Generalized security scan (#468)

* changes * cl * correct CL * code format * don't use os.readfile * debug line * example constraints
solo-io · Sep 30, 2021 · 8cbeb6a · 8cbeb6a
1 parent db47530
commit 8cbeb6a
Show file tree

Hide file tree

Showing 7 changed files with 478 additions and 50 deletions.
diff --git a/changelog/v0.21.20/trivy-scan-generalization.yaml b/changelog/v0.21.20/trivy-scan-generalization.yaml
@@ -0,0 +1,4 @@
+changelog:
+  - type: NON_USER_FACING
+    description: Add generalized CLI to security scan utils.
+    issueLink: https://github.com/solo-io/go-utils/issues/467
diff --git a/securityscanutils/README.md b/securityscanutils/README.md
@@ -7,60 +7,43 @@ trivy image --severity HIGH,CRITICAL quay.io/solo-io/<IMAGE>:<VERSION>
 ```
 
 ## Using securityscanutils
-The following code snippet shows how to import and use the `SecurityScanner` to scan a repositories' releases. Multiple
-repositories can be specified for scanning. 
+Using the utils here is as easy as using the CLI defined in the cli subdirectory. The snippet
+below shows the output the said CLI's `help` command.
 
 The `GITHUB_TOKEN` environment variable must be set for security scanning to work.
 
-```go
-package main
+```bash
+go-utils/securityscan/cli % go run ./run_scan.go help                                                                                                                                            
+Usage:
+   [command]
 
-import (
-	"context"
-	"log"
+Available Commands:
+  echo-inputs          Prints out all the state of all inputs (including inputted, defaults, and derived) for debugging purposes
+  gen-releases         cache github releases for inputted repository. This is its own command to protect against rate-limiting by github by trying to pull releases too much.
+  gen-security-scan-md pull down security scan files from gcloud bucket and generate docs markdown file
+  help                 Help about any command
+  run-security-scan    runs trivy scans on images from repo specified
 
-	"github.com/Masterminds/semver/v3"
-	. "github.com/solo-io/go-utils/securityscanutils"
-)
+Flags:
+  -c, --CachedReleasesFile string   The name of the file that contains a list of all releases from the given repository. This file is generated by the 'gen-releases' command, and used by the others.
+  -i, --CreateIssues                If true, open/update a Github Issue for each version that has images that have vulnerabilities. Defaults to true. (default true)
+  -p, --GenerateCachedReleases      If true, then populate the file specified by the CachedReleasesFile flag with all releases from Github. If false, then the command assumes that the file has already been created and populated.  Should be set to false for testing to avoid rate-limiting by Github. Defaults to true. (default true)
+  -f, --ImageFile string            Different release versions may have different images to scan.
+                                    To deal with this, the run-security-scan command expects a file input that maps version constraints to images
+                                    to be scanned if a version matches that constraint. Constraints must be mutually exclusive.
+                                    The file is expected to be a csv, where the first element of each line is the constraint, and every subsequent element
+                                    in that line is an image to be scanned if that constraint is matched.
+                                    Read https://github.com/Masterminds/semver#checking-version-constraints for more about how to use semver constraints.
+      --ImageRepo string            The repository where images to scan are located. Defaults to 'quay.io/solo-io' (default "quay.io/solo-io")
+  -m, --MinScannedVersion string    The minimum version of images to scan. If set, will scan every image from this to the present, and will scan all images otherwise
+      --RepoOwner string            The owner of the repository to scan. Defaults to 'solo-io' (default "solo-io")
+  -r, --TargetRepo string           The repository to scan
+  -w, --TargetRepoWritten string    Specify the human readable name of the repository to scan for output purposes.
+  -u, --UploadToGithub              Setting this to true will upload any generated sarif files to the github repository endpoint, 
+                                    e.g. https://github.com/solo-io/gloo/security/code-scanning
+                                    read more here: https://docs.github.com/en/rest/reference/code-scanning.
+                                    Defaults to false.
+  -h, --help                        help for this command
 
-func main() {
-    // This is a constraint on which releases from the repository are scanned.
-    // Any releases that don't pass this constraint will not be scanned. Passed into the `VersionConstraint` option.
-	constraint, _ := semver.NewConstraint(">= v1.7.0")
-	scanner := SecurityScanner{
-		Repos: []*SecurityScanRepo{
-			{
-				Repo:  "gloo",
-				Owner: "solo-io",
-				Opts: &SecurityScanOpts{
-					OutputDir: "_output/scans",
-                    // Different release versions may have different images to scan.
-                    // In this example, we introduced the "discovery" image in 1.7.0, and
-                    // specify the constraint as such. 
-                    // Each version should only match only ONE constraint, else an error will be thrown.
-                    // Read https://github.com/Masterminds/semver#checking-version-constraints for more about how to use
-                    // semver constraints
-					ImagesPerVersion: map[string][]string{
-					    "1.7.x": {"gloo", "gloo-envoy-wrapper"},
-						">=v1.7.0 <= v1.8.0": {"gloo", "gloo-envoy-wrapper", "discovery"},
-					},
-                    // If VersionConstraint is not specified, all releases from the repo will be scanned, including
-                    // pre-releases, which is not recommended.
-					VersionConstraint:      constraint,
-					ImageRepo:              "quay.io/solo-io",
-                    // Setting this to true will upload any generated sarif files to the github repository
-                    // endpoint, e.g. https://github.com/solo-io/gloo/security/code-scanning
-                    // read more here: https://docs.github.com/en/rest/reference/code-scanning
-					UploadCodeScanToGithub: true,
-					// Opens/Updates Github Issue for each version that has images that have vulnerabilities
-                    CreateGithubIssuePerVersion: true,
-				},
-			},
-		},
-	}
-	err := scanner.GenerateSecurityScans(context.Background())
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-}
+Use " [command] --help" for more information about a command.
 ```
diff --git a/securityscanutils/cli/exampleVersionImageConstraints.txt b/securityscanutils/cli/exampleVersionImageConstraints.txt
@@ -0,0 +1,6 @@
+# comments are skipped, as are empty lines
+# format
+constraint-a , image1, image2, image3
+constraint-b , image2, image3, image4
+#valid example for GME
+# >=0.0.0,enterprise-networking,enterprise-agent,istiod-agent,gloo-mesh-apiserver,gloo-mesh-ui,gloo-mesh-envoy,rbac-webhook
diff --git a/securityscanutils/cli/example_use.sh b/securityscanutils/cli/example_use.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# go run ./run_scan.go help
+# booleans must be set in the form: -flag=true/false
+# list inputs must be set with multiple uses of the string input: -arrayInput firstInput -arrayInput secondInput
+# go run ./run_scan.go testing -r testRepo -w "test repo" -s a -s b -s c -i=false -u=true
diff --git a/securityscanutils/cli/run_scan.go b/securityscanutils/cli/run_scan.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"context"
+	"log"
+
+	"github.com/solo-io/go-utils/securityscanutils"
+)
+
+func main() {
+	ctx := context.Background()
+	app := securityscanutils.RootApp(ctx)
+	if err := app.Execute(); err != nil {
+		log.Fatalf("unable to run: %v\n", err)
+	}
+}