RELEASE #1541

Merged
merged 3 commits into from
Oct 23, 2024
8 changes: 6 additions & 2 deletions .circleci/config.yml
@@ -486,7 +486,9 @@ workflows:
MERGE_TO_STAGING:
jobs:
- build_image:
context: analysis_test-enrichment
context:
- analysis_test-enrichment
- go-private-modules
filters:
branches:
only:
@@ -543,7 +545,9 @@ workflows:
- staging
- master
- build_image:
context: analysis_test-enrichment
context:
- analysis_test-enrichment
- go-private-modules
requires:
- Scan repository for secrets
- Security Scans
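Review bot: `go-private-modules` is attached at the job level in both `build_image` entries, so every step of that job can read its variables, not only the image build that fetches the private Go module. The context's contents are not visible here; if it holds a GitHub token, that token should be read-only and limited to the one private repository, and the context restricted to the group that owns this project. A short comment above each list would record why it is there, e.g. `# go-private-modules: read-only token for the private Go module fetched during the image build`. Both job definitions continue outside the hunks.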
28 changes: 17 additions & 11 deletions .snyk
@@ -4,20 +4,26 @@ version: v1.25.0
ignore:
SNYK-JS-BRACES-6838727:
- '*':
reason: >-
Waiting for a patch: https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727
expires: 2024-12-19T12:00:00.000Z
created: 2024-05-16T12:00:00.000Z
SNYK-JS-MICROMATCH-6838728:
reason: devDependency
expires: 2025-12-01T12:00:00.000Z
created: 2024-10-23T12:00:00.000Z
SNYK-JS-INFLIGHT-6095116:
- '*':
reason: Waiting for upstream fix
expires: 2025-01-10T12:00:00.000Z
created: 2024-10-23T12:00:00.000Z
SNYK-JS-REQUEST-3361831:
- '*':
reason: >-
Waiting for a patch: https://security.snyk.io/vuln/SNYK-JS-MICROMATCH-6838728
expires: 2024-12-19T12:00:00.000Z
created: 2024-05-16T12:00:00.000Z
SNYK-JS-JSONPATHPLUS-7945884:
Waiting for @kubernetes/client-node fetch migration
https://github.com/kubernetes-client/javascript/blob/master/FETCH_MIGRATION.md
expires: 2025-01-10T12:00:00.000Z
created: 2024-10-23T12:00:00.000Z
SNYK-JS-TOUGHCOOKIE-5672873:
- '*':
reason: >-
Waiting for transient dependency to update
expires: 2024-12-19T12:00:00.000Z
Waiting for @kubernetes/client-node fetch migration
https://github.com/kubernetes-client/javascript/blob/master/FETCH_MIGRATION.md
expires: 2025-01-10T12:00:00.000Z
created: 2024-10-23T12:00:00.000Z
patch: {}
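Review bot: The `SNYK-JS-BRACES-6838727` ignore appears to end up with `reason: devDependency` and `expires: 2025-12-01T12:00:00.000Z`, more than a year out, while the other entries expire on 2025-01-10 or earlier; the +/- markers are lost on this page, so confirm which side those lines are on. Under the `'*'` path the ignore covers every dependency path to that package, so it would also hide the issue if the package later arrives through a production dependency. Consider an expiry in line with the other entries, e.g. `expires: 2025-01-10T12:00:00.000Z`, or narrowing the path to the dev-only chain. The `reason` text on the two @kubernetes/client-node entries, which links the upstream migration, is a good model for the rest.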
21 changes: 11 additions & 10 deletions Dockerfile
@@ -1,19 +1,19 @@
#---------------------------------------------------------------------
# STAGE 1: Build credential helpers inside a temporary container
#---------------------------------------------------------------------
FROM golang:alpine AS cred-helpers-build

RUN apk update
RUN apk upgrade
RUN apk --no-cache add git
FROM --platform=linux/amd64 golang:1.23 AS cred-helpers-build

RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@bef5bd9384b752e5c645659165746d5af23a098a
RUN go install github.com/chrismellard/docker-credential-acr-env@82a0ddb2758901b711d9d1614755b77e401598a1
RUN --mount=type=secret,id=gh_token,required=true \
git config --global url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf "https://github.com/snyk" && \
go env -w GOPRIVATE=github.com/snyk && \
go install github.com/snyk/docker-credential-acr-env@8fa416c5b20b174e9032df1899843b4ebe2adda8 && \
git config --global --unset url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf

#---------------------------------------------------------------------
# STAGE 2: Build the kubernetes-monitor
# STAGE 2: Build kubernetes-monitor application
#---------------------------------------------------------------------
FROM node:18-alpine3.20
FROM --platform=linux/amd64 node:18-alpine3.20

LABEL name="Snyk Controller" \
maintainer="[email protected]" \
@@ -23,7 +23,7 @@ LABEL name="Snyk Controller" \

COPY LICENSE /licenses/LICENSE

ENV NODE_ENV production
ENV NODE_ENV=production

RUN apk update
RUN apk upgrade
@@ -34,7 +34,8 @@ RUN adduser -S -G snyk -h /srv/app -u 10001 snyk

# Install gcloud
RUN curl -sL https://sdk.cloud.google.com > /install.sh
RUN bash /install.sh --disable-prompts --install-dir=/ && rm -rf /google-cloud-sdk/platform
RUN bash /install.sh --disable-prompts --install-dir=/ && \
rm -rf /google-cloud-sdk/platform /google-cloud-sdk/bin/anthoscli /google-cloud-sdk/bin/gcloud-crc32c
ENV PATH=/google-cloud-sdk/bin:$PATH
RUN rm /install.sh
RUN apk del curl bash
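Review bot: The `RUN --mount=type=secret,id=gh_token` step in stage 1 writes the token into the global git config as part of an `insteadOf` URL and depends on the trailing `git config --global --unset` to remove it; Dockerfile.ubi9 adds the same step. The secret mount keeps the token out of the image history, but it still reaches disk inside the layer being built, and some git versions leave the emptied `[url "…"]` section header behind after `--unset`, which would retain the token — worth confirming for the git in `golang:1.23`. A token embedded in a URL can also show up in git or go error output in the CI log when a fetch fails. Supplying the rewrite through git's `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` environment variables for that one command keeps it off disk and makes the cleanup unnecessary, as in the excerpt below. Whether this stage or its build cache is ever exported is not visible here.

```dockerfile
# USERINFO_PLACEHOLDER stands for the user part of the original insteadOf URL
RUN --mount=type=secret,id=gh_token,required=true \
    GIT_CONFIG_COUNT=1 \
    GIT_CONFIG_KEY_0="url.https://$(cat /run/secrets/gh_token):USERINFO_PLACEHOLDER@github.com/snyk.insteadOf" \
    GIT_CONFIG_VALUE_0="https://github.com/snyk" \
    GOPRIVATE=github.com/snyk \
    go install github.com/snyk/docker-credential-acr-env@8fa416c5b20b174e9032df1899843b4ebe2adda8
```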
42 changes: 17 additions & 25 deletions Dockerfile.ubi9
@@ -1,16 +1,19 @@
# syntax=docker/dockerfile:1
#---------------------------------------------------------------------
# PRE-BUILD STAGE: Build the acr credential helper binary
# This is due to the fact that the acr credential helper is not being actively released
# STAGE 1: Build credential helpers inside a temporary container
#---------------------------------------------------------------------
FROM --platform=linux/amd64 golang:1.16 as cred-helpers-build
FROM --platform=linux/amd64 golang:1.23 as cred-helpers-build

RUN go install github.com/chrismellard/docker-credential-acr-env@82a0ddb2758901b711d9d1614755b77e401598a1
RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@bef5bd9384b752e5c645659165746d5af23a098a
RUN --mount=type=secret,id=gh_token,required=true \
git config --global url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf "https://github.com/snyk" && \
go env -w GOPRIVATE=github.com/snyk && \
go install github.com/snyk/docker-credential-acr-env@8fa416c5b20b174e9032df1899843b4ebe2adda8 && \
git config --global --unset url."https://$(cat /run/secrets/gh_token):[email protected]/snyk".insteadOf

#---------------------------------------------------------------------
# STAGE 1: Build kubernetes-monitor application
# STAGE 2: Build kubernetes-monitor application
#---------------------------------------------------------------------
FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/nodejs-18:1-84 AS build
FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/nodejs-18:1-123 AS build

ENV NODE_ENV production

@@ -26,14 +29,14 @@ COPY --chown=1001:1001 . ./
RUN npm run build

#---------------------------------------------------------------------
# STAGE 2: Install containers-common to obtain configuration files
# STAGE 3: Install containers-common to obtain configuration files
#---------------------------------------------------------------------
FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi:9.4 AS containers-common

RUN dnf install -y containers-common

#---------------------------------------------------------------------
# STAGE 3: Build the kubernetes-monitor final image
# STAGE 4: Build the kubernetes-monitor final image
#---------------------------------------------------------------------
FROM --platform=linux/amd64 registry.access.redhat.com/ubi9/ubi:9.4

@@ -43,14 +46,8 @@ ARG NODE_18_LATEST_VERSION_TAR_GZ_FILE_SHASUM256
ARG DUMB_INIT_VERSION=1.2.5
ARG DUMB_INIT_BINARY_FILE_SHASUM256=e874b55f3279ca41415d290c512a7ba9d08f98041b28ae7c2acb19a545f1c4df
# https://github.com/lework/skopeo-binary/releases
ARG SKOPEO_VERSION=1.13.2
ARG SKOPEO_BINARY_FILE_SHASUM256=2f00be6ee1c4cbfa7f2452be90a1a2ce88fd92a6d0f6a2e9d901bd2087bd9092
# https://github.com/awslabs/amazon-ecr-credential-helper/releases
# for sha: download SHA256 for the linux-amd64/docker-credential-ecr-login, then `cat docker-credential-ecr-login.sha256`
ARG ECR_CREDENTIAL_HELPER_VERSION=0.9.0
ARG ECR_CREDENTIAL_HELPER_BINARY_FILE_SHASUM256=dd6bd933e439ddb33b9f005ad5575705a243d4e1e3d286b6c82928bcb70e949a
# since this is built from a commit, you will need to build it locally to get the sha
ARG ACR_CREDENTIAL_HELPER_BINARY_SHASUM256=598bbd4ad2741ae2e68ac55e938a4542e71952e418e6278a74baf6213ef8ce76
ARG SKOPEO_VERSION=1.16.1
ARG SKOPEO_BINARY_FILE_SHASUM256=8813fb7fcd7a723196ac287683dd929d280f6fe7f0782eace452fe1e3ff2b7eb

LABEL name="Snyk Controller" \
maintainer="[email protected]" \
@@ -60,7 +57,7 @@ LABEL name="Snyk Controller" \

COPY LICENSE /licenses/LICENSE

ENV NODE_ENV production
ENV NODE_ENV=production

RUN yum upgrade -y

@@ -83,17 +80,12 @@ COPY --chown=snyk:snyk --from=containers-common /etc/containers/registries.d/def
COPY --chown=snyk:snyk --from=containers-common /etc/containers/policy.json /etc/containers/policy.json

# Install credential helpers
RUN curl -sSfLo /usr/local/bin/docker-credential-ecr-login "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${ECR_CREDENTIAL_HELPER_VERSION}/linux-amd64/docker-credential-ecr-login" && \
chmod 755 /usr/local/bin/docker-credential-ecr-login && \
echo "${ECR_CREDENTIAL_HELPER_BINARY_FILE_SHASUM256} /usr/local/bin/docker-credential-ecr-login" | sha256sum --check --status
COPY --chown=snyk:snyk --from=cred-helpers-build /go/bin/docker-credential-ecr-login /usr/bin/docker-credential-ecr-login
COPY --chown=snyk:snyk --from=cred-helpers-build /go/bin/docker-credential-acr-env /usr/local/bin/docker-credential-acr-env
RUN echo "${ACR_CREDENTIAL_HELPER_BINARY_SHASUM256} /usr/local/bin/docker-credential-acr-env" | sha256sum --check --status


# Install gcloud
RUN curl -sSfL https://sdk.cloud.google.com | bash -s -- --disable-prompts --install-dir=/ && \
rm -f /google-cloud-sdk/bin/anthoscli && \
rm -rf /google-cloud-sdk/platform
rm -rf /google-cloud-sdk/platform /google-cloud-sdk/bin/anthoscli /google-cloud-sdk/bin/gcloud-crc32c
ENV PATH=/google-cloud-sdk/bin:$PATH

# Install node
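Review bot: The `COPY --chown=snyk:snyk --from=cred-helpers-build … /usr/bin/docker-credential-ecr-login` line under "Install credential helpers" makes the helper owned by the `snyk` account, as the ACR line next to it does; if that is the account the container runs as, the process can overwrite the binaries that handle its registry credentials. Dropping `--chown` leaves them root-owned: `COPY --from=cred-helpers-build /go/bin/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login`. That form also puts both helpers in one directory, where the section currently installs one under /usr/bin and the other under /usr/local/bin. With the SHA-256 checks for the helpers no longer present, their integrity rests on the pinned commits and on the floating `golang:1.23` tag, so pinning that base image by digest would give the build a fixed input again.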
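--- a/jest-environment-fail-fast.ts
+++ b/jest-environment-fail-fast.ts
@@ -0,0 +1,19 @@
+import type { Circus } from '@jest/types';
+import { TestEnvironment } from 'jest-environment-node';
+
+class FailFastEnvironment extends TestEnvironment {
+failedTest = false;
+
+async handleTestEvent(event: Circus.Event, state: Circus.State) {
+if (event.name === 'hook_failure' || event.name === 'test_fn_failure') {
+this.failedTest = true;
+} else if (this.failedTest && event.name === 'test_start') {
+event.test.mode = 'skip';
+}
+
+// @ts-ignore
+if (super.handleTestEvent) await super.handleTestEvent(event, state);
+}
+}
+
+export default FailFastEnvironment;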
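Review bot: `// @ts-ignore` above the `super.handleTestEvent` call silences any error on that line, including ones introduced later; `// @ts-expect-error -- base class may not define handleTestEvent` states the reason and flags the suppression once it is no longer needed. The class also has no doc comment, and its scope is easy to misread: `failedTest` is an instance field, so the skip presumably applies only to tests that share this environment instance. A TSDoc block on `FailFastEnvironment` saying that after the first `hook_failure` or `test_fn_failure` every later `test_start` is switched to `skip` would cover it.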
9 changes: 3 additions & 6 deletions jest.config.js
@@ -1,19 +1,16 @@
module.exports = {
preset: "ts-jest",
testEnvironment: "node",
testEnvironment: './jest-environment-fail-fast.ts',
testRunner: 'jest-circus/runner',
testMatch: ["<rootDir>/test/**/*.spec.ts"],
testTimeout: 900000, // 15 minutes. Must match UPSTREAM_POLLING_CONFIGURATION in test/helpers/kubernetes-upstream.ts
bail: true,
clearMocks: true,
errorOnDeprecated: true,

/** https://github.com/facebook/jest/issues/2867#issuecomment-546592968 */
setupFilesAfterEnv: ["./jest.setup-after-env.js"],

// TODO: This is here until a bug in Jest (which in turn affects ts-jest) is resolved.
// This is here until a bug in Jest (which in turn affects ts-jest) is resolved.
// It affects our CI/CD runs and makes the machine run out of memory.
// https://github.com/facebook/jest/issues/10550
// https://snyk.slack.com/archives/CLW30N31V/p1602232569018000?thread_ts=1602230753.017500&cid=CLW30N31V
globals: {
"ts-jest": {
isolatedModules: true,
4 changes: 0 additions & 4 deletions jest.setup-after-env.js

This file was deleted.
