From 3333773ee43627ba4eccecaf5d8f0198f7d62932 Mon Sep 17 00:00:00 2001 From: rashmichandrashekar Date: Tue, 3 Oct 2023 17:30:41 -0700 Subject: [PATCH] Adding signing and reviewing licence (#617) --- .pipelines/azure-pipeline-build.yml | 192 ++++++++++++---------------- NOTICE | 1 + 2 files changed, 85 insertions(+), 108 deletions(-) diff --git a/.pipelines/azure-pipeline-build.yml b/.pipelines/azure-pipeline-build.yml index c96a9b570..8086943d0 100644 --- a/.pipelines/azure-pipeline-build.yml +++ b/.pipelines/azure-pipeline-build.yml @@ -463,6 +463,12 @@ jobs: # Load in amd64 image to run vulnerability scan docker buildx build . --file Dockerfile -t $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/targetallocator/metadata.json fi + MEDIA_TYPE=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.mediaType') + DIGEST=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.digest') + SIZE=$(docker manifest inspect -v $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) | jq '.Descriptor.size') + cat <>$(Build.ArtifactStagingDirectory)/targetallocator/payload.json + {"targetArtifact":{"mediaType":$MEDIA_TYPE,"digest":$DIGEST,"size":$SIZE}} + EOF workingDirectory: $(Build.SourcesDirectory)/otelcollector/otel-allocator displayName: "Build: build and push target allocator image to dev ACR" - bash: | 
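Review bot: The descriptor that ends up signed is whatever the registry currently serves for the tag `$(TARGET_ALLOCATOR_FULL_IMAGE_NAME)`, fetched by three separate `docker manifest inspect` calls after the `fi`, so a tag re-pushed between the build and this step (or between the three calls) would be described — and later signed — instead of the image built on the line above; the buildx `--metadata-file` already written to `targetallocator/metadata.json` records the built image's digest and is the thing to compare against before anything is signed. Inspect once and assemble the JSON with `jq` rather than interpolating three shell variables into a heredoc, and write the file with `>` — `cat <>$(Build.ArtifactStagingDirectory)/targetallocator/payload.json` reads like a mangled `cat <<EOF >>…`, and appending leaves two JSON objects in `payload.json` on a retried step. The inspect also runs unconditionally, including after the branch whose comment says it only loads the image locally for scanning, where the registry may not hold the tag at all; whether `set -e` is on for this step is decided outside the hunk. Something like:
```yaml
          fi
          DESCRIPTOR=$(docker manifest inspect -v "$(TARGET_ALLOCATOR_FULL_IMAGE_NAME)" | jq -c '.Descriptor')
          [ -n "$DESCRIPTOR" ] && [ "$DESCRIPTOR" != "null" ] || { echo "no manifest descriptor for $(TARGET_ALLOCATOR_FULL_IMAGE_NAME)" >&2; exit 1; }
          # refuse to describe a digest other than the one buildx just recorded (key name per buildx --metadata-file output; confirm)
          BUILT_DIGEST=$(jq -r '."containerimage.digest"' "$(Build.ArtifactStagingDirectory)/targetallocator/metadata.json")
          [ "$(jq -r .digest <<<"$DESCRIPTOR")" = "$BUILT_DIGEST" ] || { echo "registry digest does not match built image" >&2; exit 1; }
          jq -n --argjson d "$DESCRIPTOR" \
            '{targetArtifact: {mediaType: $d.mediaType, digest: $d.digest, size: $d.size}}' \
            > "$(Build.ArtifactStagingDirectory)/targetallocator/payload.json"
```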
@@ -471,6 +477,42 @@ jobs: workingDirectory: $(Build.SourcesDirectory) displayName: "Build: run trivy scan" condition: eq(variables.IS_PR, false) + - task: EsrpCodeSigning@3 + displayName: "ESRP CodeSigning for TargetAllocator" + inputs: + ConnectedServiceName: "ESRPServiceConnectionForPrometheusImages" + FolderPath: $(Build.ArtifactStagingDirectory)/targetallocator/ + Pattern: "*.json" + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-469451", + "operationSetCode": "NotaryCoseSign", + "parameters": [ + { + "parameterName": "CoseFlags", + "parameterValue": "chainunprotected" + } + ], + "toolName": "sign", + "toolVersion": "1.0" + } + ] + - bash: | + set -euxo pipefail + curl -LO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz" + mkdir -p oras-install/ + tar -zxf oras_1.0.0_*.tar.gz -C oras-install/ + sudo mv oras-install/oras /usr/local/bin/ + rm -rf oras_1.0.0_*.tar.gz oras-install/ + oras attach $(TARGET_ALLOCATOR_FULL_IMAGE_NAME) \ + --artifact-type 'application/vnd.cncf.notary.signature' \ + ./payload.json:application/cose \ + -a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]" + workingDirectory: $(Build.ArtifactStagingDirectory)/targetallocator/ + displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/targetallocator/" + condition: eq(variables.IS_MAIN_BRANCH, true) - job: Linux_ConfigReader displayName: Build linux image for config reader 
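Review bot: `EsrpCodeSigning@3` carries no `condition`, while the `oras attach` step that follows is gated on `IS_MAIN_BRANCH`, so every PR build will invoke the production signing key `CP-469451` over a payload describing an unreviewed image; add `condition: eq(variables.IS_MAIN_BRANCH, true)` to the signing task as well. The oras tarball is fetched with `curl -LO` and moved into `/usr/local/bin` with no integrity check — pin the release's published SHA-256, e.g. `echo "<sha256 from the v1.0.0 checksums file>  oras_1.0.0_linux_amd64.tar.gz" | sha256sum -c -` before the `tar -zxf`. `Pattern: "*.json"` also matches the `metadata.json` that the build step wrote into the same `targetallocator/` folder, so narrow it to `Pattern: "payload.json"`. Finally, `oras attach` resolves the tag again at push time; attaching to `$(TARGET_ALLOCATOR_FULL_IMAGE_NAME)@<digest read from payload.json>` keeps the signature bound to the subject the payload actually describes.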
@@ -482,57 +524,8 @@ jobs: # This is necessary because of: https://github.com/moby/moby/issues/37965 DOCKER_BUILDKIT: 1 steps: - - - task: CodeQL3000Init@0 - displayName: 'SDL: init codeql' - condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true)) - - - task: GoTool@0 - displayName: "Build: specify golang version" - inputs: - version: '1.19' - - bash: | - sudo apt-get install build-essential -y - make - condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true)) - workingDirectory: $(Build.SourcesDirectory)/otelcollector/configuration-reader-builder/ - displayName: "SDL: build configuration reader for scanning" - - - task: BinSkim@4 - displayName: 'SDL: run binskim' - condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true)) - inputs: - InputType: 'CommandLine' - arguments: 'analyze --rich-return-code $(Build.SourcesDirectory)/otelcollector/configuration-reader-builder/configurationreader' - - - task: Gosec@1 - displayName: 'SDL: run gosec' - condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true)) - inputs: - targetPattern: 'gosecPattern' - targetGosecPattern: '$(Build.SourcesDirectory)/otelcollector' - - - bash: | - wget https://github.com/microsoft/DevSkim/releases/download/v0.6.9/DevSkim_linux_0.6.9.zip - unzip DevSkim_linux_0.6.9.zip - chmod 775 DevSkim_linux_0.6.9/devskim - ./DevSkim_linux_0.6.9/devskim analyze $(Build.SourcesDirectory)/otelcollector --ignore-globs **/deploy/dashboard/**,**/react/static/** --severity critical,important - displayName: 'SDL: run devskim' - condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true)) - workingDirectory: $(Build.SourcesDirectory) - - - bash: | - ruby --version - sudo apt-get install ruby-full - ruby --version - sudo gem install brakeman -v 5.4.1 - brakeman $(Build.SourcesDirectory)/otelcollector/configmapparser --force - displayName: 'SDL: run brakeman' - condition: or(eq(variables.IS_PR, true), 
eq(variables.IS_MAIN_BRANCH, true)) - - - bash: | - mkdir -p $(Build.ArtifactStagingDirectory)/linux + mkdir -p $(Build.ArtifactStagingDirectory)/linuxcfgreader # Necessary due to necessary due to https://stackoverflow.com/questions/60080264/docker-cannot-build-multi-platform-images-with-docker-buildx sudo apt-get update && sudo apt-get -y install qemu binfmt-support qemu-user-static @@ -552,6 +545,12 @@ jobs: # Load in amd64 image to run vulnerability scan docker buildx build . --file ./build/linux/configuration-reader/Dockerfile -t $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) --metadata-file $(Build.ArtifactStagingDirectory)/linux/configuration-reader/metadata.json fi + MEDIA_TYPE=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.mediaType') + DIGEST=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.digest') + SIZE=$(docker manifest inspect -v $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) | jq '.Descriptor.size') + cat <>$(Build.ArtifactStagingDirectory)/linuxcfgreader/payload.json + {"targetArtifact":{"mediaType":$MEDIA_TYPE,"digest":$DIGEST,"size":$SIZE}} + EOF workingDirectory: $(Build.SourcesDirectory)/otelcollector/ displayName: "Build: build and push configuration reader image to dev ACR" 
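Review bot: On the new side the `Linux_ConfigReader` job no longer runs CodeQL init, BinSkim, gosec, DevSkim or brakeman — the whole SDL block between `steps:` and the `mkdir -p` is gone, which is unrelated to the signing this commit adds and, unless those scans were re-homed in a job outside this diff, leaves the configuration-reader binary and the Ruby `configmapparser` unscanned. If the removal is intentional the commit message should say so and name the replacement; if not, restore the tasks with their `IS_PR`/`IS_MAIN_BRANCH` conditions. The renamed `mkdir -p $(Build.ArtifactStagingDirectory)/linuxcfgreader` also stops creating the `linux/` directory that the unchanged `--metadata-file …/linux/configuration-reader/metadata.json` argument (visible as context in the next hunk) still writes under, so confirm that path is still created by something else. The enclosing `bash: |` step continues past this hunk.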
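Review bot: `payload.json` is written to `linuxcfgreader/` while the `--metadata-file` on the preceding context line still writes `metadata.json` to `linux/configuration-reader/`, so the two descriptions of the same build land in different folders and the signing step's `FolderPath` only ever sees one of them; pick one directory for both so the built digest in `metadata.json` can be checked against the registry descriptor before it is signed. As in the target-allocator step, the three `docker manifest inspect` calls should collapse into one captured descriptor assembled into JSON with `jq` rather than a heredoc, and `cat <>…/linuxcfgreader/payload.json` (apparently a mangled `cat <<EOF >>`) should use `>` so a retry does not append a second object. The inspect also runs after the `fi` regardless of whether the image was pushed, which is fragile on the local-load branch. The enclosing `bash: |` step starts before this hunk.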
@@ -563,66 +562,43 @@ jobs: displayName: "Build: run trivy scan" condition: eq(variables.IS_PR, false) - - task: CodeQL3000Finalize@0 - displayName: 'SDL: run codeql' - condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true)) - - - task: ComponentGovernanceComponentDetection@0 - displayName: "SDL: run component governance" - condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true)) - inputs: - scanType: 'Register' - verbosity: 'Verbose' - dockerImagesToScan: '$(LINUX_CONFIG_READER_FULL_IMAGE_NAME)' - alertWarningLevel: 'High' - - - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 - displayName: "Ev2: Generate image artifacts" - condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true)) - inputs: - BuildDropPath: '$(Build.ArtifactStagingDirectory)/linux' - DockerImagesToScan: '$(LINUX_CONFIG_READER_FULL_IMAGE_NAME)' - - - task: SdtReport@2 - displayName: 'SDL: generate report' - condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true)) - inputs: - GdnExportAllTools: false - GdnExportGdnToolBinSkim: true - GdnExportGdnToolBinSkimSeverity: 'Note' - GdnExportGdnToolGosec: true - GdnExportGdnToolGosecSeverity: 'Note' - GdnExportGdnToolSemmle: true - GdnExportGdnToolSemmleSeverity: 'Note' - - - task: PublishSecurityAnalysisLogs@3 - displayName: 'SDL: publish report' - condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true)) - inputs: - ArtifactName: 'CodeAnalysisLogs' - ArtifactType: 'Container' - PublishProcessedResults: true - AllTools: true - ToolLogsNotFoundAction: 'Standard' - - - task: PublishBuildArtifacts@1 - displayName: "Ev2: Publish image artifacts" - condition: and(eq(variables.IS_PR, false), eq(variables.IS_MAIN_BRANCH, true)) + - task: EsrpCodeSigning@3 + displayName: "ESRP CodeSigning for Config Reader" inputs: - pathToPublish: '$(Build.ArtifactStagingDirectory)' - artifactName: drop + ConnectedServiceName: 
"ESRPServiceConnectionForPrometheusImages" + FolderPath: $(Build.ArtifactStagingDirectory)/linuxcfgreader/ + Pattern: "*.json" + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keyCode": "CP-469451", + "operationSetCode": "NotaryCoseSign", + "parameters": [ + { + "parameterName": "CoseFlags", + "parameterValue": "chainunprotected" + } + ], + "toolName": "sign", + "toolVersion": "1.0" + } + ] - - task: PostAnalysis@2 - displayName: 'SDL: Post-Build Analysis' - condition: or(eq(variables.IS_PR, true), eq(variables.IS_MAIN_BRANCH, true)) - inputs: - GdnBreakAllTools: false - GdnBreakGdnToolBinSkim: true - GdnBreakGdnToolBinSkimSeverity: 'Warning' - GdnBreakGdnToolGosec: true - GdnBreakGdnToolGosecSeverity: 'Warning' - GdnBreakGdnToolSemmle: true - GdnBreakGdnToolSemmleSeverity: 'Warning' + - bash: | + set -euxo pipefail + curl -LO "https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_linux_amd64.tar.gz" + mkdir -p oras-install/ + tar -zxf oras_1.0.0_*.tar.gz -C oras-install/ + sudo mv oras-install/oras /usr/local/bin/ + rm -rf oras_1.0.0_*.tar.gz oras-install/ + oras attach $(LINUX_CONFIG_READER_FULL_IMAGE_NAME) \ + --artifact-type 'application/vnd.cncf.notary.signature' \ + ./payload.json:application/cose \ + -a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]" + workingDirectory: $(Build.ArtifactStagingDirectory)/linuxcfgreader/ + displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/linuxcfgreader/" + condition: eq(variables.IS_MAIN_BRANCH, true) - job: Windows2019 displayName: "Build windows 2019 image" diff --git a/NOTICE b/NOTICE index eb4a6acc0..5dba63ff4 100644 --- a/NOTICE +++ b/NOTICE @@ -4,6 +4,7 @@ This repository incorporates material as listed below or described in the code. OpenTelemetry Collector https://github.com/open-telemetry/opentelemetry-collector +https://github.com/open-telemetry/opentelemetry-operator/ Apache License