Skip to content

Scan images using trivy#289

Open
dirkmueller wants to merge 1 commit intomainfrom
trivy_scan
Open

Scan images using trivy#289
dirkmueller wants to merge 1 commit intomainfrom
trivy_scan

Conversation

@dirkmueller
Copy link
Member

@dirkmueller dirkmueller commented Aug 15, 2023

No description provided.

dcermak
dcermak reviewed Aug 15, 2023
View reviewed changes
@dcermak dcermak mentioned this pull request Aug 15, 2023
Merged
@grisu48
Copy link
Contributor

grisu48 commented Aug 16, 2023

I just checked this locally with the go container (and podman) and trivy doesn't seem to be executed:

$ export CONTAINER_RUNTIME=podman
$ tox -e go -- -n auto
...
tests/test_go.py::test_build_kured[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-kured] 
tests/test_go.py::test_go_version[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
tests/test_go.py::test_base_PATH_present[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-bci/bci-base:15.5 from registry.opensuse.org/devel/bci/sle-15-sp5/images/bci/bci-base:15.5] 
tests/test_go.py::test_go_size[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
tests/test_go.py::test_go_version[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
tests/test_go.py::test_base_PATH_present[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-bci/bci-base:15.5 from registry.opensuse.org/devel/bci/sle-15-sp5/images/bci/bci-base:15.5] 
tests/test_go.py::test_go_size[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
tests/test_go.py::test_rancher_build[local-rancher-bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
[gw6] [  7%] SKIPPED tests/test_go.py::test_rancher_build[local-rancher-bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
[gw0] [ 14%] PASSED tests/test_go.py::test_go_size[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
tests/test_go.py::test_build_kured[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-kured] 
[gw4] [ 21%] PASSED tests/test_go.py::test_go_size[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
tests/test_go.py::test_build_generics_cache[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-container_git_clone0] 
[gw5] [ 28%] PASSED tests/test_go.py::test_go_version[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
tests/test_go.py::test_rancher_build[local-rancher-bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
[gw5] [ 35%] SKIPPED tests/test_go.py::test_rancher_build[local-rancher-bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
[gw3] [ 42%] PASSED tests/test_go.py::test_base_PATH_present[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-bci/bci-base:15.5 from registry.opensuse.org/devel/bci/sle-15-sp5/images/bci/bci-base:15.5]
tests/test_go.py::test_build_generics_cache[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-container_git_clone0] 
[gw2] [ 50%] PASSED tests/test_go.py::test_base_PATH_present[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-bci/bci-base:15.5 from registry.opensuse.org/devel/bci/sle-15-sp5/images/bci/bci-base:15.5]
tests/test_go.py::test_go_get_binary_in_path[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
[gw1] [ 57%] PASSED tests/test_go.py::test_go_version[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
tests/test_go.py::test_go_get_binary_in_path[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
[gw1] [ 64%] PASSED tests/test_go.py::test_go_get_binary_in_path[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19] 
[gw3] [ 71%] PASSED tests/test_go.py::test_build_generics_cache[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-container_git_clone0] 
[gw4] [ 78%] PASSED tests/test_go.py::test_build_generics_cache[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-container_git_clone0] 
[gw2] [ 85%] PASSED tests/test_go.py::test_go_get_binary_in_path[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20] 
[gw7] [ 92%] PASSED tests/test_go.py::test_build_kured[bci/golang:1.19 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.19-kured] 
[gw0] [100%] PASSED tests/test_go.py::test_build_kured[bci/golang:1.20 from registry.opensuse.org/devel/bci/sle-15-sp5/containerfile/bci/golang:1.20-kured]

Can't find the trivy_image_scan test run therein 🤔

@dcermak
Copy link
Contributor

dcermak commented Aug 17, 2023

I just checked this locally with the go container (and podman) and trivy doesn't seem to be executed:

That is because the trivy scan is part of the all test and not of go.

@dirkmueller dirkmueller marked this pull request as ready for review August 19, 2023 19:47
@grisu48
Copy link
Contributor

grisu48 commented Sep 12, 2023

That is because the trivy scan is part of the all test and not of go.

And I was wrongly assuming that all is executed everywhere. And I will make this mistake again 😅

@dirkmueller dirkmueller force-pushed the trivy_scan branch 2 times, most recently from 9adb95f to dcd8091 Compare October 29, 2023 09:37
@dirkmueller dirkmueller requested a review from dcermak January 23, 2024 12:34
dcermak
dcermak suggested changes Jan 24, 2024
View reviewed changes
Copy link
Contributor

@dcermak dcermak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good idea, but I do not think that we should add this to the test suite. Currently we have a bunch of test failures due to this and I don't see how we will ever be all green, there's always going to be an issue somewhere.

But my main issue is this: imagine we have a CVE that we need to fix. But now trivy is red, hence we have an overall test failure, so QA will flag the new build as faulty and they have to manually waive all the failing tests. This is imho not helping when we need to get a fix out.

Open to counter-opinions, but in this state, this is not helping

@dirkmueller
Copy link
Member Author

dirkmueller commented Jan 25, 2024
edited
Loading

Currently we have a bunch of test failures due to this

That's only because of TARGET=ibs-released. I can remove that easily from the testing matrix, but that is entirely unrelated to the rest of your comment because QA is never running with it

and I don't see how we will ever be all green, there's always going to be an issue somewhere.
I don't see how. we should be having it in the testsuite to prevent images with issues going out.

But my main issue is this: imagine we have a CVE that we need to fix. But now trivy is red, hence we have an overall test failure, so QA will flag the new build as faulty and they have to manually waive all the failing tests.

trivy will only flag it if the image still contains the CVE, so that's exactly what we'd like to make the check do.

This is imho not helping when we need to get a fix out.

it prevents releasing unfixed images. it doesn't prevent releasing fixed images.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@dcermak dcermak dcermak requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dirkmueller @grisu48 @dcermak