apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: redhat-dependency-analytics labels: app.kubernetes.io/version: "0.2" annotations: tekton.dev/categories: Security tekton.dev/pipelines.minVersion: "0.37.5" tekton.dev/tags: Security, Vulnenrability, CVE tekton.dev/displayName: "Red Hat Dependency Analytics" tekton.dev/platforms: "linux/amd64" spec: description: >- The Red Hat Dependency Analytics task is an interface between Tekton and Red Hat Dependency Analytics (RHDA) platform. It provides vulnerability and compliance analysis for application dependencies in your software supply chain. workspaces: - name: output description: Volume backing this workspace is used for input/output of the task. params: - name: manifest-file-path description: Path to target manifest file within workspace. - name: output-file-path description: Path to file within workspace, where the analysis report is saved. default: redhat-dependency-analytics-report.json - name: rhda-image description: Image where Exhort Javascript API and required dependencies are installed. default: quay.io/ecosystem-appeng/exhort-javascript-api:0.1.1-ea.26 - name: python-image description: Image with installed Python interpreter and associated tools (such as pip, pip3, etc.). default: python:3.11 - name: use-go-mvs-logic description: Uses the Minimal version selection (MVS) algorithm to select a set of module versions to use when building Go packages. default: false sidecars: - name: python image: $(params.python-image) volumeMounts: - mountPath: /shared name: shared-data script: | #!/bin/sh # Function to handle errors handle_error() { cp error.log /shared/error.log exit 1 } # Wait for a Step to supply the sidecar with requirements file. while [ ! -f /shared/requirements.txt ] ; do if [ -f /shared/notPython ]; then exit 0 fi sleep 1 done python -m venv /tmp 2>error.log || handle_error /tmp/bin/pip3 install -r /shared/requirements.txt 2>error.log || handle_error /tmp/bin/pip3 freeze --all > /shared/pip_freeze.txt 2>error.log || handle_error SHOW_LIST=$(awk -F '==' '{print $1}' < /shared/pip_freeze.txt) /tmp/bin/pip3 show $(echo "$SHOW_LIST") > /shared/pip_show.txt 2>error.log || handle_error touch /shared/pythonComplete steps: - name: redhat-dependency-analytics image: $(params.rhda-image) workingDir: $(workspaces.output.path) env: - name: RHDA_SOURCE value: tekton volumeMounts: - mountPath: /shared name: shared-data script: | #!/bin/sh # Function to handle errors handle_error() { # Save exit code into output file. jq -n {} | jq --arg exit_code "1" '. + {exit_code: $exit_code}' > $OUTPUT_FILE_PATH # Print stderr message to console error_message=$(sed -n '/^ERROR:/p' error.log) printf "\n[ERROR] Failed to install dependencies from requirements.txt.\n$error_message" exit 1 } # Set the timeout duration in seconds timeout_duration=60 elapsed_time=0 # get task parameter values MANIFEST_FILE_PATH="$(params.manifest-file-path)" OUTPUT_FILE_PATH="$(params.output-file-path)" # install dependencies for requirements.txt file MANIFEST_FILE_BASENAME=$(basename "$MANIFEST_FILE_PATH") if [ "$MANIFEST_FILE_BASENAME" = "requirements.txt" ]; then cp $MANIFEST_FILE_PATH /shared/requirements.txt # Wait for sidecar to provide dependency data. while [ ! -f /shared/pip_show.txt ] || [ ! -f /shared/pip_freeze.txt ] || [ ! -f /shared/pythonComplete ] ; do # Check if error occured if [ -f /shared/error.log ]; then cp /shared/error.log . handle_error fi # Check if the timeout is reached if [ "$elapsed_time" -ge "$timeout_duration" ]; then echo "Timeout reached." > error.log handle_error fi sleep 1 ((elapsed_time++)) done export EXHORT_PIP_FREEZE=$(cat /shared/pip_freeze.txt | base64 -w 0) export EXHORT_PIP_SHOW=$(cat /shared/pip_show.txt | base64 -w 0) else touch /shared/notPython fi export EXHORT_GO_MVS_LOGIC_ENABLED=$(echo "$(params.use-go-mvs-logic)") # execute RHDA sh /rhda.sh "$MANIFEST_FILE_PATH" "$OUTPUT_FILE_PATH" volumes: - name: shared-data emptyDir: {}