diff --git a/build_all.sh b/build_all.sh
index e6a27f9d4..52662678e 100755
--- a/build_all.sh
+++ b/build_all.sh
@@ -18,6 +18,8 @@ export root_dir="$PWD"
 # shellcheck source=common_functions.sh
 source ./common_functions.sh
+# shellcheck source=snyk.sh
+source ./snyk.sh
 # summary table array
 export summary_table_file="${root_dir}/.summary_table"
diff --git a/build_latest.sh b/build_latest.sh
index 9ceec9657..5c669b8fa 100755
--- a/build_latest.sh
+++ b/build_latest.sh
@@ -29,6 +29,9 @@ version="9"
 # shellcheck source=common_functions.sh
 source ./common_functions.sh
+# shellcheck source=snyk.sh
+source ./snyk.sh
+
 # shellcheck source=dockerfile_functions.sh
 source ./dockerfile_functions.sh
@@ -206,22 +209,23 @@ function check_build_needed() {
 # build not needed
 echo "INFO: Docker image for ${adopt_image_tag} exists and is latest. Docker build NOT needed"
 }
-
+
 # Build the Docker image with the given repo, build, build type and tags.
 function build_image() {
 repo=$1; shift;
 build=$1; shift;
 btype=$1; shift;
-tags=""
-for tag in "$@"
+local tags=("$@") # copy arguments to local array
+for i in "${!tags[@]}"
 do
 tags="${tags} -t ${repo}:${tag}"
 done
 auto_space_line=" "
 image_name="${repo}:${tag}"
-
+printf -v expanded_tags "%s ${repo}:%s " "-t" "${tags[@]}" # concatenate to single string : -t repo:tag -t repo:tag2
+expanded_tags=${expanded_tags%?} # remove trailing space
 dockerfile="Dockerfile.${vm}.${build}.${btype}"
 # Check if we need to build this image.
 check_build_needed "${dockerfile}" "${tags}"
@@ -232,7 +236,7 @@ function build_image() {
 echo "docker push ${repo}:${tag}" >> "${push_cmdfile}"
 echo "#####################################################"
-echo "INFO: docker build --no-cache ${tags} -f ${dockerfile} ."
+echo "INFO: docker build --no-cache ${expanded_tags} -f ${dockerfile} ."
 echo "#####################################################"
 if [ ! -z "$TARGET_ARCHITECTURE" ]; then
 echo "using a buildx environment"
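Review bot: The loop body left as context in build_image still runs `tags="${tags} -t ${repo}:${tag}"`, which after the new `local tags=("$@")` overwrites `tags[0]` with a string, and `${tag}` is never assigned any more because the loop variable is now `i` — so `image_name="${repo}:${tag}"` here and `echo "docker push ${repo}:${tag}"` in the @@ -232 hunk refer to a variable this function no longer sets. `check_build_needed "${dockerfile}" "${tags}"` also changes meaning: for an array `"${tags}"` expands to element 0 only, whereas the removed code passed the whole `-t repo:tag …` string, which check_build_needed presumably still expects. Unless lines not shown in this hunk rewrite the body, the string-building loop should go, with `image_name="${repo}:${tags[0]}"` and either `check_build_needed "${dockerfile}" "${expanded_tags}"` or the array passed as `"${tags[@]}"` and the callee adjusted to match. build_image continues past the end of this hunk, and the hunk's line counts suggest some context lines were lost in rendering, so the exact body should be confirmed against the file.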
@@ -262,10 +266,10 @@ function build_image() {
 docker buildx rm mbuilder
 else
 # shellcheck disable=SC2086 # ignoring ${tags} due to whitespace problem
-if ! docker build --pull --no-cache ${tags} -f "${dockerfile}" . ; then
+if ! docker build --pull --no-cache ${expanded_tags} -f "${dockerfile}" . ; then
 echo "#############################################"
 echo
-echo "ERROR: Docker build of image: ${tags} from ${dockerfile} failed."
+echo "ERROR: Docker build of image: ${expanded_tags} from ${dockerfile} failed."
 echo
 echo "#############################################"
 echo "| ${image_name:0:80}${auto_space_line:0:$((76 - ${#image_name}))} | failure |" >> ${summary_table_file}
@@ -276,6 +280,16 @@ function build_image() {
 exit 1
 fi
 else
+if ((SNYK_ENABLED)); then
+echo "#####################################################"
+echo " Scanning with snyk for vulnerabilities "
+echo "#####################################################"
+for i in "${!tags[@]}"
+do
+echo "...scanning ${repo}:${tags[$i]}"
+snyk test --docker "${repo}:${tags[$i]}" --file="${dockerfile}"
+done
+fi
 echo "| ${image_name:0:80}${auto_space_line:0:$((76 - ${#image_name}))} | success |" >> ${summary_table_file}
 echo "+------------------------------------------------------------------------------+----------+" >> ${summary_table_file}
 fi
diff --git a/snyk.sh b/snyk.sh
new file mode 100755
index 000000000..65e98167c
--- /dev/null
+++ b/snyk.sh
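Review bot: The exit status of `snyk test --docker …` in the new scan loop is never examined, so a scan that reports vulnerabilities or fails to run still falls through to the `| success |` summary row written just below it; if the scan is meant to be advisory only, a comment should say so, otherwise record the status, e.g. `snyk test --docker "${repo}:${tags[$i]}" --file="${dockerfile}" || scan_failed=1`, and reflect it in the summary or the script's exit code. Every entry in `tags` is applied to the single `docker build` in the hunk above, so the loop scans the same image once per tag; scanning `"${repo}:${tags[0]}"` once gives the same findings in a fraction of the time. `((SNYK_ENABLED))` also relies on snyk.sh defining the variable on every path — if build_latest.sh runs with `set -u` (its `set` options are outside this hunk), an unset `SNYK_ENABLED` aborts the build here rather than skipping the scan. build_image starts before this hunk.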
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+if [ -z "${SNYK_AUTH_TOKEN}" ];then
+printf "Snyk authentication token not set, skipping snyk analysis\n"
+return
+fi
+set -o pipefail
+export SNYK_ENABLED=0
+if test -f "$HOME/.nvm/nvm.sh"; then
+echo "nvm found"
+else
+echo "No nvm on machine, snyk check will be skipped"
+exit 0
+fi
+
+# shellcheck disable=SC1090
+source "$HOME/.nvm/nvm.sh"
+
+echo "Installing node..."
+nvm install node
+
+echo "Installing snyk.."
+npm install -g snyk
+
+echo "Snyk version: $(snyk -v)"
+
+printf "Snyk installed succesfully\n"
+printf "Authenticating snyk\n"
+
+if ! snyk auth "${SNYK_AUTH_TOKEN}"; then
+echo "snyk auth failed, snyk disabled"
+else
+echo "snyk auth succeed, enabling snyk"
+export SNYK_ENABLED=1
+fi
+
+
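Review bot: `exit 0` on the no-nvm branch terminates the sourcing script — build_all.sh and build_latest.sh both `source ./snyk.sh` in this commit — so a machine without nvm silently skips every image build with a zero exit status instead of skipping only the scan; it should be `return 0`, as the missing-token branch already does, and `export SNYK_ENABLED=0` should move above the token check so `((SNYK_ENABLED))` in build_image always sees a defined value. `snyk auth "${SNYK_AUTH_TOKEN}"` puts the secret on the command line, where it is visible in `ps` output and in any `set -x` trace or CI command echo; the Snyk CLI also reads the `SNYK_TOKEN` environment variable, so `export SNYK_TOKEN="${SNYK_AUTH_TOKEN}"` authenticates without the argv exposure or the `auth` call. `nvm install node` and `npm install -g snyk` install whatever is latest at build time, so the scanner's result is not reproducible across runs; pinning, e.g. `npm install -g snyk@<pinned-version>`, keeps the tool under change control. `set -o pipefail` here also changes the option in the sourcing shell; if that is intended, a comment should say so, otherwise it belongs in the build scripts themselves.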