diff --git a/.github/workflows/ec-cli-sealights.yaml b/.github/workflows/ec-cli-sealights.yaml new file mode 100644 index 000000000..d9da00aa1 --- /dev/null +++ b/.github/workflows/ec-cli-sealights.yaml @@ -0,0 +1,193 @@ +# Copyright The Enterprise Contract Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +--- +name: Sealights + +"on": + pull_request: + branches: + - main + - release-* + push: + branches: + - main + - release-* + workflow_dispatch: + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.event.pull_request.number) || github.ref }} + cancel-in-progress: true + +jobs: + + Initialize: + runs-on: ubuntu-latest + env: + SEALIGHTS_LOG_LEVEL: none + outputs: + bsid: ${{ steps.sealights-scan.outputs.bsid }} + steps: + - name: Determine workflow run event context + run: echo "on-event=${{ github.event_name }}" >> $GITHUB_ENV + + - name: Handle invalid context for pull requests + if: ${{ env.on-event == 'pull_request' && (!github.event.pull_request.head.sha || !github.event.pull_request.number) }} + run: | + echo "Invalid context for this workflow run. Exiting." + exit 1 + + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + # Needed in hack/derive-version.sh + fetch-depth: 0 + + - name: Restore Cache + uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + with: + key: main + path: '**' + + - name: Setup Go environment + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: go.mod + cache: false + + - name: Check go versions + uses: enterprise-contract/github-workflows/golang-version-check@main + + - name: Download SeaLights Go agent and CLI tool + run: | + echo "[Sealights] Downloading Sealights Golang & CLI Agents..." + case $(lscpu | awk '/Architecture:/{print $2}') in + x86_64) SL_ARCH="linux-amd64";; + arm) SL_ARCH="linux-arm64";; + esac + wget -nv -O sealights-go-agent.tar.gz https://agents.sealights.co/slgoagent/latest/slgoagent-$SL_ARCH.tar.gz + wget -nv -O sealights-slcli.tar.gz https://agents.sealights.co/slcli/latest/slcli-$SL_ARCH.tar.gz + tar -xzf ./sealights-go-agent.tar.gz && tar -xzf ./sealights-slcli.tar.gz + rm -f ./sealights-go-agent.tar.gz ./sealights-slcli.tar.gz + ./slgoagent -v 2> /dev/null | grep version && ./slcli -v 2> /dev/null | grep version + + - name: Write SeaLights token into file + run: echo "${SEALIGHTS_AGENT_TOKEN}" > sltoken.txt + env: + SEALIGHTS_AGENT_TOKEN: '${{secrets.SEALIGHTS_AGENT_TOKEN}}' + + - name: Initiating the SeaLights agent + run: | + echo "[Sealights] Initiating the SeaLights agent to Golang and handing it the token" + ./slcli config init --lang go --token ./sltoken.txt + + - name: Configuring SeaLights - on pull_request event + if: env.on-event == 'pull_request' + run: | + echo "[Sealights] Configuring SeaLights to scan the pull request branch" + echo "Latest commit sha: ${LATEST_COMMIT_SHA}" + echo "PR Number: ${PULL_REQUEST_NUMBER}" + ./slcli config create-pr-bsid --app ec-cli --target-branch "main" --pull-request-number ${PULL_REQUEST_NUMBER} --latest-commit ${LATEST_COMMIT_SHA} --repository-url https://github.com/ascerra/ec-cli.git + env: + PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} + LATEST_COMMIT_SHA: ${{github.event.pull_request.head.sha}} + + - name: Configuring SeaLights - on push event + if: env.on-event == 'push' + run: | + echo "[Sealights] Configuring SeaLights to scan the main branch after pull request was closed" + ./slcli config create-bsid --app ec-cli --branch main --build ${LATEST_COMMIT_SHA} + env: + LATEST_COMMIT_SHA: ${{ github.sha }} + + - name: Run the SeaLights scan + id: sealights-scan + run: | + echo "[Sealights] Running the SeaLights scan" + ./slcli scan --bsid buildSessionId.txt --path-to-scanner ./slgoagent --workspacepath ./ --scm git --scmBaseUrl https://github.com/ascerra/ec-cli.git --scmVersion “0” --scmProvider github + echo bsid=$(< buildSessionId.txt) | tee -a "$GITHUB_OUTPUT" + - name: clean all SeaLights secret stuff + run: | + echo "[Sealights] Cleaning up after SeaLights run" + rm sltoken.txt + + - name: Save workspace + uses: actions/cache@v4 + with: + path: ${{ github.workspace }} + key: workspace-${{ github.run_id }} + + Test: + runs-on: ubuntu-latest + needs: Initialize + env: + BSID: ${{ needs.Initialize.outputs.bsid }} + steps: + - name: Restore workspace + uses: actions/cache@v4 + with: + path: ${{ github.workspace }} + key: workspace-${{ github.run_id }} + + - name: Harden Runner + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + disable-telemetry: true + + - name: Generate + run: make generate + + - name: Test + run: make test + + - name: end test session + if: success() || failure() + run: | + ./slcli test end-stage --bsid=$BSID --executionId "Unit Tests" + + Acceptance: + runs-on: ubuntu-latest + needs: [Initialize, Test] + env: + BSID: ${{ needs.Initialize.outputs.bsid }} + SEALIGHTS_LOG_LEVEL: none + SEALIGHTS_CONNECTION_TIMEOUT: 120s + steps: + - name: Restore workspace + uses: actions/cache@v4 + with: + path: ${{ github.workspace }} + key: workspace-${{ github.run_id }} + + - name: Update podman + run: | + "${GITHUB_WORKSPACE}/hack/ubuntu-podman-update.sh" + - name: Create a test session + run: ./slcli test start-stage --bsid=$BSID --testStage "Acceptance Tests" + + - name: Acceptance test + run: make acceptance-sealights + + - name: Upload test results, end test session + if: success() || failure() + run: | + cat ./junit-acceptance.xml + ./slcli test upload-reports --bsid=$BSID --report-location ./junit-acceptance.xml + ./slcli test end-stage --bsid=$BSID --executionId "Acceptance Tests" \ No newline at end of file diff --git a/.gitignore b/.gitignore index e691a1a02..34667aa66 100644 --- a/.gitignore +++ b/.gitignore @@ -180,3 +180,6 @@ hack/**/charts # Pregenerated benchmark data benchmark/*/data.tar.gz + +# JUnit file output from acceptance tests + junit-acceptance.xml \ No newline at end of file diff --git a/Makefile b/Makefile index 55d8c2711..7971b542e 100644 --- a/Makefile +++ b/Makefile @@ -123,12 +123,25 @@ acceptance: ## Run all acceptance tests trap cleanup EXIT; \ cp -R . "$$ACCEPTANCE_WORKDIR"; \ cd "$$ACCEPTANCE_WORKDIR" && \ - go run acceptance/coverage/coverage.go && \ $(MAKE) build && \ export COVERAGE_FILEPATH="$$ACCEPTANCE_WORKDIR"; \ export COVERAGE_FILENAME="-acceptance"; \ - cd acceptance && go test -coverprofile "$$ACCEPTANCE_WORKDIR/coverage-acceptance.out" -timeout $(ACCEPTANCE_TIMEOUT) ./... && \ - go run -modfile "$$ACCEPTANCE_WORKDIR/tools/go.mod" github.com/wadey/gocovmerge "$$ACCEPTANCE_WORKDIR/coverage-acceptance.out" > "$(ROOT_DIR)/coverage-acceptance.out" + cd acceptance && SEALIGHTS_LOG_LEVEL=none go run -modfile "$$ACCEPTANCE_WORKDIR/tools/go.mod" gotest.tools/gotestsum --junitfile "$(ROOT_DIR)/junit-acceptance.xml" -- -parallel 1 -timeout $(ACCEPTANCE_TIMEOUT) ./... + +acceptance-sealights: ## Run all acceptance tests with sealights integration + @ACCEPTANCE_WORKDIR="$$(mktemp -d)"; \ + cleanup() { \ + cp "$${ACCEPTANCE_WORKDIR}"/features/__snapshots__/* "$(ROOT_DIR)"/features/__snapshots__/; \ + }; \ + trap cleanup EXIT; \ + cp -R . "$$ACCEPTANCE_WORKDIR"; \ + cd "$$ACCEPTANCE_WORKDIR" && \ + $(MAKE) build && \ + export COVERAGE_FILEPATH="$$ACCEPTANCE_WORKDIR"; \ + export COVERAGE_FILENAME="-acceptance"; \ + ls -la; \ + ./slcli scan --tests-runner --workspacepath "acceptance" --path-to-scanner ./slgoagent --scm none; \ + cd acceptance && SEALIGHTS_LOG_LEVEL=none go run -modfile "$$ACCEPTANCE_WORKDIR/tools/go.mod" gotest.tools/gotestsum --junitfile "$(ROOT_DIR)/junit-acceptance.xml" -- -parallel 1 -timeout $(ACCEPTANCE_TIMEOUT) ./... # Add @focus above the feature you're hacking on to use this # (Mainly for use with the feature-% target below) diff --git a/internal/rego/oci/oci.go b/internal/rego/oci/oci.go index 4c6168189..5cfaf97c2 100644 --- a/internal/rego/oci/oci.go +++ b/internal/rego/oci/oci.go @@ -130,7 +130,7 @@ func registerOCIDescriptor() { // a declaration that does include the description. ast.RegisterBuiltin(&ast.Builtin{ Name: decl.Name, - Description: "Fetch a raw Image from an OCI registry.", + Description: "Code change to test sealights", Decl: decl.Decl, Nondeterministic: decl.Nondeterministic, }) diff --git a/internal/rego/purl/purl.go b/internal/rego/purl/purl.go index 5e91983e3..9cfc4ea68 100644 --- a/internal/rego/purl/purl.go +++ b/internal/rego/purl/purl.go @@ -75,6 +75,7 @@ func registerPURLParse() { {Key: "namespace", Value: types.S}, {Key: "name", Value: types.S}, {Key: "version", Value: types.S}, + {Key: "change-in-code", Value: types.S}, {Key: "qualifiers", Value: types.NewArray( nil, types.NewObject( []*types.StaticProperty{ diff --git a/tools/go.mod b/tools/go.mod index 57bc581f0..109c78baf 100644 --- a/tools/go.mod +++ b/tools/go.mod @@ -121,6 +121,7 @@ require ( github.com/basgys/goxml2json v1.1.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect + github.com/bitfield/gotestdox v0.2.2 // indirect github.com/bkielbasa/cyclop v1.2.3 // indirect github.com/blang/semver v3.5.1+incompatible // indirect github.com/blang/semver/v4 v4.0.0 // indirect @@ -164,6 +165,7 @@ require ( github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect github.com/distribution/reference v0.6.0 // indirect + github.com/dnephin/pflag v1.0.7 // indirect github.com/docker/cli v27.2.0+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker v27.2.0+incompatible // indirect @@ -185,7 +187,7 @@ require ( github.com/fatih/structtag v1.2.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/firefart/nonamedreturns v1.0.5 // indirect - github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fsnotify/fsnotify v1.8.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/fzipp/gocyclo v0.6.0 // indirect github.com/gdamore/encoding v1.0.1 // indirect @@ -533,6 +535,7 @@ require ( gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect + gotest.tools/gotestsum v1.12.1 // indirect honnef.co/go/tools v0.5.1 // indirect k8s.io/api v0.32.2 // indirect k8s.io/apiextensions-apiserver v0.32.2 // indirect diff --git a/tools/go.sum b/tools/go.sum index 8620c340e..eb2bdb707 100644 --- a/tools/go.sum +++ b/tools/go.sum @@ -455,6 +455,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas= github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4= +github.com/bitfield/gotestdox v0.2.2 h1:x6RcPAbBbErKLnapz1QeAlf3ospg8efBsedU93CDsnE= +github.com/bitfield/gotestdox v0.2.2/go.mod h1:D+gwtS0urjBrzguAkTM2wodsTQYFHdpx8eqRJ3N+9pY= github.com/bitly/go-simplejson v0.5.0 h1:6IH+V8/tVMab511d5bn4M7EwGXZf9Hj6i2xSwkNEM+Y= github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA= github.com/bkielbasa/cyclop v1.2.3 h1:faIVMIGDIANuGPWH031CZJTi2ymOQBULs9H21HSMa5w= @@ -620,6 +622,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= +github.com/dnephin/pflag v1.0.7 h1:oxONGlWxhmUct0YzKTgrpQv9AUA1wtPBn7zuSjJqptk= +github.com/dnephin/pflag v1.0.7/go.mod h1:uxE91IoWURlOiTUIA8Mq5ZZkAv3dPUfZNaT80Zm7OQE= github.com/docker/cli v27.2.0+incompatible h1:yHD1QEB1/0vr5eBNpu8tncu8gWxg8EydFPOSKHzXSMM= github.com/docker/cli v27.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= @@ -690,6 +694,8 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M= +github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo= @@ -2475,6 +2481,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +gotest.tools/gotestsum v1.12.1 h1:dvcxFBTFR1QsQmrCQa4k/vDXow9altdYz4CjdW+XeBE= +gotest.tools/gotestsum v1.12.1/go.mod h1:mwDmLbx9DIvr09dnAoGgQPLaSXszNpXpWo2bsQge5BE= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg= diff --git a/tools/tools.go b/tools/tools.go index 0b4b7891c..cbda6d7d1 100644 --- a/tools/tools.go +++ b/tools/tools.go @@ -25,6 +25,7 @@ import ( _ "github.com/tektoncd/chains/pkg/chains" _ "github.com/tektoncd/cli/cmd/tkn" _ "github.com/wadey/gocovmerge" + _ "gotest.tools/gotestsum" _ "helm.sh/helm/v3/cmd/helm" _ "k8s.io/kubernetes/cmd/kubectl" _ "sigs.k8s.io/kustomize/kustomize/v5"