chore: Add snyk docker scanning feature

Signed-off-by: grzesuav <grzesuav@gmail.com>
AdoptOpenJDK · Jan 24, 2021 · 1617fb5 · 1617fb5
1 parent 6765aa3
commit 1617fb5
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 9 deletions.
diff --git a/build_all.sh b/build_all.sh
@@ -18,6 +18,8 @@ export root_dir="$PWD"
 
 # shellcheck source=common_functions.sh
 source ./common_functions.sh
+# shellcheck source=snyk.sh
+source ./snyk.sh
 
 # summary table array
 export summary_table_file="${root_dir}/.summary_table"

diff --git a/build_latest.sh b/build_latest.sh
@@ -29,6 +29,9 @@ version="9"
 
 # shellcheck source=common_functions.sh
 source ./common_functions.sh
+# shellcheck source=snyk.sh
+source ./snyk.sh
+
 # shellcheck source=dockerfile_functions.sh
 source ./dockerfile_functions.sh
 
@@ -206,22 +209,23 @@ function check_build_needed() {
 	# build not needed
 	echo "INFO: Docker image for ${adopt_image_tag} exists and is latest. Docker build NOT needed"
 }
- 
+
 # Build the Docker image with the given repo, build, build type and tags.
 function build_image() {
 	repo=$1; shift;
 	build=$1; shift;
 	btype=$1; shift;
 
-	tags=""
-	for tag in "$@"
+	local tags=("$@") # copy arguments to local array
+	for i in "${!tags[@]}"
 	do
 		tags="${tags} -t ${repo}:${tag}"
 	done
 
 	auto_space_line="                                                                              "
 	image_name="${repo}:${tag}"
-
+	printf -v expanded_tags "%s ${repo}:%s " "-t" "${tags[@]}" # concatenate to single string : -t repo:tag -t repo:tag2
+	expanded_tags=${expanded_tags%?} # remove trailing space
 	dockerfile="Dockerfile.${vm}.${build}.${btype}"
 	# Check if we need to build this image.
 	check_build_needed "${dockerfile}" "${tags}"
@@ -232,7 +236,7 @@ function build_image() {
 
 	echo "docker push ${repo}:${tag}" >> "${push_cmdfile}"
 	echo "#####################################################"
-	echo "INFO: docker build --no-cache ${tags} -f ${dockerfile} ."
+	echo "INFO: docker build --no-cache ${expanded_tags} -f ${dockerfile} ."
 	echo "#####################################################"
 	if [ ! -z "$TARGET_ARCHITECTURE" ]; then
 		echo "using a buildx environment"
@@ -241,10 +245,10 @@ function build_image() {
 		docker buildx use mbuilder
 		docker buildx inspect --bootstrap
 		# shellcheck disable=SC2086 # ignoring ${tags} due to whitespace problem
-		if ! docker buildx build --platform "$TARGET_ARCHITECTURE" --pull --no-cache ${tags} -f "${dockerfile}" . ; then
+		if ! docker buildx build --platform "$TARGET_ARCHITECTURE" --pull --no-cache ${expanded_tags} -f "${dockerfile}" . ; then
 			echo "#############################################"
 			echo
-			echo "ERROR: Docker build of image: ${tags} from ${dockerfile} failed."
+			echo "ERROR: Docker build of image: ${expanded_tags} from ${dockerfile} failed."
 			echo
 			echo "#############################################"
 			echo "| ${image_name:0:80}${auto_space_line:0:$((76 - ${#image_name}))} | failure  |" >> ${summary_table_file}
@@ -255,17 +259,27 @@ function build_image() {
 				exit 1
 			fi
 		else
+			if ((SNYK_ENABLED)); then
+			echo "#####################################################"
+			echo "        Scanning with snyk for vulnerabilities       "
+			echo "#####################################################"
+				for i in "${!tags[@]}"
+				do
+					echo "...scanning ${repo}:${tags[$i]}"
+					snyk test --docker "${repo}:${tags[$i]}" --file="${dockerfile}"
+				done
+			fi
 			echo "| ${image_name:0:80}${auto_space_line:0:$((76 - ${#image_name}))} | success  |" >> ${summary_table_file}
 			echo "+------------------------------------------------------------------------------+----------+" >> ${summary_table_file}
 		fi
 
 		docker buildx rm mbuilder
 	else
 		# shellcheck disable=SC2086 # ignoring ${tags} due to whitespace problem
-		if ! docker build --pull --no-cache ${tags} -f "${dockerfile}" . ; then
+		if ! docker build --pull --no-cache ${expanded_tags} -f "${dockerfile}" . ; then
 			echo "#############################################"
 			echo
-			echo "ERROR: Docker build of image: ${tags} from ${dockerfile} failed."
+			echo "ERROR: Docker build of image: ${expanded_tags} from ${dockerfile} failed."
 			echo
 			echo "#############################################"
 			echo "| ${image_name:0:80}${auto_space_line:0:$((76 - ${#image_name}))} | failure  |" >> ${summary_table_file}
@@ -276,6 +290,16 @@ function build_image() {
 				exit 1
 			fi
 		else
+		  if ((SNYK_ENABLED)); then
+			echo "#####################################################"
+			echo "        Scanning with snyk for vulnerabilities       "
+			echo "#####################################################"
+				for i in "${!tags[@]}"
+				do
+					echo "...scanning ${repo}:${tags[$i]}"
+					snyk test --docker "${repo}:${tags[$i]}" --file="${dockerfile}"
+				done
+			fi
 			echo "| ${image_name:0:80}${auto_space_line:0:$((76 - ${#image_name}))} | success  |" >> ${summary_table_file}
 			echo "+------------------------------------------------------------------------------+----------+" >> ${summary_table_file}
 		fi

diff --git a/snyk.sh b/snyk.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+if [ -z "${SNYK_AUTH_TOKEN}" ];then
+  printf "Snyk authentication token not set, skipping snyk analysis\n"
+  return
+fi
+set -o pipefail
+export SNYK_ENABLED=0
+if test -f "$HOME/.nvm/nvm.sh"; then
+  echo "nvm found"
+else
+  echo "No nvm on machine, snyk check will be skipped"
+  exit 0
+fi
+
+# shellcheck disable=SC1090
+source "$HOME/.nvm/nvm.sh"
+
+echo "Installing node..."
+nvm install node
+
+echo "Installing snyk.."
+npm install -g snyk
+
+echo "Snyk version: $(snyk -v)"
+
+printf "Snyk installed succesfully\n"
+printf "Authenticating snyk\n"
+
+if ! snyk auth "${SNYK_AUTH_TOKEN}"; then
+  echo "snyk auth failed, snyk disabled"
+else
+  echo "snyk auth succeed, enabling snyk"
+  export SNYK_ENABLED=1
+fi
+
+