feat: add cve information on the release note

jason1028kr · jason1028kr · commit b1e4bed6b6a1 · 2025-01-30T13:15:46.000-08:00
diff --git a/vhdbuilder/packer/trivy-scan.sh b/vhdbuilder/packer/trivy-scan.sh
@@ -4,6 +4,7 @@ set -euxo pipefail
 TRIVY_REPORT_DIRNAME=/opt/azure/containers
 TRIVY_REPORT_ROOTFS_JSON_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-rootfs.json
 TRIVY_REPORT_IMAGE_TABLE_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-images-table.txt
+CVE_DIFF_QUERY_OUTPUT_PATH=${TRIVY_REPORT_DIRNAME}/cve-diff.txt
 TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"
 
 TRIVY_VERSION="0.57.0"
@@ -40,6 +41,8 @@ export SYSTEM_COLLECTIONURI=${26}
 export SYSTEM_TEAMPROJECT=${27}
 export BUILD_BUILDID=${28}
 export IMAGE_VERSION=${29}
+CVE_DIFF_UPLOAD_REPORT_NAME=${30}
+SCAN_RESOURCE_PREFIX=${31}
 
 retrycmd_if_failure() {
     retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
@@ -131,6 +134,7 @@ rm "trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz"
 chmod a+x trivy 
 
 # pull vuln-to-kusto binary
+MODULE_VERSION="v0.0.3-a60608e7896"
 az storage blob download --auth-mode login --account-name ${ACCOUNT_NAME} -c vuln-to-kusto \
     --name ${MODULE_VERSION}/${MODULE_NAME}_linux_${GO_ARCH} \
     --file ./${MODULE_NAME}
@@ -187,13 +191,30 @@ for CONTAINER_IMAGE in $IMAGE_LIST; do
     fi
 done
 
+./vuln-to-kusto-vhd query-report query-diff 24h \
+    --vhd-vhdname=${VHD_ARTIFACT_NAME} \
+    --vhd-nodeimageversion=${IMAGE_VERSION} \
+    --severity="HIGH" \
+    --scan-resource-prefix=${SCAN_RESOURCE_PREFIX} \
+    --kusto-endpoint=${KUSTO_ENDPOINT} \
+    --kusto-database=${KUSTO_DATABASE} \
+    --kusto-table=${KUSTO_TABLE} \
+    --kusto-managed-identity-client-id=${UMSI_CLIENT_ID} >> ${CVE_DIFF_QUERY_OUTPUT_PATH}
+
 rm ./trivy
 
+chmod a+r "${CVE_DIFF_QUERY_OUTPUT_PATH}"
 chmod a+r "${TRIVY_REPORT_ROOTFS_JSON_PATH}"
 chmod a+r "${TRIVY_REPORT_IMAGE_TABLE_PATH}"
 
 login_with_user_assigned_managed_identity ${AZURE_MSI_RESOURCE_STRING}
 
+az storage blob upload --file ${CVE_DIFF_QUERY_OUTPUT_PATH} \
+    --container-name ${SIG_CONTAINER_NAME} \
+    --name ${CVE_DIFF_UPLOAD_REPORT_NAME} \
+    --account-name ${STORAGE_ACCOUNT_NAME} \
+    --auth-mode login
+
 az storage blob upload --file ${TRIVY_REPORT_ROOTFS_JSON_PATH} \
     --container-name ${SIG_CONTAINER_NAME} \
     --name ${TRIVY_UPLOAD_REPORT_NAME} \
diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh
@@ -19,6 +19,12 @@ VHD_IMAGE="$MANAGED_SIG_ID"
 SIG_CONTAINER_NAME="vhd-scans"
 SCAN_VM_ADMIN_USERNAME="azureuser"
 
+RELEASE_NOTES_FILEPATH="$(pwd)/release-notes.txt"
+if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
+    echo "${RELEASE_NOTES_FILEPATH} does not exist"
+    exit 1
+fi
+
 # we must create VMs in a vnet subnet which has access to the storage account, otherwise they will not be able to access the VHD blobs
 SCANNING_SUBNET_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PACKER_VNET_RESOURCE_GROUP_NAME}/providers/Microsoft.Network/virtualNetworks/${PACKER_VNET_NAME}/subnets/scanning"
 if [ -z "$(az network vnet subnet show --ids $SCANNING_SUBNET_ID | jq -r '.id')" ]; then
@@ -51,10 +57,11 @@ function cleanup() {
     echo "Deleting resource group ${RESOURCE_GROUP_NAME}"
     az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait
 }
-trap cleanup EXIT
+# trap cleanup EXIT
 capture_benchmark "${SCRIPT_NAME}_set_variables_and_create_scan_resource_group"
 
-VM_OPTIONS="--size Standard_D8ds_v5"
+# VM_OPTIONS="--size Standard_D8ds_v5"
+VM_OPTIONS="--size Standard_DS1_v2"
 if [[ "${ARCHITECTURE,,}" == "arm64" ]]; then
     VM_OPTIONS="--size Standard_D8pds_v5"
 fi
@@ -97,6 +104,7 @@ TRIVY_SCRIPT_PATH="$CDIR/$TRIVY_SCRIPT_PATH"
 TIMESTAMP=$(date +%s%3N)
 TRIVY_UPLOAD_REPORT_NAME="trivy-report-${BUILD_ID}-${TIMESTAMP}.json"
 TRIVY_UPLOAD_TABLE_NAME="trivy-table-${BUILD_ID}-${TIMESTAMP}.txt"
+CVE_DIFF_UPLOAD_REPORT_NAME="cve-diff-${BUILD_ID}-${TIMESTAMP}.txt"
 
 # Extract date, revision from build number
 BUILD_RUN_NUMBER=$(echo $BUILD_RUN_NUMBER | cut -d_ -f 1)
@@ -140,17 +148,25 @@ az vm run-command invoke \
         "SYSTEM_COLLECTIONURI"=${SYSTEM_COLLECTIONURI} \
         "SYSTEM_TEAMPROJECT"=${SYSTEM_TEAMPROJECT} \
         "BUILDID"=${BUILD_ID} \
-        "IMAGE_VERSION"=${IMAGE_VERSION}
+        "IMAGE_VERSION"=${IMAGE_VERSION} \
+        "CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME} \
+        "SCAN_RESOURCE_PREFIX"=${SCAN_RESOURCE_PREFIX}
 
 capture_benchmark "${SCRIPT_NAME}_run_az_scan_command"
 
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${TRIVY_UPLOAD_REPORT_NAME} --file trivy-report.json --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${TRIVY_UPLOAD_TABLE_NAME} --file  trivy-images-table.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
+az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${CVE_DIFF_UPLOAD_REPORT_NAME} --file  cve-diff.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 
 az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --auth-mode login
 az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --auth-mode login
+az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --auth-mode login
+
 capture_benchmark "${SCRIPT_NAME}_download_and_delete_blobs"
 
+echo "=== CVEs fixed in version: ${IMAGE_VERSION}" >> ${RELEASE_NOTES_FILEPATH}
+cat cve-diff.txt >> ${RELEASE_NOTES_FILEPATH}
+
 echo -e "Trivy Scan Script Completed\n\n\n"
 capture_benchmark "${SCRIPT_NAME}_overall" true
 process_benchmarks
