DAOS-16846 test: Add in GCP client and server images and GHA testing #15558

Draft
wants to merge 2 commits into
base: master

mlawsonca
Collaborator

Run-GHA: true

Required-githooks: true

Before requesting gatekeeper:

  • Two review approvals and any prior change requests have been resolved.
  • Testing is complete and all tests passed or there is a reason documented in the PR why it should be force landed and forced-landing tag is set.
  • Features: (or Test-tag*) commit pragma was used or there is a reason documented that there are no appropriate tags for this PR.
  • Commit messages follow the guidelines outlined here.
  • Any tests skipped by the ticket being addressed have been run and passed in the PR.

Gatekeeper:

  • You are the appropriate gatekeeper to be landing the patch.
  • The PR has 2 reviews by people familiar with the code, including appropriate owners.
  • Githooks were used. If not, request that user install them and check copyright dates.
  • Checkpatch issues are resolved. Pay particular attention to ones that will show up on future PRs.
  • All builds have passed. Check non-required builds for any new compiler warnings.
  • Sufficient testing is done. Check feature pragmas and test tags and that tests skipped for the ticket are run and now pass with the changes.
  • If applicable, the PR has addressed any potential version compatibility issues.
  • Check the target branch. If it is master branch, should the PR go to a feature branch? If it is a release branch, does it have merge approval in the JIRA ticket?
  • Extra checks if forced landing is requested
    • Review comments are sufficiently resolved, particularly by prior reviewers that requested changes.
    • No new NLT or valgrind warnings. Check the classic view.
    • Quick-build or Quick-functional is not used.
  • Fix the commit message upon landing. Check the standard here. Edit it to create a single commit. If necessary, ask submitter for a new summary.

Run-GHA: true

Required-githooks: true

Signed-off-by: Margaret Lawson <[email protected]>
dequoted_message: ${{ steps.get-commit-message.outputs.text }}
steps:
- name: Checkout code
uses: actions/checkout@v4

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 1: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue
echo "DISTRO_VERSION=$DISTRO_VERSION" >> $GITHUB_ENV
echo "STAGE_NAME=Build RPM on $DISTRO_NAME $DISTRO_VERSION" >> $GITHUB_ENV
- name: Checkout code
uses: actions/checkout@v4

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 1: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue
--build-arg RAFT_HASH={RAFT_HASH}
--build-arg PMDK_HASH=${PMDK_HASH}
- name: Update commit status
uses: ouzi-dev/commit-status-updater@v2
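
Review bot: `--build-arg RAFT_HASH={RAFT_HASH}` is missing the `$`, so the build receives the literal string `{RAFT_HASH}` rather than the variable's value; the next line, `--build-arg PMDK_HASH=${PMDK_HASH}`, has the intended form. Change it to `--build-arg RAFT_HASH=${RAFT_HASH}`.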

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 1: third-party GitHubAction not pinned by hash
Click Remediation section below to solve this issue
echo "DAOS_DOCKER_IMAGE=$DAOS_DOCKER_IMAGE" >> $GITHUB_ENV
echo "STAGE_NAME=Build Server Images" >> $GITHUB_ENV
- name: Checkout code
uses: actions/checkout@v4

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 1: GitHub-owned GitHubAction not pinned by hash
Click Remediation section below to solve this issue
--build-arg DAOS_BUILD_TYPE="release"
--build-arg GHA="true"
- name: Update commit status
uses: ouzi-dev/commit-status-updater@v2
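
Review bot: `uses: ouzi-dev/commit-status-updater@v2` references a third-party action by a mutable tag, so a retagged `v2` changes the code this job runs without any change in this repository. Pin it to the full commit SHA and keep the version as a trailing comment, for example `uses: ouzi-dev/commit-status-updater@<full-commit-sha> # v2` (placeholder, not a real hash); the same applies to the `actions/checkout@v4` steps.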

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 1: third-party GitHubAction not pinned by hash
Click Remediation section below to solve this issue
Comment on lines +177 to +188
RUN virtualenv venv && \
source venv/bin/activate && \
pip install --upgrade pip && \
{ [[ -f requirements-build.txt ]] && pip install -r requirements-build.txt || pip install -r requirements.txt; } && \
echo "Building fuse" && \
scons --jobs="$(nproc --all)" --build-deps=only \
USE_INSTALLED=spdk,pmdk,ucx,mercury,ofi,argobots,isal,isal_crypto && \
cp install/prereq/release/fuse/lib64/libfuse3.a /usr/lib64 && \
cp -r install/prereq/release/fuse/include/* /usr/include && \
echo "Building daos RPM" && \
scons --jobs="$(nproc --all)" --build-deps=yes rpms BUILD_TYPE="$DAOS_BUILD_TYPE" \
TARGET_TYPE="release"
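
Review bot: In `{ [[ -f requirements-build.txt ]] && pip install -r requirements-build.txt || pip install -r requirements.txt; }` the `||` branch also runs when `requirements-build.txt` exists but its install fails, so a broken build-requirements install silently falls back to `requirements.txt` and the layer still succeeds. Use an explicit `if [[ -f requirements-build.txt ]]; then pip install -r requirements-build.txt; else pip install -r requirements.txt; fi` so a failed install stops the build. `source` and `[[` also need bash, so this `RUN` relies on a `SHELL` instruction that is not visible in these lines.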

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 1: pipCommand not pinned by hash
Click Remediation section below to solve this issue
@@ -0,0 +1,26 @@
ARG BASE=rockylinux/rockylinux:8
FROM $BASE

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 1: containerImage not pinned by hash
Click Remediation section below to solve this issue
@@ -0,0 +1,13 @@
ARG BASE=rockylinux/rockylinux:8
FROM $BASE

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 1: containerImage not pinned by hash
Click Remediation section below to solve this issue
ARG BUILD_BASE=rockylinux/rockylinux:8
ARG BASE=rockylinux/rockylinux:8

FROM $BUILD_BASE as builder
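
Review bot: Both `ARG BUILD_BASE` and `ARG BASE` default to the floating tag `rockylinux/rockylinux:8`, so the builder and the final image can change between runs with no change to this file. Pin the defaults by digest, for example `ARG BUILD_BASE=rockylinux/rockylinux:8@sha256:<digest>` (placeholder), and let callers override through `--build-arg` as they already can. Minor style point on `FROM $BUILD_BASE as builder`: write `AS` in upper case to match `FROM`.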

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 1: containerImage not pinned by hash
Click Remediation section below to solve this issue
fi

# Start a new image from the base image.
FROM $BASE

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 1: containerImage not pinned by hash
Click Remediation section below to solve this issue
--hash=sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597 \
--hash=sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df
# via requests
cryptography==40.0.2 \

Check failure

Code scanning / Trivy

python-cryptography: SSH certificate encoding/parsing incompatibility with OpenSSH High

Package: cryptography
Installed Version: 40.0.2
Vulnerability CVE-2023-38325
Severity: HIGH
Fixed Version: 41.0.2
Link: CVE-2023-38325
--hash=sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597 \
--hash=sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df
# via requests
cryptography==40.0.2 \

Check failure

Code scanning / Trivy

python-cryptography: Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659 High

Package: cryptography
Installed Version: 40.0.2
Vulnerability CVE-2023-50782
Severity: HIGH
Fixed Version: 42.0.0
Link: CVE-2023-50782
--hash=sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597 \
--hash=sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df
# via requests
cryptography==40.0.2 \

Check failure

Code scanning / Trivy

python-cryptography: NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override High

Package: cryptography
Installed Version: 40.0.2
Vulnerability CVE-2024-26130
Severity: HIGH
Fixed Version: 42.0.4
Link: CVE-2024-26130
--hash=sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597 \
--hash=sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df
# via requests
cryptography==40.0.2 \

Check warning

Code scanning / Trivy

python-cryptography: NULL-dereference when loading PKCS7 certificates Medium

Package: cryptography
Installed Version: 40.0.2
Vulnerability CVE-2023-49083
Severity: MEDIUM
Fixed Version: 41.0.6
Link: CVE-2023-49083
--hash=sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597 \
--hash=sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df
# via requests
cryptography==40.0.2 \
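
Review bot: `cryptography==40.0.2` is below every fixed version listed by the Trivy findings on this pin (41.0.2, 41.0.6, 42.0.0, 42.0.2, 42.0.4), so only 42.0.4 or later clears all five. Raise the pin and regenerate the file so the `--hash=` lines match the new release, or record in the PR what holds the pin at 40.0.2.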

Check warning

Code scanning / Trivy

openssl: denial of service via null dereference Medium

Package: cryptography
Installed Version: 40.0.2
Vulnerability CVE-2024-0727
Severity: MEDIUM
Fixed Version: 42.0.2
Link: CVE-2024-0727
--hash=sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d \
--hash=sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f
# via -r requirements.in
requests==2.27.1 \

Check warning

Code scanning / Trivy

python-requests: Unintended leak of Proxy-Authorization header Medium

Package: requests
Installed Version: 2.27.1
Vulnerability CVE-2023-32681
Severity: MEDIUM
Fixed Version: 2.31.0
Link: CVE-2023-32681
--hash=sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d \
--hash=sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f
# via -r requirements.in
requests==2.27.1 \

Check warning

Code scanning / Trivy

requests: subsequent requests to the same host ignore cert verification Medium

Package: requests
Installed Version: 2.27.1
Vulnerability CVE-2024-35195
Severity: MEDIUM
Fixed Version: 2.32.0
Link: CVE-2024-35195
# via
# importlib-metadata
# jira
urllib3==1.26.18 \
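
Review bot: `urllib3==1.26.18` is one patch release short of 1.26.19, which the Trivy finding on this line gives as the fix for CVE-2024-37891 within the same 1.26 series. Bump the pin to 1.26.19 and regenerate its `--hash=` lines in the same change.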

Check warning

Code scanning / Trivy

urllib3: proxy-authorization request header is not stripped during cross-origin redirects Medium

Package: urllib3
Installed Version: 1.26.18
Vulnerability CVE-2024-37891
Severity: MEDIUM
Fixed Version: 1.26.19, 2.2.2
Link: CVE-2024-37891
--hash=sha256:34b97092d7e0a3a8cf7cd10e386f401b3737364026c45e622aa02903dffe0f07 \
--hash=sha256:f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0
# via requests
wheel==0.37.1 \

Check failure

Code scanning / Trivy

python-wheel: remote attackers can cause denial of service via attacker controlled input to wheel cli High

Package: wheel
Installed Version: 0.37.1
Vulnerability CVE-2022-40898
Severity: HIGH
Fixed Version: 0.38.1
Link: CVE-2022-40898
--hash=sha256:4bdcd7d840138086126cd09254dc6195fb4fc6f01c050a1d7236f2630db1d22a \
--hash=sha256:e9a504e793efbca1b8e0e9cb979a249cf4a0a7b5b8c9e8b65a5e39d49529c1c4
# via -r requirements.in
zipp==3.6.0 \

Check warning

Code scanning / Trivy

github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip file in jaraco/zipp Medium

Package: zipp
Installed Version: 3.6.0
Vulnerability CVE-2024-5569
Severity: MEDIUM
Fixed Version: 3.19.1
Link: CVE-2024-5569

github-actions bot commented Dec 3, 2024

Ticket title is 'Add GHA testing for GCP'
Status is 'In Progress'
https://daosio.atlassian.net/browse/DAOS-16846

@mlawsonca mlawsonca changed the title Add in client and server images + testing DAOS-16846 test: Add in client and server images + testing Dec 3, 2024
@mlawsonca mlawsonca changed the title DAOS-16846 test: Add in client and server images + testing DAOS-16846 test: Add in GCP client and server images and GHA testing Dec 3, 2024
@mlawsonca mlawsonca force-pushed the mlawsonca/gcp_builds branch 2 times, most recently from 032e89f to 7764ff9 Compare December 3, 2024 22:19
Run-GHA: true

Required-githooks: true

Signed-off-by: Margaret Lawson <[email protected]>
@mlawsonca mlawsonca force-pushed the mlawsonca/gcp_builds branch from 7764ff9 to 3cd28c7 Compare December 3, 2024 22:24