From ece0db813169ea5f142bcd2a27a3ebe1e49eba67 Mon Sep 17 00:00:00 2001
From: chrisvintc
Date: Wed, 26 Jan 2022 22:44:44 -0800
Subject: [PATCH] Adding support for network-share installed XCC (#13)
* Adding support for network-share installed XCC
* CVE scan: only block CD on critical
---
 .../workflows/1rtos-container-image-build.yml | 26 +++++++++++++++----
 .../workflows/1rtos-container-image-push.yml | 2 +-
 Dockerfile | 4 +++
 3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/1rtos-container-image-build.yml b/.github/workflows/1rtos-container-image-build.yml
index b1ce24c6a336a7..447753fb6ad130 100644
--- a/.github/workflows/1rtos-container-image-build.yml
+++ b/.github/workflows/1rtos-container-image-build.yml
@@ -25,8 +25,8 @@ jobs:
 docker build --build-arg UID=$(id -u) --build-arg GID=$(id -g) --build-arg HTTPPROXY=$http_proxy --build-arg HTTPSPROXY=$https_proxy --build-arg NOPROXY=$no_proxy -t 127.0.0.1:5000/sdk-docker-intel:main.stg .
 docker push 127.0.0.1:5000/sdk-docker-intel:main.stg
 shell: bash
-# Run aquasecurity/trivy-action for CRITICAL & HIGH CVS
- scanImage:
+# Run aquasecurity/trivy-action for CRITICAL CVEs, will block CI
+ scanImageCritical:
 runs-on: testhead
 needs: [ buildAndStageImage ]
 steps:
@@ -39,12 +39,28 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ severity: 'CRITICAL'
+
+# Run aquasecurity/trivy-action for HIGH CVEs, does not gate CI
+ scanImageHigh:
+ runs-on: testhead
+ needs: [ buildAndStageImage ]
+ steps:
+ - uses: actions/checkout@v2
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: '127.0.0.1:5000/sdk-docker-intel:main.stg'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'HIGH'
 # now run twister, using the -B option along with matrix expansion to distribute workload
 runTwister:
 runs-on: uzdo128
- needs: [ scanImage ]
+ needs: [ scanImageCritical ]
 defaults:
 run:
 shell: bash
@@ -80,7 +96,7 @@ jobs:
 # For this build workflow, no actions are taken by OneRTOS-CI-Passed, just status
 # echo.
 OneRTOS-CI-Passed:
- needs: [ buildAndStageImage, scanImage, runTwister ]
+ needs: [ buildAndStageImage, scanImageCritical, runTwister ]
 runs-on: testhead
 steps:
 - name: Post run steps
diff --git a/.github/workflows/1rtos-container-image-push.yml b/.github/workflows/1rtos-container-image-push.yml
index f4671939c75a3e..60b31ed3a1bbbd 100644
--- a/.github/workflows/1rtos-container-image-push.yml
+++ b/.github/workflows/1rtos-container-image-push.yml
@@ -27,7 +27,7 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH'
+ severity: 'CRITICAL'
 # now run twister, using the -B option along with matrix expansion to distribute workload
 runTwister:
diff --git a/Dockerfile b/Dockerfile
index f82299adab3654..b1d3f04187e0d5 100644
--- a/Dockerfile
+++ b/Dockerfile
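Review bot: The new `scanImageHigh` job keeps `exit-code: '1'`, so any HIGH finding still fails that job and marks the workflow run as failed even though the comment above it says it does not gate CI; the run is only unblocked because nothing lists the job in `needs:`. Making the intent explicit with `continue-on-error: true` on the job avoids a permanently red check that people learn to ignore. The added `uses: aquasecurity/trivy-action@master` tracks a moving branch, so the scanner code can change under this workflow without any commit here; pinning to a release tag or a full commit SHA is the usual fix, and the same applies to the pre-existing gating job. Since the job is renamed to `scanImageCritical` in the `needs:` lists here and in the later OneRTOS-CI-Passed hunk, any branch-protection rule that required the old `scanImage` check name presumably needs updating as well. The hunk opens inside the `with:` block of the critical scan job and the runTwister job continues past it.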
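Review bot: In the push workflow the scan is narrowed to `severity: 'CRITICAL'` with nothing added in its place, so HIGH findings are no longer reported at all on this path, whereas the build workflow keeps a separate non-gating HIGH scan. If the intent is only to stop blocking on HIGH, restoring `severity: 'CRITICAL,HIGH'` together with `exit-code: '0'`, or adding a non-gating HIGH job mirroring the build workflow, preserves visibility of those CVEs in the image that is actually pushed. The enclosing scan job starts before this hunk.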
@@ -172,6 +172,10 @@ RUN apt update && apt install -y --no-install-recommends curl && \
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \
 apt update && apt install gh
+# Support xcc compiler installed on NFS share
+RUN apt update && apt install -y --no-install-recommends zlib1g:i386 libc6-i386 lib32ncurses6 lib32ncurses-dev
+ENV XTENSAD_LICENSE_FILE=84300@xtensa01p.elic.intel.com
+
 RUN apt-get clean && \
 sudo apt-get autoremove --purge