|
36 | 36 | "if set to release, all risks will be reported" |
37 | 37 | ), |
38 | 38 | ) |
| 39 | +parser.add_argument( |
| 40 | + "--skip-source-code", |
| 41 | + action="store_true", |
| 42 | + default=False, |
| 43 | + help="Skip processing source code scanning results", |
| 44 | +) |
| 45 | +parser.add_argument( |
| 46 | + "--skip-container", |
| 47 | + action="store_true", |
| 48 | + default=False, |
| 49 | + help="Skip processing container scanning results", |
| 50 | +) |
39 | 51 | args = parser.parse_args() |
40 | 52 |
|
41 | | -LICENSE_CHECK_TOKEN = os.environ.get("LICENSE_CHECK_TOKEN") |
| 53 | +LICENSE_CHECK_TOKEN = os.environ.get("LICENSE_CHECK_TOKEN", "") |
42 | 54 | if not LICENSE_CHECK_TOKEN: |
43 | 55 | raise EnvironmentError("Error: Environment variable 'LICENSE_CHECK_TOKEN' is not set!") |
44 | 56 |
|
|
59 | 71 |
|
60 | 72 | def process_result(): |
61 | 73 | RISKY_DEPENDENCIES = [] |
62 | | - |
63 | | - last_source_vulns = get_last_scan_results("source_code_vulnerability", args.ref) |
64 | | - source_vulns = submit_source_code_vulns( |
65 | | - os.path.join(args.report_directory, "source_code/vulns.json"), |
66 | | - last_source_vulns, |
67 | | - **SUBMIT_KWARG, |
68 | | - ) |
69 | | - if len(source_vulns) > 0: |
70 | | - RISKY_DEPENDENCIES.append(f"{len(source_vulns)} new source code vulnerability") |
71 | | - |
72 | | - last_source_licenses = get_last_scan_results("source_code_license", args.ref) |
73 | | - source_licenses = submit_source_code_licenses( |
74 | | - os.path.join(args.report_directory, "source_code/sbom.json"), |
75 | | - last_source_licenses, |
76 | | - **SUBMIT_KWARG, |
77 | | - license_check_token=LICENSE_CHECK_TOKEN, |
78 | | - ) |
79 | | - if source_licenses is None: |
80 | | - RISKY_DEPENDENCIES.append("source code SBOM not found") |
81 | | - sbom_missing = True |
82 | | - else: |
83 | | - sbom_missing = False |
84 | | - if len(source_licenses) > 0: |
| 74 | + source_licenses = [] |
| 75 | + count_container_licenses = 0 |
| 76 | + |
| 77 | + if not args.skip_source_code: |
| 78 | + last_source_vulns = get_last_scan_results("source_code_vulnerability", args.ref) |
| 79 | + source_vulns = submit_source_code_vulns( |
| 80 | + os.path.join(args.report_directory, "source_code/vulns.json"), |
| 81 | + last_source_vulns, |
| 82 | + **SUBMIT_KWARG, |
| 83 | + ) |
| 84 | + if len(source_vulns) > 0: |
| 85 | + RISKY_DEPENDENCIES.append(f"{len(source_vulns)} new source code vulnerability") |
| 86 | + |
| 87 | + last_source_licenses = get_last_scan_results("source_code_license", args.ref) |
| 88 | + source_licenses = submit_source_code_licenses( |
| 89 | + os.path.join(args.report_directory, "source_code/sbom.json"), |
| 90 | + last_source_licenses, |
| 91 | + **SUBMIT_KWARG, |
| 92 | + license_check_token=LICENSE_CHECK_TOKEN, |
| 93 | + ) |
| 94 | + if source_licenses is None: |
| 95 | + RISKY_DEPENDENCIES.append("source code SBOM not found") |
| 96 | + else: |
| 97 | + if len(source_licenses) > 0: |
| 98 | + RISKY_DEPENDENCIES.append( |
| 99 | + f"{len(source_licenses)} new source code non-permissive license" |
| 100 | + ) |
| 101 | + |
| 102 | + if not args.skip_container: |
| 103 | + last_container_vulns = get_last_scan_results("container_vulnerability", args.ref) |
| 104 | + amd64_container_vulns = submit_container_vulns( |
| 105 | + os.path.join(args.report_directory, "release_amd64/vulns.json"), |
| 106 | + os.path.join(args.report_directory, "base_amd64/vulns.json"), |
| 107 | + "amd64", |
| 108 | + last_container_vulns, |
| 109 | + **SUBMIT_KWARG, |
| 110 | + ) |
| 111 | + arm64_container_vulns = submit_container_vulns( |
| 112 | + os.path.join(args.report_directory, "release_arm64/vulns.json"), |
| 113 | + os.path.join(args.report_directory, "base_arm64/vulns.json"), |
| 114 | + "arm64", |
| 115 | + last_container_vulns, |
| 116 | + **SUBMIT_KWARG, |
| 117 | + ) |
| 118 | + count_container_vulns = len(amd64_container_vulns + arm64_container_vulns) |
| 119 | + if count_container_vulns > 0: |
| 120 | + RISKY_DEPENDENCIES.append(f"{count_container_vulns} new container vulnerability") |
| 121 | + |
| 122 | + last_container_licenses = get_last_scan_results("container_license", args.ref) |
| 123 | + amd64_container_licenses = submit_container_licenses( |
| 124 | + os.path.join(args.report_directory, "release_amd64/licenses.json"), |
| 125 | + os.path.join(args.report_directory, "base_amd64/licenses.json"), |
| 126 | + "amd64", |
| 127 | + last_container_licenses, |
| 128 | + **SUBMIT_KWARG, |
| 129 | + license_check_token=LICENSE_CHECK_TOKEN, |
| 130 | + ) |
| 131 | + arm64_container_licenses = submit_container_licenses( |
| 132 | + os.path.join(args.report_directory, "release_arm64/licenses.json"), |
| 133 | + os.path.join(args.report_directory, "base_arm64/licenses.json"), |
| 134 | + "arm64", |
| 135 | + last_container_licenses, |
| 136 | + **SUBMIT_KWARG, |
| 137 | + license_check_token=LICENSE_CHECK_TOKEN, |
| 138 | + ) |
| 139 | + count_container_licenses = len(amd64_container_licenses + arm64_container_licenses) |
| 140 | + if count_container_licenses > 0: |
85 | 141 | RISKY_DEPENDENCIES.append( |
86 | | - f"{len(source_licenses)} new source code non-permissive license" |
| 142 | + f"{count_container_licenses} new container non-permissive license" |
87 | 143 | ) |
88 | 144 |
|
89 | | - last_container_vulns = get_last_scan_results("container_vulnerability", args.ref) |
90 | | - amd64_container_vulns = submit_container_vulns( |
91 | | - os.path.join(args.report_directory, "release_amd64/vulns.json"), |
92 | | - os.path.join(args.report_directory, "base_amd64/vulns.json"), |
93 | | - "amd64", |
94 | | - last_container_vulns, |
95 | | - **SUBMIT_KWARG, |
96 | | - ) |
97 | | - arm64_container_vulns = submit_container_vulns( |
98 | | - os.path.join(args.report_directory, "release_arm64/vulns.json"), |
99 | | - os.path.join(args.report_directory, "base_arm64/vulns.json"), |
100 | | - "arm64", |
101 | | - last_container_vulns, |
102 | | - **SUBMIT_KWARG, |
103 | | - ) |
104 | | - count_container_vulns = len(amd64_container_vulns + arm64_container_vulns) |
105 | | - if count_container_vulns > 0: |
106 | | - RISKY_DEPENDENCIES.append(f"{count_container_vulns} new container vulnerability") |
107 | | - |
108 | | - last_container_licenses = get_last_scan_results("container_license", args.ref) |
109 | | - amd64_container_licenses = submit_container_licenses( |
110 | | - os.path.join(args.report_directory, "release_amd64/licenses.json"), |
111 | | - os.path.join(args.report_directory, "base_amd64/licenses.json"), |
112 | | - "amd64", |
113 | | - last_container_licenses, |
114 | | - **SUBMIT_KWARG, |
115 | | - license_check_token=LICENSE_CHECK_TOKEN, |
116 | | - ) |
117 | | - arm64_container_licenses = submit_container_licenses( |
118 | | - os.path.join(args.report_directory, "release_arm64/licenses.json"), |
119 | | - os.path.join(args.report_directory, "base_arm64/licenses.json"), |
120 | | - "arm64", |
121 | | - last_container_licenses, |
122 | | - **SUBMIT_KWARG, |
123 | | - license_check_token=LICENSE_CHECK_TOKEN, |
124 | | - ) |
125 | | - count_container_licenses = len(amd64_container_licenses + arm64_container_licenses) |
126 | | - if count_container_licenses > 0: |
127 | | - RISKY_DEPENDENCIES.append( |
128 | | - f"{count_container_licenses} new container non-permissive license" |
129 | | - ) |
130 | | - |
131 | 145 | if RISKY_DEPENDENCIES: |
132 | 146 | detail = ", ".join(RISKY_DEPENDENCIES) |
133 | 147 | status = "unstable" |
134 | 148 | if args.scan_mode == "monitor": |
135 | 149 | post_slack_msg(args.build_number, args.ref, detail) |
136 | 150 | if ( |
137 | 151 | args.scan_mode == "release" |
138 | | - and not sbom_missing |
| 152 | + and source_licenses is not None |
139 | 153 | and count_container_licenses + len(source_licenses) == 0 |
140 | 154 | ): |
141 | 155 | status = "success" |
|
0 commit comments