Adding signing and reviewing licence (#617)
rashmichandrashekar authored Oct 4, 2023
1 parent e2be19c commit 3333773
Showing 2 changed files with 85 additions and 108 deletions.
192 changes: 84 additions & 108 deletions .pipelines/azure-pipeline-build.yml
Expand Up @@ -463,6 +463,12 @@ jobs:
# Load in amd64 image to run vulnerability scan
docker buildx build . --file Dockerfile -t $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/targetallocator/metadata.json
fi
MEDIA_TYPE=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.mediaType')
DIGEST=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.digest')
SIZE=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.size')
cat <<EOF >>$(Build.ArtifactStagingDirectory)/targetallocator/payload.json
{"targetArtifact":{"mediaType":$MEDIA_TYPE,"digest":$DIGEST,"size":$SIZE}}
EOF
workingDirectory: $(Build.SourcesDirectory)/otelcollector/otel-allocator
displayName: "Build: build and push target allocator image to dev ACR"
- bash: |
Expand All @@ -471,6 +477,42 @@ jobs:
workingDirectory: $(Build.SourcesDirectory)
displayName: "Build: run trivy scan"
condition: eq(variables.IS_PR, false)
- task: EsrpCodeSigning@3
displayName: "ESRP CodeSigning for TargetAllocator"
inputs:
ConnectedServiceName: "ESRPServiceConnectionForPrometheusImages"
FolderPath: $(Build.ArtifactStagingDirectory)/targetallocator/
Pattern: "*.json"
signConfigType: inlineSignParams
inlineOperation: |
[
{
"keyCode": "CP-469451",
"operationSetCode": "NotaryCoseSign",
"parameters": [
{
"parameterName": "CoseFlags",
"parameterValue": "chainunprotected"
}
],
"toolName": "sign",
"toolVersion": "1.0"
}
]
- bash: |
set -euxo pipefail
curl -LO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz"
mkdir -p oras-install/
tar -zxf oras_1.0.0_*.tar.gz -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf oras_1.0.0_*.tar.gz oras-install/
oras attach $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) \
--artifact-type 'application/vnd.cncf.notary.signature' \
./payload.json:application/cose \
-a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]"
workingDirectory: $(Build.ArtifactStagingDirectory)/targetallocator/
displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/targetallocator/"
condition: eq(variables.IS_MAIN_BRANCH, true)
- job: Linux_ConfigReader
displayName: Build linux image for config reader
Expand All @@ -482,57 +524,8 @@ jobs:
# This is necessary because of: https://github.com/moby/moby/issues/37965
DOCKER_BUILDKIT: 1
steps:

- task: CodeQL3000Init@0
displayName: 'SDL: init codeql'
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))

- task: GoTool@0
displayName: "Build: specify golang version"
inputs:
version: '1.19'

- bash: |
sudo apt-get install build-essential -y
make
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))
workingDirectory: $(Build.SourcesDirectory)/otelcollector/configuration-reader-builder/
displayName: "SDL: build configuration reader for scanning"
- task: BinSkim@4
displayName: 'SDL: run binskim'
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))
inputs:
InputType: 'CommandLine'
arguments: 'analyze --rich-return-code $(Build.SourcesDirectory)/otelcollector/configuration-reader-builder/configurationreader'

- task: Gosec@1
displayName: 'SDL: run gosec'
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))
inputs:
targetPattern: 'gosecPattern'
targetGosecPattern: '$(Build.SourcesDirectory)/otelcollector'

- bash: |
wget https://github.com/microsoft/DevSkim/releases/download/v0.6.9/DevSkim_linux_0.6.9.zip
unzip DevSkim_linux_0.6.9.zip
chmod 775 DevSkim_linux_0.6.9/devskim
./DevSkim_linux_0.6.9/devskim analyze $(Build.SourcesDirectory)/otelcollector --ignore-globs **/deploy/dashboard/**,**/react/static/** --severity critical,important
displayName: 'SDL: run devskim'
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))
workingDirectory: $(Build.SourcesDirectory)
- bash: |
ruby --version
sudo apt-get install ruby-full
ruby --version
sudo gem install brakeman -v 5.4.1
brakeman $(Build.SourcesDirectory)/otelcollector/configmapparser --force
displayName: 'SDL: run brakeman'
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))
- bash: |
mkdir -p $(Build.ArtifactStagingDirectory)/linux
mkdir -p $(Build.ArtifactStagingDirectory)/linuxcfgreader
# Necessary due to necessary due to https://stackoverflow.com/questions/60080264/docker-cannot-build-multi-platform-images-with-docker-buildx
sudo apt-get update && sudo apt-get -y install qemu binfmt-support qemu-user-static
Expand All @@ -552,6 +545,12 @@ jobs:
# Load in amd64 image to run vulnerability scan
docker buildx build . --file ./build/linux/configuration-reader/Dockerfile -t $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/linux/configuration-reader/metadata.json
fi
MEDIA_TYPE=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.mediaType')
DIGEST=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.digest')
SIZE=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.size')
cat <<EOF >>$(Build.ArtifactStagingDirectory)/linuxcfgreader/payload.json
{"targetArtifact":{"mediaType":$MEDIA_TYPE,"digest":$DIGEST,"size":$SIZE}}
EOF
workingDirectory: $(Build.SourcesDirectory)/otelcollector/
displayName: "Build: build and push configuration reader image to dev ACR"
Expand All @@ -563,66 +562,43 @@ jobs:
displayName: "Build: run trivy scan"
condition: eq(variables.IS_PR, false)
- task: CodeQL3000Finalize@0
displayName: 'SDL: run codeql'
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))

- task: ComponentGovernanceComponentDetection@0
displayName: "SDL: run component governance"
condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true))
inputs:
scanType: 'Register'
verbosity: 'Verbose'
dockerImagesToScan: '$(LINUX_CONFIG_READER_FULL_IMAGE_NAME)'
alertWarningLevel: 'High'

- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
displayName: "Ev2: Generate image artifacts"
condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true))
inputs:
BuildDropPath: '$(Build.ArtifactStagingDirectory)/linux'
DockerImagesToScan: '$(LINUX_CONFIG_READER_FULL_IMAGE_NAME)'

- task: SdtReport@2
displayName: 'SDL: generate report'
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))
inputs:
GdnExportAllTools: false
GdnExportGdnToolBinSkim: true
GdnExportGdnToolBinSkimSeverity: 'Note'
GdnExportGdnToolGosec: true
GdnExportGdnToolGosecSeverity: 'Note'
GdnExportGdnToolSemmle: true
GdnExportGdnToolSemmleSeverity: 'Note'

- task: PublishSecurityAnalysisLogs@3
displayName: 'SDL: publish report'
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))
inputs:
ArtifactName: 'CodeAnalysisLogs'
ArtifactType: 'Container'
PublishProcessedResults: true
AllTools: true
ToolLogsNotFoundAction: 'Standard'

- task: PublishBuildArtifacts@1
displayName: "Ev2: Publish image artifacts"
condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true))
- task: EsrpCodeSigning@3
displayName: "ESRP CodeSigning for Config Reader"
inputs:
pathToPublish: '$(Build.ArtifactStagingDirectory)'
artifactName: drop
ConnectedServiceName: "ESRPServiceConnectionForPrometheusImages"
FolderPath: $(Build.ArtifactStagingDirectory)/linuxcfgreader/
Pattern: "*.json"
signConfigType: inlineSignParams
inlineOperation: |
[
{
"keyCode": "CP-469451",
"operationSetCode": "NotaryCoseSign",
"parameters": [
{
"parameterName": "CoseFlags",
"parameterValue": "chainunprotected"
}
],
"toolName": "sign",
"toolVersion": "1.0"
}
]
- task: PostAnalysis@2
displayName: 'SDL: Post-Build Analysis'
condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true))
inputs:
GdnBreakAllTools: false
GdnBreakGdnToolBinSkim: true
GdnBreakGdnToolBinSkimSeverity: 'Warning'
GdnBreakGdnToolGosec: true
GdnBreakGdnToolGosecSeverity: 'Warning'
GdnBreakGdnToolSemmle: true
GdnBreakGdnToolSemmleSeverity: 'Warning'
- bash: |
set -euxo pipefail
curl -LO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz"
mkdir -p oras-install/
tar -zxf oras_1.0.0_*.tar.gz -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf oras_1.0.0_*.tar.gz oras-install/
oras attach $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) \
--artifact-type 'application/vnd.cncf.notary.signature' \
./payload.json:application/cose \
-a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]"
workingDirectory: $(Build.ArtifactStagingDirectory)/linuxcfgreader/
displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/linuxcfgreader/"
condition: eq(variables.IS_MAIN_BRANCH, true)
- job: Windows2019
displayName: "Build windows 2019 image"
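Review bot: The two new "ORAS Push Artifacts" steps fetch the oras tarball with `curl -LO` and move the binary into `/usr/local/bin` with sudo without any integrity check, so the tool that publishes the Notary signatures is itself trusted on the strength of a download alone; pinning the release's SHA-256 and checking it before the `tar` line closes that gap, e.g. `echo "<SHA256_OF_ORAS_1.0.0_LINUX_AMD64_TARBALL>  oras_1.0.0_linux_amd64.tar.gz" | sha256sum -c -` (value taken from the oras release checksum file, not invented here). The payload heredocs in both build steps append with `>>`, so a re-run of the job on a reused staging directory would leave several concatenated JSON objects in payload.json that ESRP then signs and oras attaches; `cat <<EOF >$(Build.ArtifactStagingDirectory)/targetallocator/payload.json` (and the linuxcfgreader counterpart) avoids that. The two EsrpCodeSigning tasks carry no `condition`, so unlike the ORAS push they also run on PR builds where the image is only loaded locally; `condition: eq(variables.IS_MAIN_BRANCH, true)` on both would keep signing to images that are actually pushed. If the pushed image is a multi-platform manifest list, `docker manifest inspect -v` emits a JSON array and `.Descriptor.mediaType` would not resolve, leaving an empty value in the payload — worth confirming against the buildx invocation, which starts above the first hunk.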
1 change: 1 addition & 0 deletions NOTICE
Expand Up @@ -4,6 +4,7 @@ This repository incorporates material as listed below or described in the code.

OpenTelemetry Collector
https://github.com/open-telemetry/opentelemetry-collector
https://github.com/open-telemetry/opentelemetry-operator/


Apache License
