chore: sync stdout before container is stopped

The container is otherwise stopped before the result of
the scan is outputted to stdout, resulting in errored scan jobs.

Author: daanschipper

pkg/plugins/trivy/image.go

@@ -690,7 +690,8 @@ func buildTrailingCommandArgs(resultFileName string, compressLogs bool) string {
 	} else {
 		cmd = fmt.Sprintf("cat /tmp/scan/%s", resultFileName)
 	}
-	return fmt.Sprintf("; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/%s.log; else %s; fi; exit $rc", resultFileName, cmd)
+	// Sync is required to flush the result to stdout before the scan job container exits, otherwise the output will be cut off halfway.
+	return fmt.Sprintf("; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/%s.log && sync; else %s && sync; fi; exit $rc", resultFileName, cmd)
 }
 
 func GetSbomScanCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, sbomFile, trivyServerURL, resultFileName string) ([]string, []string) {

pkg/plugins/trivy/image_test.go

@@ -79,7 +79,7 @@ func TestGetSbomScanCommandAndArgs(t *testing.T) {
 			serverUrl:      "",
 			resultFileName: "result_output.json",
 			compressedLogs: "true",
-			wantArgs:       []string{"-c", "trivy --cache-dir /tmp/trivy/.cache sbom --format json /tmp/scan/bom.json --slow --skip-db-update --output /tmp/scan/result_output.json 2>/tmp/scan/result_output.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_output.json.log; else bzip2 -c /tmp/scan/result_output.json | base64; fi; exit $rc"},
+			wantArgs:       []string{"-c", "trivy --cache-dir /tmp/trivy/.cache sbom --format json /tmp/scan/bom.json --slow --skip-db-update --output /tmp/scan/result_output.json 2>/tmp/scan/result_output.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_output.json.log && sync; else bzip2 -c /tmp/scan/result_output.json | base64 && sync; fi; exit $rc"},
 			wantCmd:        []string{"/bin/sh"},
 		},
 		{
@@ -89,7 +89,7 @@ func TestGetSbomScanCommandAndArgs(t *testing.T) {
 			serverUrl:      "",
 			resultFileName: "result_output.json",
 			compressedLogs: "false",
-			wantArgs:       []string{"-c", "trivy --cache-dir /tmp/trivy/.cache sbom --format json /tmp/scan/bom.json --slow --skip-db-update --output /tmp/scan/result_output.json 2>/tmp/scan/result_output.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_output.json.log; else cat /tmp/scan/result_output.json; fi; exit $rc"},
+			wantArgs:       []string{"-c", "trivy --cache-dir /tmp/trivy/.cache sbom --format json /tmp/scan/bom.json --slow --skip-db-update --output /tmp/scan/result_output.json 2>/tmp/scan/result_output.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_output.json.log && sync; else cat /tmp/scan/result_output.json && sync; fi; exit $rc"},
 			wantCmd:        []string{"/bin/sh"},
 		},
 		{
@@ -99,7 +99,7 @@ func TestGetSbomScanCommandAndArgs(t *testing.T) {
 			serverUrl:      "http://trivy-server:8080",
 			resultFileName: "result_output.json",
 			compressedLogs: "true",
-			wantArgs:       []string{"-c", "trivy --cache-dir /tmp/trivy/.cache sbom --format json --server http://trivy-server:8080 /tmp/scan/bom.json --slow --output /tmp/scan/result_output.json 2>/tmp/scan/result_output.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_output.json.log; else bzip2 -c /tmp/scan/result_output.json | base64; fi; exit $rc"},
+			wantArgs:       []string{"-c", "trivy --cache-dir /tmp/trivy/.cache sbom --format json --server http://trivy-server:8080 /tmp/scan/bom.json --slow --output /tmp/scan/result_output.json 2>/tmp/scan/result_output.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_output.json.log && sync; else bzip2 -c /tmp/scan/result_output.json | base64 && sync; fi; exit $rc"},
 			wantCmd:        []string{"/bin/sh"},
 		},
 		{
@@ -109,7 +109,7 @@ func TestGetSbomScanCommandAndArgs(t *testing.T) {
 			serverUrl:      "http://trivy-server:8080",
 			resultFileName: "result_output.json",
 			compressedLogs: "false",
-			wantArgs:       []string{"-c", "trivy --cache-dir /tmp/trivy/.cache sbom --format json --server http://trivy-server:8080 /tmp/scan/bom.json --slow --output /tmp/scan/result_output.json 2>/tmp/scan/result_output.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_output.json.log; else cat /tmp/scan/result_output.json; fi; exit $rc"},
+			wantArgs:       []string{"-c", "trivy --cache-dir /tmp/trivy/.cache sbom --format json --server http://trivy-server:8080 /tmp/scan/bom.json --slow --output /tmp/scan/result_output.json 2>/tmp/scan/result_output.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_output.json.log && sync; else cat /tmp/scan/result_output.json && sync; fi; exit $rc"},
 			wantCmd:        []string{"/bin/sh"},
 		},
 	}

pkg/plugins/trivy/plugin_test.go

@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image busybox:1.28 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_hello.json 2>/tmp/scan/result_hello.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_hello.json.log; else bzip2 -c /tmp/scan/result_hello.json | base64; fi; exit $rc
+            - trivy image busybox:1.28 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_hello.json 2>/tmp/scan/result_hello.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_hello.json.log && sync; else bzip2 -c /tmp/scan/result_hello.json | base64 && sync; fi; exit $rc
           command:
             - /bin/sh
           env:

tests/envtest/testdata/fixture/cronjob-expected-scan.yaml

@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image quay.io/fluentd_elasticsearch/fluentd:v2.5.2 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_fluentd-elasticsearch.json 2>/tmp/scan/result_fluentd-elasticsearch.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_fluentd-elasticsearch.json.log; else bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64; fi; exit $rc
+            - trivy image quay.io/fluentd_elasticsearch/fluentd:v2.5.2 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_fluentd-elasticsearch.json 2>/tmp/scan/result_fluentd-elasticsearch.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_fluentd-elasticsearch.json.log && sync; else bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64 && sync; fi; exit $rc
           command:
             - /bin/sh
           env:

tests/envtest/testdata/fixture/daemonset-expected-scan.yaml

@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image perl:5.34 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_pi.json 2>/tmp/scan/result_pi.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_pi.json.log; else bzip2 -c /tmp/scan/result_pi.json | base64; fi; exit $rc
+            - trivy image perl:5.34 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_pi.json 2>/tmp/scan/result_pi.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_pi.json.log && sync; else bzip2 -c /tmp/scan/result_pi.json | base64 && sync; fi; exit $rc
           command:
             - /bin/sh
           env:

tests/envtest/testdata/fixture/job-expected-scan.yaml

@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image app-image:app-image-tag --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_app.json 2>/tmp/scan/result_app.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_app.json.log; else bzip2 -c /tmp/scan/result_app.json | base64; fi; exit $rc
+            - trivy image app-image:app-image-tag --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_app.json 2>/tmp/scan/result_app.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_app.json.log && sync; else bzip2 -c /tmp/scan/result_app.json | base64 && sync; fi; exit $rc
           command:
             - /bin/sh
           env:

tests/envtest/testdata/fixture/pod-expected-scan.yaml

@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image wordpress:4.9 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_wordpress.json 2>/tmp/scan/result_wordpress.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_wordpress.json.log; else bzip2 -c /tmp/scan/result_wordpress.json | base64; fi; exit $rc
+            - trivy image wordpress:4.9 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_wordpress.json 2>/tmp/scan/result_wordpress.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_wordpress.json.log && sync; else bzip2 -c /tmp/scan/result_wordpress.json | base64 && sync; fi; exit $rc
           command:
             - /bin/sh
           env:

tests/envtest/testdata/fixture/replicaset-expected-scan.yaml

@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image nginx --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_nginx.json 2>/tmp/scan/result_nginx.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_nginx.json.log; else bzip2 -c /tmp/scan/result_nginx.json | base64; fi; exit $rc
+            - trivy image nginx --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_nginx.json 2>/tmp/scan/result_nginx.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_nginx.json.log && sync; else bzip2 -c /tmp/scan/result_nginx.json | base64 && sync; fi; exit $rc
           command:
             - /bin/sh
           env:

tests/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml

@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image k8s.gcr.io/nginx-slim:0.8 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_nginx.json 2>/tmp/scan/result_nginx.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_nginx.json.log; else bzip2 -c /tmp/scan/result_nginx.json | base64; fi; exit $rc
+            - trivy image k8s.gcr.io/nginx-slim:0.8 --cache-dir /tmp/trivy/.cache --format json --image-config-scanners secret --security-checks vuln,secret --skip-update --slow --output /tmp/scan/result_nginx.json 2>/tmp/scan/result_nginx.json.log ; rc=$?; if [ $rc -eq 1 ]; then cat /tmp/scan/result_nginx.json.log && sync; else bzip2 -c /tmp/scan/result_nginx.json | base64 && sync; fi; exit $rc
           command:
             - /bin/sh
           env: