Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

chore: Adding step for install (#37276)

Browse Source 
## Description
Adding installation step.

Fixes #`37036`  

## Automation

/ok-to-test tags=""

### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results  -->
> [!CAUTION]  
> If you modify the content in this section, you are likely to disrupt
the CI result for your PR.

<!-- end of auto-generated comment: Cypress test results  -->


## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Enhanced vulnerability scanning with new checks for Docker Scout and
Trivy vulnerabilities.
- Added automatic logging and failure alerts for detected
vulnerabilities.

- **Bug Fixes**
- Improved error handling and control flow during Trivy installation and
scanning processes.

- **Chores**
- Updated scripts for better installation logic and output formatting
related to vulnerability data.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This commit is contained in:
Sagar Khalasi 2024-11-07 15:39:33 +05:30 committed by GitHub
parent 15824af382
commit 879fb6d4a3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 67 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/test-vulnerabilities-data.yml vendored
View File

@ -61,7 +61,7 @@ jobs:
"${{ github.event.pull_request.number }}" \ "${{ github.event.pull_request.number }}" \
"${{ github.event.pull_request.html_url }}" \ "${{ github.event.pull_request.html_url }}" \
"${{ github.run_id }}" "${{ github.run_id }}"
- name: Check for new vulnerabilities in Scout and Trivy files - name: Check for new vulnerabilities in Scout and Trivy files
if: always() if: always()
run: | run: |
@ -71,7 +71,7 @@ jobs:
cat scout_new_vulnerabilities.csv cat scout_new_vulnerabilities.csv
exit 1 # Fail the job if data exists exit 1 # Fail the job if data exists
fi fi
# Check if Trivy vulnerabilities file is not empty # Check if Trivy vulnerabilities file is not empty
if [ -s "trivy_new_vulnerabilities.csv" ]; then if [ -s "trivy_new_vulnerabilities.csv" ]; then
echo "Trivy vulnerabilities detected." echo "Trivy vulnerabilities detected."

65
scripts/scout_vulnerabilities_data.sh
View File

@ -21,6 +21,69 @@ GITHUB_PR_LINK="$3"
GITHUB_RUN_ID="$4" GITHUB_RUN_ID="$4"
OLD_VULN_FILE="${5:-vulnerability_base_data.csv}" OLD_VULN_FILE="${5:-vulnerability_base_data.csv}"
# Function to install Docker Scout
install_docker_scout() {
echo "Installing Docker Scout..."
local attempts=0
while [ $attempts -lt 5 ]; do
echo "Attempt $((attempts + 1))..."
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
sh install-scout.sh &> install_scout_log.txt
if [ $? -eq 0 ]; then
echo "Docker Scout installed successfully."
return 0
fi
echo "Attempt $((attempts + 1)) failed. Check install_scout_log.txt for details."
((attempts++))
sleep 2
done
echo "Error: Docker Scout installation failed after $attempts attempts."
exit 1
}
# Check if Docker is installed
if ! command -v docker &> /dev/null; then
echo "Error: Docker is not installed. Please install Docker and try again."
exit 1
fi
# Ensure Docker is running
if ! systemctl is-active --quiet docker; then
echo "Starting Docker..."
sudo systemctl start docker
fi
# Check if Docker Scout is installed
if ! command -v scout &> /dev/null; then
install_docker_scout
fi
# Prepare the output CSV file
CSV_OUTPUT_FILE="scout_vulnerabilities.csv"
rm -f "$CSV_OUTPUT_FILE"
# Extract the product name from the image name
case "$IMAGE" in
*appsmith/appsmith-ce:*) product_name="CE" ;;
*appsmith/appsmith-ee:*) product_name="EE" ;;
*appsmith/cloud-services:*) product_name="CLOUD" ;;
*) product_name="UNKNOWN" ;;
esac
# Fetch vulnerabilities and format the output correctly
docker scout cves "$IMAGE" | grep -E "✗ |CVE-" | awk -v product_name="$product_name" -F' ' '
{
# Check for valid vulnerability data and format it correctly
if ($2 != "" && $3 ~ /^CVE-/) {
# Extract severity level, CVE ID, and format output correctly
print $3","product_name",""SCOUT"","$2
}
}' | sort -u > "$CSV_OUTPUT_FILE"
# Check if the CSV output file is empty
[ -s "$CSV_OUTPUT_FILE" ] || echo "No vulnerabilities found for image: $IMAGE" > "$CSV_OUTPUT_FILE"
# Compare each vulnerability with the database and store new ones in a CSV file # Compare each vulnerability with the database and store new ones in a CSV file
compare_and_store_vulns() { compare_and_store_vulns() {
local new_vulns_file="scout_new_vulnerabilities.csv" local new_vulns_file="scout_new_vulnerabilities.csv"
@ -68,4 +131,4 @@ if [ -s "$CSV_OUTPUT_FILE" ]; then
compare_and_store_vulns compare_and_store_vulns
else else
echo "No vulnerabilities to process." echo "No vulnerabilities to process."
fi fi

3
scripts/trivy_vulnerabilities_data.sh
View File

@ -88,7 +88,6 @@ else
echo "No vulnerabilities found." > "$NEW_VULN_FILE" echo "No vulnerabilities found." > "$NEW_VULN_FILE"
fi fi
# Compare each vulnerability with the database and store new ones in a CSV file # Compare each vulnerability with the database and store new ones in a CSV file
compare_and_store_vulns() { compare_and_store_vulns() {
local new_vulns_file="trivy_new_vulnerabilities.csv" local new_vulns_file="trivy_new_vulnerabilities.csv"
@ -154,4 +153,4 @@ else
fi fi
# Cleanup # Cleanup
rm -f "trivy_vulnerabilities.json" rm -f "trivy_vulnerabilities.json"