diff --git a/.pipelines/.vsts-vhd-builder-release.yaml b/.pipelines/.vsts-vhd-builder-release.yaml
index 8fbcf5ecd69..67b013f4a00 100644
--- a/.pipelines/.vsts-vhd-builder-release.yaml
+++ b/.pipelines/.vsts-vhd-builder-release.yaml
@@ -189,6 +189,7 @@ parameters:
 variables:
 - group: aks-vuln-to-kusto
 - group: "AKS Node SIG UA Token (KV)"
+ - group: aks-vuln-to-kusto-tme
 stages:
 - stage: build
diff --git a/vhdbuilder/packer/test-scan-and-cleanup.sh b/vhdbuilder/packer/test-scan-and-cleanup.sh
index 908edc53c22..c217139e9c6 100755
--- a/vhdbuilder/packer/test-scan-and-cleanup.sh
+++ b/vhdbuilder/packer/test-scan-and-cleanup.sh
@@ -11,13 +11,18 @@ required_env_vars=(
 "SIG_GALLERY_NAME"
 "OS_VERSION"
 "SIG_IMAGE_NAME"
- "UMSI_RESOURCE_ID"
- "UMSI_PRINCIPAL_ID"
 "AZURE_MSI_RESOURCE_STRING"
- "UMSI_CLIENT_ID"
 "BUILD_RUN_NUMBER"
 "VHD_ARTIFACT_NAME"
 "DRY_RUN"
+ "ACCOUNT_NAME"
+ "UMSI_RESOURCE_ID"
+ "UMSI_PRINCIPAL_ID"
+ "UMSI_CLIENT_ID"
+ "ACCOUNT_NAME_TME"
+ "UMSI_RESOURCE_ID_TME"
+ "UMSI_PRINCIPAL_ID_TME"
+ "UMSI_CLIENT_ID_TME"
 )
 for v in "${required_env_vars[@]}"; do
diff --git a/vhdbuilder/packer/trivy-scan.sh b/vhdbuilder/packer/trivy-scan.sh
index e6de787062f..19227db0b49 100644
--- a/vhdbuilder/packer/trivy-scan.sh
+++ b/vhdbuilder/packer/trivy-scan.sh
@@ -4,6 +4,7 @@ set -euxo pipefail
 TRIVY_REPORT_DIRNAME=/opt/azure/containers
 TRIVY_REPORT_ROOTFS_JSON_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-rootfs.json
 TRIVY_REPORT_IMAGE_TABLE_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-images-table.txt
+CVE_DIFF_QUERY_OUTPUT_PATH=${TRIVY_REPORT_DIRNAME}/cve-diff.txt
 TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"
 TRIVY_VERSION="0.57.0"
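Review bot: The array now demands both identity sets (`UMSI_*` and `UMSI_*_TME`, `ACCOUNT_NAME` and `ACCOUNT_NAME_TME`) on every run, yet `ENVIRONMENT`, the variable that vhd-scanning.sh in this same change uses to pick between them, is not required; a pipeline that never sets it silently takes the non-TME path with no diagnostic. Add `"ENVIRONMENT"` to the list so the selection is always explicit, or, if the `_TME` values are only meaningful when `ENVIRONMENT=tme`, validate them only in that case instead of forcing non-TME pipelines to carry TME identifiers. The `for v in "${required_env_vars[@]}"` loop that enforces the array continues past the hunk.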
@@ -40,6 +41,8 @@ export SYSTEM_COLLECTIONURI=${26}
 export SYSTEM_TEAMPROJECT=${27}
 export BUILD_BUILDID=${28}
 export IMAGE_VERSION=${29}
+CVE_DIFF_UPLOAD_REPORT_NAME=${30}
+SCAN_RESOURCE_PREFIX=${31}
 retrycmd_if_failure() {
 retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
@@ -187,13 +190,30 @@ for CONTAINER_IMAGE in $IMAGE_LIST; do
 fi
 done
+./vuln-to-kusto-vhd query-report query-diff 24h \
+ --vhd-vhdname=${VHD_ARTIFACT_NAME} \
+ --vhd-nodeimageversion=${IMAGE_VERSION} \
+ --severity="HIGH" \
+ --scan-resource-prefix=${SCAN_RESOURCE_PREFIX} \
+ --kusto-endpoint=${KUSTO_ENDPOINT} \
+ --kusto-database=${KUSTO_DATABASE} \
+ --kusto-table=${KUSTO_TABLE} \
+ --kusto-managed-identity-client-id=${UMSI_CLIENT_ID} >> ${CVE_DIFF_QUERY_OUTPUT_PATH}
+
 rm ./trivy
+chmod a+r "${CVE_DIFF_QUERY_OUTPUT_PATH}"
 chmod a+r "${TRIVY_REPORT_ROOTFS_JSON_PATH}"
 chmod a+r "${TRIVY_REPORT_IMAGE_TABLE_PATH}"
 login_with_user_assigned_managed_identity ${AZURE_MSI_RESOURCE_STRING}
+az storage blob upload --file ${CVE_DIFF_QUERY_OUTPUT_PATH} \
+ --container-name ${SIG_CONTAINER_NAME} \
+ --name ${CVE_DIFF_UPLOAD_REPORT_NAME} \
+ --account-name ${STORAGE_ACCOUNT_NAME} \
+ --auth-mode login
+
 az storage blob upload --file ${TRIVY_REPORT_ROOTFS_JSON_PATH} \
 --container-name ${SIG_CONTAINER_NAME} \
 --name ${TRIVY_UPLOAD_REPORT_NAME} \
diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh
index cb4c93c1e4e..2b288e33886 100755
--- a/vhdbuilder/packer/vhd-scanning.sh
+++ b/vhdbuilder/packer/vhd-scanning.sh
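Review bot: `CVE_DIFF_UPLOAD_REPORT_NAME=${30}` and `SCAN_RESOURCE_PREFIX=${31}` extend the positional interface to 31 arguments without any check that the caller supplied them; because this script runs under `set -euxo pipefail` (header of the earlier hunk), an omitted argument dies with an unbound-variable message that names only the number 30 or 31, which is hard to map back to the run-command parameter list in vhd-scanning.sh. Spell the requirement out at the assignment, e.g. `CVE_DIFF_UPLOAD_REPORT_NAME=${30:?arg 30 (CVE_DIFF_UPLOAD_REPORT_NAME) is required}` and likewise for `${31}`. The neighbouring lines `export` their values while these two do not, which is fine as long as they are consumed only by this script's own commands. The `retrycmd_if_failure` body continues past the hunk.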
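Review bot: The Kusto diff query is executed under `set -euxo pipefail`, so any non-zero exit from `./vuln-to-kusto-vhd` (endpoint unreachable, no baseline scan inside the 24h window, identity not permitted on the table) aborts the script before `rm ./trivy` and before the rootfs and image-table reports are uploaded, which turns a release-notes convenience into a hard dependency of the vulnerability scan itself. If the diff is meant to be best-effort, capture the status and keep going, and write with `>` rather than `>>` so the file exists (empty) even on failure and the `chmod`/upload that follow do not trip on a missing path: `./vuln-to-kusto-vhd ... > "${CVE_DIFF_QUERY_OUTPUT_PATH}" || echo "cve diff query failed (status $?)" >&2`. The hunk does not show where `./vuln-to-kusto-vhd` is fetched or how it is verified, and unlike `./trivy` it is not removed afterwards; presumably intentional, but worth a comment.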
@@ -11,14 +11,32 @@ if [ -z "$PACKER_BUILD_LOCATION" ]; then
 exit 1
 fi
+CURRENT_TIME=$(date +%s)
+
 TRIVY_SCRIPT_PATH="trivy-scan.sh"
 SCAN_RESOURCE_PREFIX="vhd-scanning"
-SCAN_VM_NAME="$SCAN_RESOURCE_PREFIX-vm-$(date +%s)-$RANDOM"
+SCAN_VM_NAME="$SCAN_RESOURCE_PREFIX-vm-$CURRENT_TIME-$RANDOM"
 VHD_IMAGE="$MANAGED_SIG_ID"
 SIG_CONTAINER_NAME="vhd-scans"
 SCAN_VM_ADMIN_USERNAME="azureuser"
+if [ "${ENVIRONMENT,,}" == "tme" ]; then
+ ACCOUNT_NAME="$ACCOUNT_NAME_TME"
+ KUSTO_DATABASE="$KUSTO_DATABASE_TME"
+ KUSTO_TABLE="$KUSTO_TABLE_TME"
+ KUSTO_ENDPOINT="$KUSTO_ENDPOINT_TME"
+ UMSI_CLIENT_ID="$UMSI_CLIENT_ID_TME"
+ UMSI_PRINCIPAL_ID="$UMSI_PRINCIPAL_ID_TME"
+ UMSI_RESOURCE_ID="$UMSI_RESOURCE_ID_TME"
+fi
+
+RELEASE_NOTES_FILEPATH="$(pwd)/release-notes.txt"
+if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
+ echo "${RELEASE_NOTES_FILEPATH} does not exist"
+ exit 1
+fi
+
 # we must create VMs in a vnet subnet which has access to the storage account, otherwise they will not be able to access the VHD blobs
 SCANNING_SUBNET_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PACKER_VNET_RESOURCE_GROUP_NAME}/providers/Microsoft.Network/virtualNetworks/${PACKER_VNET_NAME}/subnets/scanning"
 if [ -z "$(az network vnet subnet show --ids $SCANNING_SUBNET_ID | jq -r '.id')" ]; then
@@ -41,11 +59,11 @@ else
 fi
 set +x
-SCAN_VM_ADMIN_PASSWORD="ScanVM@$(date +%s)"
+SCAN_VM_ADMIN_PASSWORD="ScanVM@$CURRENT_TIME"
 set -x
-RESOURCE_GROUP_NAME="$SCAN_RESOURCE_PREFIX-$(date +%s)-$RANDOM"
-az group create --name $RESOURCE_GROUP_NAME --location ${PACKER_BUILD_LOCATION} --tags "source=AgentBaker" "now=$(date +%s)" "branch=${GIT_BRANCH}"
+RESOURCE_GROUP_NAME="$SCAN_RESOURCE_PREFIX-$CURRENT_TIME-$RANDOM"
+az group create --name $RESOURCE_GROUP_NAME --location ${PACKER_BUILD_LOCATION} --tags "source=AgentBaker" "now=${CURRENT_TIME}" "branch=${GIT_BRANCH}"
 function cleanup() {
 echo "Deleting resource group ${RESOURCE_GROUP_NAME}"
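Review bot: The TME branch reassigns `ACCOUNT_NAME`, but the blob downloads and deletes later in this file (hunk @@ -140) all pass `--account-name ${STORAGE_ACCOUNT_NAME}`; where `STORAGE_ACCOUNT_NAME` is derived is outside the hunk, so please confirm it is computed after this block, otherwise TME runs still read and write the non-TME storage account. `[ "${ENVIRONMENT,,}" == "tme" ]` also depends on bash case conversion and on `==` inside single brackets, unlike the `[ -z ... ]` tests around it, and an unset `ENVIRONMENT` either errors or silently falls through depending on the script's `set` options; `[[ "${ENVIRONMENT:-}" == [Tt][Mm][Ee] ]]` makes the unset case explicit without changing what matches. `RELEASE_NOTES_FILEPATH="$(pwd)/release-notes.txt"` makes the scan hard-fail on the caller's working directory; `RELEASE_NOTES_FILEPATH="${RELEASE_NOTES_FILEPATH:-$(pwd)/release-notes.txt}"` keeps that default while letting the pipeline pass the path explicitly.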
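Review bot: `SCAN_VM_ADMIN_PASSWORD="ScanVM@$CURRENT_TIME"` now derives the scanning VM's admin password from the same epoch value that names the resource group and VM and is stored in the `now=` tag on the resource group, so the credential is inferable from resource metadata and from the `set -x` trace of the surrounding lines; the `set +x`/`set -x` guard around the assignment no longer conceals anything. The weakness pre-dates this commit (the separate `$(date +%s)` calls resolved to the same second), but the refactor makes the coupling explicit and is the right moment to fix it. Use the system CSPRNG instead, e.g. `SCAN_VM_ADMIN_PASSWORD="ScanVM@$(head -c 24 /dev/urandom | base64 | tr -d '/+=')"` (or `openssl rand -base64 24`), keeping `CURRENT_TIME` for names and tags only.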
@@ -68,7 +86,7 @@ if [ "${OS_TYPE}" == "Linux" ] && grep -q "cvm" <<< "$FEATURE_FLAGS"; then
 VM_OPTIONS="--size Standard_DC8ads_v5 --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true --os-disk-security-encryption-type VMGuestStateOnly --specialized true"
 fi
-SCANNING_NIC_ID=$(az network nic create --resource-group $RESOURCE_GROUP_NAME --name "scanning$(date +%s)${RANDOM}" --subnet $SCANNING_SUBNET_ID | jq -r '.NewNIC.id')
+SCANNING_NIC_ID=$(az network nic create --resource-group $RESOURCE_GROUP_NAME --name "scanning${CURRENT_TIME}${RANDOM}" --subnet $SCANNING_SUBNET_ID | jq -r '.NewNIC.id')
 if [ -z "$SCANNING_NIC_ID" ]; then
 echo "unable to create new NIC for scanning VM"
 exit 1
@@ -97,6 +115,7 @@ TRIVY_SCRIPT_PATH="$CDIR/$TRIVY_SCRIPT_PATH"
 TIMESTAMP=$(date +%s%3N)
 TRIVY_UPLOAD_REPORT_NAME="trivy-report-${BUILD_ID}-${TIMESTAMP}.json"
 TRIVY_UPLOAD_TABLE_NAME="trivy-table-${BUILD_ID}-${TIMESTAMP}.txt"
+CVE_DIFF_UPLOAD_REPORT_NAME="cve-diff-${BUILD_ID}-${TIMESTAMP}.txt"
 # Extract date, revision from build number
 BUILD_RUN_NUMBER=$(echo $BUILD_RUN_NUMBER | cut -d_ -f 1)
@@ -140,17 +159,25 @@ az vm run-command invoke \
 "SYSTEM_COLLECTIONURI"=${SYSTEM_COLLECTIONURI} \
 "SYSTEM_TEAMPROJECT"=${SYSTEM_TEAMPROJECT} \
 "BUILDID"=${BUILD_ID} \
- "IMAGE_VERSION"=${IMAGE_VERSION}
+ "IMAGE_VERSION"=${IMAGE_VERSION} \
+ "CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME} \
+ "SCAN_RESOURCE_PREFIX"=${SCAN_RESOURCE_PREFIX}
 capture_benchmark "${SCRIPT_NAME}_run_az_scan_command"
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --file trivy-report.json --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --file trivy-images-table.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
+az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --file cve-diff.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --auth-mode login
 az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --auth-mode login
+az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --auth-mode login
+
 capture_benchmark "${SCRIPT_NAME}_download_and_delete_blobs"
+echo "=== CVEs fixed in version: ${IMAGE_VERSION}" >> ${RELEASE_NOTES_FILEPATH}
+cat cve-diff.txt >> ${RELEASE_NOTES_FILEPATH}
+
 echo -e "Trivy Scan Script Completed\n\n\n"
 capture_benchmark "${SCRIPT_NAME}_overall" true
 process_benchmarks
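Review bot: The heading appended to the release notes, `echo "=== CVEs fixed in version: ${IMAGE_VERSION}"`, claims more than the file contains: the query in trivy-scan.sh that produces cve-diff.txt is `query-diff 24h` with `--severity="HIGH"`, so it holds only HIGH-severity findings that differ from scans within the previous 24 hours, not a complete list of fixed CVEs. Make the scope visible to readers, e.g. `echo "=== HIGH-severity CVEs no longer detected in version ${IMAGE_VERSION} (vs. scans in the last 24h)"`. `cat cve-diff.txt` also runs only after the blob has been deleted, so if the download failed there is no second chance and what gets appended depends on the script's `set` options, which are outside the hunk; check the download's exit status before issuing the delete, or at least guard the append with `[ -s cve-diff.txt ] || echo "cve-diff.txt missing or empty" >&2`. The `az vm run-command invoke` that the first lines belong to starts before the hunk.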