RubyGems - quayio-scanner - Versions diffs - 0.1.1 → 0.2.0 - Mend

quayio-scanner 0.1.1 → 0.2.0

Files changed (12) hide show

checksums.yaml +5 -5
data/.gitignore +2 -0
data/.rubocop.yml +11 -0
data/Rakefile +6 -1
data/bin/check-container-vulnerabilities.rb +9 -1
data/lib/quayio/scanner.rb +3 -1
data/lib/quayio/scanner/check.rb +17 -10
data/lib/quayio/scanner/image.rb +24 -46
data/lib/quayio/scanner/repository.rb +42 -0
data/lib/quayio/scanner/version.rb +1 -1
data/quayio-scanner.gemspec +6 -5
metadata +37 -22

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 968d7b786053e45ce5630a356686d164b8d3a342
-  data.tar.gz: cfb261c4c614818113b1f5fe58da950b1d5f6762
+SHA256:
+  metadata.gz: 62a2ef4b20397cec2c5a06cd141f61c4f9b0ab00ccdef0dbc235f39ada492232
+  data.tar.gz: a6bf579dc9491d3c4a8cc5d002148bed5bdadba1bb7b28ec17a3b4f6c429ac75
 SHA512:
-  metadata.gz: d07176ec4c37a6c257fa45ae946a6724033513275ea610072a9beee69a84aa6440bd48c7dfa01a311da9a9adf36b80267ea1da51b6ac8cc2da09ff814cf88084
-  data.tar.gz: ab925a960a68a6507468a6b7a0315d8029bcf714b5a2a4909c3d1779faebc317774c0760b9d67a0d7c995092b5a651563e7f0c460a3ddd1d620d23d002b96476
+  metadata.gz: fbf6cc4db97ce33820084256632012ecb42d50ea049d0f5f1a09cee19119edc92d97cf4a2b32ac5f12be0bd3594d71fd4bb7ed5050382fbf9c83287652afb529
+  data.tar.gz: c71f7a7dc9aaf747ea57485988a7fe261bddc4c69425fb7a33f07c550ee503c4bfd0e051496853333e9cba1ff5da6a2cc4f3cd4fa2d8819d3703d60937470a43

data/.gitignore CHANGED

@@ -8,3 +8,5 @@
 /spec/reports/
 /tmp/
 /vendor/bundle
+.project
+.pydevproject

data/.rubocop.yml ADDED

@@ -0,0 +1,11 @@
+Style/FrozenStringLiteralComment:
+  Enabled: false
+Style/Documentation:
+  Enabled: false
+Metrics/MethodLength:
+  Max: 50
+Metrics/BlockLength:
+  Max: 200

data/Rakefile CHANGED

@@ -1,2 +1,7 @@
 require 'bundler/gem_tasks'
-task default: :spec
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new
+task default: %i[rubocop]

data/bin/check-container-vulnerabilities.rb CHANGED

@@ -36,9 +36,17 @@ class CheckContainerVulnerabilities < Sensu::Plugin::Check::CLI
          short: '-t TOKEN',
          long: '--quayio-token TOKEN'
+  option :whitelist,
+         description: 'Vulnerability whitelist',
+         short: '-w WHITELIST[,WHITELIST]',
+         long: '--whitelist WHITELIST[,WHITELIST]',
+         default: '',
+         proc: proc { |w| w.split(',') }
   def run
     status, message = Quayio::Scanner::Check.new(config[:docker_url],
-                                        config[:quayio_token]).run
+                                                 config[:quayio_token],
+                                                 config[:whitelist]).run
     if status == :ok
       ok message

data/lib/quayio/scanner.rb CHANGED

@@ -1,5 +1,7 @@
-require 'quayio/scanner/version'
 require 'quayio/scanner/check'
+require 'quayio/scanner/image'
+require 'quayio/scanner/repository'
+require 'quayio/scanner/version'
 module Quayio
   module Scanner

data/lib/quayio/scanner/check.rb CHANGED

@@ -1,19 +1,10 @@
-require 'quayio/scanner/image'
 require 'docker'
 module Quayio
   module Scanner
-    class Check < Struct.new(:docker_url, :quayio_token)
+    Check = Struct.new(:docker_url, :quayio_token, :whitelist) do
       def run
         Docker.url = docker_url
-        containers = Docker::Container.all
-                                      .map { |dc| dc.json['Config']['Image'] }
-                                      .uniq
-        vulnerable_images = containers
-                            .map { |container| Image.new(container, quayio_token) }
-                            .select(&:vulnerable?)
-                            .map(&:name)
         if vulnerable_images.empty?
           [:ok, "#{containers.size} Containers are ok"]
@@ -21,6 +12,22 @@ module Quayio
           [:critical, "The images are insecure: #{vulnerable_images.join(', ')}"]
         end
       end
+      private
+      def containers
+        Docker::Container
+          .all
+          .map { |dc| dc.json['Config']['Image'] }
+          .uniq
+      end
+      def vulnerable_images
+        containers
+          .map { |container| Image.new(container, quayio_token, whitelist) }
+          .select(&:vulnerable?)
+          .map(&:name)
+      end
     end
   end
 end

data/lib/quayio/scanner/image.rb CHANGED

@@ -1,68 +1,46 @@
-require 'json'
-require 'rest-client'
 module Quayio
   module Scanner
-    class Image < Struct.new(:name, :quayio_token)
-      RELEVANT_SEVERITIES = %w(High Critical)
+    class Image
+      RELEVANT_SEVERITIES = %w[High Critical].freeze
+      QUAY_IO_REPO_NAME = %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w\.-]+)}.freeze
+      attr_reader :name, :whitelist, :repository
+      def initialize(name, quayio_token, whitelist)
+        @name = name
+        @whitelist = whitelist
+        @name.match(QUAY_IO_REPO_NAME) do |r|
+          org, repo, tag = r.captures
+          @repository = Repository.new(quayio_token, org, repo, tag)
+        end
+      end
       def vulnerable?
-        quayio? && image_exists? && scanned? && high_vulnerabilities_present?
+        quayio? && scanned? && vulnerabilities_present?
       end
       private
       def quayio?
-        name.match(%r{^quay.io\/})
-      end
-      def image_exists?
-        raw_image
+        # safe guard, do not trust QUAY_IO_REPO_NAME regex match
+        !!name.match(%r{^quay.io\/})
       end
       def scanned?
         raw_scan['status'] == 'scanned'
       end
-      def high_vulnerabilities_present?
-        raw_scan['data']['Layer']['Features'].detect do |f|
-          f['Vulnerabilities'] &&
-            f['Vulnerabilities']
-              .detect { |v| RELEVANT_SEVERITIES.include?(v['Severity']) }
-        end
-      end
-      def repo
-        name.split(':').first.gsub(%r{quay.io\/}, '')
-      end
-      def tag
-        name.split(':').last
-      end
-      def raw_image
-        return @raw_image if defined? @raw_image
-        @raw_image = begin
-          JSON.parse(
-            RestClient.get("https://quay.io/api/v1/repository/#{repo}/tag/#{tag}/images",
-                           authorization: "Bearer #{quayio_token}", accept: :json)
-          )['images'].first
-        rescue RestClient::ExceptionWithResponse => err
-          return nil if err.http_code == 404 # ignore unknown repos
-          raise err
+      def vulnerabilities_present?
+        !!raw_scan['data']['Layer']['Features'].detect do |f|
+          f['Vulnerabilities']&.detect do |v|
+            RELEVANT_SEVERITIES.include?(v['Severity']) && !whitelist.include?(v['Name'])
+          end
         end
       end
       def raw_scan
-        return @raw_scan if defined? @raw_scan
-        @raw_scan = begin
-          JSON.parse(
-            RestClient.get("https://quay.io/api/v1/repository/#{repo}/image/#{raw_image['id']}/security?vulnerabilities=true",
-                           authorization: "Bearer #{quayio_token}", accept: :json)
-          )
-        end
+        @raw_scan ||= repository.scan
       end
     end
   end

data/lib/quayio/scanner/repository.rb ADDED

@@ -0,0 +1,42 @@
+require 'rest-client'
+require 'json'
+module Quayio
+  module Scanner
+    Repository = Struct.new(:quayio_token, :org, :repo, :tag) do
+      MAX_ATTEMPTS = 5
+      def id
+        @id ||= fetch_id
+      end
+      def scan
+        api_call("/image/#{id}/security?vulnerabilities=true")
+      end
+      private
+      def fetch_id
+        result = api_call("/tag/#{tag}/images")
+        (result['images'].first)['id']
+      end
+      def api_call(uri)
+        (1..Float::INFINITY).each do |attempt|
+          begin
+            response = RestClient.get(
+              "https://quay.io/api/v1/repository/#{org}/#{repo}#{uri}",
+              authorization: "Bearer #{quayio_token}",
+              accept: :json
+            )
+            return JSON.parse(response)
+          rescue RestClient::ExceptionWithResponse => e
+            raise e if e.http_code != 520 || attempt >= MAX_ATTEMPTS
+            sleep(rand(10))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/quayio/scanner/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Quayio
   module Scanner
-    VERSION = '0.1.1'.freeze
+    VERSION = '0.2.0'.freeze
   end
 end

data/quayio-scanner.gemspec CHANGED

@@ -1,6 +1,4 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'quayio/scanner/version'
@@ -14,16 +12,19 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/aboutsource/quayio-scanner'
   spec.license       = 'MIT'
+  spec.required_ruby_version = '>= 2.4.0'
   spec.files = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
   end
   spec.executables   = Dir.glob('bin/**/*.rb').map { |file| File.basename(file) }
   spec.require_paths = ['lib']
-  spec.add_dependency 'sensu-plugin', '~> 2.1'
   spec.add_dependency 'docker-api', '~> 1.33'
   spec.add_dependency 'rest-client', '~> 2.0'
-  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_dependency 'sensu-plugin', '~> 2.1'
+  spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.7'
   spec.add_development_dependency 'rubocop', '~> 0.49'
 end

metadata CHANGED

@@ -1,71 +1,71 @@
 --- !ruby/object:Gem::Specification
 name: quayio-scanner
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Benjamin Meichsner
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-11-27 00:00:00.000000000 Z
+date: 2020-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: sensu-plugin
+  name: docker-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '1.33'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '1.33'
 - !ruby/object:Gem::Dependency
-  name: docker-api
+  name: rest-client
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.33'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.33'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: rest-client
+  name: sensu-plugin
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -94,7 +108,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.49'
-description:
+description:
 email:
 - benjamin.meichsner@aboutsource.net
 executables:
@@ -103,6 +117,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rubocop.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -111,13 +126,14 @@ files:
 - lib/quayio/scanner.rb
 - lib/quayio/scanner/check.rb
 - lib/quayio/scanner/image.rb
+- lib/quayio/scanner/repository.rb
 - lib/quayio/scanner/version.rb
 - quayio-scanner.gemspec
 homepage: https://github.com/aboutsource/quayio-scanner
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -125,16 +141,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
-signing_key:
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Scan quay.io for vulnerabilties in running docker containers.
 test_files: []