quayio-scanner 0.1.5 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5df176d74b68e0b31a5408b2be36bac9c0cb2171650acb160cfedd90a143de2c
-  data.tar.gz: aab6b7098d7a848294613428d8b514589c949f5d9f1fdf9041af06932d12856c
+  metadata.gz: ec3e0ce31e72f8fb58ce5bb62ec17af8395f8cbb0dfe6825bd8409e8388167a3
+  data.tar.gz: af37eec22d47077ad5c6cdb761b18071864ab628d459b15ed7130c645a09edc4
 SHA512:
-  metadata.gz: 1da63def2a66714fff1b69b709150b444a0b149f7da03c1a9bcdec87f895a1b73a44887d9ded63c928dca958f5edc82ecc06a074957c3103f96958dccb0f2183
-  data.tar.gz: a0c809340d55c456aa639ecebe00926722ece6f156efee325f713fcb25ef371ca8cc44ad828665767175f31fce558300665eb976ebbb8d9d8ac346d386cd1b96
+  metadata.gz: 194cca2abb4781442a8730a9ad0afb5097bc0e63d9dcd1a4c1dc0c92c6832af5020fd3e8dceb44fa5cd9c56da8bff986669146cd2ba8c141c165203fa5d09ee2
+  data.tar.gz: 4ac42a474343fae8c5ce01141cf85ebf514a3d37050fc93f28f7cb5202c231ab1976b94112f7aff278a00c3fac3082a7f1f454e0291ac60b9e7be764689a8d1c

data/.gitignore

@@ -1,6 +1,5 @@
 /.bundle/
 /.yardoc
-/Gemfile.lock
 /_yardoc/
 /coverage/
 /doc/

data/.rubocop.yml

@@ -0,0 +1,14 @@
+AllCops:
+  TargetRubyVersion: 2.3
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Metrics/MethodLength:
+  Max: 50
+
+Metrics/BlockLength:
+  Max: 200

data/.ruby-version

@@ -0,0 +1 @@
+2.7.0

data/Gemfile.lock

@@ -0,0 +1,86 @@
+PATH
+  remote: .
+  specs:
+    quayio-scanner (0.2.3)
+      docker-api (~> 1.33)
+      rest-client (~> 2.1)
+      sensu-plugin (~> 4.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.1)
+    diff-lcs (1.4.4)
+    docker-api (1.34.2)
+      excon (>= 0.47.0)
+      multi_json
+    domain_name (0.5.20190701)
+      unf (>= 0.0.5, < 1.0.0)
+    excon (0.85.0)
+    http-accept (1.7.0)
+    http-cookie (1.0.4)
+      domain_name (~> 0.5)
+    json (2.5.1)
+    mime-types (3.3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2021.0704)
+    mixlib-cli (1.7.0)
+    multi_json (1.15.0)
+    netrc (0.11.0)
+    parallel (1.19.2)
+    parser (2.7.2.0)
+      ast (~> 2.4.1)
+    rainbow (3.0.0)
+    rake (10.5.0)
+    regexp_parser (1.8.2)
+    rest-client (2.1.0)
+      http-accept (>= 1.7.0, < 2.0)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 4.0)
+      netrc (~> 0.8)
+    rexml (3.2.4)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.3)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.4)
+    rubocop (0.93.1)
+      parallel (~> 1.10)
+      parser (>= 2.7.1.5)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8)
+      rexml
+      rubocop-ast (>= 0.6.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (1.1.0)
+      parser (>= 2.7.1.5)
+    ruby-progressbar (1.10.1)
+    sensu-plugin (4.0.0)
+      json (< 3.0.0)
+      mixlib-cli (~> 1.5)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.7)
+    unicode-display_width (1.7.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 2.2)
+  quayio-scanner!
+  rake (~> 10.0)
+  rspec (~> 3.7)
+  rubocop (~> 0.49)
+
+BUNDLED WITH
+   2.2.23

data/README.md

@@ -26,3 +26,7 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/abouts
 ## License
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+## Security
+
+* [Snyk](https://app.snyk.io/org/about-source/project/6eb2d381-87e7-49c4-a47f-ccad97f33ae3)

data/bin/check-container-vulnerabilities.rb

@@ -44,8 +44,9 @@ class CheckContainerVulnerabilities < Sensu::Plugin::Check::CLI
          proc: proc { |w| w.split(',') }
 
   def run
-    status, message = Quayio::Scanner::Check.new(
-        config[:docker_url], config[:quayio_token], config[:whitelist]).run
+    status, message = Quayio::Scanner::Check.new(config[:docker_url],
+                                                 config[:quayio_token],
+                                                 config[:whitelist]).run
 
     if status == :ok
       ok message

data/lib/quayio/scanner.rb

@@ -1,5 +1,7 @@
-require 'quayio/scanner/version'
 require 'quayio/scanner/check'
+require 'quayio/scanner/image'
+require 'quayio/scanner/repository'
+require 'quayio/scanner/version'
 
 module Quayio
   module Scanner

data/lib/quayio/scanner/check.rb

@@ -1,19 +1,10 @@
-require 'quayio/scanner/image'
 require 'docker'
 
 module Quayio
   module Scanner
-    class Check < Struct.new(:docker_url, :quayio_token, :whitelist)
+    Check = Struct.new(:docker_url, :quayio_token, :whitelist) do
       def run
         Docker.url = docker_url
-        containers = Docker::Container.all
-                                      .map { |dc| dc.json['Config']['Image'] }
-                                      .uniq
-
-        vulnerable_images = containers
-                            .map { |container| Image.new(container, quayio_token, whitelist) }
-                            .select(&:vulnerable?)
-                            .map(&:name)
 
         if vulnerable_images.empty?
           [:ok, "#{containers.size} Containers are ok"]
@@ -21,6 +12,22 @@ module Quayio
           [:critical, "The images are insecure: #{vulnerable_images.join(', ')}"]
         end
       end
+
+      private
+
+      def containers
+        Docker::Container
+          .all
+          .map { |dc| dc.json['Config']['Image'] }
+          .uniq
+      end
+
+      def vulnerable_images
+        containers
+          .map { |container| Image.new(container, quayio_token, whitelist) }
+          .select(&:vulnerable?)
+          .map(&:name)
+      end
     end
   end
 end

data/lib/quayio/scanner/image.rb

@@ -1,78 +1,46 @@
-require 'json'
-require 'rest-client'
-
 module Quayio
   module Scanner
-    class Image < Struct.new(:name, :quayio_token, :whitelist)
-      RELEVANT_SEVERITIES = %w(High Critical)
-      MAX_ATTEMPTS = 5
+    class Image
+      RELEVANT_SEVERITIES = %w[High Critical].freeze
+      QUAY_IO_REPO_NAME = %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w\.-]+)}.freeze
+
+      attr_reader :name, :whitelist, :repository
+
+      def initialize(name, quayio_token, whitelist)
+        @name = name
+        @whitelist = whitelist
+
+        @name.match(QUAY_IO_REPO_NAME) do |r|
+          org, repo, tag = r.captures
+          @repository = Repository.new(quayio_token, org, repo, tag)
+        end
+      end
 
       def vulnerable?
-        quayio? && image_exists? && scanned? && high_vulnerabilities_present?
+        quayio? && scanned? && vulnerabilities_present?
       end
 
       private
 
       def quayio?
-        name.match(%r{^quay.io\/})
-      end
-
-      def image_exists?
-        raw_image
+        # safe guard, do not trust QUAY_IO_REPO_NAME regex match
+        !!name.match(%r{^quay.io\/})
       end
 
       def scanned?
         raw_scan['status'] == 'scanned'
       end
 
-      def high_vulnerabilities_present?
-        raw_scan['data']['Layer']['Features'].detect do |f|
-          f['Vulnerabilities'] && f['Vulnerabilities'].detect do |v|
-            RELEVANT_SEVERITIES.include?(v['Severity']) &&
-              !whitelist.include?(v['Name'])
+      def vulnerabilities_present?
+        !!raw_scan['data']['Layer']['Features'].detect do |f|
+          f['Vulnerabilities']&.detect do |v|
+            RELEVANT_SEVERITIES.include?(v['Severity']) && !whitelist.include?(v['Name'])
           end
         end
       end
 
-      def repo
-        name.split(':').first.gsub(%r{quay.io\/}, '')
-      end
-
-      def tag
-        name.split(':').last
-      end
-
-      def raw_image
-        return @raw_image if defined? @raw_image
-
-        (1..MAX_ATTEMPTS).each do |attempt|
-          begin
-            response = RestClient.get(
-              "https://quay.io/api/v1/repository/#{repo}/tag/#{tag}/images",
-              authorization: "Bearer #{quayio_token}",
-              accept: :json)
-          rescue RestClient::ExceptionWithResponse => err
-            return nil if err.http_code == 404 # ignore unknown repos
-            if err.http_code == 520 and attempt < MAX_ATTEMPTS
-              sleep(rand(10))
-              next
-            end
-            raise err
-          end
-          @raw_image = JSON.parse(response)['images'].first
-          return @raw_image
-        end
-      end
-
       def raw_scan
-        return @raw_scan if defined? @raw_scan
-
-        @raw_scan = begin
-          JSON.parse(
-            RestClient.get("https://quay.io/api/v1/repository/#{repo}/image/#{raw_image['id']}/security?vulnerabilities=true",
-                           authorization: "Bearer #{quayio_token}", accept: :json)
-          )
-        end
+        @raw_scan ||= repository.scan
       end
     end
   end

data/lib/quayio/scanner/repository.rb

@@ -0,0 +1,46 @@
+require 'rest-client'
+require 'json'
+
+module Quayio
+  module Scanner
+    Repository = Struct.new(:quayio_token, :org, :repo, :tag) do
+      MAX_ATTEMPTS = 5
+
+      def id
+        @id ||= fetch_id
+      end
+
+      def scan
+        api_call("/image/#{id}/security?vulnerabilities=true")
+      end
+
+      private
+
+      def fetch_id
+        result = api_call("/tag/#{tag}/images")
+        (result['images'].first)['id']
+      end
+
+      def api_call(uri)
+        (1..Float::INFINITY).each do |attempt|
+          begin
+            response = RestClient.get(
+              "https://quay.io/api/v1/repository/#{org}/#{repo}#{uri}",
+              authorization: "Bearer #{quayio_token}",
+              accept: :json,
+              open_timeout: 15
+            )
+            return JSON.parse(response)
+          rescue RestClient::Exception => e
+            raise e if attempt >= MAX_ATTEMPTS
+
+            # retry later, if we hit cdn rate limiting or on connection errors
+            raise e unless e.http_code == 520 || e.http_code.nil?
+
+            sleep(rand(10))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/quayio/scanner/version.rb

@@ -1,5 +1,5 @@
 module Quayio
   module Scanner
-    VERSION = '0.1.5'.freeze
+    VERSION = '0.2.3'.freeze
   end
 end

data/quayio-scanner.gemspec

@@ -12,6 +12,8 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/aboutsource/quayio-scanner'
   spec.license       = 'MIT'
 
+  spec.required_ruby_version = '>= 2.3.0'
+
   spec.files = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
   end
@@ -19,9 +21,9 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'docker-api', '~> 1.33'
-  spec.add_dependency 'rest-client', '~> 2.0'
-  spec.add_dependency 'sensu-plugin', '~> 2.1'
-  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_dependency 'rest-client', '~> 2.1'
+  spec.add_dependency 'sensu-plugin', '~> 4.0'
+  spec.add_development_dependency 'bundler', '~> 2.2'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rspec', '~> 3.7'
   spec.add_development_dependency 'rubocop', '~> 0.49'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quayio-scanner
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.2.3
 platform: ruby
 authors:
 - Benjamin Meichsner
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-31 00:00:00.000000000 Z
+date: 2021-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: docker-api
@@ -30,42 +30,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: sensu-plugin
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -117,7 +117,10 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rubocop.yml"
+- ".ruby-version"
 - Gemfile
+- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -125,6 +128,7 @@ files:
 - lib/quayio/scanner.rb
 - lib/quayio/scanner/check.rb
 - lib/quayio/scanner/image.rb
+- lib/quayio/scanner/repository.rb
 - lib/quayio/scanner/version.rb
 - quayio-scanner.gemspec
 homepage: https://github.com/aboutsource/quayio-scanner
@@ -139,7 +143,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="