- add: Dockerfile for retirejs plugin

- add: IMAGE_NAME for the plugin. It determinate the plugin name in the DockerHub and inside the plugin .py files - updated: travis to automatic build plugin images - add: script to upload all the plugin images to DockerHub - fix: retirejs Plugin script
BBVA · Oct 4, 2017 · d72dd1e · d72dd1e
1 parent d9150b3
commit d72dd1e
Show file tree

Hide file tree

Showing 7 changed files with 116 additions and 58 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -10,3 +10,11 @@ install:
 
 script:
   - tox
+
+deploy:
+
+    # Deploy container to DockerHub
+  - provider: script
+    script: deploy/upload_plugins_images.sh
+    on:
+      branch: master
diff --git a/plugins/retirejs/Dockerfile b/plugins/retirejs/Dockerfile
@@ -6,4 +6,6 @@ RUN mkdir /opt/retire
 ADD run_retire.sh /opt/retire
 RUN chmod +x /opt/retire/run_retire.sh
 
+WORKDIR /tmp/scan
+
 CMD ["/opt/retire/run_retire.sh"]
diff --git a/plugins/retirejs/IMAGE_NAME b/plugins/retirejs/IMAGE_NAME
@@ -0,0 +1 @@
+deeptracy-retirejs
diff --git a/plugins/retirejs/retirejs-docker.py b/plugins/retirejs/retirejs-docker.py
@@ -1,69 +1,79 @@
 # -*- coding: utf-8 -*-
 
-import os
-import re
+import json
 
+from types import SimpleNamespace as Namespace
 from typing import List, Dict
 
-from deeptracy_core.decorator import deeptracy_plugin
-from deeptracy_core.docker_helpers import run_in_docker
 from deeptracy_core import PluginResult, PluginSeverityEnum
-
-REGEX_SEVERITY = r'''(severity[\s]*:[\s]*)([\w]+)(;)'''
-DOCKER_IMAGE = 'deeptracy/retirejs'
-OUTPUT_FILE = 'retirejs_task.txt'
+from deeptracy_core.decorator import deeptracy_plugin
+from deeptracy_core.docker_helpers import run_in_docker, get_plugin_image
 
 
 @deeptracy_plugin("nodejs")
 def retirejs(source_code_location: str) -> List[Dict]:
 
-    output_path = os.path.join(source_code_location, OUTPUT_FILE)
-    os.chdir(source_code_location)
-    os.system('docker run -v $(pwd):/opt/app -e OUTPUT_FILE={} {}'
-              .format(OUTPUT_FILE, DOCKER_IMAGE))
+    current_plugin_path = get_plugin_image()
 
-    f = open(output_path, "r").readlines()
-    # with run_in_docker('deeptracy/retirejs'):
-    #     f = open(output_path, "r").readlines()
+    with run_in_docker(current_plugin_path,
+                       source_code_location) as f:
+        # raw_results = f.splitlines()
+        json_raw_results = json.loads(f, object_hook=lambda d: Namespace(**d))
 
     results = []
-
-    for x in f:
-        if "has known vulnerabilities" in x:
-            # Find the start of string
-            for i, y in enumerate(x):
-                if y.isalnum():
-                    break
-
-            line = x[i:]
-
-            library, version, _ = line.split(" ", maxsplit=2)
-            try:
-                severity = re.search(REGEX_SEVERITY, line).group(2)
-            except AttributeError:
-                severity = "unknown"
-
-            if "summary:" in x:
-                start = x.find("summary") + len("summary:")
-            elif "advisory:":
-                start = x.find("advisory") + len("advisory:")
-            else:
-                start = 0
-            summary = x[start:].replace("\n", '').strip()
-            if not summary:
-                summary = "Unknown"
-
-            results.append(dict(library=library,
-                                version=version,
-                                severity=severity,
-                                summary=summary,
-                                advisory=''))
-
-            # results.append(PluginResult(
-            #     library,
-            #     version,
-            #     PluginSeverityEnum.NONE,
-            #     summary=summary
-            # ))
+    for result in json_raw_results:
+
+        # Load partial result
+        for v_info in result.results:
+
+            v_info_library = v_info.component
+            v_info_version = v_info.version
+            v_info_summary = ""
+            v_info_advisory = ""
+            v_info_severity = "xxxx"
+
+            for vuln in v_info.vulnerabilities:
+
+                # -------------------------------------------------------------
+                # Severity
+                # -------------------------------------------------------------
+                if vuln.severity == "high":
+                    v_info_severity = PluginSeverityEnum.HIGH
+                elif vuln.severity == "medium":
+                    v_info_severity = PluginSeverityEnum.MEDIUM
+                elif vuln.severity == "low":
+                    v_info_severity = PluginSeverityEnum.MEDIUM
+                else:
+                    raise ValueError("Invalid Plugin Severity: {}".format(
+                        vuln.severity
+                    ))
+
+                # -------------------------------------------------------------
+                # Identifier + Summary
+                # -------------------------------------------------------------
+                if hasattr(vuln.identifiers, "summary"):
+                    v_info_summary = vuln.identifiers.summary
+                    v_info_advisory = ""
+                elif hasattr(vuln.identifiers, "CVE"):
+                    v_info_summary = vuln.identifiers.advisory
+                    v_info_advisory = vuln.identifiers.CVE
+                else:
+                    v_info_summary = ""
+                    v_info_advisory = ""
+
+                v_info_summary = vuln.identifiers.summary
+
+            results.append(PluginResult(
+                library=v_info_library,
+                version=v_info_version,
+                severity=v_info_severity,
+                summary=v_info_summary,
+                advisory=v_info_advisory
+            ))
 
     return results
+
+
+if __name__ == '__main__':
+    import os.path as op
+    print(retirejs(op.abspath(op.join(op.dirname(__file__), "..", "..", "vulnerable-node"))))
diff --git a/plugins/retirejs/run_retire.sh b/plugins/retirejs/run_retire.sh
@@ -1,11 +1,24 @@
 #!/bin/bash
 
-SCAN_DIR=/tmp/scan
-APP_DIR=/opt/app
+# Directories that need to be mapped in run
+export SOURCE_CODE_DIR=/opt/app
+export RESULTS_PATH=/tmp/results
+
+# Temporal dir used to run the app to avoid the modification of original source
+# code
+export SCAN_DIR=/tmp/scan
 
 mkdir $SCAN_DIR
-cp $APP_DIR/* $SCAN_DIR
+cp -R $SOURCE_CODE_DIR/* $SCAN_DIR/
 
+#
+# Install project dependencies
+#
 cd $SCAN_DIR && npm install
 
-retire -c -p --outputformat text --outputpath $APP_DIR/${OUTPUT_FILE} --jspath $SCAN_DIR
+#
+# Launch app
+#
+retire -c -p --outputformat json --outputpath ${RESULTS_PATH}/${OUTPUT_FILE}
+
+exit 0
diff --git a/requirements.txt b/requirements.txt
@@ -3,5 +3,5 @@ redis==2.10.6
 psycopg2==2.7.3.1
 pluginbase==0.5
 redis==2.10.6
-deeptracy_core==0.0.8
+deeptracy-core==0.0.11
 requests==2.18.4
diff --git a/upload_plugins_images.sh b/upload_plugins_images.sh
@@ -0,0 +1,24 @@
+## Deploy to DockerHub
+for d in $(find $(pwd)/plugins -maxdepth 2)
+do
+  # Build docker image
+  if [[ $d == *"Dockerfile" ]]; then
+        PLUGIN_PATH=$(echo $d | sed 's/Dockerfile//g')
+
+        # Go to the plugin home
+        cd $PLUGIN_PATH
+
+        # Build docker
+        VERSION=$(cat VERSION)
+        IMAGE_NAME=$(cat IMAGE_NAME)
+
+        echo "[*] Building image for $IMAGE_NAME"
+
+        docker build -t bbvalabs/$IMAGE_NAME:$VERSION .
+        docker login -u $DOCKER_USER -p $DOCKER_PASS
+
+        echo "[*] Uploading image"
+        docker push bbvalabs/$IMAGE_NAME:$VERSION
+        docker push bbvalabs/$IMAGE_NAME:latest
+  fi
+done