add Java / JDK image scan option #115
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
/test all |
|
/test all |
|
/test all |
tchughesiv
force-pushed
the
java
branch
4 times, most recently
from
5a24bcd to
f8022c1
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
internal/podman/podman.go
Outdated
| return stdout, fmt.Errorf("podman error (args=%v) (stderr=%v) (error=%w)", args, stderr.String(), err) | ||
| } | ||
| return stdout, nil | ||
| } | ||
|
|
||
| func ScanJava(ctx context.Context, image string, javaDisabledAlgorithms []string) (string, error) { | ||
| javaFilePath, _, err := releases.GetJavaFile() | ||
| defer os.Remove(javaFilePath) |
There was a problem hiding this comment.
why is there a remove of this file?
There was a problem hiding this comment.
The defer here needs cleaned up... It should be after the err check.
dist/releases/embeds.go
Outdated
| if err != nil { | ||
| return "", "", err | ||
| } | ||
| fileModeRO := os.FileMode(syscall.S_IRUSR) | os.FileMode(syscall.S_IRGRP) | os.FileMode(syscall.S_IROTH) |
There was a problem hiding this comment.
If any of the if statements here error the temp file isn't cleaned up. This function should defer cleanup the tempfile.
internal/podman/podman.go
Outdated
| } | ||
|
|
||
| algFilePath, algFile, err := releases.GetAlgorithmFile(javaDisabledAlgorithms) | ||
| defer os.Remove(algFilePath) |
|
This looks good after the few fixes requested! Thanks! |
tchughesiv
force-pushed
the
java
branch
2 times, most recently
from
d5a7aaa to
6cf1f76
Compare
|
tks @rphillips ... fixes have been applied |
dist/releases/embeds.go
Outdated
| names := make([]string, len(dirs)) | ||
| for i, d := range dirs { | ||
| names[i] = d.Name() | ||
| names := []string{} |
There was a problem hiding this comment.
I think you can still benefit from the optimization (that this commit removes) of knowing the slice length. You just use capacity rather than size for make.
dist/releases/embeds.go
Outdated
| names[i] = d.Name() | ||
| names := []string{} | ||
| for _, d := range dirs { | ||
| if d.Name() != "java" { |
There was a problem hiding this comment.
if name := d.Name(); name != "java" {
names = append(names, name)
}(so that we don't call d.Name() twice).
dist/releases/embeds.go
Outdated
|
|
||
| semver "github.com/Masterminds/semver/v3" | ||
| ) | ||
|
|
||
| //go:embed */* | ||
| var configs embed.FS | ||
| var JavaFips = "FIPS.java" |
There was a problem hiding this comment.
is this supposed to be a constant?
dist/releases/embeds.go
Outdated
| return createTempFile(r.Bytes(), "disabledAlgorithms") | ||
| } | ||
|
|
||
| // createTempFile returns a temporary file with specified content and prefix, created in the OS's default temp folder |
dist/releases/embeds.go
Outdated
| } | ||
|
|
||
| // createTempFile returns a temporary file with specified content and prefix, created in the OS's default temp folder | ||
| // Closing of the file (defer os.Remove(file.Name())) is the caller's responsibility |
dist/releases/embeds.go
Outdated
| r := bytes.NewBuffer([]byte{}) | ||
| for i := range javaDisabledAlgorithms { | ||
| r.WriteString(javaDisabledAlgorithms[i] + "\n") | ||
| } | ||
|
|
||
| return createTempFile(r.Bytes(), "disabledAlgorithms") |
There was a problem hiding this comment.
I think you can replace this with something like
return createTempFile([]byte(strings.Join(javaDisabledAlgorithms, "\n")), "disabledAlgorithms")(with an intermediate variable, if you prefer it that way)
dist/releases/embeds.go
Outdated
| // createTempFile returns a temporary file with specified content and prefix, created in the OS's default temp folder | ||
| // Closing of the file (defer os.Remove(file.Name())) is the caller's responsibility | ||
| func createTempFile(content []byte, prefix string) (fileFullPath, fileName string, err error) { | ||
| file, err := os.CreateTemp(os.TempDir(), prefix) |
There was a problem hiding this comment.
s/os.TempDir()/""/
because
If dir is the empty string, CreateTemp uses the default directory for temporary files, as returned by TempDir.
internal/podman/podman.go
Outdated
| } | ||
|
|
||
| if validations.JavaClassLessThan52.Check(javaClassVersion) { | ||
| return "", fmt.Errorf("this scan tool supports java 1.8+") |
There was a problem hiding this comment.
nit: s/fmt.Errorf/errors.New/
internal/podman/podman.go
Outdated
| return "", err | ||
| } | ||
|
|
||
| cmdArgs2 := []string{"run", "--rm", "--entrypoint", "", "-v", javaFilePath + ":" + jInfo.WorkingDir + "/" + releases.JavaFips + ":z", "-v", algFilePath + ":" + jInfo.WorkingDir + "/" + algFile + ":z", image} |
There was a problem hiding this comment.
maybe use better names than cmdArgs1 and cmdArgs2. Or just reuse cmdArgs variable.
internal/podman/podman.go
Outdated
| } else { | ||
| cmdArgs2 = append(cmdArgs2, []string{"java", releases.JavaFips, algFile}...) | ||
| } | ||
| stdout2, err := runPodman(ctx, cmdArgs2...) |
There was a problem hiding this comment.
you can definitely reuse stdout variable here.
internal/podman/podman.go
Outdated
| } | ||
| stdout2, err := runPodman(ctx, cmdArgs2...) | ||
| if err != nil { | ||
| fmt.Println(stdout2.String()) |
internal/scan/scan.go
Outdated
| @@ -231,6 +231,25 @@ func validateTag(ctx context.Context, tag *v1.TagReference, cfg *types.Config) * | |||
| // - skip per-tag and per-component config rules. | |||
| return rpmRootScan(ctx, cfg, mountPath) | |||
| } | |||
|
|
|||
| // java | |||
There was a problem hiding this comment.
IMO this comment adds no value.
internal/scan/scan.go
Outdated
| // openssl related results should be a warning for java. | ||
| // java has its own native implementation of SSL |
There was a problem hiding this comment.
nit: please use complete sentences.
tchughesiv
force-pushed
the
java
branch
2 times, most recently
from
7deac77 to
6143d5b
Compare
|
@kolyshkin thanks for the review! i've made those fixes. sorry for the sloppy code :) |
internal/podman/podman.go
Outdated
| @@ -58,11 +64,82 @@ func runPodman(ctx context.Context, args ...string) (bytes.Buffer, error) { | |||
| cmd.Stdout = &stdout | |||
| cmd.Stderr = &stderr | |||
| if err := cmd.Run(); err != nil { | |||
| // Exit code 8 is used to differentiate valid java scan returns from other execution errors. | |||
| var exiterr *exec.ExitError | |||
| if errors.As(err, &exiterr); exiterr.ExitCode() == 8 { | |||
There was a problem hiding this comment.
Let's define a constant for the 8.
tchughesiv
force-pushed
the
java
branch
2 times, most recently
from
a7cc253 to
061b1d1
Compare
|
/lgtm |
|
@tchughesiv can you please squash the commits and I will re-review? |
|
@kolyshkin done |
dist/releases/embeds.go
Outdated
| names := make([]string, len(dirs)) | ||
| for i, d := range dirs { | ||
| names[i] = d.Name() | ||
| names := make([]string, 0, cap(dirs)) |
There was a problem hiding this comment.
nit: I think it should be len(dirs) here (because the cap could be more than len, and we won't add more elements than len).
Signed-off-by: Tommy Hughes <tohughes@redhat.com>
|
@tchughesiv: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kolyshkin, tchughesiv The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
% sudo ./check-payload scan java -h Usage: check-payload scan java-image [image pull spec] [flags] Aliases: java-image, java Flags: --disabled-algorithms strings additional algorithms that java should be disabling in FIPS mode -h, --help help for java-image --rpm-scan use RPM scan (same as during node scan) --spec string java payload urlRequirements to run -
example printer outputs -
Future enhancements?