From 5270df2d68de8b0469ed2b2e4e600e0d2d67ef96 Mon Sep 17 00:00:00 2001 From: =?utf8?q?C=C3=A9dric=20Ollivier?= Date: Wed, 13 Apr 2022 09:43:21 +0200 Subject: [PATCH] Switch from docker scan to grype MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Docker scan allows only 10 runs per months in LFN conditions. Change-Id: I7b28ffa13946423c610e2bb2b83b5b8f79da3a6e Signed-off-by: Cédric Ollivier --- jjb/functest/functest-kubernetes-ng.yaml | 43 +++++++++++++-------------- jjb/functest/functest-kubernetes.yaml | 43 +++++++++++++-------------- jjb/functest/functest.yaml | 51 +++++++++++++++----------------- jjb/functest/xtesting.yaml | 27 ++++++++--------- 4 files changed, 76 insertions(+), 88 deletions(-) diff --git a/jjb/functest/functest-kubernetes-ng.yaml b/jjb/functest/functest-kubernetes-ng.yaml index 4d04569df..af73197ea 100644 --- a/jjb/functest/functest-kubernetes-ng.yaml +++ b/jjb/functest/functest-kubernetes-ng.yaml @@ -382,17 +382,14 @@ - 'functest-kubernetes-ng-{repo}-{container}-{tag}-trivy' - builder: - name: functest-kubernetes-ng-docker-scan + name: functest-kubernetes-ng-grype builders: - shell: | sudo apt-get -o DPkg::Lock::Timeout=300 update && \ sudo DEBIAN_FRONTEND=noninteractive apt-get \ - -o DPkg::Lock::Timeout=300 install curl docker.io -y + -o DPkg::Lock::Timeout=300 install curl -y - mkdir -p ~/.docker/cli-plugins && \ - curl https://github.com/docker/scan-cli-plugin/releases/latest/download/docker-scan_linux_amd64 \ - -L -s -S -o ~/.docker/cli-plugins/docker-scan &&\ - chmod +x ~/.docker/cli-plugins/docker-scan + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b . if [ "{repo}" = "_" ]; then image={container}:{tag} elif [ "{port}" = "None" ]; then 
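Review bot: The added `curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b .` line executes whatever is currently on the `main` branch as root on every scheduled run, with no pinned release and no integrity check on the script itself. Fetch the installer from a fixed tag or commit instead, compare it against a checksum kept in this repository before running it, and pass an explicit grype release to it so the scanner version is reproducible. Dropping `sudo` from the install step would also limit the impact of a tampered script, since `-b .` only needs to write to the current directory. The same line is added to the builders in functest-kubernetes.yaml (there without `sudo`), functest.yaml and xtesting.yaml. The shell block continues past the end of this hunk.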
@@ -400,17 +397,17 @@ else image={repo}:{port}/{container}:{tag} fi - sudo docker scan --accept-license $image + sudo grype -q $image - job-template: - name: 'functest-kubernetes-ng-{repo}-{container}-{tag}-docker-scan' + name: 'functest-kubernetes-ng-{repo}-{container}-{tag}-grype' triggers: - timed: '@daily' parameters: - functest-kubernetes-ng-slave: slave: '{slave}' builders: - - functest-kubernetes-ng-docker-scan: + - functest-kubernetes-ng-grype: <<: *functest-kubernetes-ng-containers publishers: - email-ext: 
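Review bot: `sudo grype -q $image` resolves the binary through PATH, but the installer in the previous hunk was told to place it in the current directory with `-b .`, so unless `.` is on root's PATH on the node this step likely fails with "command not found"; `./grype -q "$image"` would match the install location, and nothing in this hunk shows that root is still needed now that `docker.io` is no longer installed. Separately, grype exits 0 when it reports vulnerabilities unless `--fail-on <severity>` is given, so the job stays green whatever the scan finds, and whether the email-ext publisher below ever fires on findings depends on trigger settings outside this hunk. If the job is meant to alert, add a threshold such as `--fail-on high`. The same invocation is added in functest-kubernetes.yaml (as `grype -q $image`), functest.yaml and xtesting.yaml.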
@@ -420,46 +417,46 @@ recipients: cedric.ollivier@orange.com - project: - name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-core-docker-scan' + name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-core-grype' <<: *functest-kubernetes-ng-params container: 'functest-kubernetes-core' jobs: - - 'functest-kubernetes-ng-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-ng-{repo}-{container}-{tag}-grype' - project: - name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-healthcheck-docker-scan' + name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-healthcheck-grype' <<: *functest-kubernetes-ng-params container: 'functest-kubernetes-healthcheck' jobs: - - 'functest-kubernetes-ng-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-ng-{repo}-{container}-{tag}-grype' - project: - name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-cnf-docker-scan' + name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-cnf-grype' <<: *functest-kubernetes-ng-params container: 'functest-kubernetes-cnf' jobs: - - 'functest-kubernetes-ng-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-ng-{repo}-{container}-{tag}-grype' - project: - name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-security-docker-scan' + name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-security-grype' <<: *functest-kubernetes-ng-params container: 'functest-kubernetes-security' jobs: - - 'functest-kubernetes-ng-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-ng-{repo}-{container}-{tag}-grype' - project: - name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-smoke-docker-scan' + name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-smoke-grype' <<: *functest-kubernetes-ng-params container: 'functest-kubernetes-smoke' jobs: - - 'functest-kubernetes-ng-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-ng-{repo}-{container}-{tag}-grype' - project: - name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-benchmarking-docker-scan' 
+ name: 'functest-kubernetes-ng-opnfv-functest-kubernetes-benchmarking-grype' <<: *functest-kubernetes-ng-params container: 'functest-kubernetes-benchmarking' jobs: - - 'functest-kubernetes-ng-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-ng-{repo}-{container}-{tag}-grype' - project: name: 'functest-kubernetes-ng' @@ -492,7 +489,7 @@ regex: ^functest-kubernetes-ng-[a-z0-9-.]+-trivy$ - view: - name: functest-kubernetes-ng-docker-scan + name: functest-kubernetes-ng-grype view-type: list columns: - status @@ -501,4 +498,4 @@ - last-success - last-failure - last-duration - regex: ^functest-kubernetes-ng-[a-z0-9.]+-docker-scan$ + regex: ^functest-kubernetes-ng-[a-z0-9.]+-grype$ diff --git a/jjb/functest/functest-kubernetes.yaml b/jjb/functest/functest-kubernetes.yaml index fa8a0b01b..d81ea174c 100644 --- a/jjb/functest/functest-kubernetes.yaml +++ b/jjb/functest/functest-kubernetes.yaml @@ -1283,17 +1283,14 @@ - 'functest-kubernetes-{repo}-{container}-{tag}-trivy' - builder: - name: functest-kubernetes-docker-scan + name: functest-kubernetes-grype builders: - shell: | apt-get -o DPkg::Lock::Timeout=300 update && \ DEBIAN_FRONTEND=noninteractive apt-get \ - -o DPkg::Lock::Timeout=300 install curl docker.io -y + -o DPkg::Lock::Timeout=300 install curl -y - mkdir -p ~/.docker/cli-plugins && \ - curl https://github.com/docker/scan-cli-plugin/releases/latest/download/docker-scan_linux_amd64 \ - -L -s -S -o ~/.docker/cli-plugins/docker-scan &&\ - chmod +x ~/.docker/cli-plugins/docker-scan + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b . if [ "{repo}" = "_" ]; then image={container}:{tag} elif [ "{port}" = "None" ]; then 
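Review bot: The new view regex `^functest-kubernetes-ng-[a-z0-9.]+-grype$` has no `-` in its character class, while the job names generated from `functest-kubernetes-ng-{repo}-{container}-{tag}-grype` contain hyphens (for example container `functest-kubernetes-core`), so this view probably matches no jobs and failed scans will not show up in it. The trivy view in the context lines just above uses `[a-z0-9-.]`, and the grype view should do the same: `regex: ^functest-kubernetes-ng-[a-z0-9-.]+-grype$`. The pattern is carried over unchanged from the docker-scan view. The grype views in the other three files already include the hyphen.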
@@ -1301,17 +1298,17 @@ else image={repo}:{port}/{container}:{tag} fi - docker scan --accept-license $image + grype -q $image - job-template: - name: 'functest-kubernetes-{repo}-{container}-{tag}-docker-scan' + name: 'functest-kubernetes-{repo}-{container}-{tag}-grype' triggers: - timed: '@weekly' parameters: - functest-kubernetes-slave: slave: '{slave}' builders: - - functest-kubernetes-docker-scan: + - functest-kubernetes-grype: <<: *functest-kubernetes-containers publishers: - email-ext: 
@@ -1321,46 +1318,46 @@ recipients: cedric.ollivier@orange.com - project: - name: 'functest-kubernetes-opnfv-functest-kubernetes-core-docker-scan' + name: 'functest-kubernetes-opnfv-functest-kubernetes-core-grype' <<: *functest-kubernetes-params container: 'functest-kubernetes-core' jobs: - - 'functest-kubernetes-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-{repo}-{container}-{tag}-grype' - project: - name: 'functest-kubernetes-opnfv-functest-kubernetes-healthcheck-docker-scan' + name: 'functest-kubernetes-opnfv-functest-kubernetes-healthcheck-grype' <<: *functest-kubernetes-params container: 'functest-kubernetes-healthcheck' jobs: - - 'functest-kubernetes-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-{repo}-{container}-{tag}-grype' - project: - name: 'functest-kubernetes-opnfv-functest-kubernetes-cnf-docker-scan' + name: 'functest-kubernetes-opnfv-functest-kubernetes-cnf-grype' <<: *functest-kubernetes-params container: 'functest-kubernetes-cnf' jobs: - - 'functest-kubernetes-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-{repo}-{container}-{tag}-grype' - project: - name: 'functest-kubernetes-opnfv-functest-kubernetes-security-docker-scan' + name: 'functest-kubernetes-opnfv-functest-kubernetes-security-grype' <<: *functest-kubernetes-params container: 'functest-kubernetes-security' jobs: - - 'functest-kubernetes-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-{repo}-{container}-{tag}-grype' - project: - name: 'functest-kubernetes-opnfv-functest-kubernetes-smoke-docker-scan' + name: 'functest-kubernetes-opnfv-functest-kubernetes-smoke-grype' <<: *functest-kubernetes-params container: 'functest-kubernetes-smoke' jobs: - - 'functest-kubernetes-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-{repo}-{container}-{tag}-grype' - project: - name: 'functest-kubernetes-opnfv-functest-kubernetes-benchmarking-docker-scan' + name: 'functest-kubernetes-opnfv-functest-kubernetes-benchmarking-grype' 
<<: *functest-kubernetes-params container: 'functest-kubernetes-benchmarking' jobs: - - 'functest-kubernetes-{repo}-{container}-{tag}-docker-scan' + - 'functest-kubernetes-{repo}-{container}-{tag}-grype' - project: name: 'functest-kubernetes' @@ -1393,7 +1390,7 @@ regex: (?!functest-kubernetes-pi)(?!functest-kubernetes-ng)^functest-kubernetes-[a-z-0-9.]+-trivy$ - view: - name: functest-kubernetes-docker-scan + name: functest-kubernetes-grype view-type: list columns: - status @@ -1402,4 +1399,4 @@ - last-success - last-failure - last-duration - regex: (?!functest-kubernetes-pi)(?!functest-kubernetes-ng)^functest-kubernetes-[a-z-0-9.]+-docker-scan$ + regex: (?!functest-kubernetes-pi)(?!functest-kubernetes-ng)^functest-kubernetes-[a-z-0-9.]+-grype$ diff --git a/jjb/functest/functest.yaml b/jjb/functest/functest.yaml index f9bf67669..47cc85771 100644 --- a/jjb/functest/functest.yaml +++ b/jjb/functest/functest.yaml @@ -1646,17 +1646,14 @@ - 'functest-{repo}-{container}-{tag}-trivy' - builder: - name: functest-docker-scan + name: functest-grype builders: - shell: | sudo apt-get -o DPkg::Lock::Timeout=300 update && \ sudo DEBIAN_FRONTEND=noninteractive apt-get \ - -o DPkg::Lock::Timeout=300 install curl docker.io -y + -o DPkg::Lock::Timeout=300 install curl -y - mkdir -p ~/.docker/cli-plugins && \ - curl https://github.com/docker/scan-cli-plugin/releases/latest/download/docker-scan_linux_amd64 \ - -L -s -S -o ~/.docker/cli-plugins/docker-scan &&\ - chmod +x ~/.docker/cli-plugins/docker-scan + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b . if [ "{repo}" = "_" ]; then image={container}:{tag} elif [ "{port}" = "None" ]; then 
@@ -1664,17 +1661,17 @@ else image={repo}:{port}/{container}:{tag} fi - sudo docker scan --accept-license $image + sudo grype -q $image - job-template: - name: 'functest-{repo}-{container}-{tag}-docker-scan' + name: 'functest-{repo}-{container}-{tag}-grype' triggers: - timed: '@weekly' parameters: - functest-slave: slave: '{slave}' builders: - - functest-docker-scan: + - functest-grype: <<: *functest-containers publishers: - email-ext: 
@@ -1684,60 +1681,60 @@ recipients: cedric.ollivier@orange.com - project: - name: 'functest-opnfv-functest-core-docker-scan' + name: 'functest-opnfv-functest-core-grype' <<: *functest-params container: 'functest-core' jobs: - - 'functest-{repo}-{container}-{tag}-docker-scan' + - 'functest-{repo}-{container}-{tag}-grype' - project: - name: 'functest-opnfv-functest-tempest-docker-scan' + name: 'functest-opnfv-functest-tempest-grype' <<: *functest-params container: 'functest-tempest' jobs: - - 'functest-{repo}-{container}-{tag}-docker-scan' + - 'functest-{repo}-{container}-{tag}-grype' - project: - name: 'functest-opnfv-functest-healthcheck-docker-scan' + name: 'functest-opnfv-functest-healthcheck-grype' <<: *functest-params container: 'functest-healthcheck' jobs: - - 'functest-{repo}-{container}-{tag}-docker-scan' + - 'functest-{repo}-{container}-{tag}-grype' - project: - name: 'functest-opnfv-functest-smoke-docker-scan' + name: 'functest-opnfv-functest-smoke-grype' <<: *functest-params container: 'functest-smoke' jobs: - - 'functest-{repo}-{container}-{tag}-docker-scan' + - 'functest-{repo}-{container}-{tag}-grype' - project: - name: 'functest-opnfv-functest-benchmarking-docker-scan' + name: 'functest-opnfv-functest-benchmarking-grype' <<: *functest-params container: 'functest-benchmarking' jobs: - - 'functest-{repo}-{container}-{tag}-docker-scan' + - 'functest-{repo}-{container}-{tag}-grype' - project: - name: 'functest-opnfv-functest-vnf-docker-scan' + name: 'functest-opnfv-functest-vnf-grype' <<: *functest-params container: 'functest-vnf' jobs: - - 'functest-{repo}-{container}-{tag}-docker-scan' + - 'functest-{repo}-{container}-{tag}-grype' - project: - name: 'functest-opnfv-functest-smoke-cntt-docker-scan' + name: 'functest-opnfv-functest-smoke-cntt-grype' <<: *functest-params container: 'functest-smoke-cntt' jobs: - - 'functest-{repo}-{container}-{tag}-docker-scan' + - 'functest-{repo}-{container}-{tag}-grype' - project: - name: 
'functest-opnfv-functest-benchmarking-cntt-docker-scan' + name: 'functest-opnfv-functest-benchmarking-cntt-grype' <<: *functest-params container: 'functest-benchmarking-cntt' jobs: - - 'functest-{repo}-{container}-{tag}-docker-scan' + - 'functest-{repo}-{container}-{tag}-grype' - project: name: 'functest' @@ -1770,7 +1767,7 @@ regex: (?!functest-kubernetes)(?!functest-pi)^functest-[a-z-0-9.]+-trivy$ - view: - name: functest-docker-scan + name: functest-grype view-type: list columns: - status @@ -1779,4 +1776,4 @@ - last-success - last-failure - last-duration - regex: (?!functest-kubernetes)(?!functest-pi)^functest-[a-z-0-9.]+-docker-scan$ + regex: (?!functest-kubernetes)(?!functest-pi)^functest-[a-z-0-9.]+-grype$ diff --git a/jjb/functest/xtesting.yaml b/jjb/functest/xtesting.yaml index b859a2f70..fab7f660d 100644 --- a/jjb/functest/xtesting.yaml +++ b/jjb/functest/xtesting.yaml @@ -850,17 +850,14 @@ - 'xtesting-{repo}-{container}-{tag}-trivy' - builder: - name: xtesting-docker-scan + name: xtesting-grype builders: - shell: | sudo apt-get -o DPkg::Lock::Timeout=300 update && \ sudo DEBIAN_FRONTEND=noninteractive apt-get \ - -o DPkg::Lock::Timeout=300 install curl docker.io -y + -o DPkg::Lock::Timeout=300 install curl -y - mkdir -p ~/.docker/cli-plugins && \ - curl https://github.com/docker/scan-cli-plugin/releases/latest/download/docker-scan_linux_amd64 \ - -L -s -S -o ~/.docker/cli-plugins/docker-scan &&\ - chmod +x ~/.docker/cli-plugins/docker-scan + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b . if [ "{repo}" = "_" ]; then image={container}:{tag} elif [ "{port}" = "None" ]; then 
@@ -868,17 +865,17 @@ else image={repo}:{port}/{container}:{tag} fi - sudo docker scan --accept-license $image + sudo grype -q $image - job-template: - name: 'xtesting-{repo}-{container}-{tag}-docker-scan' + name: 'xtesting-{repo}-{container}-{tag}-grype' triggers: - timed: '@daily' parameters: - xtesting-slave: slave: '{slave}' builders: - - xtesting-docker-scan: + - xtesting-grype: <<: *xtesting-containers publishers: - email-ext: @@ -888,18 +885,18 @@ recipients: cedric.ollivier@orange.com - project: - name: 'xtesting-opnfv-xtesting-docker-scan' + name: 'xtesting-opnfv-xtesting-grype' <<: *xtesting-params container: 'xtesting' jobs: - - 'xtesting-{repo}-{container}-{tag}-docker-scan' + - 'xtesting-{repo}-{container}-{tag}-grype' - project: - name: 'xtesting-opnfv-xtesting-mts-docker-scan' + name: 'xtesting-opnfv-xtesting-mts-grype' <<: *xtesting-params container: 'xtesting-mts' jobs: - - 'xtesting-{repo}-{container}-{tag}-docker-scan' + - 'xtesting-{repo}-{container}-{tag}-grype' - project: name: 'xtesting' @@ -932,7 +929,7 @@ regex: (?!xtesting-pi)^xtesting-[a-z-0-9.]+-trivy$ - view: - name: xtesting-docker-scan + name: xtesting-grype view-type: list columns: - status @@ -941,4 +938,4 @@ - last-success - last-failure - last-duration - regex: (?!xtesting-pi)^xtesting-[a-z-0-9.]+-docker-scan$ + regex: (?!xtesting-pi)^xtesting-[a-z-0-9.]+-grype$ -- 2.16.6