diff --git a/Makefile b/Makefile index 5c3833881748..31c457f0c828 100644 --- a/Makefile +++ b/Makefile @@ -144,6 +144,8 @@ HADOLINT_FAILURE_THRESHOLD = warning SHELLCHECK_VER := v0.9.0 +TRIVY_VER := 0.44.1 + KPROMO_VER := v3.6.0 KPROMO_BIN := kpromo KPROMO := $(abspath $(TOOLS_BIN_DIR)/$(KPROMO_BIN)-$(KPROMO_VER)) @@ -600,7 +602,7 @@ APIDIFF_OLD_COMMIT ?= $(shell git rev-parse origin/main) apidiff: $(GO_APIDIFF) ## Check for API differences $(GO_APIDIFF) $(APIDIFF_OLD_COMMIT) --print-compatible -ALL_VERIFY_CHECKS = doctoc boilerplate shellcheck tiltfile modules gen conversions doctoc capi-book-summary +ALL_VERIFY_CHECKS = licenses boilerplate shellcheck tiltfile modules gen conversions doctoc capi-book-summary .PHONY: verify verify: $(addprefix verify-,$(ALL_VERIFY_CHECKS)) lint-dockerfiles ## Run all verify-* targets @@ -652,7 +654,11 @@ verify-tiltfile: ## Verify Tiltfile format .PHONY: verify-container-images verify-container-images: ## Verify container images - TRACE=$(TRACE) ./hack/verify-container-images.sh + TRACE=$(TRACE) ./hack/verify-container-images.sh $(TRIVY_VER) + +.PHONY: verify-licenses +verify-licenses: ## Verify licenses + TRACE=$(TRACE) ./hack/verify-licenses.sh $(TRIVY_VER) ## -------------------------------------- ## Binaries diff --git a/hack/ensure-trivy.sh b/hack/ensure-trivy.sh new file mode 100644 index 000000000000..c5689b93bcc3 --- /dev/null +++ b/hack/ensure-trivy.sh @@ -0,0 +1,57 @@ +#!/bin/bash + +# Copyright 2023 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +if [[ "${TRACE-0}" == "1" ]]; then + set -o xtrace +fi + +VERSION=${1} + +GO_OS="$(go env GOOS)" +if [[ "${GO_OS}" == "linux" ]]; then + TRIVY_OS="Linux" +elif [[ "${GO_OS}" == "darwin"* ]]; then + TRIVY_OS="macOS" +fi + +GO_ARCH="$(go env GOARCH)" +if [[ "${GO_ARCH}" == "amd" ]]; then + TRIVY_ARCH="32bit" +elif [[ "${GO_ARCH}" == "amd64"* ]]; then + TRIVY_ARCH="64bit" +elif [[ "${GO_ARCH}" == "arm" ]]; then + TRIVY_ARCH="ARM" +elif [[ "${GO_ARCH}" == "arm64" ]]; then + TRIVY_ARCH="ARM64" +fi + +TOOL_BIN=hack/tools/bin +mkdir -p ${TOOL_BIN} + +TRIVY="$(dirname "$0")/tools/bin/trivy/${VERSION}/trivy" + +# Downloads trivy scanner +if [ ! -f "$TRIVY" ]; then + curl -L -o ${TOOL_BIN}/trivy.tar.gz "https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_${TRIVY_OS}-${TRIVY_ARCH}.tar.gz" + mkdir -p "$(dirname "$0")/tools/bin/trivy/${VERSION}" + tar -xf "${TOOL_BIN}/trivy.tar.gz" -C "${TOOL_BIN}/trivy/${VERSION}" + chmod +x "${TOOL_BIN}/trivy/${VERSION}/trivy" + rm "${TOOL_BIN}/trivy.tar.gz" +fi diff --git a/hack/verify-container-images.sh b/hack/verify-container-images.sh index 5d8977a7e9b0..5b33b2e03cbb 100755 --- a/hack/verify-container-images.sh +++ b/hack/verify-container-images.sh @@ -22,48 +22,25 @@ if [[ "${TRACE-0}" == "1" ]]; then set -o xtrace fi -TRIVY_VERSION=0.34.0 +VERSION=${1} -GO_OS="$(go env GOOS)" -if [[ "${GO_OS}" == "linux" ]]; then - TRIVY_OS="Linux" -elif [[ "${GO_OS}" == "darwin"* ]]; then - TRIVY_OS="macOS" -fi - -GO_ARCH="$(go env GOARCH)" -if [[ "${GO_ARCH}" == "amd" ]]; then - TRIVY_ARCH="32bit" -elif [[ "${GO_ARCH}" == "amd64"* ]]; then - TRIVY_ARCH="64bit" -elif [[ "${GO_ARCH}" == "arm" ]]; then - TRIVY_ARCH="ARM" -elif [[ "${GO_ARCH}" == "arm64" ]]; then - TRIVY_ARCH="ARM64" -fi - -TOOL_BIN=hack/tools/bin -mkdir -p ${TOOL_BIN} - -# Downloads trivy scanner -curl -L -o ${TOOL_BIN}/trivy.tar.gz "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_OS}-${TRIVY_ARCH}.tar.gz" +REPO_ROOT=$(git rev-parse --show-toplevel) +source "${REPO_ROOT}/hack/ensure-trivy.sh" -tar -xf "${TOOL_BIN}/trivy.tar.gz" -C "${TOOL_BIN}" trivy -chmod +x ${TOOL_BIN}/trivy -rm ${TOOL_BIN}/trivy.tar.gz +TRIVY="${REPO_ROOT}/hack/tools/bin/trivy/${VERSION}/trivy" # Builds all the container images to be scanned and cleans up changes to ./*manager_image_patch.yaml ./*manager_pull_policy.yaml. make REGISTRY=gcr.io/k8s-staging-cluster-api PULL_POLICY=IfNotPresent TAG=dev docker-build make clean-release-git # Scan the images -${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/clusterctl-"${GO_ARCH}":dev && R1=$? || R1=$? -${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/test-extension-"${GO_ARCH}":dev && R2=$? || R2=$? -${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller-"${GO_ARCH}":dev && R3=$? || R3=$? -${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller-"${GO_ARCH}":dev && R4=$? || R4=$? -${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/cluster-api-controller-"${GO_ARCH}":dev && R5=$? || R5=$? -${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/capd-manager-"${GO_ARCH}":dev && R6=$? || R6=$? -${TOOL_BIN}/trivy image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/capim-manager-"${GO_ARCH}":dev && R6=$? || R6=$? +"${TRIVY}" image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/clusterctl-"${GO_ARCH}":dev && R1=$? || R1=$? +"${TRIVY}" image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/test-extension-"${GO_ARCH}":dev && R2=$? || R2=$? +"${TRIVY}" image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller-"${GO_ARCH}":dev && R3=$? || R3=$? +"${TRIVY}" image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/kubeadm-bootstrap-controller-"${GO_ARCH}":dev && R4=$? || R4=$? +"${TRIVY}" image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/cluster-api-controller-"${GO_ARCH}":dev && R5=$? || R5=$? +"${TRIVY}" image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/capd-manager-"${GO_ARCH}":dev && R6=$? || R6=$? +"${TRIVY}" image -q --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL gcr.io/k8s-staging-cluster-api/capim-manager-"${GO_ARCH}":dev && R6=$? || R6=$? echo "" BRed='\033[1;31m' diff --git a/hack/verify-licenses.sh b/hack/verify-licenses.sh new file mode 100755 index 000000000000..ddc525b05a31 --- /dev/null +++ b/hack/verify-licenses.sh @@ -0,0 +1,32 @@ +#!/bin/bash + +# Copyright 2023 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +if [[ "${TRACE-0}" == "1" ]]; then + set -o xtrace +fi + +VERSION=${1} + +REPO_ROOT=$(git rev-parse --show-toplevel) +source "${REPO_ROOT}/hack/ensure-trivy.sh" + +TRIVY="${REPO_ROOT}/hack/tools/bin/trivy/${VERSION}/trivy" + +$TRIVY filesystem . --license-full --ignored-licenses MPL-2.0 --scanners license --exit-code 1 --severity MEDIUM,HIGH,CRITICAL