test: full append

jason1028kr · jason1028kr · commit ad0cbea5d77d · 2025-01-30T10:49:20.000-08:00
diff --git a/.pipelines/templates/.builder-release-template.yaml b/.pipelines/templates/.builder-release-template.yaml
@@ -111,17 +111,18 @@ steps:
       echo "##vso[task.setvariable variable=SKU_NAME]$SKU_NAME"
       echo "Set SKU_NAME to $SKU_NAME"
     displayName: Set SKU Name
-  # - bash: make -f packer.mk run-packer
-  #   displayName: Build VHD
-  #   retryCountOnTaskFailure: 3
-  #   env:
-  #     OS_TYPE: Linux
-  #     GIT_VERSION: $(Build.SourceVersion)
-  #     BRANCH: $(Build.SourceBranch)
-  #     BUILD_NUMBER: $(Build.BuildNumber)
-  #     BUILD_ID: $(Build.BuildId)
-  #     BUILD_DEFINITION_NAME: $(Build.DefinitionName)
-  #     UA_TOKEN: $(ua-token)
+  
+  - bash: make -f packer.mk run-packer
+    displayName: Build VHD
+    retryCountOnTaskFailure: 3
+    env:
+      OS_TYPE: Linux
+      GIT_VERSION: $(Build.SourceVersion)
+      BRANCH: $(Build.SourceBranch)
+      BUILD_NUMBER: $(Build.BuildNumber)
+      BUILD_ID: $(Build.BuildId)
+      BUILD_DEFINITION_NAME: $(Build.DefinitionName)
+      UA_TOKEN: $(ua-token)
 
   - bash: |
       PACKER_VNET_RESOURCE_GROUP_NAME="$(cat vhdbuilder/packer/settings.json | grep "vnet_resource_group_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
@@ -137,11 +138,11 @@ steps:
       echo "##vso[task.setvariable variable=SIG_IMAGE_NAME]${SIG_IMAGE_NAME}" && \
       echo "##vso[task.setvariable variable=CAPTURED_SIG_VERSION]${CAPTURED_SIG_VERSION}" && \
       echo "##vso[task.setvariable variable=IMPORTED_IMAGE_NAME]$(cat vhdbuilder/packer/settings.json | grep "imported_image_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
-      echo "##vso[task.setvariable variable=OS_DISK_URI]" && \
-      echo "##vso[task.setvariable variable=MANAGED_SIG_ID]/subscriptions/c4c3550e-a965-4993-a50c-628fd38cd3e1/resourceGroups/aksvhdtestbuildrg/providers/Microsoft.Compute/galleries/PackerSigGalleryEastUS/images/2204containerd/versions/1.1738120749.14404" && \
-      echo "##vso[task.setvariable variable=SIG_GALLERY_NAME]PackerSigGalleryEastUS" && \
+      echo "##vso[task.setvariable variable=OS_DISK_URI]$(cat packer-output | grep "OSDiskUri:" | cut -d " " -f 2)" && \
+      echo "##vso[task.setvariable variable=MANAGED_SIG_ID]$(cat packer-output | grep "ManagedImageSharedImageGalleryId:" | cut -d " " -f 2)" && \
+      echo "##vso[task.setvariable variable=SIG_GALLERY_NAME]$(cat vhdbuilder/packer/settings.json | grep "sig_gallery_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
       echo "##vso[task.setvariable variable=PERFORMANCE_DATA_FILE]vhd-build-performance-data.json" && \
-      echo "##vso[task.setvariable variable=PKR_RG_NAME]aksvhdtestbuildrg" && \
+      echo "##vso[task.setvariable variable=PKR_RG_NAME]$(cat packer-output | grep "ResourceGroupName" | cut -d "'" -f 2 | head -1)" && \
       echo "##vso[task.setvariable variable=IS_NOT_1804]$( [[ "${OS_VERSION}" != "18.04" ]] && echo true || echo false )" && \
       echo "##vso[task.setvariable variable=OS_NAME]Linux" && \
       echo "##vso[task.setvariable variable=OS_TYPE]Linux" && \
@@ -171,7 +172,6 @@ steps:
       PACKER_VNET_NAME: $(PACKER_VNET_NAME)
       SKIP_SCANNING: $(SKIP_SCANNING)
       DRY_RUN: $(DRY_RUN)
-      DEFAULT_WORKING_DIRECTORY: $(System.DefaultWorkingDirectory)
 
   - task: PublishPipelineArtifact@0
     condition: always()
diff --git a/vhdbuilder/packer/trivy-scan.sh b/vhdbuilder/packer/trivy-scan.sh
@@ -42,6 +42,7 @@ export SYSTEM_TEAMPROJECT=${27}
 export BUILD_BUILDID=${28}
 export IMAGE_VERSION=${29}
 CVE_DIFF_UPLOAD_REPORT_NAME=${30}
+SCAN_RESOURCE_PREFIX=${31}
 
 retrycmd_if_failure() {
     retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
@@ -133,7 +134,7 @@ rm "trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz"
 chmod a+x trivy 
 
 # pull vuln-to-kusto binary
-MODULE_VERSION="v0.0.3-03a822ef770"
+MODULE_VERSION="v0.0.3-a60608e7896"
 az storage blob download --auth-mode login --account-name ${ACCOUNT_NAME} -c vuln-to-kusto \
     --name ${MODULE_VERSION}/${MODULE_NAME}_linux_${GO_ARCH} \
     --file ./${MODULE_NAME}
@@ -190,15 +191,19 @@ for CONTAINER_IMAGE in $IMAGE_LIST; do
     fi
 done
 
-./vuln-to-kusto-vhd query-report query-diff 12h\
+./vuln-to-kusto-vhd query-report query-diff 24h \
     --vhd-vhdname=${VHD_ARTIFACT_NAME} \
+    --vhd-nodeimageversion=${IMAGE_VERSION} \
+    --severity="HIGH" \
+    --scan-resource-prefix=${SCAN_RESOURCE_PREFIX} \
     --kusto-endpoint=${KUSTO_ENDPOINT} \
     --kusto-database=${KUSTO_DATABASE} \
     --kusto-table=${KUSTO_TABLE} \
     --kusto-managed-identity-client-id=${UMSI_CLIENT_ID} >> ${CVE_DIFF_QUERY_OUTPUT_PATH}
 
 rm ./trivy
 
+chmod a+r "${CVE_DIFF_QUERY_OUTPUT_PATH}"
 chmod a+r "${TRIVY_REPORT_ROOTFS_JSON_PATH}"
 chmod a+r "${TRIVY_REPORT_IMAGE_TABLE_PATH}"
 
diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh
@@ -22,10 +22,10 @@ SIG_CONTAINER_NAME="vhd-scans"
 SCAN_VM_ADMIN_USERNAME="azureuser"
 
 RELEASE_NOTES_FILEPATH="${DEFAULT_WORKING_DIRECTORY}/release-notes.txt"
-# if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
-#     echo "${RELEASE_NOTES_FILEPATH} does not exist"
-#     exit 1
-# fi
+if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
+    echo "${RELEASE_NOTES_FILEPATH} does not exist"
+    exit 1
+fi
 
 # we must create VMs in a vnet subnet which has access to the storage account, otherwise they will not be able to access the VHD blobs
 SCANNING_SUBNET_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PACKER_VNET_RESOURCE_GROUP_NAME}/providers/Microsoft.Network/virtualNetworks/${PACKER_VNET_NAME}/subnets/scanning"
@@ -59,7 +59,7 @@ function cleanup() {
     echo "Deleting resource group ${RESOURCE_GROUP_NAME}"
     az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait
 }
-trap cleanup EXIT
+# trap cleanup EXIT
 capture_benchmark "${SCRIPT_NAME}_set_variables_and_create_scan_resource_group"
 
 # VM_OPTIONS="--size Standard_D8ds_v5"
@@ -151,7 +151,8 @@ az vm run-command invoke \
         "SYSTEM_TEAMPROJECT"=${SYSTEM_TEAMPROJECT} \
         "BUILDID"=${BUILD_ID} \
         "IMAGE_VERSION"=${IMAGE_VERSION} \
-        "CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME}
+        "CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME} \
+        "SCAN_RESOURCE_PREFIX"=${SCAN_RESOURCE_PREFIX}
 
 capture_benchmark "${SCRIPT_NAME}_run_az_scan_command"
 
@@ -165,14 +166,8 @@ az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name $
 
 capture_benchmark "${SCRIPT_NAME}_download_and_delete_blobs"
 
-if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
-    echo "${RELEASE_NOTES_FILEPATH} does not exist"
-    exit 1
-fi
-
-echo "This is a new line" >> ${RELEASE_NOTES_FILEPATH}
-
-cat ${RELEASE_NOTES_FILEPATH}
+echo "=== CVEs fixed in version: ${IMAGE_VERSION}"
+cat cve-diff.txt >> ${RELEASE_NOTES_FILEPATH}
 
 echo -e "Trivy Scan Script Completed\n\n\n"
 capture_benchmark "${SCRIPT_NAME}_overall" true
