From 0e2899ee3092eafef3f75f0043cb7189717dc338 Mon Sep 17 00:00:00 2001
From: Zain Nasir
Date: Fri, 3 Jan 2025 12:52:05 -0500
Subject: [PATCH 1/4] add docker scout to security tests
---
 .circleci/config.yml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index beb5738923b..2ff8cfe3733 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -351,6 +351,40 @@ jobs:
 - store_artifacts:
 path: /tmp/repos/docker-compose-logs.txt
+ run_security_tests:
+ machine:
+ image: ubuntu-2204:2024.08.1
+ docker_layer_caching: true
+ resource_class: medium
+ environment:
+ BASE_REPO: cbioportal/cbioportal
+ DEV_REPO: cbioportal/cbioportal-dev
+ steps:
+ - run:
+ name: Log in to Docker
+ command: |
+ echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin;
+ - run:
+ name: Run Docker Scout vulnerability test
+ command: |
+ BASE_IMAGE=$BASE_REPO:master-web-shenandoah
+ PR_IMAGE=$DEV_REPO:$CIRCLE_SHA1-web-shenandoah
+ OUTPUT_FORMAT='{severity: .cvss.severity, source_id: .source_id, vulnerable_range: .vulnerable_range, fixed_by: .fixed_by, url: .url, description: .description}'
+ SORT='sort_by(.severity | if . == "CRITICAL" then 0 elif . == "HIGH" then 1 elif . == "MEDIUM" then 2 elif . == "LOW" then 3 else 4 end)'
+ docker pull $BASE_IMAGE
+ docker pull $PR_IMAGE
+ docker scout cves $BASE_IMAGE --format sbom | jq -r "[.vulnerabilities.[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > base_report.sbom
+ docker scout cves $PR_IMAGE --format sbom | jq -r "[.vulnerabilities.[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > pr_report.sbom
+ DIFF=$(jq -s 'map(map(.source_id)) | .[0] - .[1]' pr_report.sbom base_report.sbom)
+ COUNT=$(echo $DIFF | jq 'length')
+ if [ "$COUNT" -gt 0 ]; then
+ printf "New vulnerabilities found: $COUNT\n"
+ jq '.[] | select(.source_id as $a | '"$DIFF"' | index($a))' pr_report.sbom
+ exit 1
+ else
+ echo "No new vulnerabilities found!"
+ exit 0
+ fi
 workflows:
 version: 2
@@ -383,5 +417,13 @@ workflows:
 - run_api_tests:
 context:
 - api-tests
+ requires:
+ - build_push_image
+
+ security_tests:
+ jobs:
+ - run_security_tests:
+ context:
+ - docker-scout
 requires:
 - build_push_image
\ No newline at end of file
From 5128f9ce2b87fd8cdeaed64c89aaca32e5c1e1af Mon Sep 17 00:00:00 2001
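Review bot: `printf "New vulnerabilities found: $COUNT\n"` in the `if` branch expands `$COUNT` inside the format string; it is numeric today because it comes from `jq 'length'`, but the safe idiom is `printf 'New vulnerabilities found: %s\n' "$COUNT"`. In the same branch the JSON held in `$DIFF` is spliced into the jq program text via `'"$DIFF"'`; passing it as data with `jq --argjson diff "$DIFF" '.[] | select(.source_id as $a | $diff | index($a))' pr_report.sbom` keeps program and data separate and fails loudly if DIFF is not valid JSON. The gate itself (`.[0] - .[1]` over `source_id` lists) only reports CVE ids that are absent from whatever `master-web-shenandoah` currently contains, so findings already present in master, and a CVE that reappears in a different package in the PR image, are never surfaced, and the severity sort has no effect on pass/fail; a short comment above the step stating that this is a regression check against the current master image rather than a severity gate would save the next reader from expecting one.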
From: Zain Nasir
Date: Fri, 3 Jan 2025 12:58:31 -0500
Subject: [PATCH 2/4] check for docker image
---
 .circleci/config.yml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2ff8cfe3733..85781baf2ac 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -364,6 +364,19 @@ jobs:
 name: Log in to Docker
 command: |
 echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin;
+ - run:
+ name: Wait for cbioportal docker images
+ command: |
+ URL="https://hub.docker.com/v2/repositories/$DEV_REPO/tags/$CIRCLE_SHA1-web-shenandoah"
+ while true; do
+ TAG_FOUND=$(curl -s $URL | jq -r .name)
+ if [ $TAG_FOUND = "$CIRCLE_SHA1-web-shenandoah" ]; then
+ echo "Image found!"
+ exit 0
+ fi
+ echo "Image not built yet. Retrying in 30 seconds..."
+ sleep 30
+ done
 - run:
 name: Run Docker Scout vulnerability test
 command: |
@@ -424,6 +437,4 @@ workflows:
 jobs:
 - run_security_tests:
 context:
- - docker-scout
- requires:
- - build_push_image
\ No newline at end of file
+ - docker-scout
\ No newline at end of file
From 3aabb4a27a603659ecaab96aaed487260c94c27b Mon Sep 17 00:00:00 2001
From: Zain Nasir
Date: Fri, 3 Jan 2025 13:32:36 -0500
Subject: [PATCH 3/4] install docker scout
---
 .circleci/config.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 85781baf2ac..3dc45ad8ffc 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -360,6 +360,10 @@ jobs:
 BASE_REPO: cbioportal/cbioportal
 DEV_REPO: cbioportal/cbioportal-dev
 steps:
+ - run:
+ name: Install Docker Scout
+ command: |
+ curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- -b /home/circleci/bin
 - run:
 name: Log in to Docker
 command: |
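Review bot: The `while true; do` poll in the `Wait for cbioportal docker images` step has no upper bound: when the tag for this commit is never pushed (the build job failed or was skipped), the loop keeps printing every 30 seconds, so CircleCI's no-output timeout never fires and the job only ends at the hard job time limit. The test `[ $TAG_FOUND = "$CIRCLE_SHA1-web-shenandoah" ]` also leaves `$TAG_FOUND` unquoted; when the tag does not exist yet `jq -r .name` prints `null` or nothing, and an empty value turns the test into a shell syntax error that is silently treated as "not found". Since CircleCI runs steps under `bash -eo pipefail` by default (inferred, not visible here), a transient curl failure inside the command substitution already aborts the step, so `|| true` inside the substitution is needed if the retries are meant to survive it. The loop rewritten with a bounded retry count and quoting is below; the tag includes the commit SHA, so it is specific to this revision, but an image pushed by an earlier pipeline run for the same commit will satisfy it.
```yaml
name: Wait for cbioportal docker images
command: |
  URL="https://hub.docker.com/v2/repositories/$DEV_REPO/tags/$CIRCLE_SHA1-web-shenandoah"
  MAX_ATTEMPTS=60
  for attempt in $(seq 1 "$MAX_ATTEMPTS"); do
    TAG_FOUND=$(curl -s "$URL" | jq -r .name || true)
    if [ "$TAG_FOUND" = "$CIRCLE_SHA1-web-shenandoah" ]; then
      echo "Image found!"
      exit 0
    fi
    echo "Image not built yet (attempt $attempt/$MAX_ATTEMPTS). Retrying in 30 seconds..."
    sleep 30
  done
  echo "Timed out waiting for $URL"
  exit 1
```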
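Review bot: The `Install Docker Scout` step fetches `install.sh` from the mutable `main` ref of docker/scout-cli and pipes it straight into `sh`, and the installer in turn resolves whatever release is current, so neither the script nor the scout-cli version is pinned or checksum-verified; any change upstream lands directly in a job that, in its very next step (`Log in to Docker`, visible as context here), holds the Docker Hub credentials, and two pipeline runs can scan with different tool versions. Pin both: download the installer at a fixed commit (`https://raw.githubusercontent.com/docker/scout-cli/<pinned-commit-sha>/install.sh`, placeholder) to a file, verify its checksum before running it, and pass an explicit release tag to the installer if it accepts one, or download the release archive for a fixed version and verify its published checksum. A comment above the step naming the pinned version and why it is pinned keeps the next bump deliberate. The job's `steps:` list begins outside this hunk.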
@@ -386,8 +390,8 @@ jobs:
 SORT='sort_by(.severity | if . == "CRITICAL" then 0 elif . == "HIGH" then 1 elif . == "MEDIUM" then 2 elif . == "LOW" then 3 else 4 end)'
 docker pull $BASE_IMAGE
 docker pull $PR_IMAGE
- docker scout cves $BASE_IMAGE --format sbom | jq -r "[.vulnerabilities.[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > base_report.sbom
- docker scout cves $PR_IMAGE --format sbom | jq -r "[.vulnerabilities.[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > pr_report.sbom
+ docker-scout cves $BASE_IMAGE --format sbom | jq -r "[.vulnerabilities[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > base_report.sbom
+ docker-scout cves $PR_IMAGE --format sbom | jq -r "[.vulnerabilities[].vulnerabilities[] | $OUTPUT_FORMAT] | $SORT" > pr_report.sbom
 DIFF=$(jq -s 'map(map(.source_id)) | .[0] - .[1]' pr_report.sbom base_report.sbom)
 COUNT=$(echo $DIFF | jq 'length')
 if [ "$COUNT" -gt 0 ]; then
From cd40cf263e08259354c3925a3e89dacc5a1f1ce2 Mon Sep 17 00:00:00 2001
From: Zain Nasir
Date: Fri, 3 Jan 2025 13:53:33 -0500
Subject: [PATCH 4/4] Improve logs
---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 3dc45ad8ffc..2abf7456dcf 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -378,7 +378,7 @@ jobs:
 echo "Image found!"
 exit 0
 fi
- echo "Image not built yet. Retrying in 30 seconds..."
+ echo "Image not found yet. Waiting for API Tests to finish building. Retrying in 30 seconds..."
 sleep 30
 done
 - run:
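Review bot: The two rewritten lines invoke `docker-scout` as a bare command, which assumes `/home/circleci/bin` (the `-b` target of the install step in the previous commit) is on `PATH` in the machine executor; if it is not, the step fails with "command not found" rather than a scan result. Calling the binary by its install path, `/home/circleci/bin/docker-scout cves "$BASE_IMAGE" --format sbom | …`, or adding a sanity invocation such as `docker-scout version` right after the install step, makes the dependency explicit and gives a clearer failure. The image references `$BASE_IMAGE` and `$PR_IMAGE` are also unquoted on both lines; `"$BASE_IMAGE"` / `"$PR_IMAGE"` is the safe form even though the current values contain no whitespace. The enclosing `command: |` block starts before this hunk and continues after it.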