Revert last invalid commit

This reverts commit 025fef8.

Author: Vitaly Korolev

Jenkinsfile

@@ -149,7 +149,8 @@ void imageScan() {
     sh '''rm -f dep-image-scan.txt'''
 
     // trigger BlackDuck scan
-    def imageList = readFile(file: 'helm_image.list').trim()
+    def rawImageList = readFile(file: 'helm_image.list').trim()
+    def imageList = rawImageList.endsWith(',') ? rawImageList[0..-2] : rawImageList
     build job: 'securityscans/Blackduck/KubeNinjas/kubernetes-helm', wait: false, parameters: [ string(name: 'branch', value: "${env.BRANCH_NAME}"), string(name: 'CONTAINER_IMAGES', value: "${imageList}") ]
 }
 

makefile

@@ -229,65 +229,15 @@ upgrade-test: prepare
 #***************************************************************************
 ## Find and scan dependent Docker images for security vulnerabilities
 ## Options:
-## * [saveOutput] optional. Save the output to a text file. Example: saveOutput=true
+## * [saveOutput] optional. Save the output to a xml file. Example: saveOutput=true
 .PHONY: image-scan
 image-scan:
+
 	@rm -f helm_image.list dep-image-scan.txt
-	@$(if $(saveOutput), > dep-image-scan.txt)
 	@echo "=====Scan dependent Docker images in charts/values.yaml" $(if $(saveOutput), | tee -a dep-image-scan.txt,)
-	set -e; \
-	scanned_images_tracker_file="$$(mktemp)"; \
-	scan_image() { \
-	  img="$$1"; \
-	  src_file="$$2"; \
-	  if [ -z "$$img" ]; then \
-	    echo "Warning: Empty image name provided from $$src_file. Skipping." $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	    return; \
-	  fi; \
-	  if grep -Fxq "$$img" "$$scanned_images_tracker_file"; then \
-	    echo "= $$img (from $$src_file) - Already Processed" $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	    return; \
-	  fi; \
-	  echo "= Scanning $$img (from $$src_file)" $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	  if ! docker pull "$$img"; then \
-	    echo "Error: Failed to pull Docker image $$img. Skipping scan." $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	    echo "$$img" >> "$$scanned_images_tracker_file"; \
-	    return; \
-	  fi; \
-	  echo "$$img" >> "$$scanned_images_tracker_file"; \
-	  printf "%s," "$${img}" >> helm_image.list ; \
-	  grype_json_output=$$(docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest --output json "$$img" 2>/dev/null); \
-	  if [ -z "$$grype_json_output" ]; then \
-	    echo "Warning: Grype produced no output for $$img. Command might have failed or image not found/supported by grype." $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	    echo $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	    return; \
-	  fi; \
-	  if ! echo "$$grype_json_output" | jq -e '.descriptor.name' > /dev/null; then \
-	    echo "Warning: Grype output for $$img is not valid JSON or image metadata is missing. Output was:" $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	    echo "$$grype_json_output" $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	    echo $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	    return; \
-	  fi; \
-	  summary=$$(echo "$$grype_json_output" | jq -r '([.matches[]?.vulnerability.severity] // []) as $$all_severities | reduce ["Critical","High","Medium","Low","Negligible","Unknown"][] as $$sev ( {Critical:0,High:0,Medium:0,Low:0,Negligible:0,Unknown:0} ; .[$$sev] = ([$$all_severities[] | select(. == $$sev)] | length) ) | "Critical=\(.Critical) High=\(.High) Medium=\(.Medium) Low=\(.Low) Negligible=\(.Negligible) Unknown=\(.Unknown)"'); \
-	  echo "Summary: $$summary" $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	  if echo "$$grype_json_output" | jq -e '.matches == null or (.matches | length == 0)' > /dev/null; then \
-	    echo "No vulnerabilities found to tabulate for $$img." $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	  else \
-	    scan_out_body=$$(echo "$$grype_json_output" | jq -r 'def sevorder: {Critical:0, High:1, Medium:2, Low:3, Negligible:4, Unknown:5}; [.matches[]? | {pkg: .artifact.name, ver: .artifact.version, cve: .vulnerability.id, sev: .vulnerability.severity}] | map(. + {sort_key: sevorder[.sev // "Unknown"]}) | sort_by(.sort_key) | .[] | [.pkg // "N/A", .ver // "N/A", .cve // "N/A", .sev // "N/A"] | @tsv'); \
-	    if [ -n "$$scan_out_body" ]; then \
-	      (echo "Package\tVersion\tCVE\tSeverity"; echo "$$scan_out_body") | column -t -s $$'\t' $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	    else \
-	      echo "No vulnerability details to display for $$img (though summary reported counts)." $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	    fi; \
-	  fi; \
-	  echo $(if $(saveOutput), | tee -a dep-image-scan.txt,); \
-	}; \
-	util_image=$$(grep -A2 'utilContainer:' charts/values.yaml | grep 'image:' | sed 's/.*image:[[:space:]]*//g' | sed 's/"//g' | xargs); \
-	scan_image "$$util_image" "charts/values.yaml"; \
-	haproxy_image=$$(grep -A 3 '^haproxy:' charts/values.yaml | grep -A 1 '^\s*image:' | grep '^\s*repository:' | sed 's/.*repository:[[:space:]]*//g' | sed 's/"//g' | sed 's/#.*//g' | xargs); \
-	haproxy_tag=$$(grep -A 4 '^haproxy:' charts/values.yaml | grep -A 2 '^\s*image:' | grep '^\s*tag:' | sed 's/.*tag:[[:space:]]*//g' | sed 's/"//g' | sed 's/{{.*}}/latest/' | sed 's/#.*//g' | xargs); \
-	scan_image "$$haproxy_image:$$haproxy_tag" "charts/values.yaml";
-	@# Remove trailing comma from helm_image.list if present
-	@if [ -f helm_image.list ]; then \
-		sed -i '' -e 's/,\s*$$//' helm_image.list; \
-	fi
+	@for depImage in $(shell grep -E "^\s*\bimage:\s+(.*)" charts/values.yaml | sed 's/image: //g' | sed 's/"//g'); do\
+		echo -n "$${depImage}," >> helm_image.list ; \
+		echo "= $${depImage}:" $(if $(saveOutput), | tee -a dep-image-scan.txt,) ; \
+		docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest --output json $${depImage} | jq -r '[(.matches[] | [.artifact.name, .artifact.version, .vulnerability.id, .vulnerability.severity])] | .[] | @tsv' | sort -k4 | column -t $(if $(saveOutput), | tee -a dep-image-scan.txt,);\
+		echo $(if $(saveOutput), | tee -a dep-image-scan.txt,) ;\
+	done