buildah-sast: buildful SAST scanning with GCC Analyzer

Related: https://issues.redhat.com/browse/STONEBLD-2804 Related: https://issues.redhat.com/browse/OSH-714 Resolves: https://issues.redhat.com/browse/OSH-770
konflux-ci · Oct 25, 2024 · 535258d · 535258d
1 parent 8e03ea8
commit 535258d
Showing 1 changed file with 39 additions and 8 deletions.
diff --git a/task/buildah-sast/0.2/patch.yaml b/task/buildah-sast/0.2/patch.yaml
@@ -42,7 +42,7 @@
 - op: replace
   path: /spec/steps/0/image
   # New image shoould be based on quay.io/konflux-ci/buildah-task:latest or have all the tooling that the original image has.
-  value: quay.io/konflux-ci/buildah-task:latest
+  value: quay.io/kdudka/buildah-csutils:latest
 
   # Change build step resources
 - op: replace
@@ -58,15 +58,20 @@
   value:
     name: ADDITIONAL_VOLUME_MOUNTS
     value: |-
-      /tmp/sast-scan-results:/sast-scan-results
+      /shared:/shared
+      /usr/bin/csgcca:/usr/bin/csgcca
+      /usr/bin/cswrap:/usr/bin/cswrap
+      /usr/lib64/csgcca:/usr/lib64/csgcca
+      /usr/lib64/cswrap:/usr/lib64/cswrap
+      /usr/libexec/csgrep-static:/usr/libexec/csgrep-static
 
 # Add prepare and postprocess steps
   # Prepare step
 - op: add
   path: /spec/steps/0
   value:
     name: prepare
-    image: quay.io/konflux-ci/buildah-task:latest
+    image: quay.io/kdudka/buildah-csutils:latest
     computeResources:
       limits:
         memory: 1Gi
@@ -79,6 +84,8 @@
       - name: DOCKERFILE
         value: $(params.DOCKERFILE)
     script: |
+      set -x
+
       # Dockerfile discovery logic is copied from buildah task
       SOURCE_CODE_DIR=source
       if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
@@ -103,8 +110,27 @@
         exit 1
       fi
 
-      # Modify Dockerfile
-      sed '1 i\ARG NEW_ARG=default-value' $dockerfile_path | tee /shared/Containerfile
+      # pre-create directory for SAST scaning results
+      sast_dir="/shared/sast-results"
+      mkdir "${sast_dir}"
+      touch "${sast_dir}/empty.txt"
+
+      # create a wrapper script to instrument RUN lines
+      tee /shared/cmd-wrap.sh << EOF
+      #!/bin/bash -x
+      env "PATH=/usr/lib64/csgcca:/usr/lib64/cswrap:\$PATH" CSWRAP_TIMEOUT=30 CSWRAP_TIMEOUT_FOR=gcc CSWRAP_CAP_FILE="${sast_dir}/gcc-\$\$.txt" "\$@"
+      EC=\$?
+      src="${sast_dir}/gcc-\$\$.txt"
+      if test -f "\$src"; then
+        /usr/libexec/csgrep-static --mode=json --event=^warning --embed-context=3 --quiet "\$src" >"${sast_dir}/gcc-\$\$.json"
+        rm -f "\$src"
+      fi
+      exit \$EC
+      EOF
+      chmod 0755 /shared/cmd-wrap.sh
+
+      # instrument all RUN lines in Dockerfile
+      cstrans-df-run --verbose /shared/cmd-wrap.sh < "$dockerfile_path" > /shared/Containerfile
 
   # Make the buildah task use the instrumented Dockerfile
 - op: replace
@@ -116,7 +142,7 @@
   path: /spec/steps/2
   value:
     name: postprocess
-    image: quay.io/konflux-ci/buildah-task:latest
+    image: quay.io/kdudka/buildah-csutils:latest
     computeResources:
       limits:
         memory: 1Gi
@@ -126,8 +152,13 @@
         cpu: '0.5'
     workingDir: $(workspaces.source.path)
     script: |
-      ls -l /shared
-      echo 'Postprocessing SAST results'
+      set -x
+      sast_dir="/shared/sast-results"
+      ls -l "$sast_dir"
+
+      # read the collected SAST scanning results
+      (set -x && cd "$sast_dir" && csgrep --mode=sarif --event=^warning --remove-duplicates ./*) \
+        | tee sast.sarif | csgrep
 
       # buildah push quay.io/results-image
       echo "buildah push quay.io/results-image"