WIP: v1.1.0 bug fixes (#54)

bluesentinelsec · Michael Long · web-flow · commit ae0421a868c3 · 2024-06-04T13:17:03.000-04:00
* update workflow definitions to v1.1.0

* Handle non-existing files in step summary

* add try-except to file write

* Debugging

* log.error to info since GHA treats err as failure

---------

Co-authored-by: Michael Long &lt;mlongii@amazon.com&gt;
diff --git a/.github/workflows/build_scan_container.yml b/.github/workflows/build_scan_container.yml
@@ -47,7 +47,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan built image with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
         id: inspector
         with:
           artifact_type: 'container'
@@ -63,7 +63,7 @@ jobs:
           medium_threshold: 1
           low_threshold: 1
           other_threshold: 1
-          sbomgen_version: "1.2.0-beta"
+          sbomgen_version: "latest"
 
       - name: Demonstrate SBOM Output (JSON)
         run: cat ${{ steps.inspector.outputs.artifact_sbom }}
diff --git a/.github/workflows/example_display_findings.yml b/.github/workflows/example_display_findings.yml
@@ -29,7 +29,7 @@ jobs:
       # modify this block to scan your intended artifact
       - name: Inspector Scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.0.0
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
         with:
           # change artifact_type to either 'repository', 'container', 'binary', or 'archive'.
           # this example scans a container image
@@ -54,7 +54,7 @@ jobs:
           medium_threshold: 1
           low_threshold: 1
           other_threshold: 1
-          sbomgen_version: "1.2.0-beta"
+          sbomgen_version: "latest"
 
           # Additional input arguments are available.
           # See 'action.yml' for additional input/output options.
diff --git a/.github/workflows/test_archive.yml b/.github/workflows/test_archive.yml
@@ -32,12 +32,12 @@ jobs:
 
       - name: Test archive scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
         with:
           artifact_type: 'archive'
           artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip'
           display_vulnerability_findings: "enabled"
-          sbomgen_version: "1.2.0-beta"
+          sbomgen_version: "latest"
 
       - name: Display scan results
         run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
diff --git a/.github/workflows/test_binary.yml b/.github/workflows/test_binary.yml
@@ -32,12 +32,12 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen'
           display_vulnerability_findings: "enabled"
-          sbomgen_version: "1.2.0-beta"
+          sbomgen_version: "latest"
 
       - name: Display scan results
         run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
diff --git a/.github/workflows/test_containers.yml b/.github/workflows/test_containers.yml
@@ -32,12 +32,12 @@ jobs:
 
       - name: Test container scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
         with:
           artifact_type: 'container'
           artifact_path: 'ubuntu:14.04'
           display_vulnerability_findings: "enabled"
-          sbomgen_version: "1.2.0-beta"
+          sbomgen_version: "latest"
 
       - name: Display scan results
         run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
diff --git a/.github/workflows/test_dockerfile_vulns.yml b/.github/workflows/test_dockerfile_vulns.yml
@@ -31,12 +31,12 @@ jobs:
 
       - name: Scan Dockerfiles
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
         with:
           artifact_type: 'repository'
           artifact_path: './'
           display_vulnerability_findings: "enabled"
-          sbomgen_version: "1.2.0-beta"
+          sbomgen_version: "latest"
 
       - name: Display scan results (JSON)
         run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
diff --git a/.github/workflows/test_installation.yml b/.github/workflows/test_installation.yml
@@ -28,12 +28,12 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Test Amazon Inspector GitHub Actions plugin
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
         with:
           artifact_type: 'container'
           artifact_path: 'alpine:latest'
           display_vulnerability_findings: "enabled"
-          sbomgen_version: "1.2.0-beta"
+          sbomgen_version: "latest"
 
       # only run if the previous step failed
       - name: Notify maintainers of installation failure
diff --git a/.github/workflows/test_no_vulns.yml b/.github/workflows/test_no_vulns.yml
@@ -28,7 +28,7 @@ jobs:
 
       - name: Test binary scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
         with:
           artifact_type: 'binary'
           artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary'
@@ -38,7 +38,7 @@ jobs:
           output_inspector_scan_path_csv: 'inspector_pkg_scan.csv'
           output_inspector_dockerfile_scan_path_csv: 'inspector_dockerfile_scan.csv'
           output_inspector_dockerfile_scan_path_markdown: 'inspector_dockerfile_scan.md'
-          sbomgen_version: "1.2.0-beta"
+          sbomgen_version: "latest"
 
       - name: Demonstrate Upload Scan Results
         uses: actions/upload-artifact@v4
diff --git a/.github/workflows/test_repository.yml b/.github/workflows/test_repository.yml
@@ -31,12 +31,12 @@ jobs:
 
       - name: Test repository scan
         id: inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
         with:
           artifact_type: 'repository'
           artifact_path: './'
           display_vulnerability_findings: "enabled"
-          sbomgen_version: "1.2.0-beta"
+          sbomgen_version: "latest"
 
       - name: Display scan results
         run: cat ${{ steps.inspector.outputs.inspector_scan_results }}
diff --git a/.github/workflows/test_vuln_thresholds.yml b/.github/workflows/test_vuln_thresholds.yml
@@ -30,7 +30,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
 
       - name: Scan artifact with Inspector
-        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.0
         id: inspector
         with:
           artifact_type: 'archive'
@@ -44,7 +44,7 @@ jobs:
           medium_threshold: 1
           low_threshold: 1
           other_threshold: 1
-          sbomgen_version: "1.2.0-beta"
+          sbomgen_version: "latest"
 
       - name: Fail if vulnerability threshold is exceeded
         run: if [[  ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} != "1" ]]; then echo "test failed"; else echo "test passed"; fi
diff --git a/entrypoint/entrypoint/orchestrator.py b/entrypoint/entrypoint/orchestrator.py
@@ -56,8 +56,12 @@ def post_dockerfile_step_summary(args, total_vulns):
         logging.info("posting Inspector Dockerfile scan findings to GitHub Actions step summary page")
 
         dockerfile_markdown = ""
-        with open(args.out_dockerfile_scan_md, "r") as f:
-            dockerfile_markdown = f.read()
+        try:
+            with open(args.out_dockerfile_scan_md, "r") as f:
+                dockerfile_markdown = f.read()
+        except Exception as e:
+            logging.info(e)
+            return
 
         if not dockerfile_markdown:
             return
@@ -66,8 +70,12 @@ def post_dockerfile_step_summary(args, total_vulns):
         if os.getenv('GITHUB_ACTIONS'):
             job_summary_file = os.environ["GITHUB_STEP_SUMMARY"]
 
-        with open(job_summary_file, "a") as f:
-            f.write(dockerfile_markdown)
+        try:
+            with open(job_summary_file, "a") as f:
+                f.write(dockerfile_markdown)
+        except Exception as e:
+            logging.info(e)
+            return
 
 
 def download_install_sbomgen(sbomgen_version: str, install_dst: str) -> bool:
diff --git a/entrypoint/entrypoint/pkg_vuln.py b/entrypoint/entrypoint/pkg_vuln.py
@@ -429,8 +429,12 @@ def post_github_step_summary(markdown="null"):
     if os.getenv('GITHUB_ACTIONS'):
         job_summary_file = os.environ["GITHUB_STEP_SUMMARY"]
 
-    with open(job_summary_file, "a") as f:
-        f.write(markdown)
+    try:
+        with open(job_summary_file, "a") as f:
+            f.write(markdown)
+    except Exception as e:
+        logging.error(e)
+        return
 
 
 def fatal_assert(expr: bool, msg: str):
