From f06258364b9695e435e1e30c343b1f36036524de Mon Sep 17 00:00:00 2001
From: Eugene Ivantsov
Date: Wed, 31 Jul 2024 01:27:07 +0000
Subject: [PATCH] Merged in CLIP-1907-update-skuk-threshold (pull request #176)

Update snyk threshold for ubi tags

* Update snyk threshold for ubi tags

Approved-by: Yifei Zhang
---
.snyk | 19 -------------------
bitbucket-pipelines.yml | 10 ++++++++++
bitbucket-pipelines.yml.j2 | 7 +++++++
pipelines-generator.py | 1 +
4 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/.snyk b/.snyk
index b855289..f8a9252 100644
--- a/.snyk
+++ b/.snyk
@@ -2,22 +2,3 @@
# Un-comment everything below this line to enable.
# version: v1.19.0
-
-# According to https://access.redhat.com/security/cve/cve-2024-2961#Mitigation ubi tags aren't vulnerable
-ignore:
- SNYK-RHEL9-PYTHON3SETUPTOOLS-7547262:
- - '*':
- reason: Waiting for a fix
- expires: 2024-09-01T00:00:00.000Z
- SNYK-RHEL9-PYTHON3SETUPTOOLSWHEEL-7547266:
- - '*':
- reason: Waiting for a fix
- expires: 2024-09-01T00:00:00.000Z
- SNYK-RHEL9-PYTHON3LIBS-6675303:
- - '*':
- reason: Waiting for a fix
- expires: 2024-09-01T00:00:00.000Z
- SNYK-RHEL9-PYTHON3-6675327:
- - '*':
- reason: Waiting for a fix
- expires: 2024-09-01T00:00:00.000Z
diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml
index 0584d7f..524b5dc 100644
--- a/bitbucket-pipelines.yml
+++ b/bitbucket-pipelines.yml
@@ -956,6 +956,7 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ - export SEV_THRESHOLD=critical
- >
python /usr/src/app/make-releases.py \
--update \
@@ -983,6 +984,7 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ - export SEV_THRESHOLD=critical
- >
python /usr/src/app/make-releases.py \
--update \
@@ -1010,6 +1012,7 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ - export SEV_THRESHOLD=critical
- >
python /usr/src/app/make-releases.py \
--update \
@@ -1037,6 +1040,7 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ - export SEV_THRESHOLD=critical
- >
python /usr/src/app/make-releases.py \
--update \
@@ -1064,6 +1068,7 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ - export SEV_THRESHOLD=critical
- >
python /usr/src/app/make-releases.py \
--update \
@@ -1091,6 +1096,7 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ - export SEV_THRESHOLD=critical
- >
python /usr/src/app/make-releases.py \
--update \
@@ -1118,6 +1124,7 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ - export SEV_THRESHOLD=critical
- >
python /usr/src/app/make-releases.py \
--update \
@@ -1145,6 +1152,7 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ - export SEV_THRESHOLD=critical
- >
python /usr/src/app/make-releases.py \
--update \
@@ -1232,6 +1240,7 @@ pipelines:
- export CONFLUENCE_VERSION="8.9.4" # remove it after 9.0.0 is out
- docker build --build-arg CONFLUENCE_VERSION=${CONFLUENCE_VERSION} -t test-image-ubi . -f Dockerfile.ubi
- export IS_RELEASE=false
+ - export SEV_THRESHOLD=critical
- /usr/src/app/post_build.sh test-image-ubi $IS_RELEASE
custom:
@@ -1371,6 +1380,7 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ - export SEV_THRESHOLD=critical
- >
python /usr/src/app/make-releases.py \
--create \
diff --git a/bitbucket-pipelines.yml.j2 b/bitbucket-pipelines.yml.j2
index 79f836b..46767ac 100644
--- a/bitbucket-pipelines.yml.j2
+++ b/bitbucket-pipelines.yml.j2
@@ -39,6 +39,9 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ {% if appdata.snyk_threshold is defined %}
+ - export SEV_THRESHOLD={{ appdata.snyk_threshold }}
+ {% endif %}
- >
python /usr/src/app/make-releases.py \
--update \
@@ -138,6 +141,7 @@ pipelines:
- export CONFLUENCE_VERSION="8.9.4" # remove it after 9.0.0 is out
- docker build --build-arg CONFLUENCE_VERSION=${CONFLUENCE_VERSION} -t test-image-ubi . -f Dockerfile.ubi
- export IS_RELEASE=false
+ - export SEV_THRESHOLD=critical
- /usr/src/app/post_build.sh test-image-ubi $IS_RELEASE
custom:
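Review bot: The new `export SEV_THRESHOLD={{ appdata.snyk_threshold }}` in the @@ -39 hunk (and its twin at @@ -161) relaxes the scan gate for every tag of an image family, whereas the four .snyk ignores this commit deletes were scoped to named advisories and each carried a reason and an `expires:` date; nothing in the template records why the gate is relaxed or when it should return to the default. I would keep that rationale beside the line, e.g. `{# snyk_threshold relaxes the Snyk gate for this image family only; record the ticket and a revisit date on the image entry in pipelines-generator.py #}`. The @@ -138 hunk hard-codes `export SEV_THRESHOLD=critical` for the test-image-ubi step instead of reading `appdata.snyk_threshold`, so the per-image setting and the test step can diverge; if `appdata` is in scope there, the same `{% if appdata.snyk_threshold is defined %}` guard would keep them consistent. Where SEV_THRESHOLD is consumed (make-releases.py and post_build.sh) is outside this diff, so whether an unset variable falls back to a stricter default cannot be confirmed here. The same exported line is repeated in every bitbucket-pipelines.yml hunk, presumably regenerated from this template.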
@@ -161,6 +165,9 @@ pipelines:
- for i in {1..3}; do echo ${DOCKER_BOT_PASSWORD} | docker login ${DOCKER_REGISTRY} --username ${DOCKER_BOT_USERNAME} --password-stdin && break || sleep 5; done; if [ $? -ne 0 ]; then echo "Failed to login to container registry after 3 attempts" && exit 1; fi
- docker buildx create --name container --driver docker-container --use
- docker buildx ls
+ {% if appdata.snyk_threshold is defined %}
+ - export SEV_THRESHOLD={{ appdata.snyk_threshold }}
+ {% endif %}
- >
python /usr/src/app/make-releases.py \
--create \
diff --git a/pipelines-generator.py b/pipelines-generator.py
index 5e68a7d..f0de62e 100755
--- a/pipelines-generator.py
+++ b/pipelines-generator.py
@@ -54,6 +54,7 @@ images = {
'tag_suffixes': ['ubi9','ubi9-jdk17'],
'dockerfile': 'Dockerfile.ubi',
'docker_repos': REPOS,
+ 'snyk_threshold': 'critical'
}
},
}
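Review bot: The new `'snyk_threshold': 'critical'` entry in `images` is a free-form string with no trailing comma and no note on what it controls, and the template only checks that the key is defined, so a misspelled value would be exported into `SEV_THRESHOLD` unchecked and surface only when the scanner rejects it. I would write it as `'snyk_threshold': 'critical',  # min Snyk severity that fails the build for these tags; exported as SEV_THRESHOLD by the pipeline template` and, if the generator validates image entries anywhere, reject values outside the set the scanner accepts. The deleted .snyk ignores carried an expiry date while this key has none, so the comment is also the natural place for a revisit date. The enclosing `images` dict starts before the hunk and is not visible here.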