Skip to content

Commit

Permalink
cli/dev - Add getImagesSecurityIssues command to discover images w/ s…
Browse files Browse the repository at this point in the history
…ec issues

The idea is to have a developer command to quickly get a reports
of images with Critical or High security issues level reported by quay.io/Clair.

If any we could just trigger a rebuild of the image.

Change-Id: Ia29de47312e15d7234ce56820af3024ded66caaa
  • Loading branch information
morucci committed Apr 25, 2024
1 parent 8e5b396 commit 9c9ca7f
Show file tree
Hide file tree
Showing 4 changed files with 117 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
## [in development]

### Added

- Dev CLI - Add command "go run ./main.go dev getImagesSecurityIssue" to ease getting a small report of HIGH
and CRITICAL Security issues reported by quay.io on container images used by the sf-operator.

### Changed

- Zookeeper version bumped to 3.8.4
Expand Down
85 changes: 85 additions & 0 deletions cli/cmd/dev/dev.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,10 @@ package dev

import (
"context"
"encoding/json"
"errors"
"fmt"
"net/http"
"os"
"path/filepath"
"strings"
Expand All @@ -28,6 +31,7 @@ import (
ms "github.com/softwarefactory-project/sf-operator/cli/cmd/dev/microshift"
cliutils "github.com/softwarefactory-project/sf-operator/cli/cmd/utils"
"github.com/softwarefactory-project/sf-operator/controllers"
"github.com/softwarefactory-project/sf-operator/controllers/libs/base"
"k8s.io/client-go/rest"

"github.com/spf13/cobra"
Expand Down Expand Up @@ -293,6 +297,79 @@ func devCloneAsAdmin(kmd *cobra.Command, args []string) {
gerrit.CloneAsAdmin(&env, fqdn, repoName, dest, verify)
}

func getImagesSecurityIssues(kmd *cobra.Command, args []string) {

const quaySFBaseURL = "https://quay.io/api/v1/repository/software-factory/"

type Vuln struct {
Severity string
Link string
Name string
}

type Feature struct {
Name string
Vulnerabilities []Vuln
}

type Layer struct {
Features []Feature
}

type Data struct {
Layer Layer
}

type Scan struct {
Status string
Data Data
}

type Tag struct {
ManifestDigest string `json:"manifest_digest"`
}

type Image struct {
Name string
Tags map[string]Tag
}

getImageDigest := func(image base.Image) string {

url := quaySFBaseURL + image.Name
resp, _ := http.Get(url)
target := Image{}
json.NewDecoder(resp.Body).Decode(&target)

return target.Tags[image.Version].ManifestDigest

}

getImageReport := func(image base.Image) {

digest := getImageDigest(image)
manifest := image.Name + "/manifest/" + digest
url := quaySFBaseURL + manifest + "/security"
resp, _ := http.Get(url)
target := Scan{}
json.NewDecoder(resp.Body).Decode(&target)

println("\nScan result for: " + image.Name)
for _, feature := range target.Data.Layer.Features {
for _, vuln := range feature.Vulnerabilities {
if vuln.Severity == "High" || vuln.Severity == "Critical" {
fmt.Printf("- %s [%s] %s\n", feature.Name, vuln.Severity, vuln.Name)
}
}
}
}

for _, image := range base.GetSelfManagedImages() {
getImageReport(image)
}

}

func MkDevCmd() *cobra.Command {

var (
Expand Down Expand Up @@ -337,6 +414,11 @@ func MkDevCmd() *cobra.Command {
ValidArgs: devRunTestsAllowedArgs,
Run: devRunTests,
}
getImagesSecurityIssuesCmd = &cobra.Command{
Use: "getImagesSecurityIssues",
Long: "Return the list of security issues reported by Quay.io (only High and Critical)",
Run: getImagesSecurityIssues,
}
)
// args
wipeCmd.Flags().BoolVar(&deleteData, "rm-data", false, "Delete also persistent data. This will result in data loss, like review history.")
Expand All @@ -362,5 +444,8 @@ func MkDevCmd() *cobra.Command {
devCmd.AddCommand(wipeCmd)
devCmd.AddCommand(cloneAsAdminCmd)
devCmd.AddCommand(runTestsCmd)

devCmd.AddCommand(getImagesSecurityIssuesCmd)

return devCmd
}
18 changes: 17 additions & 1 deletion controllers/libs/base/images.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,16 @@ type Image struct {
Source string `yaml:"source,omitempty"`
}

func getImage(name string) string {
func loadImages() ContainerImages {
var images ContainerImages
if err := yaml.UnmarshalStrict([]byte(imagesYAML), &images); err != nil {
panic(err)
}
return images
}

func getImage(name string) string {
images := loadImages()
for _, image := range images.Images {
if image.Name == name {
return image.Container + ":" + image.Version
Expand All @@ -38,6 +43,17 @@ func getImage(name string) string {
panic("Unknown container image: " + name)
}

func GetSelfManagedImages() []Image {
ret := []Image{}
images := loadImages()
for _, image := range images.Images {
if image.Source != "" {
ret = append(ret, image)
}
}
return ret
}

func ZuulExecutorImage() string {
return getImage("zuul-executor")
}
Expand Down
11 changes: 11 additions & 0 deletions doc/reference/cli/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ deployments, beyond what can be defined in a custom resource manifest.
- [create standalone-sf](#create-standalone-sf)
- [run-tests](#run-tests)
- [wipe gerrit](#wipe-gerrit)
- [getImagesSecurityIssues](#getimagessecurityissues)
1. [Init](#init)
1. [Nodepool](#nodepool)
- [configure providers-secrets](#configure-providers-secrets)
Expand Down Expand Up @@ -270,6 +271,16 @@ Flags:
|----------|------|-------|----|----|
| --rm-data | boolean | Also delete persistent data (repositories, reviews) | yes | False |

#### getImagesSecurityIssues

To get a report of Security Issues reported by quay.io for container images used by the
sf-operator run: `dev getImageSecurityIssue`. This command helps to decide if we need to
rebuild container images to benefit last security fixes from the base OS.

```sh
sf-operator dev getImagesSecurityIssues
```

### Init

The `init` subcommand can be used to initialize a CLI configuration file, or a sample manifest for deploying Software Factory.
Expand Down

0 comments on commit 9c9ca7f

Please sign in to comment.