
Stop scan to cached image file (#35)

* don't save the image cache and remove the --clear-cache flag

* add ignore setuid in usr/lib files
tomoyamachi committed Jun 19, 2019
1 parent af62592 commit 486a078a22975e7dfd2afbd6fbf7596f92bcb1c9
Showing with 16 additions and 14 deletions.
  1. +0 −4 cmd/dockle/main.go
  2. +12 −2 pkg/assessor/privilege/suid.go
  3. +4 −8 pkg/run.go
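--- a/cmd/dockle/main.go
+++ b/cmd/dockle/main.go
@@ -60,10 +60,6 @@ OPTIONS:
 Usage: "Exit code when alert were found",
 Value: 0,
 },
-cli.BoolFlag{
-Name: "clear-cache, c",
-Usage: "clear image caches",
-},
 cli.BoolFlag{
 Name: "debug, d",
 Usage: "debug mode",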
@@ -11,11 +11,13 @@ import (


type PrivilegeAssessor struct{} type PrivilegeAssessor struct{}


var ignorePaths = []string{"bin/", "usr/lib/"}

func (a PrivilegeAssessor) Assess(fileMap extractor.FileMap) ([]*types.Assessment, error) { func (a PrivilegeAssessor) Assess(fileMap extractor.FileMap) ([]*types.Assessment, error) {
var assesses []*types.Assessment var assesses []*types.Assessment


for filename, filedata := range fileMap { for filename, filedata := range fileMap {
if strings.Contains(filename, "bin/") { if containIgnorePath(filename) {
continue continue
} }
if filedata.FileMode&os.ModeSetuid != 0 { if filedata.FileMode&os.ModeSetuid != 0 {
@@ -41,12 +43,20 @@ func (a PrivilegeAssessor) Assess(fileMap extractor.FileMap) ([]*types.Assessmen
return assesses, nil return assesses, nil
} }


func containIgnorePath(filename string) bool {
for _, ignoreDir := range ignorePaths {
if strings.Contains(filename, ignoreDir) {
return true
}
}
return false
}

func (a PrivilegeAssessor) RequiredFiles() []string { func (a PrivilegeAssessor) RequiredFiles() []string {
return []string{} return []string{}
} }


//const GidMode os.FileMode = 4000 //const GidMode os.FileMode = 4000

func (a PrivilegeAssessor) RequiredPermissions() []os.FileMode { func (a PrivilegeAssessor) RequiredPermissions() []os.FileMode {
return []os.FileMode{os.ModeSocket, os.ModeSetuid} return []os.FileMode{os.ModeSocket, os.ModeSetuid}
} }
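Review bot: containIgnorePath matches each entry of ignorePaths with strings.Contains, so a setuid file is skipped when "bin/" or "usr/lib/" appears anywhere in its path, not only at the expected location; the new "usr/lib/" entry widens that blind spot for a scanner whose job is to report unexpected setuid bits. If fileMap keys are relative paths, as the existing "bin/" entry suggests, an anchored check is tighter: `if strings.HasPrefix(filename, ignoreDir) {` (verify the key format against the extractor before switching, since a leading "/" would break HasPrefix). The new var and helper also carry no doc comment; I would add `// ignorePaths lists path prefixes under which setuid binaries are expected and therefore not reported.` above ignorePaths and a one-line comment on containIgnorePath stating that it is a substring match. Assess begins in the first hunk and its body continues between the two hunks.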
@@ -42,12 +42,9 @@ func Run(c *cli.Context) (err error) {
log.Logger.Warnf("A new version %s is now available! You have %s.", latestVersion, cliVersion) log.Logger.Warnf("A new version %s is now available! You have %s.", latestVersion, cliVersion)
} }


clearCache := c.Bool("clear-cache") // delete image cache each time
if clearCache { if err = cache.Clear(); err != nil {
log.Logger.Info("Removing image caches...") return xerrors.New("failed to remove image layer cache")
if err = cache.Clear(); err != nil {
return xerrors.New("failed to remove image layer cache")
}
} }
args := c.Args() args := c.Args()
filePath := c.String("input") filePath := c.String("input")
@@ -69,9 +66,8 @@ func Run(c *cli.Context) (err error) {
if err != nil { if err != nil {
return xerrors.Errorf("invalid image: %w", err) return xerrors.Errorf("invalid image: %w", err)
} }
if image.Tag == "latest" && !clearCache { if image.Tag == "latest" {
useLatestTag = true useLatestTag = true
log.Logger.Warn("You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed")
} }
} }

