Compare commits
69 Commits
Author | SHA1 | Date | |
---|---|---|---|
16dcaef4f7 | |||
2579cc7f00 | |||
5d782faa02 | |||
7bd5dc4093 | |||
33d242f69a | |||
f7fcfd53ad | |||
6de66df1a9 | |||
dbdc24fe53 | |||
bda8c643c6 | |||
4161f32529 | |||
d504595922 | |||
a270f8481e | |||
c7bc209fd8 | |||
1c02becff6 | |||
2a2081b01b | |||
ab32348082 | |||
aa92aa43c1 | |||
1ec7cd94e2 | |||
76d259c9fd | |||
7b7b2ca3b5 | |||
752977effe | |||
ab2f4423a1 | |||
0c3f7306d9 | |||
ddff588aa5 | |||
9485a52765 | |||
69b2522187 | |||
6c14bc7602 | |||
b0cadc63d0 | |||
677265037d | |||
dde944be55 | |||
5e8acc37e0 | |||
68020d36f8 | |||
0d605e2f80 | |||
d8b6e1daf9 | |||
205881747d | |||
3ce9d5497f | |||
c476640823 | |||
4fedfc9266 | |||
2edae95107 | |||
cfbf550484 | |||
25aeec5c58 | |||
a0d5ad8179 | |||
5b4fa361b0 | |||
143939ffee | |||
ac3c63e488 | |||
6f07c768f0 | |||
d175bf3e08 | |||
632076a98d | |||
d56b907116 | |||
ac7a5eec79 | |||
c25e2a4322 | |||
e6758a0e25 | |||
5fa1eb19c3 | |||
b953681901 | |||
21748adf93 | |||
9a3986e194 | |||
506127c306 | |||
11dc86109b | |||
73239a2249 | |||
604b1f8f11 | |||
5b99b9c135 | |||
cae7dfec2e | |||
f93b715dde | |||
43063d1ffa | |||
664f10daf2 | |||
8a0c8f66d5 | |||
c69ea98418 | |||
9d26711bc4 | |||
7a707c781a |
|
@ -2,6 +2,22 @@
|
||||||
|
|
||||||
Various toolchain bits and pieces shared between projects
|
Various toolchain bits and pieces shared between projects
|
||||||
|
|
||||||
|
# Quickstart
|
||||||
|
Create top-level Makefile
|
||||||
|
```
|
||||||
|
REGISTRY := <your-registry>
|
||||||
|
IMAGE := <image_name>
|
||||||
|
REGION := <AWS region of your registry>
|
||||||
|
|
||||||
|
include .ci/podman.mk
|
||||||
|
```
|
||||||
|
|
||||||
|
Add subtree to your project:
|
||||||
|
```
|
||||||
|
git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Jenkins
|
## Jenkins
|
||||||
Shared groovy libraries
|
Shared groovy libraries
|
||||||
|
|
||||||
|
|
63
.ci/ecr_public_lifecycle.py
Executable file
63
.ci/ecr_public_lifecycle.py
Executable file
|
@ -0,0 +1,63 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
import argparse
|
||||||
|
import boto3
|
||||||
|
|
||||||
|
parser = argparse.ArgumentParser(
|
||||||
|
description='Implement basic public ECR lifecycle policy')
|
||||||
|
parser.add_argument('--repo', dest='repositoryName', action='store', required=True,
|
||||||
|
help='Name of the public ECR repository')
|
||||||
|
parser.add_argument('--keep', dest='keep', action='store', default=10, type=int,
|
||||||
|
help='number of tagged images to keep, default 10')
|
||||||
|
parser.add_argument('--dev', dest='delete_dev', action='store_true',
|
||||||
|
help='also delete in-development images only having tags like v0.1.1-commitNr-githash')
|
||||||
|
|
||||||
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
client = boto3.client('ecr-public', region_name='us-east-1')
|
||||||
|
|
||||||
|
images = client.describe_images(repositoryName=args.repositoryName)[
|
||||||
|
"imageDetails"]
|
||||||
|
|
||||||
|
untagged = []
|
||||||
|
kept = 0
|
||||||
|
|
||||||
|
# actual Image
|
||||||
|
# imageManifestMediaType: 'application/vnd.oci.image.manifest.v1+json'
|
||||||
|
# image Index
|
||||||
|
# imageManifestMediaType: 'application/vnd.oci.image.index.v1+json'
|
||||||
|
|
||||||
|
# Sort by date uploaded
|
||||||
|
for image in sorted(images, key=lambda d: d['imagePushedAt'], reverse=True):
|
||||||
|
# Remove all untagged
|
||||||
|
# if registry uses image index all actual images will be untagged anyways
|
||||||
|
if 'imageTags' not in image:
|
||||||
|
untagged.append({"imageDigest": image['imageDigest']})
|
||||||
|
# print("Delete untagged image {}".format(image["imageDigest"]))
|
||||||
|
continue
|
||||||
|
|
||||||
|
# check for dev tags
|
||||||
|
if args.delete_dev:
|
||||||
|
_delete = True
|
||||||
|
for tag in image["imageTags"]:
|
||||||
|
# Look for at least one tag NOT beign a SemVer dev tag
|
||||||
|
if "-" not in tag:
|
||||||
|
_delete = False
|
||||||
|
if _delete:
|
||||||
|
print("Deleting development image {}".format(image["imageTags"]))
|
||||||
|
untagged.append({"imageDigest": image['imageDigest']})
|
||||||
|
continue
|
||||||
|
|
||||||
|
if kept < args.keep:
|
||||||
|
kept = kept+1
|
||||||
|
print("Keeping tagged image {}".format(image["imageTags"]))
|
||||||
|
continue
|
||||||
|
else:
|
||||||
|
print("Deleting tagged image {}".format(image["imageTags"]))
|
||||||
|
untagged.append({"imageDigest": image['imageDigest']})
|
||||||
|
|
||||||
|
deleted_images = client.batch_delete_image(
|
||||||
|
repositoryName=args.repositoryName, imageIds=untagged)
|
||||||
|
|
||||||
|
if deleted_images["imageIds"]:
|
||||||
|
print("Deleted images: {}".format(deleted_images["imageIds"]))
|
107
.ci/podman.mk
107
.ci/podman.mk
|
@ -1,55 +1,84 @@
|
||||||
# Parse version from latest git semver tag
|
# Parse version from latest git semver tag
|
||||||
GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
|
GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
|
||||||
TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
|
GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
|
||||||
|
|
||||||
ifeq ($(TRIVY_REMOTE),)
|
TAG ::= $(GIT_TAG)
|
||||||
TRIVY_OPTS := image
|
# append branch name to tag if NOT main nor master
|
||||||
else
|
ifeq (,$(filter main master, $(GIT_BRANCH)))
|
||||||
TRIVY_OPTS := client --remote ${TRIVY_REMOTE}
|
# If branch is substring of tag, omit branch name
|
||||||
|
ifeq ($(findstring $(GIT_BRANCH), $(GIT_TAG)),)
|
||||||
|
# only append branch name if not equal tag
|
||||||
|
ifneq ($(GIT_TAG), $(GIT_BRANCH))
|
||||||
|
# Sanitize GIT_BRANCH to allowed Docker tag character set
|
||||||
|
TAG = $(GIT_TAG)-$(shell echo $$GIT_BRANCH | sed -e 's/[^a-zA-Z0-9]/-/g')
|
||||||
|
endif
|
||||||
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
.PHONY: build test scan push clean
|
ARCH ::= amd64
|
||||||
|
ALL_ARCHS ::= amd64 arm64
|
||||||
|
_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
|
||||||
|
|
||||||
all: test
|
ifneq ($(TRIVY_REMOTE),)
|
||||||
|
TRIVY_OPTS ::= --server $(TRIVY_REMOTE)
|
||||||
|
endif
|
||||||
|
|
||||||
|
.SILENT: ; # no need for @
|
||||||
|
.ONESHELL: ; # recipes execute in same shell
|
||||||
|
.NOTPARALLEL: ; # wait for this target to finish
|
||||||
|
.EXPORT_ALL_VARIABLES: ; # send all vars to shell
|
||||||
|
.PHONY: all # All targets are accessible for user
|
||||||
|
.DEFAULT: help # Running Make will run the help target
|
||||||
|
|
||||||
build:
|
help: ## Show Help
|
||||||
@docker image exists $(IMAGE):$(TAG) || \
|
grep -E '^[a-zA-Z_-]+:.*?## .*$$' .ci/podman.mk | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
|
||||||
docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
|
|
||||||
|
|
||||||
test: build rm-test-image
|
prepare:: ## custom step on the build agent before building
|
||||||
@test -f Dockerfile.test && \
|
|
||||||
docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test . || \
|
|
||||||
echo "No Dockerfile.test found, skipping test"
|
|
||||||
|
|
||||||
scan: build
|
fmt:: ## auto format source
|
||||||
@echo "Scanning $(IMAGE):$(TAG) using Trivy"
|
|
||||||
@trivy $(TRIVY_OPTS) $(IMAGE):$(TAG)
|
|
||||||
|
|
||||||
push: build
|
lint:: ## Lint source
|
||||||
@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
|
|
||||||
@docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest
|
|
||||||
docker push $(REGISTRY)/$(IMAGE):$(TAG)
|
|
||||||
docker push $(REGISTRY)/$(IMAGE):latest
|
|
||||||
|
|
||||||
clean: rm-test-image rm-image
|
build: ## Build the app
|
||||||
|
buildah build --rm --layers -t $(IMAGE):$(TAG)-$(_ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(_ARCH) --platform linux/$(_ARCH) .
|
||||||
|
|
||||||
# Delete all untagged images
|
test:: ## test built artificats
|
||||||
.PHONY: rm-remote-untagged
|
|
||||||
rm-remote-untagged:
|
scan: ## Scan image using trivy
|
||||||
@echo "Removing all untagged images from $(IMAGE) in $(REGION)"
|
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
|
||||||
@aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
|
trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
|
||||||
|
|
||||||
|
# first tag and push all actual images
|
||||||
|
# create new manifest for each tag and add all available TAG-ARCH before pushing
|
||||||
|
push: ecr-login ## push images to registry
|
||||||
|
for t in $(TAG) latest $(EXTRA_TAGS); do \
|
||||||
|
echo "Tagging image with $(REGISTRY)/$(IMAGE):$${t}-$(ARCH)"
|
||||||
|
buildah tag $(IMAGE):$(TAG)-$(_ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(_ARCH); \
|
||||||
|
buildah manifest rm $(IMAGE):$$t || true; \
|
||||||
|
buildah manifest create $(IMAGE):$$t; \
|
||||||
|
for a in $(ALL_ARCHS); do \
|
||||||
|
buildah manifest add $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$(TAG)-$$a; \
|
||||||
|
done; \
|
||||||
|
echo "Pushing manifest $(IMAGE):$$t"
|
||||||
|
buildah manifest push --all $(IMAGE):$$t docker://$(REGISTRY)/$(IMAGE):$$t; \
|
||||||
|
done
|
||||||
|
|
||||||
|
ecr-login: ## log into AWS ECR public
|
||||||
|
aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
|
||||||
|
|
||||||
|
rm-remote-untagged: ## delete all remote untagged and in-dev images, keep 10 tagged
|
||||||
|
echo "Removing all untagged and in-dev images from $(IMAGE) in $(REGION)"
|
||||||
|
.ci/ecr_public_lifecycle.py --repo $(IMAGE) --dev
|
||||||
|
|
||||||
|
clean:: ## clean up source folder
|
||||||
|
|
||||||
.PHONY: rm-image
|
|
||||||
rm-image:
|
rm-image:
|
||||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || docker image rm -f $(IMAGE):$(TAG) > /dev/null
|
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH) > /dev/null
|
||||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || echo "Error: Removing image failed"
|
test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || echo "Error: Removing image failed"
|
||||||
|
|
||||||
# Ensure we run the tests by removing any previous runs
|
## some useful tasks during development
|
||||||
.PHONY: rm-test-image
|
ci-pull-upstream: ## pull latest shared .ci subtree
|
||||||
rm-test-image:
|
git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
|
||||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null
|
|
||||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed"
|
|
||||||
|
|
||||||
.DEFAULT:
|
create-repo: ## create new AWS ECR public repository
|
||||||
@echo "$@ not implemented. NOOP"
|
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
|
||||||
|
|
|
@ -2,24 +2,33 @@
|
||||||
|
|
||||||
def call(Map config=[:]) {
|
def call(Map config=[:]) {
|
||||||
pipeline {
|
pipeline {
|
||||||
|
options {
|
||||||
|
disableConcurrentBuilds()
|
||||||
|
}
|
||||||
agent {
|
agent {
|
||||||
node {
|
node {
|
||||||
label 'podman-aws-trivy'
|
label 'podman-aws-trivy'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
stages {
|
stages {
|
||||||
stage('Prepare') {
|
stage('Prepare') {
|
||||||
// get tags
|
|
||||||
steps {
|
steps {
|
||||||
sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
|
sh 'mkdir -p reports'
|
||||||
|
|
||||||
|
// we set pull tags as project adv. options
|
||||||
|
// pull tags
|
||||||
|
//withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
||||||
|
// sh 'git fetch -q --tags ${GIT_URL}'
|
||||||
|
//}
|
||||||
|
// Optional project specific preparations
|
||||||
|
sh 'make prepare'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Build using rootless podman
|
// Build using rootless podman
|
||||||
stage('Build') {
|
stage('Build') {
|
||||||
steps {
|
steps {
|
||||||
sh 'make build'
|
sh 'make build GIT_BRANCH=$GIT_BRANCH'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -31,13 +40,13 @@ def call(Map config=[:]) {
|
||||||
|
|
||||||
// Scan via trivy
|
// Scan via trivy
|
||||||
stage('Scan') {
|
stage('Scan') {
|
||||||
environment {
|
|
||||||
TRIVY_FORMAT = "template"
|
|
||||||
TRIVY_OUTPUT = "reports/trivy.html"
|
|
||||||
}
|
|
||||||
steps {
|
steps {
|
||||||
sh 'mkdir -p reports'
|
// we always scan and create the full json report
|
||||||
sh 'make scan'
|
sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
|
||||||
|
|
||||||
|
// render custom full html report
|
||||||
|
sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
|
||||||
|
|
||||||
publishHTML target: [
|
publishHTML target: [
|
||||||
allowMissing: true,
|
allowMissing: true,
|
||||||
alwaysLinkToLastBuild: true,
|
alwaysLinkToLastBuild: true,
|
||||||
|
@ -47,19 +56,33 @@ def call(Map config=[:]) {
|
||||||
reportName: 'TrivyScan',
|
reportName: 'TrivyScan',
|
||||||
reportTitles: 'TrivyScan'
|
reportTitles: 'TrivyScan'
|
||||||
]
|
]
|
||||||
|
sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
|
||||||
|
|
||||||
// Scan again and fail on CRITICAL vulns
|
// fail build if issues found above trivy threshold
|
||||||
sh "[ \"${config.trivyFail}\" == \"NONE\" ] || TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
|
script {
|
||||||
|
if ( config.trivyFail ) {
|
||||||
|
sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Push to ECR
|
// Push to container registry if not PR
|
||||||
|
// incl. basic registry retention removing any untagged images
|
||||||
stage('Push') {
|
stage('Push') {
|
||||||
|
when { not { changeRequest() } }
|
||||||
steps {
|
steps {
|
||||||
sh 'make push'
|
sh 'make push'
|
||||||
|
sh 'make rm-remote-untagged'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// generic clean
|
||||||
|
stage('cleanup') {
|
||||||
|
steps {
|
||||||
|
sh 'make clean'
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
||||||
|
report.html
|
71
Dockerfile
71
Dockerfile
|
@ -1,56 +1,55 @@
|
||||||
# https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile
|
# https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile
|
||||||
|
# https://hub.docker.com/r/jenkins/inbound-agent/tags
|
||||||
|
|
||||||
ARG BASE="4.13-2-alpine-jdk17-preview"
|
|
||||||
|
|
||||||
FROM jenkins/inbound-agent:${BASE}
|
FROM jenkins/inbound-agent:alpine-jdk21@sha256:a7e633f06d8a1af720e30cd5421b8ba58230ec34af250a07d61cba0df88c587b
|
||||||
|
|
||||||
ARG USER=jenkins
|
ARG BUILDUSER=jenkins
|
||||||
|
|
||||||
USER root
|
USER root
|
||||||
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
|
RUN echo "@edge-testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
|
||||||
&& apk upgrade -U --available --no-cache \
|
apk upgrade -U --available --no-cache && \
|
||||||
&& apk add --no-cache \
|
apk add --no-cache \
|
||||||
tini \
|
tini \
|
||||||
make \
|
make \
|
||||||
yq \
|
jq \
|
||||||
strace \
|
yq \
|
||||||
fuse-overlayfs \
|
strace \
|
||||||
podman \
|
fuse-overlayfs \
|
||||||
buildah \
|
podman \
|
||||||
aws-cli \
|
buildah \
|
||||||
trivy
|
py-boto3 \
|
||||||
|
aws-cli \
|
||||||
|
trivy@edge-testing
|
||||||
|
|
||||||
# Trivy html template
|
# Trivy html template
|
||||||
ADD --chown=jenkins:jenkins html.tpl /home/jenkins
|
ADD --chown=$BUILDUSER:$BUILDUSER html.tpl /home/$BUILDUSER
|
||||||
|
|
||||||
# Rootless podman
|
# Rootless podman
|
||||||
RUN mkdir -p /home/$USER/.local/share/containers && \
|
RUN mkdir -p /home/$BUILDUSER/.config/containers
|
||||||
chown $USER:$USER -R /home/$USER
|
|
||||||
|
|
||||||
ADD conf/containers.conf conf/registries.conf conf/storage.conf /etc/containers/
|
ADD entrypoint.sh /usr/local/bin/entrypoint.sh
|
||||||
ADD --chown=$USER:$USER conf/podman-containers.conf /home/$USER/.config/containers/containers.conf
|
# conf/registries.conf will be mounted RO at runtime to inherit worker settings incl. caching proxies
|
||||||
|
ADD --chown=$BUILDUSER:$BUILDUSER conf/containers.conf conf/storage.conf /home/$BUILDUSER/.config/containers
|
||||||
|
|
||||||
RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers \
|
RUN echo -e "$BUILDUSER:100000:65535" > /etc/subuid && \
|
||||||
/var/lib/shared/vfs-images /var/lib/shared/vfs-layers && \
|
echo -e "$BUILDUSER:100000:65535" > /etc/subgid && \
|
||||||
touch /var/lib/shared/overlay-images/images.lock /var/lib/shared/overlay-layers/layers.lock \
|
cd /usr/bin && ln -s podman docker && \
|
||||||
/var/lib/shared/vfs-images/images.lock /var/lib/shared/vfs-layers/layers.lock && \
|
chown $BUILDUSER:$BUILDUSER -R /home/$BUILDUSER
|
||||||
mkdir /tmp/podman-run-1000 && chown $USER:$USER /tmp/podman-run-1000 && chmod 700 /tmp/podman-run-1000 && \
|
|
||||||
echo -e "$USER:1:999\n$USER:1001:64535" > /etc/subuid && \
|
|
||||||
echo -e "$USER:1:999\n$USER:1001:64535" > /etc/subgid && \
|
|
||||||
mkdir /workspace && \
|
|
||||||
cd /usr/bin && ln -s podman docker
|
|
||||||
|
|
||||||
# Patch jenkins-agent to launch podman service
|
# Patch jenkins-agent to launch podman service
|
||||||
RUN sed -i -e 's/exec \$JAVA_BIN/podman system service -t0\&\n exec \$JAVA_BIN/' /usr/local/bin/jenkins-agent
|
RUN sed -i -e 's/exec \$JAVA_BIN/podman system service -t0\&\n exec \$JAVA_BIN/' /usr/local/bin/jenkins-agent
|
||||||
|
|
||||||
ENV XDG_RUNTIME_DIR=/tmp/podman-run-1000
|
ENV XDG_RUNTIME_DIR=/home/$BUILDUSER/agent/xdg-run
|
||||||
ENV _CONTAINERS_USERNS_CONFIGURED=""
|
ENV XDG_CONFIG_HOME=/home/$BUILDUSER/.config
|
||||||
|
|
||||||
ENV BUILDAH_ISOLATION=chroot
|
ENV BUILDAH_ISOLATION=chroot
|
||||||
ENV TRIVY_TEMPLATE="@/home/jenkins/html.tpl"
|
ENV _CONTAINERS_USERNS_CONFIGURED=""
|
||||||
|
|
||||||
USER jenkins
|
# Until we setup the logging and metrics pipelines in OTEL
|
||||||
|
ENV OTEL_LOGS_EXPORTER=none
|
||||||
|
ENV OTEL_METRICS_EXPORTER=none
|
||||||
|
|
||||||
# Allow container layers to be stored in PVCs
|
USER $BUILDUSER
|
||||||
VOLUME /home/jenkins/.local/share/containers
|
|
||||||
|
|
||||||
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/jenkins-agent"]
|
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"]
|
||||||
|
|
2
Jenkinsfile
vendored
2
Jenkinsfile
vendored
|
@ -2,4 +2,4 @@ library identifier: 'zdt-lib@master', retriever: modernSCM(
|
||||||
[$class: 'GitSCMSource',
|
[$class: 'GitSCMSource',
|
||||||
remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git'])
|
remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git'])
|
||||||
|
|
||||||
buildPodman name: 'jenkins-podman', trivyFail: 'NONE'
|
buildPodman name: 'jenkins-podman'
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
# jenkins-podman
|
# jenkins-podman
|
||||||
|
Podman / buildah Jenkins agent.
|
||||||
|
|
||||||
Public Repo: https://gallery.ecr.aws/zero-downtime/jenkins-podman
|
Public Repo: https://gallery.ecr.aws/zero-downtime/jenkins-podman
|
||||||
|
|
||||||
# Resources
|
# Resources
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
[containers]
|
[containers]
|
||||||
|
volumes = [ "/proc:/proc" ]
|
||||||
netns="host"
|
netns="host"
|
||||||
userns="host"
|
userns="host"
|
||||||
ipcns="host"
|
ipcns="host"
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
[containers]
|
|
||||||
volumes = [
|
|
||||||
"/proc:/proc",
|
|
||||||
]
|
|
|
@ -1,2 +0,0 @@
|
||||||
# Note that changing the order here may break lazy devs Dockerfile
|
|
||||||
unqualified-search-registries = [ "gcr.io", "quay.io", "docker.io", "registry.fedoraproject.org"]
|
|
|
@ -1,14 +1,4 @@
|
||||||
[storage]
|
[storage]
|
||||||
driver = "overlay"
|
driver = "overlay"
|
||||||
runroot = "/run/containers/storage"
|
runroot = "/home/jenkins/agent/containers/run"
|
||||||
graphroot = "/var/lib/containers/storage"
|
graphroot = "/home/jenkins/agent/containers/storage"
|
||||||
|
|
||||||
[storage.options]
|
|
||||||
additionalimagestores = [
|
|
||||||
"/var/lib/shared",
|
|
||||||
]
|
|
||||||
|
|
||||||
[storage.options.overlay]
|
|
||||||
mount_program = "/usr/bin/fuse-overlayfs"
|
|
||||||
mountopt = "nodev,fsync=0"
|
|
||||||
[storage.options.thinpool]
|
|
||||||
|
|
4
entrypoint.sh
Executable file
4
entrypoint.sh
Executable file
|
@ -0,0 +1,4 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
mkdir -p $HOME/xdg-run $HOME/containers/run $HOME/containers/storage
|
||||||
|
/usr/local/bin/jenkins-agent
|
35
html.tpl
35
html.tpl
|
@ -20,6 +20,7 @@
|
||||||
table, th, td {
|
table, th, td {
|
||||||
border: 1px solid black;
|
border: 1px solid black;
|
||||||
border-collapse: collapse;
|
border-collapse: collapse;
|
||||||
|
white-space: nowrap;
|
||||||
padding: .3em;
|
padding: .3em;
|
||||||
}
|
}
|
||||||
table {
|
table {
|
||||||
|
@ -39,7 +40,7 @@
|
||||||
.severity-MEDIUM { background-color: #e9c60060; }
|
.severity-MEDIUM { background-color: #e9c60060; }
|
||||||
.severity-HIGH { background-color: #ff880060; }
|
.severity-HIGH { background-color: #ff880060; }
|
||||||
.severity-CRITICAL { background-color: #e4000060; }
|
.severity-CRITICAL { background-color: #e4000060; }
|
||||||
.severity-UNKNOWN { background-color: #74747430; }
|
.severity-UNKNOWN { background-color: #74747460; }
|
||||||
table tr td:first-of-type {
|
table tr td:first-of-type {
|
||||||
font-weight: bold;
|
font-weight: bold;
|
||||||
}
|
}
|
||||||
|
@ -82,11 +83,13 @@
|
||||||
</script>
|
</script>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
<h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding-right:10px";>
|
|
||||||
Trivy Report - {{ now | date "2006-01-02 15:04:05 -0700" }}</h1>
|
|
||||||
<table>
|
<table>
|
||||||
|
<tr><td colspan="7">
|
||||||
|
<h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding:10px;float:left";>
|
||||||
|
{{- escapeXML ( index . 0 ).Target }}<br/>Trivy Report - {{ now | date "2006-01-02 15:04:05 -0700" }}</h1>
|
||||||
|
</td></tr>
|
||||||
{{- range . }}
|
{{- range . }}
|
||||||
<tr class="group-header"><th colspan="7">{{ escapeXML .Target }}({{ escapeXML .Type }})</th></tr>
|
<tr class="group-header"><th colspan="7">{{ escapeXML .Target }} ({{ .Type | toString | escapeXML }})</th></tr>
|
||||||
{{- if (eq (len .Vulnerabilities) 0) }}
|
{{- if (eq (len .Vulnerabilities) 0) }}
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
||||||
{{- else }}
|
{{- else }}
|
||||||
|
@ -100,10 +103,10 @@
|
||||||
<th>Links</th>
|
<th>Links</th>
|
||||||
</tr>
|
</tr>
|
||||||
{{- range .Vulnerabilities }}
|
{{- range .Vulnerabilities }}
|
||||||
<tr class="severity-{{ escapeXML .Vulnerability.Severity }}">
|
<tr class="severity-{{ escapeXML .Severity }}">
|
||||||
<td class="pkg-name">{{ escapeXML .PkgName }}</td>
|
<td class="pkg-name">{{ escapeXML .PkgName }}</td>
|
||||||
<td>{{ escapeXML .VulnerabilityID }}</td>
|
<td>{{ escapeXML .VulnerabilityID }}</td>
|
||||||
<td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
|
<td class="severity">{{ escapeXML .Severity }}</td>
|
||||||
<td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
|
<td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
|
||||||
<td>{{ escapeXML .FixedVersion }}</td>
|
<td>{{ escapeXML .FixedVersion }}</td>
|
||||||
<td>{{ escapeXML .Title }}</td>
|
<td>{{ escapeXML .Title }}</td>
|
||||||
|
@ -144,6 +147,26 @@
|
||||||
</tr>
|
</tr>
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if (eq (len .Secrets) 0) }}
|
||||||
|
<tr><th colspan="7">No Secrets found</th></tr>
|
||||||
|
{{- else }}
|
||||||
|
<tr class="sub-header">
|
||||||
|
<th colspan="2">Rule ID</th>
|
||||||
|
<th>Severity</th>
|
||||||
|
<th>Category</th>
|
||||||
|
<th colspan="2">Title</th>
|
||||||
|
<th>Lines</th>
|
||||||
|
</tr>
|
||||||
|
{{- range .Secrets }}
|
||||||
|
<tr class="severity-{{ escapeXML .Severity }}">
|
||||||
|
<td colspan="2">{{ escapeXML .RuleID }}</td>
|
||||||
|
<td class="severity">{{ escapeXML .Severity }}</td>
|
||||||
|
<td>{{ .Category | toString | escapeXML }}</td>
|
||||||
|
<td colspan="2">{{ escapeXML .Title }}</td>
|
||||||
|
<td>{{ .StartLine | toString }} - {{ .EndLine | toString }}</td>
|
||||||
|
</tr>
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
</table>
|
</table>
|
||||||
{{- else }}
|
{{- else }}
|
||||||
|
|
17
junit.tpl
17
junit.tpl
|
@ -1,5 +1,5 @@
|
||||||
<?xml version="1.0" ?>
|
<?xml version="1.0" ?>
|
||||||
<testsuites>
|
<testsuites name="trivy">
|
||||||
{{- range . -}}
|
{{- range . -}}
|
||||||
{{- $failures := len .Vulnerabilities }}
|
{{- $failures := len .Vulnerabilities }}
|
||||||
<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
|
<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
|
||||||
|
@ -14,5 +14,18 @@
|
||||||
</testcase>
|
</testcase>
|
||||||
{{- end }}
|
{{- end }}
|
||||||
</testsuite>
|
</testsuite>
|
||||||
|
{{- $failures := len .Misconfigurations }}
|
||||||
|
<testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
|
||||||
|
{{- if not (eq .Type "") }}
|
||||||
|
<properties>
|
||||||
|
<property name="type" value="{{ .Type }}"></property>
|
||||||
|
</properties>
|
||||||
|
{{- end -}}
|
||||||
|
{{ range .Misconfigurations }}
|
||||||
|
<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
|
||||||
|
<failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
|
||||||
|
</testcase>
|
||||||
|
{{- end }}
|
||||||
|
</testsuite>
|
||||||
{{- end }}
|
{{- end }}
|
||||||
</testsuites>
|
</testsuites>
|
||||||
|
|
9
renovate.json
Normal file
9
renovate.json
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||||
|
"extends": [
|
||||||
|
"config:recommended",
|
||||||
|
":label(renovate)",
|
||||||
|
":semanticCommits"
|
||||||
|
],
|
||||||
|
"prHourlyLimit": 0
|
||||||
|
}
|
276
report.html
276
report.html
|
@ -1,276 +0,0 @@
|
||||||
<!DOCTYPE html>
|
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
|
||||||
<style>
|
|
||||||
* {
|
|
||||||
font-family: Arial, Helvetica, sans-serif;
|
|
||||||
}
|
|
||||||
h1 {
|
|
||||||
text-align: center;
|
|
||||||
}
|
|
||||||
.group-header th {
|
|
||||||
font-size: 200%;
|
|
||||||
background-color: #E4E4E4;
|
|
||||||
}
|
|
||||||
.sub-header th {
|
|
||||||
font-size: 150%;
|
|
||||||
}
|
|
||||||
table, th, td {
|
|
||||||
border: 1px solid black;
|
|
||||||
border-collapse: collapse;
|
|
||||||
padding: .3em;
|
|
||||||
}
|
|
||||||
table {
|
|
||||||
margin: 0 auto;
|
|
||||||
}
|
|
||||||
.severity {
|
|
||||||
text-align: center;
|
|
||||||
font-weight: bold;
|
|
||||||
color: #fafafa;
|
|
||||||
}
|
|
||||||
.severity-LOW .severity { background-color: #5fbb31; }
|
|
||||||
.severity-MEDIUM .severity { background-color: #e9c600; }
|
|
||||||
.severity-HIGH .severity { background-color: #ff8800; }
|
|
||||||
.severity-CRITICAL .severity { background-color: #e40000; }
|
|
||||||
.severity-UNKNOWN .severity { background-color: #747474; }
|
|
||||||
.severity-LOW { background-color: #5fbb3160; }
|
|
||||||
.severity-MEDIUM { background-color: #e9c60060; }
|
|
||||||
.severity-HIGH { background-color: #ff880060; }
|
|
||||||
.severity-CRITICAL { background-color: #e4000060; }
|
|
||||||
.severity-UNKNOWN { background-color: #74747430; }
|
|
||||||
table tr td:first-of-type {
|
|
||||||
font-weight: bold;
|
|
||||||
}
|
|
||||||
.links a,
|
|
||||||
.links[data-more-links=on] a {
|
|
||||||
display: block;
|
|
||||||
}
|
|
||||||
.links[data-more-links=off] a:nth-of-type(1n+5) {
|
|
||||||
display: none;
|
|
||||||
}
|
|
||||||
a.toggle-more-links { cursor: pointer; }
|
|
||||||
</style>
|
|
||||||
<title>localhost/jenkins-podman:v0.2.4-3 (alpine 3.15.0) - Trivy Report - 2022-01-25T13:58:07.832142733Z</title>
|
|
||||||
<script>
|
|
||||||
window.onload = function() {
|
|
||||||
document.querySelectorAll('td.links').forEach(function(linkCell) {
|
|
||||||
var links = [].concat.apply([], linkCell.querySelectorAll('a'));
|
|
||||||
[].sort.apply(links, function(a, b) {
|
|
||||||
return a.href > b.href ? 1 : -1;
|
|
||||||
});
|
|
||||||
links.forEach(function(link, idx) {
|
|
||||||
if (links.length > 3 && 3 === idx) {
|
|
||||||
var toggleLink = document.createElement('a');
|
|
||||||
toggleLink.innerText = "Toggle more links";
|
|
||||||
toggleLink.href = "#toggleMore";
|
|
||||||
toggleLink.setAttribute("class", "toggle-more-links");
|
|
||||||
linkCell.appendChild(toggleLink);
|
|
||||||
}
|
|
||||||
linkCell.appendChild(link);
|
|
||||||
});
|
|
||||||
});
|
|
||||||
document.querySelectorAll('a.toggle-more-links').forEach(function(toggleLink) {
|
|
||||||
toggleLink.onclick = function() {
|
|
||||||
var expanded = toggleLink.parentElement.getAttribute("data-more-links");
|
|
||||||
toggleLink.parentElement.setAttribute("data-more-links", "on" === expanded ? "off" : "on");
|
|
||||||
return false;
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
|
||||||
</script>
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
<h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding-right:10px";>
|
|
||||||
Trivy Report - 2022-01-25T13:58:07.832152637Z</h1>
|
|
||||||
<table>
|
|
||||||
<tr class="group-header"><th colspan="7">localhost/jenkins-podman:v0.2.4-3 (alpine 3.15.0)(alpine)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">Java(jar)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/bin/buildah(gobinary)</th></tr>
|
|
||||||
<tr class="sub-header">
|
|
||||||
<th>Package</th>
|
|
||||||
<th>Vulnerability ID</th>
|
|
||||||
<th>Severity</th>
|
|
||||||
<th>Installed Version</th>
|
|
||||||
<th>Fixed Version</th>
|
|
||||||
<th>Title</th>
|
|
||||||
<th>Links</th>
|
|
||||||
</tr>
|
|
||||||
<tr class="severity-HIGH">
|
|
||||||
<td class="pkg-name">github.com/containerd/containerd</td>
|
|
||||||
<td>CVE-2021-41103</td>
|
|
||||||
<td class="severity">HIGH</td>
|
|
||||||
<td class="pkg-version">v1.5.5</td>
|
|
||||||
<td>v1.4.11, v1.5.7</td>
|
|
||||||
<td>containerd: insufficiently restricted permissions on container root and plugin directories</td>
|
|
||||||
<td class="links" data-more-links="off">
|
|
||||||
<a href="https://avd.aquasec.com/nvd/cve-2021-41103" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2021-41103</a>
|
|
||||||
</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="severity-UNKNOWN">
|
|
||||||
<td class="pkg-name">github.com/opencontainers/image-spec</td>
|
|
||||||
<td>GMS-2021-101</td>
|
|
||||||
<td class="severity">UNKNOWN</td>
|
|
||||||
<td class="pkg-version">v1.0.2-0.20210819154149-5ad6f50d6283</td>
|
|
||||||
<td>1.0.2</td>
|
|
||||||
<td>Clarify `mediaType` handling</td>
|
|
||||||
<td class="links" data-more-links="off">
|
|
||||||
<a href="https://github.com/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/advisories/GHSA-77vh-xpmg-72qh</a>
|
|
||||||
<a href="https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m</a>
|
|
||||||
<a href="https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c</a>
|
|
||||||
<a href="https://github.com/opencontainers/image-spec/releases/tag/v1.0.2" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/releases/tag/v1.0.2</a>
|
|
||||||
<a href="https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh</a>
|
|
||||||
</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="severity-UNKNOWN">
|
|
||||||
<td class="pkg-name">golang.org/x/text</td>
|
|
||||||
<td>CVE-2021-38561</td>
|
|
||||||
<td class="severity">UNKNOWN</td>
|
|
||||||
<td class="pkg-version">v0.3.6</td>
|
|
||||||
<td>0.3.7</td>
|
|
||||||
<td></td>
|
|
||||||
<td class="links" data-more-links="off">
|
|
||||||
<a href="https://avd.aquasec.com/nvd/cve-2021-38561" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2021-38561</a>
|
|
||||||
</td>
|
|
||||||
</tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/bin/git-lfs(gobinary)</th></tr>
|
|
||||||
<tr class="sub-header">
|
|
||||||
<th>Package</th>
|
|
||||||
<th>Vulnerability ID</th>
|
|
||||||
<th>Severity</th>
|
|
||||||
<th>Installed Version</th>
|
|
||||||
<th>Fixed Version</th>
|
|
||||||
<th>Title</th>
|
|
||||||
<th>Links</th>
|
|
||||||
</tr>
|
|
||||||
<tr class="severity-HIGH">
|
|
||||||
<td class="pkg-name">golang.org/x/crypto</td>
|
|
||||||
<td>CVE-2020-29652</td>
|
|
||||||
<td class="severity">HIGH</td>
|
|
||||||
<td class="pkg-version">v0.0.0-20201112155050-0c6587e931a9</td>
|
|
||||||
<td>v0.0.0-20201216223049-8b5274cf687f</td>
|
|
||||||
<td>golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference</td>
|
|
||||||
<td class="links" data-more-links="off">
|
|
||||||
<a href="https://avd.aquasec.com/nvd/cve-2020-29652" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2020-29652</a>
|
|
||||||
</td>
|
|
||||||
</tr>
|
|
||||||
<tr class="severity-UNKNOWN">
|
|
||||||
<td class="pkg-name">golang.org/x/text</td>
|
|
||||||
<td>CVE-2021-38561</td>
|
|
||||||
<td class="severity">UNKNOWN</td>
|
|
||||||
<td class="pkg-version">v0.3.5</td>
|
|
||||||
<td>0.3.7</td>
|
|
||||||
<td></td>
|
|
||||||
<td class="links" data-more-links="off">
|
|
||||||
<a href="https://avd.aquasec.com/nvd/cve-2021-38561" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2021-38561</a>
|
|
||||||
</td>
|
|
||||||
</tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/bin/podman(gobinary)</th></tr>
|
|
||||||
<tr class="sub-header">
|
|
||||||
<th>Package</th>
|
|
||||||
<th>Vulnerability ID</th>
|
|
||||||
<th>Severity</th>
|
|
||||||
<th>Installed Version</th>
|
|
||||||
<th>Fixed Version</th>
|
|
||||||
<th>Title</th>
|
|
||||||
<th>Links</th>
|
|
||||||
</tr>
|
|
||||||
<tr class="severity-UNKNOWN">
|
|
||||||
<td class="pkg-name">github.com/opencontainers/image-spec</td>
|
|
||||||
<td>GMS-2021-101</td>
|
|
||||||
<td class="severity">UNKNOWN</td>
|
|
||||||
<td class="pkg-version">v1.0.2-0.20210819154149-5ad6f50d6283</td>
|
|
||||||
<td>1.0.2</td>
|
|
||||||
<td>Clarify `mediaType` handling</td>
|
|
||||||
<td class="links" data-more-links="off">
|
|
||||||
<a href="https://github.com/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/advisories/GHSA-77vh-xpmg-72qh</a>
|
|
||||||
<a href="https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m</a>
|
|
||||||
<a href="https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c</a>
|
|
||||||
<a href="https://github.com/opencontainers/image-spec/releases/tag/v1.0.2" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/releases/tag/v1.0.2</a>
|
|
||||||
<a href="https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh</a>
|
|
||||||
</td>
|
|
||||||
</tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/bin/trivy(gobinary)</th></tr>
|
|
||||||
<tr class="sub-header">
|
|
||||||
<th>Package</th>
|
|
||||||
<th>Vulnerability ID</th>
|
|
||||||
<th>Severity</th>
|
|
||||||
<th>Installed Version</th>
|
|
||||||
<th>Fixed Version</th>
|
|
||||||
<th>Title</th>
|
|
||||||
<th>Links</th>
|
|
||||||
</tr>
|
|
||||||
<tr class="severity-UNKNOWN">
|
|
||||||
<td class="pkg-name">github.com/opencontainers/image-spec</td>
|
|
||||||
<td>GMS-2021-101</td>
|
|
||||||
<td class="severity">UNKNOWN</td>
|
|
||||||
<td class="pkg-version">v1.0.2-0.20190823105129-775207bd45b6</td>
|
|
||||||
<td>1.0.2</td>
|
|
||||||
<td>Clarify `mediaType` handling</td>
|
|
||||||
<td class="links" data-more-links="off">
|
|
||||||
<a href="https://github.com/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/advisories/GHSA-77vh-xpmg-72qh</a>
|
|
||||||
<a href="https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m</a>
|
|
||||||
<a href="https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c</a>
|
|
||||||
<a href="https://github.com/opencontainers/image-spec/releases/tag/v1.0.2" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/releases/tag/v1.0.2</a>
|
|
||||||
<a href="https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh</a>
|
|
||||||
</td>
|
|
||||||
</tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/bandwidth(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/bridge(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/dhcp(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/firewall(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/host-device(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/host-local(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/ipvlan(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/loopback(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/macvlan(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/portmap(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/ptp(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/sbr(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/static(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/tuning(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/vlan(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
<tr class="group-header"><th colspan="7">usr/libexec/cni/vrf(gobinary)</th></tr>
|
|
||||||
<tr><th colspan="7">No Vulnerabilities found</th></tr>
|
|
||||||
<tr><th colspan="7">No Misconfigurations found</th></tr>
|
|
||||||
</table>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
Loading…
Reference in New Issue
Block a user