feat: add cve-query step

Azure · Dec 27, 2024 · 177c242 · 177c242
1 parent 4c7a34d
commit 177c242
Show file tree

Hide file tree

Showing 4 changed files with 169 additions and 0 deletions.
diff --git a/.pipelines/.vsts-vhd-builder-release.yaml b/.pipelines/.vsts-vhd-builder-release.yaml
@@ -1271,3 +1271,25 @@ stages:
       TAGS_TO_SKIP: "os=windows"
     jobs:
       - template: ./templates/e2e-template.yaml
+  - stage: cveQuery
+    condition: ne(variables.SKIP_CVE_QUERY, 'true')
+    jobs:
+      - job: cveQuery
+        pool: $(QUERY_POOL_NAME)
+        steps:
+          - bash: make -f packer.mk query-cve
+            env:
+              BUILD_SOURCEVERSION: $(Build.SourceVersion)
+          - task: CopyFiles@2
+            condition: failed()
+            displayName: Copy CVE Report
+            inputs:
+              SourceFolder: '$(System.DefaultWorkingDirectory)'
+              Contents: 'cve-report.out'
+              TargetFolder: '$(Build.ArtifactStagingDirectory)'
+          - task: PublishPipelineArtifact@1
+            condition: always()
+            displayName: Publish CVE Report
+            inputs:
+              targetPath: '$(Build.ArtifactStagingDirectory)'
+              artifact: 'cve-report'
diff --git a/packer.mk b/packer.mk
@@ -107,6 +107,10 @@ scanning-vhd: az-login
 test-scan-and-cleanup: az-login
 	@./vhdbuilder/packer/test-scan-and-cleanup.sh
 
+query-cve: az-login
+	@chmod +x ./vhdbuilder/packer/query-cve.sh
+	@./vhdbuilder/packer/query-cve.sh
+
 evaluate-build-performance: az-login
 	@./vhdbuilder/packer/build-performance/evaluate-build-performance.sh
 

diff --git a/vhdbuilder/packer/query-cve-vm.sh b/vhdbuilder/packer/query-cve-vm.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+set -uo pipefail
+
+CVE_REPORT_DIRNAME=/opt/azure/containers
+CVE_REPORT_PATH=${CVE_REPORT_DIRNAME}/cve-report.out
+
+UMSI_PRINCIPAL_ID=${1}
+UMSI_CLIENT_ID=${2}
+ACCOUNT_NAME=${3}
+KUSTO_ENDPOINT=${4}
+KUSTO_DATABASE=${5}
+KUSTO_TABLE=${6}
+COMMIT_HASH=${7}
+STORAGE_ACCOUNT_NAME=${8}
+CVE_REPORT_OUTPUT_NAME=${9}
+CVE_REPORT_CONTAINER_NAME=${10}
+AZURE_MSI_RESOURCE_STRING=${11}
+
+
+MODULE_NAME="vuln-to-kusto-vhd"
+GO_ARCH="amd64"
+
+# hardcoded for now
+LOOKBACK_HOURS=12h
+SEVERITY="HIGH"
+
+# redirect stderr for correct script failure detection
+{
+    sudo apt-get install -y ca-certificates curl apt-transport-https lsb-release gnupg
+    curl -sL https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
+    echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
+    sudo apt-get update -y && sudo apt-get upgrade -y
+    sudo apt-get install -y azure-cli
+} 2>&1
+
+az login --identity --username $UMSI_PRINCIPAL_ID
+
+# pull vuln-to-kusto binary
+az storage blob download --auth-mode login --account-name ${ACCOUNT_NAME} -c vuln-to-kusto \
+    --name ${MODULE_VERSION}/${MODULE_NAME}_linux_${GO_ARCH} \
+    --file ./${MODULE_NAME} 2>&1
+chmod a+x ${MODULE_NAME}
+
+./vuln-to-kusto-vhd query-report ${LOOKBACK_HOURS} ${COMMIT_HASH} \
+    --severity ${SEVERITY} \
+    --kusto-endpoint ${KUSTO_ENDPOINT} \
+    --kusto-database ${KUSTO_DATABASE} \
+    --kusto-table ${KUSTO_TABLE} \
+    --kusto-managed-identity-client-id=${UMSI_CLIENT_ID} > ${CVE_REPORT_PATH}
+
+if [[ $? -ne 0 ]] && [[ -f ${CVE_REPORT_PATH} ]]; then
+    echo "vuln-to-kusto-vhd query-report cmd found CVEs"
+    az login --identity --username $AZURE_MSI_RESOURCE_STRING
+    az storage blob upload --file ${CVE_REPORT_PATH} \
+        --container-name ${CVE_REPORT_CONTAINER_NAME} \
+        --name ${CVE_REPORT_OUTPUT_NAME} \
+        --account-name ${STORAGE_ACCOUNT_NAME} \
+        --auth-mode login
+fi
diff --git a/vhdbuilder/packer/query-cve.sh b/vhdbuilder/packer/query-cve.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+set -euxo pipefail
+
+QUERY_RESOURCE_PREFIX="cve-query"
+QUERY_VM_NAME="$QUERY_RESOURCE_PREFIX-vm-$(date +%s)-$RANDOM"
+RESOURCE_GROUP_NAME="$QUERY_RESOURCE_PREFIX-$(date +%s)-$RANDOM"
+
+QUERY_VM_USERNAME="azureuser"
+
+QUERY_SCRIPT_PATH="query-cve-vm.sh"
+
+set +x
+QUERY_VM_PASSWORD="QueryVM@$(date +%s)"
+set -x
+
+MODULE_NAME="vuln-to-kusto-vhd"
+MODULE_VERSION="v0.0.2-ac18d186094"
+GO_ARCH="amd64"
+
+function cleanup() {
+    echo "Deleting resource group ${RESOURCE_GROUP_NAME}"
+    az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait
+}
+trap cleanup EXIT
+
+az group create --name $RESOURCE_GROUP_NAME --location ${QUERY_VM_LOCATION}
+
+az vm create --resource-group $RESOURCE_GROUP_NAME \
+  --name $QUERY_VM_NAME \
+  --image $QUERY_VHD_IMAGE \
+  --admin-username $QUERY_VM_USERNAME \
+  --admin-password $QUERY_VM_PASSWORD \
+  --assign-identity "${UMSI_RESOURCE_ID}"
+
+FULL_PATH=$(realpath $0)
+CDIR=$(dirname $FULL_PATH)
+QUERY_SCRIPT_PATH="$CDIR/$QUERY_SCRIPT_PATH"
+
+# storage account specific variables
+
+# Use the domain name from the classic blob URL to get the storage account name.
+# If the CLASSIC_BLOB var is not set create a new var called BLOB_STORAGE_NAME in the pipeline.
+BLOB_URL_REGEX="^https:\/\/.+\.blob\.core\.windows\.net\/vhd(s)?$"
+if [[ $CLASSIC_BLOB =~ $BLOB_URL_REGEX ]]; then
+    STORAGE_ACCOUNT_NAME=$(echo $CLASSIC_BLOB | sed -E 's|https://(.*)\.blob\.core\.windows\.net(:443)?/(.*)?|\1|')
+else
+    # Used in the 'AKS Linux VHD Build - PR check-in gate' pipeline.
+    if [ -z "$BLOB_STORAGE_NAME" ]; then
+        echo "BLOB_STORAGE_NAME is not set, please either set the CLASSIC_BLOB var or create a new var BLOB_STORAGE_NAME in the pipeline."
+        exit 1
+    fi
+    STORAGE_ACCOUNT_NAME=${BLOB_STORAGE_NAME}
+fi
+
+# for scanning storage account/container upload access
+az vm identity assign -g $RESOURCE_GROUP_NAME --name $QUERY_VM_NAME --identities $AZURE_MSI_RESOURCE_STRING
+
+TIMESTAMP=$(date +%s%3N)
+CVE_REPORT_OUTPUT_NAME="cve-report-${BUILD_SOURCEVERSION}-${TIMESTAMP}.out"
+CVE_REPORT_CONTAINER_NAME="vhd-scans"
+
+ret=$(az vm run-command invoke \
+  --command-id RunShellScript \
+  --name $QUERY_VM_NAME \
+  --resource-group $RESOURCE_GROUP_NAME \
+  --scripts @$QUERY_SCRIPT_PATH\
+  --parameters "UMSI_PRINCIPAL_ID"=${UMSI_PRINCIPAL_ID} \
+      "UMSI_CLIENT_ID"=${UMSI_CLIENT_ID} \
+      "ACCOUNT_NAME"=${ACCOUNT_NAME} \
+      "KUSTO_ENDPOINT"=${KUSTO_ENDPOINT} \
+      "KUSTO_DATABASE"=${KUSTO_DATABASE} \
+      "KUSTO_TABLE"=${KUSTO_TABLE} \
+      "COMMIT_HASH"=${BUILD_SOURCEVERSION} \
+      "STORAGE_ACCOUNT_NAME"=${STORAGE_ACCOUNT_NAME} \
+      "CVE_REPORT_OUTPUT_NAME"=${CVE_REPORT_OUTPUT_NAME} \
+      "CVE_REPORT_CONTAINER_NAME"=${CVE_REPORT_CONTAINER_NAME} \
+      "AZURE_MSI_RESOURCE_STRING"=${AZURE_MSI_RESOURCE_STRING})
+
+errMsg=$(echo -e $(echo $ret | jq ".value[] | .message" | grep -oP '(?<=stderr]).*(?=\\n")'))
+if [[ $errMsg != '' ]]; then
+  az storage blob download --account-name $STORAGE_ACCOUNT_NAME --container-name $CVE_REPORT_CONTAINER_NAME --name $CVE_REPORT_OUTPUT_NAME --file cve-report.out --auth-mode login
+  az storage blob delete --account-name $STORAGE_ACCOUNT_NAME --container-name $CVE_REPORT_CONTAINER_NAME --name $CVE_REPORT_OUTPUT_NAME --auth-mode login
+  exit 1
+fi