This topic describes how you can upgrade Supply Chain Security Tools - Scan from the Tanzu Application Platform package repository.
Note This topic uses SCST - Scan 1.0. SCST - Scan 1.0 is deprecated in Tanzu Application Platform v1.9 and later. In Tanzu Application Platform v1.9, SCST - Scan 1.0 is still the default in Supply Chain with Testing. For more information, see Add testing and scanning to your application. VMware recommends using SCST - Scan 2.0 as SCST - Scan 1.0 will be removed in a future version and SCST - Scan 2.0 will be the default. For more information, see SCST - Scan versions.
You can perform a fresh install of SCST - Scan by following the instructions in Install Supply Chain Security Tools - Scan.
Before you upgrade SCST - Scan, upgrade the Tanzu Application Platform by following the instructions in Upgrading Tanzu Application Platform.
When you're upgrading to any version of SCST - Scan these are some factors to accomplish this task:
-
Inspect the Release Notes for the version you're upgrading to. There you can find any breaking changes for the installation.
-
Get the values schema for the package version you're upgrading to by running:
tanzu package available get scanning.apps.tanzu.vmware.com/$VERSION --values-schema -n tap-installWhere
$VERSIONis the new version. This gives you insights on the values you can configure in yourtap-values.yamlfor the new version.
This section describes how to upgrade a supported scanner in all namespaces. The procedure is different depending on the installation method:
- Installation by using Namespace Provisioner
- Manual installation
All scanners installed by the Namespace Provisioner in all managed namespaces are upgraded automatically. For example, if you upgrade your installation of Tanzu Application Platform and the version of Grype is updated, all Grype scanners installed by the Namespace Provisioner for all managed namespaces are automatically upgraded.
-
If a scanner, such as Grype Scanner, was installed as part of Tanzu Application Platform by using the full profile, run to upgrade:
tanzu package installed update tap -p tap.tanzu.vmware.com -v VERSION --values-file tap-values.yaml -n tap-installWhere
VERSIONis your Tanzu Application Platform version. -
If a scanner, such as Grype Scanner, was installed by using component installation you must manually run:
tanzu package installed update grype -p grype.scanning.apps.tanzu.vmware.com -v GRYPE-VERSION --values-file grype-values.yaml -n NAMESPACEWhere:
GRYPE-VERSIONis the version of Grype that you are upgrading to.NAMESPACEis the namespace in which Grype is installed in.
To upgrade from a previous version of SCST - Scan to the version v1.2.0:
-
Change the
SecretExportsfrom SCST - Store.SCST - Scan needs information to connect to the SCST - Store deployment, you must change where these secrets are exported to enable the connection with the version
v1.2.0of SCST - Scan.-
For a single cluster deployment:
-
Edit the
tap-values.yamlfile you used to deploy SCST - Store to export the CA certificate to your developer namespace.metadata_store: ns_for_export_app_cert: "DEV-NAMESPACE"
Note The
ns_for_export_app_certsupports one namespace at a time. If you have multiple namespaces you can replace this value with a*, but this exports the CA certificate to all namespaces. Consider whether this increased visibility presents a risk. -
Update Tanzu Application Platform to apply the changes:
tanzu package installed update tap -f tap-values.yaml -n tap-install
-
-
For a multicluster deployment:
You must reapply the SecretExport by changing the
toNamespace: scan-link-systemtotoNamespace: DEV-NAMESPACE:--- apiVersion: secretgen.carvel.dev/v1alpha1 kind: SecretExport metadata: name: store-ca-cert namespace: metadata-store-secrets spec: toNamespace: "DEV-NAMESPACE" --- apiVersion: secretgen.carvel.dev/v1alpha1 kind: SecretExport metadata: name: store-auth-token namespace: metadata-store-secrets spec: toNamespace: "DEV-NAMESPACE"
-
-
Update your
tap-values.yamlfile.The installation of the SCST - Scan and the Grype scanner have some changes. The connection to the SCST - Store component have moved to the Grype scanner package. To deactivate the connection from the SCST - Scan, which is still present for backwards compatibility, but is deprecated and is removed in
v1.3.0.# Deactivate scan controller embedded Supply Chain Security Tools - Store integration scanning: metadataStore: url: "" # Install Grype Scanner v1.2.0 grype: namespace: "DEV-NAMESPACE" # The developer namespace where the ScanTemplates are going to be deployed metadataStore: url: "METADATA-STORE-URL" # The base URL where the Store deployment can be reached caSecret: name: "CA-SECRET-NAME" # The name of the secret containing the ca.crt importFromNamespace: "SECRET-NAMESPACE" # The namespace where Store is deployed (if single cluster) or where the connection secrets were created (if multi-cluster) authSecret: name: "TOKEN-SECRET-NAME" # The name of the secret containing the auth token to connect to Store importFromNamespace: "SECRET-NAMESPACE" # The namespace where the connection secrets were created (if multi-cluster)
For more insights on how to install Grype, see Install Supply Chain Security Tools - Scan (Grype Scanner).
Note If a mix of Grype templates, such as earlier than v1.2.0 and v1.2.0 and later, are used, both
scanningandgrypemust configure the parameters. The secret must also export to both scan-link-system and the developer namespace. Do this by exporting to*or by defining multiple secrets and exports. If Grype is installed to multiple namespaces there must be corresponding exports. See Install Supply Chain Security Tools - Scan (Grype Scanner). -
Update Tanzu Application Platform to apply the changes:
tanzu package installed update tap -f tap-values.yaml -n tap-install -
Update the
ScanPolicyto include the latest structure changes forv1.2.0.To update to the latest valid Rego File in the
ScanPolicy, Enforce compliance policy using Open Policy Agent.v1.2.0introduced some breaking changes in the Rego File structure used for theScanPolicies. For more information, see the Release Notes. -
Verify the upgrade.
You can run any
ImageScanorSourceScanin yourDEV-NAMESPACEwhere the Grype Scanner was installed, and it finishes. Here is a sample you can try to run to detect if everything upgraded.-
Create the
verify-upgrade.yamlfile in your system with the following content:--- apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: ScanPolicy metadata: name: scan-policy labels: 'app.kubernetes.io/part-of': 'enable-in-gui' spec: regoFile: | package main # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity" notAllowedSeverities := ["Critical", "High", "UnknownSeverity"] ignoreCves := [] contains(array, elem) = true { array[_] = elem } else = false { true } isSafe(match) { severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity } some i fails := contains(notAllowedSeverities, severities[i]) not fails } isSafe(match) { ignore := contains(ignoreCves, match.id) ignore } deny[msg] { comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] } some i comp := comps[i] vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] } some j vuln := vulns[j] ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity } not isSafe(vuln) msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings]) } --- apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: ImageScan metadata: name: sample-public-image-scan spec: registry: image: "nginx:1.16" scanTemplate: public-image-scan-template scanPolicy: scan-policy
-
Deploy the resources:
kubectl apply -f verify-upgrade.yaml -n DEV-NAMESPACE -
View the scan results:
kubectl describe imagescan sample-public-image-scan -n DEV-NAMESPACE
If it is successful, the
ImageScangoes to theFailedphase and shows the results of the scan in theStatus. -