foreman_cve_scanner 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4c537f1b7be3308efc867b96bb838fe5cad23d5f4994327a6ab50c1c478f1c9
-  data.tar.gz: 3da22a4c998072bb98fbd822ecbe40c2863a3e4c8857a99d5266db1636d4f126
+  metadata.gz: 9eb6f60deb30166fd16ad5e1b8900650207187a7f369ec6143c3ae09c4863ba9
+  data.tar.gz: 5858c93d78633437209e5dfe60047f6e208de6b18643d3d6df6ac10b18c47fa2
 SHA512:
-  metadata.gz: d7f9d8896d88d663c8b2c39a176fe21ed72837d3af69f02d7ea09c9661672fa8791840b0e69cd1529d8cadaf7afb05c7a3870de80124bc2a869dbaa029f40c67
-  data.tar.gz: 01f880e09ae39020890b80871ceeecfdd6ea6029f4f6c9a481910839eae39ec796d313650f24fac8cf4148e45f2592d5f285d85936d9b6b193f7b87520b73954
+  metadata.gz: ab8170a8a127e4be11132dec5ff4325fa910380a6cdfa475feabd71dc22cbf7e48c93fd4ae2071dac78de06fced9a038847ddba4cbf36b29fc61608d3a3e55c6
+  data.tar.gz: b5e3bd7b539425c0c05d00041dca257bc037164a5bf9dc0d326abde21e32bc7ef99f57785f60592f448aac955ed68930575c959bb528e8ebd308a72c891ab571

data/README.md

@@ -4,11 +4,8 @@ Plugin to
 1. install trivy/grype CVE scanners on a host using a Foreman Remote Execution (REX) job
 2. run a CVE scan using a REX job, collect the output and generate a Config Report
    
-
    ![image](https://github.com/ATIX-AG/foreman_cve_scanner/assets/25485845/85e3b676-7d90-41e5-bea5-7e0b5f4a685c)
 
-Not finished yet....
-   
 
 *Introdction here*
 
@@ -19,11 +16,19 @@ for how to install Foreman plugins
 
 ## Usage
 
-*Usage here*
+- Run the REX job to install trivy and/or grype
+- Run the REX job to scan a host
+- Go to the Config Report page for a host to view the scan report
 
 ## TODO
 
-*Todo list here*
+- Better possiblities to filter the Config Report (maybe an extension to ConfigReport in Foreman)
+- Have a scheduled REX Job to scan the hosts
+- Make it visible on the Host Details page or on Foreman directly, if a high priority CVE on a host occurs
+- Export a CVE scan
+- Deliver trivy / grype via Katello
+- More tests
+- API
 
 ## Contributing
 

data/Rakefile

@@ -1,4 +1,3 @@
-#!/usr/bin/env rake
 begin
   require 'bundler/setup'
 rescue LoadError
@@ -14,7 +13,7 @@ end
 
 RDoc::Task.new(:rdoc) do |rdoc|
   rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'ForemanPluginTemplate'
+  rdoc.title    = 'ForemanCveScanner'
   rdoc.options << '--line-numbers'
   rdoc.rdoc_files.include('README.rdoc')
   rdoc.rdoc_files.include('lib/**/*.rb')
@@ -38,7 +37,7 @@ task default: :test
 begin
   require 'rubocop/rake_task'
   RuboCop::RakeTask.new
-rescue
+rescue StandardError => _e
   puts 'Rubocop not loaded.'
 end
 

data/app/lib/actions/{cve_scanner_job.rb → foreman_cve_scanner/cve_scanner_job.rb}

@@ -15,16 +15,16 @@ module Actions
 
       def finalize(*_args)
         host = Host.find(input[:host_id])
-        if host.present?
-          cve_scan_report = format_output(task.main_action.continuous_output.humanize)
-          report = Hash.new
-          report["host"] = host.name
-          report["logs"] = []
-          report["scan"] = cve_scan_report
-          report["reported_at"] = Time.now.utc.to_s
-          report['reporter'] = 'cve_scan'
-          ConfigReportImporter::import(report)
-	end
+        return if host.blank?
+
+        report = {
+          'host' => host.name,
+          'logs' => [],
+          'scan' => format_output(task.main_action.continuous_output.humanize),
+          'reported_at' => Time.now.utc.to_s,
+          'reporter' => 'cve_scan'
+        }
+        ConfigReportImporter.import(report)
       end
 
       private
@@ -46,4 +46,3 @@ module Actions
     end
   end
 end
-

data/app/services/foreman_cve_scanner/cve_report_scanner.rb

@@ -35,27 +35,21 @@ module ForemanCveScanner
       @logs
     end
 
-    def logs
-      @logs
-    end
-
-    def status
-      @status
-    end
+    attr_reader :logs, :status
 
     def metrics
       res = @status
       res['total'] = @status.values.sum
-      return res
+      res
     end
 
     private
 
     def generate_log_from_unified(id, entry)
-      return {
+      {
         'log': {
           'level': consume_severity_level(entry['severity']),
-          'messages': { 
+          'messages': {
             message: "#{id}: #{entry['title']} # url: #{entry['url']}"
           },
           sources: {
@@ -66,68 +60,71 @@ module ForemanCveScanner
     end
 
     def consume_severity_level(severity)
-      @status[severity.downcase] = 0 unless @status.has_key?(severity.downcase)
+      @status[severity.downcase] = 0 unless @status.key?(severity.downcase)
       @status[severity.downcase] += 1
 
-      log = case severity
-            when 'CRITICAL'
-              'err'
-            when 'HIGH'
-              'warning'
-            when 'MEDIUM'
-              'info'
-            when 'LOW'
-              'debug'
-            else 
-              'info'
-            end
-      return log
+      case severity
+      when 'CRITICAL'
+        'err'
+      when 'HIGH'
+        'warning'
+      when 'MEDIUM'
+        'info'
+      when 'LOW'
+        'debug'
+      else
+        'info'
+      end
     end
 
     def generate_grype_entry(entry)
-      unified = {}
-      unified['name'] = entry['artifact']['name']
-      unified['version'] = entry['artifact']['version']
-      unified['title'] = entry['vulnerability']['description'].gsub(/[\[\]"\\]/, "")
-      unified['severity'] = entry['vulnerability']['severity']
-      unified['url'] = entry['vulnerability']['dataSource']
-      return unified
+      {
+        'name' => entry['artifact']['name'],
+        'version' => entry['artifact']['version'],
+        'title' => entry['vulnerability']['description'].gsub(/[\[\]"\\]/, ''),
+        'severity' => entry['vulnerability']['severity'],
+        'url' => entry['vulnerability']['dataSource']
+      }
     end
 
     def generate_trivy_entry(entry)
-      unified = {}
-      unified['name'] = entry['PkgName']
-      unified['version'] = entry['InstalledVersion']
-      unified['title'] = entry['Title'].gsub(/[\[\]"\\]/, "")
-      unified['severity'] = entry['Severity']
-      unified['url'] = entry['PrimaryURL']  
-      unified['status'] = entry['Status'] 
-      unified['fixed'] = entry['FixedVersion'] || 'open'
-      unified['published'] = entry['PublishedDate'] if entry.has_key?('PublishedDate')
-      return unified
+      unified = {
+        'name' => entry['PkgName'],
+        'version' => entry['InstalledVersion'],
+        'title' => entry['Title'].gsub(/[\[\]"\\]/, ''),
+        'severity' => entry['Severity'],
+        'url' => entry['PrimaryURL'],
+        'status' => entry['Status'],
+        'fixed' => entry['FixedVersion'] || 'open'
+      }
+      unified['published'] = entry['PublishedDate'] if entry.key?('PublishedDate')
+      unified
     end
 
+    # rubocop:disable Metrics/AbcSize
     def generate_unified_vuls
-      j = @raw_data['scan']
+      raise ::Foreman::Exception, _('Invalid CVE scanner report') unless @raw_data.key?('scan')
 
+      j = @raw_data['scan']
       vuls = {}
-      if j.has_key?('matches')  # Grype
+      if j.key?('matches') # Grype
         j['matches'].each do |vul|
           vuls[vul['vulnerability']['id']] = generate_grype_entry(vul)
         end
-      elsif j.has_key?('Results') # Trivy
+      elsif j.key?('Results') # Trivy
         j['Results'].each do |r|
-          next unless r.has_key? 'Vulnerabilities'
+          next unless r.key? 'Vulnerabilities'
           r['Vulnerabilities'].each do |vul|
             vuls[vul['VulnerabilityID']] = generate_trivy_entry(vul)
           end
-        end   
+        end
       else
-        Rails.logger.error "Unsupported cve scanner report format"
-        raise ::Foreman::Exception.new(_('Invalid report'))
+        Rails.logger.error 'Unsupported cve scanner report format'
+        raise ::Foreman::Exception, _('Unsupported cve scanner report format')
       end
 
       vuls
     end
+    # rubocop:enable Metrics/AbcSize
   end
 end

data/app/views/foreman_cve_scanner/job_templates/install_cve_scanners.erb

@@ -7,27 +7,65 @@ job_category: Security
 provider_type: script
 template_inputs:
 - name: trivy_version
+  description: 'Trivy version to install'
   required: true
   input_type: user
   advanced: false
-  value_type: plain
-  default: 0.48.1
-  hidden_value: false
+  default: 0.53.0
 - name: grype_version
+  description: 'Grype version to install'
   required: true
   input_type: user
   advanced: false
-  value_type: plain
-  default: 0.73.5
-  hidden_value: false
+  default: 0.79.3
+- name: scanner_to_install
+  description: 'Choose which scanner to install (Default: both)'
+  required: false
+  input_type: user
+  advanced: false
+  default: both
+  options: "both\r\ntrivy\r\ngrype"
 %>
 # Install CVE scanners from github
 <%
 trivy_version = input('trivy_version')
 grype_version = input('grype_version')
 
-trivy_url = "https://github.com/aquasecurity/trivy/releases/download/v#{trivy_version}/trivy_#{trivy_version}_Linux-64bit.rpm"
-grype_url = "https://github.com/anchore/grype/releases/download/v#{grype_version}/grype_#{grype_version}_linux_amd64.rpm"
+case @host.operatingsystem.family.to_s
+when 'Debian'
+  pkg = 'deb'
+when 'Redhat', 'Suse'
+  pkg = 'rpm'
+else
+  raise("OS '#{@host.operatingsystem.family}' not supported by template #{template_name}")
+end
+
+case @host.architecture.to_s
+when 'x86_64'
+  trivy_arch = 'Linux-64bit'
+  grype_arch = 'linux-amd64'
+when 'ppc64le'
+  trivy_arch = 'Linux-PPC64LE'
+  grype_arch = 'linux-ppc64le'
+when 'aarch64'
+  trivy_arch = 'Linux-ARM64'
+  grype_arch = 'linux-arm64'
+else
+  raise("Architecture '#{@host.architecture}' not supported by template #{template_name}")
+end
+
+trivy_url = "https://github.com/aquasecurity/trivy/releases/download/v#{trivy_version}/trivy_#{trivy_version}_#{trivy_arch}.#{pkg}"
+grype_url = "https://github.com/anchore/grype/releases/download/v#{grype_version}/grype_#{grype_version}_#{grype_arch}.#{pkg}"
+
+case @host.operatingsystem.family
+when 'Debian'
+  trivy_install_cmd = "wget -o /tmp/outfile.deb #{trivy_url} && dpkg -i /tmp/outfile.deb; rm -f /tmp/outfile.deb"
+  grype_install_cmd = "wget -o /tmp/outfile.deb #{grype_url} && dpkg -i /tmp/outfile.deb; rm -f /tmp/outfile.deb"
+when 'Redhat', 'Suse'
+  trivy_install_cmd = "rpm -ivh #{trivy_url}"
+  grype_install_cmd = "rpm -ivh #{grype_url}"
+end
 -%>
 
-yum install --assumeyes <%= trivy_url %> <%= grype_url %>
+<%= trivy_install_cmd if input('scanner_to_install') == 'both' || input('scanner_to_install') == 'trivy' %>
+<%= grype_install_cmd if input('scanner_to_install') == 'both' || input('scanner_to_install') == 'grype' %>

data/app/views/foreman_cve_scanner/job_templates/run_cve_scanner.erb

@@ -54,7 +54,7 @@ scanners = {
 
 if scanner == 'trivy'
     cmd = "#{scanners[:trivy][target]} #{path}"
-    options += " --scanners vuln --quiet --format json"
+    options += " --exit-code 0 --scanners vuln --quiet --format json"
 elsif scanner == 'grype'
     cmd = "#{scanners[:grype][target]}:#{path}"
     options += " --quiet --quiet --output json"

data/lib/foreman_cve_scanner/engine.rb

@@ -1,15 +1,16 @@
+require 'foreman_remote_execution'
+
 module ForemanCveScanner
   class Engine < ::Rails::Engine
     engine_name 'foreman_cve_scanner'
 
-    config.autoload_paths += Dir["#{config.root}/app/services"]
-    config.autoload_paths += Dir["#{config.root}/app/lib"]
-
-    initializer 'foreman_cve_scanner.register_plugin', :before => :finisher_hook do |_app|
-      Foreman::Plugin.register :foreman_cve_scanner do
-        requires_foreman '>= 3.5.0'
-        register_report_scanner ForemanCveScanner::CveReportScanner
-        register_report_origin 'CveScanner', 'ConfigReport'
+    initializer 'foreman_cve_scanner.register_plugin', :before => :finisher_hook do |app|
+      app.reloader.to_prepare do
+        Foreman::Plugin.register :foreman_cve_scanner do
+          requires_foreman '>= 3.13'
+          register_report_scanner ForemanCveScanner::CveReportScanner
+          register_report_origin 'CveScanner', 'ConfigReport'
+        end
       end
     end
 

data/lib/foreman_cve_scanner/version.rb

@@ -1,3 +1,3 @@
 module ForemanCveScanner
-  VERSION = '0.0.1'.freeze
+  VERSION = '0.0.2'.freeze
 end

data/lib/tasks/foreman_cve_scanner_tasks.rake

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# Tests
+namespace :test do
+  desc 'Foreman Cve Scanner plugin tests'
+  Rake::TestTask.new(:foreman_cve_scanner) do |t|
+    test_dir = File.join(__dir__, '..', '..', 'test')
+    t.libs << ['test', test_dir]
+    t.pattern = "#{test_dir}/**/*_test.rb"
+    t.test_files = [Rails.root.join('test/unit/foreman/access_permissions_test.rb')]
+    t.verbose = false
+    t.warning = false
+  end
+end
+
+Rake::Task[:test].enhance ['test:foreman_cve_scanner']