feat: set openvex output file in action #29
Conversation
Vombato
force-pushed
the
feature/add-vuln-output
branch
from
e6f2238 to
38c1649
Compare
Vombato
force-pushed
the
feature/add-vuln-output
branch
from
10428a3 to
042b660
Compare
|
Ty @sozercan for the review, I added the output format option, I also added the full command on https://github.com/project-copacetic/copa-action/blob/main/.github/workflows/build.yaml#L53-L55 Still need to add tests to the |
Vombato
force-pushed
the
feature/add-vuln-output
branch
2 times, most recently
from
481de36 to
46f4ff4
Compare
Signed-off-by: Sertac Ozercan <sozercan@gmail.com> Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Sertac Ozercan <sozercan@gmail.com> Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Sertac Ozercan <sozercan@gmail.com> Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
This reverts commit 1c9061b. Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Vombato
force-pushed
the
feature/add-vuln-output
branch
from
8b9a488 to
0bde097
Compare
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
|
@Vombato can you rebase when you get a chance? looks like there are some extra commits in the PR. Thanks! |
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
This reverts commit 1c9061b. Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
…copa-action into feature/add-vuln-output
I might have made a mess but it should be rebased now 😕 |
| # run copa to patch image | ||
| if copa patch -i "$image" -r ./data/"$report" -t "$patched_tag" --addr tcp://127.0.0.1:8888 --timeout $timeout; | ||
| if copa patch -i "$image" -r ./data/"$report" -t "$patched_tag" --addr tcp://127.0.0.1:8888 --timeout $timeout $output; |
There was a problem hiding this comment.
since this is created from inside the container, output json won't have user read permissions. do we need to set up permissions? how does other actions handle this case?
There was a problem hiding this comment.
since this is created from inside the container, output json won't have user read permissions. do we need to set up permissions? how does other actions handle this case?
This should be true only for the "build" action that produces the copa-action but not for the copa-action itself, since here: https://github.com/Vombato/copa-action/blob/45ad120c0502d23e649ab235a843ea2f24097602/action.yaml#L53C1-L53C434
the workspace path is mounted in the /data directory which should also be the directory in which copa writes the output file.
Am I missing something? Do we have means to test this?
There was a problem hiding this comment.
You can run the action against your branch. Here's my test: https://github.com/sozercan/copa-action/actions/runs/7674100022/job/20918050594#step:6:11
-rw-r--r-- 1 root root 753475 Jan 26 22:28 report.json
-rw------- 1 root root 49735 Jan 26 22:28 test.json
report is the trivy report, test is the copa vex output
There was a problem hiding this comment.
@sozercan @Vombato
The GitHub action for Trivy has an open issue from two months ago, addressing the exact same behavior.
Examining another related issue reveals that the problem arises because the user is not specified in the action's Dockerfile, forcing the container to run as root.
However, specifying the user results in the loss of some functionalities.
At this point, the simplest course of action seems to be adding the command to change the file permissions directly in our entrypoint script (after copacetic produces it).
What do you think?
There was a problem hiding this comment.
@R3DRUN3 good find! can we set it to 444 like trivy action does?
There was a problem hiding this comment.
@R3DRUN3 good find! can we set it to
444like trivy action does?
I added a chmod 444 that should solve the issue, tests were ok, please check for yourself and give us feedback if needed 😃
Signed-off-by: Luca Bandini <luca.vombato@gmail.com>
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
This PR fixes #28
I added a feature to allow the user to explicit an output file for the
copacommand in the OpenVEX format (see: doc ref).I think this could be useful to have a report after running the
copacommand and to extract information on what has been patched.I tested the entrypoint with a local buildkit instance and by running the following command:
entrypoint.sh docker.io/library/python:3.10.10-alpine3.17 report.json patched 5m vex.outThe output file I obtained is the following:
{ "@context": "https://openvex.dev/ns", "@id": "https://openvex.dev/docs/public/vex-fd2a8fc4cbe0bd771e15c6f4066dd6827f2e8799c259d65893f99c657fd8defe", "author": "Project Copacetic", "timestamp": "2024-01-19T11:08:54.228148+01:00", "version": 1, "tooling": "Project Copacetic", "statements": [ { "vulnerability": { "@id": "CVE-2023-5363" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/libcrypto3@3.0.12-r0?arch=amd64" }, { "@id": "pkg:apk/alpine/libssl3@3.0.12-r0?arch=amd64" } ] } ], "status": "fixed" }, { "vulnerability": { "@id": "CVE-2023-1255" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/libcrypto3@3.0.8-r4?arch=amd64" }, { "@id": "pkg:apk/alpine/libssl3@3.0.8-r4?arch=amd64" } ] } ], "status": "fixed" }, { "vulnerability": { "@id": "CVE-2023-2650" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/libcrypto3@3.0.9-r0?arch=amd64" }, { "@id": "pkg:apk/alpine/libssl3@3.0.9-r0?arch=amd64" } ] } ], "status": "fixed" }, { "vulnerability": { "@id": "CVE-2023-2975" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/libcrypto3@3.0.9-r2?arch=amd64" }, { "@id": "pkg:apk/alpine/libssl3@3.0.9-r2?arch=amd64" } ] } ], "status": "fixed" }, { "vulnerability": { "@id": "CVE-2023-3446" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/libcrypto3@3.0.9-r3?arch=amd64" }, { "@id": "pkg:apk/alpine/libssl3@3.0.9-r3?arch=amd64" } ] } ], "status": "fixed" }, { "vulnerability": { "@id": "CVE-2023-3817" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/libcrypto3@3.0.10-r0?arch=amd64" }, { "@id": "pkg:apk/alpine/libssl3@3.0.10-r0?arch=amd64" } ] } ], "status": "fixed" }, { "vulnerability": { "@id": "CVE-2023-5678" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/libcrypto3@3.0.12-r1?arch=amd64" }, { "@id": "pkg:apk/alpine/libssl3@3.0.12-r1?arch=amd64" } ] } ], "status": "fixed" }, { "vulnerability": { "@id": "CVE-2023-6129" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/libcrypto3@3.0.12-r2?arch=amd64" }, { "@id": "pkg:apk/alpine/libssl3@3.0.12-r2?arch=amd64" } ] } ], "status": "fixed" }, { "vulnerability": { "@id": "CVE-2023-6237" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/libcrypto3@3.0.12-r3?arch=amd64" }, { "@id": "pkg:apk/alpine/libssl3@3.0.12-r3?arch=amd64" } ] } ], "status": "fixed" }, { "vulnerability": { "@id": "CVE-2023-29491" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/ncurses-libs@6.3_p20221119-r1?arch=amd64" }, { "@id": "pkg:apk/alpine/ncurses-terminfo-base@6.3_p20221119-r1?arch=amd64" } ] } ], "status": "fixed" }, { "vulnerability": { "@id": "CVE-2023-7104" }, "products": [ { "@id": "pkg:oci/docker.io/library/python:patched", "subcomponents": [ { "@id": "pkg:apk/alpine/sqlite-libs@3.40.1-r1?arch=amd64" } ] } ], "status": "fixed" } ] }