From 20a9b14d0ea8f1a771dcce26ec632ecccaedf712 Mon Sep 17 00:00:00 2001 From: brais <26645694+braisvq1996@users.noreply.github.com> Date: Mon, 2 Sep 2024 16:28:30 +0200 Subject: [PATCH] Trivy stage maintenance (#1152) --- CHANGELOG.md | 1 + .../partials/odsComponentStageScanWithTrivy.adoc | 10 +++++----- src/org/ods/component/ScanWithTrivyOptions.groovy | 2 +- src/org/ods/component/ScanWithTrivyStage.groovy | 12 ++++++------ src/org/ods/services/TrivyService.groovy | 4 ++-- test/groovy/org/ods/services/TrivyServiceSpec.groovy | 6 +++--- 6 files changed, 18 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1520cb95a..ac24722cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ ### Changed * Enhance SSDS Document Generation Performance using New Atlassian APIs ([#1084](https://github.com/opendevstack/ods-jenkins-shared-library/issues/1084)) +* Deprecation of vuln-type and scanners config in Trivy ([#1150](https://github.com/opendevstack/ods-jenkins-shared-library/issues/1150)) ### Fixed * Fix Tailor deployment drifts for D, Q envs ([#1055](https://github.com/opendevstack/ods-jenkins-shared-library/pull/1055)) diff --git a/docs/modules/jenkins-shared-library/partials/odsComponentStageScanWithTrivy.adoc b/docs/modules/jenkins-shared-library/partials/odsComponentStageScanWithTrivy.adoc index 95540d7ab..9abdc93be 100644 --- a/docs/modules/jenkins-shared-library/partials/odsComponentStageScanWithTrivy.adoc +++ b/docs/modules/jenkins-shared-library/partials/odsComponentStageScanWithTrivy.adoc @@ -62,6 +62,11 @@ _String_ |Name of the Nexus repository where the scan report will be stored. Defaults to `leva-documentation`. +| *pkgType* + +_String_ +|Comma-separated list of vulnerability types to scan. Defaults to `os,library`. + + | *reportFile* + _String_ |Name of the file that will be archived in Jenkins and uploaded in Nexus. 
@@ -77,9 +82,4 @@ _String_ _String_ |Comma-separated list of what security issues to detect. Defaults to `vuln,config,secret,license`. - -| *vulType* + -_String_ -|Comma-separated list of vulnerability types to scan. Defaults to `os,library`. - |=== diff --git a/src/org/ods/component/ScanWithTrivyOptions.groovy b/src/org/ods/component/ScanWithTrivyOptions.groovy index c858674cb..ff07d29ac 100644 --- a/src/org/ods/component/ScanWithTrivyOptions.groovy +++ b/src/org/ods/component/ScanWithTrivyOptions.groovy @@ -19,7 +19,7 @@ class ScanWithTrivyOptions extends Options { /** * Comma-separated list of vulnerability types to scan. Defaults to `os,library`. */ - String vulType + String pkgType /** * Name of the Nexus repository where the scan report will be stored. Defaults to `leva-documentation`. */ diff --git a/src/org/ods/component/ScanWithTrivyStage.groovy b/src/org/ods/component/ScanWithTrivyStage.groovy index 08b1be4a9..0b1fea7ad 100644 --- a/src/org/ods/component/ScanWithTrivyStage.groovy +++ b/src/org/ods/component/ScanWithTrivyStage.groovy @@ -32,10 +32,10 @@ class ScanWithTrivyStage extends Stage { config.format = 'cyclonedx' } if (!config.scanners) { - config.scanners = 'vuln,config,secret,license' + config.scanners = 'vuln,misconfig,secret,license' } - if (!config.vulType) { - config.vulType = 'os,library' + if (!config.pkgType) { + config.pkgType = 'os,library' } if (!config.additionalFlags) { config.additionalFlags = [] @@ -58,7 +58,7 @@ class ScanWithTrivyStage extends Stage { protected run() { String errorMessages = '' - int returnCode = scanViaCli(options.scanners, options.vulType, options.format, + int returnCode = scanViaCli(options.scanners, options.pkgType, options.format, options.additionalFlags, options.reportFile, options.nexusDataBaseRepository, openShift.getApplicationDomain()) if ([TrivyService.TRIVY_SUCCESS].contains(returnCode)) { 
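Review bot: The Javadoc kept on the renamed field still reads `Comma-separated list of vulnerability types to scan`, yet `pkgType` now feeds Trivy's `--pkg-types`, which selects package types (`os`, `library`) rather than vulnerability types, so a reader may pass a vulnerability class here. Suggest `* Comma-separated list of package types to scan (os, library). Defaults to os,library. Replaces the former vulType option.` The adoc partial in this patch carries the same stale wording for the new `pkgType` row. Nothing in the class flags the old `vulType` name as deprecated, so a Jenkinsfile that still sets it gets no signal.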
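Review bot: A pipeline that still passes `vulType:` in its stage config now has that value silently dropped, because only `config.pkgType` is consulted before the `os,library` default is applied, so the operator's chosen scan scope is replaced without any log line. Map the old key with a warning before the default, e.g. `if (!config.pkgType && config.vulType) { logger.warn("'vulType' is deprecated, use 'pkgType'"); config.pkgType = config.vulType }` (the class's `logger` is used further down in scanViaCli). `scanners` has the same shape of problem: a user-supplied value, including the old `config` scanner, is passed through untouched while the new default uses `misconfig`, and the docs partial in this patch still states the default as `vuln,config,secret,license`, which no longer matches this code. Whether Trivy on the agent still accepts `config` as an alias depends on its version, which this patch does not pin.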
@@ -78,14 +78,14 @@ class ScanWithTrivyStage extends Stage { } @SuppressWarnings('ParameterCount') - private int scanViaCli(String scanners, String vulType, String format, + private int scanViaCli(String scanners, String pkgType, String format, List additionalFlags, String reportFile, String nexusDataBaseRepository, String openshiftAppDomain) { logger.startClocked(options.resourceName) String flags = "" additionalFlags.each { flag -> flags += " " + flag } - int returnCode = trivy.scanViaCli(scanners, vulType, format, flags, reportFile, + int returnCode = trivy.scanViaCli(scanners, pkgType, format, flags, reportFile, nexusDataBaseRepository, openshiftAppDomain) switch (returnCode) { case TrivyService.TRIVY_SUCCESS: diff --git a/src/org/ods/services/TrivyService.groovy b/src/org/ods/services/TrivyService.groovy index 59f493fcb..cc6b7fcb9 100644 --- a/src/org/ods/services/TrivyService.groovy +++ b/src/org/ods/services/TrivyService.groovy @@ -19,7 +19,7 @@ class TrivyService { } @SuppressWarnings('ParameterCount') - int scanViaCli(String scanners, String vulType, String format, String flags, + int scanViaCli(String scanners, String pkgType, String format, String flags, String reportFile, String nexusRepository, String openshiftDomain ) { logger.info "Starting to scan via Trivy CLI..." int status = TRIVY_SUCCESS @@ -33,7 +33,7 @@ class TrivyService { --java-db-repository ${nexusRepository}.${openshiftDomain}/aquasecurity/trivy-java-db \ --cache-dir /tmp/.cache \ --scanners ${scanners} \ - --vuln-type ${vulType} \ + --pkg-types ${pkgType} \ --format ${format} \ --output ${reportFile} \ --license-full \ diff --git a/test/groovy/org/ods/services/TrivyServiceSpec.groovy b/test/groovy/org/ods/services/TrivyServiceSpec.groovy index 4e9a27a8c..5a63912b0 100644 --- a/test/groovy/org/ods/services/TrivyServiceSpec.groovy +++ b/test/groovy/org/ods/services/TrivyServiceSpec.groovy 
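Review bot: `${pkgType}` is interpolated unquoted into the command string on the new `--pkg-types` line with no check on its contents; Trivy accepts only `os` and `library` there, so an allow-list check costs one line and stops a stray space or shell metacharacter from reaching the shell step that presumably runs this string (the step itself is outside the hunk). For example, near the top of scanViaCli, whose body continues above and below this hunk: `if (!pkgType.split(',').every { it in ['os', 'library'] }) { throw new IllegalArgumentException("Invalid pkgType: ${pkgType}") }`. The same applies to `${scanners}` on the line above, which this patch leaves interpolated as-is. Separately, `--pkg-types` and the `misconfig` scanner name exist only on recent Trivy releases, and an older binary aborts with an unknown-flag error, so the minimum Trivy version this now requires should be stated in the CHANGELOG entry or checked at runtime.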
@@ -14,7 +14,7 @@ class TrivyServiceSpec extends PipelineSpockTestBase { ]) when: - def result = service.scanViaCli("vuln,config,secret,license", "os,library", + def result = service.scanViaCli("vuln,misconfig,secret,license", "os,library", "cyclonedx", "--debug --timeout=10m", "trivy-sbom.json", "docker-group-ods", "openshift-domain.com") then: @@ -26,8 +26,8 @@ class TrivyServiceSpec extends PipelineSpockTestBase { assert it.script.toString().contains('--db-repository docker-group-ods.openshift-domain.com/aquasecurity/trivy-db') assert it.script.toString().contains('--java-db-repository docker-group-ods.openshift-domain.com/aquasecurity/trivy-java-db') assert it.script.toString().contains('--cache-dir /tmp/.cache') - assert it.script.toString().contains('--scanners vuln,config,secret,license') - assert it.script.toString().contains('--vuln-type os,library') + assert it.script.toString().contains('--scanners vuln,misconfig,secret,license') + assert it.script.toString().contains('--pkg-types os,library') assert it.script.toString().contains('--format cyclonedx') assert it.script.toString().contains('--output trivy-sbom.json') assert it.script.toString().contains('--license-full')
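Review bot: The updated assertions check that `--scanners vuln,misconfig,secret,license` and `--pkg-types os,library` appear in the script, but a substring check passes just as well if the deprecated `--vuln-type` flag were still emitted alongside, so the deprecation itself is not pinned. Add `assert !it.script.toString().contains('--vuln-type')` next to the `--pkg-types` assertion. A second case that passes a `pkgType` outside `os`/`library` would document the service's current behaviour, which from the TrivyService hunk is to forward the value verbatim.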