ZeroDownTime/jenkins-podman
3
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Compare commits

base: ZeroDownTime:master
Branches Tags
ZeroDownTime:master
ZeroDownTime:v0.6.0
ZeroDownTime:v0.5.1
ZeroDownTime:v0.5.0
ZeroDownTime:v0.4.6
ZeroDownTime:v0.4.5
ZeroDownTime:v0.4.4
ZeroDownTime:v0.4.3
ZeroDownTime:v0.4.2
ZeroDownTime:v0.4.1
ZeroDownTime:v0.4.0
ZeroDownTime:v0.3.2
ZeroDownTime:v0.3.1
ZeroDownTime:v0.3.0
ZeroDownTime:v0.2.5
ZeroDownTime:v0.2.4
ZeroDownTime:v0.2.3
ZeroDownTime:v0.2.2
..
compare: ZeroDownTime:v0.2.5
Branches Tags
ZeroDownTime:master
ZeroDownTime:v0.6.0
ZeroDownTime:v0.5.1
ZeroDownTime:v0.5.0
ZeroDownTime:v0.4.6
ZeroDownTime:v0.4.5
ZeroDownTime:v0.4.4
ZeroDownTime:v0.4.3
ZeroDownTime:v0.4.2
ZeroDownTime:v0.4.1
ZeroDownTime:v0.4.0
ZeroDownTime:v0.3.2
ZeroDownTime:v0.3.1
ZeroDownTime:v0.3.0
ZeroDownTime:v0.2.5
ZeroDownTime:v0.2.4
ZeroDownTime:v0.2.3
ZeroDownTime:v0.2.2

No commits in common. "master" and "v0.2.5" have entirely different histories.
master ... v0.2.5

17 changed files with 391 additions and 282 deletions
Show Stats Expand all files Collapse all files

16
.ci/README.md
View File

@ -2,22 +2,6 @@
Various toolchain bits and pieces shared between projects
# Quickstart
Create top-level Makefile
```
REGISTRY := <your-registry>
IMAGE := <image_name>
REGION := <AWS region of your registry>
include .ci/podman.mk
```
Add subtree to your project:
```
git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash
```
## Jenkins
Shared groovy libraries

63
.ci/ecr_public_lifecycle.py
View File

@ -1,63 +0,0 @@
#!/usr/bin/env python3
import argparse
import boto3
parser = argparse.ArgumentParser(
description='Implement basic public ECR lifecycle policy')
parser.add_argument('--repo', dest='repositoryName', action='store', required=True,
help='Name of the public ECR repository')
parser.add_argument('--keep', dest='keep', action='store', default=10, type=int,
help='number of tagged images to keep, default 10')
parser.add_argument('--dev', dest='delete_dev', action='store_true',
help='also delete in-development images only having tags like v0.1.1-commitNr-githash')
args = parser.parse_args()
client = boto3.client('ecr-public', region_name='us-east-1')
images = client.describe_images(repositoryName=args.repositoryName)[
"imageDetails"]
untagged = []
kept = 0
# actual Image
# imageManifestMediaType: 'application/vnd.oci.image.manifest.v1+json'
# image Index
# imageManifestMediaType: 'application/vnd.oci.image.index.v1+json'
# Sort by date uploaded
for image in sorted(images, key=lambda d: d['imagePushedAt'], reverse=True):
# Remove all untagged
# if registry uses image index all actual images will be untagged anyways
if 'imageTags' not in image:
untagged.append({"imageDigest": image['imageDigest']})
# print("Delete untagged image {}".format(image["imageDigest"]))
continue
# check for dev tags
if args.delete_dev:
_delete = True
for tag in image["imageTags"]:
# Look for at least one tag NOT beign a SemVer dev tag
if "-" not in tag:
_delete = False
if _delete:
print("Deleting development image {}".format(image["imageTags"]))
untagged.append({"imageDigest": image['imageDigest']})
continue
if kept < args.keep:
kept = kept+1
print("Keeping tagged image {}".format(image["imageTags"]))
continue
else:
print("Deleting tagged image {}".format(image["imageTags"]))
untagged.append({"imageDigest": image['imageDigest']})
deleted_images = client.batch_delete_image(
repositoryName=args.repositoryName, imageIds=untagged)
if deleted_images["imageIds"]:
print("Deleted images: {}".format(deleted_images["imageIds"]))

107
.ci/podman.mk
View File

@ -1,84 +1,55 @@
# Parse version from latest git semver tag
GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
TAG ::= $(GIT_TAG)
# append branch name to tag if NOT main nor master
ifeq (,$(filter main master, $(GIT_BRANCH)))
# If branch is substring of tag, omit branch name
ifeq ($(findstring $(GIT_BRANCH), $(GIT_TAG)),)
# only append branch name if not equal tag
ifneq ($(GIT_TAG), $(GIT_BRANCH))
# Sanitize GIT_BRANCH to allowed Docker tag character set
TAG = $(GIT_TAG)-$(shell echo $$GIT_BRANCH | sed -e 's/[^a-zA-Z0-9]/-/g')
endif
endif
ifeq ($(TRIVY_REMOTE),)
TRIVY_OPTS := image
else
TRIVY_OPTS := client --remote ${TRIVY_REMOTE}
endif
ARCH ::= amd64
ALL_ARCHS ::= amd64 arm64
_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
.PHONY: build test scan push clean
ifneq ($(TRIVY_REMOTE),)
TRIVY_OPTS ::= --server $(TRIVY_REMOTE)
endif
all: test
.SILENT: ; # no need for @
.ONESHELL: ; # recipes execute in same shell
.NOTPARALLEL: ; # wait for this target to finish
.EXPORT_ALL_VARIABLES: ; # send all vars to shell
.PHONY: all # All targets are accessible for user
.DEFAULT: help # Running Make will run the help target
help: ## Show Help
grep -E '^[a-zA-Z_-]+:.*?## .*$$' .ci/podman.mk | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
build:
@docker image exists $(IMAGE):$(TAG) || \
docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
prepare:: ## custom step on the build agent before building
test: build rm-test-image
@test -f Dockerfile.test && \
docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test . || \
echo "No Dockerfile.test found, skipping test"
fmt:: ## auto format source
scan: build
@echo "Scanning $(IMAGE):$(TAG) using Trivy"
@trivy $(TRIVY_OPTS) $(IMAGE):$(TAG)
lint:: ## Lint source
push: build
@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
@docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest
docker push $(REGISTRY)/$(IMAGE):$(TAG)
docker push $(REGISTRY)/$(IMAGE):latest
build: ## Build the app
buildah build --rm --layers -t $(IMAGE):$(TAG)-$(_ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(_ARCH) --platform linux/$(_ARCH) .
clean: rm-test-image rm-image
test:: ## test built artificats
scan: ## Scan image using trivy
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
# first tag and push all actual images
# create new manifest for each tag and add all available TAG-ARCH before pushing
push: ecr-login ## push images to registry
for t in $(TAG) latest $(EXTRA_TAGS); do \
echo "Tagging image with $(REGISTRY)/$(IMAGE):$${t}-$(ARCH)"
buildah tag $(IMAGE):$(TAG)-$(_ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(_ARCH); \
buildah manifest rm $(IMAGE):$$t || true; \
buildah manifest create $(IMAGE):$$t; \
for a in $(ALL_ARCHS); do \
buildah manifest add $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$(TAG)-$$a; \
done; \
echo "Pushing manifest $(IMAGE):$$t"
buildah manifest push --all $(IMAGE):$$t docker://$(REGISTRY)/$(IMAGE):$$t; \
done
ecr-login: ## log into AWS ECR public
aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
rm-remote-untagged: ## delete all remote untagged and in-dev images, keep 10 tagged
echo "Removing all untagged and in-dev images from $(IMAGE) in $(REGION)"
.ci/ecr_public_lifecycle.py --repo $(IMAGE) --dev
clean:: ## clean up source folder
# Delete all untagged images
.PHONY: rm-remote-untagged
rm-remote-untagged:
@echo "Removing all untagged images from $(IMAGE) in $(REGION)"
@aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
.PHONY: rm-image
rm-image:
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH) > /dev/null
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || echo "Error: Removing image failed"
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || docker image rm -f $(IMAGE):$(TAG) > /dev/null
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || echo "Error: Removing image failed"
## some useful tasks during development
ci-pull-upstream: ## pull latest shared .ci subtree
git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
# Ensure we run the tests by removing any previous runs
.PHONY: rm-test-image
rm-test-image:
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed"
create-repo: ## create new AWS ECR public repository
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
.DEFAULT:
@echo "$@ not implemented. NOOP"

49
.ci/vars/buildPodman.groovy
View File

@ -2,33 +2,24 @@
def call(Map config=[:]) {
pipeline {
options {
disableConcurrentBuilds()
}
agent {
node {
label 'podman-aws-trivy'
}
}
stages {
stage('Prepare') {
// get tags
steps {
sh 'mkdir -p reports'
// we set pull tags as project adv. options
// pull tags
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
// sh 'git fetch -q --tags ${GIT_URL}'
//}
// Optional project specific preparations
sh 'make prepare'
sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
}
}
// Build using rootless podman
stage('Build') {
steps {
sh 'make build GIT_BRANCH=$GIT_BRANCH'
sh 'make build'
}
}
@ -40,13 +31,13 @@ def call(Map config=[:]) {
// Scan via trivy
stage('Scan') {
environment {
TRIVY_FORMAT = "template"
TRIVY_OUTPUT = "reports/trivy.html"
}
steps {
// we always scan and create the full json report
sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
// render custom full html report
sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
sh 'mkdir -p reports'
sh 'make scan'
publishHTML target: [
allowMissing: true,
alwaysLinkToLastBuild: true,
@ -56,33 +47,19 @@ def call(Map config=[:]) {
reportName: 'TrivyScan',
reportTitles: 'TrivyScan'
]
sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
// fail build if issues found above trivy threshold
script {
if ( config.trivyFail ) {
sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
}
}
// Scan again and fail on CRITICAL vulns
sh "[ \"${config.trivyFail}\" == \"NONE\" ] || TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
}
}
// Push to container registry if not PR
// incl. basic registry retention removing any untagged images
// Push to ECR
stage('Push') {
when { not { changeRequest() } }
steps {
sh 'make push'
sh 'make rm-remote-untagged'
}
}
// generic clean
stage('cleanup') {
steps {
sh 'make clean'
}
}
}
}
}

1
.gitignore vendored
View File

@ -1 +0,0 @@
report.html

71
Dockerfile
View File

@ -1,55 +1,56 @@
# https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile
# https://hub.docker.com/r/jenkins/inbound-agent/tags
ARG BASE="4.13-2-alpine-jdk17-preview"
FROM jenkins/inbound-agent:alpine-jdk21@sha256:a7e633f06d8a1af720e30cd5421b8ba58230ec34af250a07d61cba0df88c587b
FROM jenkins/inbound-agent:${BASE}
ARG BUILDUSER=jenkins
ARG USER=jenkins
USER root
RUN echo "@edge-testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
apk upgrade -U --available --no-cache && \
apk add --no-cache \
tini \
make \
jq \
yq \
strace \
fuse-overlayfs \
podman \
buildah \
py-boto3 \
aws-cli \
trivy@edge-testing
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
&& apk upgrade -U --available --no-cache \
&& apk add --no-cache \
tini \
make \
yq \
strace \
fuse-overlayfs \
podman \
buildah \
aws-cli \
trivy
# Trivy html template
ADD --chown=$BUILDUSER:$BUILDUSER html.tpl /home/$BUILDUSER
ADD --chown=jenkins:jenkins html.tpl /home/jenkins
# Rootless podman
RUN mkdir -p /home/$BUILDUSER/.config/containers
RUN mkdir -p /home/$USER/.local/share/containers && \
chown $USER:$USER -R /home/$USER
ADD entrypoint.sh /usr/local/bin/entrypoint.sh
# conf/registries.conf will be mounted RO at runtime to inherit worker settings incl. caching proxies
ADD --chown=$BUILDUSER:$BUILDUSER conf/containers.conf conf/storage.conf /home/$BUILDUSER/.config/containers
ADD conf/containers.conf conf/registries.conf conf/storage.conf /etc/containers/
ADD --chown=$USER:$USER conf/podman-containers.conf /home/$USER/.config/containers/containers.conf
RUN echo -e "$BUILDUSER:100000:65535" > /etc/subuid && \
echo -e "$BUILDUSER:100000:65535" > /etc/subgid && \
cd /usr/bin && ln -s podman docker && \
chown $BUILDUSER:$BUILDUSER -R /home/$BUILDUSER
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers \
/var/lib/shared/vfs-images /var/lib/shared/vfs-layers && \
touch /var/lib/shared/overlay-images/images.lock /var/lib/shared/overlay-layers/layers.lock \
/var/lib/shared/vfs-images/images.lock /var/lib/shared/vfs-layers/layers.lock && \
mkdir /tmp/podman-run-1000 && chown $USER:$USER /tmp/podman-run-1000 && chmod 700 /tmp/podman-run-1000 && \
echo -e "$USER:1:999\n$USER:1001:64535" > /etc/subuid && \
echo -e "$USER:1:999\n$USER:1001:64535" > /etc/subgid && \
mkdir /workspace && \
cd /usr/bin && ln -s podman docker
# Patch jenkins-agent to launch podman service
RUN sed -i -e 's/exec \$JAVA_BIN/podman system service -t0\&\n exec \$JAVA_BIN/' /usr/local/bin/jenkins-agent
ENV XDG_RUNTIME_DIR=/home/$BUILDUSER/agent/xdg-run
ENV XDG_CONFIG_HOME=/home/$BUILDUSER/.config
ENV BUILDAH_ISOLATION=chroot
ENV XDG_RUNTIME_DIR=/tmp/podman-run-1000
ENV _CONTAINERS_USERNS_CONFIGURED=""
ENV BUILDAH_ISOLATION=chroot
ENV TRIVY_TEMPLATE="@/home/jenkins/html.tpl"
# Until we setup the logging and metrics pipelines in OTEL
ENV OTEL_LOGS_EXPORTER=none
ENV OTEL_METRICS_EXPORTER=none
USER jenkins
USER $BUILDUSER
# Allow container layers to be stored in PVCs
VOLUME /home/jenkins/.local/share/containers
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"]
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/jenkins-agent"]

2
Jenkinsfile vendored
View File

@ -2,4 +2,4 @@ library identifier: 'zdt-lib@master', retriever: modernSCM(
[$class: 'GitSCMSource',
remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git'])
buildPodman name: 'jenkins-podman'
buildPodman name: 'jenkins-podman', trivyFail: 'NONE'

2
README.md
View File

@ -1,6 +1,4 @@
# jenkins-podman
Podman / buildah Jenkins agent.
Public Repo: https://gallery.ecr.aws/zero-downtime/jenkins-podman
# Resources

1
conf/containers.conf
View File

@ -1,5 +1,4 @@
[containers]
volumes = [ "/proc:/proc" ]
netns="host"
userns="host"
ipcns="host"

4
conf/podman-containers.conf Normal file
View File

@ -0,0 +1,4 @@
[containers]
volumes = [
"/proc:/proc",
]

2
conf/registries.conf Normal file
View File

@ -0,0 +1,2 @@
# Note that changing the order here may break lazy devs Dockerfile
unqualified-search-registries = [ "gcr.io", "quay.io", "docker.io", "registry.fedoraproject.org"]

14
conf/storage.conf
View File

@ -1,4 +1,14 @@
[storage]
driver = "overlay"
runroot = "/home/jenkins/agent/containers/run"
graphroot = "/home/jenkins/agent/containers/storage"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
[storage.options]
additionalimagestores = [
"/var/lib/shared",
]
[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev,fsync=0"
[storage.options.thinpool]

4
entrypoint.sh
View File

@ -1,4 +0,0 @@
#!/bin/sh
mkdir -p $HOME/xdg-run $HOME/containers/run $HOME/containers/storage
/usr/local/bin/jenkins-agent

35
html.tpl
View File

@ -20,7 +20,6 @@
table, th, td {
border: 1px solid black;
border-collapse: collapse;
white-space: nowrap;
padding: .3em;
}
table {
@ -40,7 +39,7 @@
.severity-MEDIUM { background-color: #e9c60060; }
.severity-HIGH { background-color: #ff880060; }
.severity-CRITICAL { background-color: #e4000060; }
.severity-UNKNOWN { background-color: #74747460; }
.severity-UNKNOWN { background-color: #74747430; }
table tr td:first-of-type {
font-weight: bold;
}
@ -83,13 +82,11 @@
</script>
</head>
<body>
<h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding-right:10px";>
Trivy Report - {{ now | date "2006-01-02 15:04:05 -0700" }}</h1>
<table>
<tr><td colspan="7">
<h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding:10px;float:left";>
{{- escapeXML ( index . 0 ).Target }}<br/>Trivy Report - {{ now | date "2006-01-02 15:04:05 -0700" }}</h1>
</td></tr>
{{- range . }}
<tr class="group-header"><th colspan="7">{{ escapeXML .Target }} ({{ .Type | toString | escapeXML }})</th></tr>
<tr class="group-header"><th colspan="7">{{ escapeXML .Target }}({{ escapeXML .Type }})</th></tr>
{{- if (eq (len .Vulnerabilities) 0) }}
<tr><th colspan="7">No Vulnerabilities found</th></tr>
{{- else }}
@ -103,10 +100,10 @@
<th>Links</th>
</tr>
{{- range .Vulnerabilities }}
<tr class="severity-{{ escapeXML .Severity }}">
<tr class="severity-{{ escapeXML .Vulnerability.Severity }}">
<td class="pkg-name">{{ escapeXML .PkgName }}</td>
<td>{{ escapeXML .VulnerabilityID }}</td>
<td class="severity">{{ escapeXML .Severity }}</td>
<td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
<td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
<td>{{ escapeXML .FixedVersion }}</td>
<td>{{ escapeXML .Title }}</td>
@ -147,26 +144,6 @@
</tr>
{{- end }}
{{- end }}
{{- if (eq (len .Secrets) 0) }}
<tr><th colspan="7">No Secrets found</th></tr>
{{- else }}
<tr class="sub-header">
<th colspan="2">Rule ID</th>
<th>Severity</th>
<th>Category</th>
<th colspan="2">Title</th>
<th>Lines</th>
</tr>
{{- range .Secrets }}
<tr class="severity-{{ escapeXML .Severity }}">
<td colspan="2">{{ escapeXML .RuleID }}</td>
<td class="severity">{{ escapeXML .Severity }}</td>
<td>{{ .Category | toString | escapeXML }}</td>
<td colspan="2">{{ escapeXML .Title }}</td>
<td>{{ .StartLine | toString }} - {{ .EndLine | toString }}</td>
</tr>
{{- end }}
{{- end }}
{{- end }}
</table>
{{- else }}

17
junit.tpl
View File

@ -1,5 +1,5 @@
<?xml version="1.0" ?>
<testsuites name="trivy">
<testsuites>
{{- range . -}}
{{- $failures := len .Vulnerabilities }}
<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
@ -14,18 +14,5 @@
</testcase>
{{- end }}
</testsuite>
{{- $failures := len .Misconfigurations }}
<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
{{- if not (eq .Type "") }}
<properties>
<property name="type" value="{{ .Type }}"></property>
</properties>
{{- end -}}
{{ range .Misconfigurations }}
<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
<failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
</testcase>
{{- end }}
</testsuite>
{{- end }}
</testsuites>
</testsuites>

9
renovate.json
View File

@ -1,9 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
":label(renovate)",
":semanticCommits"
],
"prHourlyLimit": 0
}

276
report.html Normal file
View File

@ -0,0 +1,276 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style>
* {
font-family: Arial, Helvetica, sans-serif;
}
h1 {
text-align: center;
}
.group-header th {
font-size: 200%;
background-color: #E4E4E4;
}
.sub-header th {
font-size: 150%;
}
table, th, td {
border: 1px solid black;
border-collapse: collapse;
padding: .3em;
}
table {
margin: 0 auto;
}
.severity {
text-align: center;
font-weight: bold;
color: #fafafa;
}
.severity-LOW .severity { background-color: #5fbb31; }
.severity-MEDIUM .severity { background-color: #e9c600; }
.severity-HIGH .severity { background-color: #ff8800; }
.severity-CRITICAL .severity { background-color: #e40000; }
.severity-UNKNOWN .severity { background-color: #747474; }
.severity-LOW { background-color: #5fbb3160; }
.severity-MEDIUM { background-color: #e9c60060; }
.severity-HIGH { background-color: #ff880060; }
.severity-CRITICAL { background-color: #e4000060; }
.severity-UNKNOWN { background-color: #74747430; }
table tr td:first-of-type {
font-weight: bold;
}
.links a,
.links[data-more-links=on] a {
display: block;
}
.links[data-more-links=off] a:nth-of-type(1n+5) {
display: none;
}
a.toggle-more-links { cursor: pointer; }
</style>
<title>localhost/jenkins-podman:v0.2.4-3 (alpine 3.15.0) - Trivy Report - 2022-01-25T13:58:07.832142733Z</title>
<script>
window.onload = function() {
document.querySelectorAll('td.links').forEach(function(linkCell) {
var links = [].concat.apply([], linkCell.querySelectorAll('a'));
[].sort.apply(links, function(a, b) {
return a.href > b.href ? 1 : -1;
});
links.forEach(function(link, idx) {
if (links.length > 3 && 3 === idx) {
var toggleLink = document.createElement('a');
toggleLink.innerText = "Toggle more links";
toggleLink.href = "#toggleMore";
toggleLink.setAttribute("class", "toggle-more-links");
linkCell.appendChild(toggleLink);
}
linkCell.appendChild(link);
});
});
document.querySelectorAll('a.toggle-more-links').forEach(function(toggleLink) {
toggleLink.onclick = function() {
var expanded = toggleLink.parentElement.getAttribute("data-more-links");
toggleLink.parentElement.setAttribute("data-more-links", "on" === expanded ? "off" : "on");
return false;
};
});
};
</script>
</head>
<body>
<h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding-right:10px";>
Trivy Report - 2022-01-25T13:58:07.832152637Z</h1>
<table>
<tr class="group-header"><th colspan="7">localhost/jenkins-podman:v0.2.4-3 (alpine 3.15.0)(alpine)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">Java(jar)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/bin/buildah(gobinary)</th></tr>
<tr class="sub-header">
<th>Package</th>
<th>Vulnerability ID</th>
<th>Severity</th>
<th>Installed Version</th>
<th>Fixed Version</th>
<th>Title</th>
<th>Links</th>
</tr>
<tr class="severity-HIGH">
<td class="pkg-name">github.com/containerd/containerd</td>
<td>CVE-2021-41103</td>
<td class="severity">HIGH</td>
<td class="pkg-version">v1.5.5</td>
<td>v1.4.11, v1.5.7</td>
<td>containerd: insufficiently restricted permissions on container root and plugin directories</td>
<td class="links" data-more-links="off">
<a href="https://avd.aquasec.com/nvd/cve-2021-41103" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2021-41103</a>
</td>
</tr>
<tr class="severity-UNKNOWN">
<td class="pkg-name">github.com/opencontainers/image-spec</td>
<td>GMS-2021-101</td>
<td class="severity">UNKNOWN</td>
<td class="pkg-version">v1.0.2-0.20210819154149-5ad6f50d6283</td>
<td>1.0.2</td>
<td>Clarify `mediaType` handling</td>
<td class="links" data-more-links="off">
<a href="https://github.com/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/advisories/GHSA-77vh-xpmg-72qh</a>
<a href="https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m</a>
<a href="https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c</a>
<a href="https://github.com/opencontainers/image-spec/releases/tag/v1.0.2" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/releases/tag/v1.0.2</a>
<a href="https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh</a>
</td>
</tr>
<tr class="severity-UNKNOWN">
<td class="pkg-name">golang.org/x/text</td>
<td>CVE-2021-38561</td>
<td class="severity">UNKNOWN</td>
<td class="pkg-version">v0.3.6</td>
<td>0.3.7</td>
<td></td>
<td class="links" data-more-links="off">
<a href="https://avd.aquasec.com/nvd/cve-2021-38561" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2021-38561</a>
</td>
</tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/bin/git-lfs(gobinary)</th></tr>
<tr class="sub-header">
<th>Package</th>
<th>Vulnerability ID</th>
<th>Severity</th>
<th>Installed Version</th>
<th>Fixed Version</th>
<th>Title</th>
<th>Links</th>
</tr>
<tr class="severity-HIGH">
<td class="pkg-name">golang.org/x/crypto</td>
<td>CVE-2020-29652</td>
<td class="severity">HIGH</td>
<td class="pkg-version">v0.0.0-20201112155050-0c6587e931a9</td>
<td>v0.0.0-20201216223049-8b5274cf687f</td>
<td>golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference</td>
<td class="links" data-more-links="off">
<a href="https://avd.aquasec.com/nvd/cve-2020-29652" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2020-29652</a>
</td>
</tr>
<tr class="severity-UNKNOWN">
<td class="pkg-name">golang.org/x/text</td>
<td>CVE-2021-38561</td>
<td class="severity">UNKNOWN</td>
<td class="pkg-version">v0.3.5</td>
<td>0.3.7</td>
<td></td>
<td class="links" data-more-links="off">
<a href="https://avd.aquasec.com/nvd/cve-2021-38561" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2021-38561</a>
</td>
</tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/bin/podman(gobinary)</th></tr>
<tr class="sub-header">
<th>Package</th>
<th>Vulnerability ID</th>
<th>Severity</th>
<th>Installed Version</th>
<th>Fixed Version</th>
<th>Title</th>
<th>Links</th>
</tr>
<tr class="severity-UNKNOWN">
<td class="pkg-name">github.com/opencontainers/image-spec</td>
<td>GMS-2021-101</td>
<td class="severity">UNKNOWN</td>
<td class="pkg-version">v1.0.2-0.20210819154149-5ad6f50d6283</td>
<td>1.0.2</td>
<td>Clarify `mediaType` handling</td>
<td class="links" data-more-links="off">
<a href="https://github.com/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/advisories/GHSA-77vh-xpmg-72qh</a>
<a href="https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m</a>
<a href="https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c</a>
<a href="https://github.com/opencontainers/image-spec/releases/tag/v1.0.2" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/releases/tag/v1.0.2</a>
<a href="https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh</a>
</td>
</tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/bin/trivy(gobinary)</th></tr>
<tr class="sub-header">
<th>Package</th>
<th>Vulnerability ID</th>
<th>Severity</th>
<th>Installed Version</th>
<th>Fixed Version</th>
<th>Title</th>
<th>Links</th>
</tr>
<tr class="severity-UNKNOWN">
<td class="pkg-name">github.com/opencontainers/image-spec</td>
<td>GMS-2021-101</td>
<td class="severity">UNKNOWN</td>
<td class="pkg-version">v1.0.2-0.20190823105129-775207bd45b6</td>
<td>1.0.2</td>
<td>Clarify `mediaType` handling</td>
<td class="links" data-more-links="off">
<a href="https://github.com/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/advisories/GHSA-77vh-xpmg-72qh</a>
<a href="https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m</a>
<a href="https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c</a>
<a href="https://github.com/opencontainers/image-spec/releases/tag/v1.0.2" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/releases/tag/v1.0.2</a>
<a href="https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh</a>
</td>
</tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/bandwidth(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/bridge(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/dhcp(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/firewall(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/host-device(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/host-local(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/ipvlan(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/loopback(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/macvlan(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/portmap(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/ptp(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/sbr(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/static(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/tuning(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/vlan(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
<tr class="group-header"><th colspan="7">usr/libexec/cni/vrf(gobinary)</th></tr>
<tr><th colspan="7">No Vulnerabilities found</th></tr>
<tr><th colspan="7">No Misconfigurations found</th></tr>
</table>
</body>
</html>