feat: add cve information on the release note

.pipelines/.vsts-vhd-builder-release.yaml

@@ -189,6 +189,7 @@ parameters:
 variables:
   - group: aks-vuln-to-kusto
   - group: "AKS Node SIG UA Token (KV)"
+  - group: aks-vuln-to-kusto-tme
 
 stages:
   - stage: build

vhdbuilder/packer/test-scan-and-cleanup.sh

@@ -11,13 +11,18 @@ required_env_vars=(
   "SIG_GALLERY_NAME"
   "OS_VERSION"
   "SIG_IMAGE_NAME"
-  "UMSI_RESOURCE_ID"
-  "UMSI_PRINCIPAL_ID"
   "AZURE_MSI_RESOURCE_STRING"
-  "UMSI_CLIENT_ID"
   "BUILD_RUN_NUMBER"
   "VHD_ARTIFACT_NAME"
   "DRY_RUN"
+  "ACCOUNT_NAME"
+  "UMSI_RESOURCE_ID"
+  "UMSI_PRINCIPAL_ID"
+  "UMSI_CLIENT_ID"
+  "ACCOUNT_NAME_TME"
+  "UMSI_RESOURCE_ID_TME"
+  "UMSI_PRINCIPAL_ID_TME"
+  "UMSI_CLIENT_ID_TME"
 )
 
 for v in "${required_env_vars[@]}"; do

vhdbuilder/packer/trivy-scan.sh

@@ -4,6 +4,7 @@ set -euxo pipefail
 TRIVY_REPORT_DIRNAME=/opt/azure/containers
 TRIVY_REPORT_ROOTFS_JSON_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-rootfs.json
 TRIVY_REPORT_IMAGE_TABLE_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-images-table.txt
+CVE_DIFF_QUERY_OUTPUT_PATH=${TRIVY_REPORT_DIRNAME}/cve-diff.txt
 TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"
 
 TRIVY_VERSION="0.57.0"
@@ -40,6 +41,8 @@ export SYSTEM_COLLECTIONURI=${26}
 export SYSTEM_TEAMPROJECT=${27}
 export BUILD_BUILDID=${28}
 export IMAGE_VERSION=${29}
+CVE_DIFF_UPLOAD_REPORT_NAME=${30}
+SCAN_RESOURCE_PREFIX=${31}
 
 retrycmd_if_failure() {
     retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
@@ -187,13 +190,30 @@ for CONTAINER_IMAGE in $IMAGE_LIST; do
     fi
 done
 
+./vuln-to-kusto-vhd query-report query-diff 24h \
+    --vhd-vhdname=${VHD_ARTIFACT_NAME} \
+    --vhd-nodeimageversion=${IMAGE_VERSION} \
+    --severity="HIGH" \
+    --scan-resource-prefix=${SCAN_RESOURCE_PREFIX} \
+    --kusto-endpoint=${KUSTO_ENDPOINT} \
+    --kusto-database=${KUSTO_DATABASE} \
+    --kusto-table=${KUSTO_TABLE} \
+    --kusto-managed-identity-client-id=${UMSI_CLIENT_ID} >> ${CVE_DIFF_QUERY_OUTPUT_PATH}
+
 rm ./trivy
 
+chmod a+r "${CVE_DIFF_QUERY_OUTPUT_PATH}"
 chmod a+r "${TRIVY_REPORT_ROOTFS_JSON_PATH}"
 chmod a+r "${TRIVY_REPORT_IMAGE_TABLE_PATH}"
 
 login_with_user_assigned_managed_identity ${AZURE_MSI_RESOURCE_STRING}
 
+az storage blob upload --file ${CVE_DIFF_QUERY_OUTPUT_PATH} \
+    --container-name ${SIG_CONTAINER_NAME} \
+    --name ${CVE_DIFF_UPLOAD_REPORT_NAME} \
+    --account-name ${STORAGE_ACCOUNT_NAME} \
+    --auth-mode login
+
 az storage blob upload --file ${TRIVY_REPORT_ROOTFS_JSON_PATH} \
     --container-name ${SIG_CONTAINER_NAME} \
     --name ${TRIVY_UPLOAD_REPORT_NAME} \

vhdbuilder/packer/vhd-scanning.sh

@@ -11,14 +11,32 @@ if [ -z "$PACKER_BUILD_LOCATION" ]; then
     exit 1
 fi
 
+CURRENT_TIME=$(date +%s)
+
 TRIVY_SCRIPT_PATH="trivy-scan.sh"
 SCAN_RESOURCE_PREFIX="vhd-scanning"
-SCAN_VM_NAME="$SCAN_RESOURCE_PREFIX-vm-$(date +%s)-$RANDOM"
+SCAN_VM_NAME="$SCAN_RESOURCE_PREFIX-vm-$CURRENT_TIME-$RANDOM"
 VHD_IMAGE="$MANAGED_SIG_ID"
 
 SIG_CONTAINER_NAME="vhd-scans"
 SCAN_VM_ADMIN_USERNAME="azureuser"
 
+if [ "${ENVIRONMENT,,}" == "tme" ]; then
+    ACCOUNT_NAME="$ACCOUNT_NAME_TME"
+    KUSTO_DATABASE="$KUSTO_DATABASE_TME"
+    KUSTO_TABLE="$KUSTO_TABLE_TME"
+    KUSTO_ENDPOINT="$KUSTO_ENDPOINT_TME"
+    UMSI_CLIENT_ID="$UMSI_CLIENT_ID_TME"
+    UMSI_PRINCIPAL_ID="$UMSI_PRINCIPAL_ID_TME"
+    UMSI_RESOURCE_ID="$UMSI_RESOURCE_ID_TME"
+fi
+
+RELEASE_NOTES_FILEPATH="$(pwd)/release-notes.txt"
+if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
+    echo "${RELEASE_NOTES_FILEPATH} does not exist"
+    exit 1
+fi
+
 # we must create VMs in a vnet subnet which has access to the storage account, otherwise they will not be able to access the VHD blobs
 SCANNING_SUBNET_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PACKER_VNET_RESOURCE_GROUP_NAME}/providers/Microsoft.Network/virtualNetworks/${PACKER_VNET_NAME}/subnets/scanning"
 if [ -z "$(az network vnet subnet show --ids $SCANNING_SUBNET_ID | jq -r '.id')" ]; then
@@ -41,11 +59,11 @@ else
 fi
 
 set +x
-SCAN_VM_ADMIN_PASSWORD="ScanVM@$(date +%s)"
+SCAN_VM_ADMIN_PASSWORD="ScanVM@$CURRENT_TIME"
 set -x
 
-RESOURCE_GROUP_NAME="$SCAN_RESOURCE_PREFIX-$(date +%s)-$RANDOM"
-az group create --name $RESOURCE_GROUP_NAME --location ${PACKER_BUILD_LOCATION} --tags "source=AgentBaker" "now=$(date +%s)" "branch=${GIT_BRANCH}"
+RESOURCE_GROUP_NAME="$SCAN_RESOURCE_PREFIX-$CURRENT_TIME-$RANDOM"
+az group create --name $RESOURCE_GROUP_NAME --location ${PACKER_BUILD_LOCATION} --tags "source=AgentBaker" "now=${CURRENT_TIME}" "branch=${GIT_BRANCH}"
 
 function cleanup() {
     echo "Deleting resource group ${RESOURCE_GROUP_NAME}"
@@ -68,7 +86,7 @@ if [ "${OS_TYPE}" == "Linux" ] && grep -q "cvm" <<< "$FEATURE_FLAGS"; then
     VM_OPTIONS="--size Standard_DC8ads_v5 --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true --os-disk-security-encryption-type VMGuestStateOnly --specialized true"
 fi
 
-SCANNING_NIC_ID=$(az network nic create --resource-group $RESOURCE_GROUP_NAME --name "scanning$(date +%s)${RANDOM}" --subnet $SCANNING_SUBNET_ID | jq -r '.NewNIC.id')
+SCANNING_NIC_ID=$(az network nic create --resource-group $RESOURCE_GROUP_NAME --name "scanning${CURRENT_TIME}${RANDOM}" --subnet $SCANNING_SUBNET_ID | jq -r '.NewNIC.id')
 if [ -z "$SCANNING_NIC_ID" ]; then
     echo "unable to create new NIC for scanning VM"
     exit 1
@@ -97,6 +115,7 @@ TRIVY_SCRIPT_PATH="$CDIR/$TRIVY_SCRIPT_PATH"
 TIMESTAMP=$(date +%s%3N)
 TRIVY_UPLOAD_REPORT_NAME="trivy-report-${BUILD_ID}-${TIMESTAMP}.json"
 TRIVY_UPLOAD_TABLE_NAME="trivy-table-${BUILD_ID}-${TIMESTAMP}.txt"
+CVE_DIFF_UPLOAD_REPORT_NAME="cve-diff-${BUILD_ID}-${TIMESTAMP}.txt"
 
 # Extract date, revision from build number
 BUILD_RUN_NUMBER=$(echo $BUILD_RUN_NUMBER | cut -d_ -f 1)
@@ -140,17 +159,25 @@ az vm run-command invoke \
         "SYSTEM_COLLECTIONURI"=${SYSTEM_COLLECTIONURI} \
         "SYSTEM_TEAMPROJECT"=${SYSTEM_TEAMPROJECT} \
         "BUILDID"=${BUILD_ID} \
-        "IMAGE_VERSION"=${IMAGE_VERSION}
+        "IMAGE_VERSION"=${IMAGE_VERSION} \
+        "CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME} \
+        "SCAN_RESOURCE_PREFIX"=${SCAN_RESOURCE_PREFIX}
 
 capture_benchmark "${SCRIPT_NAME}_run_az_scan_command"
 
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${TRIVY_UPLOAD_REPORT_NAME} --file trivy-report.json --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${TRIVY_UPLOAD_TABLE_NAME} --file  trivy-images-table.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
+az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${CVE_DIFF_UPLOAD_REPORT_NAME} --file  cve-diff.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 
 az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --auth-mode login
 az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --auth-mode login
+az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --auth-mode login
+
 capture_benchmark "${SCRIPT_NAME}_download_and_delete_blobs"
 
+echo "=== CVEs fixed in version: ${IMAGE_VERSION}" >> ${RELEASE_NOTES_FILEPATH}
+cat cve-diff.txt >> ${RELEASE_NOTES_FILEPATH}
+
 echo -e "Trivy Scan Script Completed\n\n\n"
 capture_benchmark "${SCRIPT_NAME}_overall" true
 process_benchmarks