Security Scans: Exclude windows container scans (#69977)

* Exclude windows container scans

* Fixes according to reviewer's comments
This commit is contained in:
Dimitris Sotirakis
2023-06-13 10:38:18 +03:00
committed by GitHub
parent fb290235fd
commit fa70fba0e3
6 changed files with 35 additions and 31 deletions


@@ -7050,17 +7050,13 @@ steps:
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana-ci-deploy:1.3.3
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM alpine:3.17.1
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM byrnedo/alpine-curl:0.1.8
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM mcr.microsoft.com/windows:1809
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/ci-wix:0.1.1
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM golang:1.20.4
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/grafana-ci-windows-test:0.1.0
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM plugins/slack
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM postgres:12.3-alpine
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM mysql:5.7.39
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM mysql:8.0.32
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM redis:6.2.11-alpine
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM memcached:1.6.9-alpine
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM docker:windowsservercore-1809
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM us.gcr.io/kubernetes-dev/package-publish:latest
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM osixia/openldap:1.4.0
- trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/drone-downstream
@@ -7076,17 +7072,13 @@ steps:
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana-ci-deploy:1.3.3
- trivy --exit-code 1 --severity HIGH,CRITICAL alpine:3.17.1
- trivy --exit-code 1 --severity HIGH,CRITICAL byrnedo/alpine-curl:0.1.8
- trivy --exit-code 1 --severity HIGH,CRITICAL mcr.microsoft.com/windows:1809
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/ci-wix:0.1.1
- trivy --exit-code 1 --severity HIGH,CRITICAL golang:1.20.4
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/grafana-ci-windows-test:0.1.0
- trivy --exit-code 1 --severity HIGH,CRITICAL plugins/slack
- trivy --exit-code 1 --severity HIGH,CRITICAL postgres:12.3-alpine
- trivy --exit-code 1 --severity HIGH,CRITICAL mysql:5.7.39
- trivy --exit-code 1 --severity HIGH,CRITICAL mysql:8.0.32
- trivy --exit-code 1 --severity HIGH,CRITICAL redis:6.2.11-alpine
- trivy --exit-code 1 --severity HIGH,CRITICAL memcached:1.6.9-alpine
- trivy --exit-code 1 --severity HIGH,CRITICAL docker:windowsservercore-1809
- trivy --exit-code 1 --severity HIGH,CRITICAL us.gcr.io/kubernetes-dev/package-publish:latest
- trivy --exit-code 1 --severity HIGH,CRITICAL osixia/openldap:1.4.0
- trivy --exit-code 1 --severity HIGH,CRITICAL grafana/drone-downstream
@@ -7316,6 +7308,6 @@ kind: secret
name: delivery-bot-app-private-key
---
kind: signature
hmac: 44f95e0e3d9eb3fc8891e94f7205c18e85adacab25b69906d3c5212875baa383
hmac: b3f3cd5171763ddaf3c62e0c83dad0f9705496e53ba7416f6dd3581fa9a5ec27
...


@@ -11,8 +11,8 @@ load(
"from_secret",
)
load(
"scripts/drone/utils/images.star",
"images",
"scripts/drone/utils/windows_images.star",
"windows_images",
)
def publish_ci_windows_test_image_pipeline():
@@ -28,7 +28,7 @@ def publish_ci_windows_test_image_pipeline():
steps = [
{
"name": "clone",
"image": images["wix_image"],
"image": windows_images["wix_image"],
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
},
@@ -39,7 +39,7 @@ def publish_ci_windows_test_image_pipeline():
},
{
"name": "build-and-publish",
"image": images["windows_server_core_image"],
"image": windows_images["windows_server_core_image"],
"environment": {
"DOCKER_USERNAME": from_secret("docker_username"),
"DOCKER_PASSWORD": from_secret("docker_password"),


@@ -15,8 +15,8 @@ load(
"windows_wire_install_step",
)
load(
"scripts/drone/utils/images.star",
"images",
"scripts/drone/utils/windows_images.star",
"windows_images",
)
def windows_test_backend(trigger, edition, ver_mode):
@@ -39,7 +39,7 @@ def windows_test_backend(trigger, edition, ver_mode):
else:
steps.extend([{
"name": "windows-init",
"image": images["windows_go_image"],
"image": windows_images["windows_go_image"],
"depends_on": ["clone"],
"commands": [],
}])


@@ -11,6 +11,10 @@ load(
"scripts/drone/utils/images.star",
"images",
)
load(
"scripts/drone/utils/windows_images.star",
"windows_images",
)
grabpl_version = "v3.0.38"
@@ -56,7 +60,7 @@ def wire_install_step():
def windows_wire_install_step(edition):
return {
"name": "wire-install",
"image": images["windows_go_image"],
"image": windows_images["windows_go_image"],
"commands": [
"go install github.com/google/wire/cmd/wire@v0.5.0",
"wire gen -tags {} ./pkg/server".format(edition),
@@ -78,7 +82,7 @@ def identify_runner_step(platform = "linux"):
else:
return {
"name": "identify-runner",
"image": images["windows_image"],
"image": windows_images["1809_image"],
"commands": [
"echo $env:DRONE_RUNNER_NAME",
],
@@ -235,7 +239,7 @@ def windows_init_enterprise_steps(ver_mode):
download_grabpl_step(platform = "windows"),
{
"name": "clone",
"image": images["wix_image"],
"image": windows_images["wix_image"],
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
},
@@ -243,7 +247,7 @@ def windows_init_enterprise_steps(ver_mode):
},
{
"name": "windows-init",
"image": images["wix_image"],
"image": windows_images["wix_image"],
"commands": init_cmds,
"depends_on": ["clone"],
"environment": {"GITHUB_TOKEN": from_secret("github_token")},
@@ -256,7 +260,7 @@ def download_grabpl_step(platform = "linux"):
if platform == "windows":
return {
"name": "grabpl",
"image": images["wix_image"],
"image": windows_images["wix_image"],
"commands": [
'$$ProgressPreference = "SilentlyContinue"',
"Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/{}/windows/grabpl.exe -OutFile grabpl.exe".format(
@@ -692,7 +696,7 @@ def test_backend_step(image = images["build_image"]):
}
def windows_test_backend_step():
step = test_backend_step(image = images["windows_go_image"])
step = test_backend_step(image = windows_images["windows_go_image"])
return step
def test_backend_integration_step():
@@ -1415,7 +1419,7 @@ def publish_linux_packages_step(edition, package_manager = "deb"):
def windows_clone_step():
return {
"name": "clone",
"image": images["wix_image"],
"image": windows_images["wix_image"],
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
},
@@ -1475,7 +1479,7 @@ def get_windows_steps(edition, ver_mode):
[
{
"name": "clone",
"image": images["wix_image"],
"image": windows_images["wix_image"],
"environment": {
"GITHUB_TOKEN": from_secret("github_token"),
},
@@ -1483,7 +1487,7 @@ def get_windows_steps(edition, ver_mode):
},
{
"name": "windows-init",
"image": images["wix_image"],
"image": windows_images["wix_image"],
"commands": init_cmds,
"depends_on": ["clone"],
"environment": {"GITHUB_TOKEN": from_secret("github_token")},
@@ -1502,7 +1506,7 @@ def get_windows_steps(edition, ver_mode):
[
{
"name": "windows-init",
"image": images["wix_image"],
"image": windows_images["wix_image"],
"commands": init_cmds,
},
],
@@ -1577,7 +1581,7 @@ def get_windows_steps(edition, ver_mode):
steps.append(
{
"name": "build-windows-installer",
"image": images["wix_image"],
"image": windows_images["wix_image"],
"depends_on": [
"windows-init",
],
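Review bot: In the identify-runner hunk (`@@ -78,7 +82,7`) the key `windows_image` becomes `windows_images["1809_image"]`, which bakes the Windows release into the identifier every caller spells out, while the other three keys in the new map (`wix_image`, `windows_server_core_image`, `windows_go_image`) are named by role. Bumping the base image later means either renaming the key at this call site or leaving a `1809_image` key pointing at a tag that is no longer 1809. Keeping the role-based name, `"image": windows_images["windows_image"],` here and the matching `"windows_image"` key in the new windows_images.star, would keep the map consistent with itself and with the old images.star key. The body of identify_runner_step starts outside the hunk, so I have not checked the linux branch.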


@@ -8,17 +8,13 @@ images = {
"publish_image": "grafana/grafana-ci-deploy:1.3.3",
"alpine_image": "alpine:3.17.1",
"curl_image": "byrnedo/alpine-curl:0.1.8",
"windows_image": "mcr.microsoft.com/windows:1809",
"wix_image": "grafana/ci-wix:0.1.1",
"go_image": "golang:1.20.4",
"windows_go_image": "grafana/grafana-ci-windows-test:0.1.0",
"plugins_slack_image": "plugins/slack",
"postgres_alpine_image": "postgres:12.3-alpine",
"mysql5_image": "mysql:5.7.39",
"mysql8_image": "mysql:8.0.32",
"redis_alpine_image": "redis:6.2.11-alpine",
"memcached_alpine_image": "memcached:1.6.9-alpine",
"windows_server_core_image": "docker:windowsservercore-1809",
"package_publish_image": "us.gcr.io/kubernetes-dev/package-publish:latest",
"openldap_image": "osixia/openldap:1.4.0",
"drone_downstream_image": "grafana/drone-downstream",


@@ -0,0 +1,12 @@
"""
This module contains all the windows docker images that are used to build test and publish Grafana.
All the windows images needed to be in a different file than the other images, since they cannot be scanned
by trivy. Related issue: https://github.com/aquasecurity/trivy/issues/1392
"""
windows_images = {
"1809_image": "mcr.microsoft.com/windows:1809",
"wix_image": "grafana/ci-wix:0.1.1",
"windows_server_core_image": "docker:windowsservercore-1809",
"windows_go_image": "grafana/grafana-ci-windows-test:0.1.0",
}
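Review bot: The module docstring says why these images live in a separate file but not the consequence for whoever edits it next: the trivy steps in the generated .drone.yml (first file section) no longer list any of these four images, presumably because the scan steps are generated from `images` alone, so this map is in effect a scan-exclusion list and anything added to it is not scanned. A sentence after the issue link such as `Images listed here are skipped by the trivy scan steps; add only Windows-based images that trivy cannot scan, and move an image back to images.star once the linked issue is resolved.` would make that contract explicit. It would also be worth stating that the tags here must be kept in step with the versions referenced elsewhere, since nothing in the hunk ties them together.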