diff --git a/scripts/hardening_manifest_yaml/generate.py b/scripts/hardening_manifest_yaml/generate.py
index 8baa429e0f395bc444c088099d93f1c9395626d2..43256fc8b92c7678ee2468015b294fb4f92e98dd 100644
--- a/scripts/hardening_manifest_yaml/generate.py
+++ b/scripts/hardening_manifest_yaml/generate.py
@@ -22,6 +22,7 @@ def _fetch_file(url, file, branch="development"):
 Grabs a raw file from gitlab.
 """
+ assert "/" not in branch
 url = f"{url}/-/raw/{branch}/{file}"
 logger.debug(url)
diff --git a/stages/check-cves/pipeline_wl_compare.py b/stages/check-cves/pipeline_wl_compare.py
index bfa2e8680e5f30f100a0eb3df251945930956294..1835ae5486006cbe098f593ad9b960267ae03ed7 100644
--- a/stages/check-cves/pipeline_wl_compare.py
+++ b/stages/check-cves/pipeline_wl_compare.py
@@ -30,6 +30,10 @@ from scanners import anchore
 from scanners import twistlock
 import swagger_to_jsonschema
+# add global var for api failures.
+# TODO: Remove api_exit_code when converting to using the api instead of the query
+api_exit_code = 0
+
 def _connect_to_db():
 """
@@ -139,7 +143,8 @@ def _pipeline_whitelist_compare(image_name, hardening_manifest, lint=False):
 whitelist_branch=wl_branch,
 hardening_manifest=hardening_manifest,
 )
- sys.exit(0)
+ logging.info(api_exit_code)
+ sys.exit(api_exit_code)
 artifacts_path = os.environ["ARTIFACT_STORAGE"]
@@ -310,11 +315,15 @@ def _get_greylist_file_contents(image_path, branch):
 def _vat_findings_query(im_name, im_version):
 logging.info("Running query to vat api")
- url = f"{os.environ['VAT_BACKEND_SERVER_ADDRESS']}/internal/container?name={im_name}&tag={im_version}"
- logging.info(f"GET {url}")
 try:
- r = requests.get(url)
+ r = requests.get(
+ f"{os.environ['VAT_BACKEND_SERVER_ADDRESS']}/internal/container",
+ params={
+ "name": im_name,
+ "tag": im_version,
+ },
+ )
 except requests.exceptions.RequestException as e:
 logging.warning(f"Could not access VAT API: {url}")
 logging.warning(e)
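Review bot: In `_fetch_file` (scripts/hardening_manifest_yaml/generate.py), the added `assert "/" not in branch` does input validation with `assert`, which Python strips when run with `-O`, so the guard can silently disappear. Raise explicitly instead, e.g. `if "/" in branch: raise ValueError(f"invalid branch name: {branch!r}")`. The check also covers only `/`: other URL-significant characters in `branch` would still change how the raw-file URL is parsed, so an allowlist pattern for branch names or `urllib.parse.quote(branch, safe="")` would be a tighter guard. The function body continues outside the hunk.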
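Review bot: In `_vat_findings_query` (stages/check-cves/pipeline_wl_compare.py), the hunk deletes the local `url`, but the `except requests.exceptions.RequestException` handler still formats `{url}` in `logging.warning(f"Could not access VAT API: {url}")`; unless a module-level `url` exists outside this hunk, a connection failure now raises `NameError` instead of being logged. Keep the endpoint in a local, e.g. `vat_url = f"{os.environ['VAT_BACKEND_SERVER_ADDRESS']}/internal/container"`, pass it to `requests.get(vat_url, params=...)` and log `vat_url` in the handler. The call also sets no `timeout=`, so an unresponsive VAT backend can stall the job indefinitely; a bounded value chosen by the team would avoid that. The function continues outside the hunk.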
@@ -353,7 +362,8 @@ def _vat_findings_query(im_name, im_version):
 logging.warning(f"Unknown response from VAT {r.status_code}")
 logging.warning(r.text)
 logging.error("Failing the pipeline, please contact the administrators")
- sys.exit(1)
+ global api_exit_code
+ api_exit_code = 3
 def _vat_approval_query(im_name, im_version):
@@ -390,6 +400,7 @@ def _vat_approval_query(im_name, im_version):
 result = cursor.fetchall()
 except Error as error:
 logging.info(error)
+ sys.exit(1)
 finally:
 if conn is not None and conn.is_connected():
 conn.close()
@@ -437,6 +448,7 @@ def _vat_vuln_query(im_name, im_version):
 result = cursor.fetchall()
 except Error as error:
 logging.info(error)
+ sys.exit(1)
 finally:
 if conn is not None and conn.is_connected():
 conn.close()
diff --git a/stages/csv-output/pipeline_csv_gen.py b/stages/csv-output/pipeline_csv_gen.py
index a61a38e2ce796711e937c6d5766314d9a2cff9f7..836d6e3f1432da9d3359c23785253745089639c9 100644
--- a/stages/csv-output/pipeline_csv_gen.py
+++ b/stages/csv-output/pipeline_csv_gen.py
@@ -346,6 +346,7 @@ def _vat_vuln_query(im_name, im_version):
 result = cursor.fetchall()
 except Error as error:
 logging.info(error)
+ sys.exit(1)
 finally:
 if conn is not None and conn.is_connected():
 conn.close()
diff --git a/stages/lint/base.yaml b/stages/lint/base.yaml
index 019930113e708974dce8e4ea0beadb9df62e44e1..b4846cab7eeb6e456b26be38a36a170e066ad87c 100644
--- a/stages/lint/base.yaml
+++ b/stages/lint/base.yaml
@@ -62,7 +62,10 @@ wl compare lint:
 - export PROJ_PATH
 - pip3 install jsonschema
 - 'mkdir -p "${ARTIFACT_DIR}"'
+ - set +e
 - 'python3 "${PIPELINE_REPO_DIR}/stages/check-cves/pipeline_wl_compare.py" --lint'
+ allow_failure:
+ exit_codes: 3
 artifacts:
 paths:
 - "${ARTIFACT_DIR}/"
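Review bot: In the unknown-response branch of `_vat_findings_query`, replacing `sys.exit(1)` with `api_exit_code = 3` lets the function fall through and, as far as the hunk shows, return `None` implicitly, while the log line above still says "Failing the pipeline". Combined with `allow_failure: exit_codes: 3` in stages/lint/base.yaml, an unexpected VAT response now appears to give a job that passes with a warning, so the findings check fails open. If that is intended, say so with a comment such as `# Unknown VAT response: record exit code 3 (allowed failure); caller receives None`, and add an explicit `return None` so the contract is visible to callers. The `global api_exit_code` declaration is conventionally placed at the top of the function rather than inside the branch. The function starts outside the hunk.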
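Review bot: In the `except Error as error:` handlers of `_vat_approval_query` and `_vat_vuln_query` (and the identical handler in stages/csv-output/pipeline_csv_gen.py), the database error that now terminates the job is still reported with `logging.info(error)`, so the cause is hidden whenever the log level is above INFO. Log it at error level before exiting, e.g. `logging.error(error)` or `logging.exception("VAT database query failed")`. The `finally` block still runs on `SystemExit`, so the connection is closed as before. These functions start and end outside the hunks.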
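Review bot: In the `wl compare lint` script (stages/lint/base.yaml), `- set +e` turns off fail-fast for every command after it, not only the Python call. The Python call is the last script line in this hunk, but any command appended later would mask a failure and replace the exit status that `allow_failure: exit_codes: 3` depends on. If the flag is only there to let exit code 3 through, it looks unnecessary, since the script's final command already determines the job status; that is worth confirming and then dropping the line. Otherwise document it with a comment such as `# set +e: let pipeline_wl_compare.py return 3 as an allowed failure; keep it the last command`.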