feat: full end-to-end testing

* update docker compose
* add vulnerable image by default for local testing

Co-authored-by: Tommy Trøen <[email protected]>

Author: ybelMekk

.tool-versions

@@ -1,5 +1,6 @@
-golang 1.24.0
+golang             1.24.0
 protoc-gen-go-grpc cmd/protoc-gen-go-grpc/v1.5.1
-protoc-gen-go 1.36.5
-protoc 29.3
-helm 3.15.1
+protoc-gen-go      1.36.5
+protoc             29.3
+helm               3.15.1
+trivy              latest

README.md

@@ -22,4 +22,16 @@ users can import the package with a specific version.
   the package from the internet. See github.com/nais/api for an example.
 * Should we create a new row for each workload or do a update? If we do create we have a history of all workloads and
   images tags. If we do a update we only have the latest image tag for each workload. We still have the history of all
-  images tags in the image table.
+  images tags in the image table.
+
+## Commando
+
+This requires that both trivy and cosing is installed
+
+```shell
+  trivy image --format cyclonedx --output vuln-nginx.json localhost:4004/vuln-nginx:1.4.2
+```
+
+```shell
+  cosign attest --predicate vuln-nginx.json --type cyclonedx localhost:4004/vuln-nginx:1.4.2  
+```

cmd/api/main.go

@@ -16,6 +16,7 @@ import (
 	"net"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
 
@@ -136,11 +137,12 @@ func setupLogger(log *logrus.Logger, logFormat, logLevel string) logrus.FieldLog
 }
 
 func createGrpcServer(parentCtx context.Context, cfg config, pool *pgxpool.Pool, u *updater.Updater, field logrus.FieldLogger) *grpc.Server {
-	serverOpts := []grpc.ServerOption{
-		grpc.UnaryInterceptor(auth.TokenInterceptor(cfg.RequiredAudience, cfg.AuthorizedServiceAccounts, field.WithField("subsystem", "auth"))),
+	serverOpts := make([]grpc.ServerOption, 0)
+	if !strings.HasPrefix(cfg.ListenAddr, "http://localhost") {
+		serverOpts = append(serverOpts, grpc.UnaryInterceptor(auth.TokenInterceptor(cfg.RequiredAudience, cfg.AuthorizedServiceAccounts, field.WithField("subsystem", "auth"))))
 	}
-	grpcServer := grpc.NewServer(serverOpts...)
 
+	grpcServer := grpc.NewServer(serverOpts...)
 	vulnerabilities.RegisterVulnerabilitiesServer(grpcServer, grpcvulnerabilities.NewServer(pool, field.WithField("subsystem", "vulnerabilities")))
 	management.RegisterManagementServer(grpcServer, grpcmgmt.NewServer(parentCtx, pool, u, field.WithField("subsystem", "management")))
 

cmd/seed/main.go

@@ -45,7 +45,7 @@ func main() {
 	createNaisApiWorkloads(ctx, db, "superprod", "devteam")
 	createVulnData(ctx, db, images)
 
-	err = uploadSboms(ctx, "")
+	err = uploadSboms(ctx, "localhost:4004/vuln-nginx:1.4.2")
 	if err != nil {
 		panic(err)
 	}

docker-compose.yaml

@@ -65,6 +65,40 @@ services:
       - "9020:8080"
     restart: unless-stopped
 
+  bootstrap:
+    platform: linux/amd64
+    image: europe-north1-docker.pkg.dev/nais-io/nais/images/dependencytrack-bootstrap:latest
+    environment:
+      - BASE_URL=http://dtrack-apiserver:8080/
+      - DEFAULT_ADMIN_PASSWORD=admin
+      - ADMIN_PASSWORD=yolo
+      - TRIVY_API_TOKEN=my-token
+      - USERS_FILE=users.yaml
+      - TRIVY_BASE_URL=http://trivy:4005
+    depends_on:
+      dtrack-apiserver:
+        condition: service_healthy
+    volumes:
+      - ./users.yaml:/app/users.yaml
+
+  registry:
+    image: registry:latest
+    ports:
+      - '4004:5000'
+
+  trivy:
+    image: aquasec/trivy:0.55.0
+    command:
+      - server
+      - --listen
+      - :4005
+      - --token
+      - my-token
+    volumes:
+      - "trivy-cache:/root/.cache/trivy"
+    restart: unless-stopped
+
 volumes:
   pgdata:
-  dependency-track:
+  dependency-track:
+  trivy-cache: { }

internal/attestation/attestation.go

@@ -11,7 +11,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/google"
 	ociremote "github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/nais/v13s/internal/attestation/github"
 	ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
@@ -32,8 +31,9 @@ type Verifier struct {
 }
 
 func NewVerifier(ctx context.Context, log *logrus.Entry, organizations ...string) (*Verifier, error) {
-	ids := github.NewCertificateIdentity(organizations).GetIdentities()
-	opts, err := CosignOptions(ctx, "", ids)
+	// TODO: fix for localhost
+	//ids := github.NewCertificateIdentity(organizations).GetIdentities()
+	opts, err := CosignOptions(ctx, "", []cosign.Identity{})
 	if err != nil {
 		return nil, err
 	}

users.yaml

@@ -0,0 +1,5 @@
+users:
+  - username: console
+    password: "todo"
+  - username: slsa-verde
+    password: "todos"