quayio-scanner 0.2.2 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9682167dd4f87703d927a236079beb847abd6d787e1e95b63e9517c8e79572cf
-  data.tar.gz: 37b75014b47d09dc7ccd293526a98b90d3d7ef81d8daa4302da1f24dbf51a441
+  metadata.gz: 5c3eabc5c737c5a7e3e6c104f221de20f4dc1be4e91bb54241f308f5367b84c5
+  data.tar.gz: 457e6d878eb67842929377ffe54589efe832335275c4a0ef0ea5845ea9d68fd0
 SHA512:
-  metadata.gz: 27ae72de19649c10f00d11e6dc461c5aea63cdb98449039354fc8345686f6def8c984ae6a6f6cf1a3ea24034a04fe1a229bfa078ea21bbae261f1c268373f9a6
-  data.tar.gz: 79915aaeb679343ad481d0a1b1171bb3c6a62bb841ffe657fbe18ac57550310eecfe2c9ce33b069313564f5a0ce581283e1d70aec38d1f74b528c05876994c53
+  metadata.gz: a89b445dfb42e088056cfa4b07634eb7fab13b5d7a5d342a39188f660e8b7da7f521d04b76540c084f59b364b7af322ae3718d017c56c100a556e9baffa8231c
+  data.tar.gz: e459485a56218b2305bfe7294f2936fba44cb1d063ac0951060290a5c77e6ad8aaa341e2ffa1dd4e0dcab13583ff64cda96e861ccac0ed6f3be030fdb308e2e0

data/.gitignore

@@ -1,6 +1,5 @@
 /.bundle/
 /.yardoc
-/Gemfile.lock
 /_yardoc/
 /coverage/
 /doc/

data/.rubocop.yml

@@ -1,14 +1,28 @@
 AllCops:
   TargetRubyVersion: 2.3
 
+Lint/RaiseException:
+  Enabled: true
+
+Lint/StructNewOverride:
+  Enabled: true
+
+
+Metrics:
+  Enabled: false
+
+
 Style/FrozenStringLiteralComment:
   Enabled: false
 
 Style/Documentation:
   Enabled: false
 
-Metrics/MethodLength:
-  Max: 50
+Style/HashEachMethods:
+  Enabled: true
+
+Style/HashTransformKeys:
+  Enabled: true
 
-Metrics/BlockLength:
-  Max: 200
+Style/HashTransformValues:
+  Enabled: true

data/.ruby-version

@@ -0,0 +1 @@
+2.7.0

data/Gemfile.lock

@@ -0,0 +1,83 @@
+PATH
+  remote: .
+  specs:
+    quayio-scanner (0.3.1)
+      docker-api (~> 1.33)
+      rest-client (~> 2.1)
+      sensu-plugin (~> 4.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.2)
+    diff-lcs (1.5.0)
+    docker-api (1.34.2)
+      excon (>= 0.47.0)
+      multi_json
+    domain_name (0.5.20190701)
+      unf (>= 0.0.5, < 1.0.0)
+    excon (0.92.3)
+    http-accept (1.7.0)
+    http-cookie (1.0.5)
+      domain_name (~> 0.5)
+    jaro_winkler (1.5.4)
+    json (2.6.2)
+    mime-types (3.4.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2022.0105)
+    mixlib-cli (1.7.0)
+    multi_json (1.15.0)
+    netrc (0.11.0)
+    parallel (1.22.1)
+    parser (3.1.2.0)
+      ast (~> 2.4.1)
+    rainbow (3.1.1)
+    rake (13.0.6)
+    rest-client (2.1.0)
+      http-accept (>= 1.7.0, < 2.0)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 4.0)
+      netrc (~> 0.8)
+    rexml (3.2.5)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.11.0)
+    rspec-mocks (3.11.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.0)
+    rubocop (0.81.0)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.7.0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      rexml
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    ruby-progressbar (1.11.0)
+    sensu-plugin (4.0.0)
+      json (< 3.0.0)
+      mixlib-cli (~> 1.5)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.8.2)
+    unicode-display_width (1.8.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 2.1)
+  quayio-scanner!
+  rake (~> 13.0)
+  rspec (~> 3.7)
+  rubocop (~> 0.49, <= 0.81)
+
+BUNDLED WITH
+   2.1.4

data/LICENSE/json/LICENSE.txt

@@ -0,0 +1,56 @@
+Ruby is copyrighted free software by Yukihiro Matsumoto <matz@netlab.jp>.
+You can redistribute it and/or modify it under either the terms of the
+2-clause BSDL (see the file BSDL), or the conditions below:
+
+  1. You may make and give away verbatim copies of the source form of the
+     software without restriction, provided that you duplicate all of the
+     original copyright notices and associated disclaimers.
+
+  2. You may modify your copy of the software in any way, provided that
+     you do at least ONE of the following:
+
+       a) place your modifications in the Public Domain or otherwise
+          make them Freely Available, such as by posting said
+	  modifications to Usenet or an equivalent medium, or by allowing
+	  the author to include your modifications in the software.
+
+       b) use the modified software only within your corporation or
+          organization.
+
+       c) give non-standard binaries non-standard names, with
+          instructions on where to get the original software distribution.
+
+       d) make other distribution arrangements with the author.
+
+  3. You may distribute the software in object code or binary form,
+     provided that you do at least ONE of the following:
+
+       a) distribute the binaries and library files of the software,
+	  together with instructions (in the manual page or equivalent)
+	  on where to get the original distribution.
+
+       b) accompany the distribution with the machine-readable source of
+	  the software.
+
+       c) give non-standard binaries non-standard names, with
+          instructions on where to get the original software distribution.
+
+       d) make other distribution arrangements with the author.
+
+  4. You may modify and include the part of the software into any other
+     software (possibly commercial).  But some files in the distribution
+     are not written by the author, so that they are not under these terms.
+
+     For the list of those files and their copying conditions, see the
+     file LEGAL.
+
+  5. The scripts and library files supplied as input to or produced as
+     output from the software do not automatically fall under the
+     copyright of the software, but belong to whomever generated them,
+     and may be sold commercially, and may be aggregated with this
+     software.
+
+  6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+     IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+     WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+     PURPOSE.

data/README.md

@@ -1,6 +1,7 @@
 # Quayio::Scanner
 
-Scan quay.io for vulnerabilties in running docker containers. Implemented as sensu check.
+Quayio Scanner translates critical vulnerabilities in running docker containers
+into Sensu check results to transform vulnerability scans into actionable alerts.
 
 ## Installation
 
@@ -18,11 +19,34 @@ Or install it yourself as:
 
     $ gem install quayio-scanner
 
+## USAGE
+
+This plugin attempts to fetch vulnerabilities for all running containers
+
+### Parameters
+
+| Parameter     | Description             |
+|---------------|-------------------------|
+| -d URL        | Docker URL              |
+| -t TOKEN      | Quay.io oauth token     |
+| -w WHITELIST  | Vulnerability whitelist |
+
+### Example
+
+    $ check-container-vulnerabilities.rb --docker-url unix:///var/run/docker.sock --quayio-token AccessTokenGoesHere
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/aboutsource/quayio-scanner.
 
-
 ## License
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+### json
+
+Copyright 2019 - present [Florian Frank](mailto:flori@ping.de) - The gem [json](https://github.com/flori/json/) is distributed under the [Ruby License](LICENSE/json/LICENSE.txt).
+
+## Security
+
+- [Snyk](https://app.snyk.io/org/about-source/project/6eb2d381-87e7-49c4-a47f-ccad97f33ae3)

data/bin/check-container-vulnerabilities.rb

@@ -4,7 +4,7 @@
 #
 # DESCRIPTION:
 #
-#   This plugin attempts to fetch vulnerabilties for all running containers
+#   This plugin attempts to fetch vulnerabilities for all running containers
 #
 # OUTPUT:
 #   plain text
@@ -18,7 +18,8 @@
 #   gem: rest-client
 #
 # USAGE:
-#   ./check-container-vulnerabilities.rb -d <docker-url> -t <quay-io-oauth-token>
+#   ./check-container-vulnerabilities.rb \
+#     -d <docker-url> -t <quay-io-oauth-token>
 #
 
 require 'sensu-plugin/check/cli'

data/lib/quayio/scanner/check.rb

@@ -9,7 +9,10 @@ module Quayio
         if vulnerable_images.empty?
           [:ok, "#{containers.size} Containers are ok"]
         else
-          [:critical, "The images are insecure: #{vulnerable_images.join(', ')}"]
+          [
+            :critical,
+            "The images are insecure: #{vulnerable_images.join(', ')}"
+          ]
         end
       end
 

data/lib/quayio/scanner/image.rb

@@ -2,7 +2,8 @@ module Quayio
   module Scanner
     class Image
       RELEVANT_SEVERITIES = %w[High Critical].freeze
-      QUAY_IO_REPO_NAME = %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w\.-]+)}.freeze
+      QUAY_IO_REPO_NAME =
+        %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w.-]+)}.freeze
 
       attr_reader :name, :whitelist, :repository
 
@@ -24,7 +25,7 @@ module Quayio
 
       def quayio?
         # safe guard, do not trust QUAY_IO_REPO_NAME regex match
-        !!name.match(%r{^quay.io\/})
+        name.match?(%r{^quay.io\/})
       end
 
       def scanned?
@@ -32,11 +33,12 @@ module Quayio
       end
 
       def vulnerabilities_present?
-        !!raw_scan['data']['Layer']['Features'].detect do |f|
+        !raw_scan['data']['Layer']['Features'].detect do |f|
           f['Vulnerabilities']&.detect do |v|
-            RELEVANT_SEVERITIES.include?(v['Severity']) && !whitelist.include?(v['Name'])
+            RELEVANT_SEVERITIES.include?(v['Severity']) &&\
+            !whitelist.include?(v['Name'])
           end
-        end
+        end.nil?
       end
 
       def raw_scan

data/lib/quayio/scanner/repository.rb

@@ -6,19 +6,19 @@ module Quayio
     Repository = Struct.new(:quayio_token, :org, :repo, :tag) do
       MAX_ATTEMPTS = 5
 
-      def id
-        @id ||= fetch_id
-      end
-
       def scan
-        api_call("/image/#{id}/security?vulnerabilities=true")
+        api_call("/manifest/#{manifest_ref}/security?vulnerabilities=true")
       end
 
       private
 
-      def fetch_id
-        result = api_call("/tag/#{tag}/images")
-        (result['images'].first)['id']
+      def manifest_ref
+        @manifest_ref ||= fetch_manifest_ref
+      end
+
+      def fetch_manifest_ref
+        result = api_call("/tag/?specificTag=#{tag}&onlyActiveTags=1")
+        result['tags'].first['manifest_digest']
       end
 
       def api_call(uri)

data/lib/quayio/scanner/version.rb

@@ -1,5 +1,5 @@
 module Quayio
   module Scanner
-    VERSION = '0.2.2'.freeze
+    VERSION = '0.3.1'.freeze
   end
 end

data/quayio-scanner.gemspec

@@ -8,7 +8,8 @@ Gem::Specification.new do |spec|
   spec.authors       = ['Benjamin Meichsner']
   spec.email         = ['benjamin.meichsner@aboutsource.net']
 
-  spec.summary       = 'Scan quay.io for vulnerabilties in running docker containers.'
+  spec.summary       = 'Scan quay.io for vulnerabilities in '\
+                       'running docker containers.'
   spec.homepage      = 'https://github.com/aboutsource/quayio-scanner'
   spec.license       = 'MIT'
 
@@ -17,14 +18,14 @@ Gem::Specification.new do |spec|
   spec.files = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
   end
-  spec.executables   = Dir.glob('bin/**/*.rb').map { |file| File.basename(file) }
+  spec.executables   = Dir.glob('bin/**/*.rb').map { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
   spec.add_dependency 'docker-api', '~> 1.33'
   spec.add_dependency 'rest-client', '~> 2.1'
   spec.add_dependency 'sensu-plugin', '~> 4.0'
-  spec.add_development_dependency 'bundler', '~> 2.2'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'bundler', '~> 2.1'
+  spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3.7'
-  spec.add_development_dependency 'rubocop', '~> 0.49'
+  spec.add_development_dependency 'rubocop', '~> 0.49', '<= 0.81'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quayio-scanner
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.1
 platform: ruby
 authors:
 - Benjamin Meichsner
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-14 00:00:00.000000000 Z
+date: 2022-05-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: docker-api
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -101,6 +101,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.49'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '0.81'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -108,7 +111,10 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.49'
-description:
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '0.81'
+description: 
 email:
 - benjamin.meichsner@aboutsource.net
 executables:
@@ -118,8 +124,11 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rubocop.yml"
+- ".ruby-version"
 - Gemfile
+- Gemfile.lock
 - LICENSE.txt
+- LICENSE/json/LICENSE.txt
 - README.md
 - Rakefile
 - bin/check-container-vulnerabilities.rb
@@ -133,7 +142,7 @@ homepage: https://github.com/aboutsource/quayio-scanner
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -148,8 +157,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.21
-signing_key:
+rubygems_version: 3.1.2
+signing_key: 
 specification_version: 4
-summary: Scan quay.io for vulnerabilties in running docker containers.
+summary: Scan quay.io for vulnerabilities in running docker containers.
 test_files: []