etcd icon indicating copy to clipboard operation
etcd copied to clipboard

Published 20 hours ago verified publisher icon etcd-io

Add image scan script

Open ivanvc opened this issue 7 months ago • 13 comments

Introduce a new script that can run on stable branches that checks the vulnerabilities for the latest tag (from the given branch).

Adds Trivy as a tool dependency, to keep track of the latest released version.

A periodic Prow job will later execute this. We'll get alerts when a CVE is found in our images, either by a direct vulnerability or for a dependency with a reported vulnerability of high or critical severity.

Part of #19363.

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

ivanvc avatar Apr 26 '25 06:04 ivanvc

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ivanvc Once this PR has been reviewed and has the lgtm label, please assign spzala for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Apr 26 '25 06:04 k8s-ci-robot

Oof, inconsistent dependencies. I'll draft and will undraft once I address those :sweat_smile:.

ivanvc avatar Apr 26 '25 07:04 ivanvc

/test pull-etcd-verify

ivanvc avatar Apr 27 '25 04:04 ivanvc

Adding Trivy as a tool bumped many indirect dependencies, resulting in changes to many go.mods.

ivanvc avatar Apr 27 '25 04:04 ivanvc

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 68.78%. Comparing base (4fec4ca) to head (6461725). :warning: Report is 797 commits behind head on main.

Additional details and impacted files

see 21 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #19804      +/-   ##
==========================================
- Coverage   68.86%   68.78%   -0.08%     
==========================================
  Files         421      421              
  Lines       35863    35858       -5     
==========================================
- Hits        24696    24664      -32     
- Misses       9746     9764      +18     
- Partials     1421     1430       +9

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update aa8238f...6461725. Read the comment docs.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov[bot] avatar Apr 27 '25 05:04 codecov[bot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Apr 27 '25 11:04 k8s-ci-robot

My understanding is that you only introduce a new dependency on github.com/aquasecurity/trivy, could you move unrelated dependencies bumping into a separate PR to make this PR easier to review?

ahrtr avatar Apr 28 '25 10:04 ahrtr

My understanding is that you only introduce a new dependency on github.com/aquasecurity/trivy, could you move unrelated dependencies bumping into a separate PR to make this PR easier to review?

I opened https://github.com/etcd-io/etcd/pull/19819.

But I wonder if it makes more sense to open a pull request to only bump the existing dependencies without introducing Trivy. Let me know, and I can do that instead.

Edit: I opened #19821, which does the latter.

ivanvc avatar Apr 28 '25 22:04 ivanvc

@ivanvc Probably I did not say it clearly in my previous comment.

Adding dependency github.com/aquasecurity/trivy is OK, because it's required for the image scan script. It's OK to do both things (see below) in one PR,

  • Add dependency github.com/aquasecurity/trivy
  • Add image scan script

But I see that you bumped many other dependencies as well in this PR. Can you move all other dependencies bumping into a separate PR?

ahrtr avatar Apr 29 '25 08:04 ahrtr

@ahrtr, then, please take a look at #19821.

I'll close #19819, then.

ivanvc avatar Apr 29 '25 22:04 ivanvc

Please rebase this PR.

ahrtr avatar May 01 '25 17:05 ahrtr

I'll get back to this shortly. I'm a bit busy and reconsidering how we'll implement this in the stable release branches. Either way, the trivy dependency is required, so it's good that we bumped the indirect dependencies.

ivanvc avatar May 07 '25 16:05 ivanvc

@ivanvc: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci-etcd-robustness-release36-amd64 6461725759aeb09321550866c01f438008e3236d link true /test ci-etcd-robustness-release36-amd64
ci-etcd-robustness-release35-amd64 6461725759aeb09321550866c01f438008e3236d link true /test ci-etcd-robustness-release35-amd64
ci-etcd-robustness-release34-amd64 6461725759aeb09321550866c01f438008e3236d link true /test ci-etcd-robustness-release34-amd64
pull-etcd-govulncheck-main 6461725759aeb09321550866c01f438008e3236d link true /test pull-etcd-govulncheck-main
pull-etcd-govulncheck 6461725759aeb09321550866c01f438008e3236d link true /test pull-etcd-govulncheck

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

k8s-ci-robot avatar Aug 26 '25 10:08 k8s-ci-robot