Skip to content

Commit

Permalink
disable clair scanner
Browse files Browse the repository at this point in the history
  • Loading branch information
rfaircloth-splunk committed Oct 7, 2019
1 parent ce0e85e commit 3cecbca
Show file tree
Hide file tree
Showing 2 changed files with 72 additions and 59 deletions.
63 changes: 4 additions & 59 deletions .circleci/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -174,63 +174,7 @@ jobs:
- run:
name: "Vulnerability scan"
command: |
#!/usr/bin/env bash
set -e
REPORT_DIR=clair-reports
mkdir $REPORT_DIR
DB=$(docker run -p 5432:5432 -d arminc/clair-db:latest)
CLAIR=$(docker run -p 6060:6060 --link "$DB":postgres -d arminc/clair-local-scan:latest)
CLAIR_SCANNER=$(docker run -v /var/run/docker.sock:/var/run/docker.sock -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null)
clair_ip=$(docker exec -it "$CLAIR" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
scanner_ip=$(docker exec -it "$CLAIR_SCANNER" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
docker cp "clair-whitelist.yml" "$CLAIR_SCANNER:/whitelist.yml"
WHITELIST="-w /whitelist.yml"
function scan() {
local image=$1
# replace forward-slashes and colons with underscores
munged_image=$(echo "$image" | sed 's/\//_/g' | sed 's/:/_/g')
sanitised_image_filename="${munged_image}.json"
local ret=0
local docker_cmd=(docker exec -it "$CLAIR_SCANNER" clair-scanner \
--ip "$scanner_ip" \
--clair=http://"$clair_ip":6060 \
-t "high" \
--report "/$sanitised_image_filename" \
--log "/log.json" ${WHITELIST:+"-x"}
--reportAll=true \
--exit-when-no-features=false \
"$image")
docker pull "$image"
"${docker_cmd[@]}" 2>&1 || ret=$?
if [ $ret -eq 0 ]; then
echo "No unapproved vulnerabilities"
elif [ $ret -eq 1 ]; then
echo "Unapproved vulnerabilities found"
EXIT_STATUS=1
elif [ $ret -eq 5 ]; then
echo "Image was not scanned, not supported."
EXIT_STATUS=1
else
echo "Unknown clair-scanner return code $ret."
EXIT_STATUS=1
fi
docker cp "$CLAIR_SCANNER:/$sanitised_image_filename" "$REPORT_DIR/$sanitised_image_filename" || true
}
EXIT_STATUS=0
scan "$IMAGE_NAME:$CIRCLE_SHA1"
exit $EXIT_STATUS
- store_artifacts:
path: clair-reports

Expand Down Expand Up @@ -341,9 +285,10 @@ workflows:
- test-scan-synk:
requires:
- build
- test-scan-clair:
requires:
- build
#Clair scanner image is broken using synk for now
# - test-scan-clair:
# requires:
# - build
- publish-common:
requires:
- dgoss
Expand Down
68 changes: 68 additions & 0 deletions clair-scan.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
#!/usr/bin/env bash

set -e

REPORT_DIR=clair-reports
mkdir $REPORT_DIR || true

#DB=$(docker run -p 5432:5432 -d arminc/clair-db:latest)
docker run -p 5432:5432 -d --rm --name db arminc/clair-db:latest
#CLAIR=$(docker run -p 6060:6060 --link "$DB":postgres -d arminc/clair-local-scan:latest)'
sleep 30
docker run -p 6060:6060 --link db:postgres -d --rm --name clair arminc/clair-local-scan:latest
#CLAIR_SCANNER=$(docker run -v /var/run/docker.sock:/var/run/docker.sock --link clair:clair --name clairscanner --rm -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null)

CLAIR_SCANNER=$(docker run --link clair:clair --name clairscanner --rm -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null)

#clair_ip=$(docker exec -it "$CLAIR" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
#scanner_ip=$(docker exec -it "$CLAIR_SCANNER" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')

docker cp "clair-whitelist.yml" "$CLAIR_SCANNER:/whitelist.yml"
WHITELIST="-w /whitelist.yml"

function scan() {
echo Scanning $1
local image=$1
# replace forward-slashes and colons with underscores
munged_image=$(echo "$image" | sed 's/\//_/g' | sed 's/:/_/g')
sanitised_image_filename="${munged_image}.json"
local ret=0
#--ip "$scanner_ip" \
#
local docker_cmd=(docker exec -it "$CLAIR_SCANNER" clair-scanner \
--clair=http://clair:6060 \
-t "high" \
--report "$REPORT_DIR/$sanitised_image_filename" \
--log "$REPORT_DIR/log.json" --whitelist=${WHITELIST:+"-x"}
--reportAll=true \
--exit-when-no-features=false \
"$image")

docker pull "$image"

"${docker_cmd[@]}" 2>&1 || ret=$?
if [ $ret -eq 0 ]; then
echo "No unapproved vulnerabilities"
elif [ $ret -eq 1 ]; then
echo "Unapproved vulnerabilities found"
EXIT_STATUS=1
elif [ $ret -eq 5 ]; then
echo "Image was not scanned, not supported."
EXIT_STATUS=1
else
echo "Unknown clair-scanner return code $ret."
EXIT_STATUS=1
fi

docker cp "$CLAIR_SCANNER:/$sanitised_image_filename" "$REPORT_DIR/$sanitised_image_filename" || true
}

EXIT_STATUS=0

scan "$IMAGE_NAME:$CIRCLE_SHA1"

docker kill clairscanner
docker kill clair
docker kill db

exit $EXIT_STATUS

0 comments on commit 3cecbca

Please sign in to comment.