From 5e13bf7692cd9efcf5d96ebc7f2f061742933439 Mon Sep 17 00:00:00 2001
From: Yunchu Lee
Date: Mon, 29 Apr 2024 14:33:30 +0900
Subject: [PATCH 1/6] update trivy worflow
---
 .ci/{trivy.yaml => trivy-csv.yaml} | 5 +++++
 .ci/trivy-json.yaml | 6 ++++++
 .github/workflows/code_scan.yml | 20 ++++++++++++++------
 3 files changed, 25 insertions(+), 6 deletions(-)
 rename .ci/{trivy.yaml => trivy-csv.yaml} (66%)
 create mode 100644 .ci/trivy-json.yaml
diff --git a/.ci/trivy.yaml b/.ci/trivy-csv.yaml
similarity index 66%
rename from .ci/trivy.yaml
rename to .ci/trivy-csv.yaml
index 0b20468b5b5..4049a5d7adc 100644
--- a/.ci/trivy.yaml
+++ b/.ci/trivy-csv.yaml
@@ -9,3 +9,8 @@ scan:
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 vulnerability:
 ignore-unfixed: false
+format: template
+template: "@.ci/csv.tmpl"
+output: trivy-results.csv
+list-all-pkgs: true
+debug: true
diff --git a/.ci/trivy-json.yaml b/.ci/trivy-json.yaml
new file mode 100644
index 00000000000..79811807509
--- /dev/null
+++ b/.ci/trivy-json.yaml
@@ -0,0 +1,6 @@
+ignore-policy: ""
+ignorefile: .trivyignore
+format: spdx-json
+output: trivy-results.spdx.json
+list-all-pkgs: true
+debug: true
diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml
index b1877a5dd1a..2bcb08089de 100644
--- a/.github/workflows/code_scan.yml
+++ b/.github/workflows/code_scan.yml
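Review bot: `debug: true` is committed into `.ci/trivy-csv.yaml` and, in the next hunk, into the new `.ci/trivy-json.yaml`, so every CI run emits Trivy's debug log; if that was only needed while bringing the workflow up, drop the key from both files (or set `debug: false`) and enable it per run from the workflow when troubleshooting. `template: "@.ci/csv.tmpl"` points at a file this commit does not add, so the CSV step presumably relies on a template already in the repository — worth confirming it exists, since the report's columns, including what is written for a secret finding, are decided there rather than in this config.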
@@ -26,12 +26,20 @@ jobs:
 - name: Install dependencies
 run: |
 pip install --require-hashes --no-deps -r requirements/gh-actions.txt
- pip-compile --generate-hashes -o /tmp/otx-dev-requirements.txt requirements/dev.txt
- pip install --require-hashes --no-deps -r /tmp/otx-dev-requirements.txt
- - name: Trivy Scanning
- env:
- TRIVY_DOWNLOAD_URL: ${{ vars.TRIVY_DOWNLOAD_URL }}
- run: tox -vv -e trivy-scan
+ pip-compile --extra=full -o requirements.txt setup.py
+ - name: Trivy Scanning (CSV)
+ uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
+ with:
+ trivy-config: ".ci/trivy-csv.yaml"
+ scan-type: "fs"
+ scan-ref: .
+ scanners: vuln,secret
+ - name: Trivy Scanning (spdx.json)
+ uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
+ with:
+ trivy-config: ".ci/trivy-json.yaml"
+ scan-type: "fs"
+ scan-ref: .
 - name: Upload Trivy results artifact
 uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
From 49f4d4547d75c479786fce262e5a6d97410dafed Mon Sep 17 00:00:00 2001
From: Yunchu Lee
Date: Mon, 29 Apr 2024 14:41:01 +0900
Subject: [PATCH 2/6] update
---
 .github/workflows/code_scan.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml
index 2bcb08089de..d0de72f9b17 100644
--- a/.github/workflows/code_scan.yml
+++ b/.github/workflows/code_scan.yml
@@ -15,7 +15,7 @@ permissions: read-all
 jobs:
 Trivy-scan:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
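Review bot: Neither Trivy step sets `exit-code`, and the visible part of `.ci/trivy-csv.yaml` does not either, so vulnerability or secret findings never fail the job and the scan is informational only — unless the unseen first lines of that config set it. If findings are meant to gate the build, add `exit-code: "1"` under the CSV step's `with:`, or `exit-code: 1` in the config. The CSV step runs `scanners: vuln,secret` over the whole checkout and its report is published by the `Upload Trivy results artifact` step that follows, so any matched secret ends up in a downloadable artifact; confirm what `.ci/csv.tmpl` writes for a secret finding before treating that artifact as shareable. The `steps:` sequence this hunk edits starts outside the hunk.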
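Review bot: `runs-on: ubuntu-latest` is a floating label whose image changes over time, which sits oddly in a workflow that pins every action to a commit SHA; a pinned image such as `runs-on: ubuntu-22.04` keeps the scanning environment reproducible across runs. The same substitution is made for the Bandit job in the following hunk.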
@@ -44,12 +44,9 @@ jobs:
 uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: trivy-results
- path: |
- .tox/trivy-spdx-otx.json
- .tox/trivy-results-otx.txt
- .tox/trivy-results-otx.csv
+ path: trivy-results*
 Bandit:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
From b678302b851b9f68a80ae78eca757722a9dc3e09 Mon Sep 17 00:00:00 2001
From: Yunchu Lee
Date: Tue, 30 Apr 2024 10:12:54 +0900
Subject: [PATCH 3/6] generate requirements.txt to tmp path to isolate product deps only
---
 .github/workflows/code_scan.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml
index d0de72f9b17..2e93d012d22 100644
--- a/.github/workflows/code_scan.yml
+++ b/.github/workflows/code_scan.yml
@@ -26,20 +26,20 @@ jobs:
 - name: Install dependencies
 run: |
 pip install --require-hashes --no-deps -r requirements/gh-actions.txt
- pip-compile --extra=full -o requirements.txt setup.py
+ pip-compile --extra=full -o /tmp/${{ github.sha }}/requirements.txt setup.py
 - name: Trivy Scanning (CSV)
 uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
 with:
 trivy-config: ".ci/trivy-csv.yaml"
 scan-type: "fs"
- scan-ref: .
+ scan-ref: /tmp/${{ github.sha }}/
 scanners: vuln,secret
 - name: Trivy Scanning (spdx.json)
 uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
 with:
 trivy-config: ".ci/trivy-json.yaml"
 scan-type: "fs"
- scan-ref: .
+ scan-ref: /tmp/${{ github.sha }}/
 - name: Upload Trivy results artifact
 uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
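Review bot: With `path: trivy-results*` the upload step succeeds even when no report was produced, because `actions/upload-artifact` only warns on an empty match by default; add `if-no-files-found: error` under `with:` so a Trivy step that wrote nothing fails the job instead of publishing an empty artifact. The glob is resolved against the workspace, which is where the `output:` values in the two Trivy configs (`trivy-results.csv`, `trivy-results.spdx.json`) land as long as the scan steps run from the checkout root.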
@@ -57,8 +57,8 @@ jobs:
 - name: Install dependencies
 run: |
 pip install --require-hashes --no-deps -r requirements/gh-actions.txt
- pip-compile --generate-hashes -o /tmp/otx-dev-requirements.txt requirements/dev.txt
- pip install --require-hashes --no-deps -r /tmp/otx-dev-requirements.txt
+ pip-compile --generate-hashes -o /tmp/${{ github.sha }}/requirements.txt requirements/dev.txt
+ pip install --require-hashes --no-deps -r /tmp/${{ github.sha }}/requirements.txt
 rm /tmp/otx-dev-requirements.txt
 - name: Bandit Scanning
 run: tox -e bandit-scan
From 905794edf7c0796c83b946c6557fe8a9f33c20a3 Mon Sep 17 00:00:00 2001
From: Yunchu Lee
Date: Tue, 30 Apr 2024 10:45:00 +0900
Subject: [PATCH 4/6] update to use runner.temp path
---
 .github/workflows/code_scan.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml
index 2e93d012d22..d013bd934d6 100644
--- a/.github/workflows/code_scan.yml
+++ b/.github/workflows/code_scan.yml
@@ -26,20 +26,20 @@ jobs:
 - name: Install dependencies
 run: |
 pip install --require-hashes --no-deps -r requirements/gh-actions.txt
- pip-compile --extra=full -o /tmp/${{ github.sha }}/requirements.txt setup.py
+ pip-compile --extra=full -o ${{ runner.temp }}/requirements.txt setup.py
 - name: Trivy Scanning (CSV)
 uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
 with:
 trivy-config: ".ci/trivy-csv.yaml"
 scan-type: "fs"
- scan-ref: /tmp/${{ github.sha }}/
+ scan-ref: ${{ runner.temp }}
 scanners: vuln,secret
 - name: Trivy Scanning (spdx.json)
 uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
 with:
 trivy-config: ".ci/trivy-json.yaml"
 scan-type: "fs"
- scan-ref: /tmp/${{ github.sha }}/
+ scan-ref: ${{ runner.temp }}
 - name: Upload Trivy results artifact
 uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
@@ -57,9 +57,8 @@ jobs:
 - name: Install dependencies
 run: |
 pip install --require-hashes --no-deps -r requirements/gh-actions.txt
- pip-compile --generate-hashes -o /tmp/${{ github.sha }}/requirements.txt requirements/dev.txt
- pip install --require-hashes --no-deps -r /tmp/${{ github.sha }}/requirements.txt
- rm /tmp/otx-dev-requirements.txt
+ pip-compile --generate-hashes -o ${{ runner.temp }}/requirements.txt requirements/dev.txt
+ pip install --require-hashes --no-deps -r ${{ runner.temp }}/requirements.txt
 - name: Bandit Scanning
 run: tox -e bandit-scan
 - name: Upload Bandit artifact
From 8ff982f77de4adf24a7716cf780f36dcc0930451 Mon Sep 17 00:00:00 2001
From: Yunchu Lee
Date: Tue, 30 Apr 2024 12:51:45 +0900
Subject: [PATCH 5/6] change requirements.txt output path for trivy
---
 .github/workflows/code_scan.yml | 6 +++---
 tox.ini | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml
index d013bd934d6..f75e17c826c 100644
--- a/.github/workflows/code_scan.yml
+++ b/.github/workflows/code_scan.yml
@@ -26,20 +26,20 @@ jobs:
 - name: Install dependencies
 run: |
 pip install --require-hashes --no-deps -r requirements/gh-actions.txt
- pip-compile --extra=full -o ${{ runner.temp }}/requirements.txt setup.py
+ pip-compile --extra=full -o requirements.txt setup.py
 - name: Trivy Scanning (CSV)
 uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
 with:
 trivy-config: ".ci/trivy-csv.yaml"
 scan-type: "fs"
- scan-ref: ${{ runner.temp }}
+ scan-ref: .
 scanners: vuln,secret
 - name: Trivy Scanning (spdx.json)
 uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
 with:
 trivy-config: ".ci/trivy-json.yaml"
 scan-type: "fs"
- scan-ref: ${{ runner.temp }}
+ scan-ref: .
 - name: Upload Trivy results artifact
 uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
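Review bot: The Bandit job's install still compiles `requirements/dev.txt` with `--generate-hashes` and immediately installs with `--require-hashes` from that freshly written file, so the hash check only confirms that the download matches what was resolved seconds earlier; it does not pin the dev toolchain between runs, and a new upstream release silently changes what gets installed and scanned. A committed, hash-pinned lock file, as is already done for `requirements/gh-actions.txt` on the line above, would make the scanner's environment reproducible. This pattern predates the series; the hunk only moves the output to `${{ runner.temp }}`.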
diff --git a/tox.ini b/tox.ini
index ea8bd6df02d..b65fa7380bb 100644
--- a/tox.ini
+++ b/tox.ini
@@ -165,4 +165,4 @@ deps =
 allowlist_externals =
 bandit
 commands =
- - bandit -r -c .ci/ipas_default.config {toxinidir}/ -f txt -o {toxworkdir}/bandit-report.txt
+ bandit -r -c .ci/ipas_default.config {toxinidir}/ -f txt -o {toxworkdir}/bandit-report.txt
From fecea9240396d16fdae969ebe4ab092564549881 Mon Sep 17 00:00:00 2001
From: Yunchu Lee
Date: Tue, 30 Apr 2024 13:20:51 +0900
Subject: [PATCH 6/6] update bandit config to exclude tools folder
---
 .ci/ipas_default.config | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.ci/ipas_default.config b/.ci/ipas_default.config
index bdb8fefbebc..5473aef44fe 100644
--- a/.ci/ipas_default.config
+++ b/.ci/ipas_default.config
@@ -97,6 +97,11 @@ exclude_dirs: [
 '.vscode/',
 '.git/',
 'build/',
+ 'tools/',
+]
+
+targets: [
+ 'src',
 ]
 ### (optional) plugin settings - some test plugins require configuration data
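Review bot: Adding `targets: [ 'src' ]` to `.ci/ipas_default.config` may not narrow the scan at all, because the tox command in the preceding hunk still passes `{toxinidir}/` on the command line, and whether bandit honours a `targets` key from a `-c` YAML config when a path is given explicitly is worth verifying before relying on it. If the intent is to scan only `src`, make it explicit in tox.ini with `bandit -r -c .ci/ipas_default.config {toxinidir}/src -f txt -o {toxworkdir}/bandit-report.txt` and keep `exclude_dirs` for paths under it. Excluding `tools/` removes those scripts from SAST coverage entirely, so a short comment next to the entry stating why they are out of scope would keep the exclusion from being inherited silently.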