From 26fb2c60c60a619679d42e59a987e26cb6a12599 Mon Sep 17 00:00:00 2001
From: Gabor Burges
Date: Wed, 20 Sep 2023 17:00:09 +0200
Subject: [PATCH] [WIP]Add platsec check to jenkinsfile

---
 .../backend-pipeline-pr-checks/Jenkinsfile | 11 +++++++-
 platsec.sh | 28 +++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100755 platsec.sh

diff --git a/examples/backend-pipeline-pr-checks/Jenkinsfile b/examples/backend-pipeline-pr-checks/Jenkinsfile
index d3debd7b..8a634c78 100644
--- a/examples/backend-pipeline-pr-checks/Jenkinsfile
+++ b/examples/backend-pipeline-pr-checks/Jenkinsfile
@@ -24,7 +24,7 @@ pipeline {
 APP_NAME="CHANGEME" // name of app-sre "application" folder this component lives in
 COMPONENT_NAME="CHANGEME" // name of app-sre "resourceTemplate" in deploy.yaml for this component
 IMAGE="quay.io/cloudservices/CHANGEME" // image location on quay
-
+ RUN_PLATSEC=false // optional step to run vulnerability checks
 IQE_PLUGINS="CHANGEME" // name of the IQE plugin for this app.
 IQE_MARKER_EXPRESSION="CHANGEME" // This is the value passed to pytest -m
 IQE_FILTER_EXPRESSION="" // This is the value passed to pytest -k
@@ -67,6 +67,15 @@ pipeline {
 }
 }
+
+ stage ('Run vulnerability tests') {
+ if (env.RUN_PLATSEC == true)
+ steps {
+ withVault([configuration, vaultSecrets: secrets]) {
+ sh 'source ${CICD_ROOT}/platsec.sh'
+ }
+ }
+ }
 }
 }
 }
diff --git a/platsec.sh b/platsec.sh
new file mode 100755
index 00000000..afb8c7cc
--- /dev/null
+++ b/platsec.sh
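Review bot: `if (env.RUN_PLATSEC == true)` placed directly inside `stage ('Run vulnerability tests')` is not a declarative-pipeline construct (the hunk header shows `pipeline {`), and even where a bare `if` were accepted the comparison never holds, because values set in an `environment` block are strings, so `RUN_PLATSEC=false` from the first hunk arrives as `"false"` or `"true"` and the stage is silently skipped in every configuration; the declarative form is `when { environment name: 'RUN_PLATSEC', value: 'true' }` in place of the `if` line. `sh 'source ${CICD_ROOT}/platsec.sh'` depends on the `source` builtin, which the `sh` step's default `/bin/sh` need not provide; since the new file carries a bash shebang and is created with mode 100755, `sh '${CICD_ROOT}/platsec.sh'` runs it as intended and still makes its exit status the stage result. `configuration` and `secrets` passed to `withVault` are not defined anywhere in the hunk; presumably they are declared earlier in the Jenkinsfile, which should be confirmed. The enclosing `stages` block begins before this hunk.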
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+ARTIFACTS_DIR="grype-vuln-artifacts"
+IMAGE_TAG="quay.io/gburges/kibana:latest"
+
+mkdir -p "$ARTIFACTS_DIR"
+
+function download (){
+ curl -sSfL https://raw.githubusercontent.com/anchore/$1/main/install.sh | sh -s -- -b ./bin
+}
+
+if ! ./bin/syft; then
+ download syft
+fi
+
+if ! ./bin/grype; then
+ download grype
+fi
+
+#install and run syft
+# curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ./bin
+./bin/syft -v ${IMAGE_TAG} > "${ARTIFACTS_DIR}/syft-sbom-results.txt"
+
+#install and run grype
+# curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ./bin
+./bin/grype -v -o table ${IMAGE_TAG} > "${ARTIFACTS_DIR}/grype-vuln-results-full.txt"
+./bin/grype -v -o table --only-fixed ${IMAGE_TAG} > "${ARTIFACTS_DIR}/grype-vuln-results-fixable.txt"
+./bin/grype -v -o table --only-fixed --fail-on high ${IMAGE_TAG};
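Review bot: The presence checks `if ! ./bin/syft; then` and `if ! ./bin/grype; then` test the exit status of running each tool with no arguments rather than whether the binary exists, so an already-installed tool that exits non-zero on a bare invocation is re-downloaded on every run; `[ -x ./bin/syft ]` (and the same for grype) is the intended test. Both downloads pipe `install.sh` from the `main` branch into `sh` with no version pinned, so the scanner that gates this pipeline changes whenever upstream pushes, which is a reproducibility problem and an avoidable supply-chain trust point for a vulnerability check; pass a pinned release tag to the installer (the goreleaser-style installers accept it as a positional argument, which should be confirmed for these two) and fetch the script from that tag rather than `main`. `IMAGE_TAG="quay.io/gburges/kibana:latest"` scans a personal image with a floating tag while the Jenkinsfile hunk defines `IMAGE` for the component; presumably a WIP placeholder, but the target should come from the pipeline, e.g. `IMAGE_TAG="${IMAGE_TAG:-$IMAGE}"`. Without `set -euo pipefail` a failing `mkdir`, download or `syft` run is masked and only the final `grype --fail-on high` line decides the script's exit status, which is the only thing Jenkins sees.
```shell
set -euo pipefail

ARTIFACTS_DIR="grype-vuln-artifacts"
# Take the scan target from the pipeline; the literal is only a local-testing fallback.
IMAGE_TAG="${IMAGE_TAG:-${IMAGE:-quay.io/gburges/kibana:latest}}"
# Pin both scanners so CI runs a known release instead of whatever main currently installs.
SYFT_VERSION="<pinned-syft-release-tag>"
GRYPE_VERSION="<pinned-grype-release-tag>"

mkdir -p "$ARTIFACTS_DIR"

# $1 = anchore project name, $2 = release tag; the installer is fetched at that tag, not main.
function download (){
    curl -sSfL "https://raw.githubusercontent.com/anchore/$1/$2/install.sh" | sh -s -- -b ./bin "$2"
}

if [ ! -x ./bin/syft ]; then
    download syft "$SYFT_VERSION"
fi

if [ ! -x ./bin/grype ]; then
    download grype "$GRYPE_VERSION"
fi

# … unchanged: syft SBOM and grype table outputs, with ${IMAGE_TAG} quoted as "${IMAGE_TAG}" …
```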