test: skip build

Azure · Jan 29, 2025 · 2950119 · 2950119
1 parent 0cb8c38
commit 2950119
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 24 deletions.
diff --git a/.pipelines/templates/.builder-release-template.yaml b/.pipelines/templates/.builder-release-template.yaml
@@ -111,35 +111,35 @@ steps:
       echo "##vso[task.setvariable variable=SKU_NAME]$SKU_NAME"
       echo "Set SKU_NAME to $SKU_NAME"
     displayName: Set SKU Name
-  - bash: make -f packer.mk run-packer
-    displayName: Build VHD
-    retryCountOnTaskFailure: 3
-    env:
-      OS_TYPE: Linux
-      GIT_VERSION: $(Build.SourceVersion)
-      BRANCH: $(Build.SourceBranch)
-      BUILD_NUMBER: $(Build.BuildNumber)
-      BUILD_ID: $(Build.BuildId)
-      BUILD_DEFINITION_NAME: $(Build.DefinitionName)
-      UA_TOKEN: $(ua-token)
+  # - bash: make -f packer.mk run-packer
+  #   displayName: Build VHD
+  #   retryCountOnTaskFailure: 3
+  #   env:
+  #     OS_TYPE: Linux
+  #     GIT_VERSION: $(Build.SourceVersion)
+  #     BRANCH: $(Build.SourceBranch)
+  #     BUILD_NUMBER: $(Build.BuildNumber)
+  #     BUILD_ID: $(Build.BuildId)
+  #     BUILD_DEFINITION_NAME: $(Build.DefinitionName)
+  #     UA_TOKEN: $(ua-token)
 
   - bash: |
-      PACKER_VNET_RESOURCE_GROUP_NAME="$(cat vhdbuilder/packer/settings.json | grep "vnet_resource_group_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
-      PACKER_VNET_NAME="$(cat vhdbuilder/packer/settings.json | grep "vnet_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
-      CAPTURED_SIG_VERSION="$(cat vhdbuilder/packer/settings.json | grep "captured_sig_version" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
-      SIG_IMAGE_NAME="$(cat vhdbuilder/packer/settings.json | grep "sig_image_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
+      PACKER_VNET_RESOURCE_GROUP_NAME="nodesig-test-westus2-packer-vnet-rg" && \
+      PACKER_VNET_NAME="nodesig-packer-vnet-westus2" && \
+      CAPTURED_SIG_VERSION="1.1738120749.14404" && \
+      SIG_IMAGE_NAME="2204containerd" && \
       echo "##vso[task.setvariable variable=PACKER_VNET_RESOURCE_GROUP_NAME]${PACKER_VNET_RESOURCE_GROUP_NAME}" && \
       echo "##vso[task.setvariable variable=PACKER_VNET_NAME]${PACKER_VNET_NAME}" && \
       echo "##vso[task.setvariable variable=VHD_NAME]${CAPTURED_SIG_VERSION}.vhd" && \
       echo "##vso[task.setvariable variable=IMAGE_NAME]${SIG_IMAGE_NAME}-${CAPTURED_SIG_VERSION}" && \
       echo "##vso[task.setvariable variable=SIG_IMAGE_NAME]${SIG_IMAGE_NAME}" && \
       echo "##vso[task.setvariable variable=CAPTURED_SIG_VERSION]${CAPTURED_SIG_VERSION}" && \
       echo "##vso[task.setvariable variable=IMPORTED_IMAGE_NAME]$(cat vhdbuilder/packer/settings.json | grep "imported_image_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
-      echo "##vso[task.setvariable variable=OS_DISK_URI]$(cat packer-output | grep "OSDiskUri:" | cut -d " " -f 2)" && \
-      echo "##vso[task.setvariable variable=MANAGED_SIG_ID]$(cat packer-output | grep "ManagedImageSharedImageGalleryId:" | cut -d " " -f 2)" && \
-      echo "##vso[task.setvariable variable=SIG_GALLERY_NAME]$(cat vhdbuilder/packer/settings.json | grep "sig_gallery_name" | awk -F':' '{print $2}' | awk -F'"' '{print $2}')" && \
+      echo "##vso[task.setvariable variable=OS_DISK_URI]$" && \
+      echo "##vso[task.setvariable variable=MANAGED_SIG_ID]/subscriptions/c4c3550e-a965-4993-a50c-628fd38cd3e1/resourceGroups/aksvhdtestbuildrg/providers/Microsoft.Compute/galleries/PackerSigGalleryEastUS/images/2204containerd/versions/1.1738120749.14404" && \
+      echo "##vso[task.setvariable variable=SIG_GALLERY_NAME]PackerSigGalleryEastUS" && \
       echo "##vso[task.setvariable variable=PERFORMANCE_DATA_FILE]vhd-build-performance-data.json" && \
-      echo "##vso[task.setvariable variable=PKR_RG_NAME]$(cat packer-output | grep "ResourceGroupName" | cut -d "'" -f 2 | head -1)" && \
+      echo "##vso[task.setvariable variable=PKR_RG_NAME]aksvhdtestbuildrg" && \
       echo "##vso[task.setvariable variable=IS_NOT_1804]$( [[ "${OS_VERSION}" != "18.04" ]] && echo true || echo false )" && \
       echo "##vso[task.setvariable variable=OS_NAME]Linux" && \
       echo "##vso[task.setvariable variable=OS_TYPE]Linux" && \

diff --git a/vhdbuilder/packer/trivy-scan.sh b/vhdbuilder/packer/trivy-scan.sh
@@ -4,6 +4,7 @@ set -euxo pipefail
 TRIVY_REPORT_DIRNAME=/opt/azure/containers
 TRIVY_REPORT_ROOTFS_JSON_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-rootfs.json
 TRIVY_REPORT_IMAGE_TABLE_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-images-table.txt
+CVE_DIFF_QUERY_OUTPUT_PATH=${TRIVY_REPORT_DIRNAME}/cve-diff.txt
 TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"
 
 TRIVY_VERSION="0.57.0"
@@ -40,6 +41,7 @@ export SYSTEM_COLLECTIONURI=${26}
 export SYSTEM_TEAMPROJECT=${27}
 export BUILD_BUILDID=${28}
 export IMAGE_VERSION=${29}
+CVE_DIFF_UPLOAD_REPORT_NAME=${30}
 
 retrycmd_if_failure() {
     retries=$1; wait_sleep=$2; timeout=$3; shift && shift && shift
@@ -131,6 +133,7 @@ rm "trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz"
 chmod a+x trivy 
 
 # pull vuln-to-kusto binary
+MODULE_VERSION="v0.0.3-03a822ef770"
 az storage blob download --auth-mode login --account-name ${ACCOUNT_NAME} -c vuln-to-kusto \
     --name ${MODULE_VERSION}/${MODULE_NAME}_linux_${GO_ARCH} \
     --file ./${MODULE_NAME}
@@ -187,13 +190,26 @@ for CONTAINER_IMAGE in $IMAGE_LIST; do
     fi
 done
 
+./vuln-to-kusto-vhd query-report query-diff \
+    --vhd-vhdname=${VHD_ARTIFACT_NAME} \
+    --kusto-endpoint=${KUSTO_ENDPOINT} \
+    --kusto-database=${KUSTO_DATABASE} \
+    --kusto-table=${KUSTO_TABLE} \
+    --kusto-managed-identity-client-id=${UMSI_CLIENT_ID} >> ${CVE_DIFF_QUERY_OUTPUT_PATH}
+
 rm ./trivy
 
 chmod a+r "${TRIVY_REPORT_ROOTFS_JSON_PATH}"
 chmod a+r "${TRIVY_REPORT_IMAGE_TABLE_PATH}"
 
 login_with_user_assigned_managed_identity ${AZURE_MSI_RESOURCE_STRING}
 
+az storage blob upload --file ${CVE_DIFF_QUERY_OUTPUT_PATH} \
+    --container-name ${SIG_CONTAINER_NAME} \
+    --name ${CVE_DIFF_UPLOAD_REPORT_NAME} \
+    --account-name ${STORAGE_ACCOUNT_NAME} \
+    --auth-mode login
+
 az storage blob upload --file ${TRIVY_REPORT_ROOTFS_JSON_PATH} \
     --container-name ${SIG_CONTAINER_NAME} \
     --name ${TRIVY_UPLOAD_REPORT_NAME} \

diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh
@@ -22,10 +22,10 @@ SIG_CONTAINER_NAME="vhd-scans"
 SCAN_VM_ADMIN_USERNAME="azureuser"
 
 RELEASE_NOTES_FILEPATH="${DEFAULT_WORKING_DIRECTORY}/release-notes.txt"
-if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
-    echo "${RELEASE_NOTES_FILEPATH} does not exist"
-    exit 1
-fi
+# if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then
+#     echo "${RELEASE_NOTES_FILEPATH} does not exist"
+#     exit 1
+# fi
 
 # we must create VMs in a vnet subnet which has access to the storage account, otherwise they will not be able to access the VHD blobs
 SCANNING_SUBNET_ID="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${PACKER_VNET_RESOURCE_GROUP_NAME}/providers/Microsoft.Network/virtualNetworks/${PACKER_VNET_NAME}/subnets/scanning"
@@ -100,6 +100,7 @@ TRIVY_SCRIPT_PATH="$CDIR/$TRIVY_SCRIPT_PATH"
 TIMESTAMP=$(date +%s%3N)
 TRIVY_UPLOAD_REPORT_NAME="trivy-report-${BUILD_ID}-${TIMESTAMP}.json"
 TRIVY_UPLOAD_TABLE_NAME="trivy-table-${BUILD_ID}-${TIMESTAMP}.txt"
+CVE_DIFF_UPLOAD_REPORT_NAME="cve-diff-${BUILD_ID}-${TIMESTAMP}.txt"
 
 # Extract date, revision from build number
 BUILD_RUN_NUMBER=$(echo $BUILD_RUN_NUMBER | cut -d_ -f 1)
@@ -143,15 +144,19 @@ az vm run-command invoke \
         "SYSTEM_COLLECTIONURI"=${SYSTEM_COLLECTIONURI} \
         "SYSTEM_TEAMPROJECT"=${SYSTEM_TEAMPROJECT} \
         "BUILDID"=${BUILD_ID} \
-        "IMAGE_VERSION"=${IMAGE_VERSION}
+        "IMAGE_VERSION"=${IMAGE_VERSION} \
+        "CVE_DIFF_UPLOAD_REPORT_NAME"=${CVE_DIFF_UPLOAD_REPORT_NAME}
 
 capture_benchmark "${SCRIPT_NAME}_run_az_scan_command"
 
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${TRIVY_UPLOAD_REPORT_NAME} --file trivy-report.json --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${TRIVY_UPLOAD_TABLE_NAME} --file  trivy-images-table.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
+az storage blob download --container-name ${SIG_CONTAINER_NAME} --name  ${CVE_DIFF_UPLOAD_REPORT_NAME} --file  cve-diff.txt --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 
 az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_REPORT_NAME} --auth-mode login
 az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${TRIVY_UPLOAD_TABLE_NAME} --auth-mode login
+az storage blob delete --account-name ${STORAGE_ACCOUNT_NAME} --container-name ${SIG_CONTAINER_NAME} --name ${CVE_DIFF_UPLOAD_REPORT_NAME} --auth-mode login
+
 capture_benchmark "${SCRIPT_NAME}_download_and_delete_blobs"
 
 if [ ! -f "${RELEASE_NOTES_FILEPATH}" ]; then