From 6b964169b98fcf8ac576fe8f76f2045ba3e43c02 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Thu, 13 Feb 2025 22:14:03 +0000
Subject: [PATCH] Add docker scan results to the RC comment (#579)

Signed-off-by: Sayali Gaikawad <gaiksaya@amazon.com>
(cherry picked from commit 12efe78a5dcb28a33977e006afe5250ee3b61c59)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
---
 resources/release/rc-details-template.md      | 29 ++++++++++++
 tests/jenkins/TestAddRcDetailsComment.groovy  | 17 +++++++
 .../jobs/AddRcDetailsComment.jenkinsFile.txt  | 44 ++++++++++++++++++
 vars/addRcDetailsComment.groovy               | 45 +++++++++++++++++--
 4 files changed, 132 insertions(+), 3 deletions(-)

diff --git a/resources/release/rc-details-template.md b/resources/release/rc-details-template.md
index 05e55394..625884db 100644
--- a/resources/release/rc-details-template.md
+++ b/resources/release/rc-details-template.md
@@ -128,3 +128,32 @@ _Check how to install [opensearch](https://opensearch.org/docs/latest/install-an
 Thank you
 </p>
 </details>
+
+
+<details><summary>OpenSearch Docker-Scan Results</summary>
+<p>
+
+[Workflow run](${OPENSEARCH_DOCKER_SCAN_URL})
+<pre>
+<code>
+
+${OPENSEARCH_DOCKER_SCAN_RESULTS}
+
+</code>
+</pre>
+</p>
+</details>
+
+<details><summary>OpenSearch-Dashboards Docker-Scan Results</summary>
+<p>
+
+[Workflow run](${OPENSEARCH_DASHBOARDS_DOCKER_SCAN_URL})
+<pre>
+<code>
+
+${OPENSEARCH_DASHBOARDS_DOCKER_SCAN_RESULTS}
+
+</code>
+</pre>
+</p>
+</details>
diff --git a/tests/jenkins/TestAddRcDetailsComment.groovy b/tests/jenkins/TestAddRcDetailsComment.groovy
index f72a5ffd..362813a1 100644
--- a/tests/jenkins/TestAddRcDetailsComment.groovy
+++ b/tests/jenkins/TestAddRcDetailsComment.groovy
@@ -221,6 +221,22 @@ class TestAddRcDetailsComment extends BuildPipelineTest {
         helper.addShMock("""\n            set -e\n            set +x\n            curl -s -XGET \"sample.url/opensearch-distribution-build-results/_search\" --aws-sigv4 \"aws:amz:us-east-1:es\" --user \"abc:xyz\" -H \"x-amz-security-token:sampleToken\" -H 'Content-Type: application/json' -d \"{\\"_source\\":\\"distribution_build_number\\",\\"sort\\":[{\\"distribution_build_number\\":{\\"order\\":\\"desc\\"}}],\\"size\\":1,\\"query\\":{\\"bool\\":{\\"filter\\":[{\\"match_phrase\\":{\\"component\\":\\"OpenSearch-Dashboards\\"}},{\\"match_phrase\\":{\\"rc\\":\\"true\\"}},{\\"match_phrase\\":{\\"version\\":\\"2.19.0\\"}},{\\"match_phrase\\":{\\"rc_number\\":\\"5\\"}}]}}}\" | jq '.'\n        """) { script ->
             return [stdout: osdRcDistributionNumberResponse, exitValue: 0]
         }
+
+        helper.addShMock("""curl -s -XGET "https://build.ci.opensearch.org/blue/rest/organizations/jenkins/pipelines/distribution-build-opensearch/runs/10787/nodes/" | jq '.[] | select(.actions[].description? | contains("docker-scan")) | .actions[] | select(.description | contains("docker-scan")) | ._links.self.href'""") { script ->
+            return [stdout: '/blue/rest/organizations/jenkins/pipelines/docker-scan/runs/4439/', exitValue: 0]
+        }
+
+        helper.addShMock("""curl -s -XGET "https://build.ci.opensearch.org/blue/rest/organizations/jenkins/pipelines/docker-scan/runs/4439/" | jq -r '._links.artifacts.href'""") { script ->
+            return [stdout: '/blue/rest/organizations/jenkins/pipelines/docker-scan/runs/4439/artifacts/', exitValue: 0]
+        }
+
+        helper.addShMock("""curl -s -XGET "https://build.ci.opensearch.org/blue/rest/organizations/jenkins/pipelines/docker-scan/runs/4439/artifacts/" | jq -r '.[] | select(.name | endswith(".txt")) | .url'""") { script ->
+            return [stdout: '/job/docker-scan/4439/artifact/scan_docker_image.txt', exitValue: 0]
+        }
+
+        helper.addShMock('curl -s -XGET "https://build.ci.opensearch.org/job/docker-scan/4439/artifact/scan_docker_image.txt"') { script ->
+            return [stdout: 'Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0))', exitValue: 0]
+        }
     }
 
     @Test
@@ -239,6 +255,7 @@ class TestAddRcDetailsComment extends BuildPipelineTest {
         assertThat(fileContent, containsString("OpenSearch 10787 and OpenSearch-Dashboards 8260 is ready for your test."))
         assertThat(fileContent, containsString("image: opensearchstaging/opensearch:2.19.0.1078"))
         assertThat(fileContent, containsString("image: opensearchstaging/opensearch-dashboards:2.19.0.8260"))
+        assertThat(fileContent, containsString("Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)"))
     }
 
     def getCommands(method, text) {
diff --git a/tests/jenkins/jobs/AddRcDetailsComment.jenkinsFile.txt b/tests/jenkins/jobs/AddRcDetailsComment.jenkinsFile.txt
index 3f8625c0..b7062257 100644
--- a/tests/jenkins/jobs/AddRcDetailsComment.jenkinsFile.txt
+++ b/tests/jenkins/jobs/AddRcDetailsComment.jenkinsFile.txt
@@ -48,6 +48,17 @@
             set +x
             curl -s -XGET "sample.url/opensearch-distribution-build-results/_search" --aws-sigv4 "aws:amz:us-east-1:es" --user "abc:xyz" -H "x-amz-security-token:sampleToken" -H 'Content-Type: application/json' -d "{\"_source\":\"distribution_build_number\",\"sort\":[{\"distribution_build_number\":{\"order\":\"desc\"}}],\"size\":1,\"query\":{\"bool\":{\"filter\":[{\"match_phrase\":{\"component\":\"OpenSearch-Dashboards\"}},{\"match_phrase\":{\"rc\":\"true\"}},{\"match_phrase\":{\"version\":\"2.19.0\"}},{\"match_phrase\":{\"rc_number\":\"5\"}}]}}}" | jq '.'
         , returnStdout=true})
+                  addRcDetailsComment.sh({script=curl -s -XGET "https://build.ci.opensearch.org/blue/rest/organizations/jenkins/pipelines/distribution-build-opensearch/runs/10787/nodes/" | jq '.[] | select(.actions[].description? | contains("docker-scan")) | .actions[] | select(.description | contains("docker-scan")) | ._links.self.href', returnStdout=true})
+                  addRcDetailsComment.sh({script=curl -s -XGET "https://build.ci.opensearch.org/blue/rest/organizations/jenkins/pipelines/docker-scan/runs/4439/" | jq -r '._links.artifacts.href', returnStdout=true})
+                  addRcDetailsComment.sh({script=curl -s -XGET "https://build.ci.opensearch.org/blue/rest/organizations/jenkins/pipelines/docker-scan/runs/4439/artifacts/" | jq -r '.[] | select(.name | endswith(".txt")) | .url', returnStdout=true})
+                  addRcDetailsComment.sh({script=curl -s -XGET "https://build.ci.opensearch.org/job/docker-scan/4439/artifact/scan_docker_image.txt", returnStdout=true})
+                  addRcDetailsComment.sh({script=curl -s -XGET "https://build.ci.opensearch.org/blue/rest/organizations/jenkins/pipelines/distribution-build-opensearch-dashboards/runs/8260/nodes/" | jq '.[] | select(.actions[].description? | contains("docker-scan")) | .actions[] | select(.description | contains("docker-scan")) | ._links.self.href', returnStdout=true})
+                  addRcDetailsComment.sh({script=curl -s -XGET "https://build.ci.opensearch.orgbbb
+ccc" | jq -r '._links.artifacts.href', returnStdout=true})
+                  addRcDetailsComment.sh({script=curl -s -XGET "https://build.ci.opensearch.orgbbb
+ccc" | jq -r '.[] | select(.name | endswith(".txt")) | .url', returnStdout=true})
+                  addRcDetailsComment.sh({script=curl -s -XGET "https://build.ci.opensearch.orgbbb
+ccc", returnStdout=true})
                   addRcDetailsComment.libraryResource(release/rc-details-template.md)
                   addRcDetailsComment.writeFile({file=rc-details-comment-body.md, text=## See OpenSearch RC 5 and OpenSearch-Dashboards RC 5 details
 <details><summary>OpenSearch 5 and OpenSearch-Dashboards 5 details</summary>
@@ -179,6 +190,39 @@ _Check how to install [opensearch](https://opensearch.org/docs/latest/install-an
 Thank you
 </p>
 </details>
+
+
+<details><summary>OpenSearch Docker-Scan Results</summary>
+<p>
+
+[Workflow run](https://build.ci.opensearch.org/job/docker-scan/4439/artifact/scan_docker_image.txt)
+<pre>
+<code>
+
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0))
+
+</code>
+</pre>
+</p>
+</details>
+
+<details><summary>OpenSearch-Dashboards Docker-Scan Results</summary>
+<p>
+
+[Workflow run](https://build.ci.opensearch.orgbbb
+ccc)
+<pre>
+<code>
+
+
+bbb
+ccc
+
+
+</code>
+</pre>
+</p>
+</details>
 })
                   addRcDetailsComment.usernamePassword({credentialsId=jenkins-github-bot-token, passwordVariable=GITHUB_TOKEN, usernameVariable=GITHUB_USER})
                   addRcDetailsComment.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
diff --git a/vars/addRcDetailsComment.groovy b/vars/addRcDetailsComment.groovy
index 969b1fe1..39c786ed 100644
--- a/vars/addRcDetailsComment.groovy
+++ b/vars/addRcDetailsComment.groovy
@@ -22,7 +22,7 @@ void call(Map args = [:]) {
     def opensearchDashboardsRcNumber
     def opensearchRcBuildNumber
     def opensearchDashboardsRcBuildNumber
-    def releaseIssueUrl
+    String releaseIssueUrl
 
     if (version.isEmpty()){
         error('version is required to get RC details.')
@@ -47,14 +47,20 @@ void call(Map args = [:]) {
         }
     }
 
+    def opensearchScanResults = getDockerScanResult('OpenSearch', opensearchRcBuildNumber)
+    def opensearchDashboardsScanResults = getDockerScanResult('OpenSearch-Dashboards', opensearchDashboardsRcBuildNumber)
+
     def rcValues = [
             VERSION: version,
             OPENSEARCH_RC_NUMBER: opensearchRcNumber,
             OPENSEARCH_DASHBOARDS_RC_NUMBER: opensearchDashboardsRcNumber,
             OPENSEARCH_RC_BUILD_NUMBER: opensearchRcBuildNumber,
-            OPENSEARCH_DASHBOARDS_RC_BUILD_NUMBER: opensearchDashboardsRcBuildNumber
+            OPENSEARCH_DASHBOARDS_RC_BUILD_NUMBER: opensearchDashboardsRcBuildNumber,
+            OPENSEARCH_DOCKER_SCAN_RESULTS: opensearchScanResults.dockerScanResult,
+            OPENSEARCH_DASHBOARDS_DOCKER_SCAN_RESULTS: opensearchDashboardsScanResults.dockerScanResult,
+            OPENSEARCH_DOCKER_SCAN_URL: opensearchScanResults.dockerScanUrl,
+            OPENSEARCH_DASHBOARDS_DOCKER_SCAN_URL: opensearchDashboardsScanResults.dockerScanUrl
     ]
-    println('Retrieved values: '+ rcValues)
 
     try {
         // Check for null or empty values
@@ -92,3 +98,36 @@ void call(Map args = [:]) {
         )
     }
 }
+
+def getDockerScanResult(String component, def distributionRcBuildNumber) {
+    println('Getting docker scan results')
+    String buildJobName = ''
+    String JENKINS_BASE_URL = 'https://build.ci.opensearch.org'
+    String BLUE_OCEAN_URL = 'blue/rest/organizations/jenkins/pipelines'
+    if(component == 'OpenSearch') {
+        buildJobName = 'distribution-build-opensearch'
+    } else if(component == 'OpenSearch-Dashboards') {
+        buildJobName = 'distribution-build-opensearch-dashboards'
+    } else {
+        error("Invalid component name: ${component}. Valid values: OpenSearch, OpenSearch-Dashboards")
+    }
+    String dockerScanUrl = sh (
+            script: "curl -s -XGET \"${JENKINS_BASE_URL}/${BLUE_OCEAN_URL}/${buildJobName}/runs/${distributionRcBuildNumber}/nodes/\" | jq '.[] | select(.actions[].description? | contains(\"docker-scan\")) | .actions[] | select(.description | contains(\"docker-scan\")) | ._links.self.href'",
+            returnStdout: true
+    ).trim()
+    String artifactsUrl = sh(
+            script: "curl -s -XGET \"${JENKINS_BASE_URL}${dockerScanUrl}\" | jq -r '._links.artifacts.href'",
+            returnStdout: true
+    ).trim()
+    String dockerTxtScanUrl = sh(
+            script: "curl -s -XGET \"${JENKINS_BASE_URL}${artifactsUrl}\" | jq -r '.[] | select(.name | endswith(\".txt\")) | .url'",
+            returnStdout: true
+    ).trim()
+    String fullDockerTxtScanUrl = "${JENKINS_BASE_URL}${dockerTxtScanUrl}"
+    // Do not trim as it messes the text table.
+    String dockerScanResult = sh(
+            script: "curl -s -XGET \"${fullDockerTxtScanUrl}\"",
+            returnStdout: true
+    )
+    return [dockerScanUrl: fullDockerTxtScanUrl, dockerScanResult: dockerScanResult]
+}