Security Scans: Exclude windows container scans (#69977)

* Exclude windows container scans

* Fixes according to reviewer's comments
Dimitris Sotirakis
2023-06-13 10:38:18 +03:00
committed by GitHub
parent fb290235fd
commit fa70fba0e3
6 changed files with 35 additions and 31 deletions


@@ -7050,17 +7050,13 @@ steps:
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana-ci-deploy:1.3.3 - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana-ci-deploy:1.3.3
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM alpine:3.17.1 - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM alpine:3.17.1
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM byrnedo/alpine-curl:0.1.8 - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM byrnedo/alpine-curl:0.1.8
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM mcr.microsoft.com/windows:1809
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/ci-wix:0.1.1
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM golang:1.20.4 - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM golang:1.20.4
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana-ci-windows-test:0.1.0
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM plugins/slack - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM plugins/slack
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM postgres:12.3-alpine - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM postgres:12.3-alpine
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM mysql:5.7.39 - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM mysql:5.7.39
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM mysql:8.0.32 - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM mysql:8.0.32
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM redis:6.2.11-alpine - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM redis:6.2.11-alpine
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM memcached:1.6.9-alpine - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM memcached:1.6.9-alpine
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM docker:windowsservercore-1809
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us.gcr.io/kubernetes-dev/package-publish:latest - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us.gcr.io/kubernetes-dev/package-publish:latest
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM osixia/openldap:1.4.0 - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM osixia/openldap:1.4.0
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/drone-downstream - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/drone-downstream
@@ -7076,17 +7072,13 @@ steps:
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana-ci-deploy:1.3.3 - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana-ci-deploy:1.3.3
- trivy --exit-code 1 --severity HIGH,CRITICAL alpine:3.17.1 - trivy --exit-code 1 --severity HIGH,CRITICAL alpine:3.17.1
- trivy --exit-code 1 --severity HIGH,CRITICAL byrnedo/alpine-curl:0.1.8 - trivy --exit-code 1 --severity HIGH,CRITICAL byrnedo/alpine-curl:0.1.8
- trivy --exit-code 1 --severity HIGH,CRITICAL mcr.microsoft.com/windows:1809
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/ci-wix:0.1.1
- trivy --exit-code 1 --severity HIGH,CRITICAL golang:1.20.4 - trivy --exit-code 1 --severity HIGH,CRITICAL golang:1.20.4
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana-ci-windows-test:0.1.0
- trivy --exit-code 1 --severity HIGH,CRITICAL plugins/slack - trivy --exit-code 1 --severity HIGH,CRITICAL plugins/slack
- trivy --exit-code 1 --severity HIGH,CRITICAL postgres:12.3-alpine - trivy --exit-code 1 --severity HIGH,CRITICAL postgres:12.3-alpine
- trivy --exit-code 1 --severity HIGH,CRITICAL mysql:5.7.39 - trivy --exit-code 1 --severity HIGH,CRITICAL mysql:5.7.39
- trivy --exit-code 1 --severity HIGH,CRITICAL mysql:8.0.32 - trivy --exit-code 1 --severity HIGH,CRITICAL mysql:8.0.32
- trivy --exit-code 1 --severity HIGH,CRITICAL redis:6.2.11-alpine - trivy --exit-code 1 --severity HIGH,CRITICAL redis:6.2.11-alpine
- trivy --exit-code 1 --severity HIGH,CRITICAL memcached:1.6.9-alpine - trivy --exit-code 1 --severity HIGH,CRITICAL memcached:1.6.9-alpine
- trivy --exit-code 1 --severity HIGH,CRITICAL docker:windowsservercore-1809
- trivy --exit-code 1 --severity HIGH,CRITICAL us.gcr.io/kubernetes-dev/package-publish:latest - trivy --exit-code 1 --severity HIGH,CRITICAL us.gcr.io/kubernetes-dev/package-publish:latest
- trivy --exit-code 1 --severity HIGH,CRITICAL osixia/openldap:1.4.0 - trivy --exit-code 1 --severity HIGH,CRITICAL osixia/openldap:1.4.0
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/drone-downstream - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/drone-downstream
@@ -7316,6 +7308,6 @@ kind: secret
name: delivery-bot-app-private-key name: delivery-bot-app-private-key
--- ---
kind: signature kind: signature
hmac: 44f95e0e3d9eb3fc8891e94f7205c18e85adacab25b69906d3c5212875baa383 hmac: b3f3cd5171763ddaf3c62e0c83dad0f9705496e53ba7416f6dd3581fa9a5ec27
... ...


@@ -11,8 +11,8 @@ load(
"from_secret", "from_secret",
) )
load( load(
"scripts/drone/utils/images.star", "scripts/drone/utils/windows_images.star",
"images", "windows_images",
) )
def publish_ci_windows_test_image_pipeline(): def publish_ci_windows_test_image_pipeline():
@@ -28,7 +28,7 @@ def publish_ci_windows_test_image_pipeline():
steps = [ steps = [
{ {
"name": "clone", "name": "clone",
"image": images["wix_image"], "image": windows_images["wix_image"],
"environment": { "environment": {
"GITHUB_TOKEN": from_secret("github_token"), "GITHUB_TOKEN": from_secret("github_token"),
}, },
@@ -39,7 +39,7 @@ def publish_ci_windows_test_image_pipeline():
}, },
{ {
"name": "build-and-publish", "name": "build-and-publish",
"image": images["windows_server_core_image"], "image": windows_images["windows_server_core_image"],
"environment": { "environment": {
"DOCKER_USERNAME": from_secret("docker_username"), "DOCKER_USERNAME": from_secret("docker_username"),
"DOCKER_PASSWORD": from_secret("docker_password"), "DOCKER_PASSWORD": from_secret("docker_password"),


@@ -15,8 +15,8 @@ load(
"windows_wire_install_step", "windows_wire_install_step",
) )
load( load(
"scripts/drone/utils/images.star", "scripts/drone/utils/windows_images.star",
"images", "windows_images",
) )
def windows_test_backend(trigger, edition, ver_mode): def windows_test_backend(trigger, edition, ver_mode):
@@ -39,7 +39,7 @@ def windows_test_backend(trigger, edition, ver_mode):
else: else:
steps.extend([{ steps.extend([{
"name": "windows-init", "name": "windows-init",
"image": images["windows_go_image"], "image": windows_images["windows_go_image"],
"depends_on": ["clone"], "depends_on": ["clone"],
"commands": [], "commands": [],
}]) }])


@@ -11,6 +11,10 @@ load(
"scripts/drone/utils/images.star", "scripts/drone/utils/images.star",
"images", "images",
) )
load(
"scripts/drone/utils/windows_images.star",
"windows_images",
)
grabpl_version = "v3.0.38" grabpl_version = "v3.0.38"
@@ -56,7 +60,7 @@ def wire_install_step():
def windows_wire_install_step(edition): def windows_wire_install_step(edition):
return { return {
"name": "wire-install", "name": "wire-install",
"image": images["windows_go_image"], "image": windows_images["windows_go_image"],
"commands": [ "commands": [
"go install github.com/google/wire/cmd/wire@v0.5.0", "go install github.com/google/wire/cmd/wire@v0.5.0",
"wire gen -tags {} ./pkg/server".format(edition), "wire gen -tags {} ./pkg/server".format(edition),
@@ -78,7 +82,7 @@ def identify_runner_step(platform = "linux"):
else: else:
return { return {
"name": "identify-runner", "name": "identify-runner",
"image": images["windows_image"], "image": windows_images["1809_image"],
"commands": [ "commands": [
"echo $env:DRONE_RUNNER_NAME", "echo $env:DRONE_RUNNER_NAME",
], ],
@@ -235,7 +239,7 @@ def windows_init_enterprise_steps(ver_mode):
download_grabpl_step(platform = "windows"), download_grabpl_step(platform = "windows"),
{ {
"name": "clone", "name": "clone",
"image": images["wix_image"], "image": windows_images["wix_image"],
"environment": { "environment": {
"GITHUB_TOKEN": from_secret("github_token"), "GITHUB_TOKEN": from_secret("github_token"),
}, },
@@ -243,7 +247,7 @@ def windows_init_enterprise_steps(ver_mode):
}, },
{ {
"name": "windows-init", "name": "windows-init",
"image": images["wix_image"], "image": windows_images["wix_image"],
"commands": init_cmds, "commands": init_cmds,
"depends_on": ["clone"], "depends_on": ["clone"],
"environment": {"GITHUB_TOKEN": from_secret("github_token")}, "environment": {"GITHUB_TOKEN": from_secret("github_token")},
@@ -256,7 +260,7 @@ def download_grabpl_step(platform = "linux"):
if platform == "windows": if platform == "windows":
return { return {
"name": "grabpl", "name": "grabpl",
"image": images["wix_image"], "image": windows_images["wix_image"],
"commands": [ "commands": [
'$$ProgressPreference = "SilentlyContinue"', '$$ProgressPreference = "SilentlyContinue"',
"Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/{}/windows/grabpl.exe -OutFile grabpl.exe".format( "Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/{}/windows/grabpl.exe -OutFile grabpl.exe".format(
@@ -692,7 +696,7 @@ def test_backend_step(image = images["build_image"]):
} }
def windows_test_backend_step(): def windows_test_backend_step():
step = test_backend_step(image = images["windows_go_image"]) step = test_backend_step(image = windows_images["windows_go_image"])
return step return step
def test_backend_integration_step(): def test_backend_integration_step():
@@ -1415,7 +1419,7 @@ def publish_linux_packages_step(edition, package_manager = "deb"):
def windows_clone_step(): def windows_clone_step():
return { return {
"name": "clone", "name": "clone",
"image": images["wix_image"], "image": windows_images["wix_image"],
"environment": { "environment": {
"GITHUB_TOKEN": from_secret("github_token"), "GITHUB_TOKEN": from_secret("github_token"),
}, },
@@ -1475,7 +1479,7 @@ def get_windows_steps(edition, ver_mode):
[ [
{ {
"name": "clone", "name": "clone",
"image": images["wix_image"], "image": windows_images["wix_image"],
"environment": { "environment": {
"GITHUB_TOKEN": from_secret("github_token"), "GITHUB_TOKEN": from_secret("github_token"),
}, },
@@ -1483,7 +1487,7 @@ def get_windows_steps(edition, ver_mode):
}, },
{ {
"name": "windows-init", "name": "windows-init",
"image": images["wix_image"], "image": windows_images["wix_image"],
"commands": init_cmds, "commands": init_cmds,
"depends_on": ["clone"], "depends_on": ["clone"],
"environment": {"GITHUB_TOKEN": from_secret("github_token")}, "environment": {"GITHUB_TOKEN": from_secret("github_token")},
@@ -1502,7 +1506,7 @@ def get_windows_steps(edition, ver_mode):
[ [
{ {
"name": "windows-init", "name": "windows-init",
"image": images["wix_image"], "image": windows_images["wix_image"],
"commands": init_cmds, "commands": init_cmds,
}, },
], ],
@@ -1577,7 +1581,7 @@ def get_windows_steps(edition, ver_mode):
steps.append( steps.append(
{ {
"name": "build-windows-installer", "name": "build-windows-installer",
"image": images["wix_image"], "image": windows_images["wix_image"],
"depends_on": [ "depends_on": [
"windows-init", "windows-init",
], ],
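Review bot: `identify_runner_step` now reads `windows_images["1809_image"]`, a key named after the Windows build number rather than the image's role, unlike every other key in both image maps (`wix_image`, `windows_go_image`, `windows_server_core_image`); `docker:windowsservercore-1809` is also an 1809 image, so the number does not even disambiguate. A role-based key such as `"windows_base_image"` keeps the maps consistent and survives a future move off 1809 without a rename across callers. The remaining hunks in this file are a mechanical `images` → `windows_images` swap on steps that carry `github_token` and Docker credentials; since those images are no longer scanned, a one-line comment next to the new `load("scripts/drone/utils/windows_images.star", ...)` such as `# windows images are excluded from the trivy scan step; see windows_images.star` would make that trade-off visible where the images are consumed. The functions touched here start or end outside the hunks shown.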


@@ -8,17 +8,13 @@ images = {
"publish_image": "grafana/grafana-ci-deploy:1.3.3", "publish_image": "grafana/grafana-ci-deploy:1.3.3",
"alpine_image": "alpine:3.17.1", "alpine_image": "alpine:3.17.1",
"curl_image": "byrnedo/alpine-curl:0.1.8", "curl_image": "byrnedo/alpine-curl:0.1.8",
"windows_image": "mcr.microsoft.com/windows:1809",
"wix_image": "grafana/ci-wix:0.1.1",
"go_image": "golang:1.20.4", "go_image": "golang:1.20.4",
"windows_go_image": "grafana/grafana-ci-windows-test:0.1.0",
"plugins_slack_image": "plugins/slack", "plugins_slack_image": "plugins/slack",
"postgres_alpine_image": "postgres:12.3-alpine", "postgres_alpine_image": "postgres:12.3-alpine",
"mysql5_image": "mysql:5.7.39", "mysql5_image": "mysql:5.7.39",
"mysql8_image": "mysql:8.0.32", "mysql8_image": "mysql:8.0.32",
"redis_alpine_image": "redis:6.2.11-alpine", "redis_alpine_image": "redis:6.2.11-alpine",
"memcached_alpine_image": "memcached:1.6.9-alpine", "memcached_alpine_image": "memcached:1.6.9-alpine",
"windows_server_core_image": "docker:windowsservercore-1809",
"package_publish_image": "us.gcr.io/kubernetes-dev/package-publish:latest", "package_publish_image": "us.gcr.io/kubernetes-dev/package-publish:latest",
"openldap_image": "osixia/openldap:1.4.0", "openldap_image": "osixia/openldap:1.4.0",
"drone_downstream_image": "grafana/drone-downstream", "drone_downstream_image": "grafana/drone-downstream",


@@ -0,0 +1,12 @@
"""
This module contains all the windows docker images that are used to build test and publish Grafana.
All the windows images needed to be in a different file than the other images, since they cannot be scanned
by trivy. Related issue: https://github.com/aquasecurity/trivy/issues/1392
"""
windows_images = {
"1809_image": "mcr.microsoft.com/windows:1809",
"wix_image": "grafana/ci-wix:0.1.1",
"windows_server_core_image": "docker:windowsservercore-1809",
"windows_go_image": "grafana/grafana-ci-windows-test:0.1.0",
}
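Review bot: The four images in `windows_images` are now outside the trivy gate entirely, yet the CI steps that use them run with `github_token` and Docker Hub credentials, so this change widens the unscanned part of the build supply chain rather than just removing scanner noise. Two of the references, `mcr.microsoft.com/windows:1809` and `docker:windowsservercore-1809`, are mutable tags; pinning each entry to an `@sha256:` digest would at least make the unscanned content reproducible and force a visible review when it changes. The docstring should also state the consequence, not just the cause, e.g. `Images listed here are NOT covered by the trivy security-scan step; review upgrades of these tags manually.`, and keep the upstream issue link so the exclusion can be revisited once trivy supports Windows images.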