Adding Anchore CI check (#77)

denismakogon · web-flow · commit da2184f05fa3 · 2019-05-30T15:01:16.000+03:00
* Adding Snyk CI check

* Install NodeJS with sudo

* Fix nodejs install script

* Fix CI build script

* Enable 3.7.1 snyk check

* Make 3.7.1 dev and runtime images safe

* Make 3.6 dev and runtime images safe

* some fixes

 - moving CI config file into .circleci
 - adding image release script
 - fixing 3.7.1 snyk checks

* add missing fi

* add dev images to release script

* Fix after rebase

* Simplify dockerfiles

 - almost all CWEs and CVEs going away with just "apt-get upgrade"

* hide snyk token

* get rid of snyk in favour of anchore

* retrigger ci workflow

* adding orb ref

* adding policy bundle for anchore

* attempting to fix anchore orb bug

* Make config actually work

* Adjust CI config

* Split dev and runtime check jobs

  This change is related to recently discovered bug in ci-tools of Anchore.
  Therefore, had to define 1 job per image build + check

* add missing bundle reference

* add missing bundle reference

* testing new Anchore CI orb 1.3.0 features

* adding bash install

* add remote docker job

* make image checks scheduled

* run scheduled job on master branch only

* split fdk job in two: test and deploy
diff --git a/.circleci/.anchore/policy_bundle.json b/.circleci/.anchore/policy_bundle.json
@@ -0,0 +1,33 @@
+{
+  "id": "default0",
+  "version": "1_0",
+  "name": "My Default bundle",
+  "comment": "My system's default bundle",
+  "whitelisted_images": [],
+  "blacklisted_images": [],
+  "mappings": [],
+  "whitelists": [],
+  "policies": [
+    {
+      "name": "IgnoreUnfixablePkgs",
+      "version": "1_0",
+      "comment": "Policy for basic checks",
+      "id": "ba6daa06-da3b-46d3-9e22-f01f07b0489a",
+      "rules": [
+        {
+          "action": "STOP",
+          "gate": "vulnerabilities",
+          "id": "80569900-d6b3-4391-b2a0-bf34cf6d813d",
+          "params": [
+            { "name": "package_type", "value": "all" },
+            { "name": "severity_comparison", "value": ">=" },
+            { "name": "severity", "value": "medium" },
+            { "name": "fix_available", "value": "true"}
+          ],
+          "trigger": "package"
+        }
+      ]
+    }
+
+  ]
+}
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -0,0 +1,112 @@
+version: 2.1
+orbs:
+  anchore: anchore/anchore-engine@1.3.0
+jobs:
+  "test":
+    docker:
+      - image: circleci/python:3.7.0
+    working_directory: ~/fdk-python
+    steps:
+      - checkout
+      - restore_cache:
+          key: deps1-{{ .Branch }}-{{ checksum "requirements.txt" }}
+      - setup_remote_docker:
+          docker_layer_caching: true
+      - run:
+          command: |
+            python3 -m venv venv
+            . venv/bin/activate
+            pip install tox
+            pip install -r requirements.txt
+      - run: docker version
+      - run: docker pull fnproject/fnserver
+      - save_cache:
+          key: deps1-{{ .Branch }}-{{ checksum "requirements.txt" }}
+          paths:
+            - "venv"
+      - run:
+          command: |
+            . venv/bin/activate
+            tox -epep8
+      - run:
+          command: |
+            . venv/bin/activate
+            tox -epy3.7
+  "deploy":
+    docker:
+      - image: circleci/python:3.7.0
+    working_directory: ~/fdk-python
+    steps:
+      - checkout
+      - restore_cache:
+          key: deps1-{{ .Branch }}-{{ checksum "requirements.txt" }}
+      - setup_remote_docker:
+          docker_layer_caching: true
+      - deploy:
+        # TODO(denismakogon): add pypi release here as well
+          command: |
+            if [[ "${CIRCLE_BRANCH}" == "master" && -z "${CIRCLE_PR_REPONAME}" ]]; then
+              printenv DOCKER_PASS | docker login -u $DOCKER_USER --password-stdin
+              ./build-images.sh 3.6
+              ./build-images.sh 3.7.1
+              ./release_images.sh
+            fi
+
+  "python36_security_check":
+    executor: anchore/anchore_engine
+    working_directory: ~/fdk-python
+    steps:
+      - setup_remote_docker:
+          docker_layer_caching: true
+      - checkout
+      - run:
+          name: Python 3.6 build
+          command: |
+            apk add bash
+            ./build-images.sh 3.6
+      - anchore/analyze_local_image:
+          image_name: "fnproject/python:3.6-dev fnproject/python:3.6"
+          timeout: '500'
+          policy_failure: true
+          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
+      - anchore/parse_reports
+
+  "python371_security_check":
+    executor: anchore/anchore_engine
+    working_directory: ~/fdk-python
+    steps:
+      - setup_remote_docker:
+          docker_layer_caching: true
+      - checkout
+      - run:
+          name: Python 3.7.1 build
+          command: |
+            apk add bash
+            ./build-images.sh 3.7.1
+      - anchore/analyze_local_image:
+          image_name: "fnproject/python:3.7.1-dev fnproject/python:3.7.1"
+          timeout: '500'
+          policy_failure: true
+          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
+      - anchore/parse_reports
+
+workflows:
+  version: 2
+  build:
+    jobs:
+      - "test"
+  commit:
+    jobs:
+      - "test"
+      - "deploy"
+  nightly:
+    triggers:
+      - schedule:
+          cron: "0 0 * * *"
+          filters:
+            branches:
+              only:
+                - master
+    jobs:
+      - "python36_security_check"
+      - "python371_security_check"
diff --git a/.gitignore b/.gitignore
@@ -114,7 +114,6 @@ python-troveclient.iml
 # Files created by releasenotes build
 releasenotes/build
 .coverage.*
-*.json
 .cache
 *.log*
 *.csv
@@ -127,4 +126,4 @@ data/
 
 func.yaml
 func.yml
-test_function/
+test_function/
diff --git a/build-images.sh b/build-images.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -xe
+
+pyversion=${1:-"3.7.1"}
+
+pushd images/build-stage/${pyversion} && docker build -t fnproject/python:${pyversion}-dev . && popd
+pushd images/runtime/${pyversion} && docker build -t fnproject/python:${pyversion} . && popd
diff --git a/circle.yml b/circle.yml
diff --git a/images/build-stage/3.6/Dockerfile b/images/build-stage/3.6/Dockerfile
@@ -1,3 +1,5 @@
 FROM python:3.6-slim-stretch
 
-RUN apt-get update && apt-get install --no-install-recommends -qy build-essential gcc && apt-get clean
+RUN apt-get update && apt-get upgrade -qy && \
+    apt-get install --no-install-recommends -qy build-essential gcc && \
+    apt-get clean
diff --git a/images/build-stage/3.7.1/Dockerfile b/images/build-stage/3.7.1/Dockerfile
@@ -1,3 +1,5 @@
 FROM python:3.7.1-slim-stretch
 
-RUN apt-get update && apt-get install --no-install-recommends -qy build-essential gcc && apt-get clean
+RUN apt-get update && apt-get upgrade -qy && \
+    apt-get install --no-install-recommends -qy build-essential gcc && \
+    apt-get clean
diff --git a/images/runtime/3.6/Dockerfile b/images/runtime/3.6/Dockerfile
@@ -1,3 +1,4 @@
 FROM python:3.6-slim-stretch
 
-RUN addgroup --gid 1000 --system fn && adduser --system --uid 1000 --ingroup fn fn
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
+RUN addgroup --system --gid 1000 --system fn && adduser --system --uid 1000 --ingroup fn fn
diff --git a/images/runtime/3.7.1/Dockerfile b/images/runtime/3.7.1/Dockerfile
@@ -1,3 +1,5 @@
 FROM python:3.7.1-slim-stretch
 
-RUN addgroup --gid 1000 --system fn && adduser --system --uid 1000 --ingroup fn fn
+
+RUN apt-get update && apt-get upgrade -qy && apt-get clean
+RUN addgroup --system --gid 1000 --system fn && adduser --system --uid 1000 --ingroup fn fn
diff --git a/release_images.sh b/release_images.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+user="fnproject"
+image="python"
+runtime36="3.6"
+runtime371="3.7.1"
+
+docker push ${user}/${image}:${runtime36}
+docker push ${user}/${image}:${runtime36}-dev
+
+docker push ${user}/${image}:${runtime371}
+docker push ${user}/${image}:${runtime371}-dev
