Add atomic scanner for pip package manager
Showing
6 changed files
with
125 additions
and
0 deletions.
@@ -0,0 +1,9 @@ | ||
FROM registry.centos.org/centos/centos | ||
|
||
LABEL INSTALL='docker run -it --rm --privileged -v /etc/atomic.d:/host/etc/atomic.d/ $IMAGE sh /install.sh' | ||
|
||
RUN yum -y update && \ | ||
yum -y install python-docker-py && \ | ||
yum clean all | ||
|
||
ADD misc-package-updates scanner.py install.sh / |
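Review bot: `ADD misc-package-updates scanner.py install.sh /` on the last line copies plain local files, for which `COPY` is the conventional instruction because `ADD` additionally unpacks archives and fetches URLs; change it to `COPY misc-package-updates scanner.py install.sh /`. The INSTALL label runs the image with `--privileged` although install.sh only copies one file into the bind-mounted /host/etc/atomic.d; if the flag is there to get around SELinux labels on that mount, a `:z` volume option is the narrower fix, otherwise it can be dropped. `yum -y update` inside RUN also makes the build non-reproducible, though that may be the pipeline's convention for base images.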
Empty file.
@@ -0,0 +1 @@ | ||
job-id: misc-package-managers |
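--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,3 @@
+#/bin/bash
+echo "Copying misc-package-updates scanner configuration file to host filesystem..."
+cp -v /misc-package-updates /host/etc/atomic.d/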
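Review bot: The first line `#/bin/bash` is missing the `!`, so it is an ordinary comment rather than a shebang; the Dockerfile's INSTALL label runs the script as `sh /install.sh`, which hides the mistake, but invoking the file directly would fall back to whatever shell the caller uses. Change it to `#!/bin/bash` and add `set -e` on the next line so a failed `cp` aborts the install instead of leaving the host without the scanner configuration while the command still exits 0.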
@@ -0,0 +1,20 @@ | ||
type: scanner | ||
scanner_name: misc-package-updates | ||
image_name: registry.centos.org/pipeline-images/misc-package-updates | ||
default_scan: pip-updates | ||
custom_args: ["-v", "/var/run/docker.sock:/var/run/docker.sock", "-e", "IMAGE_NAME=$IMAGE_NAME"] | ||
scans: [ | ||
{ name: pip-updates, | ||
args: ['python', 'scanner.py', 'pip'], | ||
description: "Check for updates from pip package managers" | ||
}, | ||
{ name: gem-updates, | ||
args: ['python', 'scanner.py', 'gem'], | ||
description: "Check for updates from gem package managers" | ||
}, | ||
{ name: npm-updates, | ||
args: ['python', 'scanner.py', 'npm'], | ||
description: "Check for updates from npm package managers" | ||
} | ||
|
||
] |
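Review bot: The `custom_args:` line bind-mounts /var/run/docker.sock into the scanner container, which hands the scanner full control of the host Docker daemon, and nothing in the file says why that is needed. A comment above it such as `# docker.sock is required: scanner.py creates, execs into and removes a container built from the scanned image through the daemon` makes the privilege visible to whoever deploys this configuration. Separately, the one-line job file in this commit names the job `misc-package-managers` while `scanner_name` here is `misc-package-updates`; if those identifiers are meant to correlate, one of them looks misspelled. The blank line before the closing `]` of the scans sequence can also be dropped.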
@@ -0,0 +1,92 @@ | ||
#!/usr/bin/env python | ||
|
||
from datetime import datetime | ||
import docker | ||
import json | ||
import os | ||
import sys | ||
|
||
OUTDIR = "/scanout" | ||
IMAGE_NAME = os.environ.get("IMAGE_NAME") | ||
|
||
# Client connecting to Docker socket | ||
client = docker.Client(base_url="unix:///var/run/docker.sock") | ||
|
||
# Argument passed to script. Decides package manager to check for. | ||
cli_arg = sys.argv[1] | ||
|
||
# image UUID | ||
UUID = client.inspect_image(IMAGE_NAME)["Id"] | ||
|
||
|
||
def template_json_data(scan_type): | ||
current_time = datetime.now().strftime('%Y-%m-%d-%H-%M-%S-%f') | ||
json_out = { | ||
"Start Time": current_time, | ||
"Successful": "", | ||
"Scan Type": scan_type + "-updates", | ||
"UUID": UUID, | ||
"CVE Feed Last Updated": "NA", | ||
"Scanner": "Misc Package Updates", | ||
"Scan Results": {} | ||
} | ||
return json_out | ||
|
||
json_out = template_json_data(cli_arg) | ||
|
||
try: | ||
# Create the container before starting/running it | ||
container = client.create_container(image=IMAGE_NAME, | ||
command="tail -f /dev/null") | ||
|
||
# Running the container | ||
client.start(container.get('Id')) | ||
|
||
# Check for pip updates | ||
if cli_arg == "pip": | ||
# variable to store info about exec_start | ||
exe = client.exec_create( | ||
container=container.get("Id"), | ||
cmd="pip list --outdated" | ||
) | ||
|
||
response = client.exec_start(exe) | ||
|
||
# Check for rubygem updates | ||
elif cli_arg == "gem": | ||
exe = client.exec_create( | ||
container=container.get("Id"), | ||
cmd="gem outdated" | ||
) | ||
|
||
response = client.exec_start(exe) | ||
|
||
# Check for npm updates | ||
elif cli_arg == "npm": | ||
exe = client.exec_create( | ||
container=container.get("Id"), | ||
cmd="npm outdated" | ||
) | ||
|
||
response = client.exec_start(exe) | ||
|
||
if 'executable file not found in' in response: | ||
json_out["Scan Results"] = \ | ||
"Could not find {} executable in the image!".format(cli_arg) | ||
else: | ||
json_out["Scan Results"] = response | ||
|
||
# remove the container | ||
client.remove_container(container=container.get("Id"), force=True) | ||
except Exception as e: | ||
pass | ||
|
||
output_dir = os.path.join(OUTDIR, UUID) | ||
os.makedirs(output_dir) | ||
|
||
output_file_relative = "image_scan_results.json" | ||
|
||
output_file_absoulte = os.path.join(output_dir, output_file_relative) | ||
|
||
with open(output_file_absoulte, "w") as f: | ||
f.write(json.dumps(json_out, indent=4)) |
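Review bot: The `except Exception as e: pass` closing the try block swallows every failure, so a scan that cannot create, start or exec into the container still writes a report whose `Successful` field is the empty string from template_json_data and whose `Scan Results` is `{}`; an unsupported cli_arg likewise leaves `response` unbound and the resulting NameError is silenced the same way. When the failure happens after `client.start`, the `tail -f /dev/null` helper container is never removed and keeps running on the host. The rewrite below selects the command from a dict, records the outcome in `Successful` and the error text in `Scan Results`, and moves `remove_container` into a `finally` so teardown always runs; whether consumers expect a boolean or a string in `Successful` is not visible here, so confirm that before merging. `os.makedirs(output_dir)` near the end also raises if a previous run already created the directory, so a second scan of the same image fails at the last step.

```python
# … unchanged: imports, OUTDIR/IMAGE_NAME/client/cli_arg/UUID setup, template_json_data, json_out …
# One fixed command per supported package manager; cli_arg only selects the key.
COMMANDS = {
    "pip": "pip list --outdated",
    "gem": "gem outdated",
    "npm": "npm outdated",
}

container = None
try:
    if cli_arg not in COMMANDS:
        raise ValueError("unsupported package manager: {}".format(cli_arg))

    # Create the container before starting/running it
    container = client.create_container(image=IMAGE_NAME,
                                        command="tail -f /dev/null")
    client.start(container.get('Id'))

    exe = client.exec_create(container=container.get("Id"),
                             cmd=COMMANDS[cli_arg])
    response = client.exec_start(exe)

    if 'executable file not found in' in response:
        json_out["Scan Results"] = \
            "Could not find {} executable in the image!".format(cli_arg)
    else:
        json_out["Scan Results"] = response
    json_out["Successful"] = True
except Exception as e:
    # Record the failure in the report instead of emitting an empty one.
    json_out["Successful"] = False
    json_out["Scan Results"] = "Scan failed: {}".format(e)
finally:
    # Always tear down the helper container, even when the scan failed.
    if container is not None:
        client.remove_container(container=container.get("Id"), force=True)
# … unchanged: writing json_out to OUTDIR/UUID/image_scan_results.json …
```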