test: Change target for container vuln scanning tests #343
Conversation
Signed-off-by: Darren Murray <[email protected]>
Signed-off-by: Darren Murray <[email protected]>
Signed-off-by: Darren Murray <[email protected]>
Signed-off-by: Darren Murray <[email protected]>
| @@ -0,0 +1 @@ | |||
| FROM node:latest | |||
There was a problem hiding this comment.
Pin this version instead of using latest
There was a problem hiding this comment.
Wait, the latest Node container is dirty?!!! 😮
There was a problem hiding this comment.
Yup, quick and easy way to get a vulnerable container. Just add NPM.
scripts/prepare_test_resources.sh
Outdated
|
|
||
| build_dirty() { | ||
| echo "building dirty container" | ||
| docker build --no-cache -f "integration/test_resources/vuln_scan/dirty.Dockerfile" -t techallylw/test-cli-dirty . |
There was a problem hiding this comment.
No need for --no-cache on this one
| @@ -224,6 +228,7 @@ workflows: | |||
| branches: | |||
| only: main | |||
| jobs: | |||
| - prepare-test-resources | |||
There was a problem hiding this comment.
Do we only want to run this on nightly?
| tag1 = "ubuntu-1804" | ||
| tag2 = "debian-10" | ||
| registry = "index.docker.io" | ||
| cleanRepository = "techallylw/test-cli-clean" |
There was a problem hiding this comment.
How so you are using the clean docker image? I see it does have one vulnerability:
Two questions:
- Shouldn't we need to assert that the clean image has NO vulnerabilities? (but it does 🤔)
- Shouldn't we be using the dirty image here instead?
There was a problem hiding this comment.
Only if the tests expect vulns we should use dirty container. It was vuln free initially. Having something guaranteed to be vuln free will be difficult. Best we can do is hope that patches happen quickly for new CVE's. Perhaps there's a base image with a focus on quickly patching new cve's?
There was a problem hiding this comment.
But you're right for 1 of the tests that rely on the assessment output from this scan expect vulns. So we should switch to to the dirty container.
Signed-off-by: Darren Murray <[email protected]>
Signed-off-by: Darren Murray <[email protected]>
Replace scan target container in vuln scanning integration tests
Add job to build and push test resources
Signed-off-by: Darren Murray [email protected]