From c0910b015aeb7d538e312bc976467c17c7572982 Mon Sep 17 00:00:00 2001 From: Rajesh Rajendran Date: Thu, 31 Oct 2024 15:02:21 +0100 Subject: [PATCH] Fix ci varibles and trivy failover voln db (#2718) * ci(actios): Adding more secrets * ci(actions): Update trivy version * fix(ci): local variable * ci(fix): variable substitution * feat(docker): use insanely fast uv for pip * chore(ci): Adding failover trivy db * chore(requirements): Making the requirements file compatible with uv --------- Signed-off-by: rjshrjndrn --- .../composite-actions/update-keys/action.yml | 39 +++++++++++++------ .github/workflows/alerts-ee.yaml | 11 ++++-- .github/workflows/alerts.yaml | 11 ++++-- .github/workflows/api-ee.yaml | 11 ++++-- .github/workflows/api.yaml | 11 ++++-- .github/workflows/assist-ee.yaml | 11 ++++-- .github/workflows/assist-stats.yaml | 18 +++++++-- .github/workflows/assist.yaml | 11 ++++-- .github/workflows/crons-ee.yaml | 11 ++++-- .github/workflows/frontend.yaml | 14 ++++++- .github/workflows/peers-ee.yaml | 11 ++++-- .github/workflows/peers.yaml | 11 ++++-- .github/workflows/sourcemaps-reader-ee.yaml | 11 ++++-- .github/workflows/sourcemaps-reader.yaml | 11 ++++-- .github/workflows/workers-ee.yaml | 11 ++++-- .github/workflows/workers.yaml | 12 ++++-- api/Dockerfile | 3 +- ee/api/Dockerfile | 5 ++- ee/api/requirements.txt | 3 +- 19 files changed, 166 insertions(+), 60 deletions(-) diff --git a/.github/composite-actions/update-keys/action.yml b/.github/composite-actions/update-keys/action.yml index a2fa1c660..3de586420 100644 --- a/.github/composite-actions/update-keys/action.yml +++ b/.github/composite-actions/update-keys/action.yml @@ -10,6 +10,9 @@ inputs: jwt_secret: required: true description: 'JWT Secret' + jwt_spot_secret: + required: true + description: 'JWT spot Secret' minio_access_key: required: true description: 'MinIO Access Key' 
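Review bot: The inputs hunk declares only `jwt_spot_secret`, yet the env block later in this same file maps `inputs.jwt_refresh_secret` and `inputs.jwt_spot_refresh_secret`, and this patch adds no declaration for either. Unless they are already declared in a part of `inputs:` outside this hunk, the runner will warn about unexpected inputs and each expression evaluates to an empty string, so an empty refresh-token signing secret ends up written into vars.yaml. Add the declarations next to the new one, e.g. `jwt_refresh_secret:` / `  required: true` / `  description: 'JWT refresh secret'`, and the same for `jwt_spot_refresh_secret`. Note that `required: true` on a composite-action input is not, in practice, enforced at run time, so it does not by itself stop an empty value from flowing through.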
@@ -36,22 +39,36 @@ runs: - name: "Updating OSS secrets" run: | cd scripts/helmcharts/ - yq e -i '.global.domainName = strenv(DOMAIN_NAME)' vars.yaml - yq e -i '.global.assistKey = strenv(ASSIST_KEY)' vars.yaml - yq e -i '.global.assistJWTSecret = strenv(ASSIST_JWT_SECRET)' vars.yaml - yq e -i '.global.jwtSecret = strenv(JWT_SECRET)' vars.yaml - yq e -i '.global.jwtSpotSecret = strenv(JWT_SPOT_SECRET)' vars.yaml - yq e -i '.global.enterpriseEditionLicense = strenv(LICENSE_KEY)' vars.yaml - yq e -i '.global.s3.accessKey = strenv(MINIO_ACCESS_KEY)' vars.yaml - yq e -i '.global.s3.secretKey = strenv(MINIO_SECRET_KEY)' vars.yaml - yq e -i '.postgresql.postgresqlPassword = strenv(PG_PASSWORD)' vars.yaml - yq e -i '.global.openReplayContainerRegistry = strenv(REGISTRY_URL)' vars.yaml + vars=( + "ASSIST_JWT_SECRET:.global.assistJWTSecret" + "ASSIST_KEY:.global.assistKey" + "DOMAIN_NAME:.global.domainName" + "JWT_REFRESH_SECRET:.chalice.env.JWT_REFRESH_SECRET" + "JWT_SECRET:.global.jwtSecret" + "JWT_SPOT_REFRESH_SECRET:.chalice.env.JWT_SPOT_REFRESH_SECRET" + "JWT_SPOT_SECRET:.global.jwtSpotSecret" + "LICENSE_KEY:.global.enterpriseEditionLicense" + "MINIO_ACCESS_KEY:.global.s3.accessKey" + "MINIO_SECRET_KEY:.global.s3.secretKey" + "PG_PASSWORD:.postgresql.postgresqlPassword" + "REGISTRY_URL:.global.openReplayContainerRegistry" + ) + for var in "${vars[@]}"; do + IFS=":" read -r env_var yq_path <<<"$var" + yq e -i "${yq_path} = strenv(${env_var})" vars.yaml + done shell: bash env: + ASSIST_JWT_SECRET: ${{ inputs.assist_jwt_secret }} + ASSIST_KEY: ${{ inputs.assist_key }} DOMAIN_NAME: ${{ inputs.domain_name }} - LICENSE_KEY: ${{ inputs.license_key }} + JWT_REFRESH_SECRET: ${{ inputs.jwt_refresh_secret }} JWT_SECRET: ${{ inputs.jwt_secret }} + JWT_SPOT_REFRESH_SECRET: ${{inputs.jwt_spot_refresh_secret}} + JWT_SPOT_SECRET: ${{ inputs.jwt_spot_secret }} + LICENSE_KEY: ${{ inputs.license_key }} MINIO_ACCESS_KEY: ${{ inputs.minio_access_key }} MINIO_SECRET_KEY: ${{ 
inputs.minio_secret_key }} PG_PASSWORD: ${{ inputs.pg_password }} REGISTRY_URL: ${{ inputs.registry_url }} + diff --git a/.github/workflows/alerts-ee.yaml b/.github/workflows/alerts-ee.yaml index 5057f460c..1df316c3e 100644 --- a/.github/workflows/alerts-ee.yaml +++ b/.github/workflows/alerts-ee.yaml @@ -43,9 +43,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.EE_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.EE_LICENSE_KEY }} minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} pg_password: ${{ secrets.EE_PG_PASSWORD }} @@ -78,10 +83,10 @@ jobs: cd api PUSH_IMAGE=0 bash -x ./build_alerts.sh ee [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("alerts") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/alerts.yaml b/.github/workflows/alerts.yaml index 8e823c60e..c5d268648 100644 --- a/.github/workflows/alerts.yaml 
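Review bot: The loop in `Updating OSS secrets` writes whatever each variable holds straight into vars.yaml, and because every variable is set via `env:`, a missing or misnamed repository secret arrives as a set-but-empty string that `strenv` writes through as an empty value without complaint, leaving the chart with a blank JWT or MinIO secret instead of a failed job. Add a guard before the yq call, e.g. `[[ -n "${!env_var}" ]] || { echo "::error::${env_var} is empty"; exit 1; }`, exempting any key that is legitimately blank (the license key on OSS builds, if that is the case). The `"${yq_path} = strenv(${env_var})"` form is the right one to keep, since the secret value never enters the yq expression or the process arguments.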
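Review bot: The scanner binary is still fetched with `curl -L … | tar -xzf -` and no integrity check, so the version bump on this line is the moment to fix that: a substituted or tampered tarball would run as the gate that decides whether the image ships. Download to a file, verify it against the sha256 published with the release, then extract, e.g. `curl -fsSL -o trivy.tgz <url>`, `echo "<release sha256>  trivy.tgz" | sha256sum -c -`, `tar -xzf trivy.tgz -C ./`; `-f` also makes an HTTP error fail the step instead of feeding an HTML body to tar. Separately, `--security-checks` has been deprecated in favour of `--scanners` in recent Trivy releases, so confirm 0.56.2 still accepts it or switch to `--scanners vuln` while touching this line. The same download-and-scan block is repeated in every workflow in this patch, so a shared composite step would keep the fix in one place.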
+++ b/.github/workflows/alerts.yaml @@ -36,9 +36,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} pg_password: ${{ secrets.OSS_PG_PASSWORD }} @@ -71,10 +76,10 @@ jobs: cd api PUSH_IMAGE=0 bash -x ./build_alerts.sh [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("alerts") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/api-ee.yaml b/.github/workflows/api-ee.yaml index 91b51d871..9f26be0fb 100644 --- a/.github/workflows/api-ee.yaml +++ b/.github/workflows/api-ee.yaml 
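Review bot: The new `with:` entries pass `secrets.JWT_REFRESH_SECRET`, `secrets.JWT_SPOT_REFRESH_SECRET`, `secrets.JWT_SPOT_SECRET`, `secrets.ASSIST_JWT_SECRET` and `secrets.ASSIST_KEY` without the `OSS_`/`EE_` prefix that every other secret here carries (`OSS_JWT_SECRET` in this workflow versus `EE_JWT_SECRET` in alerts-ee.yaml, and so on). If these are single repository secrets shared by both deployments, a refresh or spot token minted by one environment will verify on the other unless the verifier also checks issuer or audience, which nothing in this patch shows. Split them per environment, e.g. `jwt_refresh_secret: ${{ secrets.OSS_JWT_REFRESH_SECRET }}` here and `EE_JWT_REFRESH_SECRET` in the EE workflows, or document why sharing one signing secret across both is intended.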
@@ -42,9 +42,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.EE_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.EE_LICENSE_KEY }} minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} pg_password: ${{ secrets.EE_PG_PASSWORD }} @@ -77,10 +82,10 @@ jobs: cd api PUSH_IMAGE=0 bash -x ./build.sh ee [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("chalice") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/api.yaml b/.github/workflows/api.yaml index 7b97e6a2d..0c6f2f31d 100644 --- a/.github/workflows/api.yaml +++ b/.github/workflows/api.yaml 
@@ -35,9 +35,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} pg_password: ${{ secrets.OSS_PG_PASSWORD }} @@ -70,10 +75,10 @@ jobs: cd api PUSH_IMAGE=0 bash -x ./build.sh [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("chalice") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/assist-ee.yaml b/.github/workflows/assist-ee.yaml index 195ee887c..bbbd871e9 100644 --- a/.github/workflows/assist-ee.yaml +++ b/.github/workflows/assist-ee.yaml 
@@ -33,9 +33,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.EE_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.EE_LICENSE_KEY }} minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} pg_password: ${{ secrets.EE_PG_PASSWORD }} @@ -63,10 +68,10 @@ jobs: cd assist PUSH_IMAGE=0 bash -x ./build.sh ee [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("assist") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/assist-stats.yaml b/.github/workflows/assist-stats.yaml index ed7078f6f..9795d9588 100644 --- a/.github/workflows/assist-stats.yaml +++ b/.github/workflows/assist-stats.yaml 
@@ -32,9 +32,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} pg_password: ${{ secrets.OSS_PG_PASSWORD }} @@ -67,10 +72,10 @@ jobs: cd assist-stats PUSH_IMAGE=0 bash -x ./build.sh ee [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("assist-stats") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { 
@@ -94,9 +99,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.EE_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.EE_LICENSE_KEY }} minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} pg_password: ${{ secrets.EE_PG_PASSWORD }} diff --git a/.github/workflows/assist.yaml b/.github/workflows/assist.yaml index 02a2c8fb1..451cc07b5 100644 --- a/.github/workflows/assist.yaml +++ b/.github/workflows/assist.yaml @@ -32,9 +32,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} pg_password: ${{ secrets.OSS_PG_PASSWORD }} 
@@ -62,10 +67,10 @@ jobs: cd assist PUSH_IMAGE=0 bash -x ./build.sh [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("assist") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/crons-ee.yaml b/.github/workflows/crons-ee.yaml index 0fb91d420..31354e234 100644 --- a/.github/workflows/crons-ee.yaml +++ b/.github/workflows/crons-ee.yaml @@ -44,9 +44,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.EE_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.EE_LICENSE_KEY }} minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} pg_password: ${{ secrets.EE_PG_PASSWORD }} 
@@ -79,10 +84,10 @@ jobs: cd api PUSH_IMAGE=0 bash -x ./build_crons.sh ee [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("crons") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/frontend.yaml b/.github/workflows/frontend.yaml index cf4786f80..1dc69c580 100644 --- a/.github/workflows/frontend.yaml +++ b/.github/workflows/frontend.yaml @@ -31,9 +31,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} pg_password: ${{ secrets.OSS_PG_PASSWORD }} 
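Review bot: The frontend workflow's `update-keys` step now receives the full set of backend secrets (JWT signing and refresh secrets, MinIO keys, the Postgres password) for what appears to be a frontend image build; each extra secret handed to a job is one more that a compromised action or a leaky `bash -x` trace in that job could expose. If the frontend deploy only needs a subset of vars.yaml populated, consider making the unused inputs optional in the composite action and passing only what this job actually consumes. The remainder of the frontend job is outside this hunk, so the real consumers of these values are not visible here.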
@@ -103,9 +108,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.EE_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.EE_LICENSE_KEY }} minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} pg_password: ${{ secrets.EE_PG_PASSWORD }} diff --git a/.github/workflows/peers-ee.yaml b/.github/workflows/peers-ee.yaml index 04aec596c..647a1373e 100644 --- a/.github/workflows/peers-ee.yaml +++ b/.github/workflows/peers-ee.yaml @@ -33,9 +33,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.EE_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.EE_LICENSE_KEY }} minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} pg_password: ${{ secrets.EE_PG_PASSWORD }} 
@@ -68,10 +73,10 @@ jobs: cd peers PUSH_IMAGE=0 bash -x ./build.sh ee [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("peers") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/peers.yaml b/.github/workflows/peers.yaml index b35422d64..86bdcca39 100644 --- a/.github/workflows/peers.yaml +++ b/.github/workflows/peers.yaml @@ -32,9 +32,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} pg_password: ${{ secrets.OSS_PG_PASSWORD }} 
@@ -67,10 +72,10 @@ jobs: cd peers PUSH_IMAGE=0 bash -x ./build.sh [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("peers") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/sourcemaps-reader-ee.yaml b/.github/workflows/sourcemaps-reader-ee.yaml index bb35ecd10..cb185af46 100644 --- a/.github/workflows/sourcemaps-reader-ee.yaml +++ b/.github/workflows/sourcemaps-reader-ee.yaml @@ -32,9 +32,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.EE_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.EE_LICENSE_KEY }} minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} pg_password: ${{ secrets.EE_PG_PASSWORD }} 
@@ -67,10 +72,10 @@ jobs: cd sourcemap-reader PUSH_IMAGE=0 bash -x ./build.sh [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("sourcemaps-reader") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/sourcemaps-reader.yaml b/.github/workflows/sourcemaps-reader.yaml index cfb06d91d..2034456a7 100644 --- a/.github/workflows/sourcemaps-reader.yaml +++ b/.github/workflows/sourcemaps-reader.yaml @@ -32,9 +32,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} pg_password: ${{ secrets.OSS_PG_PASSWORD }} 
@@ -67,10 +72,10 @@ jobs: cd sourcemap-reader PUSH_IMAGE=0 bash -x ./build.sh [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ images=("sourcemaps-reader") for image in ${images[*]};do - ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG done err_code=$? [[ $err_code -ne 0 ]] && { diff --git a/.github/workflows/workers-ee.yaml b/.github/workflows/workers-ee.yaml index 11102e663..5ed1039b2 100644 --- a/.github/workflows/workers-ee.yaml +++ b/.github/workflows/workers-ee.yaml @@ -36,9 +36,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.EE_DOMAIN_NAME }} - license_key: ${{ secrets.EE_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.EE_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.EE_LICENSE_KEY }} minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }} pg_password: ${{ secrets.EE_PG_PASSWORD }} 
@@ -116,8 +121,8 @@ jobs: echo "Bulding $image" PUSH_IMAGE=0 bash -x ./build.sh ee $image [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ - ./trivy image --exit-code 1 --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG err_code=$? [[ $err_code -ne 0 ]] && { exit $err_code diff --git a/.github/workflows/workers.yaml b/.github/workflows/workers.yaml index e6cccb1e9..ceb4e0f43 100644 --- a/.github/workflows/workers.yaml +++ b/.github/workflows/workers.yaml @@ -35,9 +35,14 @@ jobs: - uses: ./.github/composite-actions/update-keys with: + assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }} + assist_key: ${{ secrets.ASSIST_KEY }} domain_name: ${{ secrets.OSS_DOMAIN_NAME }} - license_key: ${{ secrets.OSS_LICENSE_KEY }} + jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }} jwt_secret: ${{ secrets.OSS_JWT_SECRET }} + jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }} + jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }} + license_key: ${{ secrets.OSS_LICENSE_KEY }} minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }} minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }} pg_password: ${{ secrets.OSS_PG_PASSWORD }} 
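Review bot: This trivy invocation omits the `--security-checks vuln` that every other workflow in this patch passes, so the workers images are scanned with Trivy's default scanner set while the rest are restricted to vulnerabilities only; in recent Trivy releases the default set includes secret scanning, so pass/fail conditions differ between services for reasons unrelated to their contents. Pick one policy and state it explicitly everywhere, e.g. `--scanners vuln,secret` (the flag that replaces the deprecated `--security-checks`), so an image does not pass in one pipeline and fail in another. The download on the line above also still lacks a checksum check, exactly as it did before the version bump.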
@@ -109,8 +114,8 @@ jobs: echo "Bulding $image" PUSH_IMAGE=0 bash -x ./build.sh skip $image [[ "x$skip_security_checks" == "xtrue" ]] || { - curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./ - ./trivy image --exit-code 1 --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./ + ./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG err_code=$? [[ $err_code -ne 0 ]] && { exit $err_code @@ -178,3 +183,4 @@ jobs: # ENVIRONMENT: staging # with: # iimit-access-to-actor: true + # diff --git a/api/Dockerfile b/api/Dockerfile index a0445b175..5ef791274 100644 --- a/api/Dockerfile +++ b/api/Dockerfile @@ -17,7 +17,8 @@ ENV SOURCE_MAP_VERSION=0.7.4 \ WORKDIR /work COPY requirements.txt ./requirements.txt -RUN pip install --no-cache-dir --upgrade -r requirements.txt +RUN pip install --no-cache-dir --upgrade uv +RUN uv pip install --no-cache-dir --upgrade -r requirements.txt --system COPY . . RUN mv env.default .env diff --git a/ee/api/Dockerfile b/ee/api/Dockerfile index fbea125c8..28de57ef2 100644 --- a/ee/api/Dockerfile +++ b/ee/api/Dockerfile @@ -13,8 +13,9 @@ ENV SOURCE_MAP_VERSION=0.7.4 \ WORKDIR /work COPY requirements.txt ./requirements.txt # Caching the source build -RUN pip install --no-cache-dir --upgrade python3-saml==1.16.0 --no-binary=lxml -RUN pip install --no-cache-dir --upgrade -r requirements.txt +RUN pip install --no-cache-dir --upgrade uv +RUN uv pip install --no-cache-dir --upgrade python3-saml==1.16.0 --no-binary=lxml --system +RUN uv pip install --no-cache-dir --upgrade -r requirements.txt --system COPY . . RUN mv env.default .env 
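Review bot: `RUN pip install --no-cache-dir --upgrade uv` in api/Dockerfile installs whatever uv release PyPI serves at build time, so the image build is no longer reproducible and a future compromised or broken uv release would be pulled in silently by the very tool that then installs every other dependency. Pin it, e.g. `RUN pip install --no-cache-dir 'uv==<pinned version>'`, and consider `--require-hashes` or a compiled lock so uv itself is verified. The `--upgrade` on the following `uv pip install … -r requirements.txt --system` line has the same effect on any transitive dependency that requirements.txt does not pin exactly.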
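Review bot: In ee/api/Dockerfile the second `uv pip install --upgrade -r requirements.txt --system` runs after the `python3-saml==1.16.0 --no-binary=lxml` layer that the `# Caching the source build` comment exists to protect; with `--upgrade`, anything that layer pulled in (lxml, for instance) that requirements.txt does not pin exactly can be replaced in the second step, which defeats the cached source build and makes the final version set depend on the day of the build. Dropping `--upgrade` from that line, or installing from a hash-locked requirements file, keeps the resolution deterministic. As in the OSS Dockerfile, `pip install --upgrade uv` is unpinned and should carry an exact version.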
diff --git a/ee/api/requirements.txt b/ee/api/requirements.txt index b4e73fe49..2e664ba7e 100644 --- a/ee/api/requirements.txt +++ b/ee/api/requirements.txt @@ -21,7 +21,8 @@ apscheduler==3.10.4 clickhouse-driver[lz4]==0.2.9 # TODO: enable after xmlsec fix https://github.com/xmlsec/python-xmlsec/issues/252 #--no-binary is used to avoid libxml2 library version incompatibilities between xmlsec and lxml -python3-saml==1.16.0 --no-binary=lxml +python3-saml==1.16.0 +--no-binary=lxml python-multipart==0.0.16 redis==5.2.0