test: ImageScanningTest

dcaravel · dcaravel · commit 3fd6f0ac5ea9 · 2026-03-20T18:30:52.000-05:00
Images had to be updated that were too old for scanner v4 results,
Artifact Registry tests skipped because didn't have access to update
the images and the ones there are too old / EoL so were getting no results.
diff --git a/qa-tests-backend/src/main/groovy/objects/ImageIntegration.groovy b/qa-tests-backend/src/main/groovy/objects/ImageIntegration.groovy
@@ -2,19 +2,23 @@ package objects
 
 import common.Constants
 import io.stackrox.proto.storage.ImageIntegrationOuterClass
+import services.FeatureFlagService
 import services.ImageIntegrationService
 import util.Env
 
 trait ImageIntegration {
     abstract static ImageIntegrationOuterClass.ImageIntegration.Builder getCustomBuilder(Map customArgs)
+
+    // Returns true for integrations that can be deleted, false otherwise.
+    static boolean isDeletable() { true }
 }
 
 class StackroxScannerIntegration implements ImageIntegration {
 
     static String name() { Constants.AUTO_REGISTERED_STACKROX_SCANNER_INTEGRATION }
 
     static Boolean isTestable() {
-        return true
+        return !FeatureFlagService.isFeatureFlagEnabled("ROX_SCANNER_V4")
     }
 
     static String createDefaultIntegration() {
@@ -428,6 +432,28 @@ class GoogleArtifactRegistry implements ImageIntegration {
     }
 }
 
+class ScannerV4Integration implements ImageIntegration {
+
+    static String name() { "Scanner V4" }
+
+    static Boolean isTestable() {
+        return FeatureFlagService.isFeatureFlagEnabled("ROX_SCANNER_V4")
+    }
+
+    static boolean isDeletable() { false }
+
+    // The Scanner V4 integration is auto-registered and cannot be deleted.
+    // createDefaultIntegration() looks up the existing integration rather than creating one.
+    static String createDefaultIntegration() {
+        ImageIntegrationOuterClass.ImageIntegration existing =
+                ImageIntegrationService.getImageIntegrationByName(name())
+        if (!existing) {
+            return ""
+        }
+        return existing.id
+    }
+}
+
 class GCRImageIntegration implements ImageIntegration {
 
     static String name() { "GCR Registry+Scanner" }
diff --git a/qa-tests-backend/src/test/groovy/ImageScanningTest.groovy b/qa-tests-backend/src/test/groovy/ImageScanningTest.groovy
@@ -19,6 +19,7 @@ import objects.ECRRegistryIntegration
 import objects.GCRImageIntegration
 import objects.GoogleArtifactRegistry
 import objects.QuayImageIntegration
+import objects.ScannerV4Integration
 import objects.Secret
 import objects.StackroxScannerIntegration
 import services.ClusterService
@@ -43,15 +44,16 @@ class ImageScanningTest extends BaseSpecification {
 
     static final private String UBI8_0_IMAGE = "registry.access.redhat.com/ubi8:8.0-208"
     static final private String RHEL7_IMAGE = "quay.io/rhacs-eng/qa-multi-arch:rhel7-minimal-7.5-422"
+    static final private String RHEL9_IMAGE = "quay.io/rhacs-eng/qa-multi-arch:ubi9-minimal-9.6-1760515502"
     static final private String QUAY_IMAGE_WITH_CLAIR_SCAN_DATA = "quay.io/rhacs-eng/qa:nginx-unprivileged"
     static final private String GCR_IMAGE   = "us.gcr.io/acs-san-stackroxci/qa-multi-arch/registry-image:0.2"
     static final private String NGINX_IMAGE = "quay.io/rhacs-eng/qa:nginx-1-12-1"
     static final private String OCI_IMAGE   = "quay.io/rhacs-eng/qa:oci-manifest"
     static final private String LIST_IMAGE_OCI_MANIFEST = "quay.io/rhacs-eng/qa:list-image-oci-manifest"
     static final private String AR_IMAGE =
         "us-west1-docker.pkg.dev/acs-san-stackroxci/artifact-registry-test/nginx:1.17"
-    static final private String CENTOS_IMAGE = "quay.io/rhacs-eng/qa:centos7-base"
-    static final private String CENTOS_ECHO_IMAGE = "quay.io/rhacs-eng/qa:centos7-base-echo"
+    static final private String UBI9_MINIMAL_IMAGE = "quay.io/rhacs-eng/qa:ubi9-minimal-9.5-1747111267-amd64"
+    static final private String UBI9_MINIMAL_ECHO_IMAGE = "quay.io/rhacs-eng/qa:ubi9-minimal-9.5-1747111267-amd64-echo"
     static final private String LINEAGE_IMAGE_A = "quay.io/rhacs-eng/qa:lineage-jdk-17.0.11"
     static final private String LINEAGE_IMAGE_B = "quay.io/rhacs-eng/qa:lineage-jdk-17.0.13"
 
@@ -419,7 +421,9 @@ class ImageScanningTest extends BaseSpecification {
         "Add scanner"
         String integrationId = scanner.createDefaultIntegration()
         assert integrationId
-        integrationIds.add(integrationId)
+        if (scanner.isDeletable()) {
+            integrationIds.add(integrationId)
+        }
 
         and:
         "Scan Image and verify results"
@@ -465,12 +469,20 @@ class ImageScanningTest extends BaseSpecification {
         new ClairV4ScannerIntegration()  | "platform-python-pip"      | "9.0.3-13.el8"                | 0   | "RHSA-2020:4432" | UBI8_0_IMAGE            | ""
         new StackroxScannerIntegration() | "java-17-openjdk-headless" | "1:17.0.11.0.9-2.el8.x86_64"  | 135 | ""               | LINEAGE_IMAGE_A         | ""
         new StackroxScannerIntegration() | "java-17-openjdk-headless" | "1:17.0.13.0.11-3.el8.x86_64" | 137 | ""               | LINEAGE_IMAGE_B         | ""
+        new ScannerV4Integration()       | "openssl-libs"             | "1:3.2.2-6.el9_5.1"           | 18  | "CVE-2025-15467" | RHEL9_IMAGE             | ""
+        new ScannerV4Integration()       | "systemd"                  | "229-4ubuntu21.29"            | 0   | "CVE-2021-33910" | OCI_IMAGE               | ""
+        new ScannerV4Integration()       | "libc6"                    | "2.35-0ubuntu3.1"             | 4   | "CVE-2023-4911"  | LIST_IMAGE_OCI_MANIFEST | ""
+        new ScannerV4Integration()       | "java-17-openjdk-headless" | "1:17.0.11.0.9-2.el8"         | 135 | ""               | LINEAGE_IMAGE_A         | ""
+        new ScannerV4Integration()       | "java-17-openjdk-headless" | "1:17.0.13.0.11-3.el8"        | 137 | ""               | LINEAGE_IMAGE_B         | ""
     }
 
     @Unroll
     @Tag("BAT")
     @Tag("Integration")
     def "Verify Scan Results from Registries - #registry.name() - #component:#version - #image - #cve - #idx"() {
+        // The current images in the AR repo are too old to produce scan results with Scanner V4.
+        Assume.assumeFalse("Skipping: AR image produces no results with Scanner V4", scannerV4Enabled)
+
         ImageIntegrationService.addStackroxScannerIntegration()
 
         when:
@@ -531,7 +543,9 @@ class ImageScanningTest extends BaseSpecification {
         "Add scanner"
         String integrationId = scanner.createDefaultIntegration()
         assert integrationId
-        integrationIds.add(integrationId)
+        if (scanner.isDeletable()) {
+            integrationIds.add(integrationId)
+        }
 
         and:
         "Scan image"
@@ -726,28 +740,32 @@ class ImageScanningTest extends BaseSpecification {
 
     def "Validate image deletion does not affect other images"() {
         given:
-        ImageIntegrationService.addStackroxScannerIntegration()
+        if (!scannerV4Enabled) {
+            ImageIntegrationService.addStackroxScannerIntegration()
+        }
 
         when:
-        "Scan CentOS image and derivative echo image (centos + touch file)"
-        ImageService.scanImage(CENTOS_ECHO_IMAGE, false)
-        def expectedDetails = ImageService.scanImage(CENTOS_IMAGE, false)
+        "Scan UBI9 image and derivative echo image (UBI9 + touch file)"
+        ImageService.scanImage(UBI9_MINIMAL_ECHO_IMAGE, false)
+        def expectedDetails = ImageService.scanImage(UBI9_MINIMAL_IMAGE, false)
 
         and:
-        "Delete CentOS image and ensure echo still same number of vulns"
+        "Delete UBI9 image and ensure echo still same number of vulns"
         ImageService.deleteImages(
-                SearchServiceOuterClass.RawQuery.newBuilder().setQuery("Image:${CENTOS_ECHO_IMAGE}").build(), true)
+                SearchServiceOuterClass.RawQuery.newBuilder().setQuery("Image:${UBI9_MINIMAL_ECHO_IMAGE}").build(), true)
         def actualDetails = ImageService.getImage(expectedDetails.id)
         assert actualDetails.scan.componentsList.sum { it.vulnsList.size() } > 0
 
         then:
-        "Delete CentOS image and ensure echo still same number of vulns"
+        "Delete UBI9 image and ensure echo still same number of vulns"
         expectedDetails.scan.componentsList.size() == actualDetails.scan.componentsList.size()
         expectedDetails.scan.componentsList.sum { it.vulnsList.size() } ==
                 actualDetails.scan.componentsList.sum { it.vulnsList.size() }
 
         cleanup:
-        deleteStackroxScanner = true
+        if (!scannerV4Enabled) {
+            deleteStackroxScanner = true
+        }
     }
 
     @Unroll
@@ -802,7 +820,7 @@ class ImageScanningTest extends BaseSpecification {
         }
 
         where:
-        testName                                           | integrationName  | scannerName |
+        testName                                           | integrationName  | defaultScannerName |
                 imageIntegrationConfig
         "quay registry with token"                         | "quay"           | "Stackrox Scanner" |
                 { -> QuayImageIntegration.createCustomIntegration(
@@ -819,6 +837,9 @@ class ImageScanningTest extends BaseSpecification {
                 { -> QuayImageIntegration.createCustomIntegration(
                         [oauthToken: Env.mustGet("QUAY_RHACS_ENG_BEARER_TOKEN"), useRobotCreds: true,
                          includeScanner: true,]) }
+
+        // Change the scanner name to Scanner V4 if it is enabled and the test mentions Stackrox Scanner specific.
+        scannerName = (defaultScannerName == "Stackrox Scanner" && scannerV4Enabled) ? "Scanner V4" : defaultScannerName
     }
 
     private static String expectAutoGeneratedRegistry(Secret secret) {
