Long-Standing Pipeline Failure + New Anchore Timeout
Summary
The pipeline for NiFi AIML hasn't worked in 9-10 months, as far as I can tell. Our team would like to update this image to 1.24, and so I planned to contribute to this project. The pipeline has failed on "scan-logic" when attempting to verify cosign for quite a while. I have a branch, ae-1899, that gets a bit further. I suspect the issue might be the underlying NiFi container image since all I did was update NiFi from 1.20 to 1.24. My branch still fails later during the Anchore scan. The logs indicate it is timing out, but I think that might be a red herring and there's something else going on. I don't believe I have the necessary access to investigate further.
Additionally, I noticed the timeout passed to the Anchore CLI is 7200 seconds (two hours). I think the project CI/CD settings, however, enforce a timeout of half that (one hour). I don't think this is necessarily significant - just an observation.
Link to failed pipeline
- My branch (ae-1899): https://repo1.dso.mil/dsop/aiml/apache/nifi/-/pipelines/2737592
- Most recent run for development branch: https://repo1.dso.mil/dsop/aiml/apache/nifi/-/pipelines/2757725
What is the current bug behavior?
- For development, it seems the "scan-logic" job can't verify cosign.
- For my branch ae-1899, the Anchore scan fails. Logs indicate a timeout, but that might be hiding the true problem.
What is the expected correct behavior?
The pipeline succeeds for both the development branch and my branch ae-1899 that merely updates NiFi from 1.20 to 1.24.
Possible fixes
If we could determine why Anchore is actually failing, the newer 1.24 image may work just fine. In which case, the problem might disappear once my branch is merged with development. This assumes the scans of 1.24 do not indicate unacceptable security concerns, of course.
Tasks
- Pipeline failure has been resolved
Please read the Iron Bank Documentation for more info