From 6f3d36bc0d10dbfe1c8ac8fc3b349ccc2e323df5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?=
Date: Tue, 8 Oct 2024 09:52:42 +0800
Subject: [PATCH] ci: set trivy db repository to public.ecr.aws/aquasecurity/trivy-db:2 (#4570)

Signed-off-by: zhangzujian
---
 .github/workflows/build-arm64-image.yaml | 2 ++
 .github/workflows/build-kube-ovn-base.yaml | 2 ++
 .github/workflows/build-x86-image.yaml | 4 ++++
 Makefile | 11 +++++------
 dist/images/Dockerfile.base | 3 ++-
 5 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build-arm64-image.yaml b/.github/workflows/build-arm64-image.yaml
index d20e96aa663..23f6d7cc9f2 100644
--- a/.github/workflows/build-arm64-image.yaml
+++ b/.github/workflows/build-arm64-image.yaml
@@ -55,6 +55,8 @@ jobs:
 - name: Scan base image
 uses: aquasecurity/trivy-action@0.24.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
 with:
 scan-type: image
 scanners: vuln
diff --git a/.github/workflows/build-kube-ovn-base.yaml b/.github/workflows/build-kube-ovn-base.yaml
index 1256a6a9de4..c3e836f0101 100644
--- a/.github/workflows/build-kube-ovn-base.yaml
+++ b/.github/workflows/build-kube-ovn-base.yaml
@@ -49,6 +49,7 @@ jobs:
 if: (github.event.inputs.branch || matrix.branch) == matrix.branch
 env:
 GO_VERSION: ${{ steps.setup-go.outputs.go-version }}
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
 run: |
 make base-amd64
 make base-tar-amd64
@@ -99,6 +100,7 @@ jobs:
 if: (github.event.inputs.branch || matrix.branch) == matrix.branch
 env:
 GO_VERSION: ${{ steps.setup-go.outputs.go-version }}
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
 run: |
 make base-arm64 || make base-arm64
 make base-tar-arm64
diff --git a/.github/workflows/build-x86-image.yaml b/.github/workflows/build-x86-image.yaml
index aaff2c9725b..a401f71203c 100644
--- a/.github/workflows/build-x86-image.yaml
+++ b/.github/workflows/build-x86-image.yaml
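Review bot: The literal `public.ecr.aws/aquasecurity/trivy-db:2` is now repeated once per step — here in build-arm64-image.yaml and in both job steps of build-kube-ovn-base.yaml, plus two more steps in build-x86-image.yaml and an `ENV` in dist/images/Dockerfile.base — so a later change of DB registry or schema tag has six places to drift. Each workflow could declare it once at the top level, `env:` / `  TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2`, and drop the step-level copies; the trivy-action step and the `make base-*` steps inherit a workflow-level env the same way they read the step-level one. A one-line comment beside that single declaration saying why the default trivy-db registry is overridden would also help, since neither the commit message nor the hunks record the reason.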
@@ -207,6 +207,8 @@ jobs:
 - name: Scan base image
 uses: aquasecurity/trivy-action@0.24.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
 with:
 scan-type: image
 scanners: vuln
@@ -2896,6 +2898,8 @@ jobs:
 fi
 - name: Security Scan
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
 run: |
 sudo apt-get install wget apt-transport-https gnupg lsb-release
 wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
diff --git a/Makefile b/Makefile
index 35acc2a63e8..a694e53db79 100644
--- a/Makefile
+++ b/Makefile
@@ -11,7 +11,6 @@ VERSION = $(shell echo $${VERSION:-$(RELEASE_TAG)})
 COMMIT = git-$(shell git rev-parse --short HEAD)
 DATE = $(shell date +"%Y-%m-%d_%H:%M:%S")
-GO_VERSION = $(shell echo $${GO_VERSION:-1.22.7})
 GOLDFLAGS = -extldflags '-z now' -X github.com/kubeovn/kube-ovn/versions.COMMIT=$(COMMIT) -X github.com/kubeovn/kube-ovn/versions.VERSION=$(RELEASE_TAG) -X github.com/kubeovn/kube-ovn/versions.BUILDDATE=$(DATE)
 ifdef DEBUG
 GO_BUILD_FLAGS = -ldflags "$(GOLDFLAGS)"
@@ -154,9 +153,9 @@ build-debug:
 .PHONY: base-amd64
 base-amd64:
- docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg GO_VERSION=$(GO_VERSION) -t $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-amd64 -o type=docker -f dist/images/Dockerfile.base dist/images/
- docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg GO_VERSION=$(GO_VERSION) --build-arg LEGACY=true -t $(REGISTRY)/kube-ovn-base:$(LEGACY_TAG) -o type=docker -f dist/images/Dockerfile.base dist/images/
- docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg GO_VERSION=$(GO_VERSION) --build-arg DEBUG=true -t $(REGISTRY)/kube-ovn-base:$(DEBUG_TAG)-amd64 -o type=docker -f dist/images/Dockerfile.base dist/images/
+ docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg GO_VERSION --build-arg TRIVY_DB_REPOSITORY -t $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-amd64 -o type=docker -f dist/images/Dockerfile.base dist/images/
+ docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg GO_VERSION --build-arg TRIVY_DB_REPOSITORY --build-arg LEGACY=true -t $(REGISTRY)/kube-ovn-base:$(LEGACY_TAG) -o type=docker -f dist/images/Dockerfile.base dist/images/
+ docker buildx build --platform linux/amd64 --build-arg ARCH=amd64 --build-arg GO_VERSION --build-arg TRIVY_DB_REPOSITORY --build-arg DEBUG=true -t $(REGISTRY)/kube-ovn-base:$(DEBUG_TAG)-amd64 -o type=docker -f dist/images/Dockerfile.base dist/images/
 .PHONY: base-amd64-dpdk
 base-amd64-dpdk:
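Review bot: `--build-arg TRIVY_DB_REPOSITORY` on the three base-amd64 recipe lines (and on the two base-arm64 lines in the next hunk) passes the value through from the caller's environment, but the dist/images/Dockerfile.base hunk in this same patch only adds `ENV TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db:2"` with a literal value; an `ENV` does not consume a build arg, so unless an `ARG TRIVY_DB_REPOSITORY` exists outside the visible hunk, docker will warn that the arg was not consumed and the repository set in the workflow env never reaches the image build. Declaring it in the stage that needs it as `ARG TRIVY_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-db:2` makes the passthrough effective and keeps the value build-scoped instead of baking it into the runtime environment of every image derived from kube-ovn-base; add `ENV TRIVY_DB_REPOSITORY=$TRIVY_DB_REPOSITORY` only if something at container runtime actually reads it. Note too that a value-less `--build-arg NAME` passes nothing when NAME is unset in the invoking shell, so a local `make base-amd64` silently takes whatever Dockerfile.base defaults to — worth a one-line comment above the `base-amd64:` rule, e.g. `# GO_VERSION and TRIVY_DB_REPOSITORY are taken from the environment; CI sets both`.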
@@ -164,8 +163,8 @@ base-amd64-dpdk:
 .PHONY: base-arm64
 base-arm64:
- docker buildx build --platform linux/arm64 --build-arg ARCH=arm64 --build-arg GO_VERSION=$(GO_VERSION) -t $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-arm64 -o type=docker -f dist/images/Dockerfile.base dist/images/
- docker buildx build --platform linux/arm64 --build-arg ARCH=arm64 --build-arg GO_VERSION=$(GO_VERSION) --build-arg DEBUG=true -t $(REGISTRY)/kube-ovn-base:$(DEBUG_TAG)-arm64 -o type=docker -f dist/images/Dockerfile.base dist/images/
+ docker buildx build --platform linux/arm64 --build-arg ARCH=arm64 --build-arg GO_VERSION --build-arg TRIVY_DB_REPOSITORY -t $(REGISTRY)/kube-ovn-base:$(RELEASE_TAG)-arm64 -o type=docker -f dist/images/Dockerfile.base dist/images/
+ docker buildx build --platform linux/arm64 --build-arg ARCH=arm64 --build-arg GO_VERSION --build-arg TRIVY_DB_REPOSITORY --build-arg DEBUG=true -t $(REGISTRY)/kube-ovn-base:$(DEBUG_TAG)-arm64 -o type=docker -f dist/images/Dockerfile.base dist/images/
 .PHONY: build-kit
diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
index f81d192539b..8c63f810b22 100644
--- a/dist/images/Dockerfile.base
+++ b/dist/images/Dockerfile.base
@@ -1,5 +1,5 @@
 # syntax = docker/dockerfile:experimental
-ARG GO_VERSION
+ARG GO_VERSION=1.22.7
 FROM ubuntu:24.04 AS ovs-builder
@@ -94,6 +94,7 @@ ARG ARCH
 ENV CNI_VERSION="v1.5.1"
 ENV KUBE_VERSION="v1.31.1"
 ENV GOBGP_VERSION="3.29.0"
+ENV TRIVY_DB_REPOSITORY="public.ecr.aws/aquasecurity/trivy-db:2"
 RUN apk --no-cache add curl jq
 ADD go-deps/download-go-deps.sh /