Merge pull request 'chore(deps): update jenkins/inbound-agent:alpine-jdk17 docker digest to 38484c0' (#7) from renovate/jenkins-inbound-agent-alpine-jdk17 into master

Reviewed-on: #7

.ci/ecr_public_lifecycle.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+
+import argparse
+import boto3
+
+parser = argparse.ArgumentParser(
+    description='Implement basic public ECR lifecycle policy')
+parser.add_argument('--repo', dest='repositoryName', action='store', required=True,
+                    help='Name of the public ECR repository')
+parser.add_argument('--keep', dest='keep', action='store', default=10, type=int,
+                    help='number of tagged images to keep, default 10')
+parser.add_argument('--dev', dest='delete_dev', action='store_true',
+                    help='also delete in-development images only having tags like v0.1.1-commitNr-githash')
+
+args = parser.parse_args()
+
+client = boto3.client('ecr-public', region_name='us-east-1')
+
+images = client.describe_images(repositoryName=args.repositoryName)[
+    "imageDetails"]
+
+untagged = []
+kept = 0
+
+# actual Image
+# imageManifestMediaType: 'application/vnd.oci.image.manifest.v1+json'
+# image Index
+# imageManifestMediaType: 'application/vnd.oci.image.index.v1+json'
+
+# Sort by date uploaded
+for image in sorted(images, key=lambda d: d['imagePushedAt'], reverse=True):
+    # Remove all untagged
+    # if registry uses image index all actual images will be untagged anyways
+    if 'imageTags' not in image:
+        untagged.append({"imageDigest": image['imageDigest']})
+        # print("Delete untagged image {}".format(image["imageDigest"]))
+        continue
+
+    # check for dev tags
+    if args.delete_dev:
+        _delete = True
+        for tag in image["imageTags"]:
+            # Look for at least one tag NOT beign a SemVer dev tag
+            if "-" not in tag:
+                _delete = False
+        if _delete:
+            print("Deleting development image {}".format(image["imageTags"]))
+            untagged.append({"imageDigest": image['imageDigest']})
+            continue
+
+    if kept < args.keep:
+        kept = kept+1
+        print("Keeping tagged image {}".format(image["imageTags"]))
+        continue
+    else:
+        print("Deleting tagged image {}".format(image["imageTags"]))
+        untagged.append({"imageDigest": image['imageDigest']})
+
+deleted_images = client.batch_delete_image(
+    repositoryName=args.repositoryName, imageIds=untagged)
+
+if deleted_images["imageIds"]:
+    print("Deleted images: {}".format(deleted_images["imageIds"]))

.ci/podman.mk

@@ -1,12 +1,26 @@
 # Parse version from latest git semver tag
-GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
-TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
-ARCH := amd64
+GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
+GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
 
-# EXTRA_TAGS supposed to be set at the caller, eg. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }')
+TAG ::= $(GIT_TAG)
+# append branch name to tag if NOT main nor master
+ifeq (,$(filter main master, $(GIT_BRANCH)))
+	# If branch is substring of tag, omit branch name
+	ifeq ($(findstring $(GIT_BRANCH), $(GIT_TAG)),)
+		# only append branch name if not equal tag
+		ifneq ($(GIT_TAG), $(GIT_BRANCH))
+			# Sanitize GIT_BRANCH to allowed Docker tag character set
+			TAG = $(GIT_TAG)-$(shell echo $$GIT_BRANCH | sed -e 's/[^a-zA-Z0-9]/-/g')
+		endif
+	endif
+endif
+
+ARCH ::= amd64
+ALL_ARCHS ::= amd64 arm64
+_ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))
 
 ifneq ($(TRIVY_REMOTE),)
-  TRIVY_OPTS := --server $(TRIVY_REMOTE)
+	TRIVY_OPTS ::= --server $(TRIVY_REMOTE)
 endif
 
 .SILENT: ; # no need for @
@@ -19,51 +33,52 @@ endif
 help: ## Show Help
 	grep -E '^[a-zA-Z_-]+:.*?## .*$$' .ci/podman.mk | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
-build: ## Build the app
-	docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(ARCH) --platform linux/$(ARCH) .
+prepare:: ## custom step on the build agent before building
 
-test: rm-test-image ## Execute Dockerfile.test
-	test -f Dockerfile.test && \
-		{ docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test --platform linux/$(ARCH) . && \
-			docker run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH)-test; } || \
-		echo "No Dockerfile.test found, skipping test"
+fmt:: ## auto format source
+
+lint:: ## Lint source
+
+build: ## Build the app
+	buildah build --rm --layers -t $(IMAGE):$(TAG)-$(_ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(_ARCH) --platform linux/$(_ARCH) .
+
+test:: ## test built artificats
 
 scan: ## Scan image using trivy
-	echo "Scanning $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH) using Trivy $(TRIVY_REMOTE)"
-	trivy image $(TRIVY_OPTS) $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH)
+	echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
+	trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
 
-# We create new manifest and add TAG-ARCH image
-# if manigest exists already, get it and add TAG-ARCH to eg. add arm64 to existing amd64
-push: ## push images to registry
-	for t in $(TAG) latest $(EXTRA_TAGS); \
-		do echo "creating and pushing: $$t"; \
-		docker tag $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(ARCH) && \
-		docker push $(REGISTRY)/$(IMAGE):$${t}-$(ARCH); \
-		podman manifest exists $(IMAGE):$$t || podman manifest create $(IMAGE):$$t; \
-		buildah manifest add $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH) && docker manifest push $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$$t; \
+# first tag and push all actual images
+# create new manifest for each tag and add all available TAG-ARCH before pushing
+push: ecr-login ## push images to registry
+	for t in $(TAG) latest $(EXTRA_TAGS); do \
+		echo "Tagging image with $(REGISTRY)/$(IMAGE):$${t}-$(ARCH)"
+		buildah tag $(IMAGE):$(TAG)-$(_ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(_ARCH); \
+		buildah manifest rm $(IMAGE):$$t || true; \
+		buildah manifest create $(IMAGE):$$t; \
+		for a in $(ALL_ARCHS); do \
+			buildah manifest add $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$(TAG)-$$a; \
+		done; \
+		echo "Pushing manifest $(IMAGE):$$t"
+		buildah manifest push --all $(IMAGE):$$t docker://$(REGISTRY)/$(IMAGE):$$t; \
 	done
 
 ecr-login: ## log into AWS ECR public
-	aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
+	aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
 
-clean: rm-test-image rm-image ## delete local built container and test images
+rm-remote-untagged: ## delete all remote untagged and in-dev images, keep 10 tagged
+	echo "Removing all untagged and in-dev images from $(IMAGE) in $(REGION)"
+	.ci/ecr_public_lifecycle.py --repo $(IMAGE) --dev
 
-rm-remote-untagged: ## delete all remote untagged images
-	echo "Removing all untagged images from $(IMAGE) in $(REGION)"
-	IMAGE_IDS=$$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done) ; \
-	  [ -n "$$IMAGE_IDS" ] && aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$IMAGE_IDS || echo "No image to remove"
+clean:: ## clean up source folder
 
 rm-image:
-	test -z "$$(docker image ls -q $(IMAGE):$(TAG)-$(ARCH))" || docker image rm -f $(IMAGE):$(TAG)-$(ARCH) > /dev/null
-	test -z "$$(docker image ls -q $(IMAGE):$(TAG)-$(ARCH))" || echo "Error: Removing image failed"
-
-# Ensure we run the tests by removing any previous runs
-rm-test-image:
-	test -z "$$(docker image ls -q $(IMAGE):$(TAG)-$(ARCH)-test)" || docker image rm -f $(IMAGE):$(TAG)-$(ARCH)-test > /dev/null
-	test -z "$$(docker image ls -q $(IMAGE):$(TAG)-$(ARCH)-test)" || echo "Error: Removing test image failed"
+	test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH) > /dev/null
+	test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || echo "Error: Removing image failed"
 
+## some useful tasks during development
 ci-pull-upstream: ## pull latest shared .ci subtree
-	git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
+	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
 
 create-repo: ## create new AWS ECR public repository
 	aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)

.ci/vars/buildPodman.groovy

@@ -2,24 +2,33 @@
 
 def call(Map config=[:]) {
     pipeline {
+      options {
+        disableConcurrentBuilds()
+      }
       agent {
         node {
           label 'podman-aws-trivy'
         }
       }
-
       stages {
         stage('Prepare') {
-          // get tags
           steps {
-            sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
+            sh 'mkdir -p reports'
+
+            // we set pull tags as project adv. options
+            // pull tags
+            //withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
+            //  sh 'git fetch -q --tags ${GIT_URL}'
+            //}
+            // Optional project specific preparations
+            sh 'make prepare'
           }
         }
 
         // Build using rootless podman
         stage('Build') {
           steps {
-            sh 'make build'
+            sh 'make build GIT_BRANCH=$GIT_BRANCH'
           }
         }
 
@@ -31,13 +40,13 @@ def call(Map config=[:]) {
 
         // Scan via trivy
         stage('Scan') {
-          environment {
-            TRIVY_FORMAT = "template"
-            TRIVY_OUTPUT = "reports/trivy.html"
-          }
           steps {
-            sh 'mkdir -p reports'
-            sh 'make scan'
+            // we always scan and create the full json report
+            sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
+
+            // render custom full html report
+            sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
+
             publishHTML target: [
               allowMissing: true,
               alwaysLinkToLastBuild: true,
@@ -47,25 +56,33 @@ def call(Map config=[:]) {
               reportName: 'TrivyScan',
               reportTitles: 'TrivyScan'
             ]
+            sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'
 
-            // Scan again and fail on CRITICAL vulns, if not overridden
+            // fail build if issues found above trivy threshold
             script {
-              if (config.trivyFail == 'NONE') {
-                echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
-              } else {
-                sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
+              if ( config.trivyFail ) {
+                sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
               }
             }
           }
         }
 
-        // Push to ECR
+        // Push to container registry if not PR
+        // incl. basic registry retention removing any untagged images
         stage('Push') {
+          when { not { changeRequest() } }
           steps {
-            sh 'make ecr-login push'
+            sh 'make push'
+            sh 'make rm-remote-untagged'
           }
         }
 
+        // generic clean
+        stage('cleanup') {
+          steps {
+            sh 'make clean'
+          }
+        }
       }
     }
   }

.gitignore

@@ -0,0 +1 @@
+report.html

Dockerfile

@@ -1,9 +1,8 @@
 # https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile
 # https://hub.docker.com/r/jenkins/inbound-agent/tags
 
-ARG BASE="alpine-jdk17"
 
-FROM jenkins/inbound-agent:${BASE}
+FROM jenkins/inbound-agent:alpine-jdk17@sha256:38484c0f035a57b3cab5838468fb6c5c2b3f3051e7a2c8b39c99a30823f393ce
 
 ARG BUILDUSER=jenkins
 
@@ -13,11 +12,13 @@ RUN echo "@edge-testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /e
     apk add --no-cache \
       tini \
       make \
+      jq \
       yq \
       strace \
+      fuse-overlayfs \
       podman \
       buildah \
-      py3-pip \
+      py-boto3 \
       aws-cli \
       trivy@edge-testing
 
@@ -31,8 +32,8 @@ ADD entrypoint.sh /usr/local/bin/entrypoint.sh
 # conf/registries.conf will be mounted RO at runtime to inherit worker settings incl. caching proxies
 ADD --chown=$BUILDUSER:$BUILDUSER conf/containers.conf conf/storage.conf /home/$BUILDUSER/.config/containers
 
-RUN echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subuid && \
-    echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subgid && \
+RUN echo -e "$BUILDUSER:100000:65535" > /etc/subuid && \
+    echo -e "$BUILDUSER:100000:65535" > /etc/subgid && \
     cd /usr/bin && ln -s podman docker && \
     chown $BUILDUSER:$BUILDUSER -R /home/$BUILDUSER
 
@@ -42,12 +43,12 @@ RUN sed -i -e 's/exec \$JAVA_BIN/podman system service -t0\&\n        exec \$JAV
 ENV XDG_RUNTIME_DIR=/home/$BUILDUSER/agent/xdg-run
 ENV BUILDAH_ISOLATION=chroot
 ENV _CONTAINERS_USERNS_CONFIGURED=""
-ENV TRIVY_TEMPLATE="@/home/jenkins/html.tpl"
+ENV HOME=/home/$BUILDUSER
+
+# Until we setup the logging and metrics pipelines in OTEL
+ENV OTEL_LOGS_EXPORTER=none
+ENV OTEL_METRICS_EXPORTER=none
 
 USER $BUILDUSER
 
-# Install detect-secrets
-ENV PATH=$PATH:/home/${BUILDUSER}/.local/bin
-RUN pip install detect-secrets --user
-
 ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"]

entrypoint.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
 
-mkdir -p $HOME/agent/xdg-run
+mkdir -p $HOME/agent/xdg-run $HOME/agent/containers/run $HOME/agent/containers/storage
 /usr/local/bin/jenkins-agent

html.tpl

@@ -20,6 +20,7 @@
       table, th, td {
         border: 1px solid black;
         border-collapse: collapse;
+        white-space: nowrap;
         padding: .3em;
       }
       table {
@@ -39,7 +40,7 @@
       .severity-MEDIUM { background-color: #e9c60060; }
       .severity-HIGH { background-color: #ff880060; }
       .severity-CRITICAL { background-color: #e4000060; }
-      .severity-UNKNOWN { background-color: #74747430; }
+      .severity-UNKNOWN { background-color: #74747460; }
       table tr td:first-of-type {
         font-weight: bold;
       }
@@ -82,11 +83,13 @@
     </script>
   </head>
   <body>
-    <h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding-right:10px";>
-    Trivy Report - {{ now | date "2006-01-02 15:04:05 -0700" }}</h1>
     <table>
+    <tr><td colspan="7">
+    <h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding:10px;float:left";>
+    {{- escapeXML ( index . 0 ).Target }}<br/>Trivy Report - {{ now | date "2006-01-02 15:04:05 -0700" }}</h1>
+    </td></tr>
     {{- range . }}
-      <tr class="group-header"><th colspan="7">{{ escapeXML .Target }}({{ escapeXML .Type }})</th></tr>
+      <tr class="group-header"><th colspan="7">{{ escapeXML .Target }} ({{ .Type | toString | escapeXML }})</th></tr>
       {{- if (eq (len .Vulnerabilities) 0) }}
       <tr><th colspan="7">No Vulnerabilities found</th></tr>
       {{- else }}
@@ -100,10 +103,10 @@
         <th>Links</th>
       </tr>
       {{- range .Vulnerabilities }}
-      <tr class="severity-{{ escapeXML .Vulnerability.Severity }}">
+      <tr class="severity-{{ escapeXML .Severity }}">
         <td class="pkg-name">{{ escapeXML .PkgName }}</td>
         <td>{{ escapeXML .VulnerabilityID }}</td>
-        <td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
         <td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
         <td>{{ escapeXML .FixedVersion }}</td>
         <td>{{ escapeXML .Title }}</td>
@@ -144,6 +147,26 @@
       </tr>
         {{- end }}
       {{- end }}
+      {{- if (eq (len .Secrets) 0) }}
+      <tr><th colspan="7">No Secrets found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th colspan="2">Rule ID</th>
+        <th>Severity</th>
+        <th>Category</th>
+        <th colspan="2">Title</th>
+        <th>Lines</th>
+      </tr>
+      {{- range .Secrets }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td colspan="2">{{ escapeXML .RuleID }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td>{{ .Category | toString | escapeXML }}</td>
+        <td colspan="2">{{ escapeXML .Title }}</td>
+        <td>{{ .StartLine | toString }} - {{ .EndLine | toString }}</td>
+      </tr>
+      {{- end }}
+      {{- end }}
     {{- end }}
     </table>
 {{- else }}

junit.tpl

@@ -1,5 +1,5 @@
 <?xml version="1.0" ?>
-<testsuites>
+<testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
     <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
@@ -14,5 +14,18 @@
         </testcase>
     {{- end }}
     </testsuite>
+{{- $failures := len .Misconfigurations }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Misconfigurations }}
+        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
 {{- end }}
-</testsuites>
+</testsuites>

renovate.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":label(renovate)",
+    ":semanticCommits"
+  ],
+  "prHourlyLimit": 0
+}

report.html

@@ -1,276 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-    <style>
-      * {
-        font-family: Arial, Helvetica, sans-serif;
-      }
-      h1 {
-        text-align: center;
-      }
-      .group-header th {
-        font-size: 200%;
-        background-color: #E4E4E4;
-      }
-      .sub-header th {
-        font-size: 150%;
-      }
-      table, th, td {
-        border: 1px solid black;
-        border-collapse: collapse;
-        padding: .3em;
-      }
-      table {
-        margin: 0 auto;
-      }
-      .severity {
-        text-align: center;
-        font-weight: bold;
-        color: #fafafa;
-      }
-      .severity-LOW .severity { background-color: #5fbb31; }
-      .severity-MEDIUM .severity { background-color: #e9c600; }
-      .severity-HIGH .severity { background-color: #ff8800; }
-      .severity-CRITICAL .severity { background-color: #e40000; }
-      .severity-UNKNOWN .severity { background-color: #747474; }
-      .severity-LOW { background-color: #5fbb3160; }
-      .severity-MEDIUM { background-color: #e9c60060; }
-      .severity-HIGH { background-color: #ff880060; }
-      .severity-CRITICAL { background-color: #e4000060; }
-      .severity-UNKNOWN { background-color: #74747430; }
-      table tr td:first-of-type {
-        font-weight: bold;
-      }
-      .links a,
-      .links[data-more-links=on] a {
-        display: block;
-      }
-      .links[data-more-links=off] a:nth-of-type(1n+5) {
-        display: none;
-      }
-      a.toggle-more-links { cursor: pointer; }
-    </style>
-    <title>localhost/jenkins-podman:v0.2.4-3 (alpine 3.15.0) - Trivy Report - 2022-01-25T13:58:07.832142733Z</title>
-    <script>
-      window.onload = function() {
-        document.querySelectorAll('td.links').forEach(function(linkCell) {
-          var links = [].concat.apply([], linkCell.querySelectorAll('a'));
-          [].sort.apply(links, function(a, b) {
-            return a.href > b.href ? 1 : -1;
-          });
-          links.forEach(function(link, idx) {
-            if (links.length > 3 && 3 === idx) {
-              var toggleLink = document.createElement('a');
-              toggleLink.innerText = "Toggle more links";
-              toggleLink.href = "#toggleMore";
-              toggleLink.setAttribute("class", "toggle-more-links");
-              linkCell.appendChild(toggleLink);
-            }
-            linkCell.appendChild(link);
-          });
-        });
-        document.querySelectorAll('a.toggle-more-links').forEach(function(toggleLink) {
-          toggleLink.onclick = function() {
-            var expanded = toggleLink.parentElement.getAttribute("data-more-links");
-            toggleLink.parentElement.setAttribute("data-more-links", "on" === expanded ? "off" : "on");
-            return false;
-          };
-        });
-      };
-    </script>
-  </head>
-  <body>
-    <h1><img src="https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png" style="padding-right:10px";>
-    Trivy Report - 2022-01-25T13:58:07.832152637Z</h1>
-    <table>
-      <tr class="group-header"><th colspan="7">localhost/jenkins-podman:v0.2.4-3 (alpine 3.15.0)(alpine)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">Java(jar)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/bin/buildah(gobinary)</th></tr>
-      <tr class="sub-header">
-        <th>Package</th>
-        <th>Vulnerability ID</th>
-        <th>Severity</th>
-        <th>Installed Version</th>
-        <th>Fixed Version</th>
-        <th>Title</th>
-        <th>Links</th>
-      </tr>
-      <tr class="severity-HIGH">
-        <td class="pkg-name">github.com/containerd/containerd</td>
-        <td>CVE-2021-41103</td>
-        <td class="severity">HIGH</td>
-        <td class="pkg-version">v1.5.5</td>
-        <td>v1.4.11, v1.5.7</td>
-        <td>containerd: insufficiently restricted permissions on container root and plugin directories</td>
-        <td class="links" data-more-links="off">
-          <a href="https://avd.aquasec.com/nvd/cve-2021-41103" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2021-41103</a>
-        </td>
-      </tr>
-      <tr class="severity-UNKNOWN">
-        <td class="pkg-name">github.com/opencontainers/image-spec</td>
-        <td>GMS-2021-101</td>
-        <td class="severity">UNKNOWN</td>
-        <td class="pkg-version">v1.0.2-0.20210819154149-5ad6f50d6283</td>
-        <td>1.0.2</td>
-        <td>Clarify `mediaType` handling</td>
-        <td class="links" data-more-links="off">
-          <a href="https://github.com/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/advisories/GHSA-77vh-xpmg-72qh</a>
-          <a href="https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m</a>
-          <a href="https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c</a>
-          <a href="https://github.com/opencontainers/image-spec/releases/tag/v1.0.2" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/releases/tag/v1.0.2</a>
-          <a href="https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh</a>
-        </td>
-      </tr>
-      <tr class="severity-UNKNOWN">
-        <td class="pkg-name">golang.org/x/text</td>
-        <td>CVE-2021-38561</td>
-        <td class="severity">UNKNOWN</td>
-        <td class="pkg-version">v0.3.6</td>
-        <td>0.3.7</td>
-        <td></td>
-        <td class="links" data-more-links="off">
-          <a href="https://avd.aquasec.com/nvd/cve-2021-38561" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2021-38561</a>
-        </td>
-      </tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/bin/git-lfs(gobinary)</th></tr>
-      <tr class="sub-header">
-        <th>Package</th>
-        <th>Vulnerability ID</th>
-        <th>Severity</th>
-        <th>Installed Version</th>
-        <th>Fixed Version</th>
-        <th>Title</th>
-        <th>Links</th>
-      </tr>
-      <tr class="severity-HIGH">
-        <td class="pkg-name">golang.org/x/crypto</td>
-        <td>CVE-2020-29652</td>
-        <td class="severity">HIGH</td>
-        <td class="pkg-version">v0.0.0-20201112155050-0c6587e931a9</td>
-        <td>v0.0.0-20201216223049-8b5274cf687f</td>
-        <td>golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference</td>
-        <td class="links" data-more-links="off">
-          <a href="https://avd.aquasec.com/nvd/cve-2020-29652" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2020-29652</a>
-        </td>
-      </tr>
-      <tr class="severity-UNKNOWN">
-        <td class="pkg-name">golang.org/x/text</td>
-        <td>CVE-2021-38561</td>
-        <td class="severity">UNKNOWN</td>
-        <td class="pkg-version">v0.3.5</td>
-        <td>0.3.7</td>
-        <td></td>
-        <td class="links" data-more-links="off">
-          <a href="https://avd.aquasec.com/nvd/cve-2021-38561" target="_blank" rel="noopener noreferrer">https://avd.aquasec.com/nvd/cve-2021-38561</a>
-        </td>
-      </tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/bin/podman(gobinary)</th></tr>
-      <tr class="sub-header">
-        <th>Package</th>
-        <th>Vulnerability ID</th>
-        <th>Severity</th>
-        <th>Installed Version</th>
-        <th>Fixed Version</th>
-        <th>Title</th>
-        <th>Links</th>
-      </tr>
-      <tr class="severity-UNKNOWN">
-        <td class="pkg-name">github.com/opencontainers/image-spec</td>
-        <td>GMS-2021-101</td>
-        <td class="severity">UNKNOWN</td>
-        <td class="pkg-version">v1.0.2-0.20210819154149-5ad6f50d6283</td>
-        <td>1.0.2</td>
-        <td>Clarify `mediaType` handling</td>
-        <td class="links" data-more-links="off">
-          <a href="https://github.com/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/advisories/GHSA-77vh-xpmg-72qh</a>
-          <a href="https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m</a>
-          <a href="https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c</a>
-          <a href="https://github.com/opencontainers/image-spec/releases/tag/v1.0.2" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/releases/tag/v1.0.2</a>
-          <a href="https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh</a>
-        </td>
-      </tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/bin/trivy(gobinary)</th></tr>
-      <tr class="sub-header">
-        <th>Package</th>
-        <th>Vulnerability ID</th>
-        <th>Severity</th>
-        <th>Installed Version</th>
-        <th>Fixed Version</th>
-        <th>Title</th>
-        <th>Links</th>
-      </tr>
-      <tr class="severity-UNKNOWN">
-        <td class="pkg-name">github.com/opencontainers/image-spec</td>
-        <td>GMS-2021-101</td>
-        <td class="severity">UNKNOWN</td>
-        <td class="pkg-version">v1.0.2-0.20190823105129-775207bd45b6</td>
-        <td>1.0.2</td>
-        <td>Clarify `mediaType` handling</td>
-        <td class="links" data-more-links="off">
-          <a href="https://github.com/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/advisories/GHSA-77vh-xpmg-72qh</a>
-          <a href="https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m</a>
-          <a href="https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c</a>
-          <a href="https://github.com/opencontainers/image-spec/releases/tag/v1.0.2" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/releases/tag/v1.0.2</a>
-          <a href="https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh" target="_blank" rel="noopener noreferrer">https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh</a>
-        </td>
-      </tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/bandwidth(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/bridge(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/dhcp(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/firewall(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/host-device(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/host-local(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/ipvlan(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/loopback(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/macvlan(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/portmap(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/ptp(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/sbr(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/static(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/tuning(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/vlan(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-      <tr class="group-header"><th colspan="7">usr/libexec/cni/vrf(gobinary)</th></tr>
-      <tr><th colspan="7">No Vulnerabilities found</th></tr>
-      <tr><th colspan="7">No Misconfigurations found</th></tr>
-    </table>
-  </body>
-</html>