Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scan images using trivy #289

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Scan images using trivy #289

wants to merge 1 commit into from

Conversation

dirkmueller
Copy link
Member

No description provided.

dcermak
dcermak reviewed Aug 15, 2023
View reviewed changes
tests/test_all.py Outdated Show resolved Hide resolved
@dcermak dcermak mentioned this pull request Aug 15, 2023
Merged
@grisu48
Copy link
Contributor

grisu48 commented Aug 16, 2023

I just checked this locally with the go container (and podman) and trivy doesn't seem to be executed:

$ export CONTAINER_RUNTIME=podman
$ tox -e go -- -n auto
...
tests/test_go.py::test_build_kured[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-kured] 
tests/test_go.py::test_go_version[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
tests/test_go.py::test_base_PATH_present[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-bci/bci-base:15.5 from registry.opensuse.org/devel/bci/sle-15-sp5/images/bci/bci-base:15.5] 
tests/test_go.py::test_go_size[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
tests/test_go.py::test_go_version[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
tests/test_go.py::test_base_PATH_present[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-bci/bci-base:15.5 from registry.opensuse.org/devel/bci/sle-15-sp5/images/bci/bci-base:15.5] 
tests/test_go.py::test_go_size[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
tests/test_go.py::test_rancher_build[local-rancher-bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
[gw6] [  7%] SKIPPED tests/test_go.py::test_rancher_build[local-rancher-bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
[gw0] [ 14%] PASSED tests/test_go.py::test_go_size[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
tests/test_go.py::test_build_kured[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-kured] 
[gw4] [ 21%] PASSED tests/test_go.py::test_go_size[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
tests/test_go.py::test_build_generics_cache[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-container_git_clone0] 
[gw5] [ 28%] PASSED tests/test_go.py::test_go_version[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
tests/test_go.py::test_rancher_build[local-rancher-bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
[gw5] [ 35%] SKIPPED tests/test_go.py::test_rancher_build[local-rancher-bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
[gw3] [ 42%] PASSED tests/test_go.py::test_base_PATH_present[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-bci/bci-base:15.5 from registry.opensuse.org/devel/bci/sle-15-sp5/images/bci/bci-base:15.5]
tests/test_go.py::test_build_generics_cache[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-container_git_clone0] 
[gw2] [ 50%] PASSED tests/test_go.py::test_base_PATH_present[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-bci/bci-base:15.5 from registry.opensuse.org/devel/bci/sle-15-sp5/images/bci/bci-base:15.5]
tests/test_go.py::test_go_get_binary_in_path[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
[gw1] [ 57%] PASSED tests/test_go.py::test_go_version[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
tests/test_go.py::test_go_get_binary_in_path[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
[gw1] [ 64%] PASSED tests/test_go.py::test_go_get_binary_in_path[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
[gw3] [ 71%] PASSED tests/test_go.py::test_build_generics_cache[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-container_git_clone0] 
[gw4] [ 78%] PASSED tests/test_go.py::test_build_generics_cache[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-container_git_clone0] 
[gw2] [ 85%] PASSED tests/test_go.py::test_go_get_binary_in_path[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
[gw7] [ 92%] PASSED tests/test_go.py::test_build_kured[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-kured] 
[gw0] [100%] PASSED tests/test_go.py::test_build_kured[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-kured]

Can't find the trivy_image_scan test run therein 🤔

@dcermak
Copy link
Collaborator

dcermak commented Aug 17, 2023

I just checked this locally with the go container (and podman) and trivy doesn't seem to be executed:

That is because the trivy scan is part of the all test and not of go.

@dirkmueller dirkmueller marked this pull request as ready for review August 19, 2023 19:47
@grisu48
Copy link
Contributor

grisu48 commented Sep 12, 2023

That is because the trivy scan is part of the all test and not of go.

And I was wrongly assuming that all is executed everywhere. And I will make this mistake again 😅

@dirkmueller dirkmueller force-pushed the trivy_scan branch 2 times, most recently from 9adb95f to dcd8091 Compare October 29, 2023 09:37
@dirkmueller dirkmueller requested a review from dcermak January 23, 2024 12:34
dcermak
dcermak requested changes Jan 24, 2024
View reviewed changes
Copy link
Collaborator

@dcermak dcermak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good idea, but I do not think that we should add this to the test suite. Currently we have a bunch of test failures due to this and I don't see how we will ever be all green, there's always going to be an issue somewhere.

But my main issue is this: imagine we have a CVE that we need to fix. But now trivy is red, hence we have an overall test failure, so QA will flag the new build as faulty and they have to manually waive all the failing tests. This is imho not helping when we need to get a fix out.

Open to counter-opinions, but in this state, this is not helping

@dirkmueller
Copy link
Member Author

dirkmueller commented Jan 25, 2024
edited
Loading

Currently we have a bunch of test failures due to this

That's only because of TARGET=ibs-released. I can remove that easily from the testing matrix, but that is entirely unrelated to the rest of your comment because QA is never running with it

and I don't see how we will ever be all green, there's always going to be an issue somewhere.
I don't see how. we should be having it in the testsuite to prevent images with issues going out.

But my main issue is this: imagine we have a CVE that we need to fix. But now trivy is red, hence we have an overall test failure, so QA will flag the new build as faulty and they have to manually waive all the failing tests.

trivy will only flag it if the image still contains the CVE, so that's exactly what we'd like to make the check do.

This is imho not helping when we need to get a fix out.

it prevents releasing unfixed images. it doesn't prevent releasing fixed images.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dcermak dcermak dcermak requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dirkmueller @grisu48 @dcermak