From b8cabda91595b2106974a0445ed69032f3e4b61c Mon Sep 17 00:00:00 2001
From: welpaolo
Date: Tue, 17 Sep 2024 13:12:14 +0200
Subject: [PATCH] [DPE-5350][DPE-5416] Add sbom generation in CI (#107)
---
 .github/workflows/trivy.yml | 23 ++++++++++++++++--
 tests/integration/setup-aws-cli.sh | 37 +++++++++++++++++++++++++----
 tests/integration/utils/s3-utils.sh | 24 +++++++++++++++----
 3 files changed, 73 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 27666359..b1b02a08 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -3,12 +3,13 @@ on:
 push:
 branches:
 - 3.4-22.04/edge
+ - dpe-5350-3.4 # tmp to test new action.
 pull_request:
 jobs:
 build:
 uses: ./.github/workflows/build.yaml
 scan:
- name: Trivy scan
+ name: Trivy scan and sbom generation
 needs: build
 runs-on: ubuntu-20.04
 steps:
@@ -46,4 +47,22 @@ jobs:
 uses: github/codeql-action/upload-sarif@v2
 if: always()
 with:
- sarif_file: 'trivy-results.sarif'
\ No newline at end of file
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ scan-type: 'image'
+ format: 'spdx-json'
+ output: 'dependency-results.sbom.json'
+ image-ref: 'trivy/charmed-spark:test'
+ github-pat: ${{ secrets.GITHUB_TOKEN }}
+ severity: "MEDIUM,HIGH,CRITICAL"
+ scanners: "vuln"
+
+ - name: Upload trivy report as a Github artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-sbom-report
+ path: '${{ github.workspace }}/dependency-results.sbom.json'
+ retention-days: 90
diff --git a/tests/integration/setup-aws-cli.sh b/tests/integration/setup-aws-cli.sh
index a6386697..9966ffd2 100755
--- a/tests/integration/setup-aws-cli.sh
+++ b/tests/integration/setup-aws-cli.sh
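Review bot: The new `dpe-5350-3.4` entry under `push.branches` is annotated `# tmp to test new action.` and is a feature-branch trigger that should not land on the release branch; once the SBOM job has been exercised, drop the line so the triggers stay `3.4-22.04/edge` and pull requests only. If trying workflow changes from an arbitrary branch is still wanted, adding `workflow_dispatch:` next to `push`/`pull_request` does that without editing the branch list per experiment.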
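Review bot: The step titled `Run Trivy in GitHub SBOM mode and submit results to Dependency Graph` sets `format: 'spdx-json'`, but as far as I know trivy-action only submits to the Dependency Graph when `format: 'github'` is used, so with this configuration `github-pat: ${{ secrets.GITHUB_TOKEN }}` is unused and nothing reaches the dependency graph — the SPDX file is only written to disk and uploaded by the next step. Either rename the step to say what it does, or switch to `format: 'github'` and give the job `permissions: contents: write`, which the dependency-submission API needs and which the visible part of the workflow does not declare. `severity: "MEDIUM,HIGH,CRITICAL"` and `scanners: "vuln"` most likely have no effect on an SPDX SBOM either, so they can go. Separately, `aquasecurity/trivy-action@0.20.0` and `actions/upload-artifact@v4` are pinned by mutable tag; for a job whose purpose is supply-chain visibility, pinning to a full commit SHA (with the tag in a trailing comment) is the stronger choice.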
@@ -2,14 +2,41 @@
 # Install AWS CLI
 sudo snap install aws-cli --classic
-
+set -x
 get_s3_endpoint(){
- # Get S3 endpoint from MinIO
- kubectl get service minio -n minio-operator -o jsonpath='{.spec.clusterIP}'
+ # Print the endpoint where the S3 bucket is exposed on.
+ kubectl get service minio -n minio-operator -o jsonpath='{.spec.clusterIP}'
+}
+
+
+get_s3_access_key(){
+ # Print the S3 Access Key by reading it from K8s secret or by outputting the default value
+ kubectl get secret -n minio-operator microk8s-user-1 &> /dev/null
+ if [ $? -eq 0 ]; then
+ # echo "Use access-key from secret"
+ access_key=$(kubectl get secret -n minio-operator microk8s-user-1 -o jsonpath='{.data.CONSOLE_ACCESS_KEY}' | base64 -d)
+ else
+ # echo "use default access-key"
+ access_key="minio"
+ fi
+ echo "$access_key"
 }
+get_s3_secret_key(){
+ # Print the S3 Secret Key by reading it from K8s secret or by outputting the default value
+ kubectl get secret -n minio-operator microk8s-user-1 &> /dev/null
+ if [ $? -eq 0 ]; then
+ # echo "Use access-key from secret"
+ secret_key=$(kubectl get secret -n minio-operator microk8s-user-1 -o jsonpath='{.data.CONSOLE_SECRET_KEY}' | base64 -d)
+ else
+ # echo "use default access-key"
+ secret_key="minio123"
+ fi
+ echo "$secret_key"
+}
+
 wait_and_retry(){
 # Retry a command for a number of times by waiting a few seconds.
@@ -37,8 +64,8 @@ wait_and_retry get_s3_endpoint
 S3_ENDPOINT=$(get_s3_endpoint)
 DEFAULT_REGION="us-east-2"
-ACCESS_KEY=$(kubectl get secret -n minio-operator microk8s-user-1 -o jsonpath='{.data.CONSOLE_ACCESS_KEY}' | base64 -d)
-SECRET_KEY=$(kubectl get secret -n minio-operator microk8s-user-1 -o jsonpath='{.data.CONSOLE_SECRET_KEY}' | base64 -d)
+ACCESS_KEY=$(get_s3_access_key)
+SECRET_KEY=$(get_s3_secret_key)
 # Configure AWS CLI credentials
 aws configure set aws_access_key_id $ACCESS_KEY
diff --git a/tests/integration/utils/s3-utils.sh b/tests/integration/utils/s3-utils.sh
index 9008f0e8..7c318aba 100644
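Review bot: `set -x` is switched on for the whole script, and because xtrace prints expanded assignments, the decoded MinIO secret key will appear in the CI log at `SECRET_KEY=$(get_s3_secret_key)` in the second hunk and again at the `aws configure set aws_secret_access_key` line that follows it. The `set -x` line reads like leftover debugging, so remove it, or at least disable tracing around the credential handling with `set +x`. In `get_s3_access_key` and `get_s3_secret_key` the `kubectl get secret … &> /dev/null` followed by `if [ $? -eq 0 ]; then` can be written `if kubectl get secret -n minio-operator microk8s-user-1 &> /dev/null; then`, and the comment `# echo "Use access-key from secret"` in `get_s3_secret_key` is a copy-paste from the access-key function; both points apply equally to the two functions in the `tests/integration/utils/s3-utils.sh` hunk. These two functions are also verbatim copies of the ones in `s3-utils.sh`, so if that file can be sourced from here, sourcing it would leave a single definition of the fallback logic to maintain.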
--- a/tests/integration/utils/s3-utils.sh
+++ b/tests/integration/utils/s3-utils.sh
@@ -20,14 +20,30 @@ get_s3_endpoint(){
 get_s3_access_key(){
- # Print the S3 Access Key by reading it from K8s secret
- kubectl get secret -n minio-operator microk8s-user-1 -o jsonpath='{.data.CONSOLE_ACCESS_KEY}' | base64 -d
+ # Print the S3 Access Key by reading it from K8s secret or by outputting the default value
+ kubectl get secret -n minio-operator microk8s-user-1 &> /dev/null
+ if [ $? -eq 0 ]; then
+ # echo "Use access-key from secret"
+ access_key=$(kubectl get secret -n minio-operator microk8s-user-1 -o jsonpath='{.data.CONSOLE_ACCESS_KEY}' | base64 -d)
+ else
+ # echo "use default access-key"
+ access_key="minio"
+ fi
+ echo "$access_key"
 }
 get_s3_secret_key(){
- # Print the S3 Secret Key by reading it from K8s secret
- kubectl get secret -n minio-operator microk8s-user-1 -o jsonpath='{.data.CONSOLE_SECRET_KEY}' | base64 -d
+ # Print the S3 Secret Key by reading it from K8s secret or by outputting the default value
+ kubectl get secret -n minio-operator microk8s-user-1 &> /dev/null
+ if [ $? -eq 0 ]; then
+ # echo "Use access-key from secret"
+ secret_key=$(kubectl get secret -n minio-operator microk8s-user-1 -o jsonpath='{.data.CONSOLE_SECRET_KEY}' | base64 -d)
+ else
+ # echo "use default access-key"
+ secret_key="minio123"
+ fi
+ echo "$secret_key"
 }
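Review bot: When the `microk8s-user-1` secret is absent, both functions now fall back to the well-known defaults `minio`/`minio123` without any trace, so a misconfigured deployment is indistinguishable from the intended one until an S3 call fails; the `# echo` lines were presumably commented out because stdout is captured by `$(...)`, so `echo "microk8s-user-1 secret not found, using default access key" >&2` in each `else` branch keeps the stdout contract and still surfaces the fallback. An existing secret whose `CONSOLE_ACCESS_KEY` or `CONSOLE_SECRET_KEY` field is empty passes the existence check and yields an empty key, so testing the decoded value with `[ -n "$access_key" ]` (and the same for `$secret_key`) before the `echo` would catch that case too. Each function also calls `kubectl get secret` twice; checking the exit status of the single `-o jsonpath=...` call, before piping to `base64 -d`, would halve the API round-trips and remove the window between the check and the read.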