Pin Grype db for tests #120 #119

merged 10 commits into from Sep 13, 2021
6 changes: 5 additions & 1 deletion .github/workflows/test.yml
Expand Up @@ -36,9 +36,13 @@ jobs:
for distro in alpine centos debian; do
docker buildx imagetools inspect localhost:5000/match-coverage/$distro:latest
done
- run: |
echo Downloading a pinned Grype DB for testing...
mkdir -p grype-db/3
curl -sL https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v3_2021-09-10T08:18:17Z.tar.gz | tar zxf - -C grype-db/3
- run: npm ci
- run: npm audit --production
- run: npm test
- run: GRYPE_DB_AUTO_UPDATE=false GRYPE_DB_CACHE_DIR=./grype-db npm test

functional:
runs-on: ubuntu-latest
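Review bot: The new `curl -sL … | tar zxf -` step pins the Grype DB by filename only, with no integrity check, so the test fixture is whatever the server returns for that URL at run time rather than the exact 2021-09-10 snapshot the pin intends, and a truncated or altered download is caught only if tar happens to choke on it. Grype's DB listing publishes a checksum per archive; fetching to a file and verifying it before extracting — `curl -fsSL -o grype-db.tar.gz <URL as on this line>`, `echo "<EXPECTED_SHA256 from the listing>  grype-db.tar.gz" | sha256sum -c -`, `tar zxf grype-db.tar.gz -C grype-db/3` — makes the pin reproducible and fails loudly when it is not. `-f` also turns an HTTP error into a failed step instead of piping an error body into tar, and since this `run:` block does not set `shell: bash`, pipefail is presumably not enabled, so a curl failure on its own would not fail the step either.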
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -115,6 +115,9 @@ typings/
/venv/*
/tests/functional/__pycache__/*

# grype db for tests
/grype-db

# Action temporary files
results.sarif
vulnerabilities.json
4 changes: 2 additions & 2 deletions .jest/setEnvVars.js
@@ -1,2 +1,2 @@
process.env['RUNNER_TOOL_CACHE'] = '/tmp/actions/cache';
process.env['RUNNER_TEMP'] = '/tmp/actions/temp';
process.env["RUNNER_TOOL_CACHE"] = "/tmp/actions/cache";
process.env["RUNNER_TEMP"] = "/tmp/actions/temp";
12 changes: 6 additions & 6 deletions README.md
Expand Up @@ -51,7 +51,7 @@ The simplest workflow for scanning a `localbuild/testimage` container:
load: true

- name: Scan image
uses: anchore/scan-action@v2
uses: anchore/scan-action@v3
with:
image: "localbuild/testimage:latest"
```
Expand All @@ -62,7 +62,7 @@ To scan a directory, add the following step:

```yaml
- name: Scan current project
uses: anchore/scan-action@v2
uses: anchore/scan-action@v3
with:
path: "."
```
Expand All @@ -77,7 +77,7 @@ With a different severity level:

```yaml
- name: Scan image
uses: anchore/scan-action@v2
uses: anchore/scan-action@v3
with:
image: "localbuild/testimage:latest"
fail-build: true
Expand All @@ -88,7 +88,7 @@ Optionally, change the `fail-build` field to `false` to avoid failing the build

```yaml
- name: Scan image
uses: anchore/scan-action@v2
uses: anchore/scan-action@v3
with:
image: "localbuild/testimage:latest"
fail-build: false
Expand Down Expand Up @@ -127,7 +127,7 @@ jobs:
- uses: actions/checkout@v2
- name: Build the container image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- uses: anchore/scan-action@v2
- uses: anchore/scan-action@v3
with:
image: "localbuild/testimage:latest"
fail-build: true
Expand All @@ -147,7 +147,7 @@ jobs:
- uses: actions/checkout@v2
- name: Build the Container image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- uses: anchore/scan-action@v2
- uses: anchore/scan-action@v3
id: scan
with:
image: "localbuild/testimage:latest"
36 changes: 26 additions & 10 deletions dist/index.js
Expand Up @@ -9,6 +9,7 @@ const cache = __webpack_require__(784);
const core = __webpack_require__(186);
const { exec } = __webpack_require__(514);
const fs = __webpack_require__(747);
const stream = __webpack_require__(413);

const grypeBinary = "grype";
const grypeVersion = "0.17.0";
Expand Down Expand Up @@ -502,21 +503,36 @@ async function runScan({
cmdArgs.push(severityCutoff.toLowerCase());
}
cmdArgs.push(source);
const cmdOpts = {};
cmdOpts.listeners = {
stdout: (data = Buffer) => {
cmdOutput += data.toString();

// This /dev/null writable stream is required so the entire Grype output
// is not written to the GitHub action log. the listener below
// will actually capture the output
const outStream = new stream.Writable({
write(buffer, encoding, next) {
next();
},
};
});

cmdOpts.ignoreReturnCode = true;
const cmdOpts = {
ignoreReturnCode: true,
outStream,
listeners: {
stdout: (data = Buffer) => {
cmdOutput += data.toString();
},
},
};

core.info("\nAnalyzing: " + source);

const exitCode = await core.group("Grype Output", () => {
core.info(`Executing: ${cmd} ` + cmdArgs.join(" "));
return exec(cmd, cmdArgs, cmdOpts);
});
core.info(`Executing: ${cmd} ` + cmdArgs.join(" "));

const exitCode = await exec(cmd, cmdArgs, cmdOpts);

if (core.isDebug()) {
core.debug("Grype output:");
core.debug(cmdOutput);
}

let grypeVulnerabilities = JSON.parse(cmdOutput);

36 changes: 26 additions & 10 deletions index.js
Expand Up @@ -2,6 +2,7 @@ const cache = require("@actions/tool-cache");
const core = require("@actions/core");
const { exec } = require("@actions/exec");
const fs = require("fs");
const stream = require("stream");

const grypeBinary = "grype";
const grypeVersion = "0.17.0";
Expand Down Expand Up @@ -495,21 +496,36 @@ async function runScan({
cmdArgs.push(severityCutoff.toLowerCase());
}
cmdArgs.push(source);
const cmdOpts = {};
cmdOpts.listeners = {
stdout: (data = Buffer) => {
cmdOutput += data.toString();

// This /dev/null writable stream is required so the entire Grype output
// is not written to the GitHub action log. the listener below
// will actually capture the output
const outStream = new stream.Writable({
write(buffer, encoding, next) {
next();
},
};
});

cmdOpts.ignoreReturnCode = true;
const cmdOpts = {
ignoreReturnCode: true,
outStream,
listeners: {
stdout: (data = Buffer) => {
cmdOutput += data.toString();
},
},
};

core.info("\nAnalyzing: " + source);

const exitCode = await core.group("Grype Output", () => {
core.info(`Executing: ${cmd} ` + cmdArgs.join(" "));
return exec(cmd, cmdArgs, cmdOpts);
});
core.info(`Executing: ${cmd} ` + cmdArgs.join(" "));

const exitCode = await exec(cmd, cmdArgs, cmdOpts);

if (core.isDebug()) {
core.debug("Grype output:");
core.debug(cmdOutput);
}

let grypeVulnerabilities = JSON.parse(cmdOutput);

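Review bot: `JSON.parse(cmdOutput)` at the end of the hunk runs straight after `exec` with `ignoreReturnCode: true`, so when Grype exits non-zero without emitting a report (a failed DB load is exactly the case this PR's pinned DB is meant to avoid) the step dies with a bare SyntaxError and the exit code is lost; a non-zero code is presumably expected when the severity cutoff pushed above is met, so the check belongs around the parse rather than on the exit code alone. The rewrite below reports the exit code and whether any stdout was captured; `errStream` is left at its default, so Grype's stderr presumably still reaches the action log where the underlying cause can be read. Separately, `stdout: (data = Buffer) =>` gives the listener a default parameter equal to the Buffer constructor, which is meaningless — `stdout: (data) =>` is what is intended. runScan continues outside the hunk, and dist/index.js carries the same lines as the built copy.
```javascript
const exitCode = await exec(cmd, cmdArgs, cmdOpts);

// … unchanged: debug logging of cmdOutput …

let grypeVulnerabilities;
try {
  grypeVulnerabilities = JSON.parse(cmdOutput);
} catch (err) {
  throw new Error(
    `Grype exited with code ${exitCode} and produced no parseable JSON report` +
      (cmdOutput.length === 0 ? " (stdout was empty)" : `: ${err.message}`)
  );
}
```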
1 change: 0 additions & 1 deletion jest.config.js
Expand Up @@ -2,5 +2,4 @@ module.exports = {
setupFiles: ["<rootDir>/.jest/setEnvVars.js"],
verbose: true,
testPathIgnorePatterns: ["action.test.js"],
reporters: [["jest-summary-reporter", { failuresOnly: false }]],
};
9 changes: 0 additions & 9 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -10,6 +10,7 @@
"scripts": {
"lint": "eslint index.js",
"test": "eslint index.js && jest",
"update-snapshots": "eslint index.js && jest --updateSnapshot",
"build": "ncc build ./index.js",
"precommit": "pretty-quick --staged && npm run build && git add dist/",
"prettier": "prettier -w index.js"
Expand Down Expand Up @@ -40,7 +41,6 @@
"eslint": "^6.8.0",
"husky": "^3.1.0",
"jest": "^25.5.4",
"jest-summary-reporter": "0.0.2",
"prettier": "^2.3.2",
"pretty-quick": "^3.1.1"
}