From 22831f642feb01871ec5f36006030bbdbec75add Mon Sep 17 00:00:00 2001 From: Brett Tofel Date: Wed, 18 Oct 2023 22:07:02 +0200 Subject: [PATCH 1/5] Add static FIPS compliance checking via external Calls the check-payload (currently works with 0.3.1-10-ge7b7392f-dirty version) github.com/openshift/check-payload.git --- cmd/index/bundles/command.go | 186 +++++++++++++++++++++++++++++++--- docs/DEV_GUIDE_ACTIONS.md | 28 +++++ docs/DEV_GUIDE_ADDING_CMDS.md | 115 +++++++++++++++++++++ docs/DEV_GUIDE_CUSTOM.md | 47 +++++++++ docs/DEV_GUIDE_EXT_TOOLS.md | 40 ++++++++ docs/DEV_GUIDE_MODELS.md | 8 ++ docs/DEV_GUIDE_VALIDATION.md | 10 ++ pkg/actions/run_scorecard.go | 4 +- pkg/reports/bundles/flags.go | 25 ++--- 9 files changed, 436 insertions(+), 27 deletions(-) create mode 100644 docs/DEV_GUIDE_ACTIONS.md create mode 100644 docs/DEV_GUIDE_ADDING_CMDS.md create mode 100644 docs/DEV_GUIDE_CUSTOM.md create mode 100644 docs/DEV_GUIDE_EXT_TOOLS.md create mode 100644 docs/DEV_GUIDE_MODELS.md create mode 100644 docs/DEV_GUIDE_VALIDATION.md diff --git a/cmd/index/bundles/command.go b/cmd/index/bundles/command.go index 22617946..526a6d52 100644 --- a/cmd/index/bundles/command.go +++ b/cmd/index/bundles/command.go @@ -21,6 +21,7 @@ import ( "fmt" "io" "os" + "os/exec" "strings" "github.com/operator-framework/audit/pkg/actions" @@ -28,7 +29,7 @@ import ( "github.com/spf13/cobra" - // To allow create connection to query the index database + // For connecting to query the legacy index database _ "github.com/mattn/go-sqlite3" "github.com/operator-framework/api/pkg/operators/v1alpha1" log "github.com/sirupsen/logrus" @@ -76,7 +77,8 @@ By running this command audit tool will: if err := cmd.MarkFlagRequired("index-image"); err != nil { log.Fatalf("Failed to mark `index-image` flag for `index` sub-command as required") } - + cmd.Flags().BoolVar(&flags.StaticCheckFIPSCompliance, "static-check-fips-compliance", false, + "If set, the tool will perform a static check for FIPS compliance on all bundle images.") cmd.Flags().StringVar(&flags.Filter, "filter", "", "filter by the packages names which are like *filter*") cmd.Flags().StringVar(&flags.OutputFormat, "output", pkg.JSON, @@ -107,6 +109,128 @@ By running this command audit tool will: return cmd } +// CheckFIPSAnnotations searches for variants of the FIPS annotations. +func CheckFIPSAnnotations(csv *v1alpha1.ClusterServiceVersion) (bool, error) { + fipsAnnotationPatterns := []string{ + "features.operators.openshift.io/fips-compliant", + "operators.openshift.io/infrastructure-features", + } + + for _, pattern := range fipsAnnotationPatterns { + if value, exists := csv.Annotations[pattern]; exists && + (strings.Contains(value, "fips") || strings.Contains(value, "true")) { + return true, nil + } + } + return false, nil +} + +// ExtractUniqueImageReferences get a unique list of operator image and related images +func ExtractUniqueImageReferences(operatorBundlePath string, csv *v1alpha1.ClusterServiceVersion) ([]string, error) { + var imageRefs []string + // Extract image references from RelatedImages slice + for _, relatedImage := range csv.Spec.RelatedImages { + imageRefs = append(imageRefs, relatedImage.Image) + } + imageRefs = append(imageRefs, operatorBundlePath) + // Remove duplicates + uniqueRefs := removeDuplicates(imageRefs) + return uniqueRefs, nil +} + +func removeDuplicates(elements []string) []string { + encountered := map[string]bool{} + result := []string{} + + for v := range elements { + if !encountered[elements[v]] { + encountered[elements[v]] = true + result = append(result, elements[v]) + } + } + + return result +} + +// ExecuteExternalValidator runs the external validator on the provided image reference. +func ExecuteExternalValidator(imageRef string) (bool, []string, []string, error) { + extValidatorCmd := "check-payload scan operator --spec " + imageRef + " --log_file=/dev/null --output-format=csv" + cmd := exec.Command("bash", "-c", extValidatorCmd) + + // Log the command being executed for debugging purposes + log.Infof("Executing external validator with command: %s", extValidatorCmd) + + output, err := cmd.CombinedOutput() + if err != nil { + return false, nil, nil, err + } + + lines := strings.Split(string(output), "\n") + processingMode := "" // can be "warning", "error", or empty + hasReports := false + + var warnings, errors []string + for _, line := range lines { + if line == "---- Warning Report" { + processingMode = "warning" + hasReports = true + continue + } else if line == "---- Error Report" { + processingMode = "error" + hasReports = true + continue + } else if strings.HasPrefix(line, "Operator Name,Executable Name,Status,Image") { + continue + } + + if processingMode == "" { + continue + } + + columns := strings.Split(line, ",") + if len(columns) < 4 { + continue + } + operatorName, executableName, status, image := columns[0], columns[1], columns[2], columns[3] + if processingMode == "warning" { + warnings = append(warnings, fmt.Sprintf("Warning for Operator '%s', Executable '%s': %s (Image: %s)", + operatorName, executableName, status, image)) + } else if processingMode == "error" { + errors = append(errors, fmt.Sprintf("Error for Operator '%s', Executable '%s': %s (Image: %s)", + operatorName, executableName, status, image)) + } + } + + if !hasReports { + successMessage := fmt.Sprintf("FIPS compliance check passed successfully for image: %s", imageRef) + warnings = append(warnings, successMessage) // or choose a different way to report this success + } + + return true, warnings, errors, nil +} + +// ProcessValidatorResults takes the results from the external validator and appends them to the report data. +func ProcessValidatorResults(success bool, warnings, errors []string, report *index.Data) { + // Create a slice to hold combined errors and warnings + combinedErrors := make([]string, 0) + + // If the external validator fails, append the errors + if !success { + combinedErrors = append(combinedErrors, errors...) + } + + // Prepend warnings with "WARNING:" and append to combinedErrors + for _, warning := range warnings { + combinedErrors = append(combinedErrors, "WARNING: "+warning) + } + + // Assuming there's a mechanism to identify which bundle is being processed + // Here, I'm just using the last bundle in the report as an example + if len(report.AuditBundle) > 0 { + report.AuditBundle[len(report.AuditBundle)-1].Errors = combinedErrors + } +} + func validation(cmd *cobra.Command, args []string) error { if flags.Limit < 0 { @@ -181,22 +305,40 @@ func run(cmd *cobra.Command, args []string) error { // check here to see if it's index.db or file-based catalogs if IsFBC(flags.IndexImage) { - reportData, err = GetDataFromFBC(reportData) + reportData, _ = GetDataFromFBC(reportData) } else { - reportData, err = GetDataFromIndexDB(reportData) - } - if err != nil { - return err + reportData, _ = GetDataFromIndexDB(reportData) } - - log.Info("Generating output...") if err := reportData.OutputReport(); err != nil { return err } - pkg.CleanupTemporaryDirs() log.Info("Operation completed.") + return nil +} +func handleFIPS(operatorBundlePath string, csv *v1alpha1.ClusterServiceVersion, reportData index.Data) error { + isClaimingFIPSCompliant, err := CheckFIPSAnnotations(csv) + if err != nil { + return err + } + if !isClaimingFIPSCompliant { + return nil + } + uniqueImageRefs, err := ExtractUniqueImageReferences(operatorBundlePath, csv) + if err != nil { + return err + } + + for _, imageRef := range uniqueImageRefs { + success, warnings, errors, err := ExecuteExternalValidator(imageRef) + if err != nil { + log.Errorf("Error while executing FIPS compliance check on image: %s. Error: %s", + imageRef, err.Error()) + return err + } + ProcessValidatorResults(success, warnings, errors, &reportData) + } return nil } @@ -236,10 +378,10 @@ func GetDataFromFBC(report index.Data) (index.Data, error) { for _, Bundle := range Channel.Bundles { log.Infof("Generating data from the bundle (%s)", Bundle.Name) auditBundle = models.NewAuditBundle(Bundle.Name, Bundle.Image) - var csvStruct *v1alpha1.ClusterServiceVersion - err := json.Unmarshal([]byte(Bundle.CsvJSON), &csvStruct) + var csv *v1alpha1.ClusterServiceVersion + err := json.Unmarshal([]byte(Bundle.CsvJSON), &csv) if err == nil { - auditBundle.CSVFromIndexDB = csvStruct + auditBundle.CSVFromIndexDB = csv } else { auditBundle.Errors = append(auditBundle.Errors, fmt.Errorf("unable to parse the csv from the index.db: %s", err).Error()) @@ -264,6 +406,24 @@ func GetDataFromFBC(report index.Data) (index.Data, error) { auditBundle.IsHeadOfChannel = true } } + if flags.StaticCheckFIPSCompliance { + err = handleFIPS(auditBundle.OperatorBundleImagePath, csv, report) + if err != nil { + // Check for specific error types and provide more informative messages + if exitError, ok := err.(*exec.ExitError); ok { + if exitError.ExitCode() == 127 { + auditBundle.Errors = append(auditBundle.Errors, + "Failed to run FIPS external validator: Command not found.") + } else { + auditBundle.Errors = append(auditBundle.Errors, + fmt.Sprintf("FIPS external validator returned with exit code %d.", exitError.ExitCode())) + } + } else { + auditBundle.Errors = append(auditBundle.Errors, + fmt.Sprintf("Difficulty running FIPS external validator: %s", err.Error())) + } + } + } report.AuditBundle = append(report.AuditBundle, *auditBundle) } } diff --git a/docs/DEV_GUIDE_ACTIONS.md b/docs/DEV_GUIDE_ACTIONS.md new file mode 100644 index 00000000..87a5cd75 --- /dev/null +++ b/docs/DEV_GUIDE_ACTIONS.md @@ -0,0 +1,28 @@ +## PKG/ACTIONS Directory Run Down + +The `pkg/actions` directory focuses on core actions and functionalities of the audit tool. + +### run_validators.go + +- **RunValidators**: Main function to run various validators. +- **checkBundleAgainstCommonCriteria**: Checks bundles against common criteria. +- **fromOCPValidator**: Related to OCP validation. +- **fromAuditValidatorsBundleSize**: Checks bundle sizes as part of the validation. + +### run_scorecard.go + +- **RunScorecard**: Main function to run the scorecard functionality. +- **writeScorecardConfig**: Writes or updates the configuration for the scorecard. + +### get_bundle.go + +- **GetDataFromBundleImage**: Fetches data from a bundle image. +- **createBundleDir**: Creates a directory for the bundle. +- **extractBundleFromImage**: Extracts bundle data from an image. +- **cleanupBundleDir**: Cleans up the bundle directory after processing. +- **DownloadImage**: Downloads an image for further processing or analysis. + +### extract_index.go + +- **ExtractIndexDBorCatalogs**: Extracts database or catalogs from an index. +- **GetVersionTagFromImage**: Retrieves the version tag from an image. diff --git a/docs/DEV_GUIDE_ADDING_CMDS.md b/docs/DEV_GUIDE_ADDING_CMDS.md new file mode 100644 index 00000000..e760d79d --- /dev/null +++ b/docs/DEV_GUIDE_ADDING_CMDS.md @@ -0,0 +1,115 @@ +# Commands and Sub-Commands Development Guide + +This section of the development guide focuses on understanding, adding, and modifying commands and sub-commands within +the audit tool. By following the described patterns, developers can seamlessly introduce new functionalities. + +## Adding a New Primary Command + +1. **Define Your Command**: + Begin by defining your command structure using the `cobra.Command` type, including: + - `Use`: Command's name. + - `Short`: A brief description. + - `Long`: An extended description. + + Example from the `audit-tool`: + ```go + rootCmd := &cobra.Command{ + Use: "audit-tool", + Short: "An analytic tool to audit operator bundles and index catalogs", + Long: "The audit is an analytic tool which uses the Operator Framework solutions ...", + } + ``` + +2. **Add Sub-Commands (if necessary)**: + For embedding sub-commands to your main command, employ the `AddCommand` method. As observed in the `audit-tool`, + sub-commands like `index` and `custom` are integrated as: + ```go + rootCmd.AddCommand(index.NewCmd()) + rootCmd.AddCommand(custom.NewCmd()) + ``` + +3. **Execute the Command**: + Ensure the primary command's execution in the `main` function: + ```go + if err := rootCmd.Execute(); err != nil { + log.Fatal(err) + } + ``` + +## Tutorial: Add a Sub-Command to the `index` Command + +The `index` command has sub-commands like `bundles` and `eus`. To introduce a new sub-command: + +1. **Create a Sub-directory**: + Organize by creating a sub-directory within `index`. Name it as per your sub-command. E.g., for a sub-command + named `sample`, formulate a `sample` directory. + +2. **Define Your Sub-Command**: + In this directory, create a `command.go` file and define your sub-command structure: + ```go + package sample + + import ( + "github.com/spf13/cobra" + ) + + func NewCmd() *cobra.Command { + cmd := &cobra.Command{ + Use: "sample", + Short: "Short description of sample", + Long: "Detailed description of sample...", + } + return cmd + } + ``` + +3. **Add Flags (optional)**: + For flag additions to your sub-command, utilize the `Flags` method. For instance, to integrate a `--test` flag: + ```go + cmd.Flags().BoolP("test", "t", false, "Description of test flag") + ``` + +4. **Integrate Sub-Command**: + Navigate back to the `main.go` of `index` and add your new sub-command: + ```go + indexCmd.AddCommand(sample.NewCmd()) + ``` + +--- + +## Adding Flags with parameters to the `sample` Sub-Command + +Flags offer flexibility to commands by allowing users to specify options or provide additional input. Here, we'll delve +into adding both boolean flags and flags that accept parameters to the `sample` sub-command. + +1. **Boolean Flag**: + A flag that signifies a simple `true` or `false` option. + + Example: Adding a `--test` flag to the `sample` sub-command: + ```go + cmd.Flags().BoolP("test", "t", false, "Description of test flag") + ``` + Use: `audit-tool index sample --test` + +2. **Flag with Parameter**: + A flag that necessitates an accompanying value. + + Example: Introducing a `--input` flag which requires a string parameter: + ```go + cmd.Flags().StringP("input", "i", "", "Provide input data for the sample command") + ``` + Use: `audit-tool index sample --input "This is sample input"` + +3. **Utilize Flag Parameters in Command Logic**: + To harness the values provided through flags, use the `cmd.Flag("flag-name").Value.String()` method. + + Example: Using the `--input` flag's value within the `sample` sub-command: + ```go + var input string = cmd.Flag("input").Value.String() + if input != "" { + fmt.Println("Received input:", input) + } else { + fmt.Println("No input provided.") + } + ``` + This code snippet checks if the `--input` flag has been provided a value, and if so, it prints the received input. diff --git a/docs/DEV_GUIDE_CUSTOM.md b/docs/DEV_GUIDE_CUSTOM.md new file mode 100644 index 00000000..53aa0d59 --- /dev/null +++ b/docs/DEV_GUIDE_CUSTOM.md @@ -0,0 +1,47 @@ +## CUSTOM Directory Run Down + +The `custom` directory focuses on providing specific functionalities that are tailored to the unique requirements of the +audit tool. These functionalities are organized as sub-commands, each having its own directory. + +### NewCmd + +This function initializes the overarching command for the 'custom' functionalities. It sets up the primary CLI structure +for the custom operations, guiding users to its specific sub-commands. + +### Subdirectories: + +Each subdirectory represents a specific custom functionality or operation. Here are the details: + +#### validator + +- **NewCmd**: This function sets up the command structure for the 'validator' functionality. It provides a brief + description to the user about its purpose and defines available flags and options. +- **validation**: This function validates the provided flags and arguments specific to the 'validator' operation. It + ensures that necessary inputs are present and correctly formatted. +- **run**: This function drives the core logic of the 'validator' functionality, making necessary calls to validate the + data as per the defined criteria. + +#### deprecate + +- **NewCmd**: This function initializes the command for the 'deprecate' functionality, defining its purpose and + available flags. +- **validation**: This function checks the provided flags and arguments to ensure they align with the 'deprecate' + operation requirements. +- **run**: This function manages the 'deprecate' operation, handling the necessary steps to mark certain data as + deprecated. + +#### qa + +- **NewCmd**: This function sets up the command for the 'qa' functionality, providing a brief description and defining + the available flags. +- **validation**: This function validates user input, ensuring it matches the criteria set for the 'qa' operation. +- **run**: This function handles the 'qa' operation, performing quality assurance checks on the provided data. + +#### multiarch + +- **NewCmd**: This function initializes the command for the 'multiarch' functionality. It provides a description and + lists available flags for the user. +- **validation**: This function checks the flags and arguments to ensure they fit the 'multiarch' operation's + requirements. +- **run**: This function manages the 'multiarch' functionality, handling operations and checks related to multiple + architectures. diff --git a/docs/DEV_GUIDE_EXT_TOOLS.md b/docs/DEV_GUIDE_EXT_TOOLS.md new file mode 100644 index 00000000..aa3a4f10 --- /dev/null +++ b/docs/DEV_GUIDE_EXT_TOOLS.md @@ -0,0 +1,40 @@ +# External Tool Integration in the Audit Tool + +This document showcases how external tools have been integrated into the Audit Tool. By examining these specific +implementations, developers can gain insights into adding similar integrations in the future. + +## `operator-sdk` Integration + +1. **Tool Purpose**: The `operator-sdk` tool assists in building, testing, and deploying Operator projects. +2. **Invocation in the Audit Tool**: The binary is invoked in the audit tool via system command calls. For instance: + ```go + cmd := exec.Command("operator-sdk", "bundle", "validate", "--select-optional", "suite=operatorframework") + ``` +3. **Handling Results**: Output and errors from the tool are captured and processed. For example: + ```go + output, err := cmd.CombinedOutput() + if err != nil { + log.Errorf("operator-sdk validation failed: %s", output) + } + ``` + +## `check-payload` Integration + +1. **Tool Purpose**: The `check-payload` tool scans operator images to ensure compliance with specific standards. +2. **Invocation in the Audit Tool**: The binary is invoked similarly to the `operator-sdk`, but with different + arguments: + ```go + cmd := exec.Command("/path/to/check-payload", "scan", "operator", "--spec", imageRef) + ``` +3. **Handling Results**: Output, warnings, and errors from this tool are captured and processed. Here's an example of + how these results can be processed and incorporated into the audit tool's report: + ```go + output, err := cmd.CombinedOutput() + if err != nil { + // Handle error, potentially adding it to the report + } else { + // Process the output and distinguish between warnings and errors + // Add warnings and errors to the report as appropriate + } + ``` + diff --git a/docs/DEV_GUIDE_MODELS.md b/docs/DEV_GUIDE_MODELS.md new file mode 100644 index 00000000..2bd70ec8 --- /dev/null +++ b/docs/DEV_GUIDE_MODELS.md @@ -0,0 +1,8 @@ +## PKG/MODELS Directory Run Down + +The `pkg/models` directory contains data structures or models that provide a representation of the core entities within +the system. + +### bundle.go + +- **AuditBundle**: Represents the model for an audit bundle. diff --git a/docs/DEV_GUIDE_VALIDATION.md b/docs/DEV_GUIDE_VALIDATION.md new file mode 100644 index 00000000..e0d409de --- /dev/null +++ b/docs/DEV_GUIDE_VALIDATION.md @@ -0,0 +1,10 @@ +## PKG/VALIDATION Directory Run Down + +The `pkg/validation` directory contains code related to validation checks and functionalities within the application. + +### bundle_size.go + +- **validateBundleSizeValidator**: A function related to validating the size of a bundle. +- **validateBundleSize**: Function focused on bundle size validation. +- **checkBundleSize**: Checks the size of a bundle. +- **formatBytesInUnit**: Utility function to format bytes into a specific unit (e.g., KB, MB). diff --git a/pkg/actions/run_scorecard.go b/pkg/actions/run_scorecard.go index b44f627f..543eb4d0 100644 --- a/pkg/actions/run_scorecard.go +++ b/pkg/actions/run_scorecard.go @@ -41,7 +41,7 @@ func RunScorecard(bundleDir string, auditBundle *models.AuditBundle) *models.Aud scorecardTestsPath := filepath.Join(bundleDir, "tests", "scorecard") annotationsPath := filepath.Join(bundleDir, "metadata", "annotations.yaml") - // If find the annotations file then, check for the scorecard path on it. + // If we find the annotations file then, check for the scorecard path on it. if _, err := os.Stat(annotationsPath); err == nil && !os.IsNotExist(err) { annFile, err := pkg.ReadFile(annotationsPath) if err != nil { @@ -63,7 +63,7 @@ func RunScorecard(bundleDir string, auditBundle *models.AuditBundle) *models.Aud } } - // Check if has scorecard manifests + // Check if it has scorecard manifests if _, err := os.Stat(scorecardTestsPath); err != nil { if os.IsNotExist(err) { if err := os.MkdirAll(scorecardTestsPath, os.ModePerm); err != nil { diff --git a/pkg/reports/bundles/flags.go b/pkg/reports/bundles/flags.go index 86b86119..7c99d6a3 100644 --- a/pkg/reports/bundles/flags.go +++ b/pkg/reports/bundles/flags.go @@ -16,16 +16,17 @@ package bundles // BindFlags define the flags used to generate the bundle report type BindFlags struct { - IndexImage string `json:"image"` - Limit int32 `json:"limit"` - HeadOnly bool `json:"headOnly"` - DisableScorecard bool `json:"disableScorecard"` - DisableValidators bool `json:"disableValidators"` - ServerMode bool `json:"serverMode"` - Label string `json:"label"` - LabelValue string `json:"labelValue"` - Filter string `json:"filter"` - OutputPath string `json:"outputPath"` - OutputFormat string `json:"outputFormat"` - ContainerEngine string `json:"containerEngine"` + IndexImage string `json:"image"` + Limit int32 `json:"limit"` + HeadOnly bool `json:"headOnly"` + DisableScorecard bool `json:"disableScorecard"` + DisableValidators bool `json:"disableValidators"` + StaticCheckFIPSCompliance bool `json:"staticCheckFIPSCompliance"` + ServerMode bool `json:"serverMode"` + Label string `json:"label"` + LabelValue string `json:"labelValue"` + Filter string `json:"filter"` + OutputPath string `json:"outputPath"` + OutputFormat string `json:"outputFormat"` + ContainerEngine string `json:"containerEngine"` } From d2530a7f55aae27245ceb6e6f05d6b1af555880e Mon Sep 17 00:00:00 2001 From: Brett Tofel Date: Thu, 2 Nov 2023 18:05:17 +0100 Subject: [PATCH 2/5] Call check-payload as root b/c podman mount --- cmd/index/bundles/command.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/index/bundles/command.go b/cmd/index/bundles/command.go index 526a6d52..a186b04b 100644 --- a/cmd/index/bundles/command.go +++ b/cmd/index/bundles/command.go @@ -154,7 +154,7 @@ func removeDuplicates(elements []string) []string { // ExecuteExternalValidator runs the external validator on the provided image reference. func ExecuteExternalValidator(imageRef string) (bool, []string, []string, error) { - extValidatorCmd := "check-payload scan operator --spec " + imageRef + " --log_file=/dev/null --output-format=csv" + extValidatorCmd := "sudo check-payload scan operator --spec " + imageRef + " --log_file=/dev/null --output-format=csv" cmd := exec.Command("bash", "-c", extValidatorCmd) // Log the command being executed for debugging purposes From 6a330e8c597fb701c29f7ce0e3e58c6e76c77aba Mon Sep 17 00:00:00 2001 From: Brett Tofel Date: Tue, 7 Nov 2023 16:06:43 +0100 Subject: [PATCH 3/5] rmi image that check-payload downloads --- cmd/index/bundles/command.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cmd/index/bundles/command.go b/cmd/index/bundles/command.go index a186b04b..80b2d06b 100644 --- a/cmd/index/bundles/command.go +++ b/cmd/index/bundles/command.go @@ -160,6 +160,11 @@ func ExecuteExternalValidator(imageRef string) (bool, []string, []string, error) // Log the command being executed for debugging purposes log.Infof("Executing external validator with command: %s", extValidatorCmd) + // Remove the image that check-payload has downloaded using the rmi command + log.Infof("Removing image with command: %s rmi %s", flags.ContainerEngine, imageRef) + rmiCmd := exec.Command(flags.ContainerEngine, "rmi", imageRef) + _, _ = pkg.RunCommand(rmiCmd) + output, err := cmd.CombinedOutput() if err != nil { return false, nil, nil, err From 8822a9cc57856673f3bfba25522907682e738ba0 Mon Sep 17 00:00:00 2001 From: Brett Tofel Date: Tue, 7 Nov 2023 19:00:51 +0100 Subject: [PATCH 4/5] fips checks for head bundles only --- cmd/index/bundles/command.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/index/bundles/command.go b/cmd/index/bundles/command.go index 80b2d06b..b15b0777 100644 --- a/cmd/index/bundles/command.go +++ b/cmd/index/bundles/command.go @@ -411,7 +411,7 @@ func GetDataFromFBC(report index.Data) (index.Data, error) { auditBundle.IsHeadOfChannel = true } } - if flags.StaticCheckFIPSCompliance { + if flags.StaticCheckFIPSCompliance && auditBundle.IsHeadOfChannel { err = handleFIPS(auditBundle.OperatorBundleImagePath, csv, report) if err != nil { // Check for specific error types and provide more informative messages From b19b63ee4fbf1847aa181e7b00879bb7cc4e8883 Mon Sep 17 00:00:00 2001 From: Brett Tofel Date: Thu, 9 Nov 2023 17:01:46 +0100 Subject: [PATCH 5/5] Revert "fips checks for head bundles only" This reverts commit 8822a9cc57856673f3bfba25522907682e738ba0. --- cmd/index/bundles/command.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/index/bundles/command.go b/cmd/index/bundles/command.go index b15b0777..80b2d06b 100644 --- a/cmd/index/bundles/command.go +++ b/cmd/index/bundles/command.go @@ -411,7 +411,7 @@ func GetDataFromFBC(report index.Data) (index.Data, error) { auditBundle.IsHeadOfChannel = true } } - if flags.StaticCheckFIPSCompliance && auditBundle.IsHeadOfChannel { + if flags.StaticCheckFIPSCompliance { err = handleFIPS(auditBundle.OperatorBundleImagePath, csv, report) if err != nil { // Check for specific error types and provide more informative messages