included for registry1 and upstream

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
defenseunicorns · Mar 31, 2024 · 357a670 · 357a670
1 parent 1a7d0d9
commit 357a670
Showing 1 changed file with 22 additions and 10 deletions.
diff --git a/tasks/scanvulnerability.yaml b/tasks/scanvulnerability.yaml
@@ -4,20 +4,32 @@ tasks:
     description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities
     actions:
       - cmd: |
-          uds zarf package create . --flavor=upstream --confirm --no-progress -o sbom
-          for file in sbom/*.zst; do
-            uds zarf package inspect "$file" --sbom-out ./sbom --no-progress;
+          # Declare an array of package flavors to be processed
+          declare -a flavors=("upstream" "registry1")
+          # Loop through each flavor, creating and inspecting packages
+          for flavor in "${flavors[@]}"; do
+            # Create a UDS package for the current flavor
+            uds zarf package create . --flavor="$flavor" --confirm --no-progress -o sbom
+            # Loop through each .zst file in the sbom directory
+            for file in sbom/*.zst; do
+              # Inspect the package and output the SBOM to the sbom directory
+              uds zarf package inspect "$file" --sbom-out ./sbom --no-progress;
+            done
           done
+          # Check if grype is installed, if not, install it
           if ! command -v grype &> /dev/null; then
             echo "Grype could not be found, installing..."
             curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
           fi
+          # Create the sarif directory if it doesn't exist
           mkdir -p ./sarif
-          find ./sbom -type f -name '*.json' -exec sh -c '
-            for sbom_file; do
-              base=$(basename "${sbom_file}" .json)
-              grype sbom:"${sbom_file}" -o sarif > "./sarif/${base}.sarif"
-              echo "Output saved to ./sarif/${base}.sarif"
-            done
-          ' sh {} +
+          # Find all .json files in the sbom directory and process them with grype
+          find ./sbom -type f -name '*.json' | while read -r sbom_file; do
+            # Extract the base name of the file without the .json extension
+            base=$(basename "${sbom_file}" .json)
+            # Run grype on the SBOM file and output the results to a .sarif file
+            grype sbom:"${sbom_file}" -o sarif > "./sarif/${base}.sarif"
+            echo "Output saved to ./sarif/${base}.sarif"
+          done
+          # Log completion of SBOM processing and vulnerability analysis
           echo "All SBOM files processed and analyzed for vulnerabilities."