quayio-scanner 0.3.1 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/bin/check-container-vulnerabilities.rb +9 -1
- data/lib/quayio/scanner/check.rb +2 -2
- data/lib/quayio/scanner/image.rb +7 -5
- data/lib/quayio/scanner/version.rb +1 -1
- metadata +7 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: de92233c0413236dfeb715ffc2bdf3b0355a7cd7a6cbf1bb8ba1507381b71ac5
|
|
4
|
+
data.tar.gz: 9903c847f82a53e14db535eaced022c774288e89b53ffaf765b3abfa4d40df11
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4c216489fe912aa1a7ec9e6fc504aa241c872b809502c47bdcb72565b8d3ab8dc33504072d5037ab43a06b9a5abf7564db28b7a3ffe7908f1230b2483cf8fefa
|
|
7
|
+
data.tar.gz: a9e5c35ed78d30da1ef5ea51881ae5ad42fec33af3a5d04cf44bf598fd74a8b45555d4cc367d4f710d97099298223ff69fe9d1670e104608f94fa83889271dd5
|
data/Gemfile.lock
CHANGED
|
@@ -44,10 +44,18 @@ class CheckContainerVulnerabilities < Sensu::Plugin::Check::CLI
|
|
|
44
44
|
default: '',
|
|
45
45
|
proc: proc { |w| w.split(',') }
|
|
46
46
|
|
|
47
|
+
option :ignore_namespace_names,
|
|
48
|
+
description: 'Namespace names to ignore',
|
|
49
|
+
short: '-n NAMESPACE_NAME[,NAMESPACE_NAME]',
|
|
50
|
+
long: '--ignore-namespace-names NAMESPACE_NAME[,NAMESPACE_NAME]',
|
|
51
|
+
default: '',
|
|
52
|
+
proc: proc { |w| w.split(',') }
|
|
53
|
+
|
|
47
54
|
def run
|
|
48
55
|
status, message = Quayio::Scanner::Check.new(config[:docker_url],
|
|
49
56
|
config[:quayio_token],
|
|
50
|
-
config[:whitelist]
|
|
57
|
+
config[:whitelist],
|
|
58
|
+
config[:ignore_namespace_names]).run
|
|
51
59
|
|
|
52
60
|
if status == :ok
|
|
53
61
|
ok message
|
data/lib/quayio/scanner/check.rb
CHANGED
|
@@ -2,7 +2,7 @@ require 'docker'
|
|
|
2
2
|
|
|
3
3
|
module Quayio
|
|
4
4
|
module Scanner
|
|
5
|
-
Check = Struct.new(:docker_url, :quayio_token, :whitelist) do
|
|
5
|
+
Check = Struct.new(:docker_url, :quayio_token, :whitelist, :ignore_namespace_names) do
|
|
6
6
|
def run
|
|
7
7
|
Docker.url = docker_url
|
|
8
8
|
|
|
@@ -27,7 +27,7 @@ module Quayio
|
|
|
27
27
|
|
|
28
28
|
def vulnerable_images
|
|
29
29
|
containers
|
|
30
|
-
.map { |container| Image.new(container, quayio_token, whitelist) }
|
|
30
|
+
.map { |container| Image.new(container, quayio_token, whitelist, ignore_namespace_names) }
|
|
31
31
|
.select(&:vulnerable?)
|
|
32
32
|
.map(&:name)
|
|
33
33
|
end
|
data/lib/quayio/scanner/image.rb
CHANGED
|
@@ -5,11 +5,12 @@ module Quayio
|
|
|
5
5
|
QUAY_IO_REPO_NAME =
|
|
6
6
|
%r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w.-]+)}.freeze
|
|
7
7
|
|
|
8
|
-
attr_reader :name, :whitelist, :repository
|
|
8
|
+
attr_reader :name, :whitelist, :repository, :ignore_namespace_names
|
|
9
9
|
|
|
10
|
-
def initialize(name, quayio_token, whitelist)
|
|
10
|
+
def initialize(name, quayio_token, whitelist, ignore_namespace_names)
|
|
11
11
|
@name = name
|
|
12
12
|
@whitelist = whitelist
|
|
13
|
+
@ignore_namespace_names = ignore_namespace_names
|
|
13
14
|
|
|
14
15
|
@name.match(QUAY_IO_REPO_NAME) do |r|
|
|
15
16
|
org, repo, tag = r.captures
|
|
@@ -25,7 +26,7 @@ module Quayio
|
|
|
25
26
|
|
|
26
27
|
def quayio?
|
|
27
28
|
# safe guard, do not trust QUAY_IO_REPO_NAME regex match
|
|
28
|
-
name.match
|
|
29
|
+
!name.match(%r{^quay.io\/}).nil?
|
|
29
30
|
end
|
|
30
31
|
|
|
31
32
|
def scanned?
|
|
@@ -35,8 +36,9 @@ module Quayio
|
|
|
35
36
|
def vulnerabilities_present?
|
|
36
37
|
!raw_scan['data']['Layer']['Features'].detect do |f|
|
|
37
38
|
f['Vulnerabilities']&.detect do |v|
|
|
38
|
-
RELEVANT_SEVERITIES.include?(v['Severity'])
|
|
39
|
-
|
|
39
|
+
RELEVANT_SEVERITIES.include?(v['Severity']) && \
|
|
40
|
+
!whitelist.include?(v['Name']) && \
|
|
41
|
+
!ignore_namespace_names.include?(v['NamespaceName'])
|
|
40
42
|
end
|
|
41
43
|
end.nil?
|
|
42
44
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: quayio-scanner
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Benjamin Meichsner
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-02-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: docker-api
|
|
@@ -114,7 +114,7 @@ dependencies:
|
|
|
114
114
|
- - "<="
|
|
115
115
|
- !ruby/object:Gem::Version
|
|
116
116
|
version: '0.81'
|
|
117
|
-
description:
|
|
117
|
+
description:
|
|
118
118
|
email:
|
|
119
119
|
- benjamin.meichsner@aboutsource.net
|
|
120
120
|
executables:
|
|
@@ -142,7 +142,7 @@ homepage: https://github.com/aboutsource/quayio-scanner
|
|
|
142
142
|
licenses:
|
|
143
143
|
- MIT
|
|
144
144
|
metadata: {}
|
|
145
|
-
post_install_message:
|
|
145
|
+
post_install_message:
|
|
146
146
|
rdoc_options: []
|
|
147
147
|
require_paths:
|
|
148
148
|
- lib
|
|
@@ -157,8 +157,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
157
157
|
- !ruby/object:Gem::Version
|
|
158
158
|
version: '0'
|
|
159
159
|
requirements: []
|
|
160
|
-
rubygems_version: 3.
|
|
161
|
-
signing_key:
|
|
160
|
+
rubygems_version: 3.3.25
|
|
161
|
+
signing_key:
|
|
162
162
|
specification_version: 4
|
|
163
163
|
summary: Scan quay.io for vulnerabilities in running docker containers.
|
|
164
164
|
test_files: []
|