use of com.epam.pipeline.entity.scan.ToolVersionScanResult in project cloud-pipeline by epam.
The class ToolVulnerabilityDao, method loadAllToolVersionScans.
/**
 * Loads every stored version scan of a tool and attaches the per-version vulnerability
 * and dependency lists to each one.
 *
 * @param toolId id of the tool whose version scans are loaded
 * @return scans keyed by image version; a version that has no entry in the
 *         vulnerability or dependency maps gets {@code null} for that field
 */
public Map<String, ToolVersionScanResult> loadAllToolVersionScans(long toolId) {
    // The tool id is bound as a named parameter, never concatenated into the query text.
    MapSqlParameterSource params = new MapSqlParameterSource();
    params.addValue(ToolVersionColumns.TOOL_ID.name(), toolId);
    List<ToolVersionScanResult> scans = getNamedParameterJdbcTemplate()
            .query(loadToolAllVersionScansQuery, params, ToolVersionColumns.getRowMapper());
    Map<String, List<Vulnerability>> vulnerabilitiesByVersion = loadVulnerabilities(toolId);
    Map<String, List<ToolDependency>> dependenciesByVersion = loadDependencies(toolId);
    Map<String, ToolVersionScanResult> scansByVersion = new HashMap<>();
    for (ToolVersionScanResult scan : scans) {
        String version = scan.getVersion();
        // Map.get yields null for versions without findings; callers must tolerate that.
        scan.setVulnerabilities(vulnerabilitiesByVersion.get(version));
        scan.setDependencies(dependenciesByVersion.get(version));
        scansByVersion.put(version, scan);
    }
    return scansByVersion;
}
use of com.epam.pipeline.entity.scan.ToolVersionScanResult in project cloud-pipeline by epam.
The class AggregatingToolScanManager, method doScan.
/**
 * Runs a fresh scan of one image tag: pushes the layers to Clair, fetches the Clair
 * result and (when configured) the Docker component result, and converts them into a
 * {@link ToolVersionScanResult}.
 *
 * @param tool     the tool whose image is scanned
 * @param tag      image tag (version) to scan
 * @param registry registry that hosts the image
 * @return the converted scan result, or a {@code NOT_SCANNED} placeholder when no
 *         Clair service is configured
 * @throws ToolScanExternalServiceException when an {@link IOException} occurs while
 *         talking to the external scanners or the registry
 */
private ToolVersionScanResult doScan(Tool tool, String tag, DockerRegistry registry) throws ToolScanExternalServiceException {
    if (clairService == null) {
        // Without a scanner we cannot produce findings; report the tag as not scanned
        // rather than silently reporting it clean.
        LOGGER.error("Clair service is not configured!");
        ToolVersionScanResult notScanned = new ToolVersionScanResult();
        notScanned.setToolId(tool.getId());
        notScanned.setVersion(tag);
        notScanned.setStatus(ToolScanStatus.NOT_SCANNED);
        return notScanned;
    }
    try {
        String clairRef = scanLayers(tool, tag, registry);
        // The registry digest is stored with the result so a later run can tell whether
        // the scanned content still matches what the registry serves for this tag.
        DockerClient dockerClient = getDockerClient(tool.getImage(), registry);
        String digest = dockerClient.getVersionAttributes(registry, tool.getImage(), tag).getDigest();
        ClairScanResult clairResult = getScanResult(tool, clairService.getScanResult(clairRef));
        DockerComponentScanResult componentResult = null;
        if (dockerComponentService != null) {
            componentResult = getScanResult(tool, dockerComponentService.getScanResult(clairRef));
        }
        return convertResults(clairResult, componentResult, tool, tag, digest);
    } catch (IOException e) {
        // Keep the cause so the failing external call stays diagnosable.
        throw new ToolScanExternalServiceException(tool, e);
    }
}
use of com.epam.pipeline.entity.scan.ToolVersionScanResult in project cloud-pipeline by epam.
The class AggregatingToolScanManager, method getActualScan.
/**
 * Returns the stored scan of a tag if it is still valid for the content the registry
 * currently serves, i.e. the stored digest equals the registry's digest for that tag.
 *
 * @param tool     the tool whose stored scan is looked up
 * @param tag      image tag (version) to check
 * @param registry registry that hosts the image
 * @return the stored scan with its scan date refreshed to now, or empty when there is
 *         no stored scan, it has no layer reference, or the digests differ
 */
private Optional<ToolVersionScanResult> getActualScan(Tool tool, String tag, DockerRegistry registry) {
    Optional<ToolVersionScanResult> storedScan = toolManager.loadToolVersionScan(tool.getId(), tag);
    if (!storedScan.isPresent() || storedScan.get().getLastLayerRef() == null) {
        return Optional.empty();
    }
    ToolVersionScanResult vs = storedScan.get();
    LOGGER.info(messageHelper.getMessage(MessageConstants.INFO_TOOL_SCAN_ALREADY_SCANNED, tool.getImage()));
    // Compare against the digest the registry reports now, not the tag name: a tag can
    // be re-pushed with different layers, which must invalidate the cached scan.
    String registryDigest = getDockerClient(tool.getImage(), registry)
            .getVersionAttributes(registry, tool.getImage(), tag).getDigest();
    String scannedDigest = vs.getDigest();
    if (scannedDigest == null || !registryDigest.equals(scannedDigest)) {
        LOGGER.info(messageHelper.getMessage(MessageConstants.INFO_TOOL_SCAN_NEW_LAYERS, tool.getImage(), tag, scannedDigest, registryDigest));
        return Optional.empty();
    }
    // Only the scan date is touched; findings and status stay as stored.
    vs.setScanDate(DateUtils.now());
    return Optional.of(vs);
}
use of com.epam.pipeline.entity.scan.ToolVersionScanResult in project cloud-pipeline by epam.
The class AggregatingToolScanManager, method checkTool.
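/**
 * Decides whether a tool version may be run under the Docker security policy.
 * <p>
 * Order of evaluation: a white-listed version or an active grace period allows the run;
 * otherwise, when {@code DOCKER_SECURITY_TOOL_POLICY_DENY_NOT_SCANNED} is on, a missing,
 * {@code NOT_SCANNED} or never-succeeded scan denies it; finally the critical, high and
 * medium vulnerability counts are checked against their configured maxima (a maximum equal
 * to {@code DISABLED} is not enforced). A version with no stored scan and the deny flag off
 * is allowed.
 *
 * @param tool the tool to check
 * @param tag  image tag (version) to check
 * @return {@code true} when the version may run, {@code false} when the policy denies it
 */
public boolean checkTool(Tool tool, String tag) {
    Optional<ToolVersionScanResult> versionScanOp = toolManager.loadToolVersionScan(tool.getId(), tag);
    int graceHours = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_GRACE_HOURS);
    boolean isGracePeriodOrWhiteList = versionScanOp.isPresent()
            && (gracePeriodIsActive(versionScanOp.get(), graceHours) || versionScanOp.get().isFromWhiteList());
    if (isGracePeriodOrWhiteList) {
        LOGGER.debug("Tool: " + tool.getId() + " version: " + tag + " is from White list or Grace period still active! Proceed with running!");
        return true;
    }
    boolean denyNotScanned = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_DENY_NOT_SCANNED);
    if (denyNotScanned && !hasSuccessfulScan(versionScanOp)) {
        return false;
    }
    if (versionScanOp.isPresent()) {
        Map<VulnerabilitySeverity, Integer> severityCounters = countBySeverity(versionScanOp.get());
        // Each preference is read only if the previous threshold passed, as before.
        int maxCriticalVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_CRITICAL_VULNERABILITIES);
        if (exceedsLimit(maxCriticalVulnerabilities, severityCounters.getOrDefault(VulnerabilitySeverity.Critical, 0))) {
            return false;
        }
        int maxHighVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_HIGH_VULNERABILITIES);
        if (exceedsLimit(maxHighVulnerabilities, severityCounters.getOrDefault(VulnerabilitySeverity.High, 0))) {
            return false;
        }
        int maxMediumVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_MEDIUM_VULNERABILITIES);
        if (exceedsLimit(maxMediumVulnerabilities, severityCounters.getOrDefault(VulnerabilitySeverity.Medium, 0))) {
            return false;
        }
    }
    return true;
}

/** Whether a stored scan exists, has a status other than {@code NOT_SCANNED} and has ever succeeded. */
private static boolean hasSuccessfulScan(Optional<ToolVersionScanResult> versionScanOp) {
    return versionScanOp.isPresent()
            && versionScanOp.get().getStatus() != ToolScanStatus.NOT_SCANNED
            && versionScanOp.get().getSuccessScanDate() != null;
}

/**
 * Counts the scan's vulnerabilities per severity. A {@code null} vulnerability list (which
 * the DAO produces for a version with no stored findings) counts as no vulnerabilities
 * instead of failing with a NullPointerException; the not-scanned case is handled by the
 * caller via the deny-not-scanned policy, so an absent list here means no findings.
 */
private static Map<VulnerabilitySeverity, Integer> countBySeverity(ToolVersionScanResult scan) {
    Map<VulnerabilitySeverity, Integer> counters = new HashMap<>();
    if (scan.getVulnerabilities() != null) {
        // Plain merge replaces the hand-rolled collector whose combiner dropped keys present
        // only in the second map; it is never triggered sequentially but is wrong in parallel.
        scan.getVulnerabilities().forEach(v -> counters.merge(v.getSeverity(), 1, Integer::sum));
    }
    return counters;
}

/** True when a limit is enforced (not {@code DISABLED}) and the observed count is above it. */
private static boolean exceedsLimit(int maxAllowed, int observed) {
    return maxAllowed != DISABLED && maxAllowed < observed;
}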
use of com.epam.pipeline.entity.scan.ToolVersionScanResult in project cloud-pipeline by epam.
The class ToolManagerTest, method testUpdateToolScanStatusWithFail.
/**
 * A failed scan recorded after a completed one must move the scan date but keep the
 * success date of the last completed scan, and must not create a second version entry.
 */
@Test
@Transactional(propagation = Propagation.REQUIRES_NEW, rollbackFor = Throwable.class)
public void testUpdateToolScanStatusWithFail() {
    Tool tool = generateTool(TEST_GROUP_ID1);
    tool.setToolGroupId(firstToolGroup.getId());
    toolManager.create(tool, true);

    // First update: a completed scan sets both scan date and success date.
    Date completedScanDate = new Date();
    toolManager.updateToolVersionScanStatus(tool.getId(), ToolScanStatus.COMPLETED, completedScanDate, LATEST_TAG, "layerref", "digest");
    ToolVersionScanResult versionScan = toolManager.loadToolVersionScan(tool.getId(), LATEST_TAG).get();
    Assert.assertEquals(ToolScanStatus.COMPLETED, versionScan.getStatus());
    Assert.assertEquals(completedScanDate, versionScan.getScanDate());
    Assert.assertEquals(completedScanDate, versionScan.getSuccessScanDate());

    // Second update: a failed scan updates the scan date only.
    Date failedScanDate = new Date();
    toolManager.updateToolVersionScanStatus(tool.getId(), ToolScanStatus.FAILED, failedScanDate, LATEST_TAG, "newlayerref", "newdigest");
    Assert.assertEquals(1, toolManager.loadToolScanResult(tool).getToolVersionScanResults().values().size());
    versionScan = toolManager.loadToolVersionScan(tool.getId(), LATEST_TAG).get();
    Assert.assertEquals(failedScanDate, versionScan.getScanDate());
    Assert.assertEquals(completedScanDate, versionScan.getSuccessScanDate());
}