From 146a0793a47e19e346d0ae5058661e4d45f0eee3 Mon Sep 17 00:00:00 2001
From: Giuseppe Iannelli
Date: Thu, 26 Sep 2024 10:39:50 +0200
Subject: [PATCH] docs(cve-scan-patching): update HOW_TO

---
 CVEs/HOW_TO.md | 13 +++++++------
 scripts/patch_images_with_copacetic.sh | 1 +
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/CVEs/HOW_TO.md b/CVEs/HOW_TO.md
index d93fd68..bdc1208 100644
--- a/CVEs/HOW_TO.md
+++ b/CVEs/HOW_TO.md
@@ -15,12 +15,13 @@ This guide explains how to generate a new report (in MarkDown) for a version of
 1) Create a new folder with the name of the version of KFD and create a new `furyctl.yaml` file with cluster name `sighup` and the same distribution version with kind KFDDistribution (everything can be disabled, we only need to download the dependencies): `furyctl create config --name sighup --version v1.X.Y --kind KFDDistribution --config v1.X.Y/furyctl.yaml`
 2) Execute `make download-deps KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`
 3) Execute `make kustomize-build-all KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`
-4) Execute `make gen-image-list KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`, this command will output an `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/images.txt` file with all the images found in the build kustomize manifest.
-5) Execute `make scan-vulns KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`, this script will output a `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/README.md` file in the current directory with a table with all the CRITICAL CVEs
-6) Check the `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/README.md` and commit the directory
+4) Execute `make trivy-download-db`
+5) Execute `make gen-image-list KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`, this command will output an `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/images.txt` file with all the images found in the build kustomize manifest.
+6) Execute `make scan-vulns KFD_VERSION=SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE`, this script will output a `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/README.md` file in the current directory with a table with all the CRITICAL CVEs
+7) Check the `SOME_VALID_KFD_VERSION_WITH_A_FURYCTLYAML_INSIDE/README.md` and commit the directory
 
 ### Scan all KFD versions
 
-1) Execute `make all`
-2) Check the `README.md` files in each version directory and commit them.
-
+1) Execute `make trivy-download-db`
+2) Execute `make all`
+3) Check the `README.md` and `PATCHED.md` files in each version directory
diff --git a/scripts/patch_images_with_copacetic.sh b/scripts/patch_images_with_copacetic.sh
index 8b4a3cb..28787cc 100755
--- a/scripts/patch_images_with_copacetic.sh
+++ b/scripts/patch_images_with_copacetic.sh
@@ -81,6 +81,7 @@ function patch_image() {
 echo "FROM $image-patched" | DOCKER_BUILDKIT=0 docker build \
 ${DOCKER_LABELS} \
 --label io.sighup.secured.image.created="$(date -u +"%Y-%m-%dT%H:%M:%S.%3NZ")" \
+ --label io.sighup.secured.image.from.hash="$src_image_hash" \
 -t "$secured_image" \
 -f - "$DOCKERFILE_OUTPUT_DIR" &> /dev/null
 secured_labeled_image_hash=$(docker inspect "$secured_image" --format '{{.Id}}')
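Review bot: The added `--label io.sighup.secured.image.from.hash="$src_image_hash"` depends on `src_image_hash` being set earlier in `patch_image()`, outside this hunk, and because the build's output is discarded with `&> /dev/null` an unset or empty variable would silently stamp an empty provenance label instead of failing visibly. Expanding it as `"${src_image_hash:?src_image_hash is not set}"` makes the build abort with a message when the value is missing. If that variable is obtained the same way `secured_labeled_image_hash` is on the following line (`docker inspect … --format '{{.Id}}'`), it holds the local image ID rather than the registry manifest digest (`RepoDigests`), which matters when the label is later matched against a registry or an SBOM; a comment above the label such as `# local image ID of the unpatched source image (not the registry digest)` would make that explicit. The enclosing function starts and ends outside the hunk.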