From 507863633bc75fed7bf95881f6b57829134c1cd2 Mon Sep 17 00:00:00 2001
From: Jessica Wagantall
Date: Tue, 7 Mar 2023 12:54:25 -0800
Subject: [PATCH] Feat: Add Docker Snyk CLI Scanner jobs

Introduce Docker Snyk CLI scanner jobs. These jobs can be triggered to download the latest version of Snyk's CLI scanner and trigger a scan for Docker based repos. These jobs produce a report which is published into Snyk's dashboard. These reports are fetched and reflected back into the LFX Security tool.

Issue: RELENG-4609
Signed-off-by: Jessica Wagantall
Change-Id: Ifc9ab4c51393e893b22b06844f3701caaca06c6f
---
 .jjb-test/lf-docker-jobs/docker-jobs.yaml | 1 +
 docs/jjb/lf-docker-jobs.rst | 56 ++++++++
 jjb/lf-docker-jobs.yaml | 159 +++++++++++++++++++++
 ...d-docker-snyk-cli-scanner-7c1e372de3a65376.yaml | 7 +
 shell/snyk-cli-scanner-run.sh | 11 +-
 5 files changed, 232 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/add-docker-snyk-cli-scanner-7c1e372de3a65376.yaml

diff --git a/.jjb-test/lf-docker-jobs/docker-jobs.yaml b/.jjb-test/lf-docker-jobs/docker-jobs.yaml
index 8f8f770b..1cfdf588 100644
--- a/.jjb-test/lf-docker-jobs/docker-jobs.yaml
+++ b/.jjb-test/lf-docker-jobs/docker-jobs.yaml
@@ -3,6 +3,7 @@
 name: "{project-name}-docker"
 jobs:
 - "{project-name}-gerrit-docker-jobs"
+ - gerrit-docker-snyk-cli
 project: docker/project
 project-name: docker-project
diff --git a/docs/jjb/lf-docker-jobs.rst b/docs/jjb/lf-docker-jobs.rst
index efe66745..a10624ba 100644
--- a/docs/jjb/lf-docker-jobs.rst
+++ b/docs/jjb/lf-docker-jobs.rst
@@ -215,3 +215,59 @@ Sample container-tag.yaml File
 ---
 tag: 1.0.0
+
+Docker Snyk CLI
+---------------
+
+Builds the code, downloads and runs a Snyk CLI scan of the code into the Snyk dashboard.
+
+:Template Names:
+
+ - {project-name}-docker-snyk-cli-{stream}
+ - gerrit-docker-snyk-cli
+ - github-docker-snyk-cli
+
+:Comment Trigger: run-snyk
+
+:Required parameters:
+
+ :build-node: The node to run build on.
+ :container-public-registry: Docker registry source with base images.
+ :docker-name: Name of the Docker image.
+ :jenkins-ssh-credential: Credential to use for SSH. (Generally configured
+ in defaults.yaml)
+ :mvn-settings: Maven settings.xml file containing Docker credentials.
+ :snyk-token-credential-id: Snyk API token to communicate with Jenkins.
+ :snyk-org-credential-id: Snyk organization ID.
+
+:Optional parameters:
+
+ :branch: Git branch to fetch for the build. (default: master)
+ :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7)
+ :build-timeout: Timeout in minutes before aborting build. (default: 60)
+ :container-tag-method: Specifies the docker tag-choosing method.
+ Options are "latest", "git-describe" or "yaml-file".
+ Option latest uses the "latest" tag.
+ Option git-describe uses the string returned by git-describe,
+ which requires a tag to exist in the repository.
+ Option yaml-file uses the string from file "container-tag.yaml"
+ in the repository. (default: latest)
+ :container-tag-yaml-dir: Directory with container-tag.yaml. (default: $DOCKER_ROOT)
+ :docker-build-args: Arguments for the docker build command.
+ :docker-get-container-tag-script: Path to script that chooses docker tag.
+ (default: ../shell/docker-get-container-tag.sh in global-jjb)
+ :docker-root: Build directory within the repo. (default: $WORKSPACE, the repo root)
+ :git-url: URL clone project from. (default: $GIT_URL/$PROJECT)
+ :pre_docker_build_script: Build script to execute before the main verify
+ builder steps. (default: "")
+ :post_docker_build_script: Build script to execute after the main verify
+ builder steps. (default: "")
+ :snyk-cli-options: Additional Snyk CLI options. (default: '')
+ :stream: Keyword that represents a release code-name.
+ Often the same as the branch. (default: master)
+ :submodule-recursive: Whether to checkout submodules recursively.
+ (default: true)
+ :submodule-timeout: Timeout (in minutes) for checkout operation.
+ (default: 10)
+
+ :gerrit_snyk_triggers: Override Gerrit Triggers.
diff --git a/jjb/lf-docker-jobs.yaml b/jjb/lf-docker-jobs.yaml
index 411fe33a..7fd937d5 100644
--- a/jjb/lf-docker-jobs.yaml
+++ b/jjb/lf-docker-jobs.yaml
@@ -344,3 +344,162 @@
 white-list-target-branches:
 - "{branch}"
 included-regions: "{obj:github_included_regions}"
+
+##################
+# Docker Snyk CLI #
+##################
+
+- lf_docker_snyk_cli: &lf_docker_snyk_cli
+ name: lf-docker-snyk_cli
+
+ ######################
+ # Default parameters #
+ ######################
+
+ branch: master
+ build-days-to-keep: 30 # 30 days for troubleshooting purposes
+ build-timeout: 60
+ container-tag-method: "latest"
+ container-tag-yaml-dir: ""
+ disable-job: false
+ docker-get-container-tag-script: "../shell/docker-get-container-tag.sh"
+ docker-root: "$WORKSPACE"
+ docker-build-args: ""
+ git-url: "$GIT_URL/$PROJECT"
+ github-url: "https://github.com"
+ pre_docker_build_script: "# pre docker build script goes here"
+ post_docker_build_script: "# post docker build script goes here"
+ snyk-cli-options: ""
+ snyk-token-credential-id: snyk-token
+ snyk-org-credential-id: snyk-org
+ stream: master
+ submodule-recursive: true
+ submodule-timeout: 10
+ submodule-disable: false
+
+ gerrit_snyk_triggers:
+ - comment-added-contains-event:
+ comment-contains-value: '^Patch Set\s+\d+:\s+run-snyk\s*$'
+
+ parameters:
+ - lf-infra-parameters:
+ project: "{project}"
+ branch: "{branch}"
+ stream: "{stream}"
+ - string:
+ name: SNYK_CLI_OPTIONS
+ default: "{snyk-cli-options}"
+ description: Additional Snyk CLI commands and options
+
+ wrappers:
+ - credentials-binding:
+ - text:
+ credential-id: "{snyk-token-credential-id}"
+ variable: SNYK_TOKEN
+ - text:
+ credential-id: "{snyk-org-credential-id}"
+ variable: SNYK_ORG
+
+ #####################
+ # Job Configuration #
+ #####################
+
+ disabled: "{disable-job}"
+
+ builders:
+ - lf-infra-pre-build
+ - lf-infra-docker-login:
+ global-settings-file: "global-settings"
+ settings-file: "{mvn-settings}"
+ - shell: "{pre_docker_build_script}"
+ - lf-docker-get-container-tag:
+ container-tag-method: "{container-tag-method}"
+ container-tag-yaml-dir: "{container-tag-yaml-dir}"
+ docker-root: "{docker-root}"
+ docker-get-container-tag-script: "{docker-get-container-tag-script}"
+ - lf-docker-build:
+ docker-build-args: "{docker-build-args}"
+ docker-name: "{docker-name}"
+ docker-root: "{docker-root}"
+ container-public-registry: "{container-public-registry}"
+ container-push-registry: "{container-push-registry}"
+ - shell: "{post_docker_build_script}"
+ - lf-infra-snyk-cli-scanner
+ - lf-provide-maven-settings-cleanup
+ - shell: 'find . -regex ".*karaf/target" | xargs rm -rf'
+
+- job-template:
+ name: "{project-name}-docker-snyk-cli-{stream}"
+ id: gerrit-docker-snyk-cli
+ <<: *lf_docker_common
+ # yamllint disable-line rule:key-duplicates
+ <<: *lf_docker_snyk_cli
+
+ scm:
+ - lf-infra-gerrit-scm:
+ jenkins-ssh-credential: "{jenkins-ssh-credential}"
+ git-url: "{git-url}"
+ refspec: "$GERRIT_REFSPEC"
+ branch: "$GERRIT_BRANCH"
+ submodule-recursive: "{submodule-recursive}"
+ submodule-timeout: "{submodule-timeout}"
+ submodule-disable: "{submodule-disable}"
+ choosing-strategy: default
+
+ triggers:
+ # Build weekly on Saturdays
+ - timed: "H H * * 6"
+ - gerrit:
+ server-name: "{gerrit-server-name}"
+ trigger-on: "{obj:gerrit_snyk_triggers}"
+ projects:
+ - project-compare-type: ANT
+ project-pattern: "{project}"
+ branches:
+ - branch-compare-type: ANT
+ branch-pattern: "**/{branch}"
+ skip-vote:
+ successful: true
+ failed: true
+ unstable: true
+ notbuilt: true
+
+- job-template:
+ name: "{project-name}-docker-snyk-cli-{stream}"
+ id: github-docker-snyk-cli
+ <<: *lf_docker_common
+ # yamllint disable-line rule:key-duplicates
+ <<: *lf_docker_snyk_cli
+
+ properties:
+ - lf-infra-properties:
+ build-days-to-keep: "{build-days-to-keep}"
+ - github:
+ url: "{github-url}/{github-org}/{project}"
+
+ scm:
+ - lf-infra-github-scm:
+ url: "{git-clone-url}{github-org}/{project}"
+ refspec: ""
+ branch: "refs/heads/{branch}"
+ submodule-recursive: "{submodule-recursive}"
+ submodule-timeout: "{submodule-timeout}"
+ submodule-disable: "{submodule-disable}"
+ choosing-strategy: default
+ jenkins-ssh-credential: "{jenkins-ssh-credential}"
+
+ triggers:
+ # Build weekly on Saturdays
+ - timed: "H H * * 6"
+ - github-pull-request:
+ trigger-phrase: "^run-snyk$"
+ only-trigger-phrase: true
+ status-context: "SNYK scan"
+ permit-all: true
+ github-hooks: true
+ org-list:
+ - "{github-org}"
+ white-list: "{obj:github_pr_allowlist}"
+ admin-list: "{obj:github_pr_admin_list}"
+ white-list-target-branches:
+ - "{branch}"
diff --git a/releasenotes/notes/add-docker-snyk-cli-scanner-7c1e372de3a65376.yaml b/releasenotes/notes/add-docker-snyk-cli-scanner-7c1e372de3a65376.yaml
new file mode 100644
index 00000000..e67a8c8a
--- /dev/null
+++ b/releasenotes/notes/add-docker-snyk-cli-scanner-7c1e372de3a65376.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Introduce Docker Snyk CLI scanner jobs. These jobs can be triggered to download the
+ latest version of Snyk's CLI scanner and trigger a scan for Docker based repos. These
+ jobs produce a report which is published into Snyk's dashboard. These reports are
+ fetched and reflected back into the LFX Security tool.
diff --git a/shell/snyk-cli-scanner-run.sh b/shell/snyk-cli-scanner-run.sh
index 87681233..ed667cfb 100644
--- a/shell/snyk-cli-scanner-run.sh
+++ b/shell/snyk-cli-scanner-run.sh
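Review bot: The anchor's `build-days-to-keep: 30` disagrees with the documentation added in the same commit, which lists the default as 7; one of the two should change, and if 30 is intended the `# 30 days for troubleshooting purposes` rationale belongs in the rst as well. The github-docker-snyk-cli template sets `permit-all: true` on the pull-request trigger while the shared wrappers bind SNYK_TOKEN and SNYK_ORG into the build, so any GitHub account that can comment `run-snyk` on a PR targeting `{branch}` can start a build that carries those credentials and builds the PR's Dockerfile; unless this deliberately mirrors the other github docker templates in this file, `permit-all: false` gated by the existing `white-list`/`admin-list` is the safer default for a job holding API tokens. The gerrit template has no `properties:` block, whereas the github one passes `build-days-to-keep` through `lf-infra-properties`; if `lf_docker_common` (outside this hunk) does not already supply it, the 30-day value is never applied to the gerrit job. `container-push-registry` is passed to `lf-docker-build` but is missing from the documented required parameters, which looks like an omission in the docs rather than in the template.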
@@ -31,5 +31,12 @@ snyk --version
 echo "Authenticate with SNYK_TOKEN..."
 snyk auth "$SNYK_CLI"
 echo "Running Snyk CLI..."
-snyk test --json --severity-threshold=low "$SNYK_CLI_OPTIONS" --org="$SNYK_ORG"
-snyk monitor --severity-threshold=low "$SNYK_CLI_OPTIONS" --org="$SNYK_ORG"
+if [[ "$JOB_NAME" =~ "docker" ]]; then
+ snyk container test "$SNYK_CLI_OPTIONS" \
+ "$CONTAINER_PULL_REGISTRY/$DOCKER_NAME:$DOCKER_IMAGE_TAG" --org="$SNYK_ORG"
+ snyk container monitor "$SNYK_CLI_OPTIONS" \
+ "$CONTAINER_PULL_REGISTRY/$DOCKER_NAME:$DOCKER_IMAGE_TAG" --org="$SNYK_ORG"
+else
+ snyk test --json --severity-threshold=low "$SNYK_CLI_OPTIONS" --org="$SNYK_ORG"
+ snyk monitor --severity-threshold=low "$SNYK_CLI_OPTIONS" --org="$SNYK_ORG"
+fi
--
2.16.6
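Review bot: `"$SNYK_CLI_OPTIONS"` is passed as a single argv word in all four new snyk invocations, so the job's default of `""` reaches snyk as a literal empty argument and a value holding several flags arrives as one unrecognised token; the removed lines had the same shape, but in the new container branch that empty word now sits directly before the image reference, where it is more likely to be misread as a target. Splitting the value once into an array keeps quoting intact and contributes no argument when it is unset, as in the fence below. `[[ "$JOB_NAME" =~ "docker" ]]` quotes the pattern, which makes it a plain substring test; `[[ "$JOB_NAME" == *docker* ]]` states that intent directly. The container branch also drops the `--severity-threshold=low` that the non-container branch keeps, which deserves a one-line comment if it is deliberate. The context line `snyk auth "$SNYK_CLI"` authenticates with a variable that the job's credentials-binding does not export (it binds SNYK_TOKEN); the script head is outside this hunk, so confirm where SNYK_CLI is set before relying on it.
```shell
# Split operator-supplied options into separate words; an unset or empty
# value contributes no argument instead of a literal "" token.
# (Under set -u on bash < 4.4 expand as ${snyk_opts[@]+"${snyk_opts[@]}"}.)
read -r -a snyk_opts <<< "${SNYK_CLI_OPTIONS:-}"
if [[ "$JOB_NAME" == *docker* ]]; then
    snyk container test "${snyk_opts[@]}" \
        "$CONTAINER_PULL_REGISTRY/$DOCKER_NAME:$DOCKER_IMAGE_TAG" --org="$SNYK_ORG"
    snyk container monitor "${snyk_opts[@]}" \
        "$CONTAINER_PULL_REGISTRY/$DOCKER_NAME:$DOCKER_IMAGE_TAG" --org="$SNYK_ORG"
else
    snyk test --json --severity-threshold=low "${snyk_opts[@]}" --org="$SNYK_ORG"
    snyk monitor --severity-threshold=low "${snyk_opts[@]}" --org="$SNYK_ORG"
fi
```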