Restore failing when CVE scanner finds a vulnerability

WyriHaximus · WyriHaximus · commit ac82b67389e6 · 2021-02-25T17:43:36.000+01:00
During the migration to GitHub Actions in #160 this functionality was mistakenly and overzealously removed. Since PHP 8 and Alpine 3.13 are out and #166 has been filed, currently with a CVE for musl in it, this check should have failed as it is our goal to ship images without known CVE's in it. On my own PHP images the CVE checking fails and as such I was surprised that #166 didn't have any failures. Up on checking the CI logs it showed the musl CVE but the step didn't fail. This commit restores the original functionality and will make the CI once again fail when it finds a CVE in one of the images.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -204,7 +204,7 @@ jobs:
           path: ./tmp
       - run: docker load --input ./tmp/image*.tar
       - run: mkdir -p "./clair/${DOCKER_IMAGE}"
-      - run: make scan-vulnerability
+      - run: make ci-scan-vulnerability
   scan-vulnerability-http:
     name: Scan nginx ${{ matrix.nginx }} for vulnerabilities
     needs:
@@ -233,7 +233,7 @@ jobs:
         shell: bash
       - run: mkdir -p "./clair/${DOCKER_IMAGE}"
         shell: bash
-      - run: make scan-vulnerability
+      - run: make ci-scan-vulnerability
         shell: bash
   scan-vulnerability-prometheus-exporter-file:
     name: Scan HTTP prometheus-exporter-file for vulnerabilities
@@ -258,7 +258,7 @@ jobs:
           path: ./tmp
       - run: docker load --input ./tmp/image*.tar
       - run: mkdir -p "./clair/${DOCKER_IMAGE}"
-      - run: make scan-vulnerability
+      - run: make ci-scan-vulnerability
   test-php:
     name: Functionaly test PHP ${{ matrix.php }} for ${{ matrix.type }} on Alpine ${{ matrix.alpine }}
     needs:
diff --git a/Makefile b/Makefile
@@ -108,3 +108,9 @@ scan-vulnerability:
 	mkdir -p ./tmp/clair/usabillabv
 	cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log % || echo "% is vulnerable"'
 	docker-compose -f test/security/docker-compose.yml -p clair-ci down
+
+ci-scan-vulnerability:
+	docker-compose -f test/security/docker-compose.yml -p clair-ci up -d
+	RETRIES=0 && while ! wget -T 10 -q -O /dev/null http://localhost:6060/v1/namespaces ; do sleep 1 ; echo -n "." ; if [ $${RETRIES} -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; RETRIES=$$(($${RETRIES}+1)) ; done
+	mkdir -p ./tmp/clair/usabillabv
+	cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log %'
