Merge pull request #113 from IBM/akash

Dependency analysis

Author: akgunjal

.gitignore

@@ -0,0 +1,6 @@
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+*.html
+
+/dependency-check/*.json
+/dependency-check/logfile

block-storage-attacher/Dockerfile.dependencycheck

@@ -0,0 +1,12 @@
+FROM wcp-alchemy-containers-team-access-redhat-docker-remote.artifactory.swg-devops.com/ubi8/ubi-minimal
+ARG ARTIFACTORY_API_KEY=blank
+ENV DEP_CHECK_VER 5.3.2
+ENV JAVA_HOME /usr
+RUN microdnf update -y && microdnf install java-11-openjdk-devel zip findutils golang make
+RUN curl -sLH "X-JFrog-Art-Api:${ARTIFACTORY_API_KEY}" "https://na.artifactory.swg-devops.com/artifactory/wcp-alchemy-containers-team-github-generic-remote/jeremylong/DependencyCheck/releases/download/v${DEP_CHECK_VER}/dependency-check-${DEP_CHECK_VER}-release.zip" -o /tmp/dependency-check-${DEP_CHECK_VER}-release.zip
+RUN cd /tmp && unzip dependency-check-${DEP_CHECK_VER}-release.zip
+RUN chmod +x /tmp/dependency-check/bin/dependency-check.sh
+ADD . /src
+RUN rm -rf /src/build-tools /src/go*.tar.gz
+WORKDIR /src
+ENTRYPOINT [ "make", "analyzedeps" ]

block-storage-attacher/Makefile

@@ -54,7 +54,7 @@ coverage:
 
 .PHONY: buildimage
 buildimage: build-systemutil
-	#go run github.ibm.com/alchemy-containers/go-build-tools/cmd/goproxy -docker-build -- 
+	#go run github.ibm.com/alchemy-containers/go-build-tools/cmd/goproxy -docker-build --
 		docker build \
 			--build-arg git_commit_id=${GIT_COMMIT_SHA} \
 			--build-arg git_remote_url=${GIT_REMOTE_URL} \
@@ -81,3 +81,18 @@ build-systemutil:
 oss:
 	go get github.ibm.com/alchemy-containers/[email protected]
 	go run github.ibm.com/alchemy-containers/armada-opensource-lib/cmd/makeoss ${OSS_FILES}
+
+.PHONY: runanalyzedeps
+runanalyzedeps:
+	docker build --rm --build-arg ARTIFACTORY_API_KEY="${ARTIFACTORY_API_KEY}"  -t armada/analyze-deps -f Dockerfile.dependencycheck .
+	docker run -v `pwd`/dependency-check:/results armada/analyze-deps
+
+.PHONY: analyzedeps
+analyzedeps:
+	/tmp/dependency-check/bin/dependency-check.sh --enableExperimental --log /results/logfile --out /results --disableAssembly \
+		--suppress /src/dependency-check/suppression-file.xml --format JSON --prettyPrint --failOnCVSS 0 --scan /src
+
+.PHONY: showanalyzedeps
+showanalyzedeps:
+	grep "VULNERABILITY FOUND" dependency-check/logfile;
+	cat dependency-check/dependency-check-report.json |jq '.dependencies[] | select(.vulnerabilities | length>0)';

block-storage-attacher/dependency-check/suppression-file.xml

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+</suppressions>