1+ #! /usr/bin/env bash
2+ # Copyright 2022 The Kubernetes Authors.
3+ #
4+ # Licensed under the Apache License, Version 2.0 (the "License");
5+ # you may not use this file except in compliance with the License.
6+ # You may obtain a copy of the License at
7+ #
8+ # http://www.apache.org/licenses/LICENSE-2.0
9+ #
10+ # Unless required by applicable law or agreed to in writing, software
11+ # distributed under the License is distributed on an "AS IS" BASIS,
12+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+ # See the License for the specific language governing permissions and
14+ # limitations under the License.
15+
16+ set -euo pipefail
17+ apt update && apt -y install jq
18+ wget -q -O /usr/local/bin/snyk https://static.snyk.io/cli/latest/snyk-linux && chmod +x /usr/local/bin/snyk
19+ mkdir -p " ${ARTIFACTS} "
20+ if [ -z " ${SNYK_TOKEN} " ; then
21+ echo " SNYK_TOKEN env var is not set, required for snyk scan"
22+ exit 1
23+ fi
24+ echo " Running snyk scan .."
25+ EXIT_CODE=0
26+ RESULT_UNFILTERED=$( snyk test -d --json) || EXIT_CODE=$?
27+ if [ $EXIT_CODE -gt 1 ]; then
28+ echo " Failed to run snyk scan with exit code $EXIT_CODE "
29+ exit 1
30+ fi
31+ RESULT=$( echo $RESULT_UNFILTERED | jq \
32+ ' {vulnerabilities: .vulnerabilities | map(select((.type != "license") and (.version != "0.0.0"))) | select(length > 0) }' )
33+ if [[ ${RESULT} ]]; then
34+ CVE_IDs=$( echo $RESULT | jq ' .vulnerabilities[].identifiers.CVE | unique[]' | sort -u)
35+ # convert string to array
36+ CVE_IDs_array=(` echo ${CVE_IDs} `
37+ # TODO:Implement deduplication of CVE IDs in future
38+ for i in " ${CVE_IDs_array[@]} "
39+ do
40+ if [[ " $i " == * " CVE" * ]]; then
41+ # Look for presence of GitHub Issues for detected CVEs. If no issues are present, this CVE needs triage
42+ # Once the job fails, CVE is triaged by SIG Security and a tracking issue is created.
43+ # This will allow in the next run for the job to pass again
44+ TOTAL_COUNT=$( curl -H " Accept: application/vnd.github.v3+json" " https://api.github.com/search/issues?q=repo:kubernetes/kubernetes+${i} " | jq .total_count)
45+ if [[ $TOTAL_COUNT -eq 0 ]]; then
46+ echo " Vulnerability filtering failed"
47+ exit 1
48+ fi
49+ fi
50+ done
51+ fi
52+ echo " Build time dependency scan completed"
53+
54+ # container images scan
55+ echo " Fetch the list of k8s images"
56+ curl -Ls https://sbom.k8s.io/$( curl -Ls https://dl.k8s.io/release/latest.txt) | grep " SPDXID: SPDXRef-Package-registry.k8s.io" | grep -v sha256 | cut -d- -f3- | sed ' s/-/\//' | sed ' s/-v1/:v1/' > images
57+ while read image; do
58+ echo " Running container image scan.."
59+ EXIT_CODE=0
60+ RESULT_UNFILTERED=$( snyk container test $image -d --json) || EXIT_CODE=$?
61+ if [ $EXIT_CODE -gt 1 ]; then
62+ echo " Failed to run snyk scan with exit code $EXIT_CODE . Error message: $RESULT_UNFILTERED "
63+ exit 1
64+ fi
65+ RESULT=$( echo $RESULT_UNFILTERED | jq \
66+ ' {vulnerabilities: .vulnerabilities | map(select(.isUpgradable == true or .isPatchable == true)) | select(length > 0) }' )
67+ if [[ ${RESULT} ]]; then
68+ echo " Vulnerability filtering failed"
69+ # exit 1 (To allow other images to be scanned even if one fails)
70+ else
71+ echo " Scan completed image $image "
72+ fi
73+ done < images
0 commit comments