quayio-scanner 0.3.2 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +1 -1
- data/Gemfile.lock +39 -36
- data/README.md +6 -5
- data/bin/check-container-vulnerabilities.rb +9 -1
- data/lib/quayio/scanner/check.rb +2 -2
- data/lib/quayio/scanner/image.rb +5 -3
- data/lib/quayio/scanner/repository.rb +14 -16
- data/lib/quayio/scanner/version.rb +1 -1
- data/quayio-scanner.gemspec +3 -3
- metadata +11 -17
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2ab390e409e94c94ca9097786c8ff05a4c94e24b40d0fd78d2621f8bd752c60c
|
4
|
+
data.tar.gz: c0c4030b04c344eec2bce1f28e40179c0fed6e7db9660c2d62e514f2ee0a2e56
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7e4515512e9e08ca58895302fac1cffd954683aba481f2dda77d93c88d7695ecef403373e8314a442c9d8146d98d85e7beb894f195bf59631968933f46bcc489
|
7
|
+
data.tar.gz: 67e97c27c4bf9db2a256c7258f983fb9bbfeed980aca6276f9d5b29b37cf4706a5f881327f84af572c47235313932b48b8b38abaa0a1d6519c9d69a3a02d3642
|
data/.rubocop.yml
CHANGED
data/Gemfile.lock
CHANGED
@@ -1,8 +1,8 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
quayio-scanner (0.
|
5
|
-
docker-api (~>
|
4
|
+
quayio-scanner (0.4.0)
|
5
|
+
docker-api (~> 2.4)
|
6
6
|
rest-client (~> 2.1)
|
7
7
|
sensu-plugin (~> 4.0)
|
8
8
|
|
@@ -10,63 +10,66 @@ GEM
|
|
10
10
|
remote: https://rubygems.org/
|
11
11
|
specs:
|
12
12
|
ast (2.4.2)
|
13
|
-
diff-lcs (1.5.
|
14
|
-
docker-api (
|
15
|
-
excon (>= 0.
|
13
|
+
diff-lcs (1.5.1)
|
14
|
+
docker-api (2.4.0)
|
15
|
+
excon (>= 0.64.0)
|
16
16
|
multi_json
|
17
|
-
domain_name (0.
|
18
|
-
|
19
|
-
excon (0.92.3)
|
17
|
+
domain_name (0.6.20240107)
|
18
|
+
excon (1.2.3)
|
20
19
|
http-accept (1.7.0)
|
21
|
-
http-cookie (1.0.
|
20
|
+
http-cookie (1.0.8)
|
22
21
|
domain_name (~> 0.5)
|
23
|
-
|
24
|
-
|
25
|
-
mime-types (3.
|
22
|
+
json (2.9.1)
|
23
|
+
logger (1.6.5)
|
24
|
+
mime-types (3.6.0)
|
25
|
+
logger
|
26
26
|
mime-types-data (~> 3.2015)
|
27
|
-
mime-types-data (3.
|
27
|
+
mime-types-data (3.2025.0204)
|
28
28
|
mixlib-cli (1.7.0)
|
29
29
|
multi_json (1.15.0)
|
30
30
|
netrc (0.11.0)
|
31
|
-
parallel (1.
|
32
|
-
parser (3.
|
31
|
+
parallel (1.26.3)
|
32
|
+
parser (3.3.7.1)
|
33
33
|
ast (~> 2.4.1)
|
34
|
+
racc
|
35
|
+
racc (1.8.1)
|
34
36
|
rainbow (3.1.1)
|
35
|
-
rake (13.
|
37
|
+
rake (13.2.1)
|
38
|
+
regexp_parser (2.10.0)
|
36
39
|
rest-client (2.1.0)
|
37
40
|
http-accept (>= 1.7.0, < 2.0)
|
38
41
|
http-cookie (>= 1.0.2, < 2.0)
|
39
42
|
mime-types (>= 1.16, < 4.0)
|
40
43
|
netrc (~> 0.8)
|
41
|
-
rexml (3.
|
42
|
-
rspec (3.
|
43
|
-
rspec-core (~> 3.
|
44
|
-
rspec-expectations (~> 3.
|
45
|
-
rspec-mocks (~> 3.
|
46
|
-
rspec-core (3.
|
47
|
-
rspec-support (~> 3.
|
48
|
-
rspec-expectations (3.
|
44
|
+
rexml (3.4.0)
|
45
|
+
rspec (3.13.0)
|
46
|
+
rspec-core (~> 3.13.0)
|
47
|
+
rspec-expectations (~> 3.13.0)
|
48
|
+
rspec-mocks (~> 3.13.0)
|
49
|
+
rspec-core (3.13.3)
|
50
|
+
rspec-support (~> 3.13.0)
|
51
|
+
rspec-expectations (3.13.3)
|
49
52
|
diff-lcs (>= 1.2.0, < 2.0)
|
50
|
-
rspec-support (~> 3.
|
51
|
-
rspec-mocks (3.
|
53
|
+
rspec-support (~> 3.13.0)
|
54
|
+
rspec-mocks (3.13.2)
|
52
55
|
diff-lcs (>= 1.2.0, < 2.0)
|
53
|
-
rspec-support (~> 3.
|
54
|
-
rspec-support (3.
|
55
|
-
rubocop (0.
|
56
|
-
jaro_winkler (~> 1.5.1)
|
56
|
+
rspec-support (~> 3.13.0)
|
57
|
+
rspec-support (3.13.2)
|
58
|
+
rubocop (0.93.1)
|
57
59
|
parallel (~> 1.10)
|
58
|
-
parser (>= 2.7.
|
60
|
+
parser (>= 2.7.1.5)
|
59
61
|
rainbow (>= 2.2.2, < 4.0)
|
62
|
+
regexp_parser (>= 1.8)
|
60
63
|
rexml
|
64
|
+
rubocop-ast (>= 0.6.0)
|
61
65
|
ruby-progressbar (~> 1.7)
|
62
66
|
unicode-display_width (>= 1.4.0, < 2.0)
|
63
|
-
|
67
|
+
rubocop-ast (1.38.0)
|
68
|
+
parser (>= 3.3.1.0)
|
69
|
+
ruby-progressbar (1.13.0)
|
64
70
|
sensu-plugin (4.0.0)
|
65
71
|
json (< 3.0.0)
|
66
72
|
mixlib-cli (~> 1.5)
|
67
|
-
unf (0.1.4)
|
68
|
-
unf_ext
|
69
|
-
unf_ext (0.0.8.2)
|
70
73
|
unicode-display_width (1.8.0)
|
71
74
|
|
72
75
|
PLATFORMS
|
@@ -77,7 +80,7 @@ DEPENDENCIES
|
|
77
80
|
quayio-scanner!
|
78
81
|
rake (~> 13.0)
|
79
82
|
rspec (~> 3.7)
|
80
|
-
rubocop (~> 0.
|
83
|
+
rubocop (~> 0.93)
|
81
84
|
|
82
85
|
BUNDLED WITH
|
83
86
|
2.1.4
|
data/README.md
CHANGED
@@ -25,11 +25,12 @@ This plugin attempts to fetch vulnerabilities for all running containers
|
|
25
25
|
|
26
26
|
### Parameters
|
27
27
|
|
28
|
-
| Parameter
|
29
|
-
|
30
|
-
| -d URL
|
31
|
-
| -t TOKEN
|
32
|
-
| -w WHITELIST
|
28
|
+
| Parameter | Description |
|
29
|
+
|--------------------------|-----------------------------------------|
|
30
|
+
| -d URL | Docker URL |
|
31
|
+
| -t TOKEN | Quay.io oauth token |
|
32
|
+
| -w WHITELIST[,WHITELIST] | Vulnerability whitelist |
|
33
|
+
| -n NAMESPACE[,NAMESPACE] | Namespaces (quay.io scanners) to ignore |
|
33
34
|
|
34
35
|
### Example
|
35
36
|
|
@@ -44,10 +44,18 @@ class CheckContainerVulnerabilities < Sensu::Plugin::Check::CLI
|
|
44
44
|
default: '',
|
45
45
|
proc: proc { |w| w.split(',') }
|
46
46
|
|
47
|
+
option :ignore_namespace_names,
|
48
|
+
description: 'Namespace names to ignore',
|
49
|
+
short: '-n NAMESPACE_NAME[,NAMESPACE_NAME]',
|
50
|
+
long: '--ignore-namespace-names NAMESPACE_NAME[,NAMESPACE_NAME]',
|
51
|
+
default: '',
|
52
|
+
proc: proc { |w| w.split(',') }
|
53
|
+
|
47
54
|
def run
|
48
55
|
status, message = Quayio::Scanner::Check.new(config[:docker_url],
|
49
56
|
config[:quayio_token],
|
50
|
-
config[:whitelist]
|
57
|
+
config[:whitelist],
|
58
|
+
config[:ignore_namespace_names]).run
|
51
59
|
|
52
60
|
if status == :ok
|
53
61
|
ok message
|
data/lib/quayio/scanner/check.rb
CHANGED
@@ -2,7 +2,7 @@ require 'docker'
|
|
2
2
|
|
3
3
|
module Quayio
|
4
4
|
module Scanner
|
5
|
-
Check = Struct.new(:docker_url, :quayio_token, :whitelist) do
|
5
|
+
Check = Struct.new(:docker_url, :quayio_token, :whitelist, :ignore_namespace_names) do
|
6
6
|
def run
|
7
7
|
Docker.url = docker_url
|
8
8
|
|
@@ -27,7 +27,7 @@ module Quayio
|
|
27
27
|
|
28
28
|
def vulnerable_images
|
29
29
|
containers
|
30
|
-
.map { |container| Image.new(container, quayio_token, whitelist) }
|
30
|
+
.map { |container| Image.new(container, quayio_token, whitelist, ignore_namespace_names) }
|
31
31
|
.select(&:vulnerable?)
|
32
32
|
.map(&:name)
|
33
33
|
end
|
data/lib/quayio/scanner/image.rb
CHANGED
@@ -5,11 +5,12 @@ module Quayio
|
|
5
5
|
QUAY_IO_REPO_NAME =
|
6
6
|
%r{quay.io\/(?<org>[\w-]+)\/(?<repo>[\w-]+):(?<tag>[\w.-]+)}.freeze
|
7
7
|
|
8
|
-
attr_reader :name, :whitelist, :repository
|
8
|
+
attr_reader :name, :whitelist, :repository, :ignore_namespace_names
|
9
9
|
|
10
|
-
def initialize(name, quayio_token, whitelist)
|
10
|
+
def initialize(name, quayio_token, whitelist, ignore_namespace_names)
|
11
11
|
@name = name
|
12
12
|
@whitelist = whitelist
|
13
|
+
@ignore_namespace_names = ignore_namespace_names
|
13
14
|
|
14
15
|
@name.match(QUAY_IO_REPO_NAME) do |r|
|
15
16
|
org, repo, tag = r.captures
|
@@ -36,7 +37,8 @@ module Quayio
|
|
36
37
|
!raw_scan['data']['Layer']['Features'].detect do |f|
|
37
38
|
f['Vulnerabilities']&.detect do |v|
|
38
39
|
RELEVANT_SEVERITIES.include?(v['Severity']) && \
|
39
|
-
!whitelist.include?(v['Name'])
|
40
|
+
!whitelist.include?(v['Name']) && \
|
41
|
+
!ignore_namespace_names.include?(v['NamespaceName'])
|
40
42
|
end
|
41
43
|
end.nil?
|
42
44
|
end
|
@@ -23,22 +23,20 @@ module Quayio
|
|
23
23
|
|
24
24
|
def api_call(uri)
|
25
25
|
(1..Float::INFINITY).each do |attempt|
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
sleep(rand(10))
|
41
|
-
end
|
26
|
+
response = RestClient.get(
|
27
|
+
"https://quay.io/api/v1/repository/#{org}/#{repo}#{uri}",
|
28
|
+
authorization: "Bearer #{quayio_token}",
|
29
|
+
accept: :json,
|
30
|
+
open_timeout: 15
|
31
|
+
)
|
32
|
+
return JSON.parse(response)
|
33
|
+
rescue RestClient::Exception => e
|
34
|
+
raise e if attempt >= MAX_ATTEMPTS
|
35
|
+
|
36
|
+
# retry later, if we hit cdn rate limiting or on connection errors
|
37
|
+
raise e unless e.http_code == 520 || e.http_code.nil?
|
38
|
+
|
39
|
+
sleep(rand(10))
|
42
40
|
end
|
43
41
|
end
|
44
42
|
end
|
data/quayio-scanner.gemspec
CHANGED
@@ -13,7 +13,7 @@ Gem::Specification.new do |spec|
|
|
13
13
|
spec.homepage = 'https://github.com/aboutsource/quayio-scanner'
|
14
14
|
spec.license = 'MIT'
|
15
15
|
|
16
|
-
spec.required_ruby_version = '>= 2.
|
16
|
+
spec.required_ruby_version = '>= 2.7.0'
|
17
17
|
|
18
18
|
spec.files = `git ls-files -z`.split("\x0").reject do |f|
|
19
19
|
f.match(%r{^(test|spec|features)/})
|
@@ -21,11 +21,11 @@ Gem::Specification.new do |spec|
|
|
21
21
|
spec.executables = Dir.glob('bin/**/*.rb').map { |f| File.basename(f) }
|
22
22
|
spec.require_paths = ['lib']
|
23
23
|
|
24
|
-
spec.add_dependency 'docker-api', '~>
|
24
|
+
spec.add_dependency 'docker-api', '~> 2.4'
|
25
25
|
spec.add_dependency 'rest-client', '~> 2.1'
|
26
26
|
spec.add_dependency 'sensu-plugin', '~> 4.0'
|
27
27
|
spec.add_development_dependency 'bundler', '~> 2.1'
|
28
28
|
spec.add_development_dependency 'rake', '~> 13.0'
|
29
29
|
spec.add_development_dependency 'rspec', '~> 3.7'
|
30
|
-
spec.add_development_dependency 'rubocop', '~> 0.
|
30
|
+
spec.add_development_dependency 'rubocop', '~> 0.93'
|
31
31
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: quayio-scanner
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.4.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Benjamin Meichsner
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2025-02-10 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: docker-api
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: '
|
19
|
+
version: '2.4'
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: '
|
26
|
+
version: '2.4'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rest-client
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -100,21 +100,15 @@ dependencies:
|
|
100
100
|
requirements:
|
101
101
|
- - "~>"
|
102
102
|
- !ruby/object:Gem::Version
|
103
|
-
version: '0.
|
104
|
-
- - "<="
|
105
|
-
- !ruby/object:Gem::Version
|
106
|
-
version: '0.81'
|
103
|
+
version: '0.93'
|
107
104
|
type: :development
|
108
105
|
prerelease: false
|
109
106
|
version_requirements: !ruby/object:Gem::Requirement
|
110
107
|
requirements:
|
111
108
|
- - "~>"
|
112
109
|
- !ruby/object:Gem::Version
|
113
|
-
version: '0.
|
114
|
-
|
115
|
-
- !ruby/object:Gem::Version
|
116
|
-
version: '0.81'
|
117
|
-
description:
|
110
|
+
version: '0.93'
|
111
|
+
description:
|
118
112
|
email:
|
119
113
|
- benjamin.meichsner@aboutsource.net
|
120
114
|
executables:
|
@@ -142,7 +136,7 @@ homepage: https://github.com/aboutsource/quayio-scanner
|
|
142
136
|
licenses:
|
143
137
|
- MIT
|
144
138
|
metadata: {}
|
145
|
-
post_install_message:
|
139
|
+
post_install_message:
|
146
140
|
rdoc_options: []
|
147
141
|
require_paths:
|
148
142
|
- lib
|
@@ -150,7 +144,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
150
144
|
requirements:
|
151
145
|
- - ">="
|
152
146
|
- !ruby/object:Gem::Version
|
153
|
-
version: 2.
|
147
|
+
version: 2.7.0
|
154
148
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
155
149
|
requirements:
|
156
150
|
- - ">="
|
@@ -158,7 +152,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
158
152
|
version: '0'
|
159
153
|
requirements: []
|
160
154
|
rubygems_version: 3.1.2
|
161
|
-
signing_key:
|
155
|
+
signing_key:
|
162
156
|
specification_version: 4
|
163
157
|
summary: Scan quay.io for vulnerabilities in running docker containers.
|
164
158
|
test_files: []
|