RubyGems - quayio-scanner - Versions diffs - 0.1.5 → 0.2.3 - Mend

quayio-scanner 0.1.5 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml +4 -4
data/.gitignore +0 -1
data/.rubocop.yml +14 -0
data/.ruby-version +1 -0
data/Gemfile.lock +86 -0
data/README.md +4 -0
data/bin/check-container-vulnerabilities.rb +3 -2
data/lib/quayio/scanner.rb +3 -1
data/lib/quayio/scanner/check.rb +17 -10
data/lib/quayio/scanner/image.rb +23 -55
data/lib/quayio/scanner/repository.rb +46 -0
data/lib/quayio/scanner/version.rb +1 -1
data/quayio-scanner.gemspec +5 -3
metadata +13 -9

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5df176d74b68e0b31a5408b2be36bac9c0cb2171650acb160cfedd90a143de2c
-  data.tar.gz: aab6b7098d7a848294613428d8b514589c949f5d9f1fdf9041af06932d12856c
+  metadata.gz: ec3e0ce31e72f8fb58ce5bb62ec17af8395f8cbb0dfe6825bd8409e8388167a3
+  data.tar.gz: af37eec22d47077ad5c6cdb761b18071864ab628d459b15ed7130c645a09edc4
 SHA512:
-  metadata.gz: 1da63def2a66714fff1b69b709150b444a0b149f7da03c1a9bcdec87f895a1b73a44887d9ded63c928dca958f5edc82ecc06a074957c3103f96958dccb0f2183
-  data.tar.gz: a0c809340d55c456aa639ecebe00926722ece6f156efee325f713fcb25ef371ca8cc44ad828665767175f31fce558300665eb976ebbb8d9d8ac346d386cd1b96
+  metadata.gz: 194cca2abb4781442a8730a9ad0afb5097bc0e63d9dcd1a4c1dc0c92c6832af5020fd3e8dceb44fa5cd9c56da8bff986669146cd2ba8c141c165203fa5d09ee2
+  data.tar.gz: 4ac42a474343fae8c5ce01141cf85ebf514a3d37050fc93f28f7cb5202c231ab1976b94112f7aff278a00c3fac3082a7f1f454e0291ac60b9e7be764689a8d1c

data/.gitignore CHANGED Viewed

@@ -1,6 +1,5 @@
 /.bundle/
 /.yardoc
-/Gemfile.lock
 /_yardoc/
 /coverage/
 /doc/

data/.rubocop.yml ADDED Viewed

@@ -0,0 +1,14 @@
+AllCops:
+  TargetRubyVersion: 2.3
+Style/FrozenStringLiteralComment:
+  Enabled: false
+Style/Documentation:
+  Enabled: false
+Metrics/MethodLength:
+  Max: 50
+Metrics/BlockLength:
+  Max: 200

data/.ruby-version ADDED Viewed

	@@ -0,0 +1 @@
1	+ 2.7.0

data/Gemfile.lock ADDED Viewed

@@ -0,0 +1,86 @@
+PATH
+  remote: .
+  specs:
+    quayio-scanner (0.2.3)
+      docker-api (~> 1.33)
+      rest-client (~> 2.1)
+      sensu-plugin (~> 4.0)
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.1)
+    diff-lcs (1.4.4)
+    docker-api (1.34.2)
+      excon (>= 0.47.0)
+      multi_json
+    domain_name (0.5.20190701)
+      unf (>= 0.0.5, < 1.0.0)
+    excon (0.85.0)
+    http-accept (1.7.0)
+    http-cookie (1.0.4)
+      domain_name (~> 0.5)
+    json (2.5.1)
+    mime-types (3.3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2021.0704)
+    mixlib-cli (1.7.0)
+    multi_json (1.15.0)
+    netrc (0.11.0)
+    parallel (1.19.2)
+    parser (2.7.2.0)
+      ast (~> 2.4.1)
+    rainbow (3.0.0)
+    rake (10.5.0)
+    regexp_parser (1.8.2)
+    rest-client (2.1.0)
+      http-accept (>= 1.7.0, < 2.0)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 4.0)
+      netrc (~> 0.8)
+    rexml (3.2.4)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.3)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.4)
+    rubocop (0.93.1)
+      parallel (~> 1.10)
+      parser (>= 2.7.1.5)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8)
+      rexml
+      rubocop-ast (>= 0.6.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (1.1.0)
+      parser (>= 2.7.1.5)
+    ruby-progressbar (1.10.1)
+    sensu-plugin (4.0.0)
+      json (< 3.0.0)
+      mixlib-cli (~> 1.5)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.7)
+    unicode-display_width (1.7.0)
+PLATFORMS
+  ruby
+DEPENDENCIES
+  bundler (~> 2.2)
+  quayio-scanner!
+  rake (~> 10.0)
+  rspec (~> 3.7)
+  rubocop (~> 0.49)
+BUNDLED WITH
+   2.2.23

data/README.md CHANGED Viewed

@@ -26,3 +26,7 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/abouts
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+## Security
+* [Snyk](https://app.snyk.io/org/about-source/project/6eb2d381-87e7-49c4-a47f-ccad97f33ae3)

data/bin/check-container-vulnerabilities.rb CHANGED Viewed

@@ -44,8 +44,9 @@ class CheckContainerVulnerabilities < Sensu::Plugin::Check::CLI
          proc: proc { |w| w.split(',') }
   def run
-    status, message = Quayio::Scanner::Check.new(
-        config[:docker_url], config[:quayio_token], config[:whitelist]).run
+    status, message = Quayio::Scanner::Check.new(config[:docker_url],
+                                                 config[:quayio_token],
+                                                 config[:whitelist]).run
     if status == :ok
       ok message

data/lib/quayio/scanner.rb CHANGED Viewed

@@ -1,5 +1,7 @@
-require 'quayio/scanner/version'
 require 'quayio/scanner/check'
+require 'quayio/scanner/image'
+require 'quayio/scanner/repository'
+require 'quayio/scanner/version'
 module Quayio
   module Scanner

data/lib/quayio/scanner/check.rb CHANGED Viewed

@@ -1,19 +1,10 @@
-require 'quayio/scanner/image'
 require 'docker'
 module Quayio
   module Scanner
-    class Check < Struct.new(:docker_url, :quayio_token, :whitelist)
+    Check = Struct.new(:docker_url, :quayio_token, :whitelist) do
       def run
         Docker.url = docker_url
-        containers = Docker::Container.all
-                                      .map { |dc| dc.json['Config']['Image'] }
-                                      .uniq
-        vulnerable_images = containers
-                            .map { |container| Image.new(container, quayio_token, whitelist) }
-                            .select(&:vulnerable?)
-                            .map(&:name)
         if vulnerable_images.empty?
           [:ok, "#{containers.size} Containers are ok"]
@@ -21,6 +12,22 @@ module Quayio
           [:critical, "The images are insecure: #{vulnerable_images.join(', ')}"]
         end
       end
+      private
+      def containers
+        Docker::Container
+          .all
+          .map { |dc| dc.json['Config']['Image'] }
+          .uniq
+      end
+      def vulnerable_images
+        containers
+          .map { |container| Image.new(container, quayio_token, whitelist) }
+          .select(&:vulnerable?)
+          .map(&:name)
+      end
     end
   end
 end

data/lib/quayio/scanner/image.rb CHANGED Viewed

@@ -1,78 +1,46 @@
-require 'json'
-require 'rest-client'
 module Quayio
   module Scanner
-    class Image < Struct.new(:name, :quayio_token, :whitelist)
-      RELEVANT_SEVERITIES = %w(High Critical)
-      MAX_ATTEMPTS = 5
+    class Image
+      RELEVANT_SEVERITIES = %w[High Critical].freeze
+      QUAY_IO_REPO_NAME = %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w\.-]+)}.freeze
+      attr_reader :name, :whitelist, :repository
+      def initialize(name, quayio_token, whitelist)
+        @name = name
+        @whitelist = whitelist
+        @name.match(QUAY_IO_REPO_NAME) do |r|
+          org, repo, tag = r.captures
+          @repository = Repository.new(quayio_token, org, repo, tag)
+        end
+      end
       def vulnerable?
-        quayio? && image_exists? && scanned? && high_vulnerabilities_present?
+        quayio? && scanned? && vulnerabilities_present?
       end
       private
       def quayio?
-        name.match(%r{^quay.io\/})
-      end
-      def image_exists?
-        raw_image
+        # safe guard, do not trust QUAY_IO_REPO_NAME regex match
+        !!name.match(%r{^quay.io\/})
       end
       def scanned?
         raw_scan['status'] == 'scanned'
       end
-      def high_vulnerabilities_present?
-        raw_scan['data']['Layer']['Features'].detect do |f|
-          f['Vulnerabilities'] && f['Vulnerabilities'].detect do |v|
-            RELEVANT_SEVERITIES.include?(v['Severity']) &&
-              !whitelist.include?(v['Name'])
+      def vulnerabilities_present?
+        !!raw_scan['data']['Layer']['Features'].detect do |f|
+          f['Vulnerabilities']&.detect do |v|
+            RELEVANT_SEVERITIES.include?(v['Severity']) && !whitelist.include?(v['Name'])
           end
         end
       end
-      def repo
-        name.split(':').first.gsub(%r{quay.io\/}, '')
-      end
-      def tag
-        name.split(':').last
-      end
-      def raw_image
-        return @raw_image if defined? @raw_image
-        (1..MAX_ATTEMPTS).each do |attempt|
-          begin
-            response = RestClient.get(
-              "https://quay.io/api/v1/repository/#{repo}/tag/#{tag}/images",
-              authorization: "Bearer #{quayio_token}",
-              accept: :json)
-          rescue RestClient::ExceptionWithResponse => err
-            return nil if err.http_code == 404 # ignore unknown repos
-            if err.http_code == 520 and attempt < MAX_ATTEMPTS
-              sleep(rand(10))
-              next
-            end
-            raise err
-          end
-          @raw_image = JSON.parse(response)['images'].first
-          return @raw_image
-        end
-      end
       def raw_scan
-        return @raw_scan if defined? @raw_scan
-        @raw_scan = begin
-          JSON.parse(
-            RestClient.get("https://quay.io/api/v1/repository/#{repo}/image/#{raw_image['id']}/security?vulnerabilities=true",
-                           authorization: "Bearer #{quayio_token}", accept: :json)
-          )
-        end
+        @raw_scan ||= repository.scan
       end
     end
   end

data/lib/quayio/scanner/repository.rb ADDED Viewed

@@ -0,0 +1,46 @@
+require 'rest-client'
+require 'json'
+module Quayio
+  module Scanner
+    Repository = Struct.new(:quayio_token, :org, :repo, :tag) do
+      MAX_ATTEMPTS = 5
+      def id
+        @id ||= fetch_id
+      end
+      def scan
+        api_call("/image/#{id}/security?vulnerabilities=true")
+      end
+      private
+      def fetch_id
+        result = api_call("/tag/#{tag}/images")
+        (result['images'].first)['id']
+      end
+      def api_call(uri)
+        (1..Float::INFINITY).each do |attempt|
+          begin
+            response = RestClient.get(
+              "https://quay.io/api/v1/repository/#{org}/#{repo}#{uri}",
+              authorization: "Bearer #{quayio_token}",
+              accept: :json,
+              open_timeout: 15
+            )
+            return JSON.parse(response)
+          rescue RestClient::Exception => e
+            raise e if attempt >= MAX_ATTEMPTS
+            # retry later, if we hit cdn rate limiting or on connection errors
+            raise e unless e.http_code == 520 || e.http_code.nil?
+            sleep(rand(10))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/quayio/scanner/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Quayio
   module Scanner
-    VERSION = '0.1.5'.freeze
+    VERSION = '0.2.3'.freeze
   end
 end

data/quayio-scanner.gemspec CHANGED Viewed

@@ -12,6 +12,8 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/aboutsource/quayio-scanner'
   spec.license       = 'MIT'
+  spec.required_ruby_version = '>= 2.3.0'
   spec.files = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
   end
@@ -19,9 +21,9 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
   spec.add_dependency 'docker-api', '~> 1.33'
-  spec.add_dependency 'rest-client', '~> 2.0'
-  spec.add_dependency 'sensu-plugin', '~> 2.1'
-  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_dependency 'rest-client', '~> 2.1'
+  spec.add_dependency 'sensu-plugin', '~> 4.0'
+  spec.add_development_dependency 'bundler', '~> 2.2'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rspec', '~> 3.7'
   spec.add_development_dependency 'rubocop', '~> 0.49'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quayio-scanner
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.2.3
 platform: ruby
 authors:
 - Benjamin Meichsner
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-01-31 00:00:00.000000000 Z
+date: 2021-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: docker-api
@@ -30,42 +30,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: sensu-plugin
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.1'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -117,7 +117,10 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rubocop.yml"
+- ".ruby-version"
 - Gemfile
+- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -125,6 +128,7 @@ files:
 - lib/quayio/scanner.rb
 - lib/quayio/scanner/check.rb
 - lib/quayio/scanner/image.rb
+- lib/quayio/scanner/repository.rb
 - lib/quayio/scanner/version.rb
 - quayio-scanner.gemspec
 homepage: https://github.com/aboutsource/quayio-scanner
@@ -139,7 +143,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="