diff --git a/clair-scan.sh b/clair-scan.sh deleted file mode 100755 index e890ce3..0000000 --- a/clair-scan.sh +++ /dev/null @@ -1,68 +0,0 @@ -#!/usr/bin/env bash - - set -e - - REPORT_DIR=clair-reports - mkdir $REPORT_DIR || true - - #DB=$(docker run -p 5432:5432 -d arminc/clair-db:latest) - docker run -p 5432:5432 -d --rm --name db arminc/clair-db:latest - #CLAIR=$(docker run -p 6060:6060 --link "$DB":postgres -d arminc/clair-local-scan:latest)' - sleep 30 - docker run -p 6060:6060 --link db:postgres -d --rm --name clair arminc/clair-local-scan:latest - #CLAIR_SCANNER=$(docker run -v /var/run/docker.sock:/var/run/docker.sock --link clair:clair --name clairscanner --rm -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null) - - CLAIR_SCANNER=$(docker run --link clair:clair --name clairscanner --rm -d ovotech/clair-scanner@sha256:53fe8e8ac63af330d2dfc63498d23d8825d07f916f7d230271176de06d12acd6 tail -f /dev/null) - - #clair_ip=$(docker exec -it "$CLAIR" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+') - #scanner_ip=$(docker exec -it "$CLAIR_SCANNER" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+') - - docker cp "clair-whitelist.yml" "$CLAIR_SCANNER:/whitelist.yml" - WHITELIST="-w /whitelist.yml" - - function scan() { - echo Scanning $1 - local image=$1 - # replace forward-slashes and colons with underscores - munged_image=$(echo "$image" | sed 's/\//_/g' | sed 's/:/_/g') - sanitised_image_filename="${munged_image}.json" - local ret=0 - #--ip "$scanner_ip" \ - # - local docker_cmd=(docker exec -it "$CLAIR_SCANNER" clair-scanner \ - --clair=http://clair:6060 \ - -t "high" \ - --report "$REPORT_DIR/$sanitised_image_filename" \ - --log "$REPORT_DIR/log.json" --whitelist=${WHITELIST:+"-x"} - --reportAll=true \ - --exit-when-no-features=false \ - "$image") - - docker pull "$image" - - "${docker_cmd[@]}" 2>&1 || ret=$? - if [ $ret -eq 0 ]; then - echo "No unapproved vulnerabilities" - elif [ $ret -eq 1 ]; then - echo "Unapproved vulnerabilities found" - EXIT_STATUS=1 - elif [ $ret -eq 5 ]; then - echo "Image was not scanned, not supported." - EXIT_STATUS=1 - else - echo "Unknown clair-scanner return code $ret." - EXIT_STATUS=1 - fi - - docker cp "$CLAIR_SCANNER:/$sanitised_image_filename" "$REPORT_DIR/$sanitised_image_filename" || true - } - - EXIT_STATUS=0 - - scan "$IMAGE_NAME:$CIRCLE_SHA1" - - docker kill clairscanner - docker kill clair - docker kill db - - exit $EXIT_STATUS \ No newline at end of file diff --git a/clair-whitelist.yml b/clair-whitelist.yml deleted file mode 100644 index 586bcb7..0000000 --- a/clair-whitelist.yml +++ /dev/null @@ -1,24 +0,0 @@ -#Splunk Connect for Syslog (SC4S) by Splunk, Inc. -# -#To the extent possible under law, the person who associated CC0 with -#Splunk Connect for Syslog (SC4S) has waived all copyright and related or neighboring rights -#to Splunk Connect for Syslog (SC4S). -# -#You should have received a copy of the CC0 legalcode along with this -#work. If not, see . -generalwhitelist: - RHSA-2019:1619: False Positive - RHSA-2018:0654: False Positive - RHSA-2018:1967: False Positive - RHSA-2017:0372: False Positive - RHSA-2018:0502: False Positive - RHSA-2018:2772: False Positive - RHSA-2018:1374: False Positive - RHSA-2018:0180: False Positive - RHSA-2019:2029: False Positive - RHSA-2019:1873: False Positive - - - -images: - scs: diff --git a/clair_to_junit_parser.py b/clair_to_junit_parser.py deleted file mode 100644 index 7dbc220..0000000 --- a/clair_to_junit_parser.py +++ /dev/null @@ -1,80 +0,0 @@ -#Copyright 2019 Splunk, Inc. -# -#Use of this source code is governed by a BSD-2-clause-style -#license that can be found in the LICENSE-BSD2 file or at -#https://opensource.org/licenses/BSD-2-Clause -import json -from junit_xml import TestSuite, TestCase -import os -import argparse -import logging - -logger = logging.getLogger('clair_scanner_converter') -logger.setLevel(logging.WARN) -console_logger = logging.StreamHandler() -console_logger.setLevel(logging.WARN) -formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') -console_logger.setFormatter(formatter) -logger.addHandler(console_logger) - -def parse_args(): - parser = argparse.ArgumentParser(description="Process Json File") - parser.add_argument("clairfile", type=str, default=None, help="Location of clair scanner ouptut file to convert to cucumber.json") - parser.add_argument("--output", type=str, default=None, help="name of output file to store in new format. Defaults to clair inputfile") - args = parser.parse_args() - if not args.output: - logger.warning("No output file specified, replacing input file.") - args.output = args.clairfile - return args - -def main(): - cwd = os.getcwd() - args = parse_args() - try: - if os.path.exists(args.clairfile): - with open(args.clairfile) as clairfile: - clair_parsed_file = json.load(clairfile) - if os.path.exists(os.path.join("clair-scanner-logs", "/clair_setup_errors.log")): - with open(os.path.join("clair-scanner-logs", "/clair_setup_errors.log"), 'r') as clairfile_errors: - clair_parsed_error_file = clairfile_errors.readlines() - else: - clair_parsed_error_file = None - except: - logger.exception("Failed to parse clair / clair_error file. Exiting.") - - current_sorted_level = None - current_suite = None - test_suites = [] - if clair_parsed_error_file: - current_suite = TestSuite("SetupError") - new_step = TestCase(name="SetupError", classname="SetupError", status="unapproved", stderr=clair_parsed_error_file) - new_step.log = clair_parsed_error_file - new_step.category = "SetupError" - new_step.failure_type = "unapproved" - new_step.failure_message = "Please have the following security issue reviewed by Splunk: {}".format(vuln["link"]) - new_step.failure_output = clair_parsed_error_file - current_suite.test_cases.append(new_step) - test_suites.append(current_suite) - for vuln in clair_parsed_file["vulnerabilities"]: - if current_sorted_level != vuln["severity"]: - if current_suite: - test_suites.append(current_suite) - current_suite = TestSuite(name=vuln["severity"]) - current_sorted_level = vuln["severity"] - new_step = TestCase(name=vuln["vulnerability"], classname=vuln["severity"], status="unapproved", url=vuln["link"], stderr=vuln["description"]) - new_step.log = vuln - new_step.category = vuln["severity"] - new_step.failure_type = "unapproved" - new_step.failure_message = "Please have the following security issue reviewed by Splunk: {}".format(vuln["link"]) - new_step.failure_output = vuln["description"] - current_suite.test_cases.append(new_step) - # try to write new file - try: - with open(args.output, 'w') as outfile: - outfile.write(TestSuite.to_xml_string(test_suites)) - except: - logger.exception("Filed saving file.") - - -if __name__ == "__main__": - main() \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 0c106f2..db9f4e5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -19,7 +19,6 @@ services: - SPLUNK_USER=admin - SPLUNK_PASSWORD=${SPLUNK_PASSWORD} - SPLUNK_HOST=splunk - - docke=sc4s sc4s: build: @@ -58,7 +57,7 @@ services: context: splunk hostname: splunk ports: - - "8000" + - "8000:8000" - "8088" - "8089" environment: