add vulnerability scan (#585)

This PR adds vulnerability scanning for new connector releases

## How
Three new commands have been added:
1. `download-artifacts`: This command is responsible for downloading
connector artifacts (CLI Plugins, targz file, Docker Images)
2. `scan trivy`: This command scans the downloaded connector artifacts
using Trivy
3. `scan gokakashi`: This commands scans all connector docker images
using Gokakashi

Trivy scan runs on new PRs
Gokakashi scan runs once a day periodically

## Review
This PR refactors and changes a few files. I've broken the changes down
by commits. I'd recommend using commits to review this.

## Tests
Tests for the new commands (and functions) are not yet present. I'll be
adding them in a follow up PR

---------

Co-authored-by: Daniel Harvey <[email protected]>

Author: m-Bilal

.github/workflows/gokakashi-scan.yaml

@@ -0,0 +1,54 @@
+name: Vulnerability Scan using Gokakashi
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/gokakashi-scan.yaml # run on changes to this workflow file
+      - registry-automation/** # run on changes to the registry automation files
+  schedule:
+    - cron: '0 0 * * *' # everyday at midnight
+
+jobs:
+  gokakashi-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          fetch_depth: 1
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.22.x
+
+      - name: Download gokakashi
+        id: download_gokakashi
+        run: |
+          # Define URL and output path
+          URL="https://github.com/shinobistack/gokakashi/releases/download/v0.2.0/gokakashi-linux-amd64"
+          DEST="$RUNNER_TEMP/gokakashi"
+
+          # Download and make it executable
+          curl -L "$URL" -o "$DEST"
+          chmod +x "$DEST"
+          echo "Gokakashi binary downloaded to $DEST"
+
+          echo "gokakashi_path=$DEST" >> "$GITHUB_OUTPUT"
+
+      - name: Run Gokakashi Scan
+        run: |
+          cd registry-automation
+          go run main.go scan gokakashi \
+            --files "../registry/*/*/releases/*/connector-packaging.json" \
+            --server "${{ secrets.GOKAKASHI_SERVER_URL }}" \
+            --token "${{ secrets.GOKAKASHI_API_TOKEN }}" \
+            --policy ci-platform \
+            --cf-access-client-id "${{ secrets.GOKAKASHI_CF_ACCESS_CLIENT_ID }}" \
+            --cf-access-client-secret "${{ secrets.GOKAKASHI_CF_ACCESS_CLIENT_SECRET }}" \
+            --binary-path "$GOKAKASHI_PATH"
+        env:
+          GOKAKASHI_PATH: ${{ steps.download_gokakashi.outputs.gokakashi_path }}

.github/workflows/pr-scan.yaml

@@ -0,0 +1,54 @@
+name: Vulnerability Scan for Pull Requests
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - registry/**/connector-packing.json
+      - .github/workflows/pr-scan.yaml
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          fetch_depth: 1
+
+      - name: Get all connector version package changes
+        id: connector-version-changed-files
+        uses: tj-actions/[email protected]
+        with:
+          json: true
+          escape_json: false
+          files: |
+            registry/**
+
+      - name: Print out all the changed filse
+        env:
+          ADDED_FILES: ${{ steps.connector-version-changed-files.outputs.added_files }}
+          MODIFIED_FILES: ${{ steps.connector-version-changed-files.outputs.modified_files }}
+          DELETED_FILES: ${{ steps.connector-version-changed-files.outputs.deleted_files }}
+        run: |
+          echo "{\"added_files\": $ADDED_FILES, \"modified_files\": $MODIFIED_FILES, \"deleted_files\": $DELETED_FILES}" > changed_files.json
+
+      - name: List changed files
+        id: list_files
+        run: |
+          cat changed_files.json
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21.x
+
+      - name: Run Scan
+        env:
+          CHANGED_FILES_PATH: "changed_files.json"
+        run: |
+          mv changed_files.json registry-automation/changed_files.json
+          cd registry-automation
+          go run main.go scan trivy

registry-automation/cmd/ci.go

@@ -34,7 +34,7 @@ var ciCmd = &cobra.Command{
 var ciCmdArgs ConnectorRegistryArgs
 
 func init() {
-	rootCmd.AddCommand(ciCmd)
+	RootCmd.AddCommand(ciCmd)
 
 	// Path for the changed files in the PR
 	var changedFilesPathEnv = os.Getenv("CHANGED_FILES_PATH")
@@ -626,7 +626,7 @@ func uploadConnectorVersionPackage(ciCtx Context, connector Connector, version s
 		return connectorVersion, fmt.Errorf("invalid or undefined TGZ URL: %v", tgzUrl)
 	}
 
-	connectorVersionMetadata, connectorMetadataTgzPath, err := pkg.GetConnectorVersionMetadata(tgzUrl,
+	connectorVersionMetadata, connectorMetadataTgzPath,  _, err := pkg.GetConnectorVersionMetadata(tgzUrl,
 		connector.Namespace, connector.Name, version)
 	if err != nil {
 		return connectorVersion, err

registry-automation/cmd/download_artifacts.go

@@ -0,0 +1,196 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+
+	"github.com/hasura/ndc-hub/registry-automation/pkg/ndchub"
+	"github.com/spf13/cobra"
+)
+
+var downloadArtifactsCmd = &cobra.Command{
+	Use:   "download-artifacts",
+	Short: "Downloads the artifacts from the connector registry",
+	Run:   runDownloadArtifactsCmd,
+}
+
+var downloadArtifactsCmdArgs ConnectorRegistryArgs
+
+func init() {
+	RootCmd.AddCommand(downloadArtifactsCmd)
+	var changedFilesPathEnv = os.Getenv("CHANGED_FILES_PATH") // this file contains the list of changed files
+	downloadArtifactsCmd.PersistentFlags().StringVar(&downloadArtifactsCmdArgs.ChangedFilesPath, "changed-files-path", changedFilesPathEnv, "path to a line-separated list of changed files in the PR")
+	if changedFilesPathEnv == "" {
+		downloadArtifactsCmd.MarkPersistentFlagRequired("changed-files-path")
+	}
+}
+
+type ArtifactDownloadOptions struct {
+	ChangedFilesPath string
+	SingleFilePath   string
+}
+
+type ArtifactOption func(*ArtifactDownloadOptions)
+
+func WithChangedFilesPath(path string) ArtifactOption {
+	return func(o *ArtifactDownloadOptions) {
+		o.ChangedFilesPath = path
+	}
+}
+
+func WithSingleFile(path string) ArtifactOption {
+	return func(o *ArtifactDownloadOptions) {
+		o.SingleFilePath = path
+	}
+}
+
+func DownloadArtifacts(opts ...ArtifactOption) ([]*ndchub.ConnectorArtifacts, error) {
+	options := &ArtifactDownloadOptions{}
+	for _, opt := range opts {
+		opt(options)
+	}
+
+	if options.ChangedFilesPath == "" && options.SingleFilePath == "" {
+		return nil, fmt.Errorf("at least one of ChangedFilesPath or SingleFilePath must be provided")
+	}
+
+	if options.ChangedFilesPath != "" {
+		connectorPackagingFiles, err := getConnectorPackagingFilesFromChangedFiles(options.ChangedFilesPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get connector packaging files from changed files: %w", err)
+		}
+		return downloadArtifacts(connectorPackagingFiles)
+	} else {
+		// If a single file path is provided, we can directly download the artifacts for that file
+		artifacts, err := downloadArtifactsUtil(options.SingleFilePath)
+		artifactsArr := []*ndchub.ConnectorArtifacts{artifacts}
+		return artifactsArr, err
+	}
+}
+
+func getChangedFiles(filepath string) (*ChangedFiles, error) {
+	changedFilesContent, err := os.Open(filepath)
+	if err != nil {
+		// log.Fatalf("Failed to open the file: %v, err: %v", ciCmdArgs.ChangedFilesPath, err)
+		return nil, fmt.Errorf("failed to open the file: %v, err: %w", downloadArtifactsCmdArgs.ChangedFilesPath, err)
+	}
+	defer changedFilesContent.Close()
+
+	// Read the changed file's contents. This file contains all the changed files in the PR
+	changedFilesByteValue, err := io.ReadAll(changedFilesContent)
+	if err != nil {
+		// log.Fatalf("Failed to read the changed files JSON file: %v", err)
+		return nil, fmt.Errorf("failed to read the changed files JSON file: %w", err)
+	}
+
+	var changedFiles *ChangedFiles = &ChangedFiles{}
+	err = json.Unmarshal(changedFilesByteValue, changedFiles)
+	if err != nil {
+		// log.Fatalf("Failed to unmarshal the changed files content: %v", err)
+		return nil, fmt.Errorf("failed to unmarshal the changed files content: %w", err)
+	}
+
+	return changedFiles, nil
+}
+
+// for now, since we're only adding support for newly added connectors, we will only check for the added files
+// in the added files, we only need files that end with connector-packaging.json
+func filterConnectorPackagingFiles(changedFiles *ChangedFiles) []string {
+	// Filter the changed files to only include the ones that are in the connector registry
+	var filteredChangedFiles []string = make([]string, 0)
+	for _, file := range changedFiles.Added {
+		if isConnectorPackagingFile(file) {
+			filteredChangedFiles = append(filteredChangedFiles, file)
+		}
+	}
+
+	log.Printf("Filtered connector packaging files: %v", filteredChangedFiles)
+	return filteredChangedFiles
+}
+
+func isConnectorPackagingFile(path string) bool {
+	return filepath.Base(path) == "connector-packaging.json"
+}
+
+func getConnectorPackaging(filePath string) (*ndchub.ConnectorPackaging, error) {
+	if !filepath.IsAbs(filePath) {
+		filePath = filepath.Join("../", filePath) // the filepaths returned by the changed files action are relative to the root of the repository. Therefore, we need to prepend "../" to the path to get the correct path
+	}
+	ndcHubConnectorPackaging, err := ndchub.GetConnectorPackaging(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get the connector packaging for file %s: %w", filePath, err)
+	}
+	return ndcHubConnectorPackaging, nil
+}
+
+func getConnectorPackagingFilesFromChangedFiles(changedFilesPath string) ([]string, error) {
+	// Get the changed files from the PR
+	changedFiles, err := getChangedFiles(changedFilesPath)
+	if err != nil {
+		return nil, err
+	}
+
+	// Get the connector packaging files (connector-packaging.json) from the changed files
+	connectorPackagingFiles := filterConnectorPackagingFiles(changedFiles)
+	return connectorPackagingFiles, nil
+}
+
+func downloadArtifacts(connectorPackagingFiles []string) ([]*ndchub.ConnectorArtifacts, error) {
+	artifactList := make([]*ndchub.ConnectorArtifacts, 0)
+	for _, file := range connectorPackagingFiles {
+		log.Printf("\n\n") // for more readable logs
+		artifacts, err := downloadArtifactsUtil(file)
+		if err != nil {
+			return nil, fmt.Errorf("failed to download artifacts for file %s: %w", file, err)
+		}
+		artifactList = append(artifactList, artifacts)
+	}
+
+	return artifactList, nil
+}
+
+func downloadArtifactsUtil(connectorPackagingFilePath string) (*ndchub.ConnectorArtifacts, error) {
+	connectorPackaging, err := getConnectorPackaging(connectorPackagingFilePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get the connector packaging: %w", err)
+	}
+
+	connectorMetadata, _, extractedTgzPath, err := ndchub.GetPackagingSpec(connectorPackaging.URI, 
+		connectorPackaging.Namespace,
+		connectorPackaging.Name, 
+		connectorPackaging.Version,
+	)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to get connector metadata for %s/%s:%s: %w",
+			connectorPackaging.Namespace, connectorPackaging.Name, connectorPackaging.Version, err)
+	}
+
+	artifacts, err := connectorMetadata.GetArtifacts(extractedTgzPath)	
+	if err != nil {
+		return nil, fmt.Errorf("failed to get the artifacts for %s/%s:%s: %w",
+			connectorPackaging.Namespace, connectorPackaging.Name, connectorPackaging.Version, err)
+	}
+	
+	return artifacts, nil
+}
+
+func runDownloadArtifactsCmd(cmd *cobra.Command, args []string) {
+	artifacts, err := DownloadArtifacts(WithChangedFilesPath(downloadArtifactsCmdArgs.ChangedFilesPath))
+	if err != nil {
+		fmt.Printf("Failed to download artifacts: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Print artifactList as JSON
+	artifactListJSON, err := json.MarshalIndent(artifacts, "", "  ")
+	if err != nil {
+		fmt.Printf("Failed to marshal artifact list to JSON: %v\n", err)
+		return
+	}
+	fmt.Println(string(artifactListJSON))
+}

registry-automation/cmd/e2e.go

@@ -50,7 +50,7 @@ func init() {
 
 	e2eCmd.AddCommand(e2eChangedCmd, e2eLatest, e2eAll)
 
-	rootCmd.AddCommand(e2eCmd)
+	RootCmd.AddCommand(e2eCmd)
 }
 
 func e2eChanged(cmd *cobra.Command, args []string) {

registry-automation/cmd/root.go

@@ -6,16 +6,16 @@ import (
 	"github.com/spf13/cobra"
 )
 
-// rootCmd represents the base command when called without any subcommands
-var rootCmd = &cobra.Command{
+// RootCmd represents the base command when called without any subcommands
+var RootCmd = &cobra.Command{
 	Use:   "registry-automation",
 	Short: "Commands associated with automation for the hub registry",
 }
 
 // Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
-	err := rootCmd.Execute()
+	err := RootCmd.Execute()
 	if err != nil {
 		os.Exit(1)
 	}