use of com.epam.pipeline.entity.pipeline.Tool in project cloud-pipeline by epam.
Class AggregatingToolScanManager, method checkTool.
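/**
 * Evaluates the docker security policy for one tool version and reports whether a run may proceed.
 *
 * <p>Checks are applied in order and the first decisive one wins:
 * <ol>
 *   <li>a version that is white-listed, or whose grace period is still active, is always allowed;</li>
 *   <li>when {@code DOCKER_SECURITY_TOOL_POLICY_DENY_NOT_SCANNED} is set, a version without a
 *       completed successful scan is denied;</li>
 *   <li>otherwise, if a scan result exists, the number of Critical/High/Medium vulnerabilities is
 *       compared against the configured limits (a limit equal to {@code DISABLED} is skipped).</li>
 * </ol>
 * A version with no scan result and the deny-not-scanned policy switched off is allowed.
 *
 * @param tool the tool whose image is about to run
 * @param tag  the image tag (version) to check
 * @return {@code true} if the run is allowed by the policy, {@code false} otherwise
 */
public boolean checkTool(Tool tool, String tag) {
    final Optional<ToolVersionScanResult> versionScanOp = toolManager.loadToolVersionScan(tool.getId(), tag);
    final int graceHours = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_GRACE_HOURS);
    final boolean isGracePeriodOrWhiteList = versionScanOp.isPresent()
            && (gracePeriodIsActive(versionScanOp.get(), graceHours) || versionScanOp.get().isFromWhiteList());
    if (isGracePeriodOrWhiteList) {
        LOGGER.debug("Tool: " + tool.getId() + " version: " + tag + " is from White list or Grace period still active! Proceed with running!");
        return true;
    }
    final boolean denyNotScanned = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_DENY_NOT_SCANNED);
    if (denyNotScanned && !hasSuccessfulScan(versionScanOp)) {
        return false;
    }
    if (!versionScanOp.isPresent()) {
        // No scan result and the policy does not deny unscanned versions.
        return true;
    }
    final Map<VulnerabilitySeverity, Integer> severityCounters = countBySeverity(versionScanOp.get());
    // Limits are read lazily so that a failing Critical check does not read the High/Medium preferences.
    final int maxCriticalVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_CRITICAL_VULNERABILITIES);
    if (exceedsLimit(maxCriticalVulnerabilities, severityCounters, VulnerabilitySeverity.Critical)) {
        return false;
    }
    final int maxHighVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_HIGH_VULNERABILITIES);
    if (exceedsLimit(maxHighVulnerabilities, severityCounters, VulnerabilitySeverity.High)) {
        return false;
    }
    final int maxMediumVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_MEDIUM_VULNERABILITIES);
    return !exceedsLimit(maxMediumVulnerabilities, severityCounters, VulnerabilitySeverity.Medium);
}

/**
 * Whether a scan result exists, was actually performed and finished successfully at least once.
 *
 * @param versionScanOp the stored scan result, if any
 * @return {@code true} only if present, not {@code NOT_SCANNED} and with a success scan date
 */
private boolean hasSuccessfulScan(final Optional<ToolVersionScanResult> versionScanOp) {
    if (!versionScanOp.isPresent()) {
        return false;
    }
    final ToolVersionScanResult scan = versionScanOp.get();
    return scan.getStatus() != ToolScanStatus.NOT_SCANNED && scan.getSuccessScanDate() != null;
}

/**
 * Counts the scan's vulnerabilities per severity.
 *
 * <p>Replaces a hand-written three-argument {@code collect} whose combiner merged {@code null}
 * counts for keys missing from one side (an NPE on {@code HashMap.merge}) and dropped keys present
 * only in the second map; the combiner was only reachable for a parallel stream, but the simple
 * {@code merge} loop has no such trap. Assumes {@code getVulnerabilities()} is non-null, as the
 * previous implementation did.
 *
 * @param scan the scan result whose vulnerabilities are counted
 * @return mutable map of severity to count; absent severities have no entry
 */
private Map<VulnerabilitySeverity, Integer> countBySeverity(final ToolVersionScanResult scan) {
    final Map<VulnerabilitySeverity, Integer> counters = new HashMap<>();
    scan.getVulnerabilities().forEach(v -> counters.merge(v.getSeverity(), 1, Integer::sum));
    return counters;
}

/**
 * Whether the counted vulnerabilities of {@code severity} exceed a configured limit.
 *
 * @param limit    configured maximum; {@code DISABLED} switches the check off
 * @param counters per-severity counts from {@link #countBySeverity}
 * @param severity the severity to check
 * @return {@code true} if the check is enabled and the count is strictly above the limit
 */
private boolean exceedsLimit(final int limit,
                             final Map<VulnerabilitySeverity, Integer> counters,
                             final VulnerabilitySeverity severity) {
    return limit != DISABLED && limit < counters.getOrDefault(severity, 0);
}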
Class ToolScanScheduler, method init.
/**
 * Sets up the periodic tool security scan once the bean is constructed.
 *
 * <p>Creates the single-thread executor used for forced scans, schedules the scan task under the
 * scheduler's security context using the cron expression from
 * {@code DOCKER_SECURITY_TOOL_SCAN_SCHEDULE_CRON}, and subscribes to changes of that preference so
 * the schedule follows the new expression at runtime.
 */
@PostConstruct
public void init() {
    forceScanExecutor = Executors.newSingleThreadExecutor();
    final DelegatingSecurityContextRunnable scanTask =
            new DelegatingSecurityContextRunnable(this::scheduledToolScan, authManager.createSchedulerSecurityContext());
    final String initialCron = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_SCAN_SCHEDULE_CRON);
    LOGGER.info("Scheduled Tool Security Scan at " + initialCron);
    scheduledFuture.set(scheduler.schedule(scanTask, new CronTrigger(initialCron)));
    preferenceManager.getObservablePreference(SystemPreferences.DOCKER_SECURITY_TOOL_SCAN_SCHEDULE_CRON)
            .subscribe(newCron -> reschedule(scanTask, newCron));
}

/**
 * Cancels the currently scheduled scan and schedules it again with a new cron expression.
 *
 * <p>NOTE(review): the cancel is a side effect inside {@code updateAndGet}, which may re-run its
 * function under contention; kept as before since the single preference subscription is the only
 * writer here — confirm if another writer is ever added.
 *
 * @param scanTask the security-context-aware scan runnable created in {@link #init()}
 * @param newCron  the new cron expression
 */
private void reschedule(final DelegatingSecurityContextRunnable scanTask, final String newCron) {
    scheduledFuture.updateAndGet(current -> {
        LOGGER.info("Rescheduling Tool Security Scan at " + newCron);
        current.cancel(false);
        return scheduler.schedule(scanTask, new CronTrigger(newCron));
    });
}
Class DockerRegistryManager, method enableToolIfNeeded.
/**
 * Registers the tool named in a registry event in the given group, unless it is already registered.
 *
 * <p>If a tool with the same image already exists in the group, its scan status for the event's
 * tag is reset to {@code NOT_SCANNED} and the existing tool is returned; note that this path runs
 * before the permission check, so it does not depend on the actor's rights on the group. A new
 * tool is created only when the event's actor has {@code WRITE} permission on the group.
 *
 * @param event     the registry event that triggered the call; its actor name is used as owner
 * @param registry  the registry the event came from
 * @param toolName  the name of the tool to enable
 * @param toolGroup the group the tool belongs to
 * @return the existing or newly created tool, or empty if the actor may not write to the group
 */
private Optional<Tool> enableToolIfNeeded(DockerRegistryEvent event, DockerRegistry registry, String toolName, ToolGroup toolGroup) {
    final String actorName = event.getActor().getName();
    final Tool candidate = buildTool(registry, toolGroup, toolName, actorName);
    // Already registered in this group: refresh the scan status for the pushed tag and stop here.
    final Optional<Tool> existing = toolManager.loadToolInGroup(candidate.getImage(), candidate.getToolGroupId());
    if (existing.isPresent()) {
        LOGGER.warn(messageHelper.getMessage(MessageConstants.ERROR_TOOL_ALREADY_EXIST, candidate.getImage(), toolGroup.getName()));
        toolManager.updateToolVersionScanStatus(existing.get().getId(), ToolScanStatus.NOT_SCANNED, DateUtils.now(),
                event.getTarget().getTag(), null, event.getTarget().getDigest());
        return existing;
    }
    final boolean actorMayWrite = permissionManager.isActionAllowedForUser(toolGroup, actorName, AclPermission.WRITE);
    if (actorMayWrite) {
        return Optional.of(toolManager.create(candidate, false));
    }
    LOGGER.warn(messageHelper.getMessage(MessageConstants.ERROR_PERMISSION_IS_NOT_GRANTED, registry.getPath(), AclPermission.WRITE_PERMISSION));
    return Optional.empty();
}
Class ToolVersionManager, method createToolVersionSettings.
/**
 * Creates or replaces the settings of a specific tool version.
 *
 * <p>If a {@link ToolVersion} row for the tool and version already exists it is updated in place;
 * otherwise a new one is created. The {@code settings} list is stored as given (not copied).
 *
 * @param toolId   tool ID
 * @param version  tool version (tag)
 * @param settings list of tool version settings
 * @return the tool version carrying the given settings
 * @throws IllegalArgumentException if no tool with {@code toolId} exists
 */
@Transactional(propagation = Propagation.REQUIRED)
public ToolVersion createToolVersionSettings(final Long toolId, final String version, final List<ConfigurationEntry> settings) {
    final Tool tool = toolManager.load(toolId);
    Assert.notNull(tool, messageHelper.getMessage(MessageConstants.ERROR_TOOL_NOT_FOUND));
    final Optional<ToolVersion> existing = toolVersionDao.loadToolVersion(toolId, version);
    if (!existing.isPresent()) {
        final ToolVersion created = ToolVersion.builder()
                .toolId(toolId)
                .version(version)
                .settings(settings)
                .build();
        toolVersionDao.createToolVersionWithSettings(created);
        return created;
    }
    final ToolVersion updated = existing.get();
    updated.setSettings(settings);
    toolVersionDao.updateToolVersionWithSettings(updated);
    return updated;
}
Class ToolSecurityPolicyAspect, method checkToolBySecurityPolicy.
/**
 * Enforces the docker security policy before any method annotated with
 * {@code ToolSecurityPolicyCheck} whose first argument is a {@link PipelineStart}.
 *
 * <p>Resolves the docker image and tag from the run's pipeline configuration and asks
 * {@code clairToolScanManager} whether the tool version passes the policy. The check is skipped
 * entirely when the run is forced ({@code runVO.isForce()}) by an admin user.
 *
 * @param joinPoint the intercepted call (unused)
 * @param runVO     the run request being started
 * @throws ToolExecutionDeniedException if the tool version violates the security policy
 */
@Before("@annotation(com.epam.pipeline.manager.docker.scan.ToolSecurityPolicyCheck) && args(runVO,..)")
public void checkToolBySecurityPolicy(JoinPoint joinPoint, PipelineStart runVO) {
    // Admin bypass: only consulted when the caller explicitly forces the run.
    if (runVO.isForce() && isCurrentUserAdmin()) {
        return;
    }
    final PipelineConfiguration configuration = configurationManager.getPipelineConfiguration(runVO);
    final String image = configuration.getDockerImage();
    final String tag = toolManager.getTagFromImageName(image);
    final Tool tool = toolManager.loadByNameOrId(image);
    final boolean allowed = clairToolScanManager.checkTool(tool, tag);
    if (!allowed) {
        throw new ToolExecutionDeniedException(messageHelper.getMessage(MessageConstants.ERROR_TOOL_SECURITY_POLICY_VIOLATION));
    }
}

/**
 * Whether the current authenticated user exists and has the admin role.
 *
 * @return {@code true} for an admin user, {@code false} for a non-admin or no current user
 */
private boolean isCurrentUserAdmin() {
    final PipelineUser user = authManager.getCurrentUser();
    return user != null && user.isAdmin();
}