From 2577fe24a7167d14b60e97a751631bc48972f6f8 Mon Sep 17 00:00:00 2001 From: Adam Valenta Date: Wed, 7 Aug 2024 14:07:03 +0200 Subject: [PATCH 1/4] GH-16354 remove Snyk and add Trivy --- docker/prisma/Dockerfile | 4 ++-- .../jenkins/jenkinsfiles/Jenkinsfile-PrismaScan | 15 +++++++-------- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/docker/prisma/Dockerfile b/docker/prisma/Dockerfile index f0cf92efca0c..c552efb0bbf7 100644 --- a/docker/prisma/Dockerfile +++ b/docker/prisma/Dockerfile @@ -1,5 +1,5 @@ FROM alpine:latest -RUN apk update && apk upgrade && apk add openjdk8 nodejs npm git +RUN apk update && apk upgrade && apk add openjdk8 nodejs npm git curl ENV DIRECTORIES=".config .npm .cache .local" @@ -8,6 +8,6 @@ RUN for dir in $DIRECTORIES; do \ chown -R 2117:2117 /$dir; \ done -RUN npm install snyk -g +RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin CMD ["/bin/bash"] diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index 263875e91ab0..6bf27729b727 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan +++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan 
@@ -13,13 +13,11 @@ def setPrismaScanningStages(assemblyType, stageIndex) { sh "docker build . -t ${assemblyImage} -f ./docker/prisma/Dockerfile.${assemblyType}jars" } } - stage ("${stageIndex}.B. Scan ${assemblyType} jar using Snyk") { - withCredentials([string(credentialsId: 'H2O_3_SNYK_TOKEN_JENKINS_TEXT', variable: 'SNYK_TOKEN')]) { - script { - sh "./snyk container test ${assemblyImage} --file=./docker/prisma/Dockerfile.${assemblyType}jars --severity-threshold=medium --app-vulns --nested-jars-depth=4 | tee ${assemblyImage}-snyk.out || true" - } - archiveArtifacts artifacts: "${assemblyImage}-snyk.out" + stage ("${stageIndex}.B. Scan ${assemblyType} jar using Trivy") { + script { + sh "./trivy image --pkg-types library ${assemblyImage} --output ${assemblyImage}-trivy.out" } + archiveArtifacts artifacts: "${assemblyImage}-trivy.out" } stage("${stageIndex}.C. Scan ${assemblyType} jar using Prisma") { script { @@ -62,8 +60,9 @@ pipeline { dir("docker/prisma"){ dockerImage = docker.build("node-java","-f Dockerfile .") } - sh "curl --compressed https://static.snyk.io/cli/latest/snyk-linux -o snyk" - sh "chmod +x ./snyk" + sh "wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.tar.gz" + sh "tar -zxvf trivy_0.54.1_Linux-64bit.tar.gz" + sh "chmod +x ./trivy" } } From 2a480bc13ac66313867a9533c2f424fc7c0c0de1 Mon Sep 17 00:00:00 2001 From: Adam Valenta Date: Tue, 6 Aug 2024 21:42:17 +0200 Subject: [PATCH 2/4] remove -pkg-types because it creates empty file if no vulnerability in the jar --- docker/prisma/Dockerfile | 4 +--- scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan | 7 ++++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/docker/prisma/Dockerfile b/docker/prisma/Dockerfile index c552efb0bbf7..60eb3b381dac 100644 --- a/docker/prisma/Dockerfile +++ b/docker/prisma/Dockerfile 
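Review bot: The `./trivy image` line in the new `.B.` stage drops the severity floor the Snyk command enforced with `--severity-threshold=medium`, so the archived `${assemblyImage}-trivy.out` now lists every finding down to LOW and UNKNOWN, which changes what the report means rather than just swapping the tool. Trivy's equivalent is `--severity MEDIUM,HIGH,CRITICAL`; the same line is rewritten again in PATCH 2/4 (`@@ -15,7 +16,7`) and that version is missing it as well. Unlike the old `|| true`, Trivy exits 0 on findings by default, so this stage now only fails on scanner errors; that is fine for an informational report but should be stated on the `sh` line, e.g. `// informational: trivy exits 0 on findings; add --exit-code 1 to gate the build`. setPrismaScanningStages continues outside the hunk.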
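Review bot: The tarball fetched by the new `wget` line is never verified before `tar -zxvf` unpacks it and `chmod +x ./trivy` turns it into the scanner used by every later stage, so a tampered or mis-served download would run on the agent unnoticed; pinning the version string alone does not cover that. Pinning the expected digest and checking it between the `wget` and `tar` lines closes the gap, e.g. `sh "echo '<EXPECTED_SHA256 placeholder>  trivy_0.54.1_Linux-64bit.tar.gz' | sha256sum -c -"` (`sha256sum -c` works on both GNU and busybox). PATCH 2/4 (`@@ -60,8 +61,8`) parameterises these same lines with `trivyVersion` but keeps the unverified download, so the digest belongs next to that variable. `tar -zxvf` also unpacks everything in the archive into the workspace root; since the following `chmod +x ./trivy` already assumes the binary is the top-level member `trivy`, `tar -zxf <archive> trivy` would keep only that file.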
@@ -1,5 +1,5 @@ FROM alpine:latest -RUN apk update && apk upgrade && apk add openjdk8 nodejs npm git curl +RUN apk update && apk upgrade && apk add openjdk8 nodejs npm git ENV DIRECTORIES=".config .npm .cache .local" @@ -8,6 +8,4 @@ RUN for dir in $DIRECTORIES; do \ chown -R 2117:2117 /$dir; \ done -RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin - CMD ["/bin/bash"] diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index 6bf27729b727..0e36ef0d14cc 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan +++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan @@ -3,6 +3,7 @@ @Library('test-shared-library') _ def dockerImage +def trivyVersion = "0.54.1" def setPrismaScanningStages(assemblyType, stageIndex) { branchName = "${env.BRANCH_NAME}".replace('/', '-') @@ -15,7 +16,7 @@ def setPrismaScanningStages(assemblyType, stageIndex) { } stage ("${stageIndex}.B. Scan ${assemblyType} jar using Trivy") { script { - sh "./trivy image --pkg-types library ${assemblyImage} --output ${assemblyImage}-trivy.out" + sh "./trivy image ${assemblyImage} --output ${assemblyImage}-trivy.out" } archiveArtifacts artifacts: "${assemblyImage}-trivy.out" } @@ -60,8 +61,8 @@ pipeline { dir("docker/prisma"){ dockerImage = docker.build("node-java","-f Dockerfile .") } - sh "wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.tar.gz" - sh "tar -zxvf trivy_0.54.1_Linux-64bit.tar.gz" + sh "wget https://github.com/aquasecurity/trivy/releases/download/v${trivyVersion}/trivy_${trivyVersion}_Linux-64bit.tar.gz" + sh "tar -zxvf trivy_${trivyVersion}_Linux-64bit.tar.gz" sh "chmod +x ./trivy" } From 3603ec767029e8e7bd61b476f4b18eb95186dbef Mon Sep 17 00:00:00 2001 
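Review bot: Removing `--pkg-types library` from the `./trivy image` line widens the scan from the jar's bundled libraries to the OS packages of `${assemblyImage}`'s base image as well, so the archived report now mixes base-image findings into a stage named `Scan ${assemblyType} jar`; if, as the subject says, the only goal was to avoid an empty output file when the jar is clean, this is a broader change than needed. A narrower option, if an always-present report is what matters, is to keep `--pkg-types library` and switch to `--format json`, whose document carries the artifact metadata even with zero results (worth confirming against 0.54.1 before relying on it). If the wider scope is intended, the `sh` line should say so, e.g. `// scans the base image's OS packages too, not only libraries bundled in the jar`. setPrismaScanningStages continues outside the hunk.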
From: Adam Valenta Date: Tue, 6 Aug 2024 22:10:59 +0200 Subject: [PATCH 3/4] refactor --- scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index 0e36ef0d14cc..c2d4b739f6dd 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan +++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan @@ -5,7 +5,7 @@ def dockerImage def trivyVersion = "0.54.1" -def setPrismaScanningStages(assemblyType, stageIndex) { +def setScanningStages(assemblyType, stageIndex) { branchName = "${env.BRANCH_NAME}".replace('/', '-') assemblyImage = "h2o-assemblies/${assemblyType}:${BUILD_NUMBER}-${branchName}" @@ -80,14 +80,14 @@ pipeline { } } } - stage('2. Steam assembly jar (Prisma)') { + stage('2. Steam assembly jar') { steps { - setPrismaScanningStages("steam", 2) + setScanningStages("steam", 2) } } - stage('3. Main assembly jar (Prisma)') { + stage('3. Main assembly jar') { steps { - setPrismaScanningStages("main", 3) + setScanningStages("main", 3) } } } From feb199b01d17f81cd51504d3e898dcf88e05b7e1 Mon Sep 17 00:00:00 2001 From: Adam Valenta Date: Tue, 6 Aug 2024 22:29:05 +0200 Subject: [PATCH 4/4] Replace special characters with * in order to show it directly in browser --- .../jenkins/jenkinsfiles/Jenkinsfile-PrismaScan | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan index c2d4b739f6dd..0b36d48fb85f 100644 --- a/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan +++ b/scripts/jenkins/jenkinsfiles/Jenkinsfile-PrismaScan 
@@ -17,6 +17,20 @@ def setScanningStages(assemblyType, stageIndex) { stage ("${stageIndex}.B. Scan ${assemblyType} jar using Trivy") { script { sh "./trivy image ${assemblyImage} --output ${assemblyImage}-trivy.out" + // Replace special characters with * in order to show it directly in browser + sh """ + sed -i 's/─/*/g' ${assemblyImage}-trivy.out + sed -i 's/│/*/g' ${assemblyImage}-trivy.out + sed -i 's/┤/*/g' ${assemblyImage}-trivy.out + sed -i 's/├/*/g' ${assemblyImage}-trivy.out + sed -i 's/┼/*/g' ${assemblyImage}-trivy.out + sed -i 's/┐/*/g' ${assemblyImage}-trivy.out + sed -i 's/┌/*/g' ${assemblyImage}-trivy.out + sed -i 's/└/*/g' ${assemblyImage}-trivy.out + sed -i 's/┘/*/g' ${assemblyImage}-trivy.out + sed -i 's/┬/*/g' ${assemblyImage}-trivy.out + sed -i 's/┴/*/g' ${assemblyImage}-trivy.out + """ } archiveArtifacts artifacts: "${assemblyImage}-trivy.out" }
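Review bot: The eleven consecutive `sed -i` calls in the new triple-quoted `sh` block rewrite the same report file eleven times; one pass with chained expressions does the same work and reads as a single intent, e.g. `sed -i -e 's/─/*/g' -e 's/│/*/g' … -e 's/┴/*/g' ${assemblyImage}-trivy.out` with the remaining glyphs in the same `-e` chain. The glyph list is tied to Trivy's table renderer and will silently stop matching if that output changes, so the comment above the block should name the dependency: `// Trivy's table format uses box-drawing glyphs; replaced so the artifact renders as plain text in the browser`. An alternative that avoids post-processing is a non-table `--format` such as `json`, which the browser renders as-is, at the cost of a less readable report. setScanningStages continues outside the hunk.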