From 6357665b1680a98d414e9f4b8c75930af30c52d2 Mon Sep 17 00:00:00 2001
From: Cees-Jan Kiewiet
Date: Sat, 20 Feb 2021 22:19:43 +0100
Subject: [PATCH] Restore failing when CVE scanner finds a vulnerability
During the migration to GitHub Actions in #160 this functionality was mistakenly and overzealously removed. Since PHP 8 and Alpine 3.13 are out and #166 has been filed, currently with a CVE for musl in it, this check should have failed as it is our goal to ship images without known CVE's in it. On my own PHP images the CVE checking fails and as such I was surprised that #166 didn't have any failures. Up on checking the CI logs it showed the musl CVE but the step didn't fail. This commit restores the original functionality and will make the CI once again fail when it finds a CVE in one of the images.
---
 .github/workflows/ci.yml | 6 +++---
 Makefile | 6 ++++++
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a193be33..4028630c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -204,7 +204,7 @@ jobs:
 path: ./tmp
 - run: docker load --input ./tmp/image*.tar
 - run: mkdir -p "./clair/${DOCKER_IMAGE}"
- - run: make scan-vulnerability
+ - run: make ci-scan-vulnerability
 scan-vulnerability-http:
 name: Scan nginx ${{ matrix.nginx }} for vulnerabilities
 needs:
@@ -233,7 +233,7 @@ jobs:
 shell: bash
 - run: mkdir -p "./clair/${DOCKER_IMAGE}"
 shell: bash
- - run: make scan-vulnerability
+ - run: make ci-scan-vulnerability
 shell: bash
 scan-vulnerability-prometheus-exporter-file:
 name: Scan HTTP prometheus-exporter-file for vulnerabilities
@@ -258,7 +258,7 @@ jobs:
 path: ./tmp
 - run: docker load --input ./tmp/image*.tar
 - run: mkdir -p "./clair/${DOCKER_IMAGE}"
- - run: make scan-vulnerability
+ - run: make ci-scan-vulnerability
 test-php:
 name: Functionaly test PHP ${{ matrix.php }} for ${{ matrix.type }} on Alpine ${{ matrix.alpine }}
 needs:
diff --git a/Makefile b/Makefile
index 25d27f85..6d161f2c 100644
--- a/Makefile
+++ b/Makefile
@@ -110,3 +110,9 @@ scan-vulnerability:
 mkdir -p ./tmp/clair/usabillabv
 cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log % || echo "% is vulnerable"'
 docker-compose -f test/security/docker-compose.yml -p clair-ci down
+
+ci-scan-vulnerability:
+ docker-compose -f test/security/docker-compose.yml -p clair-ci up -d
+ RETRIES=0 && while ! wget -T 10 -q -O /dev/null http://localhost:6060/v1/namespaces ; do sleep 1 ; echo -n "." ; if [ $${RETRIES} -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; RETRIES=$$(($${RETRIES}+1)) ; done
+ mkdir -p ./tmp/clair/usabillabv
+ cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log %'
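Review bot: The new `ci-scan-vulnerability` target copies the setup lines of `scan-vulnerability` but drops its `docker-compose ... down` teardown, and because make aborts at the first failing recipe line, a teardown appended after the scan line would be skipped exactly when the scanner reports a CVE; capture the status and tear down in the same shell line instead, e.g. `cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner … %'; STATUS=$$?; docker-compose -f test/security/docker-compose.yml -p clair-ci down; exit $${STATUS}`. An empty or missing `./tmp/build-*.tags` also passes silently, since the pipeline's exit status is xargs's rather than cat's, so a guard such as `[ -n "$$(cat ./tmp/build-*.tags)" ]` before the scan line would make "nothing was scanned" a failure too. If the Makefile declares a `.PHONY` list outside this hunk, `ci-scan-vulnerability` belongs in it next to `scan-vulnerability`. A one-line comment above the target, `# CI variant of scan-vulnerability: no "|| echo" fallback, so a finding fails the build`, would document the only intended difference between the two recipes.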