From 3cecbca82c8411a022b2ef23f3d0d496b7fbe675 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Mon, 7 Oct 2019 10:19:33 -0400 Subject: [PATCH] disable clair scanner --- .circleci/config.yml | 63 +++------------------------------------- clair-scan.sh | 68 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 59 deletions(-) create mode 100755 clair-scan.sh diff --git a/.circleci/config.yml b/.circleci/config.yml index 3be25bd..8dc6844 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -174,63 +174,7 @@ jobs: - run: name: "Vulnerability scan" command: | - #!/usr/bin/env bash - set -e - - REPORT_DIR=clair-reports - mkdir $REPORT_DIR - - DB=$(docker run -p 5432:5432 -d arminc/clair-db:latest) - CLAIR=$(docker run -p 6060:6060 --link "$DB":postgres -d arminc/clair-local-scan:latest) - CLAIR_SCANNER=$(docker run -v /var/run/docker.sock:/var/run/docker.sock -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null) - - clair_ip=$(docker exec -it "$CLAIR" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+') - scanner_ip=$(docker exec -it "$CLAIR_SCANNER" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+') - - docker cp "clair-whitelist.yml" "$CLAIR_SCANNER:/whitelist.yml" - WHITELIST="-w /whitelist.yml" - - function scan() { - local image=$1 - # replace forward-slashes and colons with underscores - munged_image=$(echo "$image" | sed 's/\//_/g' | sed 's/:/_/g') - sanitised_image_filename="${munged_image}.json" - local ret=0 - local docker_cmd=(docker exec -it "$CLAIR_SCANNER" clair-scanner \ - --ip "$scanner_ip" \ - --clair=http://"$clair_ip":6060 \ - -t "high" \ - --report "/$sanitised_image_filename" \ - --log "/log.json" ${WHITELIST:+"-x"} - --reportAll=true \ - --exit-when-no-features=false \ - "$image") - - docker pull "$image" - - "${docker_cmd[@]}" 2>&1 || ret=$? - if [ $ret -eq 0 ]; then - echo "No unapproved vulnerabilities" - elif [ $ret -eq 1 ]; then - echo "Unapproved vulnerabilities found" - EXIT_STATUS=1 - elif [ $ret -eq 5 ]; then - echo "Image was not scanned, not supported." - EXIT_STATUS=1 - else - echo "Unknown clair-scanner return code $ret." - EXIT_STATUS=1 - fi - - docker cp "$CLAIR_SCANNER:/$sanitised_image_filename" "$REPORT_DIR/$sanitised_image_filename" || true - } - - EXIT_STATUS=0 - - scan "$IMAGE_NAME:$CIRCLE_SHA1" - - exit $EXIT_STATUS - store_artifacts: path: clair-reports @@ -341,9 +285,10 @@ workflows: - test-scan-synk: requires: - build - - test-scan-clair: - requires: - - build +#Clair scanner image is broken using synk for now +# - test-scan-clair: +# requires: +# - build - publish-common: requires: - dgoss diff --git a/clair-scan.sh b/clair-scan.sh new file mode 100755 index 0000000..e890ce3 --- /dev/null +++ b/clair-scan.sh @@ -0,0 +1,68 @@ +#!/usr/bin/env bash + + set -e + + REPORT_DIR=clair-reports + mkdir $REPORT_DIR || true + + #DB=$(docker run -p 5432:5432 -d arminc/clair-db:latest) + docker run -p 5432:5432 -d --rm --name db arminc/clair-db:latest + #CLAIR=$(docker run -p 6060:6060 --link "$DB":postgres -d arminc/clair-local-scan:latest)' + sleep 30 + docker run -p 6060:6060 --link db:postgres -d --rm --name clair arminc/clair-local-scan:latest + #CLAIR_SCANNER=$(docker run -v /var/run/docker.sock:/var/run/docker.sock --link clair:clair --name clairscanner --rm -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null) + + CLAIR_SCANNER=$(docker run --link clair:clair --name clairscanner --rm -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null) + + #clair_ip=$(docker exec -it "$CLAIR" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+') + #scanner_ip=$(docker exec -it "$CLAIR_SCANNER" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+') + + docker cp "clair-whitelist.yml" "$CLAIR_SCANNER:/whitelist.yml" + WHITELIST="-w /whitelist.yml" + + function scan() { + echo Scanning $1 + local image=$1 + # replace forward-slashes and colons with underscores + munged_image=$(echo "$image" | sed 's/\//_/g' | sed 's/:/_/g') + sanitised_image_filename="${munged_image}.json" + local ret=0 + #--ip "$scanner_ip" \ + # + local docker_cmd=(docker exec -it "$CLAIR_SCANNER" clair-scanner \ + --clair=http://clair:6060 \ + -t "high" \ + --report "$REPORT_DIR/$sanitised_image_filename" \ + --log "$REPORT_DIR/log.json" --whitelist=${WHITELIST:+"-x"} + --reportAll=true \ + --exit-when-no-features=false \ + "$image") + + docker pull "$image" + + "${docker_cmd[@]}" 2>&1 || ret=$? + if [ $ret -eq 0 ]; then + echo "No unapproved vulnerabilities" + elif [ $ret -eq 1 ]; then + echo "Unapproved vulnerabilities found" + EXIT_STATUS=1 + elif [ $ret -eq 5 ]; then + echo "Image was not scanned, not supported." + EXIT_STATUS=1 + else + echo "Unknown clair-scanner return code $ret." + EXIT_STATUS=1 + fi + + docker cp "$CLAIR_SCANNER:/$sanitised_image_filename" "$REPORT_DIR/$sanitised_image_filename" || true + } + + EXIT_STATUS=0 + + scan "$IMAGE_NAME:$CIRCLE_SHA1" + + docker kill clairscanner + docker kill clair + docker kill db + + exit $EXIT_STATUS \ No newline at end of file