[isar-cip-core,v1,2/3] scripts/deploy-cip-core.sh: Upload dpkg-status file to aws s3 bucket

Message ID 20231122070121.326276-3-Sai.Sathujoda@toshiba-tsip.com (mailing list archive)
State Superseded
Series Enable CVE check in isar-cip-core CI

Commit Message

Sai.Sathujoda@toshiba-tsip.com Nov. 22, 2023, 7:01 a.m. UTC
From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>

For every build job executed in CI, the dpkg-status file shall be uploaded
to a respective directory in aws s3 bucket.

Signed-off-by: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
---
 scripts/deploy-cip-core.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
Patch

diff --git a/scripts/deploy-cip-core.sh b/scripts/deploy-cip-core.sh
index 5855acb..834ba8e 100755
--- a/scripts/deploy-cip-core.sh
+++ b/scripts/deploy-cip-core.sh
@@ -15,6 +15,7 @@  TARGET=$2
 EXTENSION=$3
 DTB=$4
 REF=$5
+DPKG_STATUS=$6
 
 BASE_FILENAME=cip-core-image-cip-core-$RELEASE-$TARGET
 if [ "${EXTENSION}" != "none" ]; then
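Review bot: `DPKG_STATUS=$6` is assigned without checking that a sixth argument was passed, and nothing in this hunk documents the new parameter for callers. If it is empty, the source path used by the upload at the end of the script becomes build/tmp/deploy/images/$TARGET/ with no file name. Consider `DPKG_STATUS=${6:?dpkg status file name required}`, or skip the upload when the value is empty, and describe the new argument wherever the script's parameters are documented.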
@@ -53,3 +54,17 @@  else
 		aws s3 cp --no-progress --acl public-read build/tmp/deploy/images/*/"$DTB" "${S3_TARGET}"
 	fi
 fi
+
+# Deploy the dpkg status file (/var/lib/dpkg/status) to AWS for the CIP CVE checker (cip-core-sec)
+# to periodically extract and report pending CVEs.
+# * CI builds will override the previous dpkg status file
+# * Released images will contain the commit_id in the file name, and will not be automatically overriden
+#   * they have to be signed and released separately from the CI
+# * CVE checks will only scan the latest builds, and the released images
+# * AWS S3 bucket structure
+#   * download.cip-project.org/cip-core/cve-checks/
+#     * dpkg-status: folder to store the dpkg status files generated by the CI and released images
+#     * cve-reports: folder to store the cve-reports generated from the dpkg status files
+#       * they can be linked from the release website
+DPKG_STATUS_FILENAME=${CI_JOB_NAME#build:}.dpkg_status
+aws s3 cp --no-progress build/tmp/deploy/images/$TARGET/$DPKG_STATUS s3://download.cip-project.org/cip-core/cve-checks/dpkg-status/$DPKG_STATUS_FILENAME
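Review bot: the new `aws s3 cp` line at the end of the hunk leaves `$TARGET`, `$DPKG_STATUS` and `$DPKG_STATUS_FILENAME` unquoted, while the DTB upload just above quotes its operands; quote both the source path and the s3:// destination. `DPKG_STATUS_FILENAME` is derived only from `CI_JOB_NAME`, so the comment's statement that released images carry the commit_id in the file name is not implemented by these lines; either add that naming or reword the comment to say it happens outside this script. The upload also omits the `--acl public-read` that the DTB upload uses; if that is intentional, a comment line saying so would help. Nit: "overriden" in the comment should be "overridden".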