UNCLASSIFIED - NO CUI

Currently supported Big Bang Version is 2.27.0

Jared Ladner requested to merge 372-docker-builds-are-not-able-to-provide-a-tag-version into master May 01, 2024

General MR

Issue: changes to a docker file could not specify a new version/tag

Cause: the version/tag was defined in the master branch of the pipeline-templates.

Summary

Use a Manifest file (similar to IB approach) to gather tag versions and other info to be used when building the image.
Other changes to trivy scanning:
- use of an ignore file
- do not use ignore file on full reports
- copy reports as artifacts
Fixed Build Args being passed --build-arg $VAR=value is incorrect. The correct syntax is --build-arg=$VAR=value
Security Vulns were reduced for bb-ci, terraform and cypress but some still remain.

Relevant logs/screenshots

Working pipeline for only 1 image:

https://repo1.dso.mil/big-bang/pipeline-templates/package-validation/-/pipelines/3283433
Scan stage has artifacts
The HTML reports ALL CVEs
The ignore file allows the gates to pass without warning when:
- no FIXABLE High or Critical CVEs found that are Not in the ignore list (or with expiration time of ignore list)

Linked Issue

Closes #372

Upgrade Notices

N/A

Edited May 17, 2024 by Jared Ladner

UNCLASSIFIED - NO CUI