test: Test snyk auth token from same repository

AdoptOpenJDK · Mar 25, 2020 · ae493cb · ae493cb
1 parent b4326a1
commit ae493cb
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 9 deletions.
diff --git a/build_all.sh b/build_all.sh
@@ -16,6 +16,8 @@ set -o pipefail
 
 # shellcheck source=common_functions.sh
 source ./common_functions.sh
+# shellcheck source=snyk.sh
+source ./snyk.sh
 
 for ver in ${supported_versions}
 do

diff --git a/build_latest.sh b/build_latest.sh
@@ -21,6 +21,9 @@ version="9"
 
 # shellcheck source=common_functions.sh
 source ./common_functions.sh
+# shellcheck source=snyk.sh
+source ./snyk.sh
+
 # shellcheck source=dockerfile_functions.sh
 source ./dockerfile_functions.sh
 
@@ -43,25 +46,36 @@ function build_image() {
 	build=$1; shift;
 	btype=$1; shift;
 
-	tags=""
-	for tag in "$@"
+	local tags=("$@") # copy arguments to local array
+	for i in "${!tags[@]}"
 	do
-		tags="${tags} -t ${repo}:${tag}"
-		echo "docker push ${repo}:${tag}" >> "${push_cmdfile}"
+		echo "docker push ${repo}:${tags[$i]}" >> "${push_cmdfile}"
 	done
-
+	printf -v expanded_tags "%s ${repo}:%s " "-t" "${tags[@]}" # concatenate to single strin : -t repo:tag -t repo:tag2
+	expanded_tags=${expanded_tags%?} # remove trailing space
 	dockerfile="Dockerfile.${vm}.${build}.${btype}"
 
 	echo "#####################################################"
-	echo "INFO: docker build --no-cache ${tags} -f ${dockerfile} ."
+	echo "INFO: docker build --no-cache ${expanded_tags} -f ${dockerfile} ."
 	echo "#####################################################"
 	# shellcheck disable=SC2086 # ignoring ${tags} due to whitespace problem
-	if ! docker build --pull --no-cache ${tags} -f "${dockerfile}" . ; then
+	if ! docker build --pull --no-cache ${expanded_tags} -f "${dockerfile}" . ; then
 		echo "#############################################"
 		echo
-		echo "ERROR: Docker build of image: ${tags} from ${dockerfile} failed."
+		echo "ERROR: Docker build of image: ${expanded_tags} from ${dockerfile} failed."
 		echo
 		echo "#############################################"
+	else
+		if ((SNYK_ENABLED)); then
+			echo "#####################################################"
+			echo "        Scanning with snyk for vulnerabilities       "
+			echo "#####################################################"
+				for i in "${!tags[@]}"
+				do
+					echo "...scanning ${repo}:${tags[$i]}"
+					snyk test --docker "${repo}:${tags[$i]}" --file=="${dockerfile}"
+				done
+		fi
 	fi
 }
 
@@ -138,7 +152,7 @@ do
 		get_shasums "${version}" "${vm}" "${package}" "${build}"
 		# Source the generated shasums file to access the array
 		if [ -f "${vm}"_shasums_latest.sh ]; then
-		  # shellcheck disable=SC1090
+			# shellcheck disable=SC1090
 			source ./"${vm}"_shasums_latest.sh
 		else
 			continue;

diff --git a/snyk.sh b/snyk.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+if [ -z "${SNYK_AUTH_TOKEN}" ];then
+  printf "Snyk authentication token not set, skipping snyk analysis\n"
+  return
+fi
+set -o pipefail
+export SNYK_ENABLED=0
+if test -f "$HOME/.nvm/nvm.sh"; then
+  echo "nvm found"
+else
+  echo "No nvm on machine, snyk check will be skipped"
+  exit 0
+fi
+
+# shellcheck disable=SC1090
+source "$HOME/.nvm/nvm.sh"
+
+echo "Installing node..."
+nvm install node
+
+echo "Installing snyk.."
+npm install -g snyk
+
+echo "Snyk version: $(snyk -v)"
+
+export SNYK_ENABLED=1
+printf "Snyk installed succesfully\n"
+printf "Authenticating snyk\n"
+
+snyk auth "${SNYK_AUTH_TOKEN}"
+
+