Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: cve release notes #5678

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

chore: cve release notes #5678

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a4a5e2b
feat: add cve information on the release note
jason1028kr Jan 25, 2025
82df805
chore: add variable group to checkin pipeline
jason1028kr Feb 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .pipelines/.vsts-vhd-builder-release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,7 @@ variables:
- group: aks-vuln-to-kusto
- group: "AKS Node SIG UA Token (KV)"
- group: build_performance

- group: aks-vuln-to-kusto-tme
stages:
- stage: build
jobs:
Expand Down
2 changes: 1 addition & 1 deletion .pipelines/.vsts-vhd-builder.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ variables:
- group: aks-vuln-to-kusto
- group: "AKS Node SIG UA Token (KV)"
- group: build_performance

- group: aks-vuln-to-kusto-tme
stages:
- stage: build
jobs:
Expand Down
11 changes: 8 additions & 3 deletions vhdbuilder/packer/test-scan-and-cleanup.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,18 @@ required_env_vars=(
"SIG_GALLERY_NAME"
"OS_VERSION"
"SIG_IMAGE_NAME"
"UMSI_RESOURCE_ID"
"UMSI_PRINCIPAL_ID"
"AZURE_MSI_RESOURCE_STRING"
"UMSI_CLIENT_ID"
"BUILD_RUN_NUMBER"
"VHD_ARTIFACT_NAME"
"DRY_RUN"
"ACCOUNT_NAME"
"UMSI_RESOURCE_ID"
"UMSI_PRINCIPAL_ID"
"UMSI_CLIENT_ID"
"ACCOUNT_NAME_TME"
"UMSI_RESOURCE_ID_TME"
"UMSI_PRINCIPAL_ID_TME"
"UMSI_CLIENT_ID_TME"
)

for v in "${required_env_vars[@]}"; do
Expand Down
20 changes: 20 additions & 0 deletions vhdbuilder/packer/trivy-scan.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ set -euxo pipefail
TRIVY_REPORT_DIRNAME=/opt/azure/containers
TRIVY_REPORT_ROOTFS_JSON_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-rootfs.json
TRIVY_REPORT_IMAGE_TABLE_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-images-table.txt
CVE_DIFF_QUERY_OUTPUT_PATH=${TRIVY_REPORT_DIRNAME}/cve-diff.txt
TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"

TRIVY_VERSION="0.57.0"
Expand Down Expand Up @@ -40,6 +41,8 @@ export SYSTEM_COLLECTIONURI=${26}
export SYSTEM_TEAMPROJECT=${27}
export BUILD_BUILDID=${28}
export IMAGE_VERSION=${29}
CVE_DIFF_UPLOAD_REPORT_NAME=${30}
SCAN_RESOURCE_PREFIX=${31}

retrycmd_if_failure() {
retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
Expand Down Expand Up @@ -187,13 +190,30 @@ for CONTAINER_IMAGE in $IMAGE_LIST; do
fi
done

./vuln-to-kusto-vhd query-report query-diff 24h \
--vhd-vhdname=${VHD_ARTIFACT_NAME} \
--vhd-nodeimageversion=${IMAGE_VERSION} \
--severity="HIGH" \
--scan-resource-prefix=${SCAN_RESOURCE_PREFIX} \
--kusto-endpoint=${KUSTO_ENDPOINT} \
--kusto-database=${KUSTO_DATABASE} \
--kusto-table=${KUSTO_TABLE} \
--kusto-managed-identity-client-id=${UMSI_CLIENT_ID} >> ${CVE_DIFF_QUERY_OUTPUT_PATH}

rm ./trivy

chmod a+r "${CVE_DIFF_QUERY_OUTPUT_PATH}"
chmod a+r "${TRIVY_REPORT_ROOTFS_JSON_PATH}"
chmod a+r "${TRIVY_REPORT_IMAGE_TABLE_PATH}"

login_with_user_assigned_managed_identity ${AZURE_MSI_RESOURCE_STRING}

az storage blob upload --file ${CVE_DIFF_QUERY_OUTPUT_PATH} \
--container-name ${SIG_CONTAINER_NAME} \
--name ${CVE_DIFF_UPLOAD_REPORT_NAME} \
--account-name ${STORAGE_ACCOUNT_NAME} \
--auth-mode login

az storage blob upload --file ${TRIVY_REPORT_ROOTFS_JSON_PATH} \
--container-name ${SIG_CONTAINER_NAME} \
--name ${TRIVY_UPLOAD_REPORT_NAME} \
Expand Down
39 changes: 33 additions & 6 deletions vhdbuilder/packer/vhd-scanning.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,32 @@ if [ -z "$PACKER_BUILD_LOCATION" ]; then
exit 1
fi

CURRENT_TIME=$(date +%s)

TRIVY_SCRIPT_PATH="trivy-scan.sh"
SCAN_RESOURCE_PREFIX="vhd-scanning"
SCAN_VM_NAME="$SCAN_RESOURCE_PREFIX-vm-$(date +%s)-$RANDOM"
SCAN_VM_NAME="$SCAN_RESOURCE_PREFIX-vm-$CURRENT_TIME-$RANDOM"
VHD_IMAGE="$MANAGED_SIG_ID"

SIG_CONTAINER_NAME="vhd-scans"
SCAN_VM_ADMIN_USERNAME="azureuser"

if [ "${ENVIRONMENT,,}" == "tme" ]; then
ACCOUNT_NAME="$ACCOUNT_NAME_TME"
KUSTO_DATABASE="$KUSTO_DATABASE_TME"
KUSTO_TABLE="$KUSTO_TABLE_TME"
KUSTO_ENDPOINT="$KUSTO_ENDPOINT_TME"
UMSI_CLIENT_ID="$UMSI_CLIENT_ID_TME"
UMSI_PRINCIPAL_ID="$UMSI_PRINCIPAL_ID_TME"
UMSI_RESOURCE_ID="$UMSI_RESOURCE_ID_TME"
fi

RELEASE_NOTES_FILEPATH="$(pwd)/release-notes.txt"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we just create the file here instead of erroring out? Or is that a sign of some other issue?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we expect release note to exist at this point, from previous packer build step

if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
echo "${RELEASE_NOTES_FILEPATH} does not exist"
exit 1
fi

# we must create VMs in a vnet subnet which has access to the storage account, otherwise they will not be able to access the VHD blobs
SCANNING_SUBNET_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PACKER_VNET_RESOURCE_GROUP_NAME}/providers/Microsoft.Network/virtualNetworks/${PACKER_VNET_NAME}/subnets/scanning"
if [ -z "$(az network vnet subnet show --ids $SCANNING_SUBNET_ID | jq -r '.id')" ]; then
Expand All @@ -41,11 +59,11 @@ else
fi

set +x
SCAN_VM_ADMIN_PASSWORD="ScanVM@$(date +%s)"
SCAN_VM_ADMIN_PASSWORD="ScanVM@$CURRENT_TIME"
set -x

RESOURCE_GROUP_NAME="$SCAN_RESOURCE_PREFIX-$(date +%s)-$RANDOM"
az group create --name $RESOURCE_GROUP_NAME --location ${PACKER_BUILD_LOCATION} --tags "source=AgentBaker" "now=$(date +%s)" "branch=${GIT_BRANCH}"
RESOURCE_GROUP_NAME="$SCAN_RESOURCE_PREFIX-$CURRENT_TIME-$RANDOM"
az group create --name $RESOURCE_GROUP_NAME --location ${PACKER_BUILD_LOCATION} --tags "source=AgentBaker" "now=${CURRENT_TIME}" "branch=${GIT_BRANCH}"

function cleanup() {
echo "Deleting resource group ${RESOURCE_GROUP_NAME}"
Expand All @@ -68,7 +86,7 @@ if [ "${OS_TYPE}" == "Linux" ] && grep -q "cvm" <<< "$FEATURE_FLAGS"; then
VM_OPTIONS="--size Standard_DC8ads_v5 --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true --os-disk-security-encryption-type VMGuestStateOnly --specialized true"
fi

SCANNING_NIC_ID=$(az network nic create --resource-group $RESOURCE_GROUP_NAME --name "scanning$(date +%s)${RANDOM}" --subnet $SCANNING_SUBNET_ID | jq -r '.NewNIC.id')
SCANNING_NIC_ID=$(az network nic create --resource-group $RESOURCE_GROUP_NAME --name "scanning${CURRENT_TIME}${RANDOM}" --subnet $SCANNING_SUBNET_ID | jq -r '.NewNIC.id')
if [ -z "$SCANNING_NIC_ID" ]; then
echo "unable to create new NIC for scanning VM"
exit 1
Expand Down Expand Up @@ -97,6 +115,7 @@ TRIVY_SCRIPT_PATH="$CDIR/$TRIVY_SCRIPT_PATH"
TIMESTAMP=$(date +%s%3N)
TRIVY_UPLOAD_REPORT_NAME="trivy-report-${BUILD_ID}-${TIMESTAMP}.json"
TRIVY_UPLOAD_TABLE_NAME="trivy-table-${BUILD_ID}-${TIMESTAMP}.txt"
CVE_DIFF_UPLOAD_REPORT_NAME="cve-diff-${BUILD_ID}-${TIMESTAMP}.txt"

# Extract date, revision from build number
BUILD_RUN_NUMBER=$(echo $BUILD_RUN_NUMBER | cut -d_ -f 1)
Expand Down Expand Up @@ -140,17 +159,25 @@ az vm run-command invoke \
"SYSTEM_COLLECTIONURI"=${SYSTEM_COLLECTIONURI} \
"SYSTEM_TEAMPROJECT"=${SYSTEM_TEAMPROJECT} \
"BUILDID"=${BUILD_ID} \
"IMAGE_VERSION"=${IMAGE_VERSION}
"IMAGE_VERSION"=${IMAGE_VERSION} \
"CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME} \
"SCAN_RESOURCE_PREFIX"=${SCAN_RESOURCE_PREFIX}

capture_benchmark "${SCRIPT_NAME}_run_az_scan_command"

az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --file trivy-report.json --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --file trivy-images-table.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
az storage blob download --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --file cve-diff.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login

az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --auth-mode login
az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --auth-mode login
az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --auth-mode login

capture_benchmark "${SCRIPT_NAME}_download_and_delete_blobs"

echo "=== CVEs fixed in version: ${IMAGE_VERSION}" >> ${RELEASE_NOTES_FILEPATH}
cat cve-diff.txt >> ${RELEASE_NOTES_FILEPATH}

echo -e "Trivy Scan Script Completed\n\n\n"
capture_benchmark "${SCRIPT_NAME}_overall" true
process_benchmarks
Loading