greenbone · nichtsfrei · Feb 10, 2025 · Feb 4, 2025 · Feb 4, 2025 · Feb 4, 2025
@@ -34,17 +34,21 @@ RUN apt-get update && apt-get install --no-install-recommends --no-install-sugge
   libpopt0 \
   libcurl4-gnutls-dev \
   libcurl4 \
-  libcgreen1-dev \
+  # libcgreen1-dev \
   libhiredis-dev \
   libkrb5-dev \
   && rm -rf /var/lib/apt/lists/*
 
+RUN curl -L -o cgreen.tar.gz https://github.com/cgreen-devs/cgreen/archive/refs/tags/1.6.3.tar.gz -k
+RUN tar -xzf cgreen.tar.gz && cd cgreen-1.6.3
+RUN make install
+RUN ldconfig
 COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/
 RUN cmake -DCMAKE_BUILD_TYPE=Release -DINSTALL_OLD_SYNC_SCRIPT=OFF -B/build /source
 RUN DESTDIR=/install cmake --build /build -- install
+# TODO: add rust?
 
 FROM registry.community.greenbone.net/community/gvm-libs:${GVM_LIBS_VERSION}
-ARG TARGETPLATFORM
 RUN apt-get update && apt-get install --no-install-recommends --no-install-suggests -y \
   bison \
   libglib2.0-0 \
@@ -75,11 +79,6 @@ RUN apt-get update && apt-get install --no-install-recommends --no-install-sugge
   zlib1g\
   && rm -rf /var/lib/apt/lists/*
 COPY .docker/openvas.conf /etc/openvas/
-# must be pre built within the rust dir and moved to the bin dir
-# usually this image is created within in a ci ensuring that the
-# binary is available.
-COPY assets/$TARGETPLATFORM/scannerctl /usr/local/bin/scannerctl
-RUN chmod +x /usr/local/bin/scannerctl
 COPY --from=build /install/ /
 COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/
 COPY --from=openvas-smb /usr/local/bin/ /usr/local/bin/

@@ -4,6 +4,7 @@ ARG REPOSITORY=greenbone/openvas-scanner
 ARG GVM_LIBS_VERSION=testing-edge
 
 FROM greenbone/openvas-smb:testing-edge AS openvas-smb
+FROM rust AS rust
 
 FROM registry.community.greenbone.net/community/gvm-libs:${GVM_LIBS_VERSION} AS build
 COPY . /source
@@ -42,8 +43,17 @@ COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/
 RUN cmake -DCMAKE_BUILD_TYPE=Release -DINSTALL_OLD_SYNC_SCRIPT=OFF -B/build /source
 RUN DESTDIR=/install cmake --build /build -- install
 
+COPY --from=rust /usr/local/cargo/ /usr/local/cargo/
+COPY --from=rust /usr/local/rustup/ /usr/local/rustup/
+ENV RUSTUP_HOME=/usr/local/rustup \
+    CARGO_HOME=/usr/local/cargo \
+    PATH=/usr/local/cargo/bin:$PATH
+RUN apt update && apt install -y ca-certificates
+RUN cargo build --release
+RUN cp target/release/openvasd /install/usr/local/bin
+RUN cp target/release/scannerctl /install/usr/local/bin
+
 FROM registry.community.greenbone.net/community/gvm-libs:${GVM_LIBS_VERSION}
-ARG TARGETPLATFORM
 RUN apt-get update
 RUN apt-get install --no-install-recommends --no-install-suggests -y \
   bison \
@@ -76,11 +86,6 @@ RUN apt-get install --no-install-recommends --no-install-suggests -y \
   zlib1g
 RUN rm -rf /var/lib/apt/lists/*
 COPY .docker/openvas.conf /etc/openvas/
-# must be pre built within the rust dir and moved to the bin dir
-# usually this image is created within in a ci ensuring that the
-# binary is available.
-COPY assets/$TARGETPLATFORM/scannerctl /usr/local/bin/scannerctl
-RUN chmod +x /usr/local/bin/scannerctl
 COPY --from=build /install/ /
 COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/
 COPY --from=openvas-smb /usr/local/bin/ /usr/local/bin/

@@ -2,6 +2,7 @@
 # this allows to work on forked repository
 ARG REPOSITORY=greenbone/openvas-scanner
 
+FROM rust AS rust
 FROM greenbone/openvas-smb AS openvas-smb
 
 FROM registry.community.greenbone.net/community/gvm-libs:${VERSION} AS build
@@ -10,9 +11,20 @@
 COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/
 RUN cmake -DCMAKE_BUILD_TYPE=Release -DINSTALL_OLD_SYNC_SCRIPT=OFF -B/build /source
 RUN DESTDIR=/install cmake --build /build -- install
+WORKDIR /source/rust
+COPY --from=rust /usr/local/cargo/ /usr/local/cargo/
+COPY --from=rust /usr/local/rustup/ /usr/local/rustup/
+ENV RUSTUP_HOME=/usr/local/rustup \
+    CARGO_HOME=/usr/local/cargo \
+    PATH=/usr/local/cargo/bin:$PATH
+RUN apt update && apt install -y ca-certificates
+RUN cargo build --release
+RUN cp target/release/openvasd /install/usr/local/bin
+RUN cp target/release/scannerctl /install/usr/local/bin
+# Do we want to copy feed verifier as well?
+# RUN cp release/feed-verifier /install/bin
 
 FROM registry.community.greenbone.net/community/gvm-libs:${VERSION}
-ARG TARGETPLATFORM
 RUN apt-get update && apt-get install --no-install-recommends --no-install-suggests -y \
   bison \
   libglib2.0-0 \
@@ -42,13 +54,11 @@
   libssh-4 \
   && rm -rf /var/lib/apt/lists/*
 COPY .docker/openvas.conf /etc/openvas/
+
+
 # must be pre built within the rust dir and moved to the bin dir
 # usually this image is created within in a ci ensuring that the
 # binary is available.
-COPY assets/$TARGETPLATFORM/scannerctl /usr/local/bin/scannerctl
-COPY assets/$TARGETPLATFORM/openvasd /usr/local/bin/openvasd
-RUN chmod +x /usr/local/bin/scannerctl
-RUN chmod +x /usr/local/bin/openvasd
 COPY --from=build /install/ /
 COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/
 COPY --from=openvas-smb /usr/local/bin/ /usr/local/bin/
@@ -58,4 +68,4 @@
 # allow nmap to send e.g. UDP or TCP SYN probes without root permissions
 ENV NMAP_PRIVILEGED=1
 RUN setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
 CMD /usr/local/bin/openvasd
@@ -0,0 +1,32 @@
+name: "Compile Rust aarch64"
+runs:
+  using: "composite"
+  steps:
+    - uses: ./.github/actions/setup-rust
+    - run: cargo install cross || true
+      shell: bash
+    - run: CROSS_CONFIG=Cross.toml cross -v build --release --target aarch64-unknown-linux-gnu
+      working-directory: rust
+      shell: bash
+    - name: "patch for debian stable"
+      working-directory: rust
+      run: |
+        find . -type f -name "scannerctl"
+        patchelf --replace-needed libpcap.so.1 libpcap.so.0.8 target/aarch64-unknown-linux-gnu/release/scannerctl
+        patchelf --replace-needed libz.so libz.so.1 target/aarch64-unknown-linux-gnu/release/scannerctl
+    - run: mkdir assets/
+      shell: bash
+    - run: mkdir -p assets/linux/arm64
+      shell: bash
+    - run: mv rust/target/aarch64-unknown-linux-gnu/release/openvasd assets/linux/arm64/openvasd
+      shell: bash
+    - run: mv rust/target/aarch64-unknown-linux-gnu/release/scannerctl assets/linux/arm64/scannerctl
+      shell: bash
+    - run: mv rust/target/aarch64-unknown-linux-gnu/release/feed-verifier assets/linux/arm64/feed-verifier
+      shell: bash
+    - name: archive
+      uses: actions/upload-artifact@v4
+      with:
+        name: rs-binaries
+        path: assets/*
+        retention-days: 1
@@ -0,0 +1,33 @@
+name: "Compile Rust x86_64"
+runs:
+  using: "composite"
+  steps:
+    - uses: ./.github/actions/setup-rust
+    - run: cargo install cross || true
+      shell: bash
+    - run: CROSS_CONFIG=Cross.toml cross build --release --target x86_64-unknown-linux-gnu
+      working-directory: rust
+      shell: bash
+    - name: "patch for debian stable"
+      working-directory: rust
+      shell: bash
+      run: |
+        find . -type f -name "scannerctl"
+        patchelf --replace-needed libpcap.so.1 libpcap.so.0.8 target/x86_64-unknown-linux-gnu/release/scannerctl
+        patchelf --replace-needed libz.so libz.so.1 target/x86_64-unknown-linux-gnu/release/scannerctl
+    - run: mkdir assets/
+      shell: bash
+    - run: mkdir -p assets/linux/amd64
+      shell: bash
+    - run: mv rust/target/x86_64-unknown-linux-gnu/release/openvasd assets/linux/amd64/openvasd
+      shell: bash
+    - run: mv rust/target/x86_64-unknown-linux-gnu/release/scannerctl assets/linux/amd64/scannerctl
+      shell: bash
+    - run: mv rust/target/x86_64-unknown-linux-gnu/release/feed-verifier assets/linux/amd64/feed-verifier
+      shell: bash
+    - name: archive
+      uses: actions/upload-artifact@v4
+      with:
+        name: rs-binaries
+        path: assets/*
+        retention-days: 1
@@ -3,6 +3,15 @@ description: "Install necessary dependencies and set up Rust stable"
 runs:
   using: "composite"
   steps:
+    - uses: actions/cache@v4
+      with:
+        path: |
+          ~/.cargo/bin/
+          ~/.cargo/registry/index/
+          ~/.cargo/registry/cache/
+          ~/.cargo/git/db/
+          rust/target/
+        key: ${{ runner.os }}-cargo-${{ hashFiles('rust/Cargo.lock') }}
     - run: sudo apt update || true
       shell: bash
     - run: sudo apt-get install -y libpcap-dev

@@ -35,7 +35,7 @@ apt-get update && apt-get install --no-install-recommends --no-install-suggests
     libhiredis-dev \
     && rm -rf /var/lib/apt/lists/*
 
-curl -L -o cgreen.tar.gz https://github.com/cgreen-devs/cgreen/archive/refs/tags/1.6.2.tar.gz -k
-tar -xzf cgreen.tar.gz && cd cgreen-1.6.2
+curl -L -o cgreen.tar.gz https://github.com/cgreen-devs/cgreen/archive/refs/tags/1.6.3.tar.gz -k
+tar -xzf cgreen.tar.gz && cd cgreen-1.6.3
 make install
 ldconfig
@@ -4,7 +4,7 @@
 # workflow.
 [ -z $FEED_DIR ] && FEED_DIR="/var/lib/openvas/plugins"
 DOCKER_CMD=docker
-FEED_IMAGE="greenbone/vulnerability-tests"
+FEED_IMAGE="registry.community.greenbone.net/community/vulnerability-tests"
 set -e
 printf "Copying feed $FEED_IMAGE "
 FEED_VERSION=$($DOCKER_CMD run --rm $FEED_IMAGE sh -c 'ls /var/lib/openvas/' | sort -r | head -n 1)

@@ -19,42 +19,10 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            rust/target/
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-      - run: rustup update stable && rustup default stable
-        # ignore failing install, it may already be installed
-      - run: cargo install cross || true
-      - run: CROSS_CONFIG=Cross.toml cross -v build --release --target aarch64-unknown-linux-gnu
+      - uses: ./.github/actions/setup-rust
+      # we just check if it is compilable, the actual compilation is now done in:
+      # - in the Dockefiles
+      # - in functional.yml (x86_64) only
+      # - in release.yml (aarch64, x86_64)
+      - run: cargo check
         working-directory: rust
-      - run: CROSS_CONFIG=Cross.toml cross build --release --target x86_64-unknown-linux-gnu
-        working-directory: rust
-      - name: "patch for debian stable"
-        working-directory: rust
-        run: |
-          find . -type f -name "scannerctl"
-          patchelf --replace-needed libpcap.so.1 libpcap.so.0.8 target/aarch64-unknown-linux-gnu/release/scannerctl
-          patchelf --replace-needed libpcap.so.1 libpcap.so.0.8 target/x86_64-unknown-linux-gnu/release/scannerctl
-          patchelf --replace-needed libz.so libz.so.1 target/aarch64-unknown-linux-gnu/release/scannerctl
-          patchelf --replace-needed libz.so libz.so.1 target/x86_64-unknown-linux-gnu/release/scannerctl
-      - run: mkdir assets/
-      - run: mkdir -p assets/linux/amd64
-      - run: mkdir -p assets/linux/arm64
-      - run: mv rust/target/aarch64-unknown-linux-gnu/release/openvasd assets/linux/arm64/openvasd
-      - run: mv rust/target/x86_64-unknown-linux-gnu/release/openvasd assets/linux/amd64/openvasd
-      - run: mv rust/target/aarch64-unknown-linux-gnu/release/scannerctl assets/linux/arm64/scannerctl
-      - run: mv rust/target/x86_64-unknown-linux-gnu/release/scannerctl assets/linux/amd64/scannerctl
-      - run: mv rust/target/aarch64-unknown-linux-gnu/release/feed-verifier assets/linux/arm64/feed-verifier
-      - run: mv rust/target/x86_64-unknown-linux-gnu/release/feed-verifier assets/linux/amd64/feed-verifier
-      - name: archive
-        uses: actions/upload-artifact@v4
-        with:
-          name: rs-binaries
-          path: assets/*
-          retention-days: 1
@@ -75,15 +75,14 @@ jobs:
     name: unit-tests
     uses: ./.github/workflows/tests.yml
   build:
-    needs: [unittests]
     uses: ./.github/workflows/build.yml
   linting:
     uses: ./.github/workflows/linting.yml
   functional:
-    needs: [build]
+    needs: [unittests, build]
     uses: ./.github/workflows/functional.yaml
   container:
-    needs: [build, init, functional]
+    needs: [build, init]
     uses: ./.github/workflows/push-container.yml
     secrets:
       dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }}

@@ -22,9 +22,14 @@ jobs:
       - run: docker run --rm test ldd /usr/local/sbin/openvas
       - run: docker run --rm test ldd /usr/local/sbin/openvas | grep libopenvas_wmiclient
       - run: docker rmi test || true
-  # TESTS that are possible before pushing an image
+  build-rs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/compile-x86_64
   tests:
     runs-on: ubuntu-latest
+    needs: [build-rs]
     services:
       redis:
         image: redis

@@ -28,7 +28,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-rust
-      - run: cargo install typos-cli
+      - run: cargo install typos-cli || true
       - run: typos
   Rust-Audit:
     runs-on: ubuntu-latest
@@ -37,7 +37,7 @@ jobs:
         working-directory: rust
     steps:
       - uses: actions/checkout@v4
-      - run: cargo install cargo-audit
+      - run: cargo install cargo-audit || true
       - run: cargo audit
   License-Headers:
     runs-on: ubuntu-latest

@@ -17,45 +17,30 @@ on:
 
 jobs:
   debian_oldstable:
-    name: debian:oldstable
-    runs-on: ubuntu-latest
+    name: ghcr:debian:oldstable
+    runs-on: "ubuntu-latest"
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Container build and push 3rd gen
+        id: build-and-push
+        uses: greenbone/actions/container-build-push-generic@v3
         with:
-          name: rs-binaries
-          path: assets
-      - name: "Set labels and tags"
-        id: old_stable_meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ github.repository }}
-          labels: |
+          build-docker-file: .docker/prod.Dockerfile
+          build-args: |
+            REPOSITORY=${{ github.repository }}
+          cosign-key: ${{ secrets.cosign_key_opensight }}
+          cosign-key-password: ${{ secrets.cosign_password_opensight }}
+          # The tlog function does not currently support an ed25519 key.
+          cosign-tlog-upload: "false"
+          image-labels: |
             org.opencontainers.image.vendor=Greenbone
             org.opencontainers.image.base.name=greenbone/gvm-libs
-          flavor: latest=false # no auto latest container tag for git tags
-          tags: |
-            # for the images provided for debian:oldstable we just provide
-            # oldstable on an new version or oldstable-edge when it is on main.
-            # oldstable-branch-sha on a branch
+          image-tags: |
             type=raw,value=oldstable,enable=${{ inputs.is_latest_tag }}
             type=raw,value=oldstable-edge,enable=${{ github.ref_name == 'main' }}
             type=raw,value=oldstable-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
             type=ref,event=pr
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - name: Login to DockerHub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.dockerhub_user }}
-          password: ${{ secrets.dockerhub_token }}
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}
-          file: .docker/prod-oldstable.Dockerfile
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.old_stable_meta.outputs.tags }}
-          labels: ${{ steps.old_stable_meta.outputs.labels }}
+          registry: ${{ vars.IMAGE_REGISTRY }}
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}