quayio-scanner 0.1.4 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5870d44003c0600c96604760935938ecad1576818ae94f997e01ba5172390952
-  data.tar.gz: e1476f3dc385413bfbfb47b26345710774889913767bb0c9d9fcd2ab00996c6e
+  metadata.gz: 9682167dd4f87703d927a236079beb847abd6d787e1e95b63e9517c8e79572cf
+  data.tar.gz: 37b75014b47d09dc7ccd293526a98b90d3d7ef81d8daa4302da1f24dbf51a441
 SHA512:
-  metadata.gz: e85522f956cca1178c249269124af889f9937c75e442894cddcd0c7e45e9d191d7fa1cff688e15e95eb28f62ae8de3b0fe6bdb285ef4d33c3053eb2b041e563d
-  data.tar.gz: 1b763e457f3ed56c1d8a812fb567fd93a38e31c1d93f1dc7a6108ec455ca0263cc4c552eae3bfdf7150f11b8c29816b77d72303f4f132c77567e51a4366db95b
+  metadata.gz: 27ae72de19649c10f00d11e6dc461c5aea63cdb98449039354fc8345686f6def8c984ae6a6f6cf1a3ea24034a04fe1a229bfa078ea21bbae261f1c268373f9a6
+  data.tar.gz: 79915aaeb679343ad481d0a1b1171bb3c6a62bb841ffe657fbe18ac57550310eecfe2c9ce33b069313564f5a0ce581283e1d70aec38d1f74b528c05876994c53

data/.rubocop.yml

@@ -0,0 +1,14 @@
+AllCops:
+  TargetRubyVersion: 2.3
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Metrics/MethodLength:
+  Max: 50
+
+Metrics/BlockLength:
+  Max: 200

data/bin/check-container-vulnerabilities.rb

@@ -44,8 +44,9 @@ class CheckContainerVulnerabilities < Sensu::Plugin::Check::CLI
          proc: proc { |w| w.split(',') }
 
   def run
-    status, message = Quayio::Scanner::Check.new(
-        config[:docker_url], config[:quayio_token], config[:whitelist]).run
+    status, message = Quayio::Scanner::Check.new(config[:docker_url],
+                                                 config[:quayio_token],
+                                                 config[:whitelist]).run
 
     if status == :ok
       ok message

data/lib/quayio/scanner.rb

@@ -1,5 +1,7 @@
-require 'quayio/scanner/version'
 require 'quayio/scanner/check'
+require 'quayio/scanner/image'
+require 'quayio/scanner/repository'
+require 'quayio/scanner/version'
 
 module Quayio
   module Scanner

data/lib/quayio/scanner/check.rb

@@ -1,19 +1,10 @@
-require 'quayio/scanner/image'
 require 'docker'
 
 module Quayio
   module Scanner
-    class Check < Struct.new(:docker_url, :quayio_token, :whitelist)
+    Check = Struct.new(:docker_url, :quayio_token, :whitelist) do
       def run
         Docker.url = docker_url
-        containers = Docker::Container.all
-                                      .map { |dc| dc.json['Config']['Image'] }
-                                      .uniq
-
-        vulnerable_images = containers
-                            .map { |container| Image.new(container, quayio_token, whitelist) }
-                            .select(&:vulnerable?)
-                            .map(&:name)
 
         if vulnerable_images.empty?
           [:ok, "#{containers.size} Containers are ok"]
@@ -21,6 +12,22 @@ module Quayio
           [:critical, "The images are insecure: #{vulnerable_images.join(', ')}"]
         end
       end
+
+      private
+
+      def containers
+        Docker::Container
+          .all
+          .map { |dc| dc.json['Config']['Image'] }
+          .uniq
+      end
+
+      def vulnerable_images
+        containers
+          .map { |container| Image.new(container, quayio_token, whitelist) }
+          .select(&:vulnerable?)
+          .map(&:name)
+      end
     end
   end
 end

data/lib/quayio/scanner/image.rb

@@ -1,69 +1,46 @@
-require 'json'
-require 'rest-client'
-
 module Quayio
   module Scanner
-    class Image < Struct.new(:name, :quayio_token, :whitelist)
-      RELEVANT_SEVERITIES = %w(High Critical)
+    class Image
+      RELEVANT_SEVERITIES = %w[High Critical].freeze
+      QUAY_IO_REPO_NAME = %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w\.-]+)}.freeze
+
+      attr_reader :name, :whitelist, :repository
+
+      def initialize(name, quayio_token, whitelist)
+        @name = name
+        @whitelist = whitelist
+
+        @name.match(QUAY_IO_REPO_NAME) do |r|
+          org, repo, tag = r.captures
+          @repository = Repository.new(quayio_token, org, repo, tag)
+        end
+      end
 
       def vulnerable?
-        quayio? && image_exists? && scanned? && high_vulnerabilities_present?
+        quayio? && scanned? && vulnerabilities_present?
       end
 
       private
 
       def quayio?
-        name.match(%r{^quay.io\/})
-      end
-
-      def image_exists?
-        raw_image
+        # safe guard, do not trust QUAY_IO_REPO_NAME regex match
+        !!name.match(%r{^quay.io\/})
       end
 
       def scanned?
         raw_scan['status'] == 'scanned'
       end
 
-      def high_vulnerabilities_present?
-        raw_scan['data']['Layer']['Features'].detect do |f|
-          f['Vulnerabilities'] && f['Vulnerabilities'].detect do |v|
-            RELEVANT_SEVERITIES.include?(v['Severity']) &&
-              !whitelist.include?(v['Name'])
+      def vulnerabilities_present?
+        !!raw_scan['data']['Layer']['Features'].detect do |f|
+          f['Vulnerabilities']&.detect do |v|
+            RELEVANT_SEVERITIES.include?(v['Severity']) && !whitelist.include?(v['Name'])
           end
         end
       end
 
-      def repo
-        name.split(':').first.gsub(%r{quay.io\/}, '')
-      end
-
-      def tag
-        name.split(':').last
-      end
-
-      def raw_image
-        return @raw_image if defined? @raw_image
-
-        @raw_image = begin
-          JSON.parse(
-            RestClient.get("https://quay.io/api/v1/repository/#{repo}/tag/#{tag}/images",
-                           authorization: "Bearer #{quayio_token}", accept: :json)
-          )['images'].first
-        rescue RestClient::ExceptionWithResponse => err
-          return nil if err.http_code == 404 # ignore unknown repos
-          raise err
-        end
-      end
-
       def raw_scan
-        return @raw_scan if defined? @raw_scan
-
-        @raw_scan = begin
-          JSON.parse(
-            RestClient.get("https://quay.io/api/v1/repository/#{repo}/image/#{raw_image['id']}/security?vulnerabilities=true",
-                           authorization: "Bearer #{quayio_token}", accept: :json)
-          )
-        end
+        @raw_scan ||= repository.scan
       end
     end
   end

data/lib/quayio/scanner/repository.rb

@@ -0,0 +1,46 @@
+require 'rest-client'
+require 'json'
+
+module Quayio
+  module Scanner
+    Repository = Struct.new(:quayio_token, :org, :repo, :tag) do
+      MAX_ATTEMPTS = 5
+
+      def id
+        @id ||= fetch_id
+      end
+
+      def scan
+        api_call("/image/#{id}/security?vulnerabilities=true")
+      end
+
+      private
+
+      def fetch_id
+        result = api_call("/tag/#{tag}/images")
+        (result['images'].first)['id']
+      end
+
+      def api_call(uri)
+        (1..Float::INFINITY).each do |attempt|
+          begin
+            response = RestClient.get(
+              "https://quay.io/api/v1/repository/#{org}/#{repo}#{uri}",
+              authorization: "Bearer #{quayio_token}",
+              accept: :json,
+              open_timeout: 15
+            )
+            return JSON.parse(response)
+          rescue RestClient::Exception => e
+            raise e if attempt >= MAX_ATTEMPTS
+
+            # retry later, if we hit cdn rate limiting or on connection errors
+            raise e unless e.http_code == 520 || e.http_code.nil?
+
+            sleep(rand(10))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/quayio/scanner/version.rb

@@ -1,5 +1,5 @@
 module Quayio
   module Scanner
-    VERSION = '0.1.4'.freeze
+    VERSION = '0.2.2'.freeze
   end
 end

data/quayio-scanner.gemspec

@@ -12,6 +12,8 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/aboutsource/quayio-scanner'
   spec.license       = 'MIT'
 
+  spec.required_ruby_version = '>= 2.3.0'
+
   spec.files = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
   end
@@ -19,9 +21,9 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'docker-api', '~> 1.33'
-  spec.add_dependency 'rest-client', '~> 2.0'
-  spec.add_dependency 'sensu-plugin', '~> 2.1'
-  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_dependency 'rest-client', '~> 2.1'
+  spec.add_dependency 'sensu-plugin', '~> 4.0'
+  spec.add_development_dependency 'bundler', '~> 2.2'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rspec', '~> 3.7'
   spec.add_development_dependency 'rubocop', '~> 0.49'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quayio-scanner
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.2.2
 platform: ruby
 authors:
 - Benjamin Meichsner
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-01-10 00:00:00.000000000 Z
+date: 2021-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: docker-api
@@ -30,42 +30,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: sensu-plugin
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -108,7 +108,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.49'
-description: 
+description:
 email:
 - benjamin.meichsner@aboutsource.net
 executables:
@@ -117,6 +117,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rubocop.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -125,13 +126,14 @@ files:
 - lib/quayio/scanner.rb
 - lib/quayio/scanner/check.rb
 - lib/quayio/scanner/image.rb
+- lib/quayio/scanner/repository.rb
 - lib/quayio/scanner/version.rb
 - quayio-scanner.gemspec
 homepage: https://github.com/aboutsource/quayio-scanner
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -139,15 +141,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.2.21
+signing_key:
 specification_version: 4
 summary: Scan quay.io for vulnerabilties in running docker containers.
 test_files: []