
arm64 builds: unit tests #11830

Open. Wants to merge 2 commits into base: dev

Conversation

@valentijnscholten (Member) commented Feb 16, 2025

Description

This PR takes another step towards publishing arm64 images (continuing on from #11673).
Most tutorials for multi-platform builds just add a few lines to install QEMU and add -platforms: linux/amd64,linux/arm64 and are done. Unfortunately our nice Python wheels such as uwsgi don't get built successfully under QEMU.
So we have run the builds natively on GitHub's arm64 runners.

Steps taken (before I knew that native runners were the only way):

  • Build locally for arm64 with QEMU -> FAILED
  • Try to switch our builds to install upstream binaries for uwsgi so we don't have to build them -> FAILED
  • Build on an AWS t4g instance -> FAILED (with PyOpenSSL error)
  • Build on a GitHub ARM runner -> FAILED (with PyOpenSSL error)

At first the PyOpenSSL error seemed related to ARM64 as I had no other reports.
So I thought it was a good idea to run the unit tests also on arm64 runners to make sure they work.
Afterwards I found out the PyOpenSSL error was also present on amd64 and I fixed that.
Now that we have unit tests working in GitHub Actions anyway, I think it's good to have them running.
At least for a while during the next couple of releases to see if anything pops up on these arm64 builds.

The integration tests are not run for arm64. These tests are fully based on Chrome, for which there is no arm64 build.
I tried to switch the integration tests to Chromium, but that would need some more work (#11810) and might not be worth it.

Test results
GitHub usually doesn't take workflow definitions from forks, so I created a branch in the Defect Dojo repository.
GitHub might still not pick up the workflow changes as it may look at master. Let's see if we have to wait until the next monthly release.

Next steps (in another PR)

  • Publish the arm64 images during our releases

@valentijnscholten valentijnscholten changed the title Multi Platform Builds: unit tests arm64 builds: unit tests Feb 16, 2025
@valentijnscholten valentijnscholten marked this pull request as ready for review February 16, 2025 18:44
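The native-runner matrix the description arrives at, written out as an added example workflow. This is constructed for this page; it is not DefectDojo's workflow and not the two commits in this PR. One unit-test job is fanned out over an amd64 and an arm64 GitHub-hosted runner, and each job builds the image on the runner's own architecture, so no QEMU emulation is involved. The runner label `ubuntu-24.04-arm`, the Dockerfile name, the image tag and the test command are assumptions. The single-runner recipe the description mentions (`docker/setup-qemu-action` plus `platforms: linux/amd64,linux/arm64`) is the one that failed to build the uwsgi wheel, so it is deliberately left out.

```yaml
# Added example (not DefectDojo's workflow): run the unit-test job natively on
# both architectures instead of emulating arm64 under QEMU.
# Assumed: runner labels ubuntu-latest (amd64) and ubuntu-24.04-arm (arm64,
# GitHub-hosted ARM runner); Dockerfile name, image tag and test command are
# placeholders.
name: unit-tests-multiarch

on:
  pull_request:
  push:
    branches: [dev]

# Least privilege for the whole workflow; a job raises this only if it needs to.
permissions:
  contents: read

jobs:
  unit-tests:
    strategy:
      fail-fast: false            # let the amd64 job finish even if arm64 fails
      matrix:
        include:
          - platform: linux/amd64
            runner: ubuntu-latest
          - platform: linux/arm64
            runner: ubuntu-24.04-arm   # native arm64 runner, no QEMU
    runs-on: ${{ matrix.runner }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the job token in .git/config

      # buildx is still used for --platform and cache handling, but the runner's
      # CPU matches the target, so the build runs natively.
      - uses: docker/setup-buildx-action@v3

      - name: Build image for ${{ matrix.platform }}
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile.django       # placeholder file name
          platforms: ${{ matrix.platform }}
          load: true                    # keep the image local; nothing is pushed here
          tags: image-under-test:unit   # placeholder tag
          cache-from: type=gha,scope=${{ matrix.platform }}
          cache-to: type=gha,mode=max,scope=${{ matrix.platform }}

      - name: Run unit tests
        run: |
          set -euo pipefail
          # Sanity check: the image really is the architecture this job claims
          # to test. A wrong or missing platforms value would otherwise let the
          # arm64 job silently test an amd64 image.
          arch=$(docker image inspect --format '{{.Architecture}}' image-under-test:unit)
          case "${{ matrix.platform }}" in
            linux/amd64) [ "$arch" = amd64 ] ;;
            linux/arm64) [ "$arch" = arm64 ] ;;
          esac
          # placeholder test command
          docker run --rm image-under-test:unit python manage.py test --noinput
```

The architecture check is the part worth keeping: `[ "$arch" = arm64 ]` under `set -e` fails the job if the matrix and the built image ever disagree. `persist-credentials: false` and the workflow-level `permissions: contents: read` keep the job token's footprint minimal, which matters once the same matrix is reused for the release builds the description lists as the next step.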
dryrunsecurity bot commented Feb 16, 2025

DryRun Security Summary

Multiple security vulnerabilities were identified across DefectDojo's GitHub Actions workflows, including information disclosure risks, insufficient encryption, exposed credentials, and lack of proper security controls in integration tests, Kubernetes tests, release processes, and Docker image builds.


This PR modifies multiple GitHub Actions workflows for DefectDojo, focusing on cross-platform testing, runner configuration, and workflow optimization. Security findings include:

  1. Integration Tests Workflow (.github/workflows/integration-tests.yml):
  • Potential information disclosure through exposed test matrix and file paths
  • No explicit network isolation for multiple exposed services
  • Risk of sensitive information logging (up to 2500 lines)
  2. Kubernetes Tests Workflow (.github/workflows/k8s-tests.yml):
  • Uses HTTP instead of HTTPS for connectivity checks
  • Exposed admin password retrieval via kubectl
  • Plaintext HTTP authentication
  • No explicit TLS/encryption for internal communications
  3. Release Workflow (.github/workflows/release-2-tag-docker-push.yml):
  • Broad secret inheritance through secrets: inherit
  • Potential inadvertent credential exposure
  • No strict input validation for release version
  4. Docker Image Build Workflow (.github/workflows/build-docker-images-for-testing.yml):
  • Runner information disclosure
  • Potential infrastructure insights through workflow configuration

These findings suggest multiple configuration-level security considerations that should be addressed to improve the workflow's security posture.

Code Analysis

We ran 9 analyzers against 7 files and 0 analyzers had findings. 9 analyzers had no findings.

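Of the scanner's findings above, the `secrets: inherit` and release-version items are the two a maintainer can address inside the caller workflow itself. The following is an added example constructed for this page, not DefectDojo's release workflow: a `workflow_dispatch` release job that validates the version before anything else runs, then the broad reusable-workflow call beside a narrowed one. The reusable workflow path, the input name and the secret names are placeholders, and in a real workflow only one of the two `docker-push-*` jobs would exist.

```yaml
# Added example (not DefectDojo's workflow): release caller with input
# validation and scoped secrets. Assumed: the reusable workflow path, the
# release_number input and the DOCKERHUB_* secret names are placeholders.
name: release-tag-and-push

on:
  workflow_dispatch:
    inputs:
      release_number:
        description: "Release version, e.g. 2.43.1"
        required: true
        type: string

permissions: {}   # nothing by default; each job asks for what it needs

jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Reject anything that is not a plain MAJOR.MINOR.PATCH version
        env:
          # Pass the input through env rather than inline ${{ }} in the script,
          # so its value is never expanded as shell source.
          RELEASE_NUMBER: ${{ inputs.release_number }}
        run: |
          set -euo pipefail
          if ! printf '%s\n' "$RELEASE_NUMBER" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "::error::release_number '$RELEASE_NUMBER' is not MAJOR.MINOR.PATCH"
            exit 1
          fi

  # Before: every repository and organization secret is forwarded to the
  # reusable workflow, so any step it runs, including third-party actions it
  # calls, can read all of them.
  docker-push-broad:
    needs: validate
    uses: ./.github/workflows/docker-push.yml   # placeholder path
    with:
      release_number: ${{ inputs.release_number }}
    secrets: inherit

  # After: only the secrets the push needs are passed, by name, and the job
  # token is limited to what a registry push requires.
  docker-push-scoped:
    needs: validate
    uses: ./.github/workflows/docker-push.yml   # placeholder path
    permissions:
      contents: read
      packages: write
    with:
      release_number: ${{ inputs.release_number }}
    secrets:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}   # placeholder secret names
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
```

The `needs: validate` edge is what gives the regex check teeth: a malformed or injected version never reaches the job that holds registry credentials. Passing `inputs.release_number` through `env` instead of interpolating `${{ }}` directly into the `run:` script is the standard guard against expression injection in GitHub Actions, and naming secrets explicitly turns "which credentials can this reusable workflow see" into something reviewable in the diff.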

@mtesauro (Contributor) left a comment

Approved

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.


@valentijnscholten (Member, Author) commented Feb 21, 2025 via email

@Maffooch (Contributor)

@valentijnscholten I would also like a 25% refund on my monitor 😂

@valentijnscholten (Member, Author)

Consider it done. @Maffooch 😅

Labels: None yet. Projects: None yet. 3 participants.