Draft: Add manifest-cyber-upload job
Description
Addresses Issue #2090
Added new manifest-cyber-upload job to the 4-findings stage.
This job takes the CycloneDX SBOM output by the anchore-scan job and uploads it to Manifest Cyber for analysis. The job outputs a vulnerability report in a VAT-compatible format.
New CI/CD vars:
ENABLE_MANIFEST_CYBER - toggle for the job
MANIFEST_CYBER_TOKEN - API token for interacting with Manifest Cyber.
Multiple Manifest Cyber API routes are used to retrieve all data for a particular vulnerability. This can probably be refactored once Manifest Cyber releases the /dependency/stackByVulnerability?assetId=your-asset-id&cveId=all endpoint (it's currently in pre-release and unavailable to the public).
Sample Manifest Cyber Vulnerability report (VAT-like format)
Risk
Minimal risk. The manifest-cyber-upload job is allowed to fail in the pipeline and only runs when enabled by ENABLE_MANIFEST_CYBER.
Rollback Plan
Disable the manifest-cyber-upload job by setting the ENABLE_MANIFEST_CYBER env var to an empty string.
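As an added illustration of the gating, allow-failure and rollback behaviour described above (not the MR's own .gitlab-ci.yml), this is how such a job could be wired up; the SBOM artifact path, the runner image and the manifest-cyber-upload.py helper are assumptions, not names from the MR:

```yaml
# Added example, not the MR's own job definition. Assumptions (hypothetical):
# anchore-scan publishes the CycloneDX SBOM as an artifact at SBOM_PATH, and
# manifest-cyber-upload.py reads MANIFEST_CYBER_TOKEN from the environment,
# uploads the SBOM and writes the VAT-compatible report to REPORT_PATH.
manifest-cyber-upload:
  stage: 4-findings
  image: python:3.12-slim                 # hypothetical runner image
  # Consume the SBOM artifact from anchore-scan directly instead of waiting
  # for every job in the earlier stage to finish.
  needs:
    - job: anchore-scan
      artifacts: true
  # `if: $VAR` is true only when the variable is defined AND non-empty, so
  # setting ENABLE_MANIFEST_CYBER to "" (the rollback plan) skips the job.
  rules:
    - if: $ENABLE_MANIFEST_CYBER
    - when: never
  # An upload or API failure must never block the rest of the pipeline.
  allow_failure: true
  variables:
    SBOM_PATH: "anchore-sbom.cdx.json"      # hypothetical artifact path
    REPORT_PATH: "manifest-cyber-vat.json"  # hypothetical report path
  script:
    # Fail early with a clear message; check presence only, never print the token.
    - test -n "$MANIFEST_CYBER_TOKEN" || { echo "MANIFEST_CYBER_TOKEN is not set"; exit 1; }
    - test -s "$SBOM_PATH" || { echo "SBOM artifact missing: $SBOM_PATH"; exit 1; }
    - python3 manifest-cyber-upload.py --sbom "$SBOM_PATH" --out "$REPORT_PATH"
  artifacts:
    when: always            # keep a partial report for debugging even on failure
    paths:
      - $REPORT_PATH
    expire_in: 1 week
```

Because the token is only ever read from the environment and the job is `allow_failure: true`, a missing or revoked MANIFEST_CYBER_TOKEN shows up as a warning in the pipeline rather than a blocked release.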
Testing
Mario UBI 9
Mario FluentBit
Mario Alpine Linux
Mario Ubuntu
Mario Distroless
Mario Java-21
Mario Debian 12.x
Mario UBI 8
Mario SUSE
Mario Pipeline-Runner-Alpine