CDPD-33228 Support scanning parcel files for vulnerabilities. (#39)

cloudera · Jan 6, 2022 · 9d550f0 · 9d550f0
1 parent a7d874c
commit 9d550f0
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 5 deletions.
diff --git a/cm_cdp_cdh_log4j_jndi_removal.sh b/cm_cdp_cdh_log4j_jndi_removal.sh
@@ -23,6 +23,7 @@ function scan_for_jndi {
     if grep -q $pattern $jarfile; then
       if is_log4j_vulnerable $jarfile; then
         echo "Vulnerable version $log4j_version of Log4j-core found in '$jarfile'"
+        exitcode=1
       else
         echo "Fixed version $log4j_version of Log4j-core found in '$jarfile'"
       fi
@@ -38,6 +39,7 @@ function scan_for_jndi {
             for log4j_jarfile in $(grep -r -l $pattern $tmpdir/unzip_target); do
               if is_log4j_vulnerable $log4j_jarfile; then
                 echo "Vulnerable version $log4j_version of Log4j-core found in inner '$inner' of '$jarfile'"
+                exitcode=1
               else
                 echo "Fixed version $log4j_version of Log4j-core found in inner '$inner' of '$jarfile'"
               fi
@@ -59,6 +61,7 @@ function scan_for_jndi {
     for jarfile in $(grep -r -l $pattern $tmpdir/unzip_target); do
       if is_log4j_vulnerable $jarfile; then
         echo "Vulnerable version $log4j_version of Log4j-core found in '$warfile'"
+        exitcode=1
       else
         echo "Fixed version $log4j_version of Log4j-core found in '$warfile'"
       fi
@@ -77,6 +80,7 @@ function scan_for_jndi {
       for jarfile in $(grep -r -l $pattern $tmpdir/untar_target); do
         if is_log4j_vulnerable $jarfile; then
           echo "Vulnerable version $log4j_version of Log4j-core found in '$tarfile'"
+          exitcode=1
         else
           echo "Fixed version $log4j_version of Log4j-core found in '$tarfile'"
         fi
@@ -95,10 +99,10 @@ function is_log4j_vulnerable {
     local log4j_pom_prop=$(unzip -l $log4j_jar | grep "log4j-core.*pom.properties" | awk '{print $4}'| head -1)
     log4j_version=UNKNOWN
     if [ -z $log4j_pom_prop ]; then
-      echo "Cannot find the pom.properties file in '$log4j_jar'. Failed to determine the version of log4j-core."
+      echo "pom.properties file is not found in '$log4j_jar'. Failed to determine the version of log4j-core."
       # As a fallback plan, try to find ClassArbiter.class
       if grep -q $good_pattern $log4j_jar; then
-        echo "A good pattern is found in '$log4j_jar'. It is probably a fixed version."
+        echo "Fallback to good pattern based search and a valid pattern is found in '$log4j_jar'. Hence log4j version is 2.16 or above."
         return 1
       else
         return 0
@@ -400,6 +404,7 @@ EOF
 targetdir=${1:-/opt/cloudera}
 backupdir=${2:-/opt/cloudera/log4shell-backup}
 platform=${3:-common}
+parcelfile=${4:-""}
 tmpdir=${TMPDIR:-/tmp} 
 mkdir -p $tmpdir
 echo "Using tmp directory '$tmpdir'"
@@ -476,7 +481,28 @@ else
   echo "Skipped patching .tar.gz in HDFS"
 fi
 
+exitcode=0
 if [ -n "$RUN_SCAN" ]; then
   echo "Running scan for missed JndiLookup classes. This may take a while."
-  scan_for_jndi $targetdir
+  if [ -n "$parcelfile" ]; then
+    # Override target-dir with parcel-file path.
+    echo "Override targetdir='$targetdir' as -f option set parcelfile to '$parcelfile'"
+    parceldir=$(mktemp -d)
+
+    now=$(date +"%T")
+    echo "Start to unpack the parcelfile at $now"
+    tar zxf $parcelfile -C "$parceldir"
+    now=$(date +"%T")
+    echo "Completed unpacking the parcelfile and start scanning at $now"
+
+    scan_for_jndi $parceldir
+    now=$(date +"%T")
+    echo "Completed scan at $now"
+    rm -rf $parceldir
+    if [ -n "$EXIT_ON_FAIL" ]; then
+      exit $exitcode
+    fi
+  else
+    scan_for_jndi $targetdir
+  fi
 fi
diff --git a/run_log4j_patcher.sh b/run_log4j_patcher.sh
@@ -39,12 +39,14 @@ subcommand_usage() {
         -t <targetdir>          Override target directory (default: distro-specific)
         -b <backupdir>          Override backup directory (default: /opt/cloudera/log4shell-backup)
         -p <dell|ibm|common>    Override platform type (default: common)
+        -f <parcelfile>         Override <targetdir> with parcel path to scan for vulnerable libs. (Only CDH/CDP)
 
     Environment Variables:
         SKIP_JAR          If non-empty, skips scanning and patching .jar files
         SKIP_TGZ          If non-empty, skips scanning and patching .tar.gz files (cdh and cdp only)
         SKIP_HDFS         If non-empty, skips scanning and patching .tar.gz files in HDFS
         RUN_SCAN          If non-empty, runs a final scan for missed vulnerable files. This can take several hours.
+        EXIT_ON_FAIL      If non-empty, and if RUN_SCAN fails, script will exit with errcode 1.
 " 1>&2
 }
 
@@ -53,10 +55,11 @@ subcommand_cdh() {
     TARGETDIR=/opt/cloudera
     BACKUPDIR=/opt/cloudera/log4shell-backup
     PLATFORM="common"
+    PARCEL=""
 
     unset OPTIND OPTARG options
 
-    while getopts "t:b:p:" options
+    while getopts "t:b:p:f:" options
     do
         case ${options} in
             (t)
@@ -68,6 +71,9 @@ subcommand_cdh() {
             (p)
                 PLATFORM=${OPTARG}
                 ;;
+            (f)
+                PARCEL=${OPTARG}
+                ;;
             (?)
                 log_error "Invalid option ${OPTARG} passed .. "
                 exit 1
@@ -83,14 +89,15 @@ subcommand_cdh() {
     log_info "Running CDH/CDP patcher script: $CDH_CDP_SCRIPT $TARGETDIR $BACKUPDIR $PLATFORM"
     logfile=$(mktemp output_run_log4j_patcher.XXXXXX)
     log_info "Log file: $logfile"
-    $CDH_CDP_SCRIPT "$TARGETDIR" "$BACKUPDIR" $PLATFORM | tee "$logfile" 2>&1
+    $CDH_CDP_SCRIPT "$TARGETDIR" "$BACKUPDIR" $PLATFORM $PARCEL | tee "$logfile" 2>&1
 
     log_info "Finished"
 }
 
 subcommand_hdp() {
     TARGETDIR="/usr/hdp/current /usr/hdf/current /usr/lib /var/lib"
     BACKUPDIR=/opt/cloudera/log4shell-backup
+    PLATFORM="common"
 
     unset OPTIND OPTARG options