test: Change target for container vuln scanning tests #343
Conversation
Signed-off-by: Darren Murray <[email protected]>
@@ -0,0 +1 @@ | |||
FROM node:latest |
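Review bot: `FROM node:latest` makes this dirty image unreproducible, since every `docker build` pulls whatever `node:latest` currently resolves to and the set of findings the integration tests see can change with no change to this repo. Pin the base by tag and digest (`FROM node:<tag>@sha256:<digest>`) so the scan target is the same image on every run and a test failure points at the CLI or the scanner rather than at Docker Hub.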
Pin this version instead of using latest
Wait, the latest Node container is dirty?!!! 😮
Yup, quick and easy way to get a vulnerable container. Just add NPM.
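One way to enforce the pinning asked for in this thread, as an added example that is not code from this repository: a shell check that flags any `FROM` line not pinned to a digest, and a helper that rewrites an unpinned `FROM` to `image:tag@digest`. The sample Dockerfile, the tag `16.13.0-bullseye` and the value of `PLACEHOLDER_DIGEST` are constructed for illustration; the digest is a placeholder, not a real node image digest.

```shell
#!/bin/sh
# Added example, not code from the lacework-cli repo: a check that every FROM
# line in a Dockerfile is pinned to an image digest, plus a helper that rewrites
# an unpinned FROM line to image:tag@digest. The sample Dockerfile, the tag
# 16.13.0-bullseye and PLACEHOLDER_DIGEST below are constructed for illustration;
# the digest is not a real node image digest.

# 64 hex characters of placeholder, not a real digest.
PLACEHOLDER_DIGEST='sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# check_pinned_from FILE
# Prints every base image that is not pinned and returns 1 if any was found,
# 0 otherwise. "Pinned" means the reference ends in @sha256:<hex>: a tag such
# as node:latest (or node:16) can change under a build, a digest cannot.
check_pinned_from() {
  awk '
    toupper($1) == "FROM" {
      img = $2
      if (img ~ /^--/) img = $3            # skip a --platform=... flag
      if (img == "scratch") next           # scratch has nothing to pin
      if (img !~ /@sha256:[0-9a-f]+$/) { print "unpinned: " img; n++ }
    }
    END { exit (n > 0) }
  ' "$1"
}

# pin_base_image FILE IMAGE TAG DIGEST
# Rewrites "FROM IMAGE[:tag][@digest] ..." to "FROM IMAGE:TAG@DIGEST ..." in
# place, keeping any "AS name" suffix. For a tag you have already pulled, the
# digest comes from:  docker inspect --format '{{index .RepoDigests 0}}' IMAGE:TAG
# Caveat: the image name is compared after stripping everything from the first
# ':' or '@', so registries with a port (host:5000/img) are not handled.
pin_base_image() {
  file="$1" image="$2" tag="$3" digest="$4"
  awk -v image="$image" -v pinned="${image}:${tag}@${digest}" '
    toupper($1) == "FROM" {
      i = ($2 ~ /^--/) ? 3 : 2
      name = $i
      sub(/[:@].*$/, "", name)
      if (name == image) $i = pinned       # reassigning a field normalises spacing on this line
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# write_sample_dockerfile FILE
# Constructed sample mirroring the unpinned dirty.Dockerfile from this PR.
write_sample_dockerfile() {
  cat > "$1" <<'EOF'
# constructed sample, not the repo's file
FROM node:latest
RUN npm install -g npm
EOF
}

# Demo: flag the unpinned file, pin it, check again.
demo_dir=$(mktemp -d)
write_sample_dockerfile "$demo_dir/dirty.Dockerfile"
if check_pinned_from "$demo_dir/dirty.Dockerfile"; then
  echo "already pinned"
else
  pin_base_image "$demo_dir/dirty.Dockerfile" node 16.13.0-bullseye "$PLACEHOLDER_DIGEST"
  check_pinned_from "$demo_dir/dirty.Dockerfile" && cat "$demo_dir/dirty.Dockerfile"
fi
rm -rf "$demo_dir"
```

Running `check_pinned_from` on each Dockerfile under `integration/test_resources/` before `docker build` in `prepare_test_resources.sh` turns "pin this version" into something CI enforces rather than something a reviewer has to notice; the digest only needs refreshing when you deliberately want the dirty image to pick up a newer base.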
scripts/prepare_test_resources.sh
build_dirty() { | ||
echo "building dirty container" | ||
docker build --no-cache -f "integration/test_resources/vuln_scan/dirty.Dockerfile" -t techallylw/test-cli-dirty . |
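Review bot: `--no-cache` is unnecessary in `build_dirty` and does not do what it may be intended to do here: it only disables layer-cache reuse, it does not force a fresh pull of the base image (that is `--pull`), and with an unpinned base the content will drift on its own anyway. Drop the flag, and tag the result explicitly (`-t techallylw/test-cli-dirty:<tag>`) instead of relying on the implicit `latest`, so the integration tests can refer to a known build of the dirty image.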
No need for --no-cache on this one
@@ -224,6 +228,7 @@ workflows: | |||
branches: | |||
only: main | |||
jobs: | |||
- prepare-test-resources |
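Review bot: `prepare-test-resources` is added to a workflow filtered to `branches: only: main`, so a pull request that changes `dirty.Dockerfile` or `prepare_test_resources.sh` will still scan whichever `techallylw/test-cli-*` image was last pushed from `main`, not one built from its own changes. If that is the intent (rebuild and push only from `main`), say so in a comment next to the job; otherwise run a build-only variant of the job (no push) in the PR workflow as well.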
Do we only want to run this on nightly?
tag1 = "ubuntu-1804" | ||
tag2 = "debian-10" | ||
registry = "index.docker.io" | ||
cleanRepository = "techallylw/test-cli-clean" |
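Review bot: `cleanRepository = "techallylw/test-cli-clean"` is the scan target here, yet per the discussion on this PR at least one test that reads the assessment output expects vulnerabilities, and a "clean" image cannot be kept free of findings once new CVEs are published against its packages. Point the tests that assert on findings at the dirty repository, and for the clean image assert only that the scan completes (or stays under a threshold), never that the count is zero. `tag1 = "ubuntu-1804"` and `tag2 = "debian-10"` are also mutable tags; logging the digest actually scanned would make a failing run reproducible.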
How come you are using the clean docker image? I see it does have one vulnerability:
Two questions:
- Shouldn't we need to assert that the clean image has NO vulnerabilities? (but it does 🤔)
- Shouldn't we be using the dirty image here instead?
Only if the tests expect vulns should we use the dirty container. It was vuln-free initially. Having something guaranteed to be vuln-free will be difficult. The best we can do is hope that patches happen quickly for new CVEs. Perhaps there's a base image with a focus on quickly patching new CVEs?
But you're right: one of the tests that rely on the assessment output from this scan expects vulns. So we should switch to the dirty container.
Replace scan target container in vuln scanning integration tests
Add job to build and push test resources
Signed-off-by: Darren Murray <[email protected]>