diff --git a/.github/install-openvas-dependencies.sh b/.github/install-openvas-dependencies.sh index afbbbf2232..d8ba36c9e3 100755 --- a/.github/install-openvas-dependencies.sh +++ b/.github/install-openvas-dependencies.sh @@ -10,6 +10,7 @@ apt-get update && apt-get install --no-install-recommends --no-install-suggests clang-tools \ cmake \ curl \ + git \ lcov \ libgnutls28-dev \ libgpgme-dev \ @@ -28,6 +29,7 @@ apt-get update && apt-get install --no-install-recommends --no-install-suggests libpopt0 \ libcurl4 \ libcurl4-gnutls-dev \ + libhiredis0.14 \ && rm -rf /var/lib/apt/lists/* curl -L -o cgreen.tar.gz https://github.com/cgreen-devs/cgreen/archive/refs/tags/1.6.2.tar.gz -k diff --git a/.github/test.yaml b/.github/test.yaml new file mode 100644 index 0000000000..d7c53e3999 --- /dev/null +++ b/.github/test.yaml @@ -0,0 +1,4 @@ +openvas: + repository: temp-openvas-scanner + pullPolicy: Always + tag: "latest" diff --git a/.github/workflows/README.md b/.github/workflows/README.md new file mode 100644 index 0000000000..4dfcbd8683 --- /dev/null +++ b/.github/workflows/README.md @@ -0,0 +1,5 @@ +# CI Setup + +- control.yml - is the actual ci definitions it includes all other workflow calls. +- init.yml - set the variables to control jobs. It defines if it is a release, or a commit, if a docker image is used... +- ./push-container.yml - builds and may push container diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml deleted file mode 100644 index 5526873f98..0000000000 --- a/.github/workflows/build-container.yml +++ /dev/null 
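Review bot: `libhiredis0.14` hard-codes the soname-versioned runtime package, so the install line breaks as soon as the `greenbone/gvm-libs:stable` base image moves to a Debian release with a different hiredis ABI; if the headers are acceptable, the unversioned `libhiredis-dev \` (the pattern already used for `libgpgme-dev` above) follows the base image instead. Nothing in the new workflows visibly runs git inside the container other than `actions/checkout`, so a short trailing comment on why `git` is needed would save the next reader the search. The unchanged `curl ... -k` a few lines below disables TLS verification for the cgreen tarball and nothing checks its digest; that predates this change but deserves a follow-up. The apt-get invocation starts before this hunk.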
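Review bot: `.github/test.yaml` is not referenced by any workflow in this change, and the values it carries (`repository: temp-openvas-scanner`, `tag: "latest"`, `pullPolicy: Always`) would deploy whatever is currently tagged `latest` rather than the image this pipeline just built, which is at odds with the `docker_image` output that `control.yml` hands to the smoke test. If it is the values override the smoketest TODO refers to, it needs to be generated from that output in the job rather than checked in with a mutable tag; otherwise it looks like a leftover and should go. A one-line comment at the top naming which chart and job consume it would settle that.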
@@ -1,66 +0,0 @@ -name: Build Container - -on: - push: - branches: [ main, stable, oldstable, middleware ] - tags: ["v*"] - paths: - - .github/workflows/build-container.yml - - .docker/build.Dockerfile - pull_request: - branches: [ main, stable, oldstable, middleware ] - paths: - - .github/workflows/build-container.yml - - .docker/build.Dockerfile - workflow_dispatch: - repository_dispatch: - schedule: - # rebuild image every sunday - - cron: "0 0 * * 0" - -jobs: - build: - name: "Upload images for building openvas-scanner" - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup container meta information - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ github.repository }}-build - labels: | - org.opencontainers.image.vendor=Greenbone - org.opencontainers.image.base.name=greenbone/gvm-libs - flavor: latest=false # no latest container tag for git tags - tags: | - # create container tag for git tags - type=ref,event=tag - type=ref,event=pr - # use latest for stable branch - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'stable') }} - type=raw,value=stable,enable=${{ github.ref == format('refs/heads/{0}', 'stable') }} - type=raw,value=oldstable,enable=${{ github.ref == format('refs/heads/{0}', 'oldstable') }} - # use unstable for main branch - type=raw,value=unstable,enable={{is_default_branch}} - - name: Login to DockerHub - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - run: echo "Build and push ${{ steps.meta.outputs.tags }}" - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Build and push - uses: docker/build-push-action@v5 - with: - context: . 
- push: ${{ github.event_name != 'pull_request' }} - file: .docker/build.Dockerfile - platforms: linux/amd64,linux/arm64 - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000000..5a1d056391 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,25 @@ +name: "Build" + +on: [workflow_call] + +jobs: + OpenVAS: + runs-on: ubuntu-latest + container: greenbone/gvm-libs:stable + steps: + - uses: actions/checkout@v4 + - name: install dependencies + run: | + sh .github/install-openvas-dependencies.sh + - name: build + run: | + cmake -Bbuild -DCMAKE_C_COMPILER=/usr/share/clang/scan-build-14/libexec/ccc-analyzer + scan-build -o ~/scan-build-report cmake --build build + - name: Upload scan-build report + uses: actions/upload-artifact@v3 + with: + name: scan-build-report + path: ~/scan-build-report/ + retention-days: 7 + OpenVAS_Daemon: + uses: ./.github/workflows/build-rust.yml diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml deleted file mode 100644 index d605f9edde..0000000000 --- a/.github/workflows/build_and_test.yml +++ /dev/null 
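Review bot: The `OpenVAS` job builds only against `greenbone/gvm-libs:stable`, whereas the deleted `build_and_test.yml` built against both `stable` and `unstable` with a comment explaining that compatibility in both directions must be watched; if dropping `unstable` is intended, the reason belongs in a comment above `container:`, otherwise restore `strategy: { matrix: { gvm-libs-version: [stable, unstable] } }` with `container: greenbone/gvm-libs:${{ matrix.gvm-libs-version }}`. The scan-build step still only uploads the report and nothing fails the job on new analyzer findings (`scan-build --status-bugs` would), so this is a build check rather than a static-analysis gate. The reusable workflow sets no `permissions:`; `permissions: contents: read` at the top keeps the inherited token minimal.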
@@ -1,61 +0,0 @@ -name: "openvas-c" - -on: - push: - branches: [ main, stable ] - pull_request: - branches: [ main, stable ] - -jobs: - formatting: - runs-on: ubuntu-latest - steps: - - name: Check out openvas-scanner - uses: actions/checkout@v4 - - name: Check Source Format - run: | - clang-format -i -style=file {src,misc,nasl}/*.{c,h} - git diff --exit-code - compile: - runs-on: ubuntu-latest - strategy: - matrix: - # With the upcoming changes, we require both downwards and upwards compatibility between the OpenVAS C - # code and GVM-libs. This is because, even though we will be using semantic versioning, as long as - # OpenVAS and GVM-libs remain separate repositories, we want to be notified of every change. - gvm-libs-version: - - stable - - unstable - container: greenbone/gvm-libs:${{ matrix.gvm-libs-version }} - steps: - - uses: actions/checkout@v4 - - name: install dependencies - run: | - sh .github/install-openvas-dependencies.sh - - name: Configure and Scan Build - run: | - cmake -Bbuild -DCMAKE_C_COMPILER=/usr/share/clang/scan-build-14/libexec/ccc-analyzer - scan-build -o ~/scan-build-report cmake --build build - - name: Upload scan-build report - uses: actions/upload-artifact@v3 - with: - name: scan-build-report - path: ~/scan-build-report/ - retention-days: 7 - unit-tests: - runs-on: ubuntu-latest - strategy: - matrix: - gvm-libs-version: - - stable - - unstable - container: greenbone/gvm-libs:${{ matrix.gvm-libs-version }} - steps: - - uses: actions/checkout@v4 - - name: install dependencies - run: | - sh .github/install-openvas-dependencies.sh - - name: unit-tests - run: | - cmake -Bbuild -DCMAKE_BUILD_TYPE=Release - CTEST_OUTPUT_ON_FAILURE=1 cmake --build build -- tests test diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000..6ea816ab78 --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,40 @@
+name: "Linting"
+
+on: [workflow_call]
+
+jobs:
+ OpenVAS:
+ runs-on: ubuntu-latest
+ container: greenbone/gvm-libs:stable
+ steps:
+ - uses: actions/checkout@v4
+ - name: install dependencies
+ run: |
+ sh .github/install-openvas-dependencies.sh
+ - name: Formatting
+ run: |
+ clang-format --dry-run --Werror -i -style=file {src,misc,nasl}/*.{c,h}
+ - name: unit-tests
+ run: |
+ cmake -Bbuild -DCMAKE_BUILD_TYPE=Release
+ CTEST_OUTPUT_ON_FAILURE=1 cmake --build build -- tests test
+ OpenVAS_Daemon:
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: rust
+ steps:
+ - uses: actions/checkout@v4
+ - run: sudo apt update && sudo apt-get install -y libpcap-dev
+ - run: rustup update stable && rustup default stable || rustup default stable
+ - run: cargo install cargo-audit
+ - run: cargo install typos-cli
+ - name: unit-tests
+ run: cargo test --lib --tests --workspace
+ - name: Clippy
+ run: cargo clippy -- -D warnings
+ - name: Audit
+ run: cargo audit
+ - run: typos
+ - name: Formatting
+ run: cargo fmt --check
diff --git a/.github/workflows/codeql-analysis-c.yml b/.github/workflows/codeql.yml
similarity index 100%
rename from .github/workflows/codeql-analysis-c.yml
rename to .github/workflows/codeql.yml
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
deleted file mode 100644
index 055538acb4..0000000000
--- a/.github/workflows/container.yml
+++ /dev/null
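Review bot: `cargo install cargo-audit` and `cargo install typos-cli` fetch and compile whatever version is current on crates.io at run time, so the result for the same commit can change between runs and a bad release of either tool would execute with the job's token; pin them, `cargo install --locked cargo-audit --version <PINNED_VERSION>`, and likewise for typos-cli. The workflow is named `Linting` but the `OpenVAS` job also runs the C unit tests and the Rust job runs `cargo test`, so the name in the Actions UI undersells what can fail here. The deleted `rustification.yaml` ran `rustup component add clippy` before `cargo clippy`; the default rustup profile includes clippy so this probably still works, but an explicit `rustup component add clippy rustfmt` stops it depending on the runner image.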
@@ -1,155 +0,0 @@ -name: Container - -on: - push: - branches: [main, stable, oldstable, middleware] - tags: ["v*"] - pull_request: - branches: [main, stable, oldstable, middleware] - workflow_dispatch: - repository_dispatch: - -jobs: - rs-build-binaries: - uses: ./.github/workflows/build-rust.yml - - production-image: - runs-on: ubuntu-latest - needs: [rs-build-binaries] - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: "set IS_VERSION_TAG" - run: | - echo "IS_VERSION_TAG=${{ github.ref_type == 'tag' && startsWith(github.ref_name, 'v') }}" >> $GITHUB_ENV - # set defaults - echo "IS_LATEST_TAG=false" >> $GITHUB_ENV - - name: "set IS_LATEST_TAG" - if: ( env.IS_VERSION_TAG ) - run: | - # find the latest version that is not ourself - export LATEST_VERSION=$(git tag -l | grep -v '${{ github.ref_name }}' | sort -r --version-sort) - # get major minor patch versions - IFS='.' read -r latest_major latest_minor latest_patch << EOF - $LATEST_VERSION - EOF - IFS='.' read -r tag_major tag_minor tag_patch << EOF - ${{ github.ref_name }} - EOF - # remove leading v - latest_major=$(echo $latest_major | cut -c2-) - tag_major=$(echo $tag_major | cut -c2-) - echo "$tag_major >= $latest_major" - if [[ $tag_major -ge $latest_major && ($tag_minor -ne 0 || $tag_patch -ne 0) ]]; then - # set this tag to latest and stable - echo "IS_LATEST_TAG=true" >> $GITHUB_ENV - fi - - name: "Setup meta information (IS_VERSION_TAG: ${{ env.IS_VERSION_TAG }}, IS_LATEST_TAG: ${{ env.IS_LATEST_TAG }} )" - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ github.repository }} - labels: | - org.opencontainers.image.vendor=Greenbone - org.opencontainers.image.base.name=greenbone/gvm-libs - flavor: latest=false # no auto latest container tag for git tags - tags: | - # when IS_LATEST_TAG is set create a stable and a latest tag - type=raw,value=latest,enable=${{ env.IS_LATEST_TAG }} - type=raw,value=stable,enable=${{ env.IS_LATEST_TAG }} - # if tag version is set than create a 
version tags - type=semver,pattern={{version}},enable=${{ env.IS_VERSION_TAG }} - type=semver,pattern={{major}}.{{minor}},enable=${{ env.IS_VERSION_TAG }} - type=semver,pattern={{major}},enable=${{ env.IS_VERSION_TAG }} - # if we are on the main branch set edge - type=edge,branch=main - # use branch-sha otherwise for pushes to branches other then main (will not be uploaded) - type=raw,value={{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }} - # use pr-$PR_ID for pull requests (will not be uploaded) - type=ref,event=pr - - name: Login to DockerHub - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - uses: actions/download-artifact@v3 - with: - name: rs-binaries - path: assets - - run: mkdir -p assets/linux/amd64 - - run: mkdir -p assets/linux/arm64 - - run: mv assets/openvasd-aarch64-unknown-linux-gnu assets/linux/arm64/openvasd - - run: mv assets/openvasd-x86_64-unknown-linux-gnu assets/linux/amd64/openvasd - - run: mv assets/nasl-cli-aarch64-unknown-linux-gnu assets/linux/arm64/nasl-cli - - run: mv assets/nasl-cli-x86_64-unknown-linux-gnu assets/linux/amd64/nasl-cli - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Build and push - uses: docker/build-push-action@v5 - with: - context: . 
- push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }} - file: .docker/prod.Dockerfile - build-args: | - REPOSITORY=${{ github.repository }} - platforms: linux/amd64,linux/aarch64 - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - - - name: "Setup meta information debian:oldstable" - id: old_stable_meta - uses: docker/metadata-action@v5 - with: - images: ${{ github.repository }} - labels: | - org.opencontainers.image.vendor=Greenbone - org.opencontainers.image.base.name=greenbone/gvm-libs - flavor: latest=false # no auto latest container tag for git tags - tags: | - # for the images provided for debian:oldstable we just provide - # oldstable on an new version or oldstable-edge when it is on main. - # oldstable-branch-sha on a branch - type=raw,value=oldstable,enable=${{ env.IS_LATEST_TAG }} - type=raw,value=oldstable-edge,enable=${{ github.ref_name == 'main' }} - type=raw,value=oldstable-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }} - type=ref,event=pr - - name: Build and push Container image - uses: docker/build-push-action@v5 - with: - context: . - push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }} - file: .docker/prod-oldstable.Dockerfile - platforms: linux/amd64,linux/arm64 - tags: ${{ steps.old_stable_meta.outputs.tags }} - labels: ${{ steps.old_stable_meta.outputs.labels }} - - - name: "Setup meta information debian:testing" - id: test_meta - uses: docker/metadata-action@v5 - with: - images: ${{ github.repository }} - labels: | - org.opencontainers.image.vendor=Greenbone - org.opencontainers.image.base.name=greenbone/gvm-libs - flavor: latest=false # no auto latest container tag for git tags - tags: | - # for the images provided for debian:testing we just provide - # testing on an new version or testing-edge when it is on main. 
- # testing-branch-sha on a branch
- type=raw,value=testing,enable=${{ env.IS_LATEST_TAG }}
- type=raw,value=testing-edge,enable=${{ github.ref_name == 'main' }}
- type=raw,value=testing-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
- type=ref,event=pr
- - name: Build and push Container image
- uses: docker/build-push-action@v5
- with:
- context: .
- push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}
- file: .docker/prod-testing.Dockerfile
- platforms: linux/amd64,linux/arm64
- tags: ${{ steps.test_meta.outputs.tags }}
- labels: ${{ steps.test_meta.outputs.labels }}
diff --git a/.github/workflows/control.yml b/.github/workflows/control.yml
new file mode 100644
index 0000000000..482c28f5ae
--- /dev/null
+++ b/.github/workflows/control.yml
@@ -0,0 +1,39 @@
+name: CI
+
+on:
+ push:
+ branches: [ main]
+ tags: ["v*"]
+ pull_request:
+ workflow_dispatch:
+ repository_dispatch:
+ schedule:
+ # rebuild image every sunday
+ - cron: "0 0 * * 0"
+
+jobs:
+ init:
+ uses: ./.github/workflows/init.yaml
+ build:
+ uses: ./.github/workflows/build.yml
+ linting:
+ uses: ./.github/workflows/ci.yml
+ functional:
+ needs: [build, init]
+ uses: ./.github/workflows/functional.yaml
+ container:
+ needs: [build, init, functional]
+ uses: ./.github/workflows/push-container.yml
+ secrets:
+ dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}
+ dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN}}
+ with:
+ is_latest_tag: ${{needs.init.outputs.is_latest_tag}}
+ is_version_tag: ${{needs.init.outputs.is_version_tag}}
+ # although it seems a bit odd, but that way we ensure
+ # that we test the latest greatest thing.
+ smoketests:
+ needs: [container, build, init]
+ uses: ./.github/workflows/smoketest.yaml
+ with:
+ docker_image: ${{needs.init.outputs.docker_image}}
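Review bot: `push-container-oldstable.yml`, `push-container-testing.yml` and `push-helm-chart.yml` are added in this commit but none of them is wired in here, and the deleted `container.yml` was what published the oldstable/testing images, so after this change those images silently stop being built unless a caller exists that I cannot see. The `smoketests` job runs only after `container` has already pushed `edge` (the comment above it acknowledges the ordering), so a regression is public on Docker Hub before the smoke test can flag it; if the goal is to test the built image, build and smoke-test with `push: false` first and push in a final job. `push: branches: [ main]` also drops the `stable`/`oldstable` branches the old workflows triggered on, which may be deliberate but is not mentioned anywhere. Minor: `${{ secrets.DOCKERHUB_TOKEN}}` is missing its closing space, and the empty `ddependabot.yml` added alongside looks like a typo for `dependabot.yml`, which belongs in `.github/` rather than `.github/workflows/` (an empty workflow file is, as far as I know, reported as invalid by Actions).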
diff --git a/.github/workflows/ddependabot.yml b/.github/workflows/ddependabot.yml
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/.github/workflows/functional.yaml b/.github/workflows/functional.yaml
new file mode 100644
index 0000000000..32ffe7ff53
--- /dev/null
+++ b/.github/workflows/functional.yaml
@@ -0,0 +1,65 @@
+name: functional
+
+on:
+ workflow_call:
+
+# smoke test definition.
+# It depends on build.yml that is controlled via control.yml
+#
+jobs:
+ # TESTS that are possible before pushing an image
+ tests:
+ name: Functional Tests
+ runs-on: ubuntu-latest
+ services:
+ redis:
+ image: redis
+ options: >-
+ --health-cmd "redis-cli ping"
+ --health-interval 10s
+ --health-timeout 5s
+ --health-retries 5
+ container:
+ image: greenbone/gvm-libs:stable
+ options: --privileged
+ steps:
+ - uses: actions/checkout@v4
+ - name: install dependencies
+ run: |
+ sh .github/install-openvas-dependencies.sh
+ - name: install openvas
+ run: |
+ cmake -Bbuild -DCMAKE_BUILD_TYPE=Release
+ cmake --build build -- install
+ - uses: actions/download-artifact@v3
+ with:
+ name: rs-binaries
+ path: assets
+ - name: prepare setup
+ run: |
+ FEED_DIR="feed/" sh .github/prepare-feed.sh
+ mv assets/nasl-cli-x86_64-unknown-linux-gnu ./nasl-cli
+ mv assets/feed-verifier-x86_64-unknown-linux-gnu ./feed-verifier
+ install -m 755 feed-verifier /usr/local/bin/
+ install -m 755 nasl-cli /usr/local/bin/
+ echo "db_address = tcp://redis:6379" >> /etc/openvas/openvas.conf
+ # TODO export as env variable
+ mv ./feed/* "$(openvas -s | grep plugins_folder | sed 's/plugins_folder = //')/"
+ - run: openvas -s
+ - name: verify feed syntax
+ run: ./nasl-cli syntax --quiet "$(openvas -s | grep plugins_folder | sed 's/plugins_folder = //')/"
+ - name: verify feed update
+ run: feed-verifier || (cat /var/log/gvm/openvas.log && false)
+ - name: verify nasl tests
+ run: |
+ mkdir -p /etc/openvas
+ cd nasl/tests
+ make check
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '>=1.16.0'
+ - name: verify lint
+ run: |
+ make build
+ ./run -e openvas-nasl-lint
+ working-directory: smoketest_lint
diff --git a/.github/workflows/init.yaml b/.github/workflows/init.yaml
new file mode 100644
index 0000000000..2bff0ef58e
--- /dev/null
+++ b/.github/workflows/init.yaml
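Review bot: `options: --privileged` gives the job container full device access and every capability on the hosted runner, which is more than feed verification needs; if `openvas`/`feed-verifier` only need raw sockets here, `options: --cap-add=NET_ADMIN --cap-add=NET_RAW` is the narrower grant (the flag is carried over from the deleted `rustification.yaml`, so this is the moment to trim it). The `# TODO export as env variable` is a small fix: in `prepare setup` assign `PLUGINS_DIR="$(openvas -s | grep plugins_folder | sed 's/plugins_folder = //')"`, use `"$PLUGINS_DIR/"` for the `mv`, and append `echo "PLUGINS_DIR=$PLUGINS_DIR" >> "$GITHUB_ENV"` so `verify feed syntax` can use it instead of re-running `openvas -s`. `mkdir -p /etc/openvas` in `verify nasl tests` runs after `prepare setup` already appended to `/etc/openvas/openvas.conf`, so it is a no-op; drop it or move it ahead of the `echo`. The `rs-binaries` artifact assumes `build-rust.yml` ran earlier in the same run; a comment naming that producer would help, since the `needs:` edge is only visible in `control.yml`.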
@@ -0,0 +1,65 @@
+name: Initialize
+
+on:
+ workflow_call:
+ outputs:
+ is_latest_tag:
+ description: "Is used within push container to verify the tag"
+ value: ${{ jobs.init.outputs.is_latest_tag }}
+ is_version_tag:
+ description: "Is used within push container to verify the tag"
+ value: ${{ jobs.init.outputs.is_version_tag }}
+ docker_image:
+ description: "Is used to smoke test the latest push image"
+ value: ${{ jobs.init.outputs.docker_tag }}
+
+jobs:
+ init:
+ runs-on: ubuntu-latest
+ outputs:
+ is_latest_tag: ${{ steps.version.outputs.is_latest_tag }}
+ is_version_tag: ${{ steps.version.outputs.is_version_tag }}
+ docker_tag: ${{ steps.version.output.docker_tag }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: "set IS_VERSION_TAG"
+ run: |
+ echo "IS_VERSION_TAG=${{ github.ref_type == 'tag' && startsWith(github.ref_name, 'v') }}" >> $GITHUB_ENV
+ # set defaults
+ echo "IS_LATEST_TAG=false" >> $GITHUB_ENV
+ - name: "set IS_LATEST_TAG"
+ if: ( env.IS_VERSION_TAG == 'true' )
+ run: |
+ # find the latest version that is not ourself
+ export LATEST_VERSION=$(git tag -l | grep -v '${{ github.ref_name }}' | sort -r --version-sort)
+ # get major minor patch versions
+ IFS='.' read -r latest_major latest_minor latest_patch << EOF
+ $LATEST_VERSION
+ EOF
+ IFS='.' 
read -r tag_major tag_minor tag_patch << EOF
+ ${{ github.ref_name }}
+ EOF
+ # remove leading v
+ latest_major=$(echo $latest_major | cut -c2-)
+ tag_major=$(echo $tag_major | cut -c2-)
+ echo "$tag_major >= $latest_major"
+ if [[ $tag_major -ge $latest_major && ($tag_minor -ne 0 || $tag_patch -ne 0) ]]; then
+ # set this tag to latest and stable
+ echo "IS_LATEST_TAG=true" >> $GITHUB_ENV
+ fi
+ echo "VERSION=$tag_major.$tag_minor.$tag_patch" >> $GITHUB_ENV
+ - name: "set DOCKER_TAG = ${{ env.GITHUB_REPOSITORY }}:edge"
+ if: ( env.IS_VERSION_TAG != 'true' )
+ run: |
+ echo "DOCKER_TAG=${{ env.GITHUB_REPOSITORY }}:edge" >> $GITHUB_ENV
+ - name: "set DOCKER_TAG = ${{ env.GITHUB_REPOSITORY }}:${{ env.VERSION }}"
+ if: ( env.IS_VERSION_TAG == 'true' )
+ run: |
+ echo "DOCKER_TAG=${{ env.GITHUB_REPOSITORY }}:$VERSION" >> $GITHUB_ENV
+ - name: set output
+ id: version
+ run: |
+ echo "is_latest_tag=$IS_LATEST_TAG" >> "$GITHUB_OUTPUT"
+ echo "is_version_tag=$IS_VERSION_TAG" >> "$GITHUB_OUTPUT"
+ echo "docker_tag=$DOCKER_TAG" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/nasl.yml b/.github/workflows/nasl.yml
deleted file mode 100644
index c1599250f3..0000000000
--- a/.github/workflows/nasl.yml
+++ /dev/null
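Review bot: `docker_tag: ${{ steps.version.output.docker_tag }}` reads `output` instead of `outputs`, so the job output, and the `docker_image` this workflow exposes to `smoketest.yaml`, is always empty; it should be `docker_tag: ${{ steps.version.outputs.docker_tag }}`. `${{ env.GITHUB_REPOSITORY }}` is, as far as I know, also empty, because the `env` context only holds variables set in the workflow and not the runner defaults, so `DOCKER_TAG` becomes `:edge`; use `${{ github.repository }}` in both `set DOCKER_TAG` steps and their names. `git tag -l` in `set IS_LATEST_TAG` only sees tags the checkout fetched, which with `actions/checkout@v4` defaults is at most the tag being built, so `LATEST_VERSION` is typically empty and the `-ge` comparison runs against nothing; add `fetch-depth: 0` (or `fetch-tags: true`) to the checkout step. `grep -v '${{ github.ref_name }}'` splices the ref name into the shell line; passing it as `env: REF_NAME: ${{ github.ref_name }}` and quoting `"$REF_NAME"` keeps the script free of expression injection from tag names.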
@@ -1,41 +0,0 @@ -name: "NASL" - -on: - push: - branches: [ main ] - pull_request: - branches: [ main ] - -jobs: - nasl-test: - name: test - runs-on: ubuntu-latest - container: greenbone/gvm-libs:unstable - steps: - - uses: actions/checkout@v4 - - name: install dependencies - run: | - sh .github/install-openvas-dependencies.sh - - name: build openvas - run: | - cmake -Bbuild -DCMAKE_BUILD_TYPE=Release - cmake --build build - - name: redis - run: | - apt-get update && apt-get install --no-install-recommends --no-install-suggests -y redis - mkdir /run/redis-openvas - redis-server config/redis-openvas.conf || exit 1 - - name: scripttests - run: | - mkdir -p /etc/openvas - echo "db_address = /run/redis-openvas/redis.sock" >> /etc/openvas/openvas.conf - cd nasl/tests - OPENVAS_NASL=../../build/nasl/openvas-nasl make check - - uses: actions/setup-go@v5 - with: - go-version: '>=1.16.0' - - name: smoketest/lint - run: | - make build - ./run -e ../../build/nasl/openvas-nasl-lint - working-directory: smoketest_lint diff --git a/.github/workflows/push-container-oldstable.yml b/.github/workflows/push-container-oldstable.yml new file mode 100644 index 0000000000..b3fa13bfa5 --- /dev/null +++ b/.github/workflows/push-container-oldstable.yml 
@@ -0,0 +1,59 @@
+name: Container
+
+on:
+ workflow_call:
+ inputs:
+ is_latest_tag:
+ required: true
+ type: string
+ is_version_tag:
+ required: true
+ type: string
+ secrets:
+ dockerhub_user:
+ required: true
+ dockerhub_token:
+ required: true
+
+jobs:
+ debian_oldstable:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v3
+ with:
+ name: rs-binaries
+ path: assets
+ # TODO: create correct dir layout while building up
+ - run: mkdir -p assets/linux/amd64
+ - run: mkdir -p assets/linux/arm64
+ - run: mv assets/openvasd-aarch64-unknown-linux-gnu assets/linux/arm64/openvasd
+ - run: mv assets/openvasd-x86_64-unknown-linux-gnu assets/linux/amd64/openvasd
+ - run: mv assets/nasl-cli-aarch64-unknown-linux-gnu assets/linux/arm64/nasl-cli
+ - run: mv assets/nasl-cli-x86_64-unknown-linux-gnu assets/linux/amd64/nasl-cli
+ - name: "Set labels and tags"
+ id: old_stable_meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ github.repository }}
+ labels: |
+ org.opencontainers.image.vendor=Greenbone
+ org.opencontainers.image.base.name=greenbone/gvm-libs
+ flavor: latest=false # no auto latest container tag for git tags
+ tags: |
+ # for the images provided for debian:oldstable we just provide
+ # oldstable on an new version or oldstable-edge when it is on main.
+ # oldstable-branch-sha on a branch
+ type=raw,value=oldstable,enable=${{ inputs.is_latest_tag }}
+ type=raw,value=oldstable-edge,enable=${{ github.ref_name == 'main' }}
+ type=raw,value=oldstable-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
+ type=ref,event=pr
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}
+ file: .docker/prod-oldstable.Dockerfile
+ platforms: linux/amd64,linux/arm64
+ tags: ${{ steps.old_stable_meta.outputs.tags }}
+ labels: ${{ steps.old_stable_meta.outputs.labels }}
diff --git a/.github/workflows/push-container-testing.yml b/.github/workflows/push-container-testing.yml
new file mode 100644
index 0000000000..1883c88df1
--- /dev/null
+++ b/.github/workflows/push-container-testing.yml
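Review bot: `push:` evaluates to true on pushes to `main` and on tags, but the job never runs `docker/login-action`, never sets up QEMU/Buildx, and never uses the `dockerhub_user`/`dockerhub_token` secrets or the `is_version_tag` input it declares as required, so a multi-platform `linux/amd64,linux/arm64` push from this job cannot succeed as written; `push-container-testing.yml` has the identical shape. Either add the login (guarded by `if: github.event_name != 'pull_request'`), `docker/setup-qemu-action@v3` and `docker/setup-buildx-action@v3` steps that `push-container.yml` has, or drop the unused inputs and secrets so the declared contract is honest. Neither file is called from `control.yml` in this change, so until they are wired in this is dead code that still reads as if it publishes images.
```yaml
# … unchanged: checkout, artifact download and layout, "Set labels and tags" step …
 - name: Login to DockerHub
 if: github.event_name != 'pull_request'
 uses: docker/login-action@v3
 with:
 username: ${{ secrets.dockerhub_user }}
 password: ${{ secrets.dockerhub_token }}
 - uses: docker/setup-qemu-action@v3
 - uses: docker/setup-buildx-action@v3
 - name: Build and push
 uses: docker/build-push-action@v5
# … unchanged: with: context / push / file / platforms / tags / labels …
```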
@@ -0,0 +1,59 @@
+name: Container
+
+on:
+ workflow_call:
+ inputs:
+ is_latest_tag:
+ required: true
+ type: string
+ is_version_tag:
+ required: true
+ type: string
+ secrets:
+ dockerhub_user:
+ required: true
+ dockerhub_token:
+ required: true
+
+jobs:
+ debian_testing:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v3
+ with:
+ name: rs-binaries
+ path: assets
+ # TODO: create correct dir layout while building up
+ - run: mkdir -p assets/linux/amd64
+ - run: mkdir -p assets/linux/arm64
+ - run: mv assets/openvasd-aarch64-unknown-linux-gnu assets/linux/arm64/openvasd
+ - run: mv assets/openvasd-x86_64-unknown-linux-gnu assets/linux/amd64/openvasd
+ - run: mv assets/nasl-cli-aarch64-unknown-linux-gnu assets/linux/arm64/nasl-cli
+ - run: mv assets/nasl-cli-x86_64-unknown-linux-gnu assets/linux/amd64/nasl-cli
+ - name: "Set labels and tags"
+ id: test_meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ github.repository }}
+ labels: |
+ org.opencontainers.image.vendor=Greenbone
+ org.opencontainers.image.base.name=greenbone/gvm-libs
+ flavor: latest=false # no auto latest container tag for git tags
+ tags: |
+ # for the images provided for debian:testing we just provide
+ # testing on an new version or testing-edge when it is on main.
+ # testing-branch-sha on a branch
+ type=raw,value=testing,enable=${{ inputs.is_latest_tag }}
+ type=raw,value=testing-edge,enable=${{ github.ref_name == 'main' }}
+ type=raw,value=testing-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
+ type=ref,event=pr
+ - name: Build and push Container image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}
+ file: .docker/prod-testing.Dockerfile
+ platforms: linux/amd64,linux/arm64
+ tags: ${{ steps.test_meta.outputs.tags }}
+ labels: ${{ steps.test_meta.outputs.labels }}
diff --git a/.github/workflows/push-container.yml b/.github/workflows/push-container.yml
new file mode 100644
index 0000000000..1690170ffe
--- /dev/null
+++ b/.github/workflows/push-container.yml
@@ -0,0 +1,75 @@
+name: Container
+
+on:
+ workflow_call:
+ inputs:
+ is_latest_tag:
+ required: true
+ type: string
+ is_version_tag:
+ required: true
+ type: string
+ secrets:
+ dockerhub_user:
+ required: true
+ dockerhub_token:
+ required: true
+
+jobs:
+ debian_stable:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - uses: actions/download-artifact@v3
+ with:
+ name: rs-binaries
+ path: assets
+ - run: mkdir -p assets/linux/amd64
+ - run: mkdir -p assets/linux/arm64
+ - run: mv assets/openvasd-aarch64-unknown-linux-gnu assets/linux/arm64/openvasd
+ - run: mv assets/openvasd-x86_64-unknown-linux-gnu assets/linux/amd64/openvasd
+ - run: mv assets/nasl-cli-aarch64-unknown-linux-gnu assets/linux/arm64/nasl-cli
+ - run: mv assets/nasl-cli-x86_64-unknown-linux-gnu assets/linux/amd64/nasl-cli
+ - name: "Set labels and tags"
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ github.repository }}
+ labels: |
+ org.opencontainers.image.vendor=Greenbone
+ org.opencontainers.image.base.name=greenbone/gvm-libs
+ flavor: latest=false # no auto latest container tag for git tags
+ tags: |
+ # when IS_LATEST_TAG is set create a stable and a latest tag
+ type=raw,value=latest,enable=${{ inputs.is_latest_tag }}
+ type=raw,value=stable,enable=${{ inputs.is_latest_tag }}
+ # if tag version is set than create a version tags
+ type=semver,pattern={{version}},enable=${{ inputs.is_version_tag }}
+ type=semver,pattern={{major}}.{{minor}},enable=${{ inputs.is_version_tag }}
+ type=semver,pattern={{major}},enable=${{ inputs.is_version_tag }}
+ # if on main or a branch TODO calculate upfront
+ type=raw,value=edge,enable=${{ github.ref_name == 'main' }}
+ type=raw,value={{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
+ # use pr-$PR_ID for pull requests (will not be uploaded)
+ type=ref,event=pr
+ - name: Login to DockerHub
+ if: github.event_name != 'pull_request'
+ 
uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.dockerhub_user }}
+ password: ${{ secrets.dockerhub_token }}
+
+ - uses: docker/setup-qemu-action@v3
+ - uses: docker/setup-buildx-action@v3
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}
+ file: .docker/prod.Dockerfile
+ build-args: |
+ REPOSITORY=${{ github.repository }}
+ platforms: linux/amd64,linux/aarch64
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/push-helm-chart.yml b/.github/workflows/push-helm-chart.yml
new file mode 100644
index 0000000000..39bc31cf4c
--- /dev/null
+++ b/.github/workflows/push-helm-chart.yml
@@ -0,0 +1,17 @@
+name: "Helm Push"
+
+on: [workflow_call]
+
+jobs:
+ helm:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: greenbone/actions/helm-build-push@v3
+ if: github.event_name == 'workflow_dispatch'
+ with:
+ chart-name: openvasd
+ registry: ${{ vars.IMAGE_REGISTRY }}
+ registry-subpath: helm-charts/
+ registry-user: ${{ secrets.GREENBONE_BOT }}
+ registry-token: ${{ secrets.GREENBONE_BOT_PACKAGES_WRITE_TOKEN }}
diff --git a/.github/workflows/rustification.yaml b/.github/workflows/rustification.yaml
deleted file mode 100644
index a41b102381..0000000000
--- a/.github/workflows/rustification.yaml
+++ /dev/null
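Review bot: The job that holds the Docker Hub credentials references every third-party action by a mutable major tag (`docker/login-action@v3`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v5`, `docker/metadata-action@v5`); pinning each to a full commit SHA with the tag in a trailing comment, e.g. `uses: docker/login-action@<COMMIT_SHA> # v3`, means a moved tag cannot swap the code that sees `secrets.dockerhub_token`. `permissions:` is not set, so the reusable workflow inherits whatever the caller's `GITHUB_TOKEN` carries; `permissions: contents: read` at the top is enough for checkout and artifact download. The deleted `container.yml` noted on the `{{branch}}-{{sha}}` line that such tags are not uploaded, and with `push:` limited to `main` and tags that is still true, so keep a `(will not be uploaded)` remark there for the reader. `platforms: linux/amd64,linux/aarch64` here versus `linux/arm64` in the sibling files is the same target spelled two ways; pick one.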
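Review bot: The `helm-build-push` step is guarded by `if: github.event_name == 'workflow_dispatch'`, yet this workflow is only reachable via `workflow_call` and no caller in this change invokes it, so the chart is never published; even once wired into `control.yml`, the guard means a version-tag push would not publish the chart, only a manual dispatch would. If that is intended, say so in a comment above the `if:`; if the chart should follow releases, gate on the same `is_version_tag` input the container workflows receive instead.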
@@ -1,124 +0,0 @@ -name: rs - -on: - push: - branches: [main, stable, oldstable] - pull_request: - -env: - CARGO_TERM_COLOR: always - -jobs: - unittests: - runs-on: ubuntu-latest - defaults: - run: - working-directory: rust - strategy: - matrix: - toolchain: - - stable - - beta - - nightly - steps: - - uses: actions/checkout@v4 - - run: sudo apt update && sudo apt-get install -y libpcap-dev - - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }} || rustup default ${{ matrix.toolchain }} - - run: cargo test --lib --tests --workspace - clippy: - runs-on: ubuntu-latest - defaults: - run: - working-directory: rust - steps: - - uses: actions/checkout@v4 - - run: rustup update stable && rustup default stable && rustup component add clippy - - run: cargo clippy -- -D warnings - audit: - runs-on: ubuntu-latest - defaults: - run: - working-directory: rust - steps: - - uses: actions/checkout@v4 - - run: rustup update stable && rustup default stable - - run: cargo install cargo-audit - - run: cargo audit - typos: - runs-on: ubuntu-latest - defaults: - run: - working-directory: rust - steps: - - uses: actions/checkout@v4 - - run: rustup update stable && rustup default stable - - run: cargo install typos-cli - - run: typos - formatting: - runs-on: ubuntu-latest - defaults: - run: - working-directory: rust - strategy: - matrix: - crates: - # we verify each dir separately to make it easier to verify formatting issues or even ignore - # crates we deem not important for checking (e.g. 
feed-verifier) - - nasl-syntax - - storage - - nasl-interpreter - - redis-storage - - json-storage - - nasl-cli - steps: - - uses: actions/checkout@v4 - rs-build-binaries: - uses: ./.github/workflows/build-rust.yml - verify-syntax: - runs-on: ubuntu-latest - needs: [rs-build-binaries] - steps: - - uses: actions/checkout@v4 - - run: FEED_DIR="feed/" sh .github/prepare-feed.sh - - uses: actions/download-artifact@v3 - with: - name: rs-binaries - path: assets - - run: mv assets/nasl-cli-x86_64-unknown-linux-gnu ./nasl-cli - - run: chmod +x ./nasl-cli - - name: verify syntax parsing - run: ./nasl-cli syntax --quiet feed/ - verify-feed-update: - runs-on: ubuntu-latest - needs: [rs-build-binaries] - container: - # maybe better to use builder, build openvas to have - # the version of this checkout rather than a dated official one? - image: greenbone/openvas-scanner:unstable - options: --privileged - services: - redis: - image: redis - options: >- - --health-cmd "redis-cli ping" - --health-interval 10s - --health-timeout 5s - --health-retries 5 - steps: - - uses: actions/checkout@v4 - - run: apt-get update && apt-get install -y docker.io - - run: FEED_DIR="feed/" sh .github/prepare-feed.sh - - uses: actions/download-artifact@v3 - with: - name: rs-binaries - path: assets - - run: mv assets/nasl-cli-x86_64-unknown-linux-gnu ./nasl-cli - - run: mv assets/feed-verifier-x86_64-unknown-linux-gnu ./feed-verifier - - name: prepare setup - run: | - install -m 755 feed-verifier /usr/local/bin/ - install -m 755 nasl-cli /usr/local/bin/ - echo "db_address = tcp://redis:6379" >> /etc/openvas/openvas.conf - mv ./feed/* "$(openvas -s | grep plugins_folder | sed 's/plugins_folder = //')/" - - run: openvas -s - - run: feed-verifier || (cat /var/log/gvm/openvas.log && false) diff --git a/.github/workflows/smoketest.yaml b/.github/workflows/smoketest.yaml new file mode 100644 index 0000000000..0e84a4cdf0 --- /dev/null +++ b/.github/workflows/smoketest.yaml 
@@ -0,0 +1,43 @@
+name: Smoketests
+
+on:
+ workflow_call:
+ inputs:
+ docker_image:
+ required: true
+ type: string
+
+# smoke test definition.
+# It depends on build.yml that is controlled via control.yml
+#
+jobs:
+ OpenVAS_Daemon:
+ name: SmokeTests Tests
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ # TODO replace tag and repository of openvas into a new values.
+ - name: Start a local k8s cluster
+ uses: jupyterhub/action-k3s-helm@v3
+ with:
+ k3s-channel: latest
+ metrics-enabled: false
+ - name: deploy openvasd
+ run: |
+ cd rust/examples/tls/Self-Signed\ mTLS\ Method
+ make delete deploy
+ cd -
+
+ helm uninstall openvasd --namespace openvasd|| true
+ helm install --namespace openvasd --create-namespace openvasd charts/openvasd/ --values charts/openvasd/values.yaml --values charts/openvasd/mtls-wo-ingress.yaml
+
+ kubectl rollout status --watch --timeout 600s deployment/openvasd --namespace openvasd
+ echo "OPENVASD_SERVER=https://$(kubectl get svc -n openvasd | awk 'FNR == 2 {print $(3)}')" >> $GITHUB_ENV
+ - name: smoketest
+ working-directory: rust/smoketest
+ env:
+ SCAN_CONFIG: configs/simple_scan_ssh_only.json
+ CLIENT_KEY: ../examples/tls/Self-Signed mTLS Method/client.rsa
+ CLIENT_CERT: ../examples/tls/Self-Signed mTLS Method/client.pem
+ run: |
+ make build run
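Review bot: The `docker_image` input is declared `required: true` but never used: `helm install` deploys with `charts/openvasd/values.yaml` and `mtls-wo-ingress.yaml` only, so the smoke test exercises whatever image the chart defaults to, not the one `control.yml` just built and pushed (the `# TODO replace tag and repository` line admits as much). Pass it through, e.g. `--set-string "openvas.tag=<TAG_SPLIT_FROM_INPUT>"` after splitting `inputs.docker_image` on `:`, and expose the value via `env:` rather than interpolating `${{ inputs.docker_image }}` into the `run:` script. `kubectl get svc -n openvasd | awk 'FNR == 2 {print $(3)}'` takes the second line of a listing, which only holds while `openvasd` is the sole service in the namespace; `kubectl get svc openvasd -n openvasd -o jsonpath='{.spec.clusterIP}'` names the service explicitly. Minor: `openvasd|| true` is missing a space and `name: SmokeTests Tests` repeats the word.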