
chore: update base image because of the CVE-2024-3596 #4414


Workflow file for this run

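name: build-pipeline

# `on` is read as a boolean by strict YAML 1.1 loaders; GitHub's workflow loader handles it.
on:
  pull_request:
    branches:
      - master
      - 'v*'

# Least-privilege token for every job. This pipeline only reads the repository and the
# pull-request file list (dorny/paths-filter); no job pushes images, uploads scan
# results, or writes back to GitHub, so nothing needs write scopes.
permissions:
  contents: read
  pull-requests: read

env:
  DOCKER_BUILDKIT: "1" # Enable Docker BuildKit in all build jobs

jobs:
  # Detects which service directories the PR touches; downstream jobs gate on these outputs.
  changes:
    runs-on: ubuntu-latest
    # Set job outputs to values from filter step
    outputs:
      frontend: ${{ steps.filter.outputs.frontend }}
      graphql-server: ${{ steps.filter.outputs.graphql-server }}
      authentication: ${{ steps.filter.outputs.authentication }}
      subscriber: ${{ steps.filter.outputs.subscriber }}
      event-tracker: ${{ steps.filter.outputs.event-tracker }}
      # upgrade-agent-cp: ${{ steps.filter.outputs.upgrade-agent-cp }}
      # dex-server: ${{ steps.filter.outputs.dex-server }}
    steps:
      # For pull requests it's not necessary to checkout the code
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            frontend:
              - 'chaoscenter/web/**'
            graphql-server:
              - 'chaoscenter/graphql/server/**'
            authentication:
              - 'chaoscenter/authentication/**'
            subscriber:
              - 'chaoscenter/subscriber/**'
            event-tracker:
              - 'chaoscenter/event-tracker/**'
            # upgrade-agent-cp:
            #   - 'chaoscenter/upgrade-agents/control-plane/**'
            # dex-server:
            #   - 'chaoscenter/dex-server/**'

  # Secret scanning over the full git history of the PR checkout.
  gitleaks-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history so gitleaks can inspect every commit, not only HEAD
      - name: Run GitLeaks
        # NOTE(review): the release tarball is fetched over HTTPS but its digest is never
        # checked; record the published sha256 for this release and verify it with
        # `sha256sum -c` before extracting, so a tampered download fails the job.
        run: |
          wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz && \
          tar -zxvf gitleaks_8.18.2_linux_x64.tar.gz && \
          sudo mv gitleaks /usr/local/bin && gitleaks detect --source . -v

  # Lint/vet for every Go service; runs when any backend directory changed.
  backend-checks:
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.graphql-server == 'true' || needs.changes.outputs.authentication == 'true' || needs.changes.outputs.subscriber == 'true' || needs.changes.outputs.event-tracker == 'true'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "1.22" # By default, the go version is v1.15 in runner.
      - name: Check Golang imports order
        # NOTE(review): this ref looks mangled by extraction ("[email protected]"); confirm
        # the action name and pin it to a tag or commit SHA.
        uses: Jerome1337/[email protected]
        with:
          goimports-path: ./chaoscenter
      - name: Backend checks
        shell: bash
        run: |
          cd chaoscenter
          make backend-services-checks

  frontend-checks:
    runs-on: ubuntu-latest
    needs: changes
    if: ${{ needs.changes.outputs.frontend == 'true' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 16 # NOTE(review): Node 16 is past end-of-life; move to a current LTS once the web build supports it
      - name: Frontend checks
        shell: bash
        run: |
          cd chaoscenter
          make frontend-services-checks

  # Skipped automatically when backend-checks is skipped (a skipped dependency skips dependents).
  backend-unit-tests:
    runs-on: ubuntu-latest
    needs:
      - changes
      - backend-checks
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "1.22" # By default, the go version is v1.15 in runner.
      - name: Backend unit tests
        shell: bash
        run: |
          cd chaoscenter
          make backend-unit-tests

  web-unit-tests:
    runs-on: ubuntu-latest
    needs:
      - changes
      - frontend-checks
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 16
      - name: Chaoscenter web unit tests
        shell: bash
        run: |
          cd chaoscenter
          make web-unit-tests

  # Each docker-build-* job builds one image locally (never pushed) and fails the PR on
  # any fixable CRITICAL/HIGH finding in the OS packages or bundled libraries.
  docker-build-graphql-server:
    runs-on: ubuntu-latest
    needs:
      - backend-checks
      - changes
      # - backend-unit-tests
    if: ${{ needs.changes.outputs.graphql-server == 'true' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build graphql server docker image
        shell: bash
        run: |
          cd chaoscenter/graphql/server
          docker build . -f Dockerfile -t docker.io/litmuschaos/litmusportal-server:${{ github.sha }} --build-arg TARGETARCH=amd64
      - name: Run Trivy vulnerability scanner
        # NOTE(review): @master is a mutable ref; pin the scanner to a release tag or commit
        # SHA so its own supply chain is reproducible (same for every Trivy step below).
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/litmuschaos/litmusportal-server:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true # findings with no upstream fix yet do not fail the build
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  docker-build-authentication-server:
    runs-on: ubuntu-latest
    needs:
      - backend-checks
      - changes
      # - backend-unit-tests
    if: ${{ needs.changes.outputs.authentication == 'true' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build auth server docker image
        shell: bash
        run: |
          cd chaoscenter/authentication
          docker build . -f Dockerfile -t docker.io/litmuschaos/litmusportal-auth-server:${{ github.sha }} --build-arg TARGETARCH=amd64
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/litmuschaos/litmusportal-auth-server:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  docker-build-subscriber:
    runs-on: ubuntu-latest
    needs:
      - backend-checks
      - changes
      # - backend-unit-tests
    if: ${{ needs.changes.outputs.subscriber == 'true' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build subscriber docker image
        shell: bash
        run: |
          cd chaoscenter/subscriber
          docker build . -f Dockerfile -t docker.io/litmuschaos/litmusportal-subscriber:${{ github.sha }} --build-arg TARGETARCH=amd64
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/litmuschaos/litmusportal-subscriber:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  docker-build-frontend:
    runs-on: ubuntu-latest
    needs:
      - frontend-checks
      - changes
    if: ${{ needs.changes.outputs.frontend == 'true' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: yarn build check
        run: |
          cd chaoscenter/web && yarn && yarn build
      - name: web docker build check
        shell: bash
        run: |
          cd chaoscenter/web
          docker build . -f Dockerfile --build-arg TARGETARCH=amd64 -t docker.io/litmuschaos/litmusportal-frontend:${{ github.sha }}
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/litmuschaos/litmusportal-frontend:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  docker-build-event-tracker:
    runs-on: ubuntu-latest
    needs:
      - backend-checks
      - changes
      # - backend-unit-tests
    if: ${{ needs.changes.outputs.event-tracker == 'true' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build event tracker docker image
        shell: bash
        run: |
          cd chaoscenter/event-tracker
          docker build . -f Dockerfile -t docker.io/litmuschaos/litmusportal-event-tracker:${{ github.sha }} --build-arg TARGETARCH=amd64
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/litmuschaos/litmusportal-event-tracker:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  # Disabled jobs kept for reference; they still reference actions/checkout@v2, so
  # re-enable only after updating them to the versions used above.
  # docker-build-upgrade-agent-cp:
  #   runs-on: ubuntu-latest
  #   needs:
  #     - backend-checks
  #     - changes
  #     - backend-unit-tests
  #   if: ${{ needs.changes.outputs.upgrade-agent-cp == 'true' }}
  #   steps:
  #     - name: Checkout code
  #       uses: actions/checkout@v2
  #     - name: Build control plane upgrade agent docker image
  #       shell: bash
  #       run: |
  #         cd chaoscenter/upgrade-agents/control-plane
  #         docker build . -f Dockerfile -t docker.io/litmuschaos/upgrade-agent-cp:${{ github.sha }} --build-arg TARGETARCH=amd64
  #     - name: Run Trivy vulnerability scanner
  #       uses: aquasecurity/trivy-action@master
  #       with:
  #         image-ref: 'docker.io/litmuschaos/upgrade-agent-cp:${{ github.sha }}'
  #         format: 'table'
  #         exit-code: '1'
  #         ignore-unfixed: true
  #         vuln-type: 'os,library'
  #         severity: 'CRITICAL,HIGH'
  # docker-build-dex-server:
  #   runs-on: ubuntu-latest
  #   needs:
  #     - backend-checks
  #     - changes
  #     - backend-unit-tests
  #   if: needs.changes.outputs.dex-server == 'true'
  #   steps:
  #     - name: Checkout code
  #       uses: actions/checkout@v2
  #     - name: Build dex-server docker image
  #       shell: bash
  #       run: |
  #         cd chaoscenter/dex-server
  #         docker images && docker build . -f Dockerfile --build-arg TARGETARCH=amd64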