update to the latest release of the coverity image

konflux-ci · Dec 12, 2024 · 900aa21 · 900aa21
1 parent 9e8ff7e
commit 900aa21
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 21 deletions.
diff --git a/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml b/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml
@@ -241,7 +241,7 @@ spec:
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
     - name: prepare
-      image: quay.io/redhat-user-workloads/sast-tenant/sast-scanner/coverity@sha256:4c17d06f245d124bed3f8f50085144d5237fd09e9c72897fde84a694780c65de
+      image: quay.io/redhat-services-prod/sast/coverity:202409.1
       workingDir: /var/workdir
       volumeMounts:
         - mountPath: /etc/secrets/cov
@@ -312,7 +312,7 @@ spec:
         # instrument all RUN lines in Dockerfile to be executed through cmd-wrap.sh
         cstrans-df-run --verbose /shared/cmd-wrap.sh <"$dockerfile_path" >/shared/Containerfile
     - name: build
-      image: quay.io/redhat-user-workloads/sast-tenant/sast-scanner/coverity@sha256:4c17d06f245d124bed3f8f50085144d5237fd09e9c72897fde84a694780c65de
+      image: quay.io/redhat-services-prod/sast/coverity:202409.1
       args:
         - --build-args
         - $(params.BUILD_ARGS[*])
@@ -439,9 +439,9 @@ spec:
           BUILD_ARG_FLAGS+=("--build-arg=$build_arg")
         done
 
+        dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" >/shared/parsed_dockerfile.json
         BASE_IMAGES=$(
-          dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" |
-            jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)'
+          jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)' /shared/parsed_dockerfile.json
         )
 
         BUILDAH_ARGS=()
@@ -621,11 +621,13 @@ spec:
 
         touch /shared/base_images_digests
         for image in $BASE_IMAGES; do
-          buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >>/shared/base_images_digests
+          base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
+          # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens
+          # if buildah did not use that particular image during build because it was skipped
+          if [ -n "$base_image_digest" ]; then
+            echo "$image $base_image_digest" >>/shared/base_images_digests
+          fi
         done
-
-        # Needed to generate base images SBOM
-        echo "$BASE_IMAGES" >/shared/base_images_from_dockerfile
       computeResources:
         limits:
           cpu: "16"
@@ -638,7 +640,7 @@ spec:
           add:
             - SETFCAP
     - name: postprocess
-      image: quay.io/redhat-user-workloads/sast-tenant/sast-scanner/coverity@sha256:4c17d06f245d124bed3f8f50085144d5237fd09e9c72897fde84a694780c65de
+      image: quay.io/redhat-services-prod/sast/coverity:202409.1
       workingDir: /var/workdir
       volumeMounts:
         - mountPath: /mnt/trusted-ca

diff --git a/task/sast-coverity-check/0.2/patch.yaml b/task/sast-coverity-check/0.2/patch.yaml
@@ -38,7 +38,7 @@
 - op: replace
   path: /spec/steps/0/image
   # New image shoould be based on quay.io/konflux-ci/buildah-task:latest or have all the tooling that the original image has.
-  value: quay.io/redhat-user-workloads/sast-tenant/sast-scanner/coverity@sha256:4c17d06f245d124bed3f8f50085144d5237fd09e9c72897fde84a694780c65de
+  value: quay.io/redhat-services-prod/sast/coverity:202409.1
 
 # Change build step resources
 - op: replace
@@ -125,7 +125,7 @@
   path: /spec/steps/0
   value:
     name: prepare
-    image: quay.io/redhat-user-workloads/sast-tenant/sast-scanner/coverity@sha256:4c17d06f245d124bed3f8f50085144d5237fd09e9c72897fde84a694780c65de
+    image: quay.io/redhat-services-prod/sast/coverity:202409.1
     workingDir: $(workspaces.source.path)
     env:
       - name: DOCKERFILE
@@ -206,7 +206,7 @@
   path: /spec/steps/2
   value:
     name: postprocess
-    image: quay.io/redhat-user-workloads/sast-tenant/sast-scanner/coverity@sha256:4c17d06f245d124bed3f8f50085144d5237fd09e9c72897fde84a694780c65de
+    image: quay.io/redhat-services-prod/sast/coverity:202409.1
     computeResources:
       limits:
         memory: 4Gi

diff --git a/task/sast-coverity-check/0.2/sast-coverity-check.yaml b/task/sast-coverity-check/0.2/sast-coverity-check.yaml
@@ -192,7 +192,7 @@ spec:
   - env:
     - name: DOCKERFILE
       value: $(params.DOCKERFILE)
-    image: quay.io/redhat-user-workloads/sast-tenant/sast-scanner/coverity@sha256:4c17d06f245d124bed3f8f50085144d5237fd09e9c72897fde84a694780c65de
+    image: quay.io/redhat-services-prod/sast/coverity:202409.1
     name: prepare
     script: |
       #!/bin/bash -x
@@ -283,7 +283,7 @@ spec:
         /shared:/shared
         /shared/license.dat:/opt/coverity/bin/license.dat
         /usr/libexec/csgrep-static:/usr/libexec/csgrep-static
-    image: quay.io/redhat-user-workloads/sast-tenant/sast-scanner/coverity@sha256:4c17d06f245d124bed3f8f50085144d5237fd09e9c72897fde84a694780c65de
+    image: quay.io/redhat-services-prod/sast/coverity:202409.1
     name: build
     script: |
       #!/bin/bash
@@ -376,9 +376,10 @@ spec:
         BUILD_ARG_FLAGS+=("--build-arg=$build_arg")
       done
 
+
+      dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" > /shared/parsed_dockerfile.json
       BASE_IMAGES=$(
-        dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" |
-          jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)'
+          jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)' /shared/parsed_dockerfile.json
       )
 
       BUILDAH_ARGS=()
@@ -560,11 +561,13 @@ spec:
 
       touch /shared/base_images_digests
       for image in $BASE_IMAGES; do
-        buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >> /shared/base_images_digests
+        base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
+        # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens
+        # if buildah did not use that particular image during build because it was skipped
+        if [ -n "$base_image_digest" ]; then
+          echo "$image $base_image_digest" >> /shared/base_images_digests
+        fi
       done
-
-      # Needed to generate base images SBOM
-      echo "$BASE_IMAGES" > /shared/base_images_from_dockerfile
     securityContext:
       capabilities:
         add:
@@ -606,7 +609,7 @@ spec:
       valueFrom:
         fieldRef:
           fieldPath: metadata.labels['appstudio.openshift.io/component']
-    image: quay.io/redhat-user-workloads/sast-tenant/sast-scanner/coverity@sha256:4c17d06f245d124bed3f8f50085144d5237fd09e9c72897fde84a694780c65de
+    image: quay.io/redhat-services-prod/sast/coverity:202409.1
     name: postprocess
     script: |
       #!/bin/bash -ex