quayio-scanner 0.2.3 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec3e0ce31e72f8fb58ce5bb62ec17af8395f8cbb0dfe6825bd8409e8388167a3
-  data.tar.gz: af37eec22d47077ad5c6cdb761b18071864ab628d459b15ed7130c645a09edc4
+  metadata.gz: 15795d58c96f27ce19472584bd56fecdc49f11c833e2521df12ae54544cdaaec
+  data.tar.gz: ee7a1307813f90b2631086f55e51f991310329e19a6a12dd22c2badcdf577711
 SHA512:
-  metadata.gz: 194cca2abb4781442a8730a9ad0afb5097bc0e63d9dcd1a4c1dc0c92c6832af5020fd3e8dceb44fa5cd9c56da8bff986669146cd2ba8c141c165203fa5d09ee2
-  data.tar.gz: 4ac42a474343fae8c5ce01141cf85ebf514a3d37050fc93f28f7cb5202c231ab1976b94112f7aff278a00c3fac3082a7f1f454e0291ac60b9e7be764689a8d1c
+  metadata.gz: 8f1f0cff0ea95d5488a32fa52f4c206f8a3674f324319aaeed46fb8545c76d9bda0caeab5dccefc718e596a35e7054bea8d66a5f4cc601695f015baec335a2f2
+  data.tar.gz: 86d43813af9825fe5f6129e25b1547050e53a8fc493bb05b3fa1045c616f9b9085b50728fd3e3d0ef4fbfea92b324054d5d3e32e2b0c2b8c57e529c90b5757a2

data/.rubocop.yml

@@ -1,14 +1,28 @@
 AllCops:
   TargetRubyVersion: 2.3
 
+Lint/RaiseException:
+  Enabled: true
+
+Lint/StructNewOverride:
+  Enabled: true
+
+
+Metrics:
+  Enabled: false
+
+
 Style/FrozenStringLiteralComment:
   Enabled: false
 
 Style/Documentation:
   Enabled: false
 
-Metrics/MethodLength:
-  Max: 50
+Style/HashEachMethods:
+  Enabled: true
+
+Style/HashTransformKeys:
+  Enabled: true
 
-Metrics/BlockLength:
-  Max: 200
+Style/HashTransformValues:
+  Enabled: true

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    quayio-scanner (0.2.3)
+    quayio-scanner (0.3.2)
       docker-api (~> 1.33)
       rest-client (~> 2.1)
       sensu-plugin (~> 4.0)
@@ -9,78 +9,75 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    ast (2.4.1)
-    diff-lcs (1.4.4)
+    ast (2.4.2)
+    diff-lcs (1.5.0)
     docker-api (1.34.2)
       excon (>= 0.47.0)
       multi_json
     domain_name (0.5.20190701)
       unf (>= 0.0.5, < 1.0.0)
-    excon (0.85.0)
+    excon (0.92.3)
     http-accept (1.7.0)
-    http-cookie (1.0.4)
+    http-cookie (1.0.5)
       domain_name (~> 0.5)
-    json (2.5.1)
-    mime-types (3.3.1)
+    jaro_winkler (1.5.4)
+    json (2.6.2)
+    mime-types (3.4.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2021.0704)
+    mime-types-data (3.2022.0105)
     mixlib-cli (1.7.0)
     multi_json (1.15.0)
     netrc (0.11.0)
-    parallel (1.19.2)
-    parser (2.7.2.0)
+    parallel (1.22.1)
+    parser (3.1.2.0)
       ast (~> 2.4.1)
-    rainbow (3.0.0)
-    rake (10.5.0)
-    regexp_parser (1.8.2)
+    rainbow (3.1.1)
+    rake (13.0.6)
     rest-client (2.1.0)
       http-accept (>= 1.7.0, < 2.0)
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
-    rexml (3.2.4)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.3)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.3)
+    rexml (3.2.5)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.11.0)
+    rspec-mocks (3.11.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.4)
-    rubocop (0.93.1)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.0)
+    rubocop (0.81.0)
+      jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
-      parser (>= 2.7.1.5)
+      parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8)
       rexml
-      rubocop-ast (>= 0.6.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (1.1.0)
-      parser (>= 2.7.1.5)
-    ruby-progressbar (1.10.1)
+    ruby-progressbar (1.11.0)
     sensu-plugin (4.0.0)
       json (< 3.0.0)
       mixlib-cli (~> 1.5)
     unf (0.1.4)
       unf_ext
-    unf_ext (0.0.7.7)
-    unicode-display_width (1.7.0)
+    unf_ext (0.0.8.2)
+    unicode-display_width (1.8.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 2.2)
+  bundler (~> 2.1)
   quayio-scanner!
-  rake (~> 10.0)
+  rake (~> 13.0)
   rspec (~> 3.7)
-  rubocop (~> 0.49)
+  rubocop (~> 0.49, <= 0.81)
 
 BUNDLED WITH
-   2.2.23
+   2.1.4

data/LICENSE/json/LICENSE.txt

@@ -0,0 +1,56 @@
+Ruby is copyrighted free software by Yukihiro Matsumoto <matz@netlab.jp>.
+You can redistribute it and/or modify it under either the terms of the
+2-clause BSDL (see the file BSDL), or the conditions below:
+
+  1. You may make and give away verbatim copies of the source form of the
+     software without restriction, provided that you duplicate all of the
+     original copyright notices and associated disclaimers.
+
+  2. You may modify your copy of the software in any way, provided that
+     you do at least ONE of the following:
+
+       a) place your modifications in the Public Domain or otherwise
+          make them Freely Available, such as by posting said
+	  modifications to Usenet or an equivalent medium, or by allowing
+	  the author to include your modifications in the software.
+
+       b) use the modified software only within your corporation or
+          organization.
+
+       c) give non-standard binaries non-standard names, with
+          instructions on where to get the original software distribution.
+
+       d) make other distribution arrangements with the author.
+
+  3. You may distribute the software in object code or binary form,
+     provided that you do at least ONE of the following:
+
+       a) distribute the binaries and library files of the software,
+	  together with instructions (in the manual page or equivalent)
+	  on where to get the original distribution.
+
+       b) accompany the distribution with the machine-readable source of
+	  the software.
+
+       c) give non-standard binaries non-standard names, with
+          instructions on where to get the original software distribution.
+
+       d) make other distribution arrangements with the author.
+
+  4. You may modify and include the part of the software into any other
+     software (possibly commercial).  But some files in the distribution
+     are not written by the author, so that they are not under these terms.
+
+     For the list of those files and their copying conditions, see the
+     file LEGAL.
+
+  5. The scripts and library files supplied as input to or produced as
+     output from the software do not automatically fall under the
+     copyright of the software, but belong to whomever generated them,
+     and may be sold commercially, and may be aggregated with this
+     software.
+
+  6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+     IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+     WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+     PURPOSE.

data/README.md

@@ -1,6 +1,7 @@
 # Quayio::Scanner
 
-Scan quay.io for vulnerabilties in running docker containers. Implemented as sensu check.
+Quayio Scanner translates critical vulnerabilities in running docker containers
+into Sensu check results to transform vulnerability scans into actionable alerts.
 
 ## Installation
 
@@ -18,15 +19,34 @@ Or install it yourself as:
 
     $ gem install quayio-scanner
 
+## USAGE
+
+This plugin attempts to fetch vulnerabilities for all running containers
+
+### Parameters
+
+| Parameter     | Description             |
+|---------------|-------------------------|
+| -d URL        | Docker URL              |
+| -t TOKEN      | Quay.io oauth token     |
+| -w WHITELIST  | Vulnerability whitelist |
+
+### Example
+
+    $ check-container-vulnerabilities.rb --docker-url unix:///var/run/docker.sock --quayio-token AccessTokenGoesHere
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/aboutsource/quayio-scanner.
 
-
 ## License
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
 
+### json
+
+Copyright 2019 - present [Florian Frank](mailto:flori@ping.de) - The gem [json](https://github.com/flori/json/) is distributed under the [Ruby License](LICENSE/json/LICENSE.txt).
+
 ## Security
 
-* [Snyk](https://app.snyk.io/org/about-source/project/6eb2d381-87e7-49c4-a47f-ccad97f33ae3)
+- [Snyk](https://app.snyk.io/org/about-source/project/6eb2d381-87e7-49c4-a47f-ccad97f33ae3)

data/bin/check-container-vulnerabilities.rb

@@ -4,7 +4,7 @@
 #
 # DESCRIPTION:
 #
-#   This plugin attempts to fetch vulnerabilties for all running containers
+#   This plugin attempts to fetch vulnerabilities for all running containers
 #
 # OUTPUT:
 #   plain text
@@ -18,7 +18,8 @@
 #   gem: rest-client
 #
 # USAGE:
-#   ./check-container-vulnerabilities.rb -d <docker-url> -t <quay-io-oauth-token>
+#   ./check-container-vulnerabilities.rb \
+#     -d <docker-url> -t <quay-io-oauth-token>
 #
 
 require 'sensu-plugin/check/cli'

data/lib/quayio/scanner/check.rb

@@ -9,7 +9,10 @@ module Quayio
         if vulnerable_images.empty?
           [:ok, "#{containers.size} Containers are ok"]
         else
-          [:critical, "The images are insecure: #{vulnerable_images.join(', ')}"]
+          [
+            :critical,
+            "The images are insecure: #{vulnerable_images.join(', ')}"
+          ]
         end
       end
 

data/lib/quayio/scanner/image.rb

@@ -2,7 +2,8 @@ module Quayio
   module Scanner
     class Image
       RELEVANT_SEVERITIES = %w[High Critical].freeze
-      QUAY_IO_REPO_NAME = %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w\.-]+)}.freeze
+      QUAY_IO_REPO_NAME =
+        %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w.-]+)}.freeze
 
       attr_reader :name, :whitelist, :repository
 
@@ -24,7 +25,7 @@ module Quayio
 
       def quayio?
         # safe guard, do not trust QUAY_IO_REPO_NAME regex match
-        !!name.match(%r{^quay.io\/})
+        !name.match(%r{^quay.io\/}).nil?
       end
 
       def scanned?
@@ -32,11 +33,12 @@ module Quayio
       end
 
       def vulnerabilities_present?
-        !!raw_scan['data']['Layer']['Features'].detect do |f|
+        !raw_scan['data']['Layer']['Features'].detect do |f|
           f['Vulnerabilities']&.detect do |v|
-            RELEVANT_SEVERITIES.include?(v['Severity']) && !whitelist.include?(v['Name'])
+            RELEVANT_SEVERITIES.include?(v['Severity']) && \
+              !whitelist.include?(v['Name'])
           end
-        end
+        end.nil?
       end
 
       def raw_scan

data/lib/quayio/scanner/repository.rb

@@ -6,19 +6,19 @@ module Quayio
     Repository = Struct.new(:quayio_token, :org, :repo, :tag) do
       MAX_ATTEMPTS = 5
 
-      def id
-        @id ||= fetch_id
-      end
-
       def scan
-        api_call("/image/#{id}/security?vulnerabilities=true")
+        api_call("/manifest/#{manifest_ref}/security?vulnerabilities=true")
       end
 
       private
 
-      def fetch_id
-        result = api_call("/tag/#{tag}/images")
-        (result['images'].first)['id']
+      def manifest_ref
+        @manifest_ref ||= fetch_manifest_ref
+      end
+
+      def fetch_manifest_ref
+        result = api_call("/tag/?specificTag=#{tag}&onlyActiveTags=1")
+        result['tags'].first['manifest_digest']
       end
 
       def api_call(uri)

data/lib/quayio/scanner/version.rb

@@ -1,5 +1,5 @@
 module Quayio
   module Scanner
-    VERSION = '0.2.3'.freeze
+    VERSION = '0.3.2'.freeze
   end
 end

data/quayio-scanner.gemspec

@@ -8,7 +8,8 @@ Gem::Specification.new do |spec|
   spec.authors       = ['Benjamin Meichsner']
   spec.email         = ['benjamin.meichsner@aboutsource.net']
 
-  spec.summary       = 'Scan quay.io for vulnerabilties in running docker containers.'
+  spec.summary       = 'Scan quay.io for vulnerabilities in '\
+                       'running docker containers.'
   spec.homepage      = 'https://github.com/aboutsource/quayio-scanner'
   spec.license       = 'MIT'
 
@@ -17,14 +18,14 @@ Gem::Specification.new do |spec|
   spec.files = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
   end
-  spec.executables   = Dir.glob('bin/**/*.rb').map { |file| File.basename(file) }
+  spec.executables   = Dir.glob('bin/**/*.rb').map { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
   spec.add_dependency 'docker-api', '~> 1.33'
   spec.add_dependency 'rest-client', '~> 2.1'
   spec.add_dependency 'sensu-plugin', '~> 4.0'
-  spec.add_development_dependency 'bundler', '~> 2.2'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'bundler', '~> 2.1'
+  spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3.7'
-  spec.add_development_dependency 'rubocop', '~> 0.49'
+  spec.add_development_dependency 'rubocop', '~> 0.49', '<= 0.81'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quayio-scanner
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.3.2
 platform: ruby
 authors:
 - Benjamin Meichsner
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-08-03 00:00:00.000000000 Z
+date: 2022-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: docker-api
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -101,6 +101,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.49'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '0.81'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -108,6 +111,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.49'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '0.81'
 description: 
 email:
 - benjamin.meichsner@aboutsource.net
@@ -122,6 +128,7 @@ files:
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
+- LICENSE/json/LICENSE.txt
 - README.md
 - Rakefile
 - bin/check-container-vulnerabilities.rb
@@ -153,5 +160,5 @@ requirements: []
 rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
-summary: Scan quay.io for vulnerabilties in running docker containers.
+summary: Scan quay.io for vulnerabilities in running docker containers.
 test_files: []