Example 1 with VulnerabilitySeverity
use of com.epam.pipeline.entity.scan.VulnerabilitySeverity in project cloud-pipeline by epam.
the class AggregatingToolScanManager method checkTool.
public boolean checkTool(Tool tool, String tag) {
Optional<ToolVersionScanResult> versionScanOp = toolManager.loadToolVersionScan(tool.getId(), tag);
int graceHours = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_GRACE_HOURS);
boolean isGracePeriodOrWhiteList = versionScanOp.isPresent() && (gracePeriodIsActive(versionScanOp.get(), graceHours) || versionScanOp.get().isFromWhiteList());
if (isGracePeriodOrWhiteList) {
LOGGER.debug("Tool: " + tool.getId() + " version: " + tag + " is from White list or Grace period still active! Proceed with running!");
return true;
}
boolean denyNotScanned = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_DENY_NOT_SCANNED);
if (denyNotScanned && (!versionScanOp.isPresent() || versionScanOp.get().getStatus() == ToolScanStatus.NOT_SCANNED || versionScanOp.get().getSuccessScanDate() == null)) {
return false;
}
if (versionScanOp.isPresent()) {
ToolVersionScanResult toolVersionScanResult = versionScanOp.get();
Map<VulnerabilitySeverity, Integer> severityCounters = toolVersionScanResult.getVulnerabilities().stream().collect(HashMap::new, (map, v) -> {
if (map.containsKey(v.getSeverity())) {
map.put(v.getSeverity(), map.get(v.getSeverity()) + 1);
} else {
map.put(v.getSeverity(), 1);
}
}, (map1, map2) -> map1.keySet().forEach(k -> map1.merge(k, map2.get(k), (a, b) -> a + b)));
int maxCriticalVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_CRITICAL_VULNERABILITIES);
if (maxCriticalVulnerabilities != DISABLED && maxCriticalVulnerabilities < severityCounters.getOrDefault(VulnerabilitySeverity.Critical, 0)) {
return false;
}
int maxHighVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_HIGH_VULNERABILITIES);
if (maxHighVulnerabilities != DISABLED && maxHighVulnerabilities < severityCounters.getOrDefault(VulnerabilitySeverity.High, 0)) {
return false;
}
int maxMediumVulnerabilities = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_MEDIUM_VULNERABILITIES);
if (maxMediumVulnerabilities != DISABLED && maxMediumVulnerabilities < severityCounters.getOrDefault(VulnerabilitySeverity.Medium, 0)) {
return false;
}
}
return true;
}
Also used :
DockerComponentScanResult(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanResult)
Arrays(java.util.Arrays)
LoggerFactory(org.slf4j.LoggerFactory)
SystemPreferences(com.epam.pipeline.manager.preference.SystemPreferences)
Autowired(org.springframework.beans.factory.annotation.Autowired)
ManifestV2(com.epam.pipeline.entity.docker.ManifestV2)
Vulnerability(com.epam.pipeline.entity.scan.Vulnerability)
URLUtils(com.epam.pipeline.utils.URLUtils)
StringUtils(org.apache.commons.lang3.StringUtils)
DeserializationFeature(com.fasterxml.jackson.databind.DeserializationFeature)
ToolDependency(com.epam.pipeline.entity.scan.ToolDependency)
MessageHelper(com.epam.pipeline.common.MessageHelper)
ListUtils(org.apache.commons.collections4.ListUtils)
Map(java.util.Map)
VulnerabilitySeverity(com.epam.pipeline.entity.scan.VulnerabilitySeverity)
DateUtils(com.epam.pipeline.entity.utils.DateUtils)
ClairService(com.epam.pipeline.manager.docker.scan.clair.ClairService)
UUID(java.util.UUID)
Instant(java.time.Instant)
Collectors(java.util.stream.Collectors)
Retrofit(retrofit2.Retrofit)
Tool(com.epam.pipeline.entity.pipeline.Tool)
List(java.util.List)
ClairScanResult(com.epam.pipeline.manager.docker.scan.clair.ClairScanResult)
Stream(java.util.stream.Stream)
JacksonConverterFactory(retrofit2.converter.jackson.JacksonConverterFactory)
PostConstruct(javax.annotation.PostConstruct)
Optional(java.util.Optional)
StringPreference(com.epam.pipeline.manager.preference.AbstractSystemPreference.StringPreference)
DockerClientFactory(com.epam.pipeline.manager.docker.DockerClientFactory)
Call(retrofit2.Call)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
ToolScanPolicy(com.epam.pipeline.entity.scan.ToolScanPolicy)
MessageConstants(com.epam.pipeline.common.MessageConstants)
ToolManager(com.epam.pipeline.manager.pipeline.ToolManager)
ToolScanExternalServiceException(com.epam.pipeline.exception.ToolScanExternalServiceException)
HashMap(java.util.HashMap)
Response(retrofit2.Response)
ClairScanRequest(com.epam.pipeline.manager.docker.scan.clair.ClairScanRequest)
DockerRegistryManager(com.epam.pipeline.manager.docker.DockerRegistryManager)
MapperFeature(com.fasterxml.jackson.databind.MapperFeature)
Service(org.springframework.stereotype.Service)
DockerComponentScanService(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanService)
ToolScanStatus(com.epam.pipeline.entity.pipeline.ToolScanStatus)
DockerComponentLayerScanResult(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentLayerScanResult)
AbstractSystemPreference(com.epam.pipeline.manager.preference.AbstractSystemPreference)
PreferenceManager(com.epam.pipeline.manager.preference.PreferenceManager)
Logger(org.slf4j.Logger)
DockerComponentScanRequest(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanRequest)
ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper)
IOException(java.io.IOException)
TimeUnit(java.util.concurrent.TimeUnit)
DockerRegistry(com.epam.pipeline.entity.pipeline.DockerRegistry)
URLEncoder(java.net.URLEncoder)
OkHttpClient(okhttp3.OkHttpClient)
ToolVersionScanResult(com.epam.pipeline.entity.scan.ToolVersionScanResult)
DockerClient(com.epam.pipeline.manager.docker.DockerClient)
ToolVersionScanResult(com.epam.pipeline.entity.scan.ToolVersionScanResult)
HashMap(java.util.HashMap)
VulnerabilitySeverity(com.epam.pipeline.entity.scan.VulnerabilitySeverity)
Aggregations
MessageConstants (com.epam.pipeline.common.MessageConstants)1
MessageHelper (com.epam.pipeline.common.MessageHelper)1
ManifestV2 (com.epam.pipeline.entity.docker.ManifestV2)1
DockerRegistry (com.epam.pipeline.entity.pipeline.DockerRegistry)1
Tool (com.epam.pipeline.entity.pipeline.Tool)1
ToolScanStatus (com.epam.pipeline.entity.pipeline.ToolScanStatus)1
ToolDependency (com.epam.pipeline.entity.scan.ToolDependency)1
ToolScanPolicy (com.epam.pipeline.entity.scan.ToolScanPolicy)1
ToolVersionScanResult (com.epam.pipeline.entity.scan.ToolVersionScanResult)1
Vulnerability (com.epam.pipeline.entity.scan.Vulnerability)1
VulnerabilitySeverity (com.epam.pipeline.entity.scan.VulnerabilitySeverity)1
DateUtils (com.epam.pipeline.entity.utils.DateUtils)1
ToolScanExternalServiceException (com.epam.pipeline.exception.ToolScanExternalServiceException)1
DockerClient (com.epam.pipeline.manager.docker.DockerClient)1
DockerClientFactory (com.epam.pipeline.manager.docker.DockerClientFactory)1
DockerRegistryManager (com.epam.pipeline.manager.docker.DockerRegistryManager)1
ClairScanRequest (com.epam.pipeline.manager.docker.scan.clair.ClairScanRequest)1
ClairScanResult (com.epam.pipeline.manager.docker.scan.clair.ClairScanResult)1
ClairService (com.epam.pipeline.manager.docker.scan.clair.ClairService)1
DockerComponentLayerScanResult (com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentLayerScanResult)1
