
Example 1 with ToolScanExternalServiceException

use of com.epam.pipeline.exception.ToolScanExternalServiceException in project cloud-pipeline by epam.

Class AggregatingToolScanManager, method doScan.

/**
 * Runs a vulnerability/component scan for one tool version.
 *
 * @param tool     the tool whose image is scanned
 * @param tag      the image tag (version) to scan
 * @param registry the registry that hosts the image
 * @return the aggregated scan result; a {@code NOT_SCANNED} result when no Clair service is wired in
 * @throws ToolScanExternalServiceException when the scanners or the registry cannot be reached
 */
private ToolVersionScanResult doScan(Tool tool, String tag, DockerRegistry registry) throws ToolScanExternalServiceException {
    // Without a Clair endpoint there is nothing to call: report the version as NOT_SCANNED
    // instead of failing, so callers can tell "scanner not configured" from "scan failed".
    if (clairService == null) {
        LOGGER.error("Clair service is not configured!");
        final ToolVersionScanResult notScanned = new ToolVersionScanResult();
        notScanned.setStatus(ToolScanStatus.NOT_SCANNED);
        notScanned.setVersion(tag);
        notScanned.setToolId(tool.getId());
        return notScanned;
    }
    try {
        // Every layer is pushed to the scanners first; the returned reference names the last layer.
        final String lastLayerRef = scanLayers(tool, tag, registry);
        final String imageDigest = getDockerClient(tool.getImage(), registry)
                .getVersionAttributes(registry, tool.getImage(), tag)
                .getDigest();
        final ClairScanResult vulnerabilities = getScanResult(tool, clairService.getScanResult(lastLayerRef));
        // The component scanner is optional; skip it when it is not configured.
        final DockerComponentScanResult components = dockerComponentService != null
                ? getScanResult(tool, dockerComponentService.getScanResult(lastLayerRef))
                : null;
        return convertResults(vulnerabilities, components, tool, tag, imageDigest);
    } catch (IOException e) {
        // Wrap with the cause kept, so the transport failure stays visible in the stack trace.
        throw new ToolScanExternalServiceException(tool, e);
    }
}

Example 2 with ToolScanExternalServiceException

use of com.epam.pipeline.exception.ToolScanExternalServiceException in project cloud-pipeline by epam.

Class AggregatingToolScanManager, method scanLayers.

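/**
 * Submits every layer of {@code image:tag} to Clair (and, when configured, to the component scanner),
 * chaining each layer onto the previous one.
 *
 * @param tool     the tool whose image is scanned
 * @param tag      the image tag (version) to scan
 * @param registry the registry that hosts the image; its credentials or a pipeline-issued token are
 *                 handed to the scanners so they can pull the layers
 * @return the name of the last layer as reported by Clair, or {@code null} for an image with no layers
 * @throws IOException                      on transport failure talking to a scanner
 * @throws ToolScanExternalServiceException when the manifest cannot be read, a scanner rejects a layer,
 *                                          or Clair returns a success status with no usable body
 */
private String scanLayers(Tool tool, String tag, DockerRegistry registry) throws IOException, ToolScanExternalServiceException {
    final List<String> layers = fetchLayers(tool, tag, registry);
    final String image = tool.getImage();
    final String registryPath = registry.getPath();
    // The layer reference depends only on image and tag, so it is the same for every layer.
    final String layerRef = getLayerName(image, tag);
    final boolean componentScanEnabled = dockerComponentService != null;
    final int layerCount = layers.size();
    String lastLayer = null;
    for (int i = 0; i < layerCount; i++) {
        final String layerDigest = layers.get(i);
        final ClairScanRequest clairRequest;
        final DockerComponentScanRequest componentRequest;
        if (registry.isPipelineAuth()) {
            // One short-lived token per layer, shared by both scanner requests.
            final String imageToken = dockerRegistryManager.getImageToken(registry, image);
            clairRequest = new ClairScanRequest(layerRef, layerDigest, registryPath, image, lastLayer, imageToken);
            componentRequest = new DockerComponentScanRequest(layerRef, layerDigest, registryPath, image, lastLayer, imageToken);
        } else {
            // Static registry credentials are forwarded to the scanners; they never appear in logs below.
            final String user = registry.getUserName();
            final String password = registry.getPassword();
            clairRequest = new ClairScanRequest(layerRef, layerDigest, registryPath, image, lastLayer, user, password);
            componentRequest = new DockerComponentScanRequest(layerRef, layerDigest, registryPath, image, lastLayer, user, password);
        }
        final Response<ClairScanRequest> clairResp = clairService.scanLayer(clairRequest).execute();
        final Response<DockerComponentLayerScanResult> componentResp = componentScanEnabled
                ? dockerComponentService.scanLayer(componentRequest).execute()
                : null;
        if (!clairResp.isSuccessful()) {
            throw new ToolScanExternalServiceException(tool, describeLayerFailure(ClairService.class, clairResp, i, layerCount));
        }
        if (componentResp != null && !componentResp.isSuccessful()) {
            throw new ToolScanExternalServiceException(tool, describeLayerFailure(DockerComponentScanService.class, componentResp, i, layerCount));
        }
        // A 2xx with an empty body (e.g. 204) would otherwise surface as a NullPointerException here.
        final ClairScanRequest clairFulfilled = clairResp.body();
        if (clairFulfilled == null || clairFulfilled.getLayer() == null) {
            throw new ToolScanExternalServiceException(tool, String.format("Service: %s : Empty response on %d of %d layers, response code: %d", ClairService.class, i + 1, layerCount, clairResp.code()));
        }
        lastLayer = clairFulfilled.getLayer().getName();
        LOGGER.debug("Scanning {}:{}, done {} of {} layers", image, tag, i + 1, layerCount);
    }
    return lastLayer;
}

/**
 * Builds the failure message for a rejected layer. The scanner's raw error body is included verbatim,
 * so it ends up in the exception message and in whatever logs that exception reaches.
 *
 * @param service    the scanner that rejected the layer
 * @param resp       the unsuccessful response
 * @param index      zero-based index of the failed layer
 * @param layerCount total number of layers in the image
 * @return the formatted message
 * @throws IOException if the error body cannot be read
 */
private static String describeLayerFailure(Class<?> service, Response<?> resp, int index, int layerCount) throws IOException {
    final String errorBody = resp.errorBody() != null ? resp.errorBody().string() : null;
    return String.format("Service: %s : Failed on %d of %d layers: %s:%s response code: %d", service, index + 1, layerCount, resp.message(), errorBody, resp.code());
}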

Example 3 with ToolScanExternalServiceException

use of com.epam.pipeline.exception.ToolScanExternalServiceException in project cloud-pipeline by epam.

Class AggregatingToolScanManager, method fetchLayers.

/**
 * Reads the image manifest from the registry and returns the digests of its layers, in manifest order.
 *
 * @param tool     the tool whose image manifest is read
 * @param tag      the image tag (version)
 * @param registry the registry that hosts the image
 * @return the layer digests; empty when the manifest lists no layers
 * @throws ToolScanExternalServiceException when the registry does not return a manifest
 */
private List<String> fetchLayers(Tool tool, String tag, DockerRegistry registry) throws ToolScanExternalServiceException {
    final String image = tool.getImage();
    final Optional<ManifestV2> manifest = getDockerClient(image, registry).getManifest(registry, image, tag);
    if (!manifest.isPresent()) {
        throw new ToolScanExternalServiceException(tool,
                messageHelper.getMessage(MessageConstants.ERROR_REGISTRY_COULD_NOT_GET_MANIFEST, image));
    }
    return manifest.get().getLayers().stream()
            .map(layer -> layer.getDigest())
            .collect(Collectors.toList());
}

Example 4 with ToolScanExternalServiceException

use of com.epam.pipeline.exception.ToolScanExternalServiceException in project cloud-pipeline by epam.

Class ToolScanScheduler, method scheduledToolScan.

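/**
 * A scheduled scan that walks every registry, every tool and every tool version, sends each version to
 * the Tool Scanning System and stores the results in the database.
 * <p>
 * Failures are isolated per tool: a tool whose registry client or tag list cannot be obtained, or whose
 * scan throws something other than {@link ToolScanExternalServiceException}, is logged and marked
 * {@code FAILED} for the "latest" version, and the scan continues with the next tool. Previously a failure
 * to build the registry client aborted the whole scheduled run.
 */
public void scheduledToolScan() {
    if (!preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_SCAN_ENABLED)) {
        LOGGER.info(messageHelper.getMessage(MessageConstants.ERROR_TOOL_SCAN_DISABLED));
        return;
    }
    LOGGER.info(messageHelper.getMessage(MessageConstants.INFO_TOOL_SCAN_SCHEDULED_STARTED));
    // Either every registry or only those with security scanning switched on, per system preference.
    final boolean scanAllRegistries = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_SCAN_ALL_REGISTRIES);
    final List<DockerRegistry> registries = scanAllRegistries
            ? dockerRegistryDao.loadAllDockerRegistry()
            : dockerRegistryDao.loadDockerRegistriesWithSecurityScanEnabled();
    for (DockerRegistry registry : registries) {
        LOGGER.info(messageHelper.getMessage(MessageConstants.INFO_TOOL_SCAN_REGISTRY_STARTED, registry.getPath()));
        for (Tool tool : registry.getTools()) {
            scanAllVersionsOfTool(registry, tool);
        }
    }
    LOGGER.info(messageHelper.getMessage(MessageConstants.INFO_TOOL_SCAN_SCHEDULED_DONE));
}

/**
 * Scans every tag of one tool. Any exception raised while obtaining the registry client, listing the
 * tags, or scanning a version (other than a scanner-reported {@link ToolScanExternalServiceException},
 * which is handled per version) is logged and recorded as a {@code FAILED} status on "latest".
 *
 * @param registry the registry hosting the tool
 * @param tool     the tool to scan
 */
private void scanAllVersionsOfTool(DockerRegistry registry, Tool tool) {
    try {
        // Inside the try so a bad registry/credentials only fails this tool, not the whole scheduled run.
        final DockerClient dockerClient = getDockerClient(registry, tool);
        final List<String> versions = toolManager.loadTags(tool.getId());
        for (String version : versions) {
            scanSingleVersion(registry, tool, version, dockerClient);
        }
    } catch (Exception e) {
        LOGGER.error(messageHelper.getMessage(MessageConstants.ERROR_TOOL_SCAN_FAILED, tool.getImage()), e);
        // NOTE(review): the failure is recorded against the hard-coded "latest" tag, as in the original code.
        toolManager.updateToolVersionScanStatus(tool.getId(), ToolScanStatus.FAILED, new Date(), "latest", null, null);
    }
}

/**
 * Scans one version of a tool and persists vulnerabilities, dependencies and the scan status.
 * A scanner failure is logged and stored as {@code FAILED} for that version only.
 *
 * @param registry     the registry hosting the tool
 * @param tool         the tool to scan
 * @param version      the tag to scan
 * @param dockerClient the registry client used to refresh the tool version metadata
 */
private void scanSingleVersion(DockerRegistry registry, Tool tool, String version, DockerClient dockerClient) {
    try {
        final ToolVersionScanResult result = toolScanManager.scanTool(tool, version, false);
        toolManager.updateToolVulnerabilities(result.getVulnerabilities(), tool.getId(), version);
        toolManager.updateToolDependencies(result.getDependencies(), tool.getId(), version);
        toolManager.updateToolVersionScanStatus(tool.getId(), ToolScanStatus.COMPLETED, new Date(), version, result.getLastLayerRef(), result.getDigest());
        updateToolVersion(tool, version, registry, dockerClient);
    } catch (ToolScanExternalServiceException e) {
        LOGGER.error(messageHelper.getMessage(MessageConstants.ERROR_TOOL_SCAN_FAILED, tool.getImage(), version), e);
        toolManager.updateToolVersionScanStatus(tool.getId(), ToolScanStatus.FAILED, new Date(), version, null, null);
    }
}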
