Perform actions when aqua scan detects security vulnerabilities with solutions #1147

Merged (58 commits), Aug 14, 2024

Conversation

@valituguran valituguran commented Aug 8, 2024

Actions performed:

  • Failing a pipeline when a security vulnerability with a solution is found
  • Deleting the vulnerable image
  • Checking that the scan runs correctly
  • Add a blocking entry to the code insight sent to Bitbucket
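As an added illustration of the gating the list above describes (this is example code, not the shared library's own code): a stand-alone Groovy class that filters an Aqua report for remote, critical vulnerabilities that carry a solution and builds the Bitbucket code-insight payload with the Blocking marker. The sample report is constructed; its resources[].vulnerabilities[] layout and the field names aqua_severity and solution are assumptions, while exploit_type is the field the page's own code reads. Save it as AquaGate.groovy and run it with groovy.

```groovy
import groovy.json.JsonOutput
import groovy.json.JsonSlurper

class AquaGate {
    static final String EXPLOIT_TYPE_REMOTE = 'remote'
    static final String SEVERITY_CRITICAL = 'critical'
    // Constructed sample, not real scanner output; the resources[].vulnerabilities[] layout
    // and the fields aqua_severity and solution are assumptions, exploit_type is from the page.
    static final String SAMPLE = '''{"resources": [{"resource": {"name": "openssl"}, "vulnerabilities": [
      {"name": "VULN-A", "aqua_severity": "critical", "exploit_type": "remote", "solution": "Upgrade openssl"},
      {"name": "VULN-B", "aqua_severity": "critical", "exploit_type": "remote"},
      {"name": "VULN-C", "aqua_severity": "high", "exploit_type": "remote", "solution": "Upgrade"}]}]}'''

    // Remote, critical and carrying a solution: only this combination blocks the build.
    static boolean isActionable(Map vul) {
        return (vul.exploit_type as String)?.equalsIgnoreCase(EXPLOIT_TYPE_REMOTE) &&
               (vul.aqua_severity as String)?.equalsIgnoreCase(SEVERITY_CRITICAL) &&
               (vul.solution as String)?.trim()
    }

    static List<Map> actionableVulnerabilities(Map aquaJsonMap) {
        List<Map> found = []
        (aquaJsonMap.resources ?: []).each { res ->
            Map resource = res as Map
            (resource.vulnerabilities ?: []).each { vul ->
                Map vulnerability = vul as Map
                if (isActionable(vulnerability)) {
                    found << (vulnerability + [resource: (resource.resource as Map)?.name])
                }
            }
        }
        return found
    }

    // Bitbucket code insight payload: the Blocking entry is the marker the PR adds, appended once.
    static Map codeInsightData(List<Map> actionable) {
        List<Map> messages = [[title: 'Messages', type: 'TEXT',
                               value: "${actionable.size()} actionable vulnerabilities".toString()]]
        if (actionable) {
            messages << [title: 'Blocking', type: 'TEXT', value: 'Yes']
        }
        return [title: 'Aqua Security', messages: messages]
    }

    static void main(String[] args) {
        List<Map> actionable = actionableVulnerabilities(new JsonSlurper().parseText(SAMPLE) as Map)
        println JsonOutput.prettyPrint(JsonOutput.toJson(codeInsightData(actionable)))
        // The Jenkins stage would delete the vulnerable image tag here before failing the build.
        if (actionable) throw new IllegalStateException("Blocked by: ${actionable*.name.join(', ')}")
    }
}
```

With the sample above only VULN-A is actionable, so the payload carries the Blocking entry and the run ends with the exception that stands in for the failed pipeline.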

zxBCN Valeriu_Tuguran,Constantin (IT EDP) EXTERNAL added 30 commits July 29, 2024 17:12
@valituguran valituguran changed the title Security scan when creating container images Aqua security scan when creating container images Aug 8, 2024
@valituguran valituguran changed the title Aqua security scan when creating container images Perform actions when aqua scan detects security vulnerabilities with solutions Aug 8, 2024
zxBCN Valeriu_Tuguran,Constantin (IT EDP) EXTERNAL added 2 commits August 8, 2024 16:26
@hrcornejo hrcornejo self-requested a review August 8, 2024 14:30
@tbugfinder

Doc should also be updated.
https://github.com/opendevstack/ods-jenkins-shared-library/blob/master/docs/modules/jenkins-shared-library/partials/odsComponentStageScanWithAqua.adoc

aquaJsonMap.resources.each { it ->
(it as Map).vulnerabilities.each { vul ->
Map vulnerability = vul as Map
if ((vulnerability?.exploit_type as String)?.equalsIgnoreCase("remote")
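Review bot: the condition on the last line of this hunk is cut off and only the exploit_type "remote" check is visible, while the commit message says the pipeline fails on remote critical vulnerabilities that have a solution; make sure the remaining clauses check severity and the presence of a solution with the same null-safe `?.` style, and consider moving the whole predicate into a named method such as `isActionable(Map vul)` so it can be unit tested and reused. The literals "remote" and "critical" should be constants, which the comment on this hunk also asks for.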
Contributor:
Use constant for "remote" and "critical"

@@ -199,13 +215,28 @@ class ScanWithAquaStage extends Stage {
[ title: "Messages", value: prepareMessageToBitbucket(messages), ]
])
}
if (actionableVulnerabilities?.size() > 0) {
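Review bot: `actionableVulnerabilities?.size() > 0` is false for a null list only because Groovy orders null below numbers; `if (actionableVulnerabilities)` is the idiomatic Groovy truth check (null or empty list is false) and states the intent directly.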
Contributor:
Why not add a new message per actionable vulnerability, like: title: "Exploitable vulnerability", value: information about the vulnerability (using prepareMessageToBitbucket)?

Contributor Author:
We need this specific entry to be present in the data structure as a marker: {
"title": "Blocking",
"type": "TEXT",
"value": "Yes"
}

value: "Yes"
])
} else {
data.put("messages", [
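Review bot: the `else` branch repeats the `data.put("messages", [...])` construction of the `if` branch, with the Blocking entry as the only difference; build the message list once, append `[title: "Blocking", type: "TEXT", value: "Yes"]` when `actionableVulnerabilities` is non-empty, and call `data.put("messages", messages)` a single time so the two branches cannot drift apart.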
Contributor:
Try to avoid duplicate parts. If "messages" is needed, add it and later add the information.


bitbucket.createCodeInsightReport(data, context.repoName, context.gitCommit)
}

private createBitbucketCodeInsightReport(String messages) {
String title = "Aqua Security"
String details = "There was some problems with Aqua:"
String details = "There were some problems with Aqua"
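Review bot: the replaced line fixes "was" to "were" but drops the trailing colon, so this message is no longer consistent with the other messages; keep `"There were some problems with Aqua:"`. The enclosing `private createBitbucketCodeInsightReport(String messages)` also has no declared return type; `private void` would make the intent explicit.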
@hrcornejo Aug 9, 2024:
Maintain the ":" at the end (to be coherent with other messages; the fix of "was" is right):
(screenshot)

zxBCN Valeriu_Tuguran,Constantin (IT EDP) EXTERNAL added 4 commits August 12, 2024 09:22
@valituguran valituguran requested a review from hrcornejo August 12, 2024 13:06
@hrcornejo

Release Manager with a component containing security vulnerabilities with a solution:

  • Failing a pipeline when a security vulnerability with a solution is found (screenshots)
  • Deleting the vulnerable image (screenshots)
    (screenshot: non existing tag)
  • Add a blocking entry to the code insight sent to Bitbucket (screenshot)
  • Checking that the scan runs correctly (screenshot)

Single component containing security vulnerabilities with a solution:

  • Also failing the pipeline, deleting image (screenshot)

@valituguran valituguran merged commit 95ab157 into master Aug 14, 2024
3 checks passed
@valituguran valituguran deleted the test-aqua branch August 14, 2024 07:27
BraisVQ pushed a commit that referenced this pull request Oct 23, 2024
…solutions (#1147)

Fail pipeline in case of remote critical with solution vulnerabilities.