docs: use table instead of list for Snyk scans #10141

Merged (3 commits), Aug 17, 2022
492 changes: 492 additions & 0 deletions docs/snyk/v2.2.12/haproxy:2.0.29-alpine.html
492 changes: 492 additions & 0 deletions docs/snyk/v2.2.12/redis:6.2.7-alpine.html
492 changes: 492 additions & 0 deletions docs/snyk/v2.3.7/haproxy:2.0.29-alpine.html
492 changes: 492 additions & 0 deletions docs/snyk/v2.3.7/redis:6.2.7-alpine.html
492 changes: 492 additions & 0 deletions docs/snyk/v2.4.8/haproxy:2.0.29-alpine.html
492 changes: 492 additions & 0 deletions docs/snyk/v2.4.8/redis:7.0.4-alpine.html

45 changes: 25 additions & 20 deletions hack/snyk-report.sh
Expand Up @@ -66,23 +66,27 @@ for version in $versions; do
# || [ $? == 1 ] ignores errors due to vulnerabilities.
snyk test --all-projects --exclude=docs,site,ui-test --org=argoproj --policy-path=.snyk --sarif-file-output=/tmp/argocd-test.sarif --json-file-output=/tmp/argocd-test.json || [ $? == 1 ]
snyk-to-html -i /tmp/argocd-test.json -o "$argocd_dir/docs/snyk/$version/argocd-test.html"
printf '%s' "* [dependencies (golang and JavaScript)]($version/argocd-test.html) — " >> "$argocd_dir/docs/snyk/index.md"
{ echo "| | Critical | High | Medium | Low |"
echo "|---:|:--------:|:----:|:------:|:---:|"
} >> "$argocd_dir/docs/snyk/index.md"
jq 'map(
{
# Collect all the vulnerabilities severities. Group by id to avoid double-counting.
severity: (.vulnerabilities | group_by(.id) | map(.[0])[].severity),
displayTargetFile: (.displayTargetFile)
}
)
# Group by target file (e.g. go.mod) so we can see where the vulnerabilities are.
| group_by(.displayTargetFile)
| map(
.[0].displayTargetFile
+ ": \(map(select(.severity == "critical")) | length) critical, "
+ "\(map(select(.severity == "high")) | length) high, "
+ "\(map(select(.severity == "medium")) | length) medium, "
+ "\(map(select(.severity == "low")) | length) low")
| join("; ")' -r /tmp/argocd-test.json >> "$argocd_dir/docs/snyk/index.md"
{
# Collect all the vulnerabilities severities. Group by id to avoid double-counting.
severity: (.vulnerabilities | group_by(.id) | map(.[0])[].severity),
displayTargetFile: (.displayTargetFile)
}
)
# Hack to make sure even if there are no vulnerabilities, a row is added to the table.
+ [{displayTargetFile: "go.mod"}, {displayTargetFile: "ui/yarn.lock"}]
# Group by target file (e.g. go.mod) so we can see where the vulnerabilities are.
| group_by(.displayTargetFile)
| map(
"| [\(.[0].displayTargetFile)](\($version)/argocd-test.html) "
+ "| \(map(select(.severity == "critical")) | length) "
+ "| \(map(select(.severity == "high")) | length) "
+ "| \(map(select(.severity == "medium")) | length) "
+ "| \(map(select(.severity == "low")) | length) |")
| join("\n")' --arg version "$version" -r /tmp/argocd-test.json >> "$argocd_dir/docs/snyk/index.md"


images=$(grep 'image: ' manifests/install.yaml manifests/namespace-install.yaml manifests/ha/install.yaml | sed 's/.*image: //' | sort | uniq)
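Review bot: the placeholder rows added with `+ [{displayTargetFile: "go.mod"}, {displayTargetFile: "ui/yarn.lock"}]` hard-code the set of manifests, and the strings must match Snyk's `displayTargetFile` values exactly: a mismatch (or a project that `--all-projects` discovers later) lands in its own `group_by(.displayTargetFile)` bucket and produces an extra zero-count row next to the real one, while a project not in the list gets no row at all when it has zero findings. The empty-project case only exists because `severity: (.vulnerabilities | group_by(.id) | map(.[0])[].severity)` explodes a generator inside the object constructor, so a project with no vulnerabilities yields no object; computing the per-project counts from `.vulnerabilities` first (one object per project, counts inside it) would remove the need for the hack entirely. Minor: the `--arg version "$version"` / `\($version)` pairing is correct for a single-quoted jq program, but a one-line comment would save the next reader from mistaking `$version` for a shell expansion, and the header row `|---:|` right-aligns the name column, which is probably not intended.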
Expand All @@ -101,7 +105,7 @@ for version in $versions; do

snyk-to-html -i "/tmp/${image//[\/:]/_}.json" -o "$argocd_dir/docs/snyk/$version/${image//[\/:]/_}.html"

printf '%s' "* [(image) $image]($version/${image//[\/:]/_}.html) " >> "$argocd_dir/docs/snyk/index.md"
printf '%s' "| [${image/*\//}]($version/${image//[\/:]/_}.html) | " >> "$argocd_dir/docs/snyk/index.md"

# Add severity counts to index.
jq '[
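Review bot: `${image/*\//}` in the new printf line strips everything up to the last `/`, so the registry and namespace disappear from the table; two images that share a repository name but come from different registries would be indistinguishable in index.md even though their report paths (`${image//[\/:]/_}.html`) still differ. Keep the full reference somewhere visible (link text, or an extra column) rather than relying on the href. Also note that `${image/*\//}` is bash pattern substitution, not POSIX sh, so this only works while the script keeps a bash shebang (not visible in this hunk).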
Expand All @@ -111,18 +115,19 @@ for version in $versions; do
# Get the severity of the first vulnerability in the group (should be the same for every item in the group).
| map(.[0])[].severity
# Construct a summary using the counts of each severity level.
] | "\(map(select(. == "critical")) | length) critical, \(map(select(. == "high")) | length) high, \(map(select(. == "medium")) | length) medium, \(map(select(. == "low")) | length) low"' -r "/tmp/${image//\//_}.json" >> "$argocd_dir/docs/snyk/index.md"
] | "\(map(select(. == "critical")) | length) | \(map(select(. == "high")) | length) | \(map(select(. == "medium")) | length) | \(map(select(. == "low")) | length) |"
' -r "/tmp/${image//[\/:]/_}.json" >> "$argocd_dir/docs/snyk/index.md"
done <<< "$images"

# || [ $? == 1 ] ignores errors due to vulnerabilities.
snyk iac test manifests/install.yaml --org=argoproj --policy-path=.snyk --sarif-file-output=/tmp/argocd-iac-install.sarif --json-file-output=/tmp/argocd-iac-install.json || [ $? == 1 ]
snyk-to-html -i /tmp/argocd-iac-install.json -o "$argocd_dir/docs/snyk/$version/argocd-iac-install.html"
echo "* [(IaC) manifests/install.yaml]($version/argocd-iac-install.html)" >> "$argocd_dir/docs/snyk/index.md"
echo "| [install.yaml]($version/argocd-iac-install.html) | - | - | - | - |" >> "$argocd_dir/docs/snyk/index.md"

# || [ $? == 1 ] ignores errors due to vulnerabilities.
snyk iac test manifests/namespace-install.yaml --org=argoproj --policy-path=.snyk --sarif-file-output=/tmp/argocd-iac-namespace-install.sarif --json-file-output=/tmp/argocd-iac-namespace-install.json || [ $? == 1 ]
snyk-to-html -i /tmp/argocd-iac-namespace-install.json -o "$argocd_dir/docs/snyk/$version/argocd-iac-namespace-install.html"
echo "* [(IaC) manifests/namespace-install.yaml]($version/argocd-iac-namespace-install.html)" >> "$argocd_dir/docs/snyk/index.md"
echo "| [namespace-install.yaml]($version/argocd-iac-namespace-install.html) | - | - | - | - |" >> "$argocd_dir/docs/snyk/index.md"
done

# clean up
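Review bot: the jq input path on the image rows changes from `/tmp/${image//\//_}.json` to `/tmp/${image//[\/:]/_}.json`; that is a genuine fix (the old pattern left the `:` in the filename, so it could not have been the same file that `snyk-to-html -i "/tmp/${image//[\/:]/_}.json"` reads in the previous hunk), but it is unrelated to the table conversion and should be called out in the commit message so it is not lost as a formatting change. Separately, the IaC rows `| [install.yaml](...) | - | - | - | - |` and `| [namespace-install.yaml](...) | - | - | - | - |` give a reader no way to tell whether `-` means "not counted" or zero; either say so in the index or derive the counts from the IaC JSON the same way the image rows do.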
2 changes: 1 addition & 1 deletion manifests/ha/base/redis-ha/chart/upstream.yaml
Expand Up @@ -1303,7 +1303,7 @@ spec:
{}

- name: split-brain-fix
image: redis:7.0.0-alpine
image: redis:7.0.4-alpine
imagePullPolicy: IfNotPresent
command:
- sh
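Review bot: `redis:7.0.4-alpine` is still a mutable tag, and this PR commits a Snyk scan of exactly that tag (docs/snyk/v2.4.8/redis:7.0.4-alpine.html); the published counts are only meaningful if the image cannot change underneath them, so consider pinning with a `@sha256:` digest alongside the tag, or note in the docs that the tag is re-scanned on every report run. Also confirm that the chart's main redis container moved to the same tag; only the `split-brain-fix` sidecar is visible in this hunk.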
2 changes: 1 addition & 1 deletion manifests/ha/install.yaml
Expand Up @@ -12009,7 +12009,7 @@ spec:
value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
- name: SENTINEL_ID_2
value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
image: redis:7.0.0-alpine
image: redis:7.0.4-alpine
imagePullPolicy: IfNotPresent
name: split-brain-fix
resources: {}
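Review bot: confirm this hunk is regenerated output rather than a hand edit: manifests/ha/install.yaml is produced from manifests/ha/base/redis-ha/chart/upstream.yaml by the repo's manifest generation (make manifests), and while the change here matches the upstream.yaml hunk above (`redis:7.0.0-alpine` to `redis:7.0.4-alpine`), a hand-edited copy will show up as a spurious diff the next time the manifests are rebuilt.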
2 changes: 1 addition & 1 deletion manifests/ha/namespace-install.yaml
Expand Up @@ -2714,7 +2714,7 @@ spec:
value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
- name: SENTINEL_ID_2
value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
image: redis:7.0.0-alpine
image: redis:7.0.4-alpine
imagePullPolicy: IfNotPresent
name: split-brain-fix
resources: {}
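Review bot: the HA manifests now agree on `redis:7.0.4-alpine`, but this PR only touches the HA variants; the report script also scans the non-HA manifests/install.yaml and manifests/namespace-install.yaml (see the `images=$(grep 'image: ' manifests/install.yaml manifests/namespace-install.yaml manifests/ha/install.yaml ...)` line in hack/snyk-report.sh), so check that their redis tag matches, otherwise the index will list two redis versions for one release.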