
Conversation

JohnHalleyGotway
Collaborator

@JohnHalleyGotway JohnHalleyGotway commented Jul 16, 2025

Pull Request Testing

This PR proposes enhancements to the develop branch to add CVE scanning to the existing release-docker-images.yml workflow. The 12 modified files include changes for:

  • [1] bash_functions.sh to add the cve_scan_image function and enhance the existing time_command function to redirect log output to a file which is already supported in MET and METviewer.

  • [1] docker_build_metplus_images.sh removes the is_official variable and moves the handling of X.Y-latest images from here to docker_push_metplus_images.sh.

  • [1] docker_push_metplus_images.sh adds logic for handling X.Y-latest images.

  • [1] docker_scan_metplus_images.sh is new and calls the cve_scan_image function to run grype on the 2 METplus images and write the result to a log file.

  • [1] release-docker-images.yml workflow can now be run for new releases, through workflow_dispatch, and on a cron schedule (3 hours after the MET cron is run weekly). The define-matrix job is new to handle building images for multiple versions. And Syft/Grype are installed to support the new scanning step. Note that this is updated to reference the new DOCKER_TOKEN repository secret rather than building/pushing as @georgemccabe.

  • [7] The Release_Guide docs are updated by adding new instructions for updating the Docker image workflow in update_docker_image_workflow.rst. And then those instructions are referenced in the official and bugfix instructions for MET, METplus, and METviewer.

  • Describe testing already performed for these changes:

    Manually ran the updated release-docker-images.yml workflow in this GHA run, and confirmed that it ran as expected and produced the expected scanning results. I downloaded/inspected the error logs and found that all errors are based on the METplus-Analysis tools problem with kaleido:

egrep -i ERROR `find ./ -name "*.log"` | grep kaleido
.//s2s/UserScript_obsPrecip_obsOnly_Hovmoeller/user_script.log:AttributeError: module 'kaleido' has no attribute 'get_chrome_sync'
.//clouds/GridStat_fcstGFS_obsGFS_cloudFracLayer/user_script.plot_stats.log:AttributeError: module 'kaleido' has no attribute 'get_chrome_sync'
.//tc_and_extra_tc/PointStat_fcstWRF_obsMADIS_hurricane_matthew/user_script.metplotpy.log:AttributeError: module 'kaleido' has no attribute 'get_chrome_sync'
.//s2s_soil_moisture/GridStat_fcstSFSGSL_obsERA5Land_SoilMoisture/user_script.plot_stats.log:AttributeError: module 'kaleido' has no attribute 'get_chrome_sync'
  • Recommend testing for the reviewer(s) to perform, including the location of input datasets, and any additional instructions:

    Review code changes, the output of the run linked above, and the Release Guide updates.

  • Do these changes include sufficient documentation updates, ensuring that no errors or warnings exist in the build of the documentation? [Yes]

  • Do these changes include sufficient testing updates? [No]
    None needed.

  • Will this PR result in changes to the test suite? [No]

    If yes, describe the new output and/or changes to the existing output:

Note, however, that 4 of the METplus use cases failed in this GHA Pull Request testing workflow run.

  • Do these changes introduce new SonarQube findings? [No]

    If yes, please describe:

  • Please complete this pull request review by [Thurs July 17, 2025].

Pull Request Checklist

See the METplus Workflow for details.

  • Add any new Python packages to the METplus Components Python Requirements table.
  • For any new datasets, add an entry to the METplus Verification Datasets Guide.
  • Review the source issue metadata (required labels, projects, and milestone).
  • Complete the PR definition above.
  • Ensure the PR title matches the feature or bugfix branch name.
  • Define the PR metadata, as permissions allow.
    Select: Reviewer(s) and Development issue
    Select: Milestone as the version that will include these changes
    Select: Coordinated METplus-X.Y Support project for bugfix releases or METplus-Wrappers-X.Y.Z Development project for official releases
  • After submitting the PR, select the ⚙️ icon in the Development section of the right hand sidebar. Search for the issue that this PR will close and select it, if it is not already selected.
  • After the PR is approved, merge your changes. If permissions do not allow this, request that the reviewer do the merge.
  • Close the linked issue and delete your feature or bugfix branch from GitHub.
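As an added example, not code from the METplus repository or from this PR, the following shell sketch shows the two functions the description names, time_command and cve_scan_image, modelled on the behaviour described above: time_command times a command and redirects its output to a log file, and cve_scan_image runs grype against one image, writes the full report to a log, and fails the step when any finding at or above a chosen severity is present (grype's real --fail-on flag). The argument order, the default severity, and the GRYPE override variable (so the function can be exercised without a scanner installed) are assumptions for illustration, not the project's actual signatures.

```shell
#!/usr/bin/env bash
# Added example, not the METplus project's bash_functions.sh.
# Assumed interface: time_command <log-file or ""> <command...>
#                    cve_scan_image <image> <log-file> [fail-on-severity]
# GRYPE (assumed variable) overrides the scanner command for offline testing.

# Run a command, report how long it took, and send its stdout/stderr
# to a log file when one is given (empty string keeps console output).
time_command() {
  log_file="$1"; shift
  rc=0
  start=$(date +%s)
  if [ -n "$log_file" ]; then
    mkdir -p "$(dirname "$log_file")"
    "$@" > "$log_file" 2>&1 || rc=$?
  else
    "$@" || rc=$?
  fi
  end=$(date +%s)
  echo "TIMING: '$*' took $((end - start)) seconds, return code $rc" >&2
  return $rc
}

# Scan one container image for known CVEs, keep the full report in a log,
# and return non-zero when findings at or above the threshold exist, so a
# workflow step built on this function fails instead of silently passing.
cve_scan_image() {
  image="$1"; log_file="$2"; severity="${3:-high}"
  scanner="${GRYPE:-grype}"   # real default is the grype CLI
  rc=0
  time_command "$log_file" "$scanner" "$image" --fail-on "$severity" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "CVE scan passed for $image (no findings >= $severity); report: $log_file"
  else
    echo "CVE scan FAILED for $image (rc=$rc); inspect $log_file" >&2
  fi
  return $rc
}

# Stand-alone usage (needs grype on PATH):
#   cve_scan_image dtcenter/metplus:6.1-latest logs/metplus.scan.log high
```

Because the report lands in a file rather than only on the console, a reviewer can download the scan logs from the workflow run, as the description does for the use-case error logs, and the non-zero return code is what makes the scanning step visible as a failed check.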

jprestop
jprestop previously approved these changes Jul 16, 2025
Collaborator

@jprestop jprestop left a comment


I have reviewed the code changes, the output of the linked GHA run, and the Release Guide updates. Thank you for noting that all errors are based on the METplus-Analysis tools problem with kaleido. I approve this request. Thanks for all of your work on this task @JohnHalleyGotway.

jprestop
jprestop previously approved these changes Jul 16, 2025
Collaborator

@jprestop jprestop left a comment


Thank you for updating metplus_components_v6.1_py3.12.sh!

…ot actually impact the GHA testing environment.
…n to 1.0.0 in the documentation and internal scripts. Hoping that will enable the 4 failing METplus use cases to succeed.
@JohnHalleyGotway JohnHalleyGotway merged commit c8ed792 into develop Jul 22, 2025
11 of 12 checks passed
@github-project-automation github-project-automation bot moved this from 🔎 In review to 🏁 Done in METplus-6.2 Development Jul 22, 2025
Development

Successfully merging this pull request may close these issues.

Enhancement: Add CVE scanning to the release-docker-images.yml workflow
2 participants