From: Pawel Wieczorek <p.wieczorek2@samsung.com>
Date: Wed, 25 Mar 2020 13:08:24 +0000 (+0100)
Subject: Update git submodules
X-Git-Tag: 6.0.0-ONAP~1293
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=doc.git;a=commitdiff_plain;h=80c83b6b10fabfed85733e0b0073d3f8cfee58ce

Update git submodules

* Update docs/submodules/integration.git from branch 'master'
  to d688c4c4e37526e276690b5b51d1044b7e220aff
  - Reduce cyclomatic complexity

    Moving CSV data conversion and "expected failure" filtering away from
    main function made testing these features easier. Utility behaviour
    remained unchanged.

    Issue-ID: SECCOM-261
    Change-Id: I4cabfc7b352434c84a613c02f44af3c9630be970
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

  - Add "expected failure" support to non-SSL NodePort scanner

    This patch makes scanner compatible with its shell predecessor. The same
    "expected failure" list format is used i.e.

     # Comment line; will be ignored
     SERVICE1 NODEPORT1
     SERVICE2 NODEPORT2

    Single space character is used as a field separator.

    Issue-ID: SECCOM-261
    Change-Id: Ieedd4e98a83ffe242c695133fdf7342e17efa9a2
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

  - Run port scan

    Issue-ID: SECCOM-261
    Change-Id: I465282a8793191c45d288284a127e80e1fecf513
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

  - Add IP addresses filtering

    Each node might be described with 3 types of addresses [1]. Some
    providers also use node annotations [2] for assigned addresses.

    This patch filters out all IP addresses from nodes list. External IPs
    take precedence over internal ones. The first address on the extracted
    slice will be later used to run the scan on.

    This behaviour could be later modified to e.g. loop over all extracted
    IP addresses (if scan fails).

    [1] https://kubernetes.io/docs/concepts/architecture/nodes/#addresses
    [2] https://github.com/rancher/rke/blob/master/k8s/node.go#L18

    Issue-ID: SECCOM-261
    Change-Id: Ifd094447f778da378dfe1aee765f552b6ebd669f
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

  - Add temporary "make" target for automated testing compatibility

    Utility "sslendpoints" and related packages make use of idiomatic Go
    testing commands, i.e. go test [./...]. Thanks to Go Modules [1] nothing
    else is needed to run internal tests for this tool.

    Unfortunately it's not the case for all Go-based Integration tools. In
    order to use a single automated verification script in CI additional
    "make" target is required. It will provide temporary compatibility layer
    with utilities setting up test environment on their own with "make test"
    target.

    This patch should be reverted upon removal of such cases (currently:
    after dropping "../k8s/check" tool in favour of Aquasec solution).

    [1] https://blog.golang.org/using-go-modules (see "Adding a dependency"
    test execution explanation)

    Issue-ID: INT-1498
    Change-Id: I14c83f7f193c7688590366db988ff02c13c036a4
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

  - Add NodePorts filtering with development environment basis

    This patch has not made "sslendpoints" fully compatible with
    "check_for_nonssl_endpoints.sh" script yet. It sets up basic development
    environment for Golang-based checkers, though.

    Tool output will be added to the README after reaching full
    compatibility with previous (script) version.

    Development environment brought by this patch is heavily based on:
    https://github.com/SamsungSLAV/boruta

    Issue-ID: SECCOM-261
    Change-Id: I8f035b63bea13785c40971ede5fdbbc9b6810168
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

  - Increase verifiability of security checks

    This patch introduces a series of patches that will provide tools which
    will succeed current security check scripts. Its two main reasons are:

    * increasing tools verifiability by providing internal tests,
    * improving "expected failure" support by suppressing carefully selected
      set of special cases.

    Each tool will use following directory structure (generated with
    "tree -a --charset=ascii" command):

    .
    `-- check_module
        |-- Dockerfile
        |-- .dockerignore
        |-- .gitignore
        |-- go.mod
        |-- main.go
        |-- Makefile
        |-- README
        |-- README.rst -> README
        `-- submodule
            |-- submodule.go
            `-- submodule_test.go

    This will allow using Go Modules mechanism within its limitations [1]
    for "non-go-get-able modules" [2][3][4] - also in case of separating
    code into several modules used by multiple "check modules", e.g.

    .
    |-- common
    |   |-- common.go
    |   |-- common_test.go
    |   `-- go.mod
    `-- check_module
        |-- go.mod
        `-- ...

    It would require migration from separate Dockerfiles to a single one
    (multi-stage), though.

    Provided Makefiles are intended to simplify local development
    (Docker-less building) and container images preparation. READMEs clarify
    utility requirements and usage - file without extension is for VCS
    reference, symlink for proper syntax rendering.

    [1] https://github.com/golang/go/wiki/Modules#is-it-possible-to-add-a-module-to-a-multi-module-repository
    [2] https://github.com/golang/go/wiki/Modules#can-i-work-entirely-outside-of-vcs-on-my-local-filesystem
    [3] https://github.com/golang/go/issues/26645#issuecomment-408572701
    [4] https://www.dim13.org/go-get-cgit

    Issue-ID: SECCOM-261
    Change-Id: I48eeeda66bd5570d249e96e101e431e6bab75cb3
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
---

diff --git a/docs/submodules/integration.git b/docs/submodules/integration.git
index 3d0d6a9a7..d688c4c4e 160000
--- a/docs/submodules/integration.git
+++ b/docs/submodules/integration.git
@@ -1 +1 @@
-Subproject commit 3d0d6a9a7fc64e42c36c31ff7f371b562ec691f1
+Subproject commit d688c4c4e37526e276690b5b51d1044b7e220aff