

The class AggregatingToolScanManager, method checkTool.

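/**
 * Checks a tool version against the Docker security policy and reports whether it may be run.
 * <p>
 * Rules are applied in order; the first matching one decides:
 * <ol>
 *   <li>A scan result that is white-listed, or whose grace period
 *       ({@code DOCKER_SECURITY_TOOL_GRACE_HOURS}, see {@code gracePeriodIsActive}) is still active: allowed.</li>
 *   <li>{@code DOCKER_SECURITY_TOOL_POLICY_DENY_NOT_SCANNED} is on and there is no scan result, its status is
 *       {@code NOT_SCANNED}, or it has no successful scan date: denied.</li>
 *   <li>A scan result whose Critical, High or Medium vulnerability count exceeds the corresponding
 *       {@code DOCKER_SECURITY_TOOL_POLICY_MAX_*_VULNERABILITIES} limit: denied. A limit equal to
 *       {@code DISABLED} is not enforced.</li>
 *   <li>Otherwise allowed. Note that with deny-not-scanned off, a version without any scan result is allowed.</li>
 * </ol>
 *
 * @param tool the tool whose image is about to be run
 * @param tag  the image tag (version) to check
 * @return {@code true} when the policy permits the run, {@code false} when it denies it
 */
public boolean checkTool(Tool tool, String tag) {
    Optional<ToolVersionScanResult> versionScanOp = toolManager.loadToolVersionScan(tool.getId(), tag);
    int graceHours = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_GRACE_HOURS);
    boolean isGracePeriodOrWhiteList = versionScanOp.isPresent()
            && (gracePeriodIsActive(versionScanOp.get(), graceHours) || versionScanOp.get().isFromWhiteList());
    if (isGracePeriodOrWhiteList) {
        LOGGER.debug("Tool: {} version: {} is from White list or Grace period still active! Proceed with running!",
                tool.getId(), tag);
        return true;
    }
    boolean denyNotScanned = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_DENY_NOT_SCANNED);
    if (denyNotScanned && (!versionScanOp.isPresent() || lacksSuccessfulScan(versionScanOp.get()))) {
        return false;
    }
    if (!versionScanOp.isPresent()) {
        // No scan result and deny-not-scanned is off: there is nothing to count against the limits.
        return true;
    }
    Map<VulnerabilitySeverity, Integer> severityCounters = countBySeverity(versionScanOp.get());
    int maxCriticalVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_CRITICAL_VULNERABILITIES);
    if (exceedsLimit(maxCriticalVulnerabilities, severityCounters.getOrDefault(VulnerabilitySeverity.Critical, 0))) {
        return false;
    }
    int maxHighVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_HIGH_VULNERABILITIES);
    if (exceedsLimit(maxHighVulnerabilities, severityCounters.getOrDefault(VulnerabilitySeverity.High, 0))) {
        return false;
    }
    int maxMediumVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_MEDIUM_VULNERABILITIES);
    if (exceedsLimit(maxMediumVulnerabilities, severityCounters.getOrDefault(VulnerabilitySeverity.Medium, 0))) {
        return false;
    }
    return true;
}

/**
 * A scan result counts as "not scanned" for the deny-not-scanned policy when its status is
 * {@code NOT_SCANNED} or it carries no successful scan date.
 */
private static boolean lacksSuccessfulScan(ToolVersionScanResult scanResult) {
    return scanResult.getStatus() == ToolScanStatus.NOT_SCANNED || scanResult.getSuccessScanDate() == null;
}

/**
 * Counts the vulnerabilities of a scan result per severity.
 * <p>
 * Replaces a {@code collect(HashMap::new, accumulator, combiner)} whose combiner iterated only the first map's
 * keys (dropping severities present only in the second map) and passed a possibly-null count into {@code merge};
 * a single pass with {@code Map#merge} needs no combiner at all.
 *
 * @return a mutable map from severity to count; severities with no vulnerabilities are absent
 */
private static Map<VulnerabilitySeverity, Integer> countBySeverity(ToolVersionScanResult scanResult) {
    Map<VulnerabilitySeverity, Integer> counters = new HashMap<>();
    scanResult.getVulnerabilities().forEach(vulnerability -> counters.merge(vulnerability.getSeverity(), 1, Integer::sum));
    return counters;
}

/** A limit equal to {@code DISABLED} is never enforced; otherwise the count must not exceed it. */
private boolean exceedsLimit(int limit, int count) {
    return limit != DISABLED && limit < count;
}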


The class ToolScanScheduler, method init.

/**
 * Wires the periodic tool security scan on bean start-up.
 * <p>
 * The scan runs under the scheduler security context obtained from {@code authManager}, on the cron expression held
 * in {@code DOCKER_SECURITY_TOOL_SCAN_SCHEDULE_CRON}; whenever that preference changes the current schedule is
 * cancelled (without interrupting a scan in flight) and a new one is registered.
 */
@PostConstruct
public void init() {
    forceScanExecutor = Executors.newSingleThreadExecutor();
    final DelegatingSecurityContextRunnable secureRunnable = new DelegatingSecurityContextRunnable(
            this::scheduledToolScan, authManager.createSchedulerSecurityContext());
    final String initialCron = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_SCAN_SCHEDULE_CRON);
    LOGGER.info("Scheduled Tool Security Scan at {}", initialCron);
    scheduledFuture.set(scheduler.schedule(secureRunnable, new CronTrigger(initialCron)));
    preferenceManager.getObservablePreference(SystemPreferences.DOCKER_SECURITY_TOOL_SCAN_SCHEDULE_CRON)
            .subscribe(newCron -> reschedule(secureRunnable, newCron));
}

/** Replaces the currently scheduled scan with one driven by {@code newCron}; a running scan is not interrupted. */
private void reschedule(final DelegatingSecurityContextRunnable task, final String newCron) {
    scheduledFuture.updateAndGet(current -> {
        LOGGER.info("Rescheduling Tool Security Scan at {}", newCron);
        current.cancel(false);
        return scheduler.schedule(task, new CronTrigger(newCron));
    });
}


The class DockerRegistryManager, method enableToolIfNeeded.

/**
 * Registers the tool referenced by a registry event, unless it already exists in the target group.
 * <p>
 * For an existing tool only its version scan status is reset to {@code NOT_SCANNED} for the pushed tag/digest and
 * the existing entity is returned; the group permission check below is not applied on that path. A new tool is
 * created only when the event's actor holds {@code WRITE} on the tool group; otherwise the refusal is logged and
 * an empty result is returned.
 *
 * @param event the registry event that triggered the registration
 * @param registry the registry the event came from
 * @param toolName the tool name taken from the event
 * @param toolGroup the group the tool belongs to
 * @return the existing or newly created tool, or empty when the actor may not write to the group
 */
private Optional<Tool> enableToolIfNeeded(DockerRegistryEvent event, DockerRegistry registry, String toolName, ToolGroup toolGroup) {
    final String actor = event.getActor().getName();
    final Tool candidate = buildTool(registry, toolGroup, toolName, actor);
    // check that this tool isn't registered yet.
    final Optional<Tool> registered = toolManager.loadToolInGroup(candidate.getImage(), candidate.getToolGroupId());
    if (registered.isPresent()) {
        LOGGER.warn(messageHelper.getMessage(MessageConstants.ERROR_TOOL_ALREADY_EXIST, candidate.getImage(), toolGroup.getName()));
        toolManager.updateToolVersionScanStatus(registered.get().getId(), ToolScanStatus.NOT_SCANNED, DateUtils.now(),
                event.getTarget().getTag(), null, event.getTarget().getDigest());
        return registered;
    }
    final boolean actorMayWrite = permissionManager.isActionAllowedForUser(toolGroup, actor, AclPermission.WRITE);
    if (actorMayWrite) {
        return Optional.of(toolManager.create(candidate, false));
    }
    LOGGER.warn(messageHelper.getMessage(MessageConstants.ERROR_PERMISSION_IS_NOT_GRANTED, registry.getPath(), AclPermission.WRITE_PERMISSION));
    return Optional.empty();
}


The class ToolVersionManager, method createToolVersionSettings.

/**
 * Creates or replaces the settings of a specific tool version.
 * <p>
 * If a tool version row already exists for {@code toolId}/{@code version} its settings are overwritten in place;
 * otherwise a new row carrying the settings is created.
 *
 * @param toolId tool ID; the tool must exist
 * @param version tool version (tag)
 * @param settings list of tool version settings to store
 * @return the persisted tool version with {@code settings} applied
 * @throws RuntimeException the failure raised by {@code Assert.notNull} when no tool with {@code toolId} is found
 */
@Transactional(propagation = Propagation.REQUIRED)
public ToolVersion createToolVersionSettings(final Long toolId, final String version, final List<ConfigurationEntry> settings) {
    final Tool tool = toolManager.load(toolId);
    Assert.notNull(tool, messageHelper.getMessage(MessageConstants.ERROR_TOOL_NOT_FOUND));
    return toolVersionDao.loadToolVersion(toolId, version)
            .map(existing -> replaceSettings(existing, settings))
            .orElseGet(() -> createWithSettings(toolId, version, settings));
}

/** Overwrites the settings of an existing tool version and persists it. */
private ToolVersion replaceSettings(final ToolVersion existing, final List<ConfigurationEntry> settings) {
    existing.setSettings(settings);
    toolVersionDao.updateToolVersionWithSettings(existing);
    return existing;
}

/** Builds and persists a new tool version carrying the given settings. */
private ToolVersion createWithSettings(final Long toolId, final String version, final List<ConfigurationEntry> settings) {
    final ToolVersion created = ToolVersion.builder().toolId(toolId).version(version).settings(settings).build();
    toolVersionDao.createToolVersionWithSettings(created);
    return created;
}


The class ToolSecurityPolicyAspect, method checkToolBySecurityPolicy.

/**
 * Enforces the Docker security policy before a pipeline run is started.
 * <p>
 * Advises methods annotated with {@code ToolSecurityPolicyCheck} whose first argument is a {@link PipelineStart}.
 * A request with {@code force} set bypasses the check only when the current user is an admin; for every other request
 * the docker image of the resolved pipeline configuration is checked via {@code clairToolScanManager.checkTool} and
 * the run is rejected when the policy is violated.
 *
 * @param joinPoint the intercepted join point (not used by the check itself)
 * @param runVO the run request
 * @throws ToolExecutionDeniedException if the tool version violates the security policy
 */
@Before("@annotation(com.epam.pipeline.manager.docker.scan.ToolSecurityPolicyCheck) && args(runVO,..)")
public void checkToolBySecurityPolicy(JoinPoint joinPoint, PipelineStart runVO) {
    if (isForcedByAdmin(runVO)) {
        return;
    }
    final PipelineConfiguration configuration = configurationManager.getPipelineConfiguration(runVO);
    final String tag = toolManager.getTagFromImageName(configuration.getDockerImage());
    final Tool tool = toolManager.loadByNameOrId(configuration.getDockerImage());
    final boolean allowed = clairToolScanManager.checkTool(tool, tag);
    if (!allowed) {
        throw new ToolExecutionDeniedException(messageHelper.getMessage(MessageConstants.ERROR_TOOL_SECURITY_POLICY_VIOLATION));
    }
}

/** True only when the request is forced and the current user is a non-null admin; the user is looked up only if forced. */
private boolean isForcedByAdmin(final PipelineStart runVO) {
    if (!runVO.isForce()) {
        return false;
    }
    final PipelineUser user = authManager.getCurrentUser();
    return user != null && user.isAdmin();
}
