diff --git a/k8s/scripts/inspect.sh b/k8s/scripts/inspect.sh
index ed617301a..2e5a168bb 100755
--- a/k8s/scripts/inspect.sh
+++ b/k8s/scripts/inspect.sh
@@ -7,18 +7,24 @@
 # elevated permissions (sudo).
 #
 # Usage:
-# ./inspect.sh [output_file]
+# ./inspect.sh [output_file] [--all-namespaces]
 #
 # Arguments:
-# output_file (Optional) The full path and filename for the generated tarball.
-# If not provided, a default filename based on the current date
-# and time will be used.
+# output_file (Optional) The full path and filename for the generated tarball.
+# If not provided, a default filename based on the current date
+# and time will be used.
+# --all-namespaces (Optional) Acquire detailed debugging information, including logs
+# from all Kubernetes namespaces.
 #
 # Example:
 # ./inspect.sh /path/to/output.tar.gz
 # ./inspect.sh # This will generate a tarball with a default name.
+# ./inspect.sh --all-namespaces # Obtain logs from all k8s namespaces.
 
 INSPECT_DUMP=$(pwd)/inspection-report
+# We won't fetch all namespaces by default to avoid logging potentially sensitive
+# user data.
+ALL_NAMESPACES=0
 
 function log_success {
 printf -- '\033[32m SUCCESS: \033[0m %s\n' "$1"
@@ -54,8 +60,11 @@ function collect_args {
 
 function collect_cluster_info {
 log_info "Copy k8s cluster-info dump to the final report tarball"
- # TODO: add a verbose mode that collects logs from all namespaces (--all-namespaces).
- k8s kubectl cluster-info dump --output-directory "$INSPECT_DUMP/cluster-info" &>/dev/null
+ local FLAGS=""
+ if [[ "$ALL_NAMESPACES" == "1" ]]; then
+ FLAGS="--all-namespaces"
+ fi
+ k8s kubectl cluster-info dump $FLAGS --output-directory "$INSPECT_DUMP/cluster-info" &>/dev/null
 }
 
 function collect_sbom {
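Review bot: The new `--all-namespaces` entry under Arguments does not carry the caveat that the comment above `ALL_NAMESPACES=0` gives — that logs from every namespace may include sensitive user data — so an operator who reads only the usage text gets no hint that the report they are about to hand over may need a look first. Suggest extending the help line: `#   --all-namespaces  (Optional) Also collect logs from all Kubernetes namespaces. These may contain sensitive workload data; review the report before sharing it.` The new example line could carry the same short caveat.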
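Review bot: `$FLAGS` in the `k8s kubectl cluster-info dump` call in `collect_cluster_info` must stay unquoted so the empty default vanishes, which is exactly the pattern shellcheck flags as SC2086 and a later reader may "fix" by quoting, silently passing an empty argument to kubectl. A bash array states the intent without that trap: `local FLAGS=()`, `FLAGS+=("--all-namespaces")` inside the `if`, and `k8s kubectl cluster-info dump "${FLAGS[@]}" --output-directory "$INSPECT_DUMP/cluster-info" &>/dev/null`. The dump's exit status is neither checked nor logged on that line (the redirect predates this change), so a failed or partial all-namespaces dump goes unnoticed; a `log_info` on failure would be cheap now that the flag can make the dump considerably larger.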
@@ -200,6 +209,25 @@ if [ "$EUID" -ne 0 ]; then
 exit 1
 fi
 
+POSITIONAL_ARGS=()
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ --all-namespaces)
+ ALL_NAMESPACES=1
+ shift
+ ;;
+ -*|--*)
+ echo "Unknown argument: $1"
+ exit 1
+ ;;
+ *)
+ POSITIONAL_ARGS+=("$1")
+ shift
+ ;;
+ esac
+done
+set -- "${POSITIONAL_ARGS[@]}"
+
 rm -rf "$INSPECT_DUMP"
 mkdir -p "$INSPECT_DUMP"
 
diff --git a/tests/integration/tests/conftest.py b/tests/integration/tests/conftest.py
index 03c5d8739..bc0211b9d 100644
--- a/tests/integration/tests/conftest.py
+++ b/tests/integration/tests/conftest.py
@@ -54,7 +54,11 @@ def _generate_inspection_report(h: harness.Harness, instance_id: str):
 inspection_path = Path(config.INSPECTION_REPORTS_DIR)
 result = h.exec(
 instance_id,
- ["/snap/k8s/current/k8s/scripts/inspect.sh", "/inspection-report.tar.gz"],
+ [
+ "/snap/k8s/current/k8s/scripts/inspect.sh",
+ "--all-namespaces",
+ "/inspection-report.tar.gz",
+ ],
 capture_output=True,
 text=True,
 check=False,
diff --git a/tests/tics-scan.sh b/tests/tics-scan.sh
new file mode 100755
index 000000000..2791824f3
--- /dev/null
+++ b/tests/tics-scan.sh
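Review bot: In the `case` added ahead of `rm -rf "$INSPECT_DUMP"`, the `-*|--*)` pattern's second alternative can never fire (`-*` already matches anything starting with `--`; shellcheck SC2221/SC2222), and the rejection message is written to stdout rather than stderr, so a caller that captures output sees it mixed with the script's normal output. Suggest `-*)` with `echo "Unknown argument: $1" >&2`, plus a `--)` case (`shift; POSITIONAL_ARGS+=("$@"); break`) so an output path that happens to begin with `-` can still be passed. If the script runs under `set -u` on a bash older than 4.4, `set -- "${POSITIONAL_ARGS[@]}"` errors on an empty array; the script's `set` options are not visible from this hunk. The top-level code continues on both sides of the hunk.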
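Review bot: The harness now invokes `inspect.sh` with `--all-namespaces`, which the script's own header says is off by default to avoid capturing potentially sensitive user data, and the resulting tarball is kept under `config.INSPECTION_REPORTS_DIR`. A one-line comment above the argument list would record why that is acceptable here, e.g. `# --all-namespaces: integration clusters carry no user workloads, so the fuller dump is safe to archive.` — presumably true for these test instances, but worth confirming before it is written down. `_generate_inspection_report` starts in the hunk header context and continues past the hunk.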
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$(realpath $(dirname "$BASH_SOURCE"))
+
+set -ex
+cd "${SCRIPT_DIR}/.."
+
+sudo apt-get update
+sudo apt-get install -y python3-venv
+python3 -m venv .venv/tics
+source .venv/tics/bin/activate
+
+# Install python dependencies
+pip install -r tests/integration/requirements-test.txt
+pip install -r tests/integration/requirements-dev.txt
+
+cd src/k8s
+
+# TICS requires us to have the test results in cobertura xml format under the
+# directory use below
+sudo make go.unit
+go install github.com/boumenot/gocover-cobertura@latest
+gocover-cobertura < coverage.txt > coverage.xml
+mkdir -p .coverage
+mv ./coverage.xml ./.coverage/
+
+# Install the TICS and staticcheck
+go install honnef.co/go/tools/cmd/staticcheck@v0.5.1
+. <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
+
+# We need to have our project built
+# We load the dqlite libs here instead of doing through make because TICS
+# will try to build parts of the project itself
+sudo add-apt-repository -y ppa:dqlite/dev
+sudo apt-get install -y dqlite-tools-v2 libdqlite1.17-dev
+sudo make clean
+go build -a ./...
+
+TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir $SCRIPT_DIR/..
diff --git a/tests/trivy-scan.sh b/tests/trivy-scan.sh
new file mode 100755
index 000000000..ad9b37517
--- /dev/null
+++ b/tests/trivy-scan.sh
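Review bot: `. <(curl --silent --show-error '...installtics/Script...')` sources whatever the TICS endpoint returns straight into the shell with no version pin and no integrity check, and because it is a process substitution, `set -e` does not abort when curl fails — an empty or error body is sourced silently and the job only dies later at `TICSQServer`. Fetch to a file with `--fail` and source that, e.g. `tics_install=$(mktemp)`, `curl --fail --silent --show-error -o "$tics_install" '<installer URL from this file>'`, `. "$tics_install"`, and add a digest comparison against a recorded known-good copy once one exists. `go install github.com/boumenot/gocover-cobertura@latest` is likewise unpinned while staticcheck is pinned at v0.5.1; pin it the same way so scan results are reproducible. `$SCRIPT_DIR/..` on the last line is unquoted, unlike the `cd "${SCRIPT_DIR}/.."` near the top.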
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$(realpath $(dirname "$BASH_SOURCE"))
+
+set -ex
+cd "${SCRIPT_DIR}/.."
+
+SNAP_PATH="$1"
+if [[ ! -f $SNAP_PATH ]]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+# Setup Trivy vulnerability scanner
+mkdir -p manual-trivy/sarifs
+pushd manual-trivy
+VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
+wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
+tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
+popd
+
+# Run Trivy vulnerability scanner in repo mode
+./manual-trivy/trivy fs . \
+ --format sarif \
+ --db-repository public.ecr.aws/aquasecurity/trivy-db \
+ --severity "MEDIUM,HIGH,CRITICAL" \
+ --ignore-unfixed \
+ > ./manual-trivy/sarifs/trivy-k8s-repo-scan--results.sarif
+
+for var in $(env | grep -o '^TRIVY_[^=]*'); do
+ unset "$var"
+done
+cp "${SNAP_PATH}" ./k8s-test.snap
+rm -rf ./squashfs-root
+unsquashfs k8s-test.snap
+./manual-trivy/trivy rootfs ./squashfs-root/ \
+ --format sarif \
+ --db-repository public.ecr.aws/aquasecurity/trivy-db \
+ > ./manual-trivy/sarifs/snap.sarif
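Review bot: The scanner binary is resolved from `releases/latest` at run time and the tarball fetched by `wget` is extracted and executed with no integrity check, so scan results are not reproducible and the job trusts whatever the download endpoint serves that day. Pin the release and verify the archive against the checksums file Trivy publishes alongside it before extracting, as below; `VER` is also derived by `awk` from a redirect header and becomes an empty string on any format change, producing a malformed URL. Two smaller points: the `for var in $(env | grep -o '^TRIVY_[^=]*')` loop deserves a comment saying why the `TRIVY_*` environment is cleared before the rootfs scan (presumably so CI settings for the repo scan do not leak into it — confirm), and the rootfs scan omits the `--severity` and `--ignore-unfixed` filters the repo scan uses, which may be intentional but reads as an inconsistency. The `Usage:` message names no argument as shown; if a `<snap_path>` placeholder was lost to markup, keep it.
```shell
# … unchanged: SCRIPT_DIR / SNAP_PATH check, mkdir, pushd …
# Pin the scanner rather than resolving "latest" at run time, and verify the
# archive against the checksums Trivy publishes before executing anything from it.
VER="<pinned trivy release tag, e.g. vX.Y.Z>"   # placeholder: record a known-good tag
wget "https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz"
wget "https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_checksums.txt"
sha256sum --check --ignore-missing "trivy_${VER#v}_checksums.txt"
tar -zxvf "./trivy_${VER#v}_Linux-64bit.tar.gz"
# … unchanged: popd, repo-mode scan, TRIVY_* cleanup, rootfs scan …
```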