quayio-scanner 0.2.3 → 0.3.2

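--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: ec3e0ce31e72f8fb58ce5bb62ec17af8395f8cbb0dfe6825bd8409e8388167a3
-data.tar.gz: af37eec22d47077ad5c6cdb761b18071864ab628d459b15ed7130c645a09edc4
+metadata.gz: 15795d58c96f27ce19472584bd56fecdc49f11c833e2521df12ae54544cdaaec
+data.tar.gz: ee7a1307813f90b2631086f55e51f991310329e19a6a12dd22c2badcdf577711
 SHA512:
-metadata.gz: 194cca2abb4781442a8730a9ad0afb5097bc0e63d9dcd1a4c1dc0c92c6832af5020fd3e8dceb44fa5cd9c56da8bff986669146cd2ba8c141c165203fa5d09ee2
-data.tar.gz: 4ac42a474343fae8c5ce01141cf85ebf514a3d37050fc93f28f7cb5202c231ab1976b94112f7aff278a00c3fac3082a7f1f454e0291ac60b9e7be764689a8d1c
+metadata.gz: 8f1f0cff0ea95d5488a32fa52f4c206f8a3674f324319aaeed46fb8545c76d9bda0caeab5dccefc718e596a35e7054bea8d66a5f4cc601695f015baec335a2f2
+data.tar.gz: 86d43813af9825fe5f6129e25b1547050e53a8fc493bb05b3fa1045c616f9b9085b50728fd3e3d0ef4fbfea92b324054d5d3e32e2b0c2b8c57e529c90b5757a2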
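--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -1,14 +1,28 @@
 AllCops:
 TargetRubyVersion: 2.3
 
+Lint/RaiseException:
+Enabled: true
+
+Lint/StructNewOverride:
+Enabled: true
+
+
+Metrics:
+Enabled: false
+
+
 Style/FrozenStringLiteralComment:
 Enabled: false
 
 Style/Documentation:
 Enabled: false
 
-Metrics/MethodLength:
-Max: 50
+Style/HashEachMethods:
+Enabled: true
+
+Style/HashTransformKeys:
+Enabled: true
 
-Metrics/BlockLength:
-Max: 200
+Style/HashTransformValues:
+Enabled: true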
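Review bot: `Metrics:` / `Enabled: false` switches off the whole Metrics department, whereas the removed lines only raised the limits of `Metrics/MethodLength` and `Metrics/BlockLength`; every other cop in that department (`Metrics/AbcSize`, `Metrics/CyclomaticComplexity`, and so on) is lost with it. If the aim is only to keep those two from failing, disable them individually, e.g. `Metrics/MethodLength:` / `  Enabled: false`, or keep the old `Max` values. The newly listed `Lint/RaiseException`, `Lint/StructNewOverride` and the three `Style/Hash*` cops are pending cops that have to be enabled explicitly on rubocop 0.80/0.81, so these entries look tied to the `<= 0.81` pin in the gemspec; a one-line comment saying so would keep the two files from drifting apart. The doubled blank lines after `Lint/StructNewOverride` and after `Metrics` are also out of step with the single blank line used elsewhere in the file.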
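--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-quayio-scanner (0.2.3)
+quayio-scanner (0.3.2)
 docker-api (~> 1.33)
 rest-client (~> 2.1)
 sensu-plugin (~> 4.0)
@@ -9,78 +9,75 @@ PATH
 GEM
 remote: https://rubygems.org/
 specs:
-ast (2.4.1)
-diff-lcs (1.4.4)
+ast (2.4.2)
+diff-lcs (1.5.0)
 docker-api (1.34.2)
 excon (>= 0.47.0)
 multi_json
 domain_name (0.5.20190701)
 unf (>= 0.0.5, < 1.0.0)
-excon (0.85.0)
+excon (0.92.3)
 http-accept (1.7.0)
-http-cookie (1.0.4)
+http-cookie (1.0.5)
 domain_name (~> 0.5)
-json (2.5.1)
-mime-types (3.3.1)
+jaro_winkler (1.5.4)
+json (2.6.2)
+mime-types (3.4.1)
 mime-types-data (~> 3.2015)
-mime-types-data (3.2021.0704)
+mime-types-data (3.2022.0105)
 mixlib-cli (1.7.0)
 multi_json (1.15.0)
 netrc (0.11.0)
-parallel (1.19.2)
-parser (2.7.2.0)
+parallel (1.22.1)
+parser (3.1.2.0)
 ast (~> 2.4.1)
-rainbow (3.0.0)
-rake (10.5.0)
-regexp_parser (1.8.2)
+rainbow (3.1.1)
+rake (13.0.6)
 rest-client (2.1.0)
 http-accept (>= 1.7.0, < 2.0)
 http-cookie (>= 1.0.2, < 2.0)
 mime-types (>= 1.16, < 4.0)
 netrc (~> 0.8)
-rexml (3.2.4)
-rspec (3.9.0)
-rspec-core (~> 3.9.0)
-rspec-expectations (~> 3.9.0)
-rspec-mocks (~> 3.9.0)
-rspec-core (3.9.3)
-rspec-support (~> 3.9.3)
-rspec-expectations (3.9.3)
+rexml (3.2.5)
+rspec (3.11.0)
+rspec-core (~> 3.11.0)
+rspec-expectations (~> 3.11.0)
+rspec-mocks (~> 3.11.0)
+rspec-core (3.11.0)
+rspec-support (~> 3.11.0)
+rspec-expectations (3.11.0)
 diff-lcs (>= 1.2.0, < 2.0)
-rspec-support (~> 3.9.0)
-rspec-mocks (3.9.1)
+rspec-support (~> 3.11.0)
+rspec-mocks (3.11.1)
 diff-lcs (>= 1.2.0, < 2.0)
-rspec-support (~> 3.9.0)
-rspec-support (3.9.4)
-rubocop (0.93.1)
+rspec-support (~> 3.11.0)
+rspec-support (3.11.0)
+rubocop (0.81.0)
+jaro_winkler (~> 1.5.1)
 parallel (~> 1.10)
-parser (>= 2.7.1.5)
+parser (>= 2.7.0.1)
 rainbow (>= 2.2.2, < 4.0)
-regexp_parser (>= 1.8)
 rexml
-rubocop-ast (>= 0.6.0)
 ruby-progressbar (~> 1.7)
 unicode-display_width (>= 1.4.0, < 2.0)
-rubocop-ast (1.1.0)
-parser (>= 2.7.1.5)
-ruby-progressbar (1.10.1)
+ruby-progressbar (1.11.0)
 sensu-plugin (4.0.0)
 json (< 3.0.0)
 mixlib-cli (~> 1.5)
 unf (0.1.4)
 unf_ext
-unf_ext (0.0.7.7)
-unicode-display_width (1.7.0)
+unf_ext (0.0.8.2)
+unicode-display_width (1.8.0)
 
 PLATFORMS
 ruby
 
 DEPENDENCIES
-bundler (~> 2.2)
+bundler (~> 2.1)
 quayio-scanner!
-rake (~> 10.0)
+rake (~> 13.0)
 rspec (~> 3.7)
-rubocop (~> 0.49)
+rubocop (~> 0.49, <= 0.81)
 
 BUNDLED WITH
-2.2.23
+2.1.4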
@@ -0,0 +1,56 @@
1
+ Ruby is copyrighted free software by Yukihiro Matsumoto <matz@netlab.jp>.
2
+ You can redistribute it and/or modify it under either the terms of the
3
+ 2-clause BSDL (see the file BSDL), or the conditions below:
4
+
5
+ 1. You may make and give away verbatim copies of the source form of the
6
+ software without restriction, provided that you duplicate all of the
7
+ original copyright notices and associated disclaimers.
8
+
9
+ 2. You may modify your copy of the software in any way, provided that
10
+ you do at least ONE of the following:
11
+
12
+ a) place your modifications in the Public Domain or otherwise
13
+ make them Freely Available, such as by posting said
14
+ modifications to Usenet or an equivalent medium, or by allowing
15
+ the author to include your modifications in the software.
16
+
17
+ b) use the modified software only within your corporation or
18
+ organization.
19
+
20
+ c) give non-standard binaries non-standard names, with
21
+ instructions on where to get the original software distribution.
22
+
23
+ d) make other distribution arrangements with the author.
24
+
25
+ 3. You may distribute the software in object code or binary form,
26
+ provided that you do at least ONE of the following:
27
+
28
+ a) distribute the binaries and library files of the software,
29
+ together with instructions (in the manual page or equivalent)
30
+ on where to get the original distribution.
31
+
32
+ b) accompany the distribution with the machine-readable source of
33
+ the software.
34
+
35
+ c) give non-standard binaries non-standard names, with
36
+ instructions on where to get the original software distribution.
37
+
38
+ d) make other distribution arrangements with the author.
39
+
40
+ 4. You may modify and include the part of the software into any other
41
+ software (possibly commercial). But some files in the distribution
42
+ are not written by the author, so that they are not under these terms.
43
+
44
+ For the list of those files and their copying conditions, see the
45
+ file LEGAL.
46
+
47
+ 5. The scripts and library files supplied as input to or produced as
48
+ output from the software do not automatically fall under the
49
+ copyright of the software, but belong to whomever generated them,
50
+ and may be sold commercially, and may be aggregated with this
51
+ software.
52
+
53
+ 6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
54
+ IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
55
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
56
+ PURPOSE.
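--- a/data/README.md
+++ b/data/README.md
@@ -1,6 +1,7 @@
 # Quayio::Scanner
 
-Scan quay.io for vulnerabilties in running docker containers. Implemented as sensu check.
+Quayio Scanner translates critical vulnerabilities in running docker containers
+into Sensu check results to transform vulnerability scans into actionable alerts.
 
 ## Installation
 
@@ -18,15 +19,34 @@ Or install it yourself as:
 
 $ gem install quayio-scanner
 
+## USAGE
+
+This plugin attempts to fetch vulnerabilities for all running containers
+
+### Parameters
+
+| Parameter | Description |
+|---------------|-------------------------|
+| -d URL | Docker URL |
+| -t TOKEN | Quay.io oauth token |
+| -w WHITELIST | Vulnerability whitelist |
+
+### Example
+
+$ check-container-vulnerabilities.rb --docker-url unix:///var/run/docker.sock --quayio-token AccessTokenGoesHere
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/aboutsource/quayio-scanner.
 
-
 ## License
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
 
+### json
+
+Copyright 2019 - present [Florian Frank](mailto:flori@ping.de) - The gem [json](https://github.com/flori/json/) is distributed under the [Ruby License](LICENSE/json/LICENSE.txt).
+
 ## Security
 
-* [Snyk](https://app.snyk.io/org/about-source/project/6eb2d381-87e7-49c4-a47f-ccad97f33ae3)
+- [Snyk](https://app.snyk.io/org/about-source/project/6eb2d381-87e7-49c4-a47f-ccad97f33ae3)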
@@ -4,7 +4,7 @@
4
4
  #
5
5
  # DESCRIPTION:
6
6
  #
7
- # This plugin attempts to fetch vulnerabilties for all running containers
7
+ # This plugin attempts to fetch vulnerabilities for all running containers
8
8
  #
9
9
  # OUTPUT:
10
10
  # plain text
@@ -18,7 +18,8 @@
18
18
  # gem: rest-client
19
19
  #
20
20
  # USAGE:
21
- # ./check-container-vulnerabilities.rb -d <docker-url> -t <quay-io-oauth-token>
21
+ # ./check-container-vulnerabilities.rb \
22
+ # -d <docker-url> -t <quay-io-oauth-token>
22
23
  #
23
24
 
24
25
  require 'sensu-plugin/check/cli'
@@ -9,7 +9,10 @@ module Quayio
9
9
  if vulnerable_images.empty?
10
10
  [:ok, "#{containers.size} Containers are ok"]
11
11
  else
12
- [:critical, "The images are insecure: #{vulnerable_images.join(', ')}"]
12
+ [
13
+ :critical,
14
+ "The images are insecure: #{vulnerable_images.join(', ')}"
15
+ ]
13
16
  end
14
17
  end
15
18
 
@@ -2,7 +2,8 @@ module Quayio
2
2
  module Scanner
3
3
  class Image
4
4
  RELEVANT_SEVERITIES = %w[High Critical].freeze
5
- QUAY_IO_REPO_NAME = %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w\.-]+)}.freeze
5
+ QUAY_IO_REPO_NAME =
6
+ %r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w.-]+)}.freeze
6
7
 
7
8
  attr_reader :name, :whitelist, :repository
8
9
 
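Review bot: The rewrapped `QUAY_IO_REPO_NAME` still leaves the `.` in `quay.io` unescaped and the pattern unanchored, so the dot matches any character and the regex also matches a name that merely contains a `quay?io/org/repo:tag` substring somewhere inside it; the `quayio?` safeguard in the next hunk, `%r{^quay.io\/}`, has the same unescaped dot and uses `^`, which in Ruby anchors to a line rather than to the start of the string. Because this match decides which registry an image is attributed to and which org/repo/tag go into the Quay API path, it should be as tight as the name format allows: `%r{\Aquay\.io/(?<org>[\w-]+)/(?<repo>[\w-]+):(?<tag>[\w.-]+)\z}` here and `%r{\Aquay\.io/}` in `quayio?` (the `\/` escapes are unnecessary inside `%r{}`). Whether callers ever pass names with a port, a nested path or a digest suffix is not visible from this hunk, so confirm that before adding the `\z`. `class Image` continues past the end of this hunk.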
@@ -24,7 +25,7 @@ module Quayio
24
25
 
25
26
  def quayio?
26
27
  # safe guard, do not trust QUAY_IO_REPO_NAME regex match
27
- !!name.match(%r{^quay.io\/})
28
+ !name.match(%r{^quay.io\/}).nil?
28
29
  end
29
30
 
30
31
  def scanned?
@@ -32,11 +33,12 @@ module Quayio
32
33
  end
33
34
 
34
35
  def vulnerabilities_present?
35
- !!raw_scan['data']['Layer']['Features'].detect do |f|
36
+ !raw_scan['data']['Layer']['Features'].detect do |f|
36
37
  f['Vulnerabilities']&.detect do |v|
37
- RELEVANT_SEVERITIES.include?(v['Severity']) && !whitelist.include?(v['Name'])
38
+ RELEVANT_SEVERITIES.include?(v['Severity']) && \
39
+ !whitelist.include?(v['Name'])
38
40
  end
39
- end
41
+ end.nil?
40
42
  end
41
43
 
42
44
  def raw_scan
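Review bot: The new `!…detect do … end.nil?` form is a double negation spread over seven lines, and the `&& \` at the end of the severity line is a redundant continuation, since Ruby already continues a line that ends in a binary operator. `Enumerable#any?` states the same predicate directly and is available on the 2.3 target: `detect` returns the first feature for which the block is truthy, so `!detect.nil?` with this block is exactly `any?` with the same block, and the inner `&.detect` becomes `&.any?` (a nil `Vulnerabilities` still yields nil, i.e. false, for the outer block). Note also that `raw_scan['data']['Layer']['Features']` is dereferenced without the `&.` used on `f['Vulnerabilities']`; if a scan response can arrive without `Features`, this raises a NoMethodError on nil — possibly the intended fail-loud behaviour for a security check, but an explicit error naming the image would be clearer than a nil-receiver backtrace. `class Image` begins and ends outside this hunk.
```ruby
def vulnerabilities_present?
  raw_scan['data']['Layer']['Features'].any? do |f|
    f['Vulnerabilities']&.any? do |v|
      RELEVANT_SEVERITIES.include?(v['Severity']) &&
        !whitelist.include?(v['Name'])
    end
  end
end
```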
@@ -6,19 +6,19 @@ module Quayio
6
6
  Repository = Struct.new(:quayio_token, :org, :repo, :tag) do
7
7
  MAX_ATTEMPTS = 5
8
8
 
9
- def id
10
- @id ||= fetch_id
11
- end
12
-
13
9
  def scan
14
- api_call("/image/#{id}/security?vulnerabilities=true")
10
+ api_call("/manifest/#{manifest_ref}/security?vulnerabilities=true")
15
11
  end
16
12
 
17
13
  private
18
14
 
19
- def fetch_id
20
- result = api_call("/tag/#{tag}/images")
21
- (result['images'].first)['id']
15
+ def manifest_ref
16
+ @manifest_ref ||= fetch_manifest_ref
17
+ end
18
+
19
+ def fetch_manifest_ref
20
+ result = api_call("/tag/?specificTag=#{tag}&onlyActiveTags=1")
21
+ result['tags'].first['manifest_digest']
22
22
  end
23
23
 
24
24
  def api_call(uri)
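Review bot: `fetch_manifest_ref` interpolates `tag` straight into the query string `"/tag/?specificTag=#{tag}&onlyActiveTags=1"`; `tag` is a Struct member that any caller can set, and a value containing `&`, `#` or `%` would alter the request instead of being looked up as a tag, so encode it: `result = api_call("/tag/?specificTag=#{URI.encode_www_form_component(tag)}&onlyActiveTags=1")` (`require 'uri'` if it is not already loaded). The `result['tags'].first['manifest_digest']` chain raises a NoMethodError on nil when the tag is not active or no longer exists — the same shape as the removed `fetch_id` — and a guard such as `entry = result['tags'].first` / `raise "no active tag '#{tag}' found for #{org}/#{repo}" unless entry` / `entry['manifest_digest']` turns that into a message that names the tag. A one-line comment on `manifest_ref` saying that it resolves the tag to the manifest digest currently carrying it would also help the next reader, since the old `id` method it replaces is gone. The Struct block continues past the end of this hunk, where `api_call` is defined.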
@@ -1,5 +1,5 @@
1
1
  module Quayio
2
2
  module Scanner
3
- VERSION = '0.2.3'.freeze
3
+ VERSION = '0.3.2'.freeze
4
4
  end
5
5
  end
@@ -8,7 +8,8 @@ Gem::Specification.new do |spec|
8
8
  spec.authors = ['Benjamin Meichsner']
9
9
  spec.email = ['benjamin.meichsner@aboutsource.net']
10
10
 
11
- spec.summary = 'Scan quay.io for vulnerabilties in running docker containers.'
11
+ spec.summary = 'Scan quay.io for vulnerabilities in '\
12
+ 'running docker containers.'
12
13
  spec.homepage = 'https://github.com/aboutsource/quayio-scanner'
13
14
  spec.license = 'MIT'
14
15
 
@@ -17,14 +18,14 @@ Gem::Specification.new do |spec|
17
18
  spec.files = `git ls-files -z`.split("\x0").reject do |f|
18
19
  f.match(%r{^(test|spec|features)/})
19
20
  end
20
- spec.executables = Dir.glob('bin/**/*.rb').map { |file| File.basename(file) }
21
+ spec.executables = Dir.glob('bin/**/*.rb').map { |f| File.basename(f) }
21
22
  spec.require_paths = ['lib']
22
23
 
23
24
  spec.add_dependency 'docker-api', '~> 1.33'
24
25
  spec.add_dependency 'rest-client', '~> 2.1'
25
26
  spec.add_dependency 'sensu-plugin', '~> 4.0'
26
- spec.add_development_dependency 'bundler', '~> 2.2'
27
- spec.add_development_dependency 'rake', '~> 10.0'
27
+ spec.add_development_dependency 'bundler', '~> 2.1'
28
+ spec.add_development_dependency 'rake', '~> 13.0'
28
29
  spec.add_development_dependency 'rspec', '~> 3.7'
29
- spec.add_development_dependency 'rubocop', '~> 0.49'
30
+ spec.add_development_dependency 'rubocop', '~> 0.49', '<= 0.81'
30
31
  end
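Review bot: The new `'<= 0.81'` cap on the `rubocop` development dependency carries no reason, and together with the step back to `bundler '~> 2.1'` it is exactly the kind of pin the next dependency tidy-up removes. A comment on that line would record the constraint, e.g. `# rubocop > 0.81 no longer supports the Ruby 2.3 target kept in .rubocop.yml`; that is presumably the motivation, given `TargetRubyVersion: 2.3` in the rubocop config of this same release, but confirm the actual version boundary before writing it down. The `Gem::Specification.new` block starts outside this hunk.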
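--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: quayio-scanner
 version: !ruby/object:Gem::Version
-version: 0.2.3
+version: 0.3.2
 platform: ruby
 authors:
 - Benjamin Meichsner
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-08-03 00:00:00.000000000 Z
+date: 2022-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: docker-api
@@ -58,28 +58,28 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.2'
+version: '2.1'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.2'
+version: '2.1'
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '10.0'
+version: '13.0'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '10.0'
+version: '13.0'
 - !ruby/object:Gem::Dependency
 name: rspec
 requirement: !ruby/object:Gem::Requirement
@@ -101,6 +101,9 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '0.49'
+- - "<="
+- !ruby/object:Gem::Version
+version: '0.81'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -108,6 +111,9 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '0.49'
+- - "<="
+- !ruby/object:Gem::Version
+version: '0.81'
 description:
 email:
 - benjamin.meichsner@aboutsource.net
@@ -122,6 +128,7 @@ files:
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
+- LICENSE/json/LICENSE.txt
 - README.md
 - Rakefile
 - bin/check-container-vulnerabilities.rb
@@ -153,5 +160,5 @@ requirements: []
 rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
-summary: Scan quay.io for vulnerabilties in running docker containers.
+summary: Scan quay.io for vulnerabilities in running docker containers.
 test_files: []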