Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
mimaison merged PR #15013: URL: https://github.com/apache/kafka/pull/15013 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1535995024 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,43 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: Review Comment: Sounds good. I will add a manual option as well. Maybe a different workflow altogether for running manually will be better. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1535992897 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,43 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: Review Comment: These have been fixed in the base image. Whenever we will rebuild this image, these CVEs will get fixed. I ran the pipeline for latest kafka source code which rebuilt the docker image and ran CVE scan on it in my repo https://github.com/VedarthConfluent/test-github-actions/actions/runs/8394467774 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1535992897 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,43 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: Review Comment: These have been fixed in the base image. Whenever we will rebuild this image, these CVEs will get fixed. I ran the pipeline for 3.7.0 kafka binary which rebuilt the docker image and ran CVE scan on it in my repo https://github.com/VedarthConfluent/test-github-actions/actions/runs/8394467774 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1535989381 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,43 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: Review Comment: Yes that's correct it's because of detected CVEs. Seems like these are CVEs in the base image -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
mimaison commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1535628671 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,43 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: Review Comment: I did that on my fork to test the action: https://github.com/mimaison/kafka/actions/runs/8391370100 The action failed, is it because it detected CVEs? This is the report it produced: ``` apache/kafka:3.7.0 (alpine 3.19.1) == Total: 2 (HIGH: 2, CRITICAL: 0) ┌──┬┬──┬┬───┬───┬─┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │Title│ ├──┼┼──┼┼───┼───┼─┤ │ libexpat │ CVE-2023-52425 │ HIGH │ fixed │ 2.5.0-r2 │ 2.6.0-r0 │ expat: parsing large tokens can trigger a denial of service │ │ ││ ││ │ │ https://avd.aquasec.com/nvd/cve-2023-52425 │ │ ├┤ ││ ├───┼─┤ │ │ CVE-2024-28757 │ ││ │ 2.6.2-r0 │ expat: XML Entity Expansion │ │ ││ ││ │ │ https://avd.aquasec.com/nvd/cve-2024-28757 │ └──┴┴──┴┴───┴───┴─┘ ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
mimaison commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1535628671 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,43 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: Review Comment: I did that on my fork to test the action: https://github.com/mimaison/kafka/actions/runs/8391370100 The action failed, is it because it detected CVEs? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
mimaison commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1535628671 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,43 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: Review Comment: I did that on my fork to test the action. The action failed, is it because it detected a CVE? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
mimaison commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1535627617 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,43 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: Review Comment: Can we also add the option to trigger this action manually? This may be useful to check if a fix works. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013:
URL: https://github.com/apache/kafka/pull/15013#discussion_r1535081050
##
.github/workflows/docker_scan.yml:
##
@@ -0,0 +1,43 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker Image CVE Scanner
+on:
+ schedule:
+# This job will run at 3:30 UTC daily
+- cron: '30 3 * * *'
+jobs:
+ scan_jvm:
+runs-on: ubuntu-latest
+strategy:
+ matrix:
+# This is an array of supported tags. Make sure this array only
contains the supported tags
+supported_image_tag: ['3.7.0']
+steps:
+ - name: Run CVE scan
+uses: aquasecurity/trivy-action@master
+if: always()
+with:
+ image-ref: apache/kafka:${{ matrix.supported_image_tag }}
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+ exit-code: '1'
+ - name: Upload CVE scan report
Review Comment:
I have created the following jira to track this
https://issues.apache.org/jira/browse/KAFKA-16400
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013:
URL: https://github.com/apache/kafka/pull/15013#discussion_r1534434427
##
.github/workflows/docker_scan.yml:
##
@@ -0,0 +1,43 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker Image CVE Scanner
+on:
+ schedule:
+# This job will run at 3:30 UTC daily
+- cron: '30 3 * * *'
+jobs:
+ scan_jvm:
+runs-on: ubuntu-latest
+strategy:
+ matrix:
+# This is an array of supported tags. Make sure this array only
contains the supported tags
+supported_image_tag: ['3.7.0']
+steps:
+ - name: Run CVE scan
+uses: aquasecurity/trivy-action@master
+if: always()
+with:
+ image-ref: apache/kafka:${{ matrix.supported_image_tag }}
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+ exit-code: '1'
+ - name: Upload CVE scan report
Review Comment:
Sounds good to me!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
mimaison commented on code in PR #15013:
URL: https://github.com/apache/kafka/pull/15013#discussion_r1534417939
##
.github/workflows/docker_scan.yml:
##
@@ -0,0 +1,43 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker Image CVE Scanner
+on:
+ schedule:
+# This job will run at 3:30 UTC daily
+- cron: '30 3 * * *'
+jobs:
+ scan_jvm:
+runs-on: ubuntu-latest
+strategy:
+ matrix:
+# This is an array of supported tags. Make sure this array only
contains the supported tags
+supported_image_tag: ['3.7.0']
+steps:
+ - name: Run CVE scan
+uses: aquasecurity/trivy-action@master
+if: always()
+with:
+ image-ref: apache/kafka:${{ matrix.supported_image_tag }}
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+ exit-code: '1'
+ - name: Upload CVE scan report
Review Comment:
Thanks for the clarifications. I guess we can merge as is for now and follow
up in another PR for changing the notification system.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013:
URL: https://github.com/apache/kafka/pull/15013#discussion_r1534363653
##
.github/workflows/docker_scan.yml:
##
@@ -0,0 +1,43 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker Image CVE Scanner
+on:
+ schedule:
+# This job will run at 3:30 UTC daily
+- cron: '30 3 * * *'
+jobs:
+ scan_jvm:
+runs-on: ubuntu-latest
+strategy:
+ matrix:
+# This is an array of supported tags. Make sure this array only
contains the supported tags
+supported_image_tag: ['3.7.0']
+steps:
+ - name: Run CVE scan
+uses: aquasecurity/trivy-action@master
+if: always()
+with:
+ image-ref: apache/kafka:${{ matrix.supported_image_tag }}
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+ exit-code: '1'
+ - name: Upload CVE scan report
Review Comment:
The CVE report is uploaded in github actions workflow only. Just like build
test workflow one can download and check the report.
In case pipeline fails, github actions sends out an email to github user who
last edited the workflow.
There doesn't seem to be any native setting to control email notification
for individual workflows where we can specify the email addresses that should
get notified.
There are github actions that can send emails, but they are not github
certified, so I don't think they will be allowed as there are restrictions on
what github actions can run on Apache's repos. So probably it will be better to
send email via some cli tool. Will need a bot email for that.
I'll explore this and update here
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013:
URL: https://github.com/apache/kafka/pull/15013#discussion_r1534363653
##
.github/workflows/docker_scan.yml:
##
@@ -0,0 +1,43 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker Image CVE Scanner
+on:
+ schedule:
+# This job will run at 3:30 UTC daily
+- cron: '30 3 * * *'
+jobs:
+ scan_jvm:
+runs-on: ubuntu-latest
+strategy:
+ matrix:
+# This is an array of supported tags. Make sure this array only
contains the supported tags
+supported_image_tag: ['3.7.0']
+steps:
+ - name: Run CVE scan
+uses: aquasecurity/trivy-action@master
+if: always()
+with:
+ image-ref: apache/kafka:${{ matrix.supported_image_tag }}
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+ exit-code: '1'
+ - name: Upload CVE scan report
Review Comment:
The CVE report is uploaded in github actions workflow only. Just like build
test workflow one can download and check the report.
In case pipeline fails, github actions sends out an email to github user who
last edited the workflow.
There doesn't seem to be any native setting to control email notification
for individual workflows where we can specify the email addresses that should
get notified.
There are github actions that can send emails, but they are not github
certified, so I don't think they will be allowed as there are restrictions on
what github actions can run on Apache's repos.
I'll explore if there is a way to send the mail to dev list on failure of
the workflow
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013:
URL: https://github.com/apache/kafka/pull/15013#discussion_r1534363653
##
.github/workflows/docker_scan.yml:
##
@@ -0,0 +1,43 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker Image CVE Scanner
+on:
+ schedule:
+# This job will run at 3:30 UTC daily
+- cron: '30 3 * * *'
+jobs:
+ scan_jvm:
+runs-on: ubuntu-latest
+strategy:
+ matrix:
+# This is an array of supported tags. Make sure this array only
contains the supported tags
+supported_image_tag: ['3.7.0']
+steps:
+ - name: Run CVE scan
+uses: aquasecurity/trivy-action@master
+if: always()
+with:
+ image-ref: apache/kafka:${{ matrix.supported_image_tag }}
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+ exit-code: '1'
+ - name: Upload CVE scan report
Review Comment:
The CVE report is uploaded in github actions workflow only. Just like build
test workflow one can download and check the report.
In case pipeline fails, github actions sends out an email to github user who
last edited the workflow.
There doesn't seem to be any native setting to control email notification
for individual workflows where we can specify the email addresses that should
get notified.
There are github actions that can send emails, but they are not github
certified, so I don't think they will be allowed as there are restrictions on
what github actions can run on Apache's repos.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
mimaison commented on code in PR #15013:
URL: https://github.com/apache/kafka/pull/15013#discussion_r1534135664
##
.github/workflows/docker_scan.yml:
##
@@ -0,0 +1,43 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker Image CVE Scanner
+on:
+ schedule:
+# This job will run at 3:30 UTC daily
+- cron: '30 3 * * *'
+jobs:
+ scan_jvm:
+runs-on: ubuntu-latest
+strategy:
+ matrix:
+# This is an array of supported tags. Make sure this array only
contains the supported tags
+supported_image_tag: ['3.7.0']
+steps:
+ - name: Run CVE scan
+uses: aquasecurity/trivy-action@master
+if: always()
+with:
+ image-ref: apache/kafka:${{ matrix.supported_image_tag }}
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+ output: scan_report_jvm_${{ matrix.supported_image_tag }}.txt
+ exit-code: '1'
+ - name: Upload CVE scan report
Review Comment:
Where is the CVE report uploaded?
Also should we email the dev list on failures? otherwise this relies on
committers checking the result daily.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1477311393 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,41 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: +- cron: '30 3 * * *' +jobs: + scan_jvm: +runs-on: ubuntu-latest +strategy: + matrix: +supported_image_tag: ['3.7.0-rc1'] Review Comment: Yes, it will be part of the post release process. Once a release is done this array of supported tags need to be updated. I will update the wiki once 3.7.0 is released and this PR is merged. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
VedarthConfluent commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1477310892 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,41 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: +- cron: '30 3 * * *' Review Comment: Done -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] KAFKA-15882: Add nightly docker image scan job [kafka]
mimaison commented on code in PR #15013: URL: https://github.com/apache/kafka/pull/15013#discussion_r1476129852 ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,41 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: +- cron: '30 3 * * *' +jobs: + scan_jvm: +runs-on: ubuntu-latest +strategy: + matrix: +supported_image_tag: ['3.7.0-rc1'] Review Comment: How will this tag be updated? Is it part of the release process? ## .github/workflows/docker_scan.yml: ## @@ -0,0 +1,41 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +#http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Docker Image CVE Scanner +on: + schedule: +- cron: '30 3 * * *' Review Comment: Nit: Can we add a comment to tell "This runs daily at 3:30am" -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
