docs(cve-scan-patching): update HOW_TO
g-iannelli committed Sep 26, 2024
1 parent 03bad62 commit 146a079
Showing 2 changed files with 8 additions and 6 deletions.
13 changes: 7 additions & 6 deletions CVEs/HOW_TO.md
Expand Up @@ -15,12 +15,13 @@ This guide explains how to generate a new report (in MarkDown) for a version of
1) Create a new folder with the name of the version of KFD and create a new `furyctl.yaml` file with cluster name `sighup` and the same distribution version with kind KFDDistribution (everything can be disabled, we only need to download the dependencies): `furyctl create config --name sighup --version v1.X.Y --kind KFDDistribution --config v1.X.Y/furyctl.yaml`
2) Execute `make download-deps KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`
3) Execute `make kustomize-build-all KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`
4) Execute `make gen-image-list KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`, this command will output an `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/images.txt` file with all the images found in the build kustomize manifest.
5) Execute `make scan-vulns KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`, this script will output a `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/README.md` file in the current directory with a table with all the CRITICAL CVEs
6) Check the `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/README.md` and commit the directory
4) Execute `make trivy-download-db`
5) Execute `make gen-image-list KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`, this command will output an `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/images.txt` file with all the images found in the build kustomize manifest.
6) Execute `make scan-vulns KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`, this script will output a `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/README.md` file in the current directory with a table with all the CRITICAL CVEs
7) Check the `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/README.md` and commit the directory

### Scan all KFD versions

1) Execute `make all`
2) Check the `README.md` files in each version directory and commit them.

1) Execute `make trivy-download-db`
2) Execute `make all`
3) Check the `README.md` and `PATCHED.md` files in each version directory
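Review bot: the rewritten "Scan all KFD versions" step 3 drops the "and commit them" that the removed step 2 had, so the all-versions procedure no longer says the generated `README.md` and `PATCHED.md` files should be committed, while the single-version procedure (step 7) still ends with "commit the directory"; if the omission is intentional, say so, otherwise restore "and commit them". The same hunk also introduces `PATCHED.md` without any step in this guide that produces it (`make all` is the only target named), so a line stating which target writes `PATCHED.md` would help, and in step 6 the phrase "in the current directory" contradicts the `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/README.md` path on the same line ("an `...images.txt`" in step 5 should also be "a").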
1 change: 1 addition & 0 deletions scripts/patch_images_with_copacetic.sh
Expand Up @@ -81,6 +81,7 @@ function patch_image() {
echo "FROM $image-patched" | DOCKER_BUILDKIT=0 docker build \
${DOCKER_LABELS} \
--label io.sighup.secured.image.created="$(date -u +"%Y-%m-%dT%H:%M:%S.%3NZ")" \
--label io.sighup.secured.image.from.hash="$src_image_hash" \
-t "$secured_image" \
-f - "$DOCKERFILE_OUTPUT_DIR" &> /dev/null
secured_labeled_image_hash=$(docker inspect "$secured_image" --format '{{.Id}}')
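Review bot: the new `--label io.sighup.secured.image.from.hash="$src_image_hash"` line references `$src_image_hash`, which is not assigned anywhere in the visible part of `patch_image()`; confirm it is set earlier in the function (presumably from `docker inspect` on the source image, as `secured_labeled_image_hash` is below) and that it is non-empty before the build, since an empty label value would silently break the provenance link between the patched image and its source. Recording the source digest as a label is a useful audit trail, but it is only as reliable as the variable feeding it, and `&> /dev/null` on the build hides any label-related error, so a check such as `[ -n "$src_image_hash" ] || return 1` before the `docker build` would be worth adding.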