quayio-scanner 0.2.2 → 0.3.1

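--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 9682167dd4f87703d927a236079beb847abd6d787e1e95b63e9517c8e79572cf
- data.tar.gz: 37b75014b47d09dc7ccd293526a98b90d3d7ef81d8daa4302da1f24dbf51a441
+ metadata.gz: 5c3eabc5c737c5a7e3e6c104f221de20f4dc1be4e91bb54241f308f5367b84c5
+ data.tar.gz: 457e6d878eb67842929377ffe54589efe832335275c4a0ef0ea5845ea9d68fd0
  SHA512:
- metadata.gz: 27ae72de19649c10f00d11e6dc461c5aea63cdb98449039354fc8345686f6def8c984ae6a6f6cf1a3ea24034a04fe1a229bfa078ea21bbae261f1c268373f9a6
- data.tar.gz: 79915aaeb679343ad481d0a1b1171bb3c6a62bb841ffe657fbe18ac57550310eecfe2c9ce33b069313564f5a0ce581283e1d70aec38d1f74b528c05876994c53
+ metadata.gz: a89b445dfb42e088056cfa4b07634eb7fab13b5d7a5d342a39188f660e8b7da7f521d04b76540c084f59b364b7af322ae3718d017c56c100a556e9baffa8231c
+ data.tar.gz: e459485a56218b2305bfe7294f2936fba44cb1d063ac0951060290a5c77e6ad8aaa341e2ffa1dd4e0dcab13583ff64cda96e861ccac0ed6f3be030fdb308e2e0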
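--- a/data/.gitignore
+++ b/data/.gitignore
@@ -1,6 +1,5 @@
  /.bundle/
  /.yardoc
- /Gemfile.lock
  /_yardoc/
  /coverage/
  /doc/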
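--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -1,14 +1,28 @@
  AllCops:
  TargetRubyVersion: 2.3
 
+ Lint/RaiseException:
+ Enabled: true
+
+ Lint/StructNewOverride:
+ Enabled: true
+
+
+ Metrics:
+ Enabled: false
+
+
  Style/FrozenStringLiteralComment:
  Enabled: false
 
  Style/Documentation:
  Enabled: false
 
- Metrics/MethodLength:
- Max: 50
+ Style/HashEachMethods:
+ Enabled: true
+
+ Style/HashTransformKeys:
+ Enabled: true
 
- Metrics/BlockLength:
- Max: 200
+ Style/HashTransformValues:
+ Enabled: true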
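Review bot: Replacing the per-cop ceilings `Metrics/MethodLength: Max: 50` and `Metrics/BlockLength: Max: 200` with a department-wide `Metrics: Enabled: false` also switches off every other metrics cop (AbcSize, CyclomaticComplexity and the rest) that the old config left enabled. If only the two length limits were getting in the way, keep them as `Metrics/MethodLength:` / `Max: 50` and `Metrics/BlockLength:` / `Max: 200` with raised values rather than disabling the whole department. The doubled blank lines after the `Lint/StructNewOverride` and `Metrics` entries look accidental.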
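--- /dev/null
+++ b/data/.ruby-version
@@ -0,0 +1 @@
+ 2.7.0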
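--- /dev/null
+++ b/data/Gemfile.lock
@@ -0,0 +1,83 @@
+ PATH
+ remote: .
+ specs:
+ quayio-scanner (0.3.1)
+ docker-api (~> 1.33)
+ rest-client (~> 2.1)
+ sensu-plugin (~> 4.0)
+
+ GEM
+ remote: https://rubygems.org/
+ specs:
+ ast (2.4.2)
+ diff-lcs (1.5.0)
+ docker-api (1.34.2)
+ excon (>= 0.47.0)
+ multi_json
+ domain_name (0.5.20190701)
+ unf (>= 0.0.5, < 1.0.0)
+ excon (0.92.3)
+ http-accept (1.7.0)
+ http-cookie (1.0.5)
+ domain_name (~> 0.5)
+ jaro_winkler (1.5.4)
+ json (2.6.2)
+ mime-types (3.4.1)
+ mime-types-data (~> 3.2015)
+ mime-types-data (3.2022.0105)
+ mixlib-cli (1.7.0)
+ multi_json (1.15.0)
+ netrc (0.11.0)
+ parallel (1.22.1)
+ parser (3.1.2.0)
+ ast (~> 2.4.1)
+ rainbow (3.1.1)
+ rake (13.0.6)
+ rest-client (2.1.0)
+ http-accept (>= 1.7.0, < 2.0)
+ http-cookie (>= 1.0.2, < 2.0)
+ mime-types (>= 1.16, < 4.0)
+ netrc (~> 0.8)
+ rexml (3.2.5)
+ rspec (3.11.0)
+ rspec-core (~> 3.11.0)
+ rspec-expectations (~> 3.11.0)
+ rspec-mocks (~> 3.11.0)
+ rspec-core (3.11.0)
+ rspec-support (~> 3.11.0)
+ rspec-expectations (3.11.0)
+ diff-lcs (>= 1.2.0, < 2.0)
+ rspec-support (~> 3.11.0)
+ rspec-mocks (3.11.1)
+ diff-lcs (>= 1.2.0, < 2.0)
+ rspec-support (~> 3.11.0)
+ rspec-support (3.11.0)
+ rubocop (0.81.0)
+ jaro_winkler (~> 1.5.1)
+ parallel (~> 1.10)
+ parser (>= 2.7.0.1)
+ rainbow (>= 2.2.2, < 4.0)
+ rexml
+ ruby-progressbar (~> 1.7)
+ unicode-display_width (>= 1.4.0, < 2.0)
+ ruby-progressbar (1.11.0)
+ sensu-plugin (4.0.0)
+ json (< 3.0.0)
+ mixlib-cli (~> 1.5)
+ unf (0.1.4)
+ unf_ext
+ unf_ext (0.0.8.2)
+ unicode-display_width (1.8.0)
+
+ PLATFORMS
+ ruby
+
+ DEPENDENCIES
+ bundler (~> 2.1)
+ quayio-scanner!
+ rake (~> 13.0)
+ rspec (~> 3.7)
+ rubocop (~> 0.49, <= 0.81)
+
+ BUNDLED WITH
+ 2.1.4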
@@ -0,0 +1,56 @@
1
+ Ruby is copyrighted free software by Yukihiro Matsumoto <matz@netlab.jp>.
2
+ You can redistribute it and/or modify it under either the terms of the
3
+ 2-clause BSDL (see the file BSDL), or the conditions below:
4
+
5
+ 1. You may make and give away verbatim copies of the source form of the
6
+ software without restriction, provided that you duplicate all of the
7
+ original copyright notices and associated disclaimers.
8
+
9
+ 2. You may modify your copy of the software in any way, provided that
10
+ you do at least ONE of the following:
11
+
12
+ a) place your modifications in the Public Domain or otherwise
13
+ make them Freely Available, such as by posting said
14
+ modifications to Usenet or an equivalent medium, or by allowing
15
+ the author to include your modifications in the software.
16
+
17
+ b) use the modified software only within your corporation or
18
+ organization.
19
+
20
+ c) give non-standard binaries non-standard names, with
21
+ instructions on where to get the original software distribution.
22
+
23
+ d) make other distribution arrangements with the author.
24
+
25
+ 3. You may distribute the software in object code or binary form,
26
+ provided that you do at least ONE of the following:
27
+
28
+ a) distribute the binaries and library files of the software,
29
+ together with instructions (in the manual page or equivalent)
30
+ on where to get the original distribution.
31
+
32
+ b) accompany the distribution with the machine-readable source of
33
+ the software.
34
+
35
+ c) give non-standard binaries non-standard names, with
36
+ instructions on where to get the original software distribution.
37
+
38
+ d) make other distribution arrangements with the author.
39
+
40
+ 4. You may modify and include the part of the software into any other
41
+ software (possibly commercial). But some files in the distribution
42
+ are not written by the author, so that they are not under these terms.
43
+
44
+ For the list of those files and their copying conditions, see the
45
+ file LEGAL.
46
+
47
+ 5. The scripts and library files supplied as input to or produced as
48
+ output from the software do not automatically fall under the
49
+ copyright of the software, but belong to whomever generated them,
50
+ and may be sold commercially, and may be aggregated with this
51
+ software.
52
+
53
+ 6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
54
+ IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
55
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
56
+ PURPOSE.
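--- a/data/README.md
+++ b/data/README.md
@@ -1,6 +1,7 @@
  # Quayio::Scanner
 
- Scan quay.io for vulnerabilties in running docker containers. Implemented as sensu check.
+ Quayio Scanner translates critical vulnerabilities in running docker containers
+ into Sensu check results to transform vulnerability scans into actionable alerts.
 
  ## Installation
 
@@ -18,11 +19,34 @@ Or install it yourself as:
 
  $ gem install quayio-scanner
 
+ ## USAGE
+
+ This plugin attempts to fetch vulnerabilities for all running containers
+
+ ### Parameters
+
+ | Parameter | Description |
+ |---------------|-------------------------|
+ | -d URL | Docker URL |
+ | -t TOKEN | Quay.io oauth token |
+ | -w WHITELIST | Vulnerability whitelist |
+
+ ### Example
+
+ $ check-container-vulnerabilities.rb --docker-url unix:///var/run/docker.sock --quayio-token AccessTokenGoesHere
+
  ## Contributing
 
  Bug reports and pull requests are welcome on GitHub at https://github.com/aboutsource/quayio-scanner.
 
-
  ## License
 
  The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+ ### json
+
+ Copyright 2019 - present [Florian Frank](mailto:flori@ping.de) - The gem [json](https://github.com/flori/json/) is distributed under the [Ruby License](LICENSE/json/LICENSE.txt).
+
+ ## Security
+
+ - [Snyk](https://app.snyk.io/org/about-source/project/6eb2d381-87e7-49c4-a47f-ccad97f33ae3)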
@@ -4,7 +4,7 @@
4
4
  #
5
5
  # DESCRIPTION:
6
6
  #
7
- # This plugin attempts to fetch vulnerabilties for all running containers
7
+ # This plugin attempts to fetch vulnerabilities for all running containers
8
8
  #
9
9
  # OUTPUT:
10
10
  # plain text
@@ -18,7 +18,8 @@
18
18
  # gem: rest-client
19
19
  #
20
20
  # USAGE:
21
- # ./check-container-vulnerabilities.rb -d <docker-url> -t <quay-io-oauth-token>
21
+ # ./check-container-vulnerabilities.rb \
22
+ # -d <docker-url> -t <quay-io-oauth-token>
22
23
  #
23
24
 
24
25
  require 'sensu-plugin/check/cli'
@@ -9,7 +9,10 @@ module Quayio
9
9
  if vulnerable_images.empty?
10
10
  [:ok, "#{containers.size} Containers are ok"]
11
11
  else
12
- [:critical, "The images are insecure: #{vulnerable_images.join(', ')}"]
12
+ [
13
+ :critical,
14
+ "The images are insecure: #{vulnerable_images.join(', ')}"
15
+ ]
13
16
  end
14
17
  end
15
18
 
@@ -2,7 +2,8 @@ module Quayio
2
2
  module Scanner
3
3
  class Image
4
4
  RELEVANT_SEVERITIES = %w[High Critical].freeze
5
- QUAY_IO_REPO_NAME = %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w\.-]+)}.freeze
5
+ QUAY_IO_REPO_NAME =
6
+ %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w.-]+)}.freeze
6
7
 
7
8
  attr_reader :name, :whitelist, :repository
8
9
 
@@ -24,7 +25,7 @@ module Quayio
24
25
 
25
26
  def quayio?
26
27
  # safe guard, do not trust QUAY_IO_REPO_NAME regex match
27
- !!name.match(%r{^quay.io\/})
28
+ name.match?(%r{^quay.io\/})
28
29
  end
29
30
 
30
31
  def scanned?
@@ -32,11 +33,12 @@ module Quayio
32
33
  end
33
34
 
34
35
  def vulnerabilities_present?
35
- !!raw_scan['data']['Layer']['Features'].detect do |f|
36
+ !raw_scan['data']['Layer']['Features'].detect do |f|
36
37
  f['Vulnerabilities']&.detect do |v|
37
- RELEVANT_SEVERITIES.include?(v['Severity']) && !whitelist.include?(v['Name'])
38
+ RELEVANT_SEVERITIES.include?(v['Severity']) &&\
39
+ !whitelist.include?(v['Name'])
38
40
  end
39
- end
41
+ end.nil?
40
42
  end
41
43
 
42
44
  def raw_scan
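Review bot: The `&&\` continuation in vulnerabilities_present? is redundant: a trailing `&&` already continues the expression in Ruby, and the backslash only adds a way for the line to break on stray trailing whitespace, so the pair should read `RELEVANT_SEVERITIES.include?(v['Severity']) &&` / `!whitelist.include?(v['Name'])`. Rewriting `!!detect { … }` as `!detect { … }.nil?` keeps the same result as long as `Features` holds hashes, since detect then only returns a feature hash or nil. The whitelist is matched on the vulnerability name alone, so one entry silences that finding for every image and tag the check inspects; if that is intended, a comment such as `# whitelist is global: a listed name is ignored for all images` above the include? call would make it explicit. The enclosing `Image` class opens before this hunk and `raw_scan` continues past it.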
@@ -6,19 +6,19 @@ module Quayio
6
6
  Repository = Struct.new(:quayio_token, :org, :repo, :tag) do
7
7
  MAX_ATTEMPTS = 5
8
8
 
9
- def id
10
- @id ||= fetch_id
11
- end
12
-
13
9
  def scan
14
- api_call("/image/#{id}/security?vulnerabilities=true")
10
+ api_call("/manifest/#{manifest_ref}/security?vulnerabilities=true")
15
11
  end
16
12
 
17
13
  private
18
14
 
19
- def fetch_id
20
- result = api_call("/tag/#{tag}/images")
21
- (result['images'].first)['id']
15
+ def manifest_ref
16
+ @manifest_ref ||= fetch_manifest_ref
17
+ end
18
+
19
+ def fetch_manifest_ref
20
+ result = api_call("/tag/?specificTag=#{tag}&onlyActiveTags=1")
21
+ result['tags'].first['manifest_digest']
22
22
  end
23
23
 
24
24
  def api_call(uri)
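Review bot: `fetch_manifest_ref` indexes `result['tags'].first['manifest_digest']` without checking that the tag lookup returned anything, so a tag that no longer exists or is inactive on quay.io surfaces as a NoMethodError on nil instead of a clear error; guard it with `tag_info = result['tags']&.first` / `raise "no active quay.io tag #{tag} for #{org}/#{repo}" unless tag_info` / `tag_info['manifest_digest']`. The removed `fetch_id` had the same gap, so this is pre-existing, but it is worth closing while the method is being rewritten. A comment on `scan` should also record that the manifest is resolved from the tag at check time, so if the tag has been re-pointed since the container started, the report describes the tag's current target rather than the layers actually running; the code that derives the tag is outside this diff, so I cannot tell whether the running digest is compared anywhere. `tag` is interpolated into the query string unescaped, which is fine if it is constrained by the `QUAY_IO_REPO_NAME` character class and otherwise should go through `CGI.escape`. `api_call` starts on the last line of the hunk and continues outside it.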
@@ -1,5 +1,5 @@
1
1
  module Quayio
2
2
  module Scanner
3
- VERSION = '0.2.2'.freeze
3
+ VERSION = '0.3.1'.freeze
4
4
  end
5
5
  end
@@ -8,7 +8,8 @@ Gem::Specification.new do |spec|
8
8
  spec.authors = ['Benjamin Meichsner']
9
9
  spec.email = ['benjamin.meichsner@aboutsource.net']
10
10
 
11
- spec.summary = 'Scan quay.io for vulnerabilties in running docker containers.'
11
+ spec.summary = 'Scan quay.io for vulnerabilities in '\
12
+ 'running docker containers.'
12
13
  spec.homepage = 'https://github.com/aboutsource/quayio-scanner'
13
14
  spec.license = 'MIT'
14
15
 
@@ -17,14 +18,14 @@ Gem::Specification.new do |spec|
17
18
  spec.files = `git ls-files -z`.split("\x0").reject do |f|
18
19
  f.match(%r{^(test|spec|features)/})
19
20
  end
20
- spec.executables = Dir.glob('bin/**/*.rb').map { |file| File.basename(file) }
21
+ spec.executables = Dir.glob('bin/**/*.rb').map { |f| File.basename(f) }
21
22
  spec.require_paths = ['lib']
22
23
 
23
24
  spec.add_dependency 'docker-api', '~> 1.33'
24
25
  spec.add_dependency 'rest-client', '~> 2.1'
25
26
  spec.add_dependency 'sensu-plugin', '~> 4.0'
26
- spec.add_development_dependency 'bundler', '~> 2.2'
27
- spec.add_development_dependency 'rake', '~> 10.0'
27
+ spec.add_development_dependency 'bundler', '~> 2.1'
28
+ spec.add_development_dependency 'rake', '~> 13.0'
28
29
  spec.add_development_dependency 'rspec', '~> 3.7'
29
- spec.add_development_dependency 'rubocop', '~> 0.49'
30
+ spec.add_development_dependency 'rubocop', '~> 0.49', '<= 0.81'
30
31
  end
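--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: quayio-scanner
  version: !ruby/object:Gem::Version
- version: 0.2.2
+ version: 0.3.1
  platform: ruby
  authors:
  - Benjamin Meichsner
- autorequire:
+ autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-07-14 00:00:00.000000000 Z
+ date: 2022-05-31 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: docker-api
@@ -58,28 +58,28 @@ dependencies:
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: '2.2'
+ version: '2.1'
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: '2.2'
+ version: '2.1'
  - !ruby/object:Gem::Dependency
  name: rake
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: '10.0'
+ version: '13.0'
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: '10.0'
+ version: '13.0'
  - !ruby/object:Gem::Dependency
  name: rspec
  requirement: !ruby/object:Gem::Requirement
@@ -101,6 +101,9 @@ dependencies:
  - - "~>"
  - !ruby/object:Gem::Version
  version: '0.49'
+ - - "<="
+ - !ruby/object:Gem::Version
+ version: '0.81'
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
@@ -108,7 +111,10 @@ dependencies:
  - - "~>"
  - !ruby/object:Gem::Version
  version: '0.49'
- description:
+ - - "<="
+ - !ruby/object:Gem::Version
+ version: '0.81'
+ description:
  email:
  - benjamin.meichsner@aboutsource.net
  executables:
@@ -118,8 +124,11 @@ extra_rdoc_files: []
  files:
  - ".gitignore"
  - ".rubocop.yml"
+ - ".ruby-version"
  - Gemfile
+ - Gemfile.lock
  - LICENSE.txt
+ - LICENSE/json/LICENSE.txt
  - README.md
  - Rakefile
  - bin/check-container-vulnerabilities.rb
@@ -133,7 +142,7 @@ homepage: https://github.com/aboutsource/quayio-scanner
  licenses:
  - MIT
  metadata: {}
- post_install_message:
+ post_install_message:
  rdoc_options: []
  require_paths:
  - lib
@@ -148,8 +157,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.2.21
- signing_key:
+ rubygems_version: 3.1.2
+ signing_key:
  specification_version: 4
- summary: Scan quay.io for vulnerabilties in running docker containers.
+ summary: Scan quay.io for vulnerabilities in running docker containers.
  test_files: []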