Merge branch 'main' into akd/auto-update-charmcraft-channel

canonical · Oct 25, 2024 · 1d7baff · 1d7baff
2 parents 19b0651 + a1a2aa9
commit 1d7baff
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 23 deletions.
diff --git a/.github/workflows/integration_test.yaml b/.github/workflows/integration_test.yaml
@@ -259,6 +259,14 @@ jobs:
         scan: ${{ fromJSON(needs.plan-scan.outputs.scans) }}
     steps:
       - uses: actions/[email protected]
+      - name: Change directory
+        run: |
+          TEMP_DIR=$(mktemp -d)
+          cp -rp ./${{ inputs.working-directory }}/. $TEMP_DIR
+          rm -rf .* * || :
+          cp -rp $TEMP_DIR/. .
+          rm -rf $TEMP_DIR
+          ls -lah
       - uses: actions/[email protected]
         if: matrix.scan.artifact != ''
         with:
@@ -277,7 +285,7 @@ jobs:
           docker image pull ${{ matrix.scan.image }}
           docker image save -o ${{ matrix.scan.file }} ${{ matrix.scan.image }}
       - name: Run Github Trivy Image Action
-        uses: aquasecurity/trivy-action@0.25.0
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           input: ${{ matrix.scan.file }}
           trivy-config: ${{ inputs.trivy-image-config }}

diff --git a/.github/workflows/integration_test_run.yaml b/.github/workflows/integration_test_run.yaml
@@ -326,7 +326,7 @@ jobs:
         run: k6 run load_tests/load-test.js ${{ inputs.load-test-run-args }}
       - name: Run Github Trivy FS Action
         if: ${{ inputs.trivy-fs-enabled }}
-        uses: aquasecurity/trivy-action@0.25.0
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           scan-type: "fs"
           scan-ref: ${{ inputs.trivy-fs-ref }}

diff --git a/tests/workflows/integration/test-rock/.trivyignore b/tests/workflows/integration/test-rock/.trivyignore
@@ -0,0 +1,2 @@
+# Pebble CVE, false positive: https://github.com/canonical/pebble/issues/498#issuecomment-2339325722
+CVE-2024-34156
diff --git a/tests/workflows/integration/test-upload-charm/.trivyignore b/tests/workflows/integration/test-upload-charm/.trivyignore
@@ -4,4 +4,4 @@ CVE-2022-31042
 CVE-2022-31043
 CVE-2022-31090
 CVE-2022-31091
-CVE-2022-24775
+CVE-2022-24775
diff --git a/tests/workflows/integration/test-upload-charm/test.Dockerfile b/tests/workflows/integration/test-upload-charm/test.Dockerfile
@@ -2,23 +2,3 @@
 # See LICENSE file for licensing details.
 
 FROM ubuntu:latest
-
-RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections && \
-    apt-get update \
-        && apt-get --purge autoremove -y \
-        && apt-get install -y apache2 \
-            curl \
-            git \
-            libapache2-mod-php \
-            libgmp-dev \
-            php \
-            php-curl \
-            php-gd \
-            php-gmp \
-            php-mysql \
-            php-symfony-yaml \
-            php-xml \
-            pwgen \
-            python3 \
-            python3-yaml \
-            unzip
diff --git a/tests/workflows/integration/test-upload-charm/trivy.yaml b/tests/workflows/integration/test-upload-charm/trivy.yaml
@@ -2,3 +2,7 @@ disable-rules:
 # Ignore these rules
 # ssl-cert lib ships with a certificate and it's identified by trivy as a vulnerability
   - private-key
+# trivy >= 0.28 skip certificate files that cause headaches and breaking CI
+scan:
+  skip-files:
+    - /etc/ssl/private/ssl-cert-snakeoil.key