tasks
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/scan.yaml | 2 --
 tasks/grype.yaml | 24 ------------------------
 2 files changed, 26 deletions(-)
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index f049cccf..9fe4d73f 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -73,8 +73,6 @@ jobs:
 uds run grype:install
 uds run scan:scan
 env:
- GRYPE_USERNAME: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
- GRYPE_PASSWORD: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
 FLAVOR: registry1
 - name: Upload SARIF files - Registry1
diff --git a/tasks/grype.yaml b/tasks/grype.yaml
index 2bb284e9..27b788ef 100644
--- a/tasks/grype.yaml
+++ b/tasks/grype.yaml
@@ -10,27 +10,3 @@ tasks:
 else
 echo "Grype is already installed."
 fi
-
- - name: create-grype-config
- description: Generate a .grype.yaml configuration file with registry credentials
- actions:
- - cmd: |
- bash -c '
- # Ensure the environment variables are set
- if [[ -z "$GRYPE_USERNAME" || -z "$GRYPE_PASSWORD" ]]; then
- echo "GRYPE_USERNAME and GRYPE_PASSWORD environment variables must be set."
- exit 1
- fi
-
- # Create or overwrite the .grype.yaml file
- cat > .grype.yaml << EOF
- # Grype Configuration File
- registry:
- auth:
- - authority: "registry1.dso.mil"
- username: "$GRYPE_USERNAME"
- password: "$GRYPE_PASSWORD"
- EOF
-
- echo ".grype.yaml configuration file created with registry credentials."
- '