diff --git a/.github/workflows/sec-scan.yml b/.github/workflows/sec-scan.yml
index 41bcca5f5..782ee4fce 100644
--- a/.github/workflows/sec-scan.yml
+++ b/.github/workflows/sec-scan.yml
@@ -58,7 +58,7 @@ jobs:
 repository: opendatahub-io/notebooks.git
 ref: ${{ env.RELEASE_VERSION_N }}
- - name: Retrieve latest weekly commit hash from the release branch
+ - name: Retrieve latest weekly commit hash from the "N" branch
 id: hash-n
 shell: bash
 run: |
@@ -70,11 +70,23 @@ jobs:
 repository: opendatahub-io/notebooks.git
 ref: ${{ env.RELEASE_VERSION_N_1 }}
- - name: Retrieve latest weekly commit hash from the release branch
+ - name: Retrieve latest weekly commit hash from the "N - 1" branch
 id: hash-n-1
 shell: bash
 run: |
 echo "HASH_N_1=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}
+
+ - name: Checkout "main" branch
+ uses: actions/checkout@v3
+ with:
+ repository: opendatahub-io/notebooks.git
+ ref: main
+
+ - name: Retrieve latest weekly commit hash from the "main" branch
+ id: hash-main
+ shell: bash
+ run: |
+ echo "LATEST_MAIN_COMMIT=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}
 # Checkout the release branch to apply the updates
 - name: Checkout release branch
@@ -99,6 +111,8 @@ jobs:
 HASH_N_1: ${{ steps.hash-n-1.outputs.HASH_N_1 }}
 RELEASE_VERSION_N_1: 2023a
+
+ LATEST_MAIN_COMMIT: ${{ steps.hash-main.outputs.HASH_N }}
 run: make scan-image-vulnerabilities
 - name: Push the files
diff --git a/ci/security-scan/quay_security_analysis.py b/ci/security-scan/quay_security_analysis.py
index 89fb6e2cc..63e772587 100644
--- a/ci/security-scan/quay_security_analysis.py
+++ b/ci/security-scan/quay_security_analysis.py
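Review bot: The output written by the new `hash-main` step in the `@@ -70,11 +70,23 @@` hunk is never the one that is read: the step echoes `LATEST_MAIN_COMMIT=…` into `$GITHUB_OUTPUT`, but the env entry added in the `@@ -99,6 +111,8 @@` hunk references `steps.hash-main.outputs.HASH_N`, an output that step does not set. GitHub resolves a missing step output to an empty string, so the scan would run with `LATEST_MAIN_COMMIT=""`, and the tag regex that `quay_security_analysis.py` builds from that value (`f"{src_tag}-(\\d+-)?{HASH_N}"`) degrades to matching any tag containing `{src_tag}-`, attributing the scan results to whichever tag `jq` returns first. Either change the echo to `echo "HASH_N=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}` or, more readably, reference `LATEST_MAIN_COMMIT: ${{ steps.hash-main.outputs.LATEST_MAIN_COMMIT }}`. Separately, the new `uses: actions/checkout@v3` line pins a mutable tag; pinning third-party actions to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for a workflow that produces security-scan results, and the earlier checkout steps, whose `uses:` lines fall outside these hunks, presumably have the same shape.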
@@ -68,8 +68,7 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 src_tag_cmd = f'skopeo inspect docker://{img} | jq \'.Env[] | select(startswith("OPENSHIFT_BUILD_NAME=")) | split("=")[1]\''
 src_tag = subprocess.check_output(src_tag_cmd, shell=True, text=True).strip().strip('"').replace('-amd64', '')
-
- regex = "" # f"{src_tag}-{RELEASE_VERSION_N}-\\d+-{HASH_N}"
+ regex = ""
 if RELEASE_VERSION_N == "":
 regex = f"{src_tag}-(\\d+-)?{HASH_N}"
@@ -77,8 +76,6 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 regex = f"{src_tag}-{RELEASE_VERSION_N}-\\d+-{HASH_N}"
 latest_tag_cmd = f'skopeo inspect docker://{img} | jq -r --arg regex "{regex}" \'.RepoTags | map(select(. | test($regex))) | .[0]\''
- print("latest_tag_cmd")
- print(latest_tag_cmd)
 latest_tag = subprocess.check_output(latest_tag_cmd, shell=True, text=True).strip()
 digest_cmd = f'skopeo inspect docker://{registry}:{latest_tag} | jq .Digest | tr -d \'"\''
@@ -89,9 +86,6 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 output = f"{registry}@{digest}"
- print("output")
- print(output)
-
 sha_ = output.split(":")[1]
 url = f"https://quay.io/api/v1/repository/opendatahub/workbench-images/manifest/sha256:{sha_}/security"
@@ -124,12 +118,10 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 line = f"{image}={output}\n"
 print(line, end="")
-
-RELEASE_VERSION_N = os.environ['RELEASE_VERSION_N']
-HASH_N = os.environ['HASH_N']
+LATEST_MAIN_COMMIT = os.environ['LATEST_MAIN_COMMIT']
 for i, image in enumerate(IMAGES_MAIN):
- process_image(image, commit_id_path, "", "0133259")
+ process_image(image, commit_id_path, "", LATEST_MAIN_COMMIT)
 branch_main_data = ""
 for key, value in my_dictionary.items():
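Review bot: In the `@@ -124,12 +118,10 @@` hunk, `LATEST_MAIN_COMMIT = os.environ['LATEST_MAIN_COMMIT']` is passed straight into `process_image` without validation, and the regex that `process_image` builds from it (`f"{src_tag}-(\\d+-)?{HASH_N}"`, visible as context in the `@@ -68,8 +68,7 @@` hunk) is handed to `jq ... test($regex)`, so an empty or malformed value silently selects some other tag rather than failing the scan. The workflow side of this same commit wires the env var to an output name the `hash-main` step does not set, which is precisely how an empty value would arrive here. A guard before the `IMAGES_MAIN` loop such as `if not re.fullmatch(r"[0-9a-f]{7,40}", LATEST_MAIN_COMMIT): raise SystemExit("LATEST_MAIN_COMMIT must be a hex commit hash")` makes the failure explicit and also keeps regex metacharacters out of the pattern; `re` needs importing if the module does not already do so. The same check applies to the `HASH_N` read that the `@@ -141,6 +133,9 @@` hunk relocates. The `for key, value in my_dictionary.items():` loop that closes this hunk continues outside it.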
@@ -141,6 +133,9 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 my_dictionary = {}
+RELEASE_VERSION_N = os.environ['RELEASE_VERSION_N']
+HASH_N = os.environ['HASH_N']
+
 # Call the function for each image in IMAGES
 for i, image in enumerate(IMAGES):
 process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N)
@@ -148,13 +143,13 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 today = date.today()
 d2 = today.strftime("%B %d, %Y")
-formatted_data = ""
+branch_n_data = ""
 for key, value in my_dictionary.items():
- formatted_data += f"| [{key}](https://quay.io/repository/opendatahub/workbench-images/manifest/{my_dictionary[key]['sha']}?tab=vulnerabilities) |"
+ branch_n_data += f"| [{key}](https://quay.io/repository/opendatahub/workbench-images/manifest/{my_dictionary[key]['sha']}?tab=vulnerabilities) |"
 for severity in ['Medium', 'Low', 'Unknown', 'High', 'Critical']:
 count = value.get(severity, 0) # Get count for the severity, default to 0 if not present
- formatted_data += f" {count} |"
- formatted_data += "\n"
+ branch_n_data += f" {count} |"
+ branch_n_data += "\n"
 my_dictionary = {}
@@ -164,13 +159,13 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 for i, image in enumerate(IMAGES_N_1):
 process_image(image, commit_id_path, RELEASE_VERSION_N_1, HASH_N_1)
-branch_n_data = ""
+branch_n_1_data = ""
 for key, value in my_dictionary.items():
- branch_n_data += f"| [{key}](https://quay.io/repository/opendatahub/workbench-images/manifest/{my_dictionary[key]['sha']}?tab=vulnerabilities) |"
+ branch_n_1_data += f"| [{key}](https://quay.io/repository/opendatahub/workbench-images/manifest/{my_dictionary[key]['sha']}?tab=vulnerabilities) |"
 for severity in ['Medium', 'Low', 'Unknown', 'High', 'Critical']:
 count = value.get(severity, 0) # Get count for the severity, default to 0 if not present
- branch_n_data += f" {count} |"
- branch_n_data += "\n"
+ branch_n_1_data += f" {count} |"
+ branch_n_1_data += "\n"
 markdown_content = """# Security Scan Results
@@ -186,16 +181,16 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 | Image Name | Medium | Low | Unknown | High | Critical |
 |------------|-------|-----|---------|------|------|
-{table_content}
+{branch_n}
 # Branch N - 1
 | Image Name | Medium | Low | Unknown | High | Critical |
 |------------|-------|-----|---------|------|------|
-{branch_n}
+{branch_n_1}
 """
-final_markdown = markdown_content.format(table_content=formatted_data, todays_date=d2, branch_n=branch_n_data, branch_main=branch_main_data)
+final_markdown = markdown_content.format(branch_n=branch_n_data, todays_date=d2, branch_n_1=branch_n_1_data, branch_main=branch_main_data)
 # Writing to the markdown file
 with open("ci/security-scan/security_scan_results.md", "w") as markdown_file: