Add a new workflow to check vulnerabilities using trivy (#9044)

* Add a new workflow to check vulnerabilities using trivy

* Add EOF new line

* Run Pinot dependencies check only when dependency related files change

.github/workflows/pinot_vuln_check.yml

@@ -0,0 +1,66 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: Pinot Dependencies
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+    paths:
+      - "**/pom.xml"
+      - "**/package.json"
+      - "**/package-lock.json"
+      - "docker/images/pinot/**"
+      - ".github/workflows/**"
+jobs:
+  verify-docker:
+    name: Verify Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: docker/setup-qemu-action@v1
+        name: Set up QEMU
+      - uses: docker/setup-buildx-action@v1
+        name: Set up Docker Buildx
+      - uses: actions/checkout@v3
+      - name: Build the Docker image
+        env:
+          DOCKER_FILE_BASE_DIR: "docker/images/pinot"
+          DOCKER_IMAGE_NAME: "apachepinot/pinot"
+          BUILD_PLATFORM: "linux/amd64"
+          PINOT_GIT_URL: ${{ github.event.inputs.gitUrl }}
+          PINOT_BRANCH: ${{ env.GITHUB_REF }}
+          TAGS: ${{ github.sha }}
+        run: .github/workflows/scripts/docker/.pinot_docker_image_build.sh
+
+      - name: Run Trivy vulnerability scanner (sarif)
+        uses: aquasecurity/trivy-action@master
+        with:
+          trivyignores: '.trivyignore'
+          image-ref: 'apachepinot/pinot:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/scripts/docker/.pinot_docker_image_build.sh

@@ -0,0 +1,61 @@
+#!/bin/bash -x
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+if [ -z "${DOCKER_IMAGE_NAME}" ]; then
+  DOCKER_IMAGE_NAME="apachepinot/pinot"
+fi
+if [ -z "${PINOT_GIT_URL}" ]; then
+  PINOT_GIT_URL="https://github.com/apache/pinot.git"
+fi
+if [ -z "${PINOT_BRANCH}" ]; then
+  PINOT_BRANCH="master"
+fi
+if [ -z "${BUILD_PLATFORM}" ]; then
+  BUILD_PLATFORM="linux/arm64,linux/amd64"
+fi
+
+COMMIT_ID=`git rev-parse --short HEAD`
+DATE=`date +%Y%m%d`
+VERSION=`mvn help:evaluate -Dexpression=project.version -q -DforceStdout`
+tags=()
+if [ -z "${TAGS}" ]; then
+  tags=("${VERSION}-${COMMIT_ID}-${DATE}")
+  tags+=("latest")
+else
+  declare -a tags=($(echo ${TAGS} | tr "," " "))
+fi
+
+DOCKER_BUILD_TAGS=""
+for tag in "${tags[@]}"
+do
+  echo "Plan to build docker images for: ${DOCKER_IMAGE_NAME}:${tag}"
+  DOCKER_BUILD_TAGS+=" --tag ${DOCKER_IMAGE_NAME}:${tag} "
+done
+
+cd ${DOCKER_FILE_BASE_DIR}
+
+docker buildx build \
+    --no-cache \
+    --platform=${BUILD_PLATFORM} \
+    --file Dockerfile \
+    --load \
+    --build-arg PINOT_GIT_URL=${PINOT_GIT_URL} --build-arg PINOT_BRANCH=${PINOT_BRANCH} \
+    ${DOCKER_BUILD_TAGS} \
+    .

pinot-distribution/pinot-source-assembly.xml

@@ -39,6 +39,7 @@
         <exclude>**/.github/**</exclude>
         <exclude>.codecov*</exclude>
         <exclude>.gitignore</exclude>
+        <exclude>.trivyignore</exclude>
 
         <!-- Do not inclue node_modules in pinot-controller -->
         <exclude>pinot-controller/src/main/resources/node_modules/**</exclude>

pom.xml

@@ -1659,6 +1659,7 @@
             <exclude>HEADER</exclude>
             <exclude>LICENSE*</exclude>
             <exclude>NOTICE*</exclude>
+            <exclude>.trivyignore</exclude>
 
             <!-- js, css files that are exact copies of the third-party works. In this case, the original header has to
             be kept. Please refer to 'Treatment of Third-party works' in https://www.apache.org/legal/src-headers.html
@@ -1776,6 +1777,7 @@
             <!-- Docker and Kubernetes (not part of the distribution) -->
             <exclude>kubernetes/**</exclude>
             <exclude>docker/**</exclude>
+            <exclude>.trivyignore</exclude>
 
             <!-- Pinot-Druid Benchmark (not part of the distribution) -->
             <exclude>contrib/**</exclude>