fix(ci/cve-scanning): up retries and use a unique category for each c…
cwrau authored Sep 20, 2024
1 parent 27dcacb commit 51e250b
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions .github/scripts/generate-sarif-reports.sh
Expand Up @@ -15,7 +15,7 @@ function createSarifReports() {
# shellcheck disable=SC2046
yq -r '.annotations["artifacthub.io/images"]' "$chart/Chart.yaml" |
yq -r '.[] | .image' |
parallel ${GITHUB_JOB+--bar} --retries 3 -P 0 -k generateSarifReport "$chart" "{}" "reports/$chartName-{#}.json"
parallel ${GITHUB_JOB+--bar} --retries 10 -P 0 -k generateSarifReport "$chart" "{}" "reports/$chartName-{#}.json"
# shellcheck disable=SC1009
cat "reports/$chartName-"*.json | jq -r -s '{"$schema": .[0]["$schema"], version: .[0].version, runs: [reduce map(.runs[])[] as $run (null; .+$run as $new | .tool.driver.rules |= (.+$run.tool.driver.rules|unique_by(.id)) | $new*. | .results += ($run.results | map(.locations |= (([.[] | select(.physicalLocation)][0].physicalLocation.artifactLocation) as $physicalLocation | .[] | select(.logicalLocations)[] | map({physicalLocation:{artifactLocation:{uri:"\(.fullyQualifiedName)/\($run.properties.imageName)/\($run.originalUriBaseIds[$physicalLocation.uriBaseId].uri)\($physicalLocation.uri)"}}})))) | del(.properties, .originalUriBaseIds))]}' >"reports/$chartName.json.sarif"
}
Expand All @@ -34,7 +34,7 @@ function generateSarifReport() {
locationsJson="$(yq --arg image "$image" -r '.annotations["artifacthub.io/images"] | split("\n")[] | select(contains($image))' "$chart/Chart.yaml" |
awk '{print $NF}' |
jq -r -c -Rn '[inputs] | map({fullyQualifiedName: .})')"
if trivy image "$image" -f sarif --quiet --ignore-unfixed | jq -r --argjson locations "$locationsJson" --arg category "${GITHUB_JOB:-local}/$chart" '.runs |= map(.results |= map(.locations += [{logicalLocations: $locations}])) | .runs |= map(.automationDetails = {id: $category})' >"$tmpFile"; then
if trivy image "$image" -f sarif --quiet --ignore-unfixed | jq -r --argjson locations "$locationsJson" --arg category "$chart/${GITHUB_JOB:-local}" '.runs |= map(.results |= map(.locations += [{logicalLocations: $locations}])) | .runs |= map(.automationDetails = {id: $category})' >"$tmpFile"; then
mv "${tmpFile}" "${outFile}"
else
rm "$tmpFile"
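Review bot: The status tested by the `if` on the changed trivy line is the exit status of the last pipeline stage, `jq`, not of `trivy image`, so unless `set -o pipefail` is enabled earlier in the script (not visible here) a failed scan leaves jq with empty input, jq exits 0, an empty `$tmpFile` is moved to `$outFile`, and that image is silently missing from the merged report. That also defeats the `--retries 10` bump in the first hunk, since GNU parallel only re-runs a job whose exit status is non-zero. Add `set -o pipefail` near the top of the script, or require a non-empty report before the move, e.g. `... >"$tmpFile" && [[ -s "$tmpFile" ]]; then`. generateSarifReport's else branch continues past the end of this hunk, and createSarifReports begins before the first hunk.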
