
chore: move to trivy based image scan, removed snyk (#187)
saxenakshitiz authored Jul 4, 2023
1 parent 6b3081e commit 52f972f
Showing 13 changed files with 147 additions and 204 deletions.
18 changes: 3 additions & 15 deletions .github/workflows/merge-publish.yml
Expand Up @@ -7,30 +7,18 @@ on:

jobs:
merge-publish:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
# Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
- name: Check out code
uses: actions/checkout@v2.3.4
uses: actions/checkout@v3
with:
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
fetch-depth: 0

- name: create checksum file
uses: hypertrace/github-actions/checksum@main

- name: Cache packages
uses: actions/cache@v2
with:
path: ~/.gradle
key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
restore-keys: |
gradle-packages-${{ runner.os }}-${{ github.job }}
gradle-packages-${{ runner.os }}
- name: Login to Docker Hub
uses: docker/login-action@v1
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_READ_USER }}
password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
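Review bot: Every action this hunk bumps is still referenced by a mutable ref (`uses: actions/checkout@v3`, `uses: docker/login-action@v2`, and the `@main` refs of hypertrace/github-actions used across this commit), so the code that handles `secrets.DOCKERHUB_READ_TOKEN` can change upstream without any change in this repository. Pinning each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, makes the resolved code immutable while leaving the version readable, and Dependabot's github-actions ecosystem can keep such pins current. The same applies to the bumps in pr-build.yml, pr-test.yml and publish.yml. The `on:` block that decides when this PR-head checkout (`ref:`/`repository:` from `github.event.pull_request`) runs is outside the hunk, so whether it can execute for forked PRs cannot be judged here.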
53 changes: 9 additions & 44 deletions .github/workflows/pr-build.yml
Expand Up @@ -9,30 +9,18 @@ on:

jobs:
build:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
# Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
- name: Check out code
uses: actions/checkout@v2.3.4
uses: actions/checkout@v3
with:
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
fetch-depth: 0

- name: create checksum file
uses: hypertrace/github-actions/checksum@main

- name: Cache packages
uses: actions/cache@v2
with:
path: ~/.gradle
key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
restore-keys: |
gradle-packages-${{ runner.os }}-${{ github.job }}
gradle-packages-${{ runner.os }}
- name: Login to Docker Hub
uses: docker/login-action@v1
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_READ_USER }}
password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
Expand All @@ -42,44 +30,21 @@ jobs:
with:
args: build dockerBuildImages

- name: Determine docker tag
id: tag
run: echo ::set-output name=tag::$(./gradlew -q printDockerImageDefaultTag | head -1)

- name: Scan docker image
uses: azure/[email protected]
- name: Run Trivy vulnerability scanner for query service
uses: hypertrace/github-actions/trivy-image-scan@main
with:
image-name: hypertrace/query-service:${{ steps.tag.outputs.tag }}
env:
DOCKLE_HOST: "unix:///var/run/docker.sock"
continue-on-error: true
image: hypertrace/query-service
output-mode: github

validate-helm-charts:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- name: Check out code
uses: actions/checkout@v2.3.4
uses: actions/checkout@v3
with:
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
fetch-depth: 0

- name: validate charts
uses: hypertrace/github-actions/validate-charts@main

snyk-scan:
runs-on: ubuntu-20.04
steps:
# Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
- name: Check out code
uses: actions/[email protected]
with:
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
fetch-depth: 0
- name: Setup snyk
uses: snyk/actions/[email protected]
- name: Snyk test
run: snyk test --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching='^runtimeClasspath$' --remote-repo-url='${{ github.server_url }}/${{ github.repository }}.git'
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
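Review bot: The new step `uses: hypertrace/github-actions/trivy-image-scan@main` drops the `continue-on-error: true` the replaced Dockle step carried and passes `image: hypertrace/query-service` without the tag the removed `steps.tag.outputs.tag` step supplied, so whether the freshly built image (rather than a registry pull) is scanned, and whether findings now block the PR, both depend on the composite action's internals rather than on anything in this file. A comment above the step stating the intended contract — which tag is scanned, which severities fail the job, and that suppressions go in `.trivyignore` (added in this commit with only a blank line, so no convention for justifying an entry exists yet) — would let reviewers of future suppressions judge them against the intent; write it from what the action actually does. The image is produced by the `args: build dockerBuildImages` step at the top of the hunk; the job definition begins outside it.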
22 changes: 8 additions & 14 deletions .github/workflows/pr-test.yml
Expand Up @@ -7,26 +7,14 @@ on:

jobs:
test:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
# Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
- name: Check out code
uses: actions/checkout@v2.3.4
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: create checksum file
uses: hypertrace/github-actions/checksum@main

- name: Cache packages
uses: actions/cache@v2
with:
path: ~/.gradle
key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
restore-keys: |
gradle-packages-${{ runner.os }}-${{ github.job }}
gradle-packages-${{ runner.os }}
- name: Unit test
uses: hypertrace/github-actions/gradle@main
with:
Expand Down Expand Up @@ -67,3 +55,9 @@ jobs:
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
files: ./**/build/test-results/**/*.xml

dependency-check:
runs-on: ubuntu-22.04
steps:
- name: Dependency Check
uses: hypertrace/github-actions/dependency-check@main
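Review bot: The new `dependency-check` job consists of the single step `uses: hypertrace/github-actions/dependency-check@main` with no `actions/checkout` step before it, unlike every other job in this file; unless that composite action checks the repository out itself, the Gradle dependency-check it presumably runs has no build to analyse and could pass vacuously. Adding the checkout the `test` job uses, `- uses: actions/checkout@v3` with `fetch-depth: 0`, ahead of it (or confirming in a comment that the action does so) removes the doubt. Since this job takes over the dependency-gate role of the `snyk-scan` job deleted from pr-build.yml, it is also worth confirming it is a required status check for merges.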
28 changes: 8 additions & 20 deletions .github/workflows/publish.yml
Expand Up @@ -8,28 +8,16 @@ on:

jobs:
publish-artifacts:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
# Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
- name: Check out code
uses: actions/checkout@v2.3.4
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: create checksum file
uses: hypertrace/github-actions/checksum@main

- name: Cache packages
uses: actions/cache@v2
with:
path: ~/.gradle
key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
restore-keys: |
gradle-packages-${{ runner.os }}-${{ github.job }}
gradle-packages-${{ runner.os }}
- name: Login to Docker Hub
uses: docker/login-action@v1
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_READ_USER }}
password: ${{ secrets.DOCKERHUB_READ_TOKEN }}
Expand All @@ -47,11 +35,11 @@ jobs:

publish-helm-charts:
needs: publish-artifacts
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
# Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
- name: Checkout Repository
uses: actions/checkout@v2.3.4
uses: actions/checkout@v3
with:
fetch-depth: 0

Expand All @@ -62,12 +50,12 @@ jobs:
helm-gcs-repository: ${{ secrets.HELM_GCS_REPOSITORY }}

publish-release-notes:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v2.3.4
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: hypertrace/github-actions/release-notes@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}


46 changes: 0 additions & 46 deletions .snyk

This file was deleted.

1 change: 1 addition & 0 deletions .trivyignore
@@ -0,0 +1 @@

8 changes: 8 additions & 0 deletions build.gradle.kts
Expand Up @@ -5,6 +5,7 @@ plugins {
id("org.hypertrace.jacoco-report-plugin") version "0.2.0" apply false
id("org.hypertrace.integration-test-plugin") version "0.2.0" apply false
id("org.hypertrace.code-style-plugin") version "1.1.1" apply false
id("org.owasp.dependencycheck") version "8.2.1"
}

subprojects {
Expand All @@ -23,3 +24,10 @@ subprojects {
}
}
}

dependencyCheck {
format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString()
suppressionFile = "owasp-suppressions.xml"
scanConfigurations.add("runtimeClasspath")
failBuildOnCVSS = 3.0F
}
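Review bot: The `dependencyCheck { ... }` block configures the plugin only on the root project, where `id("org.owasp.dependencycheck") version "8.2.1"` is applied without `apply false`, so the per-project `dependencyCheckAnalyze` task would only see the root's own `runtimeClasspath`; the subprojects' dependencies are covered only through the aggregating task, and this file does not show which task the `dependency-check` composite action invokes — worth confirming. A header comment recording that and the threshold, e.g. `// Intended to run via dependencyCheckAggregate so every subproject's runtimeClasspath is scanned; failBuildOnCVSS = 3.0 fails on any finding scoring 3.0 or higher (most of the "low" band up), replacing the removed snyk --severity-threshold=low`, would make the intent reviewable. `scanConfigurations.add("runtimeClasspath")` matches the `--configuration-matching='^runtimeClasspath$'` the deleted Snyk step used, so test-only dependencies remain unscanned by design; a comment saying so would stop that being read as an oversight.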
57 changes: 57 additions & 0 deletions owasp-suppressions.xml
@@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<notes><![CDATA[
Any hypertrace dep
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
<cpe>cpe:/a:grpc:grpc</cpe>
<cpe>cpe:/a:utils_project:utils</cpe>
</suppress>

<suppress>
<notes><![CDATA[
We need to get pinot to upgrade this dep, it's 16 years old. Upgrades fix this issue but have changed package/group names
]]></notes>
<packageUrl regex="true">^pkg:maven/commons\-httpclient/commons\-httpclient@.*$</packageUrl>
<cve>CVE-2012-5783</cve>
<cve>CVE-2020-13956</cve>
</suppress>

<suppress until="2023-07-30Z">
<notes><![CDATA[
file name: zookeeper-api-1.2.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.helix/zookeeper\-api@.*$</packageUrl>
<cve>CVE-2016-5017</cve>
<cve>CVE-2018-8012</cve>
<cve>CVE-2019-0201</cve>
</suppress>

<suppress until="2023-07-30Z">
<notes><![CDATA[
file name: commons-compiler-3.1.9.jar
https://github.com/janino-compiler/janino/issues/201
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.janino/commons\-compiler@.*$</packageUrl>
<cve>CVE-2023-33546</cve>
</suppress>

<suppress until="2023-07-30Z">
<notes><![CDATA[
Same series of issues that also impacts jackson, vendor disputed and not currently fixed
https://github.com/janino-compiler/janino/issues/201
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.janino/.*@.*$</packageUrl>
<cve>CVE-2023-33546</cve>
</suppress>

<suppress until="2023-07-30Z">
<notes><![CDATA[
file name: jackson-databind-2.14.2.jar
This is currently disputed.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<cve>CVE-2023-35116</cve>
</suppress>
</suppressions>
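Review bot: The commons-httpclient entry (`<packageUrl regex="true">^pkg:maven/commons\-httpclient/commons\-httpclient@.*$</packageUrl>`) is the only suppression of a third-party dependency without an `until` attribute, and its own notes describe the findings as fixed by an upgrade rather than as false positives, so CVE-2012-5783 and CVE-2020-13956 are silenced indefinitely. Give it an expiry like the others, `<suppress until="<review-date>">`, and record in the notes the Pinot issue or ticket tracking the upgrade, so the entry resurfaces for review instead of being forgotten once the build is green. Separately, the `^pkg:maven/org\.codehaus\.janino/.*@.*$` entry already covers `org.codehaus.janino/commons-compiler` for CVE-2023-33546, so the narrower commons-compiler entry above it is redundant and can be dropped.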
