Upgrade Supply Chain Security Tools - Scan
This topic describes how you can upgrade Supply Chain Security Tools (SCST) - Scan from the Tanzu Application Platform package repository.
NoteThis topic assumes that you use SCST - Scan 1.0 because, although it is deprecated, it is still the default option in Supply Chain with Testing in this version of Tanzu Application Platform. For more information, see Add testing and scanning to your application.
VMware recommends using SCST - Scan 2.0 instead because SCST - Scan 1.0 will be removed from future versions of Tanzu Application Platform. For more information, see SCST - Scan versions. You can perform a fresh install of SCST - Scan by following the instructions in Install Supply Chain Security Tools - Scan.
Before you begin
Before you upgrade SCST - Scan, upgrade the Tanzu Application Platform by following the instructions in Upgrading Tanzu Application Platform.
General Upgrades for SCST - Scan
Before upgrading to any version of SCST - Scan:
-
See the release notes for the version you want to upgrade to learn about any breaking changes for the upgrade.
-
Get the values schema for the package version you want to upgrade by running:
tanzu package available get scanning.apps.tanzu.vmware.com/$VERSION --values-schema -n tap-installWhere
$VERSIONis the new version. This gives you insights on the values you can configure in yourtap-values.yamlfor the new version.
Upgrade a scanner in all namespaces
This section describes how to upgrade a supported scanner in all namespaces. The procedure is different depending on whether you install manually or by using Namespace Provisioner.
- Use Namespace Provisioner
- All scanners installed by the Namespace Provisioner in all managed namespaces are upgraded automatically. For example, if you upgrade your installation of Tanzu Application Platform and the version of Grype is updated, all Grype scanners installed by the Namespace Provisioner for all managed namespaces are automatically upgraded.
- Install manually
-
To install manually:
-
If a scanner, such as Grype Scanner, was installed as part of Tanzu Application Platform by using the full profile, run to upgrade:
tanzu package installed update tap -p tap.tanzu.vmware.com -v VERSION --values-file tap-values.yaml -n tap-installWhere
VERSIONis your Tanzu Application Platform version. -
If a scanner, such as Grype Scanner, was installed by using component installation you must manually run:
tanzu package installed update grype -p grype.scanning.apps.tanzu.vmware.com -v GRYPE-VERSION \ --values-file grype-values.yaml -n NAMESPACEWhere:
GRYPE-VERSIONis the version of Grype that you are upgrading to.NAMESPACEis the namespace in which Grype is installed in.
-
Upgrade to v1.2.0
To upgrade from a previous version of SCST - Scan to the version v1.2.0:
-
Change the
SecretExportsfrom SCST - Store.SCST - Scan needs information to connect to the SCST - Store deployment. You must change where these secrets are exported to enable the connection with SCST - Scan v1.2.0.
- Single-cluster deployment
-
For a single-cluster deployment:
-
Edit the
tap-values.yamlfile you used to deploy SCST - Store to export the CA certificate to your developer namespace.metadata_store: ns_for_export_app_cert: "DEV-NAMESPACE"Note
The
ns_for_export_app_certsupports one namespace at a time. If you have multiple namespaces you can replace this value with a*, but this exports the CA certificate to all namespaces. Consider whether this increased visibility presents a risk. -
Update Tanzu Application Platform to apply the changes:
tanzu package installed update tap -f tap-values.yaml -n tap-install
-
- Multicluster deployment
-
For a multicluster deployment you must reapply the
SecretExportby changing thetoNamespace: scan-link-systemtotoNamespace: DEV-NAMESPACE. For example:--- apiVersion: secretgen.carvel.dev/v1alpha1 kind: SecretExport metadata: name: store-ca-cert namespace: metadata-store-secrets spec: toNamespace: "DEV-NAMESPACE" --- apiVersion: secretgen.carvel.dev/v1alpha1 kind: SecretExport metadata: name: store-auth-token namespace: metadata-store-secrets spec: toNamespace: "DEV-NAMESPACE"
-
Update your
tap-values.yamlfile.The installation of SCST - Scan and Grype Scanner has some changes. The connection to the SCST - Store component has moved to the Grype Scanner package. The connection from SCST - Scan still exists for backward compatibility, but is deprecated and is removed in v1.3.0.
To deactivate the connection, edit
tap-values.yamlas follows:# Deactivate scan controller embedded SCST - Store integration scanning: metadataStore: url: "" # Install Grype Scanner v1.2.0 grype: namespace: "DEV-NAMESPACE" # The developer namespace where the ScanTemplates are going to be deployed metadataStore: url: "METADATA-STORE-URL" # The base URL where the Store deployment can be reached caSecret: name: "CA-SECRET-NAME" # The name of the secret containing the ca.crt importFromNamespace: "SECRET-NAMESPACE" # The namespace where Store is deployed (if single cluster) or where the connection secrets were created (if multi-cluster) authSecret: name: "TOKEN-SECRET-NAME" # The name of the secret containing the auth token to connect to Store importFromNamespace: "SECRET-NAMESPACE" # The namespace where the connection secrets were created (if multi-cluster)For more information about how to install Grype, see Install SCST - Scan (Grype Scanner).
Note
If a mix of Grype templates is used, such as templates before and after v1.2.0 and v1.2.0, both
scanningandgrypemust configure the parameters. The secret must also export to bothscan-link-systemand the developer namespace. Configure this by exporting to*or by defining multiple secrets and exports. If Grype is installed in multiple namespaces there must be corresponding exports. For more information, see Install SCST - Scan (Grype Scanner). -
Update Tanzu Application Platform to apply the changes by running:
tanzu package installed update tap -f tap-values.yaml -n tap-install -
Update the
ScanPolicyto include the latest structure changes for v1.2.0.To update to the latest valid Rego file in
ScanPolicy, enforce compliance policy by using Open Policy Agent. v1.2.0 introduced some breaking changes in the Rego file structure used forScanPolicies. For more information, see the release notes. -
Create a
verify-upgrade.yamlfile in your system with the following content:--- apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: ScanPolicy metadata: name: scan-policy labels: 'app.kubernetes.io/part-of': 'enable-in-gui' spec: regoFile: | package main # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity" notAllowedSeverities := ["Critical", "High", "UnknownSeverity"] ignoreCves := [] contains(array, elem) = true { array[_] = elem } else = false { true } isSafe(match) { severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity } some i fails := contains(notAllowedSeverities, severities[i]) not fails } isSafe(match) { ignore := contains(ignoreCves, match.id) ignore } deny[msg] { comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] } some i comp := comps[i] vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] } some j vuln := vulns[j] ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity } not isSafe(vuln) msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings]) } --- apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 kind: ImageScan metadata: name: sample-public-image-scan spec: registry: image: "nginx:1.16" scanTemplate: public-image-scan-template scanPolicy: scan-policy -
Deploy the resources by running:
kubectl apply -f verify-upgrade.yaml -n DEV-NAMESPACE -
View the scan results by running:
kubectl describe imagescan sample-public-image-scan -n DEV-NAMESPACEIf it is successful, the
ImageScangoes to theFailedphase and shows the results of the scan inStatus. You can run anyImageScanorSourceScanin yourDEV-NAMESPACEwhere the Grype Scanner was installed, and it finishes.
