From 048215a4f8a4ca15e20256e075148e181de8e177 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 31 Jul 2024 11:52:07 -0600 Subject: [PATCH 1/3] Filter SARIF paths on images with >20 paths --- docker-bake.hcl | 4 +- tools/snyk_bake_artifacts.py | 45 ++++++++++++++++++- workbench-for-google-cloud-workstations/.snyk | 14 +++--- workbench-for-microsoft-azure-ml/.snyk | 9 ++-- workbench/.snyk | 9 ++-- 5 files changed, 64 insertions(+), 17 deletions(-) diff --git a/docker-bake.hcl b/docker-bake.hcl index bf9957c3..a203ea39 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -461,12 +461,12 @@ target "workbench-for-google-cloud-workstations" { tags = [ "us-central1-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}", "us-central1-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest", - "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}", - "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest", "europe-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}", "europe-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest", "asia-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}", "asia-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest", + "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}", + "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest", ] dockerfile = "Dockerfile.${builds.os}" diff --git a/tools/snyk_bake_artifacts.py b/tools/snyk_bake_artifacts.py index 1983b43e..87281b02 100644 --- a/tools/snyk_bake_artifacts.py +++ b/tools/snyk_bake_artifacts.py 
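Review bot: The tag reorder is load-bearing but nothing in the file says so: `build_snyk_command` passes `--project-name={target_spec['tags'][-1]}` (visible in the next file's hunk), so moving the two `us-docker.pkg.dev` entries to the end changes which tag names the Snyk project, and anyone later re-sorting the list will silently rename the project and split its finding history. Add a comment above the list: `# Keep the us-docker.pkg.dev tags last: tools/snyk_bake_artifacts.py uses tags[-1] as the Snyk project name.` If the goal is to pin a specific tag, a dedicated field in the target (e.g. `snyk_project_name`) would be less fragile than list order. The `target` block opens before the hunk, so the rest of its attributes are not visible here.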
@@ -17,6 +17,15 @@ LOGGER = logging.getLogger(__name__) SNYK_ORG = os.getenv("SNYK_ORG") SERVICE_IMAGES = ["workbench-for-microsoft-azure=ml", "workbench-for-google-cloud-workstations"] +SARIF_PATH_FILTERS = { + "connect": ["/opt/rstudio-connect/examples"], + "workbench-for-google-cloud-workstations": [ + "/usr/lib/google-cloud-sdk", + "/usr/share", + "/usr/bin", + "/usr/local/go", + ], +} PROJECT_DIR = Path(__file__).resolve().parents[1] @@ -78,7 +87,8 @@ def build_snyk_command(target_name, target_spec, snyk_command, opts): f"--file={str(docker_file_path)}", "--platform=linux/amd64", f"--project-name={target_spec['tags'][-1]}", - f"--sarif-file-output=container.sarif", + "--sarif-file-output=container.sarif", + "--json-file-output=container.json", "--severity-threshold=high", f"--policy-path={target_spec['context']}", ]) 
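Review bot: `/usr/bin` and `/usr/share` are very broad entries for a filter whose effect is to drop findings from the SARIF report: anything Snyk finds under those paths disappears from the report with no reason, owner or expiry, unlike the `.snyk` ignores elsewhere in this patch, so the suppression is not auditable. At minimum document the intent next to the constant, e.g. `# Paths whose findings are dropped from container.sarif only (container.json is left complete): components bundled with the base image / Google Cloud SDK and tracked upstream. Keep entries as narrow as possible; matching is by path.`, and consider narrowing the two broad entries to the SDK-owned subdirectories actually responsible for the >20-path blow-up. Separately, the unchanged context line above still reads `"workbench-for-microsoft-azure=ml"` (`=` where the other names use `-`); if that is a typo it keeps the Azure image out of `SERVICE_IMAGES` and is worth fixing in the same pass.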
@@ -112,6 +122,36 @@ def build_snyk_command(target_name, target_spec, snyk_command, opts): return cmd +def filter_sarif_file(target_spec): + with open("container.sarif", "r") as f: + c_sarif = json.load(f) + with open("container.json", "r") as f: + c_json = json.load(f) + c_sarif_paths = c_sarif["runs"] + c_sarif_root = c_sarif_paths.pop(0) + c_json_paths = c_json["applications"] + filter_paths = SARIF_PATH_FILTERS.get(target_spec["context"], []) + filtered_c_sarif_paths = [c_sarif_root] + if len(c_sarif_paths) != len(c_json_paths): + LOGGER.error("SARIF and JSON number of discovered paths do not match") + return + for i in range(len(c_sarif_paths)): + if c_json_paths[i]["dependencyCount"] != c_sarif_paths[i]["tool"]["driver"]["properties"]["artifactsScanned"]: + LOGGER.warning( + f"Artifact count in JSON, {c_json_paths[i]['dependencyCount']}, " + f"differs from artifact count in SARIF, " + f"{c_sarif_paths[i]['tool']['driver']['properties']['artifactsScanned']}, for " + f"{c_json_paths[i]['displayTargetFile']}. This may cause incorrect filtering in the SARIF file." + ) + if not any(p in c_json_paths[i]["targetFile"] for p in filter_paths): + filtered_c_sarif_paths.append(c_sarif_paths[i]) + c_sarif["runs"] = filtered_c_sarif_paths + num_filtered_paths = len(c_sarif_paths) - len(filtered_c_sarif_paths) + LOGGER.info(f"Filtered {num_filtered_paths} paths from SARIF file") + with open("container.sarif", "w") as f: + json.dump(c_sarif, f, indent=2) + + def run_cmd(target_name, cmd): LOGGER.info(f"Running tests for {target_name}") LOGGER.info(f"{' '.join(cmd)}") @@ -139,6 +179,9 @@ def main(): if return_code != 0: failed_targets.append(target_name) result = 1 + if target_spec["context"] in SARIF_PATH_FILTERS and args.command == "test": + LOGGER.info("Filtering SARIF output file for excluded paths...") + filter_sarif_file(target_spec) LOGGER.info(f"Failed targets: {failed_targets}") exit(result) 
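Review bot: The filter in `filter_sarif_file` uses substring containment, `any(p in c_json_paths[i]["targetFile"] for p in filter_paths)`, so `/usr/bin` also matches `/usr/binutils-…` or `/opt/app/usr/bin/…` and `/usr/share` matches `/usr/shared-…`, silently dropping findings for components the list was never meant to cover; if `targetFile` is an absolute path inside the image (the filter entries suggest it is — confirm against a real `container.json`), a path-prefix test with a `/` boundary is the right check. Dropped runs are only counted, never named, so an over-broad match is invisible in CI logs — log each dropped `targetFile` at INFO. `c_sarif_paths.pop(0)` raises `IndexError` on a SARIF file with no runs, and the SARIF-run to JSON-application pairing is positional (the `artifactsScanned` warning acknowledges this); the rewrite keeps that assumption but guards the empty case, makes the pairing explicit with `zip`, and should carry a docstring stating that runs are matched by position and that `container.json` is the unfiltered source of truth.

```python
def filter_sarif_file(target_spec):
    # … unchanged: load container.sarif and container.json …
    c_sarif_paths = c_sarif["runs"]
    if not c_sarif_paths:
        LOGGER.error("SARIF file contains no runs; leaving it unfiltered")
        return
    c_sarif_root = c_sarif_paths.pop(0)
    # … unchanged: c_json_paths, filter_paths, length-mismatch check …
    filtered_c_sarif_paths = [c_sarif_root]
    for sarif_run, json_app in zip(c_sarif_paths, c_json_paths):
        # … unchanged: artifactsScanned mismatch warning (using sarif_run / json_app) …
        target_file = json_app["targetFile"]
        # Prefix match with a "/" boundary: substring matching would also drop
        # unrelated paths that merely contain e.g. "/usr/bin".
        if any(target_file == p or target_file.startswith(p + "/") for p in filter_paths):
            LOGGER.info(f"Dropping SARIF run for {target_file} (matched path filter)")
            continue
        filtered_c_sarif_paths.append(sarif_run)
    # … unchanged: write filtered runs back to container.sarif …
```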
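Review bot: `filter_sarif_file` runs regardless of `return_code`, and both output files have fixed names in the working directory, so if `snyk` exits non-zero before writing them (auth or image-pull failure) the `container.sarif`/`container.json` left by the previous target are filtered — and presumably uploaded — under this target's name; `return_code` cannot be the gate, since a non-zero exit is also the normal result when findings exist. Remove the stale files before each scan, e.g. `for stale in ("container.sarif", "container.json"): Path(stale).unlink(missing_ok=True)` just before `run_cmd`, and have `filter_sarif_file` log an error and return if either file is missing afterwards. `main` starts outside the hunk, so where the scan output is consumed after this point is not visible here.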
diff --git a/workbench-for-google-cloud-workstations/.snyk b/workbench-for-google-cloud-workstations/.snyk index 87558195..909ad99a 100644 --- a/workbench-for-google-cloud-workstations/.snyk +++ b/workbench-for-google-cloud-workstations/.snyk @@ -11,12 +11,10 @@ ignore: created: 2024-07-02T20:33:30.847Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737: - '*': - reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18' - expires: 2024-07-31T00:00:00.000Z - created: 2024-07-02T20:52:24.627Z - SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285: - - '*': - reason: 'Patched in later version https://cloud.google.com/support/bulletins#gcp-2024-023' - expires: 2024-07-31T00:00:00.000Z - created: 2024-07-03T16:16:45.000Z + reason: >- + Confirmed fixed upstream in + https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be + ingested in Workbench 2024.08.0 (expected within 1 week). + expires: 2024-08-07T00:00:00.000Z + created: 2024-07-31T17:46:24.852Z patch: {} diff --git a/workbench-for-microsoft-azure-ml/.snyk b/workbench-for-microsoft-azure-ml/.snyk index 095a845b..909ad99a 100644 --- a/workbench-for-microsoft-azure-ml/.snyk +++ b/workbench-for-microsoft-azure-ml/.snyk @@ -11,7 +11,10 @@ ignore: created: 2024-07-02T20:33:30.847Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737: - '*': - reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18' - expires: 2024-07-31T00:00:00.000Z - created: 2024-07-02T20:52:24.627Z + reason: >- + Confirmed fixed upstream in + https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be + ingested in Workbench 2024.08.0 (expected within 1 week). + expires: 2024-08-07T00:00:00.000Z + created: 2024-07-31T17:46:24.852Z patch: {} diff --git a/workbench/.snyk b/workbench/.snyk index 095a845b..909ad99a 100644 --- a/workbench/.snyk +++ b/workbench/.snyk 
@@ -11,7 +11,10 @@ ignore: created: 2024-07-02T20:33:30.847Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737: - '*': - reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18' - expires: 2024-07-31T00:00:00.000Z - created: 2024-07-02T20:52:24.627Z + reason: >- + Confirmed fixed upstream in + https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be + ingested in Workbench 2024.08.0 (expected within 1 week). + expires: 2024-08-07T00:00:00.000Z + created: 2024-07-31T17:46:24.852Z patch: {} From c50026bf723b6280c50b147f5fc9f4ed9f892d35 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 31 Jul 2024 13:47:36 -0600 Subject: [PATCH 2/3] Add .snyk ignores for r-session-complete and WGCW --- r-session-complete/.snyk | 9 ++++++--- workbench-for-google-cloud-workstations/.snyk | 5 +++++ 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/r-session-complete/.snyk b/r-session-complete/.snyk index 095a845b..909ad99a 100644 --- a/r-session-complete/.snyk +++ b/r-session-complete/.snyk @@ -11,7 +11,10 @@ ignore: created: 2024-07-02T20:33:30.847Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737: - '*': - reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18' - expires: 2024-07-31T00:00:00.000Z - created: 2024-07-02T20:52:24.627Z + reason: >- + Confirmed fixed upstream in + https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be + ingested in Workbench 2024.08.0 (expected within 1 week). + expires: 2024-08-07T00:00:00.000Z + created: 2024-07-31T17:46:24.852Z patch: {} diff --git a/workbench-for-google-cloud-workstations/.snyk b/workbench-for-google-cloud-workstations/.snyk index 909ad99a..557b169d 100644 --- a/workbench-for-google-cloud-workstations/.snyk +++ b/workbench-for-google-cloud-workstations/.snyk 
@@ -17,4 +17,9 @@ ignore: ingested in Workbench 2024.08.0 (expected within 1 week). expires: 2024-08-07T00:00:00.000Z created: 2024-07-31T17:46:24.852Z + SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285: + - '*': + reason: Vulnerability in Google Cloud SDK. + expires: 2024-09-01T00:00:00.000Z + created: 2024-07-31T19:45:25.728Z patch: {} From 149995b15a0a689cbdfa8dc911c4678c42faa4f1 Mon Sep 17 00:00:00 2001 From: Ian Pittwood Date: Wed, 31 Jul 2024 13:50:11 -0600 Subject: [PATCH 3/3] Update checkout to v4 --- .github/workflows/build-bake-preview.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-bake-preview.yaml b/.github/workflows/build-bake-preview.yaml index c95dea69..641787f5 100644 --- a/.github/workflows/build-bake-preview.yaml +++ b/.github/workflows/build-bake-preview.yaml @@ -77,7 +77,7 @@ jobs: steps: - name: Check Out main Branch if: github.event.schedule == '0 8 * * *' - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: 'main' @@ -104,7 +104,7 @@ jobs: connect-daily: needs: [versions] - name: Connect Image - Daily + name: Connect - Daily runs-on: ubuntu-latest-4x env:
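Review bot: The new ignore for `SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285` gives only `Vulnerability in Google Cloud SDK.` as its reason, which is weaker than the entry the first patch of this series removed (that one cited the GCP bulletin `gcp-2024-023`) and says nothing about why a month-long suppression until `2024-09-01` is acceptable; put the bulletin or upstream issue link and the expected remediation (SDK version / image rebuild) in the reason. The `'*'` path scope also suppresses this golang.org/x/net finding wherever it appears in the image, not just under `/usr/lib/google-cloud-sdk` — the policy still governs the CLI exit code even though that directory is dropped from the SARIF by `SARIF_PATH_FILTERS`, so the ignore is needed, but as written it would equally hide the same ID in any other Go binary shipped in the image. If the policy format allows a narrower dependency path, scope it to the SDK; otherwise record in the reason that other occurrences were checked.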