build kubectl and cni plugins from source if vuln found in the base i…

…mage (#4253)

Signed-off-by: zhangzujian <[email protected]>

.github/workflows/build-arm64-image.yaml

@@ -39,8 +39,10 @@ jobs:
           check-latest: true
           cache: false
 
-      - name: Export Go full version
-        run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV"
+      - name: Setup environment variables
+        run: |
+          echo "TAG=$(cat VERSION)" >> "$GITHUB_ENV"
+          echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV"
 
       - name: Go Cache
         uses: actions/cache@v4
@@ -51,6 +53,46 @@ jobs:
           key: ${{ runner.os }}-${{ env.GO_FULL_VER }}-arm64-${{ hashFiles('**/go.sum') }}
           restore-keys: ${{ runner.os }}-${{ env.GO_FULL_VER }}-arm64-
 
+      - name: Scan base image
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: image
+          scanners: vuln
+          image-ref: docker.io/kubeovn/kube-ovn-base:${{ env.TAG }}
+          format: json
+          output: trivy-result.json
+          ignore-unfixed: true
+          trivyignores: .trivyignore
+          vuln-type: library
+
+      - name: Build kubectl and CNI plugins from source
+        run: |
+          cat trivy-result.json
+          dockerfile=${{ github.workspace }}/dist/images/Dockerfile
+          export GOBIN=`dirname "$dockerfile"`
+          jq -r '.Results[] | select((.Type=="gobinary") and (.Vulnerabilities!=null)) | .Target' trivy-result.json | while read f; do
+            bin=`basename $f`
+            case $bin in
+              loopback|macvlan)
+                echo "Building $bin from source..."
+                sh -c "cd .. && go install -v -mod=mod github.com/containernetworking/plugins/plugins/main/$bin"
+                echo "COPY $bin /$f" >> "$dockerfile"
+                ;;
+              portmap)
+                echo "Building $bin from source..."
+                sh -c "cd .. && go install -v -mod=mod github.com/containernetworking/plugins/plugins/meta/$bin"
+                echo "COPY $bin /$f" >> "$dockerfile"
+                ;;
+              kubectl)
+                echo "Building $bin from source..."
+                go install -v -mod=mod k8s.io/kubernetes/cmd/kubectl
+                echo "COPY $bin /$f" >> "$dockerfile"
+                ;;
+              *)
+                ;;
+            esac
+          done
+
       - name: Build
         run: make release-arm
 

.github/workflows/build-x86-image.yaml

@@ -148,8 +148,10 @@ jobs:
           check-latest: true
           cache: false
 
-      - name: Export Go full version
-        run: echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV"
+      - name: Setup environment variables
+        run: |
+          echo "TAG=$(cat VERSION)" >> "$GITHUB_ENV"
+          echo "GO_FULL_VER=$(go env GOVERSION)" >> "$GITHUB_ENV"
 
       - name: Go cache
         uses: actions/cache@v4
@@ -182,7 +184,10 @@ jobs:
 
       - name: Load base images
         if: needs.build-kube-ovn-base.outputs.build-base == 1
-        run: docker load --input image-amd64.tar
+        run: |
+          docker load --input image-amd64.tar
+          docker tag kubeovn/kube-ovn-base:$TAG-amd64 kubeovn/kube-ovn-base:$TAG
+          docker tag kubeovn/kube-ovn-base:$TAG-debug-amd64 kubeovn/kube-ovn-base:$TAG-debug
 
       - name: Download dpdk base images
         if: needs.build-kube-ovn-dpdk-base.outputs.build-dpdk-base == 1
@@ -192,17 +197,56 @@ jobs:
 
       - name: Load dpdk base images
         if: needs.build-kube-ovn-dpdk-base.outputs.build-dpdk-base == 1
-        run: docker load --input image-amd64-dpdk.tar
+        run: |
+          docker load --input image-amd64-dpdk.tar
+          docker tag kubeovn/kube-ovn-base:$TAG-amd64-dpdk kubeovn/kube-ovn-base:$TAG-dpdk
+
+      - name: Scan base image
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: image
+          scanners: vuln
+          image-ref: docker.io/kubeovn/kube-ovn-base:${{ env.TAG }}
+          format: json
+          output: trivy-result.json
+          ignore-unfixed: true
+          trivyignores: .trivyignore
+          vuln-type: library
+
+      - name: Build kubectl and CNI plugins from source
+        run: |
+          cat trivy-result.json
+          dockerfile=${{ github.workspace }}/dist/images/Dockerfile
+          export GOBIN=`dirname "$dockerfile"`
+          jq -r '.Results[] | select((.Type=="gobinary") and (.Vulnerabilities!=null)) | .Target' trivy-result.json | while read f; do
+            bin=`basename $f`
+            case $bin in
+              loopback|macvlan)
+                echo "Building $bin from source..."
+                sh -c "cd .. && go install -v -mod=mod github.com/containernetworking/plugins/plugins/main/$bin"
+                echo "COPY $bin /$f" >> "$dockerfile"
+                ;;
+              portmap)
+                echo "Building $bin from source..."
+                sh -c "cd .. && go install -v -mod=mod github.com/containernetworking/plugins/plugins/meta/$bin"
+                echo "COPY $bin /$f" >> "$dockerfile"
+                ;;
+              kubectl)
+                echo "Building $bin from source..."
+                go install -v -mod=mod k8s.io/kubernetes/cmd/kubectl
+                echo "COPY $bin /$f" >> "$dockerfile"
+                ;;
+              *)
+                ;;
+            esac
+          done
 
       - name: Build
         run: |
           go mod tidy
-          git diff --exit-code
+          git diff --exit-code go.mod go.sum
           make lint
           if [ ${{ needs.build-kube-ovn-base.outputs.build-base || 0 }} = 1 ]; then
-            TAG=$(cat VERSION)
-            docker tag kubeovn/kube-ovn-base:$TAG-amd64 kubeovn/kube-ovn-base:$TAG
-            docker tag kubeovn/kube-ovn-base:$TAG-debug-amd64 kubeovn/kube-ovn-base:$TAG-debug
             make build-kube-ovn
           else
             make image-kube-ovn
@@ -212,8 +256,6 @@ jobs:
       - name: Build dpdk
         run: |
           if [ ${{ needs.build-kube-ovn-dpdk-base.outputs.build-dpdk-base || 0 }} = 1 ]; then
-            TAG=$(cat VERSION)
-            docker tag kubeovn/kube-ovn-base:$TAG-amd64-dpdk kubeovn/kube-ovn-base:$TAG-dpdk
             make build-kube-ovn-dpdk
           else
             make image-kube-ovn-dpdk

go.mod

@@ -33,15 +33,15 @@ require (
 	github.com/scylladb/go-set v1.0.2
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/vishvananda/netlink v1.2.1-beta.2
 	go.uber.org/mock v0.4.0
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 	golang.org/x/mod v0.19.0
 	golang.org/x/sys v0.22.0
 	golang.org/x/time v0.5.0
-	google.golang.org/grpc v1.64.0
-	google.golang.org/protobuf v1.34.1
+	google.golang.org/grpc v1.65.0
+	google.golang.org/protobuf v1.34.2
 	gopkg.in/k8snetworkplumbingwg/multus-cni.v4 v4.0.2
 	k8s.io/api v0.27.14
 	k8s.io/apimachinery v0.27.14
@@ -57,11 +57,10 @@ require (
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
-	github.com/cenk/hub v1.0.1 // indirect
-	github.com/cenkalti/hub v1.0.1 // indirect
-	github.com/cenkalti/rpc2 v0.0.0-20210604223624-c1acbc6ec984 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/containerd/cgroups/v3 v3.0.2 // indirect
+	github.com/cenkalti/hub v1.0.2 // indirect
+	github.com/cenkalti/rpc2 v1.0.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/containerd/cgroups/v3 v3.0.3 // indirect
 	github.com/containerd/errdefs v0.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/coreos/prometheus-operator v0.38.0 // indirect
@@ -77,14 +76,14 @@ require (
 	github.com/go-kit/kit v0.12.0 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/glog v1.2.0 // indirect
+	github.com/golang/glog v1.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/mock v1.6.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -137,7 +136,6 @@ require (
 	github.com/spf13/cast v1.5.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/viper v1.16.0 // indirect
-	github.com/stretchr/objx v0.5.1 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	go.opencensus.io v0.24.0 // indirect
@@ -151,7 +149,7 @@ require (
 	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/tools v0.22.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect