Add atomic scanner for pip, npm and gem package managers #130
Conversation
dharmit
force-pushed
the
misc-package-updates
branch
4 times, most recently
from
64eb0c3
to
3f9127e
Compare
|
#dotests |
dharmit
force-pushed
the
misc-package-updates
branch
20 times, most recently
from
181bd19
to
6147a21
Compare
dharmit
changed the title
|
In this PR, I've added a new @navidshaikh We can modify @bamachrn @mohammedzee1000 @navidshaikh need PR review. |
dharmit
force-pushed
the
misc-package-updates
branch
from
6147a21
to
8356008
Compare
| @@ -0,0 +1,20 @@ | |||
| type: scanner | |||
| scanner_name: misc-package-updates | |||
| image_name: registry.centos.org/pipeline-images/misc-package-updates | |||
There was a problem hiding this comment.
we are meaning it would be built with :latest tag right?
There was a problem hiding this comment.
@bamachrn yes, it'll be built with latest tag.
| @@ -0,0 +1,95 @@ | |||
| #!/usr/bin/env python | |||
There was a problem hiding this comment.
this file is the central scanner right?
There was a problem hiding this comment.
@bamachrn yep, it's the base class that would be inherited by other scanners.
| -------------------------------- | ||
|
|
||
| This is a container image scanner based on `atomic scan`. The goal of the | ||
| scanner is to scan CentOS based Docker images in the CentOS Community Container |
There was a problem hiding this comment.
*CentOS based container images
|
|
||
| Steps to use: | ||
|
|
||
| - Pull Docker image from **registry.centos.org**: |
There was a problem hiding this comment.
*Pull container image from registry.centos.org
| return response | ||
|
|
||
|
|
||
| def list_of_outdated_packages(response): |
There was a problem hiding this comment.
Updated. Not sure why GitHub doesn't say "Show outdated".
|
|
||
| # remove the container | ||
| client.remove_container(container=container.get("Id"), force=True) | ||
| except Exception as e: |
There was a problem hiding this comment.
log the exception /error message and we should put another error message about failure.
There was a problem hiding this comment.
Updated. Not sure why GitHub doesn't say "Show outdated".
| - name: Set SELinux to permissive | ||
| selinux: | ||
| state: permissive | ||
|
|
There was a problem hiding this comment.
@navidshaikh because we're mounting Docker socket /var/run/docker.sock inside the container that's going to scan the image. Using which a new container is spunn off to check for respective package manager updates.
dharmit
force-pushed
the
misc-package-updates
branch
from
8356008
to
03099bc
Compare
| elif cli_arg == "npm": | ||
| exe = client.exec_create( | ||
| container=container.get("Id"), | ||
| cmd="npm outdated" |
There was a problem hiding this comment.
I am not sure if this command can do the trick. There can be modules installed globally (npm list -g) and also in npm_modules directories located basically anywhere on the filesystem.
There was a problem hiding this comment.
@msrb agreed. This one takes care of globally installed npm modules. However, I doubt we can go through all the directories on the filesystem.
Also, what you mention about npm holds true for pip as well. If a dev prefers to use virtualenv inside the container, we are going to face similar issue.
It boils down to whether a dev wants to use npm/pip inside container in such a way that they can have multiple environments or a global environment. Our scanner should handle the latter scenario. Not sure if we can handle the former effectively.
There was a problem hiding this comment.
Although ideally, putting stuff into containers should eliminate the need of again using a virtualenv as the container itself is a box in its own right.
The same should apply to npm.
There was a problem hiding this comment.
@dharmit I am no NPM expert, so don't quote me on this :) I think if you want to check globally installed modules, you need to add -g, i.e.: npm outdated -g. Otherwise you're checking modules installed in ./npm_modules/ directory.
There was a problem hiding this comment.
@mohammedzee1000 whatever path you guys will take, just make sure that known limitations are documented. And you'll be fine 😉
There was a problem hiding this comment.
@msrb I hate to admit it but I hadn't looked at the npm_modules dir that gets created whenever you do a npm install <package>@<version>. The -g tip is more than helpful. It's savior because that's what I actually wanted to accomplish. Having worked with pip, I didn't realize npm would create a dir at whatever location you execute npm install if it doesn't have a -g switch.
Thank you!
dharmit
force-pushed
the
misc-package-updates
branch
9 times, most recently
from
e6fdb36
to
b9979de
Compare
dharmit
force-pushed
the
misc-package-updates
branch
from
b9979de
to
44c8c99
Compare
|
#dotests |
|
#dotests |
|
#dotests |
No description provided.