This repository has been archived by the owner on Oct 10, 2020. It is now read-only.

atomic - Add CVE scan atomic #152

Merged
merged 1 commit into from
Sep 14, 2015

baude
Member

@baude baude commented Sep 9, 2015

Add the ability to scan a container or image leveraging
a containerized version of the openscap-daemon and atomic.

i.e. atomic scan image_id

@rhatdan
Member

rhatdan commented Sep 9, 2015

Needs man page

@rhatdan
Member

rhatdan commented Sep 10, 2015

Does not work on python3

@baude
Member Author

baude commented Sep 10, 2015

@rhatdan There is now a man page and I have cleaned up the python print statements. I also double checked and it ran properly under python3

@rhatdan
Member

rhatdan commented Sep 11, 2015

man page should probably mention where to get the scap content from.

How about this change?

diff --git a/Atomic/atomic.py b/Atomic/atomic.py
index 6726c0b..b15c27f 100644
--- a/Atomic/atomic.py
+++ b/Atomic/atomic.py
@@ -453,10 +453,9 @@ class Atomic(object):
             oscap_d = bus.get_object(BUS_NAME, OBJECT_PATH)
             scan_return = json.loads(oscap_d.scan_list(scan_list, 4))
         except dbus.exceptions.DBusException:
-            error = "Unable to find the openscap-daemon dbus service."\
-                    "Either start the openscap-daemon service or pull and run"\
-                    " the openscap-daemon image"
-            sys.stderr.write("\n{0}\n\n".format(error))
+            error = "Unable to find the openscap-daemon dbus service.\n"\
+                    "You need to install and run the openscap-daemon image/application."
+            sys.stderr.write("{0}\n".format(error))
             sys.exit(1)

         if self.args.json:
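
Review bot: the `except dbus.exceptions.DBusException:` branch reports every D-Bus failure as a missing service, but the `try` also covers the `oscap_d.scan_list(scan_list, 4)` call, so a daemon that is running and errors out during the scan would produce the same "Unable to find the openscap-daemon dbus service" text. Consider binding the exception (`except dbus.exceptions.DBusException as e:`) and writing its message to stderr alongside the hint, or narrowing the `try` to the `bus.get_object(BUS_NAME, OBJECT_PATH)` lookup. The `json.loads(...)` on the same line can also raise `ValueError` on a malformed reply, which this handler does not catch, so the user would get a traceback instead of an error message.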

@baude
Member Author

baude commented Sep 11, 2015

@rhatdan that looks good to me.

@rhatdan
Member

rhatdan commented Sep 11, 2015

Could you use writeout rather than print statements?

  •    print("")
    
  •    print(image[:12])
    

Should just be

writeout("\n" + image[:12])

@baude
Member Author

baude commented Sep 11, 2015

Basic atomic scan output

[bbaude@localhost atomic]$ sudo ./atomic scan bef54 10acc ded7 275be1

Scanning...

Container/Image   Cri   Imp   Med   Low  
---------------   ---   ---   ---   ---  
275be1d3d070      0     0     3     0    
ded7cd95 is not based on RHEL                          
bef54b8f8a2f      1     5     15    1    
10acc31def5d      0     1     8     0

@baude
Member Author

baude commented Sep 11, 2015

atomic scan single image with detail

[bbaude@localhost atomic]$ sudo ./atomic scan 275be1 --detail

Scanning...


275be1d3d070
  OS        : Red Hat Enterprise Linux Server release 7.1 (Maipo)
  Moderate  : 3
     CVE       : RHSA-2015:1699: nss-softokn security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-2730
     RHSA ID   : RHSA-2015:1699-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1699.html

     CVE       : RHSA-2015:1640: pam security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-3238
     RHSA ID   : RHSA-2015:1640-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1640.html

     CVE       : RHSA-2015:1635: sqlite security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-3414
     RHSA ID   : RHSA-2015:1635-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1635.html


@baude
Member Author

baude commented Sep 11, 2015

atomic scan of multiple images with --detail

[bbaude@localhost atomic]$ sudo ./atomic scan 275be1 10acc ded7cd95 --detail

Scanning...


275be1d3d070
  OS        : Fedora release 22 (Twenty Two)
  Moderate  : 3
     CVE       : RHSA-2015:1699: nss-softokn security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-2730
     RHSA ID   : RHSA-2015:1699-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1699.html

     CVE       : RHSA-2015:1640: pam security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-3238
     RHSA ID   : RHSA-2015:1640-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1640.html

     CVE       : RHSA-2015:1635: sqlite security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-3414
     RHSA ID   : RHSA-2015:1635-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1635.html


ded7cd95e059
  Result    : Not based on Red Hat Enterprise Linux

10acc31def5d
  OS        : Fedora release 22 (Twenty Two)
  Important : 1
     CVE       : RHSA-2015:1483: libuser security update (Important)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-3245
     RHSA ID   : RHSA-2015:1483-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1483.html

  Moderate  : 8
     CVE       : RHSA-2015:1699: nss-softokn security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-2730
     RHSA ID   : RHSA-2015:1699-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1699.html

     CVE       : RHSA-2015:1640: pam security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-3238
     RHSA ID   : RHSA-2015:1640-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1640.html

     CVE       : RHSA-2015:1635: sqlite security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-3414
     RHSA ID   : RHSA-2015:1635-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1635.html

     CVE       : RHSA-2015:1185: nss security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-2721
     RHSA ID   : RHSA-2015:1185-01
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1185.html

     CVE       : RHSA-2015:1115: openssl security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2014-8176
     RHSA ID   : RHSA-2015:1115-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1115.html

     CVE       : RHSA-2015:1072: openssl security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-4000
     RHSA ID   : RHSA-2015:1072-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-1072.html

     CVE       : RHSA-2015:0749: libxml2 security update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2014-0191
     RHSA ID   : RHSA-2015:0749-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-0749.html

     CVE       : RHSA-2015:0716: openssl security and bug fix update (Moderate)
     CVE URL   : https://access.redhat.com/security/cve/CVE-2015-0209
     RHSA ID   : RHSA-2015:0716-00
     RHSA URL  : https://rhn.redhat.com/errata/RHSA-2015-0716.html

@rhatdan
Member

rhatdan commented Sep 11, 2015

Looks good.

    Add the ability to scan a container or image leveraging
    a containerized version of the openscap-daemon and atomic.

    i.e. atomic scan image_id

    man page added

    python3 fixes for this content
@rhatdan
Member

rhatdan commented Sep 14, 2015

LGTM

rhatdan added a commit that referenced this pull request Sep 14, 2015
atomic - Add CVE scan atomic
@rhatdan rhatdan merged commit 3f09a63 into projectatomic:master Sep 14, 2015