Search in sources :

Example 1 with ClairScanResult

use of com.epam.pipeline.manager.docker.scan.clair.ClairScanResult in project cloud-pipeline by epam.

the class AggregatingToolScanManagerTest method setUp.

@Before
public void setUp() throws Exception {
    MockitoAnnotations.initMocks(this);
    Whitebox.setInternalState(aggregatingToolScanManager, "preferenceManager", preferenceManager);
    when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_DENY_NOT_SCANNED)).thenReturn(DENY_NOT_SCANNED);
    when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_CRITICAL_VULNERABILITIES)).thenReturn(MAX_CRITICAL_VULNERABILITIES);
    when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_HIGH_VULNERABILITIES)).thenReturn(MAX_HIGH_VULNERABILITIES);
    when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_MEDIUM_VULNERABILITIES)).thenReturn(MAX_MEDIUM_VULNERABILITIES);
    when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_GRACE_HOURS)).thenReturn(0);
    // Dummy line, to shut up PMD
    Assert.assertNotNull(pipelineConfigurationManager);
    testUser.setAdmin(false);
    DockerRegistry testRegistry = new DockerRegistry();
    testTool = new Tool();
    testTool.setId(1L);
    testTool.setImage(TEST_IMAGE);
    ManifestV2 testManifest = new ManifestV2();
    testManifest.setLayers(Arrays.asList(new ManifestV2.Config(DIGEST_1, null), new ManifestV2.Config(DIGEST_2, null), new ManifestV2.Config(DIGEST_3, null)));
    toolScanResult.setLastLayerRef(DIGEST_1);
    toolScanResult.setScanDate(DateUtils.now());
    toolScanResult.setVulnerabilities(Collections.emptyList());
    ToolVersion attributes = new ToolVersion();
    attributes.setVersion(LATEST_VERSION);
    attributes.setDigest(DIGEST_3);
    ToolVersion actualAttr = new ToolVersion();
    actualAttr.setVersion(ACTUAL_SCANNED_VERSION);
    actualAttr.setDigest(DIGEST_3);
    actual.setLastLayerRef(aggregatingToolScanManager.getLayerName(TEST_IMAGE, ACTUAL_SCANNED_VERSION));
    actual.setScanDate(DateUtils.now());
    actual.setSuccessScanDate(DateUtils.now());
    actual.setDigest(DIGEST_3);
    ClairScanResult testScanResult = new ClairScanResult();
    feature = new ClairScanResult.ClairFeature();
    feature.setName("test");
    feature.setVersion("test1");
    clairVulnerability = new ClairScanResult.ClairVulnerability();
    clairVulnerability.setSeverity(VulnerabilitySeverity.Critical);
    clairVulnerability.setName(TEST_VULNERABILITY_NAME);
    clairVulnerability.setDescription(TEST_VULNERABILITY_DESCRIPTION);
    feature.setVulnerabilities(Collections.singletonList(clairVulnerability));
    testScanResult.setFeatures(Collections.singletonList(feature));
    DockerComponentScanResult dockerComponentScanResult = new DockerComponentScanResult();
    DockerComponentLayerScanResult layerScanResult = new DockerComponentLayerScanResult();
    testDependency = new ToolDependency(1, "latest", "test", "1.0", ToolDependency.Ecosystem.R_PKG, "R Package");
    layerScanResult.setDependencies(Collections.singletonList(testDependency));
    dockerComponentScanResult.setLayers(Collections.singletonList(layerScanResult));
    when(dataStorageApiService.getDataStorages()).thenReturn(Collections.emptyList());
    when(versionManager.getValidDockerImage(TEST_IMAGE)).thenReturn(TEST_IMAGE);
    when(authManager.getCurrentUser()).thenReturn(testUser);
    when(dockerRegistryManager.load(testTool.getRegistryId())).thenReturn(testRegistry);
    when(dockerClientFactory.getDockerClient(eq(testRegistry), anyString())).thenReturn(mockDockerClient);
    when(mockDockerClient.getManifest(any(), Mockito.anyString(), Mockito.anyString())).thenReturn(Optional.of(testManifest));
    when(mockDockerClient.getVersionAttributes(any(), eq(TEST_IMAGE), eq(LATEST_VERSION))).thenReturn(attributes);
    when(mockDockerClient.getVersionAttributes(any(), eq(TEST_IMAGE), eq(ACTUAL_SCANNED_VERSION))).thenReturn(actualAttr);
    when(clairService.scanLayer(any(ClairScanRequest.class))).then((Answer<MockCall<ClairScanRequest>>) invocation -> new MockCall<>((ClairScanRequest) invocation.getArguments()[0]));
    when(clairService.getScanResult(Mockito.anyString())).thenReturn(new MockCall<>(testScanResult));
    when(compScanService.scanLayer(any(DockerComponentScanRequest.class))).then((Answer<MockCall<DockerComponentScanRequest>>) invocation -> new MockCall<>((DockerComponentScanRequest) invocation.getArguments()[0]));
    when(compScanService.getScanResult(Mockito.anyString())).thenReturn(new MockCall<>(dockerComponentScanResult));
    when(messageHelper.getMessage(Mockito.anyString(), Mockito.any())).thenReturn("testMessage");
    when(messageHelper.getMessage(any(), any())).thenReturn("testMessage");
    when(toolManager.loadByNameOrId(TEST_IMAGE)).thenReturn(testTool);
    when(toolManager.loadToolVersionScan(testTool.getId(), LATEST_VERSION)).thenReturn(Optional.of(toolScanResult));
    when(toolManager.loadToolVersionScan(testTool.getId(), ACTUAL_SCANNED_VERSION)).thenReturn(Optional.of(actual));
    ToolVersion actual = new ToolVersion();
    actual.setDigest(DIGEST_3);
    when(toolVersionManager.loadToolVersion(testTool.getId(), ACTUAL_SCANNED_VERSION)).thenReturn(actual);
    ToolVersion old = new ToolVersion();
    old.setDigest(DIGEST_2);
    when(toolVersionManager.loadToolVersion(testTool.getId(), LATEST_VERSION)).thenReturn(old);
    when(toolManager.getTagFromImageName(Mockito.anyString())).thenReturn(LATEST_VERSION);
}
Also used : DockerComponentScanResult(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanResult) SystemPreferences(com.epam.pipeline.manager.preference.SystemPreferences) ManifestV2(com.epam.pipeline.entity.docker.ManifestV2) MockitoAnnotations(org.mockito.MockitoAnnotations) DataStorageApiService(com.epam.pipeline.manager.datastorage.DataStorageApiService) MessageHelper(com.epam.pipeline.common.MessageHelper) Matchers.eq(org.mockito.Matchers.eq) Spy(org.mockito.Spy) TestUtils(com.epam.pipeline.util.TestUtils) PipelineUser(com.epam.pipeline.entity.user.PipelineUser) com.epam.pipeline.entity.scan(com.epam.pipeline.entity.scan) PipelineConfigurationManager(com.epam.pipeline.manager.pipeline.PipelineConfigurationManager) DateUtils(com.epam.pipeline.entity.utils.DateUtils) Request(okhttp3.Request) ClairService(com.epam.pipeline.manager.docker.scan.clair.ClairService) Matchers.any(org.mockito.Matchers.any) Tool(com.epam.pipeline.entity.pipeline.Tool) PreferenceDao(com.epam.pipeline.dao.preference.PreferenceDao) ClairScanResult(com.epam.pipeline.manager.docker.scan.clair.ClairScanResult) Whitebox(org.mockito.internal.util.reflection.Whitebox) DockerClientFactory(com.epam.pipeline.manager.docker.DockerClientFactory) ToolVersionManager(com.epam.pipeline.manager.docker.ToolVersionManager) Call(retrofit2.Call) java.util(java.util) Mock(org.mockito.Mock) ToolManager(com.epam.pipeline.manager.pipeline.ToolManager) ToolScanExternalServiceException(com.epam.pipeline.exception.ToolScanExternalServiceException) Response(retrofit2.Response) ClairScanRequest(com.epam.pipeline.manager.docker.scan.clair.ClairScanRequest) PipelineVersionManager(com.epam.pipeline.manager.pipeline.PipelineVersionManager) Matchers.anyString(org.mockito.Matchers.anyString) DockerRegistryManager(com.epam.pipeline.manager.docker.DockerRegistryManager) Answer(org.mockito.stubbing.Answer) DockerComponentScanService(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanService) ToolVersion(com.epam.pipeline.entity.docker.ToolVersion) Before(org.junit.Before) InjectMocks(org.mockito.InjectMocks) DockerComponentLayerScanResult(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentLayerScanResult) PreferenceManager(com.epam.pipeline.manager.preference.PreferenceManager) DockerComponentScanRequest(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanRequest) Test(org.junit.Test) Mockito.when(org.mockito.Mockito.when) DockerRegistry(com.epam.pipeline.entity.pipeline.DockerRegistry) Mockito(org.mockito.Mockito) Callback(retrofit2.Callback) Preference(com.epam.pipeline.entity.preference.Preference) AuthManager(com.epam.pipeline.manager.security.AuthManager) Assert(org.junit.Assert) DockerClient(com.epam.pipeline.manager.docker.DockerClient) ManifestV2(com.epam.pipeline.entity.docker.ManifestV2) DockerComponentLayerScanResult(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentLayerScanResult) ClairScanResult(com.epam.pipeline.manager.docker.scan.clair.ClairScanResult) DockerRegistry(com.epam.pipeline.entity.pipeline.DockerRegistry) DockerComponentScanRequest(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanRequest) ClairScanRequest(com.epam.pipeline.manager.docker.scan.clair.ClairScanRequest) ToolVersion(com.epam.pipeline.entity.docker.ToolVersion) DockerComponentScanResult(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanResult) Tool(com.epam.pipeline.entity.pipeline.Tool) Before(org.junit.Before)

Example 2 with ClairScanResult

use of com.epam.pipeline.manager.docker.scan.clair.ClairScanResult in project cloud-pipeline by epam.

the class AggregatingToolScanManager method doScan.

private ToolVersionScanResult doScan(Tool tool, String tag, DockerRegistry registry) throws ToolScanExternalServiceException {
    if (clairService == null) {
        LOGGER.error("Clair service is not configured!");
        ToolVersionScanResult result = new ToolVersionScanResult();
        result.setToolId(tool.getId());
        result.setVersion(tag);
        result.setStatus(ToolScanStatus.NOT_SCANNED);
        return result;
    }
    try {
        String clairRef = scanLayers(tool, tag, registry);
        String digest = getDockerClient(tool.getImage(), registry).getVersionAttributes(registry, tool.getImage(), tag).getDigest();
        ClairScanResult clairResult = getScanResult(tool, clairService.getScanResult(clairRef));
        DockerComponentScanResult dockerScanResult = dockerComponentService == null ? null : getScanResult(tool, dockerComponentService.getScanResult(clairRef));
        return convertResults(clairResult, dockerScanResult, tool, tag, digest);
    } catch (IOException e) {
        throw new ToolScanExternalServiceException(tool, e);
    }
}
Also used : ToolVersionScanResult(com.epam.pipeline.entity.scan.ToolVersionScanResult) ClairScanResult(com.epam.pipeline.manager.docker.scan.clair.ClairScanResult) DockerComponentScanResult(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanResult) IOException(java.io.IOException) ToolScanExternalServiceException(com.epam.pipeline.exception.ToolScanExternalServiceException)

Example 3 with ClairScanResult

use of com.epam.pipeline.manager.docker.scan.clair.ClairScanResult in project cloud-pipeline by epam.

the class AggregatingToolScanManager method convertResults.

private ToolVersionScanResult convertResults(ClairScanResult clairScanResult, DockerComponentScanResult compScanResult, Tool tool, String tag, String digest) {
    List<Vulnerability> vulnerabilities = Optional.ofNullable(clairScanResult).map(result -> ListUtils.emptyIfNull(result.getFeatures()).stream()).orElse(Stream.empty()).flatMap(f -> f.getVulnerabilities() != null ? f.getVulnerabilities().stream().map(v -> {
        Vulnerability vulnerability = new Vulnerability();
        vulnerability.setName(v.getName());
        vulnerability.setDescription(v.getDescription());
        vulnerability.setFixedBy(v.getFixedBy());
        vulnerability.setLink(v.getLink());
        vulnerability.setSeverity(v.getSeverity());
        vulnerability.setFeature(f.getName());
        vulnerability.setFeatureVersion(f.getVersion());
        return vulnerability;
    }) : Stream.empty()).collect(Collectors.toList());
    LOGGER.debug("Found: " + vulnerabilities.size() + " vulnerabilities for " + tool.getImage() + ":" + tag);
    // Concat dependencies from Clair and DockerCompScan
    List<ToolDependency> dependencies = Stream.concat(Optional.ofNullable(compScanResult).map(result -> ListUtils.emptyIfNull(result.getLayers()).stream()).orElse(Stream.empty()).flatMap(l -> l.getDependencies().stream().peek(dependency -> {
        dependency.setToolVersion(tag);
        dependency.setToolId(tool.getId());
    })), Optional.ofNullable(clairScanResult).map(result -> ListUtils.emptyIfNull(result.getFeatures()).stream()).orElse(Stream.empty()).map(f -> new ToolDependency(tool.getId(), tag, f.getName(), f.getVersion(), ToolDependency.Ecosystem.SYSTEM, null))).collect(Collectors.toList());
    LOGGER.debug("Found: " + dependencies.size() + " dependencies for " + tool.getImage() + ":" + tag);
    return new ToolVersionScanResult(tag, vulnerabilities, dependencies, ToolScanStatus.COMPLETED, clairScanResult.getName(), digest);
}
Also used : DockerComponentScanResult(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanResult) Arrays(java.util.Arrays) LoggerFactory(org.slf4j.LoggerFactory) SystemPreferences(com.epam.pipeline.manager.preference.SystemPreferences) Autowired(org.springframework.beans.factory.annotation.Autowired) ManifestV2(com.epam.pipeline.entity.docker.ManifestV2) Vulnerability(com.epam.pipeline.entity.scan.Vulnerability) URLUtils(com.epam.pipeline.utils.URLUtils) StringUtils(org.apache.commons.lang3.StringUtils) DeserializationFeature(com.fasterxml.jackson.databind.DeserializationFeature) ToolDependency(com.epam.pipeline.entity.scan.ToolDependency) MessageHelper(com.epam.pipeline.common.MessageHelper) ListUtils(org.apache.commons.collections4.ListUtils) Map(java.util.Map) VulnerabilitySeverity(com.epam.pipeline.entity.scan.VulnerabilitySeverity) DateUtils(com.epam.pipeline.entity.utils.DateUtils) ClairService(com.epam.pipeline.manager.docker.scan.clair.ClairService) UUID(java.util.UUID) Instant(java.time.Instant) Collectors(java.util.stream.Collectors) Retrofit(retrofit2.Retrofit) Tool(com.epam.pipeline.entity.pipeline.Tool) List(java.util.List) ClairScanResult(com.epam.pipeline.manager.docker.scan.clair.ClairScanResult) Stream(java.util.stream.Stream) JacksonConverterFactory(retrofit2.converter.jackson.JacksonConverterFactory) PostConstruct(javax.annotation.PostConstruct) Optional(java.util.Optional) StringPreference(com.epam.pipeline.manager.preference.AbstractSystemPreference.StringPreference) DockerClientFactory(com.epam.pipeline.manager.docker.DockerClientFactory) Call(retrofit2.Call) UnsupportedEncodingException(java.io.UnsupportedEncodingException) ToolScanPolicy(com.epam.pipeline.entity.scan.ToolScanPolicy) MessageConstants(com.epam.pipeline.common.MessageConstants) ToolManager(com.epam.pipeline.manager.pipeline.ToolManager) ToolScanExternalServiceException(com.epam.pipeline.exception.ToolScanExternalServiceException) HashMap(java.util.HashMap) Response(retrofit2.Response) ClairScanRequest(com.epam.pipeline.manager.docker.scan.clair.ClairScanRequest) DockerRegistryManager(com.epam.pipeline.manager.docker.DockerRegistryManager) MapperFeature(com.fasterxml.jackson.databind.MapperFeature) Service(org.springframework.stereotype.Service) DockerComponentScanService(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanService) ToolScanStatus(com.epam.pipeline.entity.pipeline.ToolScanStatus) DockerComponentLayerScanResult(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentLayerScanResult) AbstractSystemPreference(com.epam.pipeline.manager.preference.AbstractSystemPreference) PreferenceManager(com.epam.pipeline.manager.preference.PreferenceManager) Logger(org.slf4j.Logger) DockerComponentScanRequest(com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanRequest) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) IOException(java.io.IOException) TimeUnit(java.util.concurrent.TimeUnit) DockerRegistry(com.epam.pipeline.entity.pipeline.DockerRegistry) URLEncoder(java.net.URLEncoder) OkHttpClient(okhttp3.OkHttpClient) ToolVersionScanResult(com.epam.pipeline.entity.scan.ToolVersionScanResult) DockerClient(com.epam.pipeline.manager.docker.DockerClient) ToolVersionScanResult(com.epam.pipeline.entity.scan.ToolVersionScanResult) Vulnerability(com.epam.pipeline.entity.scan.Vulnerability) ToolDependency(com.epam.pipeline.entity.scan.ToolDependency)

Aggregations

ToolScanExternalServiceException (com.epam.pipeline.exception.ToolScanExternalServiceException)3 ClairScanResult (com.epam.pipeline.manager.docker.scan.clair.ClairScanResult)3 DockerComponentScanResult (com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanResult)3 MessageHelper (com.epam.pipeline.common.MessageHelper)2 ManifestV2 (com.epam.pipeline.entity.docker.ManifestV2)2 DockerRegistry (com.epam.pipeline.entity.pipeline.DockerRegistry)2 Tool (com.epam.pipeline.entity.pipeline.Tool)2 ToolVersionScanResult (com.epam.pipeline.entity.scan.ToolVersionScanResult)2 DateUtils (com.epam.pipeline.entity.utils.DateUtils)2 DockerClient (com.epam.pipeline.manager.docker.DockerClient)2 DockerClientFactory (com.epam.pipeline.manager.docker.DockerClientFactory)2 DockerRegistryManager (com.epam.pipeline.manager.docker.DockerRegistryManager)2 ClairScanRequest (com.epam.pipeline.manager.docker.scan.clair.ClairScanRequest)2 ClairService (com.epam.pipeline.manager.docker.scan.clair.ClairService)2 DockerComponentLayerScanResult (com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentLayerScanResult)2 DockerComponentScanRequest (com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanRequest)2 DockerComponentScanService (com.epam.pipeline.manager.docker.scan.dockercompscan.DockerComponentScanService)2 ToolManager (com.epam.pipeline.manager.pipeline.ToolManager)2 PreferenceManager (com.epam.pipeline.manager.preference.PreferenceManager)2 SystemPreferences (com.epam.pipeline.manager.preference.SystemPreferences)2