Verified Commit 7ff0fde9 authored by Martin Weise's avatar Martin Weise

Added Trivy scanner to the pipeline

parent 30e85ec8
2 merge requests!163Relase 1.3.0,!158Resolve "CI/CD vulnerability scanner"
...@@ -32,6 +32,9 @@ fda-ui/ ...@@ -32,6 +32,9 @@ fda-ui/
# Environment # Environment
.env .env
# scanning
.trivy/trivy-*.json
# Debug # Debug
debug.txt debug.txt
...@@ -9,7 +9,9 @@ before_script: ...@@ -9,7 +9,9 @@ before_script:
variables: variables:
HOSTALIASES: ./hosts HOSTALIASES: ./hosts
DOCKER_TLS_CERTDIR: /certs DOCKER_TLS_CERTDIR: /certs
TAG: ${TAG:-latest} TAG: "${TAG:-latest}"
TRIVY_NO_PROGRESS: "true"
TRIVY_CACHE_DIR: ".trivycache/"
cache: cache:
paths: paths:
...@@ -24,6 +26,7 @@ stages: ...@@ -24,6 +26,7 @@ stages:
- test-backend - test-backend
- test-frontend - test-frontend
- build-docker - build-docker
- scan-docker
- release - release
build-metadata-db: build-metadata-db:
...@@ -334,10 +337,298 @@ build-frontend: ...@@ -334,10 +337,298 @@ build-frontend:
script: script:
- make build-frontend - make build-frontend
scan-analyse-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-analyse-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-analyse-service-report.json
scan-authentication-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-authentication-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-authentication-service-report.json
scan-broker-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-broker-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-broker-service-report.json
scan-container-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-container-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-container-service-report.json
scan-database-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-database-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-database-service-report.json
scan-discovery-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-discovery-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-discovery-service-report.json
scan-gateway-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-gateway-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-gateway-service-report.json
scan-identifier-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-identifier-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-identifier-service-report.json
scan-metadata-db:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-metadata-db
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-metadata-db-report.json
scan-metadata-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-metadata-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-metadata-service-report.json
scan-proxy:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-proxy
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-proxy-report.json
scan-query-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-query-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-query-service-report.json
scan-search-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-search-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-search-service-report.json
scan-semantics-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-semantics-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-semantics-service-report.json
scan-table-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-table-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-table-service-report.json
scan-ui:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-ui
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-ui-report.json
scan-user-service:
stage: scan-docker
needs:
- build-docker
allow_failure: true
script:
- make scan-user-service
cache:
paths:
- .trivycache/
artifacts:
when: always
expire_in: 1 days
reports:
container_scanning: ./.trivy/trivy-user-service-report.json
release-latest: release-latest:
stage: release stage: release
needs: needs:
- build-docker - scan-analyse-service
- scan-authentication-service
- scan-broker-service
- scan-container-service
- scan-database-service
- scan-discovery-service
- scan-gateway-service
- scan-identifier-service
- scan-metadata-db
- scan-metadata-service
- scan-proxy
- scan-query-service
- scan-search-service
- scan-semantics-service
- scan-table-service
- scan-ui
- scan-user-service
only: only:
refs: refs:
- dev - dev
...@@ -349,7 +640,23 @@ release-latest: ...@@ -349,7 +640,23 @@ release-latest:
release-version: release-version:
stage: release stage: release
needs: needs:
- build-docker - scan-analyse-service
- scan-authentication-service
- scan-broker-service
- scan-container-service
- scan-database-service
- scan-discovery-service
- scan-gateway-service
- scan-identifier-service
- scan-metadata-db
- scan-metadata-service
- scan-proxy
- scan-query-service
- scan-search-service
- scan-semantics-service
- scan-table-service
- scan-ui
- scan-user-service
only: only:
refs: refs:
- master - master
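Review bot: The new `needs:` fan-in on `release-latest` and `release-version` does not gate the release on the scan outcome, because every `scan-*` job carries `allow_failure: true`; a job that fails on the Makefile's `--exit-code 1 --severity CRITICAL` run is still counted as satisfied by `needs`, so an image with a CRITICAL finding would be released with only a warning icon on the pipeline. If a hard gate is intended, drop `allow_failure: true` from the scan jobs (the `artifacts: when: always` already keeps the report upload on failure) and route accepted findings through a `.trivyignore`; if the gate is meant to be advisory, the `needs:` lists only add scan latency to the release. The seventeen scan jobs differ solely in the service name, so a hidden `.scan-template` job with `extends:` would keep the shared `cache`/`artifacts`/`allow_failure` settings in one place. The bodies of both release jobs continue past the hunks shown here.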
{{- /* Template based on https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format */ -}}
{
"version": "14.0.6",
"vulnerabilities": [
{{- $t_first := true }}
{{- range . }}
{{- $target := .Target }}
{{- $image := $target | regexFind "[^\\s]+" }}
{{- range .Vulnerabilities -}}
{{- if $t_first -}}
{{- $t_first = false -}}
{{ else -}}
,
{{- end }}
{
"id": "{{ .VulnerabilityID }}",
"category": "container_scanning",
"message": {{ .Title | printf "%q" }},
"description": {{ .Description | printf "%q" }},
{{- /* cve is a deprecated key, use id instead */}}
"cve": "{{ .VulnerabilityID }}",
"severity": {{ if eq .Severity "UNKNOWN" -}}
"Unknown"
{{- else if eq .Severity "LOW" -}}
"Low"
{{- else if eq .Severity "MEDIUM" -}}
"Medium"
{{- else if eq .Severity "HIGH" -}}
"High"
{{- else if eq .Severity "CRITICAL" -}}
"Critical"
{{- else -}}
"{{ .Severity }}"
{{- end }},
"solution": {{ if .FixedVersion -}}
"Upgrade {{ .PkgName }} to {{ .FixedVersion }}"
{{- else -}}
"No solution provided"
{{- end }},
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "{{ .PkgName }}"
},
"version": "{{ .InstalledVersion }}"
},
{{- /* TODO: No mapping available - https://github.com/aquasecurity/trivy/issues/332 */}}
"operating_system": "Unknown",
"image": "{{ $image }}"
},
"identifiers": [
{
{{- /* TODO: Type not extractable - https://github.com/aquasecurity/trivy-db/pull/24 */}}
"type": "cve",
"name": "{{ .VulnerabilityID }}",
"value": "{{ .VulnerabilityID }}",
"url": "{{ .PrimaryURL }}"
}
],
"links": [
{{- $l_first := true -}}
{{- range .References -}}
{{- if $l_first -}}
{{- $l_first = false }}
{{- else -}}
,
{{- end -}}
{
"url": "{{ regexFind "[^ ]+" . }}"
}
{{- end }}
]
}
{{- end -}}
{{- end }}
],
"remediations": []
}
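Review bot: `Title` and `Description` are JSON-escaped with `printf "%q"`, but `VulnerabilityID`, `PkgName`, `InstalledVersion`, `PrimaryURL` and every reference URL are interpolated raw between double quotes (`"name": "{{ .PkgName }}"`, `"url": "{{ regexFind "[^ ]+" . }}"`), so any value containing `"` or `\` would produce a malformed report that GitLab would most likely reject rather than display. Escaping these consistently, e.g. `"name": {{ .PkgName | printf "%q" }},` and `"url": {{ regexFind "[^ ]+" . | printf "%q" }}`, costs nothing and removes the dependency on what the scanner database happens to contain. The hard-coded `"version": "14.0.6"` schema version should also get a comment noting which GitLab report schema it targets so it is updated deliberately.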
.PHONY: clean all .PHONY: clean all
TAG ?= latest TAG ?= latest
TRIVY_VERSION ?= v0.41.0
all: all:
...@@ -103,9 +104,6 @@ tag-broker: ...@@ -103,9 +104,6 @@ tag-broker:
tag-search: tag-search:
docker tag dbrepo-search-service:latest "dbrepo/search-service:${TAG}" docker tag dbrepo-search-service:latest "dbrepo/search-service:${TAG}"
tag-user:
docker tag dbrepo-user-service:latest "dbrepo/user-service:${TAG}"
release: build-docker tag release-identifier release-search release-container release-database release-discovery release-gateway release-query release-table release-analyse release-authentication release-metadata-db release-ui release-units release-broker release-metadata release-user release: build-docker tag release-identifier release-search release-container release-database release-discovery release-gateway release-query release-table release-analyse release-authentication release-metadata-db release-ui release-units release-broker release-metadata release-user
release-analyse: tag-analyse release-analyse: tag-analyse
...@@ -192,6 +190,93 @@ test-semantics-service: build-semantics-service ...@@ -192,6 +190,93 @@ test-semantics-service: build-semantics-service
test-analyse-service: build-analyse-service test-analyse-service: build-analyse-service
bash ./dbrepo-analyse-service/test.sh bash ./dbrepo-analyse-service/test.sh
scan: scan-analyse-service scan-authentication-service scan-broker-service scan-container-service scan-database-service scan-discovery-service scan-gateway-service scan-identifier-service scan-metadata-db scan-metadata-service scan-proxy scan-query-service scan-search-service scan-semantics-service scan-table-service scan-ui scan-user-service
scan-analyse-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-analyse-service-report.json dbrepo-analyse-service:latest
trivy image --exit-code 0 dbrepo-analyse-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-analyse-service:latest
scan-authentication-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-authentication-service-report.json dbrepo-authentication-service:latest
trivy image --exit-code 0 dbrepo-authentication-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-authentication-service:latest
scan-broker-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-broker-service-report.json dbrepo-broker-service:latest
trivy image --exit-code 0 dbrepo-broker-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-broker-service:latest
scan-container-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-container-service-report.json dbrepo-container-service:latest
trivy image --exit-code 0 dbrepo-container-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-container-service:latest
scan-database-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-database-service-report.json dbrepo-database-service:latest
trivy image --exit-code 0 dbrepo-database-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-database-service:latest
scan-discovery-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-discovery-service-report.json dbrepo-discovery-service:latest
trivy image --exit-code 0 dbrepo-discovery-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-discovery-service:latest
scan-gateway-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-gateway-service-report.json dbrepo-gateway-service:latest
trivy image --exit-code 0 dbrepo-gateway-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-gateway-service:latest
scan-identifier-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-identifier-service-report.json dbrepo-identifier-service:latest
trivy image --exit-code 0 dbrepo-identifier-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-identifier-service:latest
scan-metadata-db:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-metadata-db-report.json dbrepo-metadata-db:latest
trivy image --exit-code 0 dbrepo-metadata-db:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-metadata-db:latest
scan-metadata-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-metadata-service-report.json dbrepo-metadata-service:latest
trivy image --exit-code 0 dbrepo-metadata-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-metadata-service:latest
scan-proxy:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-proxy-report.json dbrepo-proxy:latest
trivy image --exit-code 0 dbrepo-proxy:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-proxy:latest
scan-query-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-query-service-report.json dbrepo-query-service:latest
trivy image --exit-code 0 dbrepo-query-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-query-service:latest
scan-search-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-search-service-report.json dbrepo-search-service:latest
trivy image --exit-code 0 dbrepo-search-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-search-service:latest
scan-semantics-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-semantics-service-report.json dbrepo-semantics-service:latest
trivy image --exit-code 0 dbrepo-semantics-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-semantics-service:latest
scan-table-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-table-service-report.json dbrepo-table-service:latest
trivy image --exit-code 0 dbrepo-table-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-table-service:latest
scan-ui:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-ui-report.json dbrepo-ui:latest
trivy image --exit-code 0 dbrepo-ui:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-ui:latest
scan-user-service:
trivy image --exit-code 0 --format template --template "@.trivy/gitlab.tpl" -o ./.trivy/trivy-user-service-report.json dbrepo-user-service:latest
trivy image --exit-code 0 dbrepo-user-service:latest
trivy image --exit-code 1 --severity CRITICAL dbrepo-user-service:latest
coverage-frontend: build-frontend coverage-frontend: build-frontend
yarn --cwd ./dbrepo-ui run coverage || true yarn --cwd ./dbrepo-ui run coverage || true