
Adapt pipeline_definition to include SAST linting logs in OCM descriptor #347

Merged

Conversation

aaronfern

@aaronfern aaronfern commented Feb 17, 2025

What this PR does / why we need it:
The PR does the following

  • Changes pipeline_definitions to include SAST linting logs in the OCM descriptor.
  • Fixes some security vulnerabilities.
  • Updates the check make command to run SAST.

Which issue(s) this PR fixes:
Fixes #331

Special notes for your reviewer:

Release note:

NONE

@aaronfern aaronfern requested review from unmarshall and a team as code owners February 17, 2025 10:50
@gardener-robot gardener-robot added the needs/review Needs review label Feb 17, 2025
@gardener-robot-ci-3

This PR proposes changes that would break the pipeline definition:

autoscaler-sast-ocm: Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/concourse/replicator.py", line 141, in render
    definition_descriptor = self._render(definition_descriptor)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/concourse/replicator.py", line 185, in _render
    'definition': factory.create_pipeline_definition(),
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/concourse/factory.py", line 88, in create_pipeline_definition
    self._apply_traits(variant)
  File "/usr/lib/python3.12/site-packages/concourse/factory.py", line 177, in _apply_traits
    transformer.process_pipeline_args(pipeline_def)
  File "/usr/lib/python3.12/site-packages/concourse/model/traits/release.py", line 520, in process_pipeline_args
    raise ValueError(textwrap.dedent(f'''\
ValueError: asset=BuildstepLogAsset(ocm_labels=[{'name': 'gardener.cloud/purposes', 'value': ['lint', 'sast', 'gosec']}, {'name': 'gardener.cloud/comment', 'value': 'we use gosec (linter) for SAST scans\nsee: https://github.com/securego/gosec\n'}], type='build-step-log', name='check-build-step-log', step_name='check', artefact_type='application/data', artefact_extra_id={}, purposes=['lint', 'sast', 'gosec'], comment='we use gosec (linter) for SAST scans\nsee: https://github.com/securego/gosec\n', upload_as_github_asset=True, github_asset_name=None)'s step_name refers to an absent build-step. If the step in question is
declared branch-specifically, i.e. via `branch.cfg`, and the current branch is
going to be merged with a branch declaring the pipeline step, this error can be
safely ignored, iff the branch is transient only (not used for release).


@gardener-robot gardener-robot added the size/s Size of pull request is small (see gardener-robot robot/bots/size.py) label Feb 17, 2025
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Feb 17, 2025
@gardener-robot

@unmarshall You have an open pull request review invite, please check.


@ashwani2k ashwani2k left a comment


Looks good to me. I ran the report and, with the gosec ignore annotation set, the issues reported were zero.
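The gosec finding and the `#nosec` ignore annotation discussed in this thread, as an added example that is not code from this PR or from the machine-controller-manager-provider repository. It shows the G304 pattern gosec reports (a file path taken from a variable), the hardened form that confines the path to a base directory, and a justified suppression of the residual hit so that a re-scan reports zero issues without hiding the reason. Function names, the config-directory layout and the sample file are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a caller-supplied path would escape baseDir.
var ErrOutsideBase = errors.New("path escapes base directory")

// readConfigUnsafe is the pattern gosec reports as G304 ("file inclusion via
// variable"): the path is used exactly as supplied, so a value such as
// "../../etc/passwd" reads that file. Kept only to show what the finding
// looks like; the safe path below does not call it.
func readConfigUnsafe(path string) ([]byte, error) {
	return os.ReadFile(path) // gosec G304 fires here
}

// safeJoin resolves rel beneath baseDir and rejects any result outside it.
// filepath.Join cleans the result (collapsing ".." segments) and filepath.Rel
// then shows whether the cleaned path still sits under base. The check is
// lexical: a symlink inside baseDir can still point outside it, so callers
// that must defend against that should also apply filepath.EvalSymlinks.
func safeJoin(baseDir, rel string) (string, error) {
	base := filepath.Clean(baseDir)
	joined := filepath.Join(base, rel)
	r, err := filepath.Rel(base, joined)
	if err != nil || r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// readConfigSafe is the hardened form. The path is confined to baseDir first;
// the remaining G304 hit on os.ReadFile is then suppressed with a "#nosec"
// annotation that names the rule and states why it is safe, so the reason
// survives review and future scans.
func readConfigSafe(baseDir, rel string) ([]byte, error) {
	p, err := safeJoin(baseDir, rel)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p) // #nosec G304 -- p is confined to baseDir by safeJoin
}

func main() {
	// Constructed sample input: a temporary config directory holding one file.
	dir, err := os.MkdirTemp("", "sast-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "app.yaml"), []byte("replicas: 3\n"), 0o600); err != nil {
		panic(err)
	}

	for _, rel := range []string{"app.yaml", "../app.yaml", "sub/../app.yaml"} {
		b, err := readConfigSafe(dir, rel)
		if err != nil {
			fmt.Printf("%-16s rejected: %v\n", rel, err)
			continue
		}
		fmt.Printf("%-16s read %d bytes\n", rel, len(b))
	}
}
```

Running `gosec ./...` over this file reports G304 for readConfigUnsafe and nothing for readConfigSafe; deleting the `#nosec` comment brings the second hit back, which is the quick way to confirm the annotation is the only thing silencing it.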

@gardener-robot-ci-2

The pipeline-definition has been fixed.

@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Mar 2, 2025
@gardener-robot-ci-1 gardener-robot-ci-1 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Mar 2, 2025

@ashwani2k ashwani2k left a comment


Looks good to me.

@aaronfern aaronfern merged commit 6f0899e into gardener:machine-controller-manager-provider Mar 3, 2025
10 checks passed
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Mar 3, 2025
Labels
needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/review Needs review size/s Size of pull request is small (see gardener-robot robot/bots/size.py) status/closed Issue is closed (either delivered or triaged)
Development

Successfully merging this pull request may close these issues.

Introduce gosec for Static Application Security Testing (SAST)
6 participants