USHIFT-6920: feat: add crypto_scan auto-rebase for cbom generation#7051
USHIFT-6920: feat: add crypto_scan auto-rebase for cbom generation#7051fracappa wants to merge 1 commit into
Conversation
|
@fracappa: This pull request references USHIFT-6920 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: fracappa The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughThe PR adds an optional rebase-job crypto scan that stages selected MicroShift sources, runs a containerized scanner, generates CBOM and SPDX 2.3 JSON artifacts, and commits changed outputs. ChangesCryptographic artifact workflow
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant RebaseJob
participant CryptoScan
participant Podman
participant CryptoScanner
participant JQ
participant Git
RebaseJob->>CryptoScan: Run when CRYPTO_SCAN=true
CryptoScan->>Podman: Pull scanner image
CryptoScan->>CryptoScanner: Scan staged source trees
CryptoScanner-->>CryptoScan: Write CBOM JSON
CryptoScan->>JQ: Convert CBOM to SPDX 2.3
JQ-->>CryptoScan: Write SPDX JSON
RebaseJob->>Git: Stage and commit changed artifacts
Suggested reviewers: Caution Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error)
✅ Passed checks (14 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 38: In scripts/auto-rebase/crypto_scan.sh, replace the CBOM status
command substitution at lines 38-38 with separate echo and ls commands, then
apply the same change to the SPDX status output at lines 79-79: echo the
generated-file label first and run ls -lh on the corresponding output variable
separately so failures propagate.
- Line 25: Update the EXIT trap command in crypto_scan.sh to preserve quoting
around SCAN_DIR when the deferred cleanup runs, ensuring rm -rf handles paths
containing spaces safely.
- Around line 1-5: Update the script header to use the /usr/bin/bash shebang,
remove the shellcheck disable directive, and consolidate the separate errexit,
nounset, and pipefail settings into a single set -euo pipefail command.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: a283846f-6ebb-4d10-89eb-1fb49d0e47df
📒 Files selected for processing (2)
scripts/auto-rebase/crypto_scan.shscripts/auto-rebase/rebase_job_entrypoint.sh
711e3fe to
494416a
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
scripts/auto-rebase/crypto_scan.sh (1)
42-42: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick winAvoid swallowed errors in command substitutions.
Both lines use command substitutions that mask failures because
errexitis not inherited by default. Based on learnings, restructure to avoid the substitution so errors are caught.
scripts/auto-rebase/crypto_scan.sh#L42-L42: Replace withecho "CBOM generated:"followed byls -lh "${CBOM_OUTPUT}"on a new line.scripts/auto-rebase/crypto_scan.sh#L83-L83: Replace withecho "SPDX generated:"followed byls -lh "${SPDX_OUTPUT}"on a new line.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@scripts/auto-rebase/crypto_scan.sh` at line 42, In scripts/auto-rebase/crypto_scan.sh at lines 42-42 and 83-83, remove the ls command substitutions from the CBOM and SPDX status messages. In the CBOM generation flow, print “CBOM generated:” first, then run ls -lh against CBOM_OUTPUT on the next line; similarly, print “SPDX generated:” first, then run ls -lh against SPDX_OUTPUT on the next line so failures propagate.Source: Learnings
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 12: Update the EXIT trap command to use single quotes around the trap
body and double-quote IMAGE_DIR, SCANNER_DIR, and SCAN_DIR within it, preventing
early expansion and safely handling paths containing spaces.
---
Duplicate comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 42: In scripts/auto-rebase/crypto_scan.sh at lines 42-42 and 83-83,
remove the ls command substitutions from the CBOM and SPDX status messages. In
the CBOM generation flow, print “CBOM generated:” first, then run ls -lh against
CBOM_OUTPUT on the next line; similarly, print “SPDX generated:” first, then run
ls -lh against SPDX_OUTPUT on the next line so failures propagate.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 5676ec02-b50f-4b9c-b3e5-1c493893d6e2
📒 Files selected for processing (1)
scripts/auto-rebase/crypto_scan.sh
d4b1e1d to
494416a
Compare
| "${SCANNER_IMAGE}" \ | ||
| /workspace > "${CBOM_OUTPUT}" | ||
|
|
||
| echo "CBOM generated: $(ls -lh "${CBOM_OUTPUT}")" |
There was a problem hiding this comment.
need some err handling if the scan fails
There was a problem hiding this comment.
@eslutsky thanks!
I added it, just let me know if any other change is required
|
|
||
| SCANNER_IMAGE="images.paas.redhat.com/exd-sp-guild-security/rh-crypto-scanner-image:latest" | ||
| REPOROOT="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/../..")" | ||
| CBOM_OUTPUT="${REPOROOT}/cbom-microshift.json" |
There was a problem hiding this comment.
do we want to commit it to the root ?
There was a problem hiding this comment.
I spoke with @pacevedom and we agreed to push it on the root directory, but feel free to provide any suggestion if you believe there could be better places
5b39562 to
b35283f
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/auto-rebase/crypto_scan.sh`:
- Line 25: Update the EXIT trap in crypto_scan.sh to quote the SCAN_DIR
expansion when removing the directory, ensuring paths containing spaces are
handled safely.
- Line 2: Update the shell options declaration at the start of crypto_scan.sh to
enable errexit by using set -euo pipefail, preserving the existing nounset and
pipefail behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: e1125759-c7f9-4cf4-af27-d44b3e1a0791
📒 Files selected for processing (2)
scripts/auto-rebase/crypto_scan.shscripts/auto-rebase/rebase_job_entrypoint.sh
🚧 Files skipped from review as they are similar to previous changes (1)
- scripts/auto-rebase/rebase_job_entrypoint.sh
added auto-rebase crypto_scan.sh script for cbom generation. This script uses crypto-scanner-iamge to generate a CycloneDX document. It also provides a SPDX one, by implementing the mapping suggested by the prod sec team.
76b6dbf to
4016fc6
Compare
|
/retest-required |
|
@fracappa: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
added auto-rebase crypto_scan.sh script for cbom generation. This script uses crypto-scanner-iamge to generate a CycloneDX document. It also provides a SPDX one, by implementing the mapping suggested by the prod sec team.
Summary by CodeRabbit