diff --git a/.github/workflows/sec-scan.yml b/.github/workflows/sec-scan.yml index a305dfb4d..41bcca5f5 100644 --- a/.github/workflows/sec-scan.yml +++ b/.github/workflows/sec-scan.yml @@ -85,21 +85,21 @@ jobs: - name: setup python uses: actions/setup-python@v4 with: - python-version: '3.10' # install the python version needed + python-version: '3.10' # install the python version needed - name: install python packages run: | python -m pip install --upgrade pip pip install requests - - name: execute py script # run trial.py + - name: execute py script # run trial.py env: - HASH_N : ${{ steps.hash-n.outputs.HASH_N }} + HASH_N: ${{ steps.hash-n.outputs.HASH_N }} RELEASE_VERSION_N: 2023b HASH_N_1: ${{ steps.hash-n-1.outputs.HASH_N_1 }} RELEASE_VERSION_N_1: 2023a - run: make scan-image-vulnerabilities + run: make scan-image-vulnerabilities - name: Push the files run: | diff --git a/ci/security-scan/quay_security_analysis_2.py b/ci/security-scan/quay_security_analysis_2.py deleted file mode 100644 index 97de63b88..000000000 --- a/ci/security-scan/quay_security_analysis_2.py +++ /dev/null 
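Review bot: The `pip install requests` line in this hunk's context installs an unpinned package into the job that produces the vulnerability report, so the scanner's own dependency tree changes from run to run with no review; pin it, e.g. `pip install 'requests==<pinned-version>'` (placeholder) or, better, `pip install --require-hashes -r <requirements-file>` so the wheel hash is checked too. The same applies to `uses: actions/setup-python@v4`, which follows a mutable tag; pinning the action to a full commit SHA with a `# vX.Y.Z` comment is the usual hardening for a security-scan workflow. The corrected `HASH_N:` key (no space before the colon) is right, but `RELEASE_VERSION_N: 2023b` and `RELEASE_VERSION_N_1: 2023a` remain hand-maintained literals next to step-derived hashes, which is worth a comment such as `# release names must be bumped by hand when a new workbench release is cut`. The `jobs:` block this hunk edits starts before and continues after the hunk.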
@@ -1,111 +0,0 @@ -import os -import subprocess -import re -from datetime import date -import requests -from collections import Counter -import fileinput - - -IMAGES = [ - "odh-minimal-notebook-image-n", - "odh-minimal-gpu-notebook-image-n", - "odh-pytorch-gpu-notebook-image-n", - "odh-generic-data-science-notebook-image-n", - "odh-tensorflow-gpu-notebook-image-n", - "odh-trustyai-notebook-image-n", - "odh-habana-notebook-image-n", - "odh-codeserver-notebook-n", - "odh-rstudio-notebook-n", - "odh-rstudio-gpu-notebook-n" -] - -commit_id_path = "ci/security-scan/weekly_commit_ids.env" - -RELEASE_VERSION_N = "2023b" # os.environ['RELEASE_VERSION_N'] -HASH_N = "73c20d1" # os.environ['HASH_N'] - -my_dictionary = {} - -for i, image in enumerate(IMAGES): - - # Read the contents of params.env and extract the image information - with open(commit_id_path, 'r') as params_file: - img_line = next(line for line in params_file if re.search(f"{image}=", line)) - img = img_line.split('=')[1].strip() - - registry = img.split('@')[0] - - # Get source tag from skopeo inspection - src_tag_cmd = f'skopeo inspect docker://{img} | jq \'.Env[] | select(startswith("OPENSHIFT_BUILD_NAME=")) | split("=")[1]\'' - src_tag = subprocess.check_output(src_tag_cmd, shell=True, text=True).strip().strip('"').replace('-amd64', '') - - regex = f"{src_tag}-{RELEASE_VERSION_N}-\\d+-{HASH_N}" - latest_tag_cmd = f'skopeo inspect docker://{img} | jq -r --arg regex "{regex}" \'.RepoTags | map(select(. 
| test($regex))) | .[0]\'' - - latest_tag = subprocess.check_output(latest_tag_cmd, shell=True, text=True).strip() - - digest_cmd = f'skopeo inspect docker://{registry}:{latest_tag} | jq .Digest | tr -d \'"\'' - digest = subprocess.check_output(digest_cmd, shell=True, text=True).strip() - - output = f"{registry}@{digest}" - - sha_ = output.split(":")[1] - - url = f"https://quay.io/api/v1/repository/opendatahub/workbench-images/manifest/sha256:{sha_}/security" - headers = { - "X-Requested-With": "XMLHttpRequest", - "Authorization": "Bearer 3PZX0UYX6FSENKQ14I1VTHUJ4KGBS8L5LHJ0W1RN7TPHFVQ4P0NR7VQNCZIFRC9B_1" - } - - response = requests.get(url, headers=headers) - data = response.json() - - vulnerabilities = [] - - for feature in data['data']['Layer']['Features']: - if(len(feature['Vulnerabilities']) > 0): - for vulnerability in feature['Vulnerabilities']: - vulnerabilities.append(vulnerability) - - severity_levels = [entry.get("Severity", "Unknown") for entry in vulnerabilities] - - # Count occurrences of each severity level - severity_counts = Counter(severity_levels) - - my_dictionary[latest_tag] = {} - my_dictionary[latest_tag]['sha']= digest - - for severity, count in severity_counts.items(): - my_dictionary[latest_tag][severity] = count - - for line in fileinput.input(commit_id_path, inplace=True): - if line.startswith(f"{image}="): - line = f"{image}={output}\n" - print(line, end="") - -today = date.today() -d2 = today.strftime("%B %d, %Y") - -markdown_content = """# Security Scan Results - -Date: {todays_date} - -| Image Name | Medium | Low | Unknown | High | Critical | -|------------|-------|-----|---------|------|------| -{table_content} -""" - -formatted_data = "" -for key, value in my_dictionary.items(): - formatted_data += f"| [{key}](https://quay.io/repository/opendatahub/workbench-images/manifest/{my_dictionary[key]['sha']}?tab=vulnerabilities) |" - for severity in ['Medium', 'Low', 'Unknown', 'High', 'Critical']: - count = value.get(severity, 0) # Get 
count for the severity, default to 0 if not present - formatted_data += f" {count} |" - formatted_data += "\n" - -final_markdown = markdown_content.format(table_content=formatted_data, todays_date=d2) - -# Writing to the markdown file -with open("ci/security-scan/security_scan_results.md", "w") as markdown_file: - markdown_file.write(final_markdown) \ No newline at end of file diff --git a/ci/security-scan/token_test.py b/ci/security-scan/token_test.py deleted file mode 100644 index 11f1f42d9..000000000 --- a/ci/security-scan/token_test.py +++ /dev/null @@ -1,30 +0,0 @@ -# import requests - -# headers = { -# "X-Requested-With": "XMLHttpRequest", -# "Authorization": "Bearer IMUSI3RVH0FQ426LNP1CY7Q1MT4KXMZMWE6W5RQ2JYERP2RJQFL8LS1OF3Y18WOK" -# } - -# url = f"https://quay.io/api/v1/repository/rpattnai/workbench-images/manifest/sha256:f802620c6e5aff5e1e719574b57253e07fccee101600a0b6bb96723827f379fd/security\?vulnerabilities\=true" - -# response = requests.get(url, headers=headers) -# data = response.json() - -# print(data) - -import requests - -url = "https://quay.io/api/v1/repository/opendatahub/workbench-images/manifest/sha256:7eea86c98f20ed3c58c838e40369d68219c13967daafc52970412f669f621522/security?vulnerabilities" -headers = { - "X-Requested-With": "XMLHttpRequest", - "Authorization": "Bearer 3PZX0UYX6FSENKQ14I1VTHUJ4KGBS8L5LHJ0W1RN7TPHFVQ4P0NR7VQNCZIFRC9B_1", -} - -response = requests.get(url, headers=headers) - -if response.status_code == 200: - vulnerabilities_data = response.json() - print(vulnerabilities_data) - # Process vulnerabilities_data as needed -else: - print(f"Error: {response.status_code}") \ No newline at end of file
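Review bot: Deleting ci/security-scan/quay_security_analysis_2.py does not remove the hard-coded Quay Bearer token in its `headers` dict from the repository history, and the same literal also appears in the deleted ci/security-scan/token_test.py (that file's commented-out block carries a second token). Both should be treated as exposed regardless of this deletion: revoke and reissue them in Quay, and check that whatever now performs the scan (presumably the `make scan-image-vulnerabilities` target the workflow calls) reads the token from a CI secret or environment variable rather than a literal, the way the script's own `# os.environ['HASH_N']` comments already hint at. Rewriting history with git filter-repo is optional hardening; rotation is the step that actually closes the exposure. A secret-scanning check in CI would catch this class of commit before merge.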