From e4d743699c446bba8c6940318451801241d3167d Mon Sep 17 00:00:00 2001
From: jason1028kr
Date: Fri, 24 Jan 2025 16:00:26 -0800
Subject: [PATCH] feat: add cve information on the release note

---
 vhdbuilder/packer/trivy-scan.sh | 20 ++++++++++++++++++++
 vhdbuilder/packer/vhd-scanning.sh | 17 ++++++++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/vhdbuilder/packer/trivy-scan.sh b/vhdbuilder/packer/trivy-scan.sh
index e6de787062f..19227db0b49 100644
--- a/vhdbuilder/packer/trivy-scan.sh
+++ b/vhdbuilder/packer/trivy-scan.sh
@@ -4,6 +4,7 @@ set -euxo pipefail
 TRIVY_REPORT_DIRNAME=/opt/azure/containers
 TRIVY_REPORT_ROOTFS_JSON_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-rootfs.json
 TRIVY_REPORT_IMAGE_TABLE_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-images-table.txt
+CVE_DIFF_QUERY_OUTPUT_PATH=${TRIVY_REPORT_DIRNAME}/cve-diff.txt
 TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"
 TRIVY_VERSION="0.57.0"
@@ -40,6 +41,8 @@ export SYSTEM_COLLECTIONURI=${26}
 export SYSTEM_TEAMPROJECT=${27}
 export BUILD_BUILDID=${28}
 export IMAGE_VERSION=${29}
+CVE_DIFF_UPLOAD_REPORT_NAME=${30}
+SCAN_RESOURCE_PREFIX=${31}
 retrycmd_if_failure() {
     retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
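Review bot: `CVE_DIFF_UPLOAD_REPORT_NAME=${30}` and `SCAN_RESOURCE_PREFIX=${31}` extend a positional argument list that vhd-scanning.sh appears to fill by parameter order in its `az vm run-command invoke` call (the -140,17 hunk of that file, where the two new entries are appended after `"IMAGE_VERSION"`), so the two files agree only as long as that order is kept; a later reordering on either side would silently swap the blob name and the resource prefix with no error from `set -u`. A cross-reference comment on the new lines, `# positions 30/31 must match the parameter order of the run-command invoke in vhd-scanning.sh`, and its mirror on the vhd-scanning.sh side would make the coupling visible. The surrounding assignments are `export`ed and these two are not; both are consumed only via explicit flags later in this script, so that is fine, but a word in the same comment would keep a reader from treating it as an oversight.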
@@ -187,13 +190,30 @@ for CONTAINER_IMAGE in $IMAGE_LIST; do
     fi
 done
+./vuln-to-kusto-vhd query-report query-diff 24h \
+    --vhd-vhdname=${VHD_ARTIFACT_NAME} \
+    --vhd-nodeimageversion=${IMAGE_VERSION} \
+    --severity="HIGH" \
+    --scan-resource-prefix=${SCAN_RESOURCE_PREFIX} \
+    --kusto-endpoint=${KUSTO_ENDPOINT} \
+    --kusto-database=${KUSTO_DATABASE} \
+    --kusto-table=${KUSTO_TABLE} \
+    --kusto-managed-identity-client-id=${UMSI_CLIENT_ID} >> ${CVE_DIFF_QUERY_OUTPUT_PATH}
+
 rm ./trivy
+chmod a+r "${CVE_DIFF_QUERY_OUTPUT_PATH}"
 chmod a+r "${TRIVY_REPORT_ROOTFS_JSON_PATH}"
 chmod a+r "${TRIVY_REPORT_IMAGE_TABLE_PATH}"
 login_with_user_assigned_managed_identity ${AZURE_MSI_RESOURCE_STRING}
+az storage blob upload --file ${CVE_DIFF_QUERY_OUTPUT_PATH} \
+    --container-name ${SIG_CONTAINER_NAME} \
+    --name ${CVE_DIFF_UPLOAD_REPORT_NAME} \
+    --account-name ${STORAGE_ACCOUNT_NAME} \
+    --auth-mode login
+
 az storage blob upload --file ${TRIVY_REPORT_ROOTFS_JSON_PATH} \
     --container-name ${SIG_CONTAINER_NAME} \
     --name ${TRIVY_UPLOAD_REPORT_NAME} \
diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh
index cb4c93c1e4e..df22ed7364c 100755
--- a/vhdbuilder/packer/vhd-scanning.sh
+++ b/vhdbuilder/packer/vhd-scanning.sh
@@ -19,6 +19,12 @@ VHD_IMAGE="$MANAGED_SIG_ID"
 SIG_CONTAINER_NAME="vhd-scans"
 SCAN_VM_ADMIN_USERNAME="azureuser"
+RELEASE_NOTES_FILEPATH="$(pwd)/release-notes.txt"
+if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
+    echo "${RELEASE_NOTES_FILEPATH} does not exist"
+    exit 1
+fi
+
 # we must create VMs in a vnet subnet which has access to the storage account, otherwise they will not be able to access the VHD blobs
 SCANNING_SUBNET_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PACKER_VNET_RESOURCE_GROUP_NAME}/providers/Microsoft.Network/virtualNetworks/${PACKER_VNET_NAME}/subnets/scanning"
 if [ -z "$(az network vnet subnet show --ids $SCANNING_SUBNET_ID | jq -r '.id')" ]; then
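Review bot: The new `./vuln-to-kusto-vhd query-report query-diff …` call sits before `rm ./trivy` and before the existing `az storage blob upload` of the rootfs JSON and image table, so under the file's `set -euxo pipefail` a transient Kusto failure aborts the script before the Trivy reports themselves are uploaded, and the release-note enrichment ends up masking the scan output it was meant to decorate. Moving the query block below the two existing uploads, or capturing its status with `rv=0; ./vuln-to-kusto-vhd … >> "${CVE_DIFF_QUERY_OUTPUT_PATH}" || rv=$?` and surfacing `rv` explicitly, keeps a diff-query failure from discarding the artifacts. On the same lines, the redirect `>> ${CVE_DIFF_QUERY_OUTPUT_PATH}` appends to a file nothing else in the hunk creates, so `>` states the intent more plainly, and the path should be quoted as it already is on the new `chmod` line; `--severity="HIGH"` reads as an exact filter, so if the tool does not treat it as a minimum, CRITICAL findings would be missing from the "CVEs fixed" section — worth confirming against the tool. The `for CONTAINER_IMAGE` loop closed by the `done` at the top of the hunk begins outside it.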
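Review bot: `RELEASE_NOTES_FILEPATH="$(pwd)/release-notes.txt"` anchors the release notes to the caller's working directory, while the script resolves its other paths against `$CDIR` (see `TRIVY_SCRIPT_PATH="$CDIR/$TRIVY_SCRIPT_PATH"` in the -97,6 hunk); if that is deliberate because the pipeline stage presumably drops release-notes.txt into the working directory, a one-line comment above the assignment saying so would stop the next reader from "fixing" it. The diagnostic on the `echo` line goes to stdout; it belongs on stderr, `echo "${RELEASE_NOTES_FILEPATH} does not exist" >&2`. Checking the file here rather than at the end of the script, where it is first appended to, is good fail-fast behaviour and worth keeping.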
@@ -97,6 +103,7 @@ TRIVY_SCRIPT_PATH="$CDIR/$TRIVY_SCRIPT_PATH"
 TIMESTAMP=$(date +%s%3N)
 TRIVY_UPLOAD_REPORT_NAME="trivy-report-${BUILD_ID}-${TIMESTAMP}.json"
 TRIVY_UPLOAD_TABLE_NAME="trivy-table-${BUILD_ID}-${TIMESTAMP}.txt"
+CVE_DIFF_UPLOAD_REPORT_NAME="cve-diff-${BUILD_ID}-${TIMESTAMP}.txt"
 # Extract date, revision from build number
 BUILD_RUN_NUMBER=$(echo $BUILD_RUN_NUMBER | cut -d_ -f 1)
@@ -140,17 +147,25 @@ az vm run-command invoke \
     "SYSTEM_COLLECTIONURI"=${SYSTEM_COLLECTIONURI} \
     "SYSTEM_TEAMPROJECT"=${SYSTEM_TEAMPROJECT} \
     "BUILDID"=${BUILD_ID} \
-    "IMAGE_VERSION"=${IMAGE_VERSION}
+    "IMAGE_VERSION"=${IMAGE_VERSION} \
+    "CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME} \
+    "SCAN_RESOURCE_PREFIX"=${SCAN_RESOURCE_PREFIX}
 capture_benchmark "${SCRIPT_NAME}_run_az_scan_command"
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --file trivy-report.json --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --file trivy-images-table.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
+az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --file cve-diff.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --auth-mode login
 az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --auth-mode login
+az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --auth-mode login
+
 capture_benchmark "${SCRIPT_NAME}_download_and_delete_blobs"
+echo "=== CVEs fixed in version: ${IMAGE_VERSION}" >> ${RELEASE_NOTES_FILEPATH}
+cat cve-diff.txt >> ${RELEASE_NOTES_FILEPATH}
+
 echo -e "Trivy Scan Script Completed\n\n\n"
 capture_benchmark "${SCRIPT_NAME}_overall" true
 process_benchmarks
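Review bot: `echo "=== CVEs fixed in version: ${IMAGE_VERSION}"` and `cat cve-diff.txt` append to the release notes unconditionally, so a run where the diff query returns nothing leaves a section header with an empty body, and whatever the remote query wrote to its stdout lands in the published notes verbatim. If an empty section is not wanted, guard the two lines with `if [ -s cve-diff.txt ]; then … fi`; either way the two `>> ${RELEASE_NOTES_FILEPATH}` redirects should quote the path, as the existence check in this file's -19,6 hunk already does. The added blob download and delete for the cve-diff blob mirror the existing pairs and look right; deleting before the `cat` is fine because the local copy has already been fetched by then.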