Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upload Trivy DBs to GHCR #4430

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Upload Trivy DBs to GHCR #4430

wants to merge 9 commits into from
+58 −0

Conversation

asteel-gsa
Copy link
Contributor

@asteel-gsa asteel-gsa commented Nov 4, 2024
edited
Loading

Per this comment it was recommended to store the trivy DBs in our GHCR to reduce ratelimiting and TOOMANYREQUESTS.

This appears, at first glance, to be a lot more reliable, giving multiple sources pointing to the trivy dbs, so we will monitor this closely to determine if our daily TOOMANYREQUESTS is now solved.

2024-11-04T15:45:49Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="ghcr.io/gsa-tts/fac/trivy-db:2"
2024-11-04T15:45:49Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-04T15:45:49Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-11-04T15:45:49Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="ghcr.io/gsa-tts/fac/trivy-java-db:1"
2024-11-04T15:45:49Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="public.ecr.aws/aquasecurity/trivy-java-db:1"
2024-11-04T15:45:49Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="ghcr.io/aquasecurity/trivy-java-db:1"

PR Checklist: Submitter

  • Link to an issue if possible. If there’s no issue, describe what your branch does. Even if there is an issue, a brief description in the PR is still useful.
  • List any special steps reviewers have to follow to test the PR. For example, adding a local environment variable, creating a local test file, etc.
  • For extra credit, submit a screen recording like this one.
  • Make sure you’ve merged main into your branch shortly before creating the PR. (You should also be merging main into your branch regularly during development.)
  • Make sure you’ve accounted for any migrations. When you’re about to create the PR, bring up the application locally and then run git status | grep migrations. If there are any results, you probably need to add them to the branch for the PR. Your PR should have only one new migration file for each of the component apps, except in rare circumstances; you may need to delete some and re-run python manage.py makemigrations to reduce the number to one. (Also, unless in exceptional circumstances, your PR should not delete any migration files.)
  • Make sure that whatever feature you’re adding has tests that cover the feature. This includes test coverage to make sure that the previous workflow still works, if applicable.
  • Make sure the full-submission.cy.js Cypress test passes, if applicable.
  • Do manual testing locally. Our tests are not good enough yet to allow us to skip this step. If that’s not applicable for some reason, check this box.
  • Verify that no Git surgery was necessary, or, if it was necessary at any point, repeat the testing after it’s finished.
  • Once a PR is merged, keep an eye on it until it’s deployed to dev, and do enough testing on dev to verify that it deployed successfully, the feature works as expected, and the happy path for the broad feature area (such as submission) still works.
  • Ensure that prior to merging, the working branch is up to date with main and the terraform plan is what you expect.

PR Checklist: Reviewer

  • Pull the branch to your local environment and run make docker-clean; make docker-first-run && docker compose up; then run docker compose exec web /bin/bash -c "python manage.py test"
  • Manually test out the changes locally, or check this box to verify that it wasn’t applicable in this case.
  • Check that the PR has appropriate tests. Look out for changes in HTML/JS/JSON Schema logic that may need to be captured in Python tests even though the logic isn’t in Python.
  • Verify that no Git surgery is necessary at any point (such as during a merge party), or, if it was, repeat the testing after it’s finished.

The larger the PR, the stricter we should be about these points.

Pre Merge Checklist: Merger

  • Ensure that prior to approving, the terraform plan is what we expect it to be. -/+ resource "null_resource" "cors_header" should be destroying and recreating its self and ~ resource "cloudfoundry_app" "clamav_api" might be updating its sha256 for the fac-file-scanner and fac-av-${ENV} by default.
  • Ensure that the branch is up to date with main.
  • Ensure that a terraform plan has been recently generated for the pull request.

@asteel-gsa asteel-gsa requested a review from a team November 4, 2024 15:43
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 4, 2024
edited
Loading

Terraform plan for meta

No changes. Your infrastructure matches the configuration. 
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Warning: Argument is deprecated

  with module.s3-backups.cloudfoundry_service_instance.bucket,
  on /tmp/terraform-data-dir/modules/s3-backups/s3/main.tf line 14, in resource "cloudfoundry_service_instance" "bucket":
  14:   recursive_delete = var.recursive_delete

Since CF API v3, recursive delete is always done on the cloudcontroller side.
This will be removed in future releases

📝 Plan generated in Pull Request Checks #3890

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 4, 2024
edited
Loading

Terraform plan for dev

Plan: 1 to add, 2 to change, 1 to destroy. 
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.dev.module.clamav.cloudfoundry_app.clamav_api will be updated in-place
!~  resource "cloudfoundry_app" "clamav_api" {
!~      docker_image                    = "ghcr.io/gsa-tts/fac/clamav@sha256:e6f7ded85a1a59c9c8d9ea24d7165d1bb8332f49291e211e2d6e12fc13ac9131" -> "ghcr.io/gsa-tts/fac/clamav@sha256:d9939eb2fb908460f98dac636d4a9d7cb7f0befa08db7ae67bacbee9fa4967a2"
        id                              = "779bbc51-f78a-4186-90eb-5acb68d7d746"
        name                            = "fac-av-dev"
#        (17 unchanged attributes hidden)

#        (1 unchanged block hidden)
    }

  # module.dev.module.cors.null_resource.cors_header must be replaced
-/+ resource "null_resource" "cors_header" {
!~      id       = "*******************" -> (known after apply)
!~      triggers = { # forces replacement
!~          "always_run" = "2024-10-31T16:57:29Z" -> (known after apply)
        }
    }

  # module.dev.module.file_scanner_clamav.cloudfoundry_app.clamav_api will be updated in-place
!~  resource "cloudfoundry_app" "clamav_api" {
!~      docker_image                    = "ghcr.io/gsa-tts/fac/clamav@sha256:e6f7ded85a1a59c9c8d9ea24d7165d1bb8332f49291e211e2d6e12fc13ac9131" -> "ghcr.io/gsa-tts/fac/clamav@sha256:d9939eb2fb908460f98dac636d4a9d7cb7f0befa08db7ae67bacbee9fa4967a2"
        id                              = "65c83416-4126-4785-99c2-5e1adb810422"
        name                            = "fac-av-dev-fs"
#        (17 unchanged attributes hidden)

#        (1 unchanged block hidden)
    }

Plan: 1 to add, 2 to change, 1 to destroy.

Warning: Argument is deprecated

  with module.dev-backups-bucket.cloudfoundry_service_instance.bucket,
  on /tmp/terraform-data-dir/modules/dev-backups-bucket/s3/main.tf line 14, in resource "cloudfoundry_service_instance" "bucket":
  14:   recursive_delete = var.recursive_delete

Since CF API v3, recursive delete is always done on the cloudcontroller side.
This will be removed in future releases

(and 6 more similar warnings elsewhere)

📝 Plan generated in Pull Request Checks #3890

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 4, 2024

Code Coverage

Package Line Rate Branch Rate Health
. 100% 100%
api 98% 90%
audit 97% 87%
audit.cross_validation 98% 86%
audit.fixtures 84% 50%
audit.intakelib 90% 81%
audit.intakelib.checks 92% 85%
audit.intakelib.common 98% 82%
audit.intakelib.transforms 100% 94%
audit.management.commands 78% 17%
audit.migrations 100% 100%
audit.models 93% 75%
audit.templatetags 100% 100%
audit.views 61% 40%
census_historical_migration 96% 65%
census_historical_migration.migrations 100% 100%
census_historical_migration.sac_general_lib 92% 84%
census_historical_migration.transforms 95% 90%
census_historical_migration.workbooklib 68% 69%
config 78% 17%
curation 100% 100%
curation.curationlib 57% 100%
curation.migrations 100% 100%
dissemination 91% 72%
dissemination.migrations 97% 25%
dissemination.searchlib 74% 64%
dissemination.templatetags 100% 100%
djangooidc 53% 38%
djangooidc.tests 100% 94%
report_submission 93% 88%
report_submission.migrations 100% 100%
report_submission.templatetags 74% 100%
support 95% 78%
support.management.commands 96% 100%
support.migrations 100% 100%
support.models 97% 83%
tools 98% 50%
users 98% 100%
users.fixtures 100% 83%
users.management 100% 100%
users.management.commands 100% 100%
users.migrations 100% 100%
Summary 91% (17130 / 18906) 77% (2115 / 2764)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@asteel-gsa