From 64cc606ac9cca6060d9fba4b96b845debe281683 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 2 Dec 2024 15:53:23 +0100 Subject: [PATCH] sast-coverity-check: generate the oci-ta copy of the task Resolves: https://issues.redhat.com/browse/OSH-750 Closes: https://github.com/konflux-ci/build-definitions/pull/1653 --- .../README.md | 62 +- pipelines/docker-build-oci-ta/README.md | 62 +- pipelines/maven-zip-build-oci-ta/README.md | 44 +- pipelines/maven-zip-build/README.md | 46 +- pipelines/tekton-bundle-builder/README.md | 46 +- .../0.2/MIGRATION.md | 13 + task/sast-coverity-check-oci-ta/0.2/README.md | 48 + .../0.2/recipe.yaml | 13 + .../0.2/sast-coverity-check-oci-ta.yaml | 840 ++++++++++++++++++ 9 files changed, 1099 insertions(+), 75 deletions(-) create mode 100644 task/sast-coverity-check-oci-ta/0.2/MIGRATION.md create mode 100644 task/sast-coverity-check-oci-ta/0.2/README.md create mode 100644 task/sast-coverity-check-oci-ta/0.2/recipe.yaml create mode 100644 task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index 6013da7b55..bd07712097 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -7,18 +7,18 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| -|build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-images:0.3:BUILD_ARGS| -|build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-images:0.3:BUILD_ARGS_FILE| +|build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-images:0.3:BUILD_ARGS ; sast-coverity-check:0.2:BUILD_ARGS| +|build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-images:0.3:BUILD_ARGS_FILE ; sast-coverity-check:0.2:BUILD_ARGS_FILE| |build-image-index| Add built image into an OCI image index| true| build-image-index:0.1:ALWAYS_BUILD_INDEX| |build-platforms| List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller.| ['linux/x86_64']| | |build-source-image| Build a source image.| false| | -|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-images:0.3:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-images:0.3:DOCKERFILE ; sast-coverity-check:0.2:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| -|hermetic| Execute the build with network isolation| false| build-images:0.3:HERMETIC| -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-images:0.3:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| -|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-images:0.3:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| -|path-context| Path to the source code of an application's component from where to build image.| .| build-images:0.3:CONTEXT ; push-dockerfile:0.1:CONTEXT| -|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-images:0.3:PREFETCH_INPUT| +|hermetic| Execute the build with network isolation| false| build-images:0.3:HERMETIC ; sast-coverity-check:0.2:HERMETIC| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-images:0.3:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER ; sast-coverity-check:0.2:IMAGE_EXPIRES_AFTER| +|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-images:0.3:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE ; sast-coverity-check:0.2:IMAGE| +|path-context| Path to the source code of an application's component from where to build image.| .| build-images:0.3:CONTEXT ; sast-coverity-check:0.2:CONTEXT ; push-dockerfile:0.1:CONTEXT| +|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-images:0.3:PREFETCH_INPUT ; sast-coverity-check:0.2:PREFETCH_INPUT| |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| |skip-checks| Skip checks against built image| false| init:0.2:skip-checks| @@ -170,22 +170,44 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | -### sast-coverity-check-oci-ta:0.1 task parameters +### sast-coverity-check-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | +|ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | +|ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | +|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'| +|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'| |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | |COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| +|ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | +|HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'| +|IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|IMAGE_URL| | None| | |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | |KFP_GIT_URL| URL from repository to download known false positives files| | | -|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | -|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|LABELS| Additional key=value labels that should be applied to the image| []| | +|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|PRIVILEGED_NESTED| Whether to enable privileged mode| false| | +|PROJECT_NAME| | | | +|RECORD_EXCLUDED| | false| | +|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| | +|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TARGET_STAGE| Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +|YUM_REPOS_D_FETCHED| Path in source workspace where dynamically-fetched repos are present| fetched.repos.d| | +|YUM_REPOS_D_SRC| Path in the git repository in which yum repository files are stored| repos.d| | +|YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -253,9 +275,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### buildah-remote-oci-ta:0.3 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -296,7 +318,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |CHAINS-GIT_COMMIT| The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | |CHAINS-GIT_URL| The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| -|commit| The precise commit SHA that was fetched by this Task.| build-images:0.3:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-images:0.3:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA ; sast-coverity-check:0.2:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| | @@ -307,8 +329,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-images:0.3:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-images:0.3:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-images:0.3:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.2:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-images:0.3:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.2:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| ### push-dockerfile-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -319,7 +341,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGES_PROCESSED| Images processed in the task.| | |RPMS_DATA| Information about signed and unsigned RPMs| | |TEST_OUTPUT| Tekton task test output.| | -### sast-coverity-check-oci-ta:0.1 task results +### sast-coverity-check-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index 595ce56385..7f481922aa 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -7,17 +7,17 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| -|build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.3:BUILD_ARGS| -|build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.3:BUILD_ARGS_FILE| +|build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.3:BUILD_ARGS ; sast-coverity-check:0.2:BUILD_ARGS| +|build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.3:BUILD_ARGS_FILE ; sast-coverity-check:0.2:BUILD_ARGS_FILE| |build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX| |build-source-image| Build a source image.| false| | -|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.3:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.3:DOCKERFILE ; sast-coverity-check:0.2:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| -|hermetic| Execute the build with network isolation| false| build-container:0.3:HERMETIC| -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-container:0.3:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| -|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-container:0.3:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| -|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.3:CONTEXT ; push-dockerfile:0.1:CONTEXT| -|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-container:0.3:PREFETCH_INPUT| +|hermetic| Execute the build with network isolation| false| build-container:0.3:HERMETIC ; sast-coverity-check:0.2:HERMETIC| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-container:0.3:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER ; sast-coverity-check:0.2:IMAGE_EXPIRES_AFTER| +|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-container:0.3:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE ; sast-coverity-check:0.2:IMAGE| +|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.3:CONTEXT ; sast-coverity-check:0.2:CONTEXT ; push-dockerfile:0.1:CONTEXT| +|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-container:0.3:PREFETCH_INPUT ; sast-coverity-check:0.2:PREFETCH_INPUT| |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| |skip-checks| Skip checks against built image| false| init:0.2:skip-checks| @@ -167,22 +167,44 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | -### sast-coverity-check-oci-ta:0.1 task parameters +### sast-coverity-check-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | +|ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | +|ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | +|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'| +|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'| |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | |COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| +|ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | +|HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'| +|IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|IMAGE_URL| | None| | |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | |KFP_GIT_URL| URL from repository to download known false positives files| | | -|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | -|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|LABELS| Additional key=value labels that should be applied to the image| []| | +|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|PRIVILEGED_NESTED| Whether to enable privileged mode| false| | +|PROJECT_NAME| | | | +|RECORD_EXCLUDED| | false| | +|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| | +|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TARGET_STAGE| Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +|YUM_REPOS_D_FETCHED| Path in source workspace where dynamically-fetched repos are present| fetched.repos.d| | +|YUM_REPOS_D_SRC| Path in the git repository in which yum repository files are stored| repos.d| | +|YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -250,9 +272,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### buildah-oci-ta:0.3 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -293,7 +315,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |CHAINS-GIT_COMMIT| The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | |CHAINS-GIT_URL| The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.3:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.3:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA ; sast-coverity-check:0.2:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| | @@ -304,8 +326,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-container:0.3:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.3:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-container:0.3:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.2:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.3:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.2:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| ### push-dockerfile-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -316,7 +338,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGES_PROCESSED| Images processed in the task.| | |RPMS_DATA| Information about signed and unsigned RPMs| | |TEST_OUTPUT| Tekton task test output.| | -### sast-coverity-check-oci-ta:0.1 task results +### sast-coverity-check-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | diff --git a/pipelines/maven-zip-build-oci-ta/README.md b/pipelines/maven-zip-build-oci-ta/README.md index 6f90806bef..c5bca4a4ec 100644 --- a/pipelines/maven-zip-build-oci-ta/README.md +++ b/pipelines/maven-zip-build-oci-ta/README.md @@ -72,22 +72,44 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |log-level| Set cachi2 log level (debug, info, warning, error)| info| | |ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| |ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).prefetch'| -### sast-coverity-check-oci-ta:0.1 task parameters +### sast-coverity-check-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | +|ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | +|ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | +|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| | +|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | | |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|COMMIT_SHA| The image is built from this commit.| | | +|CONTEXT| Path to the directory to use as context.| .| | |COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | |COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| | +|ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | +|HERMETIC| Determines if build will be executed without network access.| false| | +|IMAGE| Reference of the image buildah will produce.| None| | +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | | +|IMAGE_URL| | None| | |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | |KFP_GIT_URL| URL from repository to download known false positives files| | | -|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | -|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|LABELS| Additional key=value labels that should be applied to the image| []| | +|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | | +|PRIVILEGED_NESTED| Whether to enable privileged mode| false| | +|PROJECT_NAME| | | | +|RECORD_EXCLUDED| | false| | +|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| | +|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TARGET_STAGE| Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +|YUM_REPOS_D_FETCHED| Path in source workspace where dynamically-fetched repos are present| fetched.repos.d| | +|YUM_REPOS_D_SRC| Path in the git repository in which yum repository files are stored| repos.d| | +|YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| ### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -147,9 +169,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### build-maven-zip-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-coverity-check:0.1:image-digest ; sast-shell-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-shell-check:0.1:image-digest| |IMAGE_REF| OCI-Artifact reference of the built OCI-Artifact| | -|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url| +|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### coverity-availability-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -173,9 +195,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-oci-artifact:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT| -### sast-coverity-check-oci-ta:0.1 task results +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-oci-artifact:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.2:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.2:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT| +### sast-coverity-check-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | diff --git a/pipelines/maven-zip-build/README.md b/pipelines/maven-zip-build/README.md index 783e6060cb..7fa592f981 100644 --- a/pipelines/maven-zip-build/README.md +++ b/pipelines/maven-zip-build/README.md @@ -69,20 +69,42 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| | |input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| |log-level| Set cachi2 log level (debug, info, warning, error)| info| | -### sast-coverity-check:0.1 task parameters +### sast-coverity-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | +|ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | +|ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | +|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| | +|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | | +|COMMIT_SHA| The image is built from this commit.| | | +|CONTEXT| Path to the directory to use as context.| .| | |COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | |COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| | +|ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | +|HERMETIC| Determines if build will be executed without network access.| false| | +|IMAGE| Reference of the image buildah will produce.| None| | +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | | |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | |KFP_GIT_URL| URL from repository to download known false positives files| | | -|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | -|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|LABELS| Additional key=value labels that should be applied to the image| []| | +|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | | +|PRIVILEGED_NESTED| Whether to enable privileged mode| false| | +|PROJECT_NAME| | | | +|RECORD_EXCLUDED| | false| | +|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| | +|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | +|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TARGET_STAGE| Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +|YUM_REPOS_D_FETCHED| Path in source workspace where dynamically-fetched repos are present| fetched.repos.d| | +|YUM_REPOS_D_SRC| Path in the git repository in which yum repository files are stored| repos.d| | +|YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +|image-url| | None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| ### sast-shell-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -143,9 +165,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### build-maven-zip:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-coverity-check:0.1:image-digest ; sast-shell-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-shell-check:0.1:image-digest| |IMAGE_REF| OCI-Artifact reference of the built OCI-Artifact| | -|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url| +|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### coverity-availability-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -165,7 +187,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |build| Defines if the image in param image-url should be built| | -### sast-coverity-check:0.1 task results +### sast-coverity-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | @@ -187,7 +209,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.1:workspace ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.2:source ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace| ## Available workspaces from tasks ### build-maven-zip:0.1 task workspaces |name|description|optional|workspace from pipeline @@ -205,10 +227,10 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| |netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc| |source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace| -### sast-coverity-check:0.1 task workspaces +### sast-coverity-check:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| -|workspace| | False| workspace| +|source| Workspace containing the source code to build.| False| workspace| ### sast-shell-check:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index 650bec2fb3..87793d81a7 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md @@ -90,20 +90,42 @@ |image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | -### sast-coverity-check:0.1 task parameters +### sast-coverity-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | +|ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | +|ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | +|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| | +|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | | +|COMMIT_SHA| The image is built from this commit.| | | +|CONTEXT| Path to the directory to use as context.| .| | |COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | |COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| | +|ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | +|HERMETIC| Determines if build will be executed without network access.| false| | +|IMAGE| Reference of the image buildah will produce.| None| | +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | | |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | |KFP_GIT_URL| URL from repository to download known false positives files| | | -|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | -|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|LABELS| Additional key=value labels that should be applied to the image| []| | +|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | | +|PRIVILEGED_NESTED| Whether to enable privileged mode| false| | +|PROJECT_NAME| | | | +|RECORD_EXCLUDED| | false| | +|SKIP_SBOM_GENERATION| Skip SBOM-related operations. This will likely cause EC policies to fail if enabled| false| | +|SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | +|SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TARGET_STAGE| Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +|YUM_REPOS_D_FETCHED| Path in source workspace where dynamically-fetched repos are present| fetched.repos.d| | +|YUM_REPOS_D_SRC| Path in the git repository in which yum repository files are stored| repos.d| | +|YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|image-url| | None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-unicode-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -142,9 +164,9 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| sast-coverity-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| sast-coverity-check:0.2:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -169,7 +191,7 @@ |IMAGES_PROCESSED| Images processed in the task.| | |RPMS_DATA| Information about signed and unsigned RPMs| | |TEST_OUTPUT| Tekton task test output.| | -### sast-coverity-check:0.1 task results +### sast-coverity-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | @@ -189,7 +211,7 @@ |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; sast-coverity-check:0.1:workspace ; sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; sast-coverity-check:0.2:source ; sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline @@ -207,10 +229,10 @@ |name|description|optional|workspace from pipeline |---|---|---|---| |workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| -### sast-coverity-check:0.1 task workspaces +### sast-coverity-check:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| -|workspace| | False| workspace| +|source| Workspace containing the source code to build.| False| workspace| ### sast-unicode-check:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/task/sast-coverity-check-oci-ta/0.2/MIGRATION.md b/task/sast-coverity-check-oci-ta/0.2/MIGRATION.md new file mode 100644 index 0000000000..090232a335 --- /dev/null +++ b/task/sast-coverity-check-oci-ta/0.2/MIGRATION.md @@ -0,0 +1,13 @@ +# Migration from 0.1 to 0.2 + +- The workspace has been renamed to `source` to make the interface compatible + with the `build-container` task. + +- The unused `IMAGE_DIGEST` parameter has been removed. + +- The `sast-coverity-check` task now supports buildful SAST scanning, too. + +## Action from users + +- The workspace for this task in the build pipeline should be renamed to `source`. +- The parameter definition can be removed for this task in the build pipeline. diff --git a/task/sast-coverity-check-oci-ta/0.2/README.md b/task/sast-coverity-check-oci-ta/0.2/README.md new file mode 100644 index 0000000000..c015ff707d --- /dev/null +++ b/task/sast-coverity-check-oci-ta/0.2/README.md @@ -0,0 +1,48 @@ +# sast-coverity-check-oci-ta task + +Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Coverity. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| +|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| +|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| +|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| +|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|COV_ANALYZE_ARGS|Arguments to be appended to the cov-analyze command|--enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096|false| +|COV_LICENSE|Name of secret which contains the Coverity license|cov-license|false| +|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| +|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| +|IMAGE|Reference of the image buildah will produce.||true| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|IMP_FINDINGS_ONLY|Report only important findings. Default is true. To report all findings, specify "false"|true|false| +|KFP_GIT_URL|URL from repository to download known false positives files|""|false| +|LABELS|Additional key=value labels that should be applied to the image|[]|false| +|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|PRIVILEGED_NESTED|Whether to enable privileged mode|false|false| +|PROJECT_NAME||""|false| +|RECORD_EXCLUDED||false|false| +|SKIP_SBOM_GENERATION|Skip SBOM-related operations. This will likely cause EC policies to fail if enabled|false|false| +|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| +|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| +|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| +|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| +|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| +|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|image-url|||true| + +## Results +|name|description| +|---|---| +|TEST_OUTPUT|Tekton task test output.| + diff --git a/task/sast-coverity-check-oci-ta/0.2/recipe.yaml b/task/sast-coverity-check-oci-ta/0.2/recipe.yaml new file mode 100644 index 0000000000..659261dcb3 --- /dev/null +++ b/task/sast-coverity-check-oci-ta/0.2/recipe.yaml @@ -0,0 +1,13 @@ +--- +base: ../../sast-coverity-check/0.2/sast-coverity-check.yaml +removeParams: + - BUILDER_IMAGE +add: + - use-source + - use-cachi2 +removeWorkspaces: + - source +replacements: + workspaces.source.path: /var/workdir +regexReplacements: + "/workspace(/.*)": /var/workdir$1 diff --git a/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml b/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml new file mode 100644 index 0000000000..b50f87793f --- /dev/null +++ b/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml @@ -0,0 +1,840 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: sast-coverity-check-oci-ta + annotations: + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/tags: image-build, konflux + labels: + app.kubernetes.io/version: 0.2.1 + build.appstudio.redhat.com/build_type: docker +spec: + description: Scans source code for security vulnerabilities, including common + issues such as SQL injection, cross-site scripting (XSS), and code injection + attacks using Coverity. + params: + - name: ACTIVATION_KEY + description: Name of secret which contains subscription activation key + type: string + default: activation-key + - name: ADDITIONAL_SECRET + description: Name of a secret which will be made available to the build + with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET + type: string + default: does-not-exist + - name: ADD_CAPABILITIES + description: Comma separated list of extra capabilities to add when + running 'buildah build' + type: string + default: "" + - name: BUILD_ARGS + description: Array of --build-arg values ("arg=value" strings) + type: array + default: [] + - name: BUILD_ARGS_FILE + description: Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file + type: string + default: "" + - name: CACHI2_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the prefetched dependencies. + type: string + default: "" + - name: COMMIT_SHA + description: The image is built from this commit. + type: string + default: "" + - name: CONTEXT + description: Path to the directory to use as context. + type: string + default: . + - name: COV_ANALYZE_ARGS + description: Arguments to be appended to the cov-analyze command + type: string + default: --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096 + - name: COV_LICENSE + description: Name of secret which contains the Coverity license + type: string + default: cov-license + - name: DOCKERFILE + description: Path to the Dockerfile to build. + type: string + default: ./Dockerfile + - name: ENTITLEMENT_SECRET + description: Name of secret which contains the entitlement certificates + type: string + default: etc-pki-entitlement + - name: HERMETIC + description: Determines if build will be executed without network access. + type: string + default: "false" + - name: IMAGE + description: Reference of the image buildah will produce. + type: string + - name: IMAGE_EXPIRES_AFTER + description: Delete image tag after specified time. Empty means to keep + the image tag. Time values could be something like 1h, 2d, 3w for + hours, days, and weeks, respectively. + type: string + default: "" + - name: IMP_FINDINGS_ONLY + description: Report only important findings. Default is true. To report + all findings, specify "false" + type: string + default: "true" + - name: KFP_GIT_URL + description: URL from repository to download known false positives files + type: string + default: "" + - name: LABELS + description: Additional key=value labels that should be applied to the + image + type: array + default: [] + - name: PREFETCH_INPUT + description: In case it is not empty, the prefetched content should + be made available to the build. + type: string + default: "" + - name: PRIVILEGED_NESTED + description: Whether to enable privileged mode + type: string + default: "false" + - name: PROJECT_NAME + type: string + default: "" + - name: RECORD_EXCLUDED + type: string + default: "false" + - name: SKIP_SBOM_GENERATION + description: Skip SBOM-related operations. This will likely cause EC + policies to fail if enabled + type: string + default: "false" + - name: SKIP_UNUSED_STAGES + description: Whether to skip stages in Containerfile that seem unused + by subsequent stages + type: string + default: "true" + - name: SOURCE_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the application source code. + type: string + - name: SQUASH + description: Squash all new and previous layers added as a part of this + build, as per --squash + type: string + default: "false" + - name: STORAGE_DRIVER + description: Storage driver to configure for buildah + type: string + default: vfs + - name: TARGET_STAGE + description: Target stage in Dockerfile to build. If not specified, + the Dockerfile is processed entirely to (and including) its last stage. + type: string + default: "" + - name: TLSVERIFY + description: Verify the TLS on the registry endpoint (for push/pull + to a non-TLS registry) + type: string + default: "true" + - name: YUM_REPOS_D_FETCHED + description: Path in source workspace where dynamically-fetched repos + are present + default: fetched.repos.d + - name: YUM_REPOS_D_SRC + description: Path in the git repository in which yum repository files + are stored + default: repos.d + - name: YUM_REPOS_D_TARGET + description: Target path on the container in which yum repository files + should be made available + default: /etc/yum.repos.d + - name: caTrustConfigMapKey + description: The name of the key in the ConfigMap that contains the + CA bundle data. + type: string + default: ca-bundle.crt + - name: caTrustConfigMapName + description: The name of the ConfigMap to read CA bundle data from. + type: string + default: trusted-ca + - name: image-url + type: string + results: + - name: TEST_OUTPUT + description: Tekton task test output. + volumes: + - name: activation-key + secret: + optional: true + secretName: $(params.ACTIVATION_KEY) + - name: additional-secret + secret: + optional: true + secretName: $(params.ADDITIONAL_SECRET) + - name: cov-license + secret: + optional: false + secretName: $(params.COV_LICENSE) + - name: etc-pki-entitlement + secret: + optional: true + secretName: $(params.ENTITLEMENT_SECRET) + - name: shared + emptyDir: {} + - name: trusted-ca + configMap: + items: + - key: $(params.caTrustConfigMapKey) + path: ca-bundle.crt + name: $(params.caTrustConfigMapName) + optional: true + - name: varlibcontainers + emptyDir: {} + - name: workdir + emptyDir: {} + stepTemplate: + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi + env: + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) + - name: ADDITIONAL_SECRET + value: $(params.ADDITIONAL_SECRET) + - name: ADD_CAPABILITIES + value: $(params.ADD_CAPABILITIES) + - name: BUILDAH_FORMAT + value: oci + - name: BUILD_ARGS_FILE + value: $(params.BUILD_ARGS_FILE) + - name: CONTEXT + value: $(params.CONTEXT) + - name: ENTITLEMENT_SECRET + value: $(params.ENTITLEMENT_SECRET) + - name: HERMETIC + value: $(params.HERMETIC) + - name: IMAGE + value: $(params.IMAGE) + - name: IMAGE_EXPIRES_AFTER + value: $(params.IMAGE_EXPIRES_AFTER) + - name: PRIVILEGED_NESTED + value: $(params.PRIVILEGED_NESTED) + - name: SKIP_SBOM_GENERATION + value: $(params.SKIP_SBOM_GENERATION) + - name: SKIP_UNUSED_STAGES + value: $(params.SKIP_UNUSED_STAGES) + - name: SOURCE_CODE_DIR + value: source + - name: SQUASH + value: $(params.SQUASH) + - name: STORAGE_DRIVER + value: $(params.STORAGE_DRIVER) + - name: TARGET_STAGE + value: $(params.TARGET_STAGE) + - name: TLSVERIFY + value: $(params.TLSVERIFY) + - name: YUM_REPOS_D_FETCHED + value: $(params.YUM_REPOS_D_FETCHED) + - name: YUM_REPOS_D_SRC + value: $(params.YUM_REPOS_D_SRC) + - name: YUM_REPOS_D_TARGET + value: $(params.YUM_REPOS_D_TARGET) + volumeMounts: + - mountPath: /shared + name: shared + - mountPath: /var/workdir + name: workdir + steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + - name: prepare + image: quay.io/redhat-services-prod/sast/coverity:202409.1 + workingDir: /var/workdir + volumeMounts: + - mountPath: /etc/secrets/cov + name: cov-license + readOnly: true + env: + - name: COV_ANALYZE_ARGS + value: $(params.COV_ANALYZE_ARGS) + - name: DOCKERFILE + value: $(params.DOCKERFILE) + script: | + #!/bin/bash + + # FIXME: Dockerfile discovery logic is copied from buildah task + SOURCE_CODE_DIR=source + if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then + dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" + elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then + dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" + elif echo "$DOCKERFILE" | grep -q "^https\?://"; then + echo "Fetch Dockerfile from $DOCKERFILE" + dockerfile_path=$(mktemp --suffix=-Dockerfile) + http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE") + if [ "$http_code" != 200 ]; then + echo "No Dockerfile is fetched. Server responds $http_code" + exit 1 + fi + http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore") + if [ "$http_code" = 200 ]; then + echo "Fetched .dockerignore from $DOCKERFILE.dockerignore" + mv "$dockerfile_path.dockerignore.tmp" "$SOURCE_CODE_DIR/$CONTEXT/.dockerignore" + fi + else + echo "Cannot find Dockerfile $DOCKERFILE" + exit 1 + fi + + # install Coverity license file + install -vm0644 /etc/secrets/cov/cov-license /shared/license.dat + + # pre-create directory for SAST scanning results + install -vm1777 -d /shared/sast-results + + # create a wrapper script to instrument RUN lines + tee /shared/cmd-wrap.sh >&2 <&2 + + # use current directory as project directory by default + proj_dir=\$(pwd) + + # if current directory is "/", fallback to an empty temp directory + [ / = "\$proj_dir" ] && proj_dir=\$(mktemp -d) + + # wrap the RUN command with "coverity capture" and record exit code of the wrapped command + /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" \ + -- /bin/bash -c 'PS4="@\\\${SECONDS}s: \\\${BASH_COMMAND} --> "; set -x; "\$@"; echo \$? >/tmp/idir/build-cmd-ec.txt' \ + - "\$@" + + # always remove Coverity's intermediate directory so that it can be recreated with different ownership + trap 'rm -fr /tmp/idir' EXIT + + # assign a unique file name for scan results + json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)" + + # obtain capture stats to process them later on + /opt/coverity/bin/coverity list --dir=/tmp/idir --project-dir="\$proj_dir" > "\${json_file%.json}-summary.txt" + + # serialize COV_ANALYZE_ARGS declaration into the wrapper script (to avoid shell injection) + $(declare -p COV_ANALYZE_ARGS) + + # use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS + /opt/coverity/bin/cov-analyze --dir=/tmp/idir \$COV_ANALYZE_ARGS + + # export scan results and embed source code context into the scan results + /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \ + | /usr/libexec/csgrep-static --mode=json --embed-context=3 \ + > "\${json_file}" + + # propagate the original exit code of the wrapped command + exit "\$(&2 + + # make the wrapper script executable + chmod -v 0755 /shared/cmd-wrap.sh + + # instrument all RUN lines in Dockerfile to be executed through cmd-wrap.sh + cstrans-df-run --verbose /shared/cmd-wrap.sh <"$dockerfile_path" >/shared/Containerfile + - name: build + image: quay.io/redhat-services-prod/sast/coverity:202409.1 + args: + - --build-args + - $(params.BUILD_ARGS[*]) + - --labels + - $(params.LABELS[*]) + workingDir: /var/workdir + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - mountPath: /entitlement + name: etc-pki-entitlement + - mountPath: /activation-key + name: activation-key + - mountPath: /additional-secret + name: additional-secret + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + env: + - name: COMMIT_SHA + value: $(params.COMMIT_SHA) + - name: DOCKERFILE + value: /shared/Containerfile + - name: ADDITIONAL_VOLUME_MOUNTS + value: |- + /opt:/opt + /shared:/shared + /shared/license.dat:/opt/coverity/bin/license.dat + /usr/libexec/csgrep-static:/usr/libexec/csgrep-static + script: | + #!/bin/bash + set -euo pipefail + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then + dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" + elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then + dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" + elif [ -e "$DOCKERFILE" ]; then + # Instrumented builds (SAST) use this custom dockerffile step as their base + dockerfile_path="$DOCKERFILE" + elif echo "$DOCKERFILE" | grep -q "^https\?://"; then + echo "Fetch Dockerfile from $DOCKERFILE" + dockerfile_path=$(mktemp --suffix=-Dockerfile) + http_code=$(curl -s -S -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE") + if [ "$http_code" != 200 ]; then + echo "No Dockerfile is fetched. Server responds $http_code" + exit 1 + fi + http_code=$(curl -s -S -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore") + if [ "$http_code" = 200 ]; then + echo "Fetched .dockerignore from $DOCKERFILE.dockerignore" + mv "$dockerfile_path.dockerignore.tmp" "$SOURCE_CODE_DIR/$CONTEXT/.dockerignore" + fi + else + echo "Cannot find Dockerfile $DOCKERFILE" + exit 1 + fi + + dockerfile_copy=$(mktemp --tmpdir "$(basename "$dockerfile_path").XXXXXX") + cp "$dockerfile_path" "$dockerfile_copy" + + # Fixing group permission on /var/lib/containers + chown root:root /var/lib/containers + + sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf + + # Setting new namespace to run buildah - 2^32-2 + echo 'root:1:4294967294' | tee -a /etc/subuid >>/etc/subgid + + build_args=() + if [ -n "${BUILD_ARGS_FILE}" ]; then + # Parse BUILD_ARGS_FILE ourselves because dockerfile-json doesn't support it + echo "Parsing ARGs from $BUILD_ARGS_FILE" + mapfile -t build_args < <( + # https://www.mankier.com/1/buildah-build#--build-arg-file + # delete lines that start with # + # delete blank lines + sed -e '/^#/d' -e '/^\s*$/d' "${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}" + ) + fi + + LABELS=() + # Split `args` into two sets of arguments. + while [[ $# -gt 0 ]]; do + case $1 in + --build-args) + shift + # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being + # passed to buildah. In that case, the *last* occurrence takes precedence. This is why + # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE + while [[ $# -gt 0 && $1 != --* ]]; do + build_args+=("$1") + shift + done + ;; + --labels) + shift + while [[ $# -gt 0 && $1 != --* ]]; do + LABELS+=("--label" "$1") + shift + done + ;; + *) + echo "unexpected argument: $1" >&2 + exit 2 + ;; + esac + done + + BUILD_ARG_FLAGS=() + for build_arg in "${build_args[@]}"; do + BUILD_ARG_FLAGS+=("--build-arg=$build_arg") + done + + dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" >/shared/parsed_dockerfile.json + BASE_IMAGES=$( + jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)' /shared/parsed_dockerfile.json + ) + + BUILDAH_ARGS=() + UNSHARE_ARGS=() + + if [ "${HERMETIC}" == "true" ]; then + BUILDAH_ARGS+=("--pull=never") + UNSHARE_ARGS+=("--net") + + for image in $BASE_IMAGES; do + unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull "$image" + done + echo "Build will be executed with network isolation" + fi + + if [ -n "${TARGET_STAGE}" ]; then + BUILDAH_ARGS+=("--target=${TARGET_STAGE}") + fi + + BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") + + if [ "${PRIVILEGED_NESTED}" == "true" ]; then + BUILDAH_ARGS+=("--security-opt=label=disable") + BUILDAH_ARGS+=("--cap-add=all") + BUILDAH_ARGS+=("--device=/dev/fuse") + fi + + if [ -n "${ADD_CAPABILITIES}" ]; then + BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") + fi + + if [ "${SQUASH}" == "true" ]; then + BUILDAH_ARGS+=("--squash") + fi + + if [ "${SKIP_UNUSED_STAGES}" != "true" ]; then + BUILDAH_ARGS+=("--skip-unused-stages=false") + fi + + VOLUME_MOUNTS=() + + if [ -f "/var/workdir/cachi2/cachi2.env" ]; then + cp -r "/var/workdir/cachi2" /tmp/ + chmod -R go+rwX /tmp/cachi2 + VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2) + # Read in the whole file (https://unix.stackexchange.com/questions/533277), then + # for each RUN ... line insert the cachi2.env command *after* any options like --mount + sed -E -i \ + -e 'H;1h;$!d;x' \ + -e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n @igM' \ + "$dockerfile_copy" + echo "Prefetched content will be made available" + + prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo" + if [ -f "$prefetched_repo_for_my_arch" ]; then + echo "Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED" + mkdir -p "$YUM_REPOS_D_FETCHED" + cp --no-clobber "$prefetched_repo_for_my_arch" "$YUM_REPOS_D_FETCHED" + fi + fi + + # if yum repofiles stored in git, copy them to mount point outside the source dir + if [ -d "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}" ]; then + mkdir -p "${YUM_REPOS_D_FETCHED}" + cp -r "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}"/* "${YUM_REPOS_D_FETCHED}" + fi + + # if anything in the repofiles mount point (either fetched or from git), mount it + if [ -d "${YUM_REPOS_D_FETCHED}" ]; then + chmod -R go+rwX "${YUM_REPOS_D_FETCHED}" + mount_point=$(realpath "${YUM_REPOS_D_FETCHED}") + VOLUME_MOUNTS+=(--volume "${mount_point}:${YUM_REPOS_D_TARGET}") + fi + + DEFAULT_LABELS=( + "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" + "--label" "architecture=$(uname -m)" + "--label" "vcs-type=git" + ) + [ -n "$COMMIT_SHA" ] && DEFAULT_LABELS+=("--label" "vcs-ref=$COMMIT_SHA") + [ -n "$IMAGE_EXPIRES_AFTER" ] && DEFAULT_LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") + + # Concatenate defaults and explicit labels. If a label appears twice, the last one wins. + LABELS=("${DEFAULT_LABELS[@]}" "${LABELS[@]}") + + ACTIVATION_KEY_PATH="/activation-key" + ENTITLEMENT_PATH="/entitlement" + + # 0. if hermetic=true, skip all subscription related stuff + # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. + # 2. Activation-keys will be used when the key 'org' exists in the activation key secret. + # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles. + # 3. If the Dockerfile contains the string "subcription-manager register", add the activation-keys volume + # to buildah but don't pre-register for backwards compatibility. Mount an empty directory on + # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included + + if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + mkdir -p /shared/rhsm/etc/pki/entitlement + mkdir -p /shared/rhsm/etc/pki/consumer + + VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key + -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z + -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z) + echo "Adding activation key to the build" + + if ! grep -E "^[^#]*subscription-manager.[^#]*register" "$dockerfile_path"; then + # user is not running registration in the Containerfile: pre-register. + echo "Pre-registering with subscription manager." + subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)" + trap 'subscription-manager unregister || true' EXIT + + # copy generated certificates to /shared volume + cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement + cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer + + # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca + VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z) + fi + + elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >>null; then + cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement + VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement) + echo "Adding the entitlement to the build" + fi + + if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then + # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build. + # Instrumented builds (SAST) use this step as their base and add some other tools. + while read -r volume_mount; do + VOLUME_MOUNTS+=("--volume=$volume_mount") + done <<<"$ADDITIONAL_VOLUME_MOUNTS" + fi + + ADDITIONAL_SECRET_PATH="/additional-secret" + ADDITIONAL_SECRET_TMP="/tmp/additional-secret" + if [ -d "$ADDITIONAL_SECRET_PATH" ]; then + cp -r --preserve=mode -L "$ADDITIONAL_SECRET_PATH" $ADDITIONAL_SECRET_TMP + while read -r filename; do + echo "Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}" + BUILDAH_ARGS+=("--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}") + done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;) + fi + + # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not. + declare IMAGE + + buildah_cmd_array=( + buildah build + "${VOLUME_MOUNTS[@]}" + "${BUILDAH_ARGS[@]}" + "${LABELS[@]}" + --tls-verify="$TLSVERIFY" --no-cache + --ulimit nofile=4096:4096 + -f "$dockerfile_copy" -t "$IMAGE" . + ) + buildah_cmd=$(printf "%q " "${buildah_cmd_array[@]}") + + if [ "${HERMETIC}" == "true" ]; then + # enabling loopback adapter enables Bazel builds to work in hermetic mode. + command="ip link set lo up && $buildah_cmd" + else + command="$buildah_cmd" + fi + + # disable host subcription manager integration + find /usr/share/rhel/secrets -type l -exec unlink {} \; + + unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" + + container=$(buildah from --pull-never "$IMAGE") + + # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later + if [ -f "/tmp/cachi2/output/bom.json" ]; then + echo "Making copy of sbom-cachi2.json" + cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json + fi + + buildah mount "$container" | tee /shared/container_path + # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners + find $(cat /shared/container_path) -xtype l -delete + echo $container >/shared/container_name + + touch /shared/base_images_digests + echo "Recording base image digests used" + for image in $BASE_IMAGES; do + base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image") + # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens + # if buildah did not use that particular image during build because it was skipped + if [ -n "$base_image_digest" ]; then + echo "$image $base_image_digest" | tee -a /shared/base_images_digests + fi + done + computeResources: + limits: + cpu: "16" + memory: 16Gi + requests: + cpu: "4" + memory: 4Gi + securityContext: + capabilities: + add: + - SETFCAP + - name: postprocess + image: quay.io/redhat-services-prod/sast/coverity:202409.1 + workingDir: /var/workdir + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: COV_ANALYZE_ARGS + value: $(params.COV_ANALYZE_ARGS) + - name: KFP_GIT_URL + value: $(params.KFP_GIT_URL) + - name: IMP_FINDINGS_ONLY + value: $(params.IMP_FINDINGS_ONLY) + - name: PROJECT_NAME + value: $(params.PROJECT_NAME) + - name: RECORD_EXCLUDED + value: $(params.RECORD_EXCLUDED) + - name: COMPONENT_LABEL + valueFrom: + fieldRef: + fieldPath: metadata.labels['appstudio.openshift.io/component'] + script: | + #!/bin/bash -e + # shellcheck source=/dev/null + set -o pipefail + + . /usr/local/share/konflux-test/utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + [ -n "${PROJECT_NAME}" ] || PROJECT_NAME="${COMPONENT_LABEL}" + echo "The PROJECT_NAME used is: ${PROJECT_NAME}" + + # Installation of Red Hat certificates for cloning Red Hat internal repositories + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + if [ -z "$(ls /shared/sast-results/)" ]; then ( + set +e + set -x + + # fallback to buildless scan if we have no scan results from buildful + # shellcheck disable=SC2086 + env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "/var/workdir" + + /opt/coverity/bin/coverity list --dir=/tmp/idir >"/shared/sast-results/coverity-buildless-summary.txt" + + # install Coverity license file + install -vm0644 /{shared,opt/coverity/bin}/license.dat + + # shellcheck disable=SC2086 + /opt/coverity/bin/cov-analyze $COV_ANALYZE_ARGS --dir=/tmp/idir + + # export scan results + /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout | + csgrep --mode=json --embed-context=3 \ + >/shared/sast-results/coverity-buildless.json + ); fi + + # collect capture stats (FIXME: this doe not take findings deduplication into account) + set +e + for file in /shared/sast-results/*-summary.txt; do + ((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0))) + ((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0))) + ((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0))) + ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0))) + done + + # calculate the total number of files + ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED)) + + # calculate the ratio of successful files to total files + ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES))) + set -e + + # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments + IMP_LEVEL=1 + if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then + IMP_LEVEL=0 + fi + + # collect scan results + (set -x && csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \ + --set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \ + --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \ + --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \ + --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}") | + tee coverity-results-raw.json | + csgrep --mode=evtstat + + # We check if the KFP_GIT_URL variable is set to apply the filters or not + if [[ -z "${KFP_GIT_URL}" ]]; then + echo "KFP_GIT_URL variable not defined. False positives won't be filtered" + mv coverity-results{-raw,}.json + else + echo "Filtering false positives in results files using csfilter-kfp..." + CMD=( + csfilter-kfp + --verbose + --kfp-git-url="${KFP_GIT_URL}" + --project-nvr="${PROJECT_NAME}" + ) + + if [ "${RECORD_EXCLUDED}" == "true" ]; then + CMD+=(--record-excluded="excluded-findings.json") + fi + + "${CMD[@]}" coverity-results-raw.json | + tee coverity-results.json | + csgrep --mode=evtstat + fi + + # convert the scan results into SARIF + csgrep --mode=sarif coverity-results.json >"/var/workdir/coverity-results.sarif" + + if [[ -z "$(csgrep --mode=stat coverity-results.json)" ]]; then + note="Task $(context.task.name) success: No finding was detected" + ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note") + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + else + TEST_OUTPUT= + parse_test_output "$(context.task.name)" sarif "/var/workdir/coverity-results.sarif" || true + note="Task $(context.task.name) failed: For details, check Tekton task log." + echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + fi + + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)" + + # upload scan results + echo "Selecting auth for upload of scan results" + select-oci-auth "${IMAGE_URL}" >"${HOME}/auth.json" + + upload_file() ( + set -x + UPLOAD_FILE="$1" + MEDIA_TYPE="$2" + oras attach --no-tty --registry-config "${HOME}/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + ) + + echo "Attaching scan results to ${IMAGE_URL}" + upload_file "coverity-results.sarif" "application/sarif+json" + + # upload excluded-findings.json if enabled + if [ -f "excluded-findings.json" ]; then + upload_file "excluded-findings.json" "application/json" + fi + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "2" + memory: 2Gi