Merge pull request #1080 from stackhpc/fail-kolla-image-build-when-critical-cve

markgoddard · web-flow · commit 0c07da382dda · 2024-07-03T13:41:25.000+01:00
Fail kolla image build when critical CVEs are detected
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
@@ -39,11 +39,10 @@ on:
         required: false
         default: true
       push-dirty:
-        description: Push scanned images that have vulnerabilities?
+        description: Push scanned images that have critical vulnerabilities?
         type: boolean
         required: false
-        # NOTE(Alex-Welsh): This default should be flipped once we resolve existing failures
-        default: true
+        default: false
 
 env:
   ANSIBLE_FORCE_COLOR: True
@@ -181,7 +180,7 @@ jobs:
           KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }}
 
       - name: Create build logs output directory
-        run: mkdir image-build-logs 
+        run: mkdir image-build-logs
 
       - name: Build kolla overcloud images
         id: build_overcloud_images
@@ -240,9 +239,16 @@ jobs:
         run: cp image-build-logs/image-scan-output/clean-images.txt image-build-logs/push-attempt-images.txt
         if: inputs.push
 
+      # NOTE(seunghun1ee): This always appends dirty images with CVEs severity lower than critical.
+      # This should be reverted when it's decided to filter high level CVEs as well.
       - name: Append dirty images to push list
         run: |
           cat image-build-logs/image-scan-output/dirty-images.txt >> image-build-logs/push-attempt-images.txt
+        if: ${{ inputs.push }}
+
+      - name: Append images with critical vulnerabilities to push list
+        run: |
+          cat image-build-logs/image-scan-output/critical-images.txt >> image-build-logs/push-attempt-images.txt
         if: ${{ inputs.push && inputs.push-dirty }}
 
       - name: Push images
@@ -254,7 +260,7 @@ jobs:
 
           while read -r image; do
             # Retries!
-            for i in {1..5}; do 
+            for i in {1..5}; do
               if docker push $image; then
                 echo "Pushed $image"
                 break
@@ -288,8 +294,15 @@ jobs:
         run: if [ $(wc -l < image-build-logs/push-failed-images.txt) -gt 0 ]; then cat image-build-logs/push-failed-images.txt && exit 1; fi
         if: ${{ !cancelled() }}
 
-      - name: Fail when images failed scanning
-        run: if [ $(wc -l < image-build-logs/dirty-images.txt) -gt 0 ]; then cat image-build-logs/dirty-images.txt && exit 1; fi
+      # NOTE(seunghun1ee): Currently we want to mark the job fail only when critical CVEs are detected.
+      # This can be used again instead of "Fail when critical vulnerabilities are found" when it's
+      # decided to fail the job on detecting high CVEs as well.
+      # - name: Fail when images failed scanning
+      #   run: if [ $(wc -l < image-build-logs/image-scan-output/dirty-images.txt) -gt 0 ]; then cat image-build-logs/image-scan-output/dirty-images.txt && exit 1; fi
+      #   if: ${{ !inputs.push-dirty && !cancelled() }}
+
+      - name: Fail when critical vulnerabilities are found
+        run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then cat image-build-logs/image-scan-output/critical-images.txt && exit 1; fi
         if: ${{ !inputs.push-dirty && !cancelled() }}
 
       # NOTE(mgoddard): Trigger another CI workflow in the
diff --git a/tools/scan-images.sh b/tools/scan-images.sh
@@ -27,11 +27,13 @@ docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/$1-*:$2" > $1-
 images=$(grep --invert-match --no-filename ^REPOSITORY $1-scanned-container-images.txt | sed 's/ \+/:/g' | cut -f 1,2 -d:)
 
 # Ensure output files exist
-touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt
+touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt image-scan-output/critical-images.txt
 
 # If Trivy detects no vulnerabilities, add the image name to clean-images.txt.
 # If there are vulnerabilities detected, add it to dirty-images.txt and
 # generate a csv summary
+# If the image contains at least one critical vulnerabilities, add it to
+# critical-images.txt
 for image in $images; do
   filename=$(basename $image | sed 's/:/\./g')
   if $(trivy image \
@@ -49,15 +51,13 @@ for image in $images; do
     # Add the image to the clean list
     echo "${image}" >> image-scan-output/clean-images.txt
   else
-    # Add the image to the dirty list
-    echo "${image}" >> image-scan-output/dirty-images.txt
-    
+
     # Write a header for the summary CSV
     echo '"PkgName","PkgPath","PkgID","VulnerabilityID","FixedVersion","PrimaryURL","Severity"' > image-scan-output/${filename}.summary.csv
 
     # Write the summary CSV data
-    jq -r '.Results[] 
-            | select(.Vulnerabilities) 
+    jq -r '.Results[]
+            | select(.Vulnerabilities)
             | .Vulnerabilities
             # Ignore packages with "kernel" in the PkgName
             | map(select(.PkgName | test("kernel") | not ))
@@ -72,8 +72,16 @@ for image in $images; do
                     .[0].PrimaryURL,
                     .[0].Severity
                     ]
-                ) 
-            | .[] 
+                )
+            | .[]
             | @csv' image-scan-output/${filename}.json >> image-scan-output/${filename}.summary.csv
+
+    if [ $(grep "CRITICAL" image-scan-output/${filename}.summary.csv -c) -gt 0 ]; then
+      # If the image contains critical vulnerabilities, add the image to critical list
+      echo "${image}" >> image-scan-output/critical-images.txt
+    else
+      # Otherwise, add the image to the dirty list
+      echo "${image}" >> image-scan-output/dirty-images.txt
+    fi
   fi
 done
