From dcfa8b81265212e085a99350c26dee1947590e69 Mon Sep 17 00:00:00 2001
From: Matheus Moraes
Date: Fri, 26 Apr 2024 12:33:37 -0300
Subject: [PATCH 1/4] bump kubexns version from v0.1.3 to v0.1.4 (#279)
---
 charts/zora/README.md | 2 +-
 charts/zora/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/zora/README.md b/charts/zora/README.md
index 439bdfcb..dc560d58 100644
--- a/charts/zora/README.md
+++ b/charts/zora/README.md
@@ -133,7 +133,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
 | scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
-| kubexnsImage.tag | string | `"v0.1.3"` | kubexns image tag |
+| kubexnsImage.tag | string | `"v0.1.4"` | kubexns image tag |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |
 | httpsProxy | string | `""` | HTTPS proxy URL |
 | noProxy | string | `"kubernetes.default.svc.*,127.0.0.1,localhost"` | Comma-separated list of URL patterns to be excluded from going through the proxy |
diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml
index f8847c41..08542699 100644
--- a/charts/zora/values.yaml
+++ b/charts/zora/values.yaml
@@ -276,7 +276,7 @@ kubexnsImage: # -- kubexns image repository repository: ghcr.io/undistro/kubexns # -- kubexns image tag - tag: v0.1.3 + tag: v0.1.4 # -- Custom checks ConfigMap name customChecksConfigMap: zora-custom-checks
From 8e3638055f57986cb51d70f43e494d3a1138db74 Mon Sep 17 00:00:00 2001
From: Kevin Conner
Date: Tue, 7 May 2024 06:55:44 -0700
Subject: [PATCH 2/4] UD-1423: Update charts to use the floating tags
---
 charts/zora/README.md | 7 +++++--
 charts/zora/templates/plugins/marvin.yaml | 3 +++
 charts/zora/templates/plugins/popeye.yaml | 3 +++
 charts/zora/templates/plugins/trivy.yaml | 7 ++++---
 charts/zora/values.yaml | 12 +++++++++---
 5 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/charts/zora/README.md b/charts/zora/README.md
index dc560d58..bd915f15 100644
--- a/charts/zora/README.md
+++ b/charts/zora/README.md
@@ -108,6 +108,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.marvin.podAnnotations | object | `{}` | Annotations added to the marvin pods |
 | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
 | scan.plugins.marvin.image.tag | string | `"v0.2.3"` | marvin plugin image tag |
+| scan.plugins.marvin.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | scan.plugins.marvin.env | list | `[]` | List of environment variables to set in marvin container. |
 | scan.plugins.marvin.envFrom | list | `[]` | List of sources to populate environment variables in marvin container. |
 | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
@@ -115,7 +116,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.podAnnotations | object | `{}` | Annotations added to the trivy pods |
 | scan.plugins.trivy.image.repository | string | `"ghcr.io/undistro/trivy"` | trivy plugin image repository |
-| scan.plugins.trivy.image.tag | string | `"0.50.1-1"` | trivy plugin image tag |
+| scan.plugins.trivy.image.tag | float | `0.51` | trivy plugin image tag |
+| scan.plugins.trivy.image.pullPolicy | string | `"Always"` | Image pull policy |
 | scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. |
 | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. |
 | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout |
@@ -129,7 +131,8 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
-| scan.plugins.popeye.image.tag | string | `"0.21.3-6"` | popeye plugin image tag |
+| scan.plugins.popeye.image.tag | float | `0.21` | popeye plugin image tag |
+| scan.plugins.popeye.image.pullPolicy | string | `"Always"` | Image pull policy |
 | scan.plugins.popeye.env | list | `[]` | List of environment variables to set in popeye container. |
 | scan.plugins.popeye.envFrom | list | `[]` | List of sources to populate environment variables in popeye container. |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
diff --git a/charts/zora/templates/plugins/marvin.yaml b/charts/zora/templates/plugins/marvin.yaml
index 0394b139..cca0c28a 100644
--- a/charts/zora/templates/plugins/marvin.yaml
+++ b/charts/zora/templates/plugins/marvin.yaml
@@ -21,6 +21,9 @@ metadata:
 spec:
 type: misconfiguration
 image: "{{ .Values.scan.plugins.marvin.image.repository }}:{{ .Values.scan.plugins.marvin.image.tag }}"
+ {{- if .Values.scan.plugins.marvin.image.pullPolicy }}
+ imagePullPolicy: "{{ .Values.scan.plugins.marvin.image.pullPolicy }}"
+ {{- end }}
 {{- if .Values.scan.plugins.marvin.resources }}
 resources:
 {{- toYaml .Values.scan.plugins.marvin.resources | nindent 4 }}
diff --git a/charts/zora/templates/plugins/popeye.yaml b/charts/zora/templates/plugins/popeye.yaml
index 4d9e35b9..97897378 100644
--- a/charts/zora/templates/plugins/popeye.yaml
+++ b/charts/zora/templates/plugins/popeye.yaml
@@ -21,6 +21,9 @@ metadata:
 spec:
 type: misconfiguration
 image: "{{ .Values.scan.plugins.popeye.image.repository }}:{{ .Values.scan.plugins.popeye.image.tag }}"
+ {{- if .Values.scan.plugins.popeye.image.pullPolicy }}
+ imagePullPolicy: "{{ .Values.scan.plugins.popeye.image.pullPolicy }}"
+ {{- end }}
 {{- if .Values.scan.plugins.popeye.resources }}
 resources:
 {{- toYaml .Values.scan.plugins.popeye.resources | nindent 4 }}
diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml
index 22a2d497..222dd49a 100644
--- a/charts/zora/templates/plugins/trivy.yaml
+++ b/charts/zora/templates/plugins/trivy.yaml
@@ -21,6 +21,9 @@ metadata:
 spec:
 type: vulnerability
 image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}"
+ {{- if .Values.scan.plugins.trivy.image.pullPolicy }}
+ imagePullPolicy: "{{ .Values.scan.plugins.trivy.image.pullPolicy }}"
+ {{- end }}
 {{- if .Values.scan.plugins.trivy.resources }}
 resources:
 {{- toYaml .Values.scan.plugins.trivy.resources | nindent 4 }}
@@ -58,7 +61,6 @@ spec:
 time trivy k8s \
 --debug \
 --no-progress \
- --all-namespaces \
 --scanners=vuln \
 -f=json \
 --cache-dir=/tmp/trivy-cache \
@@ -69,8 +71,7 @@ spec: --ignore-unfixed \ {{- end }} --timeout={{ .Values.scan.plugins.trivy.timeout | quote }} \ - -o $(DONE_DIR)/results.json \ - cluster + -o $(DONE_DIR)/results.json exitcode=$(echo $?) if [ $exitcode -ne 0 ]; then
diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml
index 08542699..c67d50c4 100644
--- a/charts/zora/values.yaml
+++ b/charts/zora/values.yaml
@@ -191,6 +191,8 @@ scan:
 repository: ghcr.io/undistro/marvin
 # -- marvin plugin image tag
 tag: v0.2.3
+ # -- Image pull policy
+ pullPolicy: IfNotPresent
 # -- List of environment variables to set in marvin container.
 env: []
 # -- List of sources to populate environment variables in marvin container.
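Review bot: Removing `--all-namespaces` here, together with the `cluster` target in the `@@ -69,8 +71,7 @@` hunk, changes the scan's scope as well as its syntax, and nothing in the script records why; if the trivy build that the floating `0.51` tag resolves to does not scan every namespace by default, workloads outside the plugin's own namespace silently vanish from the vulnerability results instead of the scan failing. Please confirm the default against the CLI of the image actually pulled and record that assumption next to the command, e.g. `# assumes trivy >= 0.51: whole-cluster scan is the default and the cluster target / --all-namespaces are no longer accepted -- confirm on upgrade`. Because `pullPolicy: Always` is now paired with a floating tag, this CLI contract can shift again on the next pull without any chart change, so a digest-pinned image would keep the script and the binary it drives in step. The scan script continues before and after both hunks.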
@@ -209,7 +211,9 @@ scan:
 # -- trivy plugin image repository
 repository: ghcr.io/undistro/trivy
 # -- trivy plugin image tag
- tag: 0.50.1-1
+ tag: 0.51
+ # -- Image pull policy
+ pullPolicy: Always
 # -- List of environment variables to set in trivy container.
 env: []
 # - name: AWS_REGION
@@ -266,7 +270,9 @@ scan:
 # -- popeye plugin image repository
 repository: ghcr.io/undistro/popeye
 # -- popeye plugin image tag
- tag: 0.21.3-6
+ tag: 0.21
+ # -- Image pull policy
+ pullPolicy: Always
 # -- List of environment variables to set in popeye container.
 env: []
 # -- List of sources to populate environment variables in popeye container.
@@ -288,4 +294,4 @@ noProxy: kubernetes.default.svc.*,127.0.0.1,localhost # -- (bool) Specifies whether CRDs should be updated by operator at startup # @default -- `true` for upgrades -updateCRDs: \ No newline at end of file +updateCRDs:
From e03a7335d8aa61a216a9075f871f0f4ca9cb5561 Mon Sep 17 00:00:00 2001
From: Kevin Conner
Date: Tue, 7 May 2024 06:47:29 -0700
Subject: [PATCH 3/4] UD-1425: set the trivy security contest to run as non-root, preventing POP-302,POP-306
---
 charts/zora/templates/plugins/trivy.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml
index 222dd49a..f25c1c5a 100644
--- a/charts/zora/templates/plugins/trivy.yaml
+++ b/charts/zora/templates/plugins/trivy.yaml
@@ -30,6 +30,7 @@ spec:
 {{- end }}
 mountCustomChecksVolume: false
 securityContext:
+ runAsNonRoot: true
 allowPrivilegeEscalation: false
 privileged: false
 {{- with .Values.scan.plugins.trivy.envFrom }}
From 4b07723d306cd4a8d2a1b7263960ac68a6a508dd Mon Sep 17 00:00:00 2001
From: Kevin Conner
Date: Tue, 7 May 2024 06:38:45 -0700
Subject: [PATCH 4/4] UD-1424: delay start of popeye plugin to allow other scans to start, preventing POP-203,POP-204,POP-207
---
 charts/zora/templates/plugins/popeye.yaml | 1 +
 1 file changed, 1 insertion(+)
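Review bot: `tag: 0.51` here and `tag: 0.21` in the `@@ -266,7 +270,9 @@` hunk are plain scalars that YAML types as floats — the README hunks in this same commit already show helm-docs reporting them as `float` — so the next floating tag with a trailing zero (`0.60`, `0.20`) would render into the `image:` field as `0.6`/`0.2` and pull a different image or fail to pull. Quote them as strings: `tag: "0.51"` and `tag: "0.21"`, which also keeps the rendered `image:` value byte-identical to the registry tag. Separately, moving from the pinned `0.50.1-1`/`0.21.3-6` tags to floating minor tags with `pullPolicy: Always` means the scanner binary that actually runs can change underneath a released chart version with no chart change and no audit trail in values; if floating is intended, a digest or an immutable tag would keep a scan result reproducible, and the commit message should state the trade-off.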
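Review bot: `runAsNonRoot: true` on its own only asks the kubelet to verify at container start that the image's effective UID is non-root; if `ghcr.io/undistro/trivy` still defaults to UID 0, or declares its `USER` by name rather than a numeric id, the container is rejected with CreateContainerConfigError rather than hardened, and with a floating tag that can change between pulls. Pairing it with an explicit numeric `runAsUser: <UID placeholder>` (and `runAsGroup`) makes the outcome deterministic regardless of the image's Dockerfile; the `--cache-dir=/tmp/trivy-cache` and `$(DONE_DIR)` paths the scan script writes to must then be writable by that UID. If the image is known to run as a numeric non-root user already, a one-line comment above the new key recording that assumption (e.g. `# image runs as a numeric non-root USER; runAsNonRoot is verified by the kubelet at start -- confirm on image bump`) would let the next maintainer tell intent from accident. The `securityContext` block ends inside the hunk, so `capabilities.drop` and `readOnlyRootFilesystem`, which the related POP checks also look at, are visibly still absent.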
diff --git a/charts/zora/templates/plugins/popeye.yaml b/charts/zora/templates/plugins/popeye.yaml
index 97897378..e059fcd5 100644
--- a/charts/zora/templates/plugins/popeye.yaml
+++ b/charts/zora/templates/plugins/popeye.yaml
@@ -54,6 +54,7 @@ spec:
 - /bin/sh
 - -c
 - |
+ sleep 30
 start=$(date +%s)
 echo Scanning...
 {{- if .Values.scan.plugins.popeye.skipInternalResources }}
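Review bot: `sleep 30` is an unexplained magic number on the new side; a reader of the script cannot tell it is a deliberate start-up delay so that sibling scan pods are not reported as POP-203/POP-204/POP-207 rather than leftover debugging, and it adds a fixed 30 s to every popeye run on every cluster. Put the reason on the line above it, e.g. `# give the other scan pods time to become ready before popeye inspects them (POP-203/204/207)`, and consider making the delay a chart value so operators can tune or disable it, e.g. `sleep {{ .Values.scan.plugins.popeye.startupDelaySeconds | default 30 }}` with a matching `# --` documented entry in values.yaml. A time-based delay narrows the race but does not remove it, so the comment should say the value is heuristic. The scan script continues past the end of the hunk.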