Bump dependencies and include more image details in VulnerabilityRepo…

…rt (#232) * fix typo * update Makefile * add .golangci.yml * extract annotation name to a const * rename parameter * update autogenerated files * update autogenerated files * update and test popeye category parser function * using fmt.Errorf instead of errors.New * extract vuln report name to a function * fix exportloopref * rename parameters * pre alloc slice * ignore .vscode * update k8s.io dependencies to v0.28.3 * add BinaryAssetsDirectory in suite_test.go * bump kube-rbac-proxy to v0.15.0 * update descriptions in plugin CRD * exclude lll linters from tests * exclude lll linter with go directive * update Makefile * bump marvin version to v0.2.1 * bump slok/kube-code-generator to v1.27.0 and regenerate client * bump trivy version to v0.48.2 and update parse functions * bump kubexns to v0.1.2 * requires digest in VulnerabilityReport * add publishedDate and lastModifiedDate fields in vulnerability report * chore: add cluster UID label in clusterissues and vulnerabilityreports
undistro · Jan 12, 2024 · 5162018 · 5162018
1 parent d548f6b
commit 5162018
Show file tree

Hide file tree

Showing 56 changed files with 2,250 additions and 789 deletions.
diff --git a/.gitignore b/.gitignore
@@ -20,6 +20,7 @@ Dockerfile.cross
 
 # editor and IDE paraphernalia
 .idea
+.vscode
 *.swp
 *.swo
 *~

diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,57 @@
+# Copyright 2024 Undistro Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+run:
+  deadline: 5m
+  allow-parallel-runners: true
+
+issues:
+  # don't skip warning about doc comments
+  # don't exclude the default set of lint
+  exclude-use-default: false
+  # restore some of the defaults
+  # (fill in the rest as needed)
+  exclude-rules:
+    - path: "api/*"
+      linters:
+        - lll
+    - path: "internal/*"
+      linters:
+        - dupl
+        - lll
+    - path: "_test.go"
+      linters:
+        - lll
+linters:
+  disable-all: true
+  enable:
+    - dupl
+    - errcheck
+    - exportloopref
+    - goconst
+    - gocyclo
+    - gofmt
+    - goimports
+    - gosimple
+    - govet
+    - ineffassign
+    - lll
+    - misspell
+    - nakedret
+    - prealloc
+    - staticcheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
diff --git a/Makefile b/Makefile
@@ -61,7 +61,7 @@ generate-client:  ## Generate client
 		-e GROUPS_VERSION="zora:v1alpha1" \
 		-e GENERATION_TARGETS="client" \
 		-e BOILERPLATE_PATH="hack/boilerplate.go.txt" \
-		quay.io/slok/kube-code-generator:v1.26.0
+		ghcr.io/slok/kube-code-generator:v1.27.0
 
 .PHONY: generate-helm-docs
 generate-helm-docs: helm-docs ## Generate documentation for helm chart.
@@ -83,6 +83,14 @@ check-license: ## Check license headers.
 test: manifests generate fmt vet envtest ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
 
+.PHONY: lint
+lint: golangci-lint ## Run golangci-lint linter & yamllint
+	$(GOLANGCI_LINT) run
+
+.PHONY: lint-fix
+lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
+	$(GOLANGCI_LINT) run --fix
+
 ##@ Build
 
 .PHONY: build
@@ -192,22 +200,23 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 ADDLICENSE ?= $(LOCALBIN)/addlicense
 HELM_DOCS ?= $(LOCALBIN)/helm-docs
 KIND ?= $(LOCALBIN)/kind
+GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
 
 ## Tool Versions
-KUSTOMIZE_VERSION ?= v5.0.0
-CONTROLLER_TOOLS_VERSION ?= v0.11.3
-HELM_DOCS_VERSION ?= v1.11.2
+KUSTOMIZE_VERSION ?= v5.2.1
+CONTROLLER_TOOLS_VERSION ?= v0.13.0
+HELM_DOCS_VERSION ?= v1.12.0
 KIND_VERSION ?= v0.20.0
+GOLANGCI_LINT_VERSION ?= v1.54.2
 
-KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.
 $(KUSTOMIZE): $(LOCALBIN)
 	@if test -x $(LOCALBIN)/kustomize && ! $(LOCALBIN)/kustomize version | grep -q $(KUSTOMIZE_VERSION); then \
 		echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing."; \
 		rm -rf $(LOCALBIN)/kustomize; \
 	fi
-	test -s $(LOCALBIN)/kustomize || { curl -Ss $(KUSTOMIZE_INSTALL_SCRIPT) --output install_kustomize.sh && bash install_kustomize.sh $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN); rm install_kustomize.sh; }
+	test -s $(LOCALBIN)/kustomize || GOBIN=$(LOCALBIN) GO111MODULE=on go install sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION)
 
 .PHONY: controller-gen
 controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten.
@@ -234,3 +243,11 @@ $(HELM_DOCS): $(LOCALBIN)
 kind: $(KIND) ## Download kind locally if necessary
 $(KIND): $(LOCALBIN)
 	test -s $(LOCALBIN)/kind || GOBIN=$(LOCALBIN) go install sigs.k8s.io/kind@$(KIND_VERSION)
+
+.PHONY: golangci-lint
+golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary
+$(GOLANGCI_LINT): $(LOCALBIN)
+	@[ -f $(GOLANGCI_LINT) ] || { \
+	set -e ;\
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(shell dirname $(GOLANGCI_LINT)) $(GOLANGCI_LINT_VERSION) ;\
+	}
diff --git a/api/zora/v1alpha1/clusterissue_types.go b/api/zora/v1alpha1/clusterissue_types.go
@@ -28,13 +28,14 @@ const (
 	SeverityMedium  ClusterIssueSeverity = "Medium"
 	SeverityHigh    ClusterIssueSeverity = "High"
 
-	LabelScanID   = "scanID"
-	LabelCluster  = "cluster"
-	LabelSeverity = "severity"
-	LabelIssueID  = "id"
-	LabelCategory = "category"
-	LabelPlugin   = "plugin"
-	LabelCustom   = "custom"
+	LabelScanID     = "scanID"
+	LabelCluster    = "cluster"
+	LabelClusterUID = "clusterUID"
+	LabelSeverity   = "severity"
+	LabelIssueID    = "id"
+	LabelCategory   = "category"
+	LabelPlugin     = "plugin"
+	LabelCustom     = "custom"
 )
 
 // ClusterIssueSpec defines the desired state of ClusterIssue

diff --git a/api/zora/v1alpha1/clusterscan_types.go b/api/zora/v1alpha1/clusterscan_types.go
@@ -120,11 +120,11 @@ func (in *ClusterScanStatus) GetPluginStatus(name string) *PluginScanStatus {
 // SyncStatus updates ClusterScan status and time fields based on PluginStatus
 func (in *ClusterScanStatus) SyncStatus() {
 	var names, failed, active, complete []string
-	var sechedule, finishedTime, successful, next *metav1.Time
+	var schedule, finishedTime, successful, next *metav1.Time
 	for name, plugin := range in.Plugins {
 		names = append(names, name)
-		if sechedule == nil || sechedule.Before(plugin.LastScheduleTime) {
-			sechedule = plugin.LastScheduleTime
+		if schedule == nil || schedule.Before(plugin.LastScheduleTime) {
+			schedule = plugin.LastScheduleTime
 		}
 		if finishedTime == nil || finishedTime.Before(plugin.LastFinishedTime) {
 			finishedTime = plugin.LastFinishedTime
@@ -159,7 +159,7 @@ func (in *ClusterScanStatus) SyncStatus() {
 		status = "Active"
 	}
 
-	in.LastScheduleTime = sechedule
+	in.LastScheduleTime = schedule
 	in.LastFinishedTime = finishedTime
 	in.LastSuccessfulTime = successful
 	in.NextScheduleTime = next

diff --git a/api/zora/v1alpha1/vulnerabilityreport_types.go b/api/zora/v1alpha1/vulnerabilityreport_types.go
@@ -20,11 +20,13 @@ import (
 
 // VulnerabilityReportSpec defines the desired state of VulnerabilityReport
 type VulnerabilityReportSpec struct {
-	Cluster    string `json:"cluster"`
-	Image      string `json:"image"`
-	Repository string `json:"repository,omitempty"`
-	Tag        string `json:"tag,omitempty"`
-	Digest     string `json:"digest,omitempty"`
+	Cluster      string   `json:"cluster"`
+	Image        string   `json:"image"`
+	Digest       string   `json:"digest"`
+	Tags         []string `json:"tags,omitempty"`
+	Architecture string   `json:"architecture,omitempty"`
+	OS           string   `json:"os,omitempty"`
+	Distro       *Distro  `json:"distro,omitempty"`
 
 	TotalResources  int                 `json:"totalResources"`
 	Resources       map[string][]string `json:"resources"`
@@ -34,17 +36,24 @@ type VulnerabilityReportSpec struct {
 }
 
 type Vulnerability struct {
-	ID          string `json:"id"`
-	Severity    string `json:"severity"`
-	Title       string `json:"title"`
-	Description string `json:"description,omitempty"`
-	Package     string `json:"package"`
-	Version     string `json:"version"`
-	FixVersion  string `json:"fixVersion,omitempty"`
-	URL         string `json:"url,omitempty"`
-	Status      string `json:"status,omitempty"`
-	Type        string `json:"type,omitempty"`
-	Score       string `json:"score,omitempty"`
+	ID               string       `json:"id"`
+	Severity         string       `json:"severity"`
+	Title            string       `json:"title"`
+	Description      string       `json:"description,omitempty"`
+	Package          string       `json:"package"`
+	Version          string       `json:"version"`
+	FixVersion       string       `json:"fixVersion,omitempty"`
+	URL              string       `json:"url,omitempty"`
+	Status           string       `json:"status,omitempty"`
+	Type             string       `json:"type,omitempty"`
+	Score            string       `json:"score,omitempty"`
+	PublishedDate    *metav1.Time `json:"publishedDate,omitempty"`
+	LastModifiedDate *metav1.Time `json:"lastModifiedDate,omitempty"`
+}
+
+type Distro struct {
+	Name    string `json:"name,omitempty"`
+	Version string `json:"version,omitempty"`
 }
 
 type VulnerabilitySummary struct {

diff --git a/api/zora/v1alpha1/zz_generated.deepcopy.go b/api/zora/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/zora/README.md b/charts/zora/README.md
@@ -82,7 +82,7 @@ The following table lists the configurable parameters of the Zora chart and thei
 | operator.serviceMonitor.enabled | bool | `false` | Specifies whether a Prometheus `ServiceMonitor` should be enabled |
 | operator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `manager` container |
 | operator.rbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | `kube-rbac-proxy` image repository |
-| operator.rbacProxy.image.tag | string | `"v0.14.1"` | `kube-rbac-proxy` image tag |
+| operator.rbacProxy.image.tag | string | `"v0.15.0"` | `kube-rbac-proxy` image tag |
 | operator.rbacProxy.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | operator.rbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context) to add to `kube-rbac-proxy` container |
 | operator.rbacProxy.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"5m","memory":"64Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `kube-rbac-proxy` container |
@@ -105,18 +105,18 @@ The following table lists the configurable parameters of the Zora chart and thei
 | scan.worker.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
 | scan.plugins.marvin.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `marvin` container |
 | scan.plugins.marvin.image.repository | string | `"ghcr.io/undistro/marvin"` | marvin plugin image repository |
-| scan.plugins.marvin.image.tag | string | `"v0.2.0"` | marvin plugin image tag |
+| scan.plugins.marvin.image.tag | string | `"v0.2.1"` | marvin plugin image tag |
 | scan.plugins.trivy.ignoreUnfixed | bool | `false` | Specifies whether only fixed vulnerabilities should be reported |
 | scan.plugins.trivy.ignoreDescriptions | bool | `false` | Specifies whether vulnerability descriptions should be ignored |
 | scan.plugins.trivy.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `trivy` container |
 | scan.plugins.trivy.image.repository | string | `"ghcr.io/aquasecurity/trivy"` | trivy plugin image repository |
-| scan.plugins.trivy.image.tag | string | `"0.45.1"` | trivy plugin image tag |
+| scan.plugins.trivy.image.tag | string | `"0.48.2"` | trivy plugin image tag |
 | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml |
 | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container |
 | scan.plugins.popeye.image.repository | string | `"ghcr.io/undistro/popeye"` | popeye plugin image repository |
 | scan.plugins.popeye.image.tag | string | `"pr252"` | popeye plugin image tag |
 | kubexnsImage.repository | string | `"ghcr.io/undistro/kubexns"` | kubexns image repository |
-| kubexnsImage.tag | string | `"v0.1.1"` | kubexns image tag |
+| kubexnsImage.tag | string | `"v0.1.2"` | kubexns image tag |
 | customChecksConfigMap | string | `"zora-custom-checks"` | Custom checks ConfigMap name |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

diff --git a/charts/zora/crds/zora.undistro.io_clusterissues.yaml b/charts/zora/crds/zora.undistro.io_clusterissues.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Undistro Authors
+# Copyright 2024 Undistro Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: clusterissues.zora.undistro.io
 spec:
   group: zora.undistro.io

diff --git a/charts/zora/crds/zora.undistro.io_clusters.yaml b/charts/zora/crds/zora.undistro.io_clusters.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Undistro Authors
+# Copyright 2024 Undistro Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,8 +17,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: clusters.zora.undistro.io
 spec:
   group: zora.undistro.io
-Original file line number
+Diff line change
@@ Expand Up / @@ -20,6 +20,7 @@ Dockerfile.cross @@
     # editor and IDE paraphernalia
     .idea
+    .vscode
     *.swp
     *.swo
     *~
@@ Expand Down @@