
Stop scan to cached image file (#35)

* don't save image cache and delete --clear-cache

* add ignore setuid in usr/lib files
tomoyamachi committed Jun 19, 2019
1 parent af62592 commit 486a078a22975e7dfd2afbd6fbf7596f92bcb1c9
Showing with 16 additions and 14 deletions.
  1. +0 −4 cmd/dockle/main.go
  2. +12 −2 pkg/assessor/privilege/suid.go
  3. +4 −8 pkg/run.go
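--- a/cmd/dockle/main.go
+++ b/cmd/dockle/main.go
@@ -60,10 +60,6 @@ OPTIONS:
 Usage: "Exit code when alert were found",
 Value: 0,
 },
-cli.BoolFlag{
-Name: "clear-cache, c",
-Usage: "clear image caches",
-},
 cli.BoolFlag{
 Name: "debug, d",
 Usage: "debug mode",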
@@ -11,11 +11,13 @@ import (

type PrivilegeAssessor struct{}

var ignorePaths = []string{"bin/", "usr/lib/"}

func (a PrivilegeAssessor) Assess(fileMap extractor.FileMap) ([]*types.Assessment, error) {
var assesses []*types.Assessment

for filename, filedata := range fileMap {
if strings.Contains(filename, "bin/") {
if containIgnorePath(filename) {
continue
}
if filedata.FileMode&os.ModeSetuid != 0 {
@@ -41,12 +43,20 @@ func (a PrivilegeAssessor) Assess(fileMap extractor.FileMap) ([]*types.Assessmen
return assesses, nil
}

func containIgnorePath(filename string) bool {
for _, ignoreDir := range ignorePaths {
if strings.Contains(filename, ignoreDir) {
return true
}
}
return false
}

func (a PrivilegeAssessor) RequiredFiles() []string {
return []string{}
}

//const GidMode os.FileMode = 4000

func (a PrivilegeAssessor) RequiredPermissions() []os.FileMode {
return []os.FileMode{os.ModeSocket, os.ModeSetuid}
}
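Review bot: containIgnorePath, added in the second hunk, tests each entry of ignorePaths with strings.Contains, so any file whose path merely contains "bin/" or "usr/lib/" anywhere — for example a setuid binary under an application's own .../bin/ directory — is silently excluded from the setuid check, which widens the allowlist well beyond the system directories the names suggest. If the fileMap keys are rooted paths (their format is not visible here), listing the intended directories explicitly and anchoring the match would keep the exclusion tight: `if strings.HasPrefix(filename, ignoreDir) {`. The variable should also say what it is for, e.g. `// ignorePaths lists directories in which setuid files are expected and therefore not reported.` The body of Assess continues outside the first hunk.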
@@ -42,12 +42,9 @@ func Run(c *cli.Context) (err error) {
log.Logger.Warnf("A new version %s is now available! You have %s.", latestVersion, cliVersion)
}

clearCache := c.Bool("clear-cache")
if clearCache {
log.Logger.Info("Removing image caches...")
if err = cache.Clear(); err != nil {
return xerrors.New("failed to remove image layer cache")
}
// delete image cache each time
if err = cache.Clear(); err != nil {
return xerrors.New("failed to remove image layer cache")
}
args := c.Args()
filePath := c.String("input")
@@ -69,9 +66,8 @@ func Run(c *cli.Context) (err error) {
if err != nil {
return xerrors.Errorf("invalid image: %w", err)
}
if image.Tag == "latest" && !clearCache {
if image.Tag == "latest" {
useLatestTag = true
log.Logger.Warn("You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed")
}
}
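Review bot: The warning in the second hunk still tells the user to "specify '--clear-cache' option when :latest image is changed", but this commit removes that flag and clears the cache on every run, so the advice now points at an option that no longer exists. A message that states the actual risk would be more useful, e.g. `log.Logger.Warn("You should avoid using the :latest tag; pin a specific tag or digest so the scanned image is unambiguous")`. In the first hunk, the unconditional cache clear returns `xerrors.New("failed to remove image layer cache")` and drops the underlying err, unlike the `%w` wrapping used a few lines below; `return xerrors.Errorf("failed to remove image layer cache: %w", err)` would keep it. Run's body continues outside both hunks.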
