Revert "update to use containerd seccomp package"

This reverts commit 4f8e065faf055d3f0463a92622297ca3afac07f4.

vendor/github.com/genuinetools/reg/clair/clair.go

@@ -0,0 +1,76 @@
+package clair
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"time"
+)
+
+// Clair defines the client for retriving information from the clair API.
+type Clair struct {
+	URL    string
+	Client *http.Client
+	Logf   LogfCallback
+}
+
+// LogfCallback is the callback for formatting logs.
+type LogfCallback func(format string, args ...interface{})
+
+// Quiet discards logs silently.
+func Quiet(format string, args ...interface{}) {}
+
+// Log passes log messages to the logging package.
+func Log(format string, args ...interface{}) {
+	log.Printf(format, args...)
+}
+
+// New creates a new Clair struct with the given URL and credentials.
+func New(url string, debug bool) (*Clair, error) {
+	transport := http.DefaultTransport
+
+	errorTransport := &ErrorTransport{
+		Transport: transport,
+	}
+
+	// set the logging
+	logf := Quiet
+	if debug {
+		logf = Log
+	}
+
+	registry := &Clair{
+		URL: url,
+		Client: &http.Client{
+			Timeout:   5 * time.Minute,
+			Transport: errorTransport,
+		},
+		Logf: logf,
+	}
+
+	return registry, nil
+}
+
+// url returns a clair URL with the passed arguements concatenated.
+func (c *Clair) url(pathTemplate string, args ...interface{}) string {
+	pathSuffix := fmt.Sprintf(pathTemplate, args...)
+	url := fmt.Sprintf("%s%s", c.URL, pathSuffix)
+	return url
+}
+
+func (c *Clair) getJSON(url string, response interface{}) (http.Header, error) {
+	resp, err := c.Client.Get(url)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	c.Logf("clair.clair resp.Status=%s", resp.Status)
+
+	if err := json.NewDecoder(resp.Body).Decode(response); err != nil {
+		c.Logf("clair.clair resp.Status=%s, body=%s", resp.Status, response)
+		return nil, err
+	}
+
+	return resp.Header, nil
+}

vendor/github.com/genuinetools/reg/clair/errortransport.go

@@ -0,0 +1,46 @@
+package clair
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+)
+
+type httpStatusError struct {
+	Response *http.Response
+	Body     []byte // Copied from `Response.Body` to avoid problems with unclosed bodies later. Nobody calls `err.Response.Body.Close()`, ever.
+}
+
+func (err *httpStatusError) Error() string {
+	return fmt.Sprintf("http: non-successful response (status=%v body=%q)", err.Response.StatusCode, err.Body)
+}
+
+var _ error = &httpStatusError{}
+
+// ErrorTransport defines the data structure for returning errors from the round tripper.
+type ErrorTransport struct {
+	Transport http.RoundTripper
+}
+
+// RoundTrip defines the round tripper for the error transport.
+func (t *ErrorTransport) RoundTrip(request *http.Request) (*http.Response, error) {
+	resp, err := t.Transport.RoundTrip(request)
+	if err != nil {
+		return resp, err
+	}
+
+	if resp.StatusCode >= 500 {
+		defer resp.Body.Close()
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return nil, fmt.Errorf("http: failed to read response body (status=%v, err=%q)", resp.StatusCode, err)
+		}
+
+		return nil, &httpStatusError{
+			Response: resp,
+			Body:     body,
+		}
+	}
+
+	return resp, err
+}

vendor/github.com/genuinetools/reg/clair/layer.go

@@ -0,0 +1,78 @@
+package clair
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+)
+
+// GetLayer displays a Layer and optionally all of its features and vulnerabilities.
+func (c *Clair) GetLayer(name string, features, vulnerabilities bool) (*Layer, error) {
+	url := c.url("/v1/layers/%s?features=%t&vulnerabilities=%t", name, features, vulnerabilities)
+	c.Logf("clair.layers.get url=%s name=%s", url, name)
+
+	var respLayer layerEnvelope
+	if _, err := c.getJSON(url, &respLayer); err != nil {
+		return nil, err
+	}
+
+	if respLayer.Error != nil {
+		return nil, fmt.Errorf("clair error: %s", respLayer.Error.Message)
+	}
+
+	return respLayer.Layer, nil
+}
+
+// PostLayer performs the analysis of a Layer from the provided path.
+func (c *Clair) PostLayer(layer *Layer) (*Layer, error) {
+	url := c.url("/v1/layers")
+	c.Logf("clair.layers.post url=%s name=%s", url, layer.Name)
+
+	b, err := json.Marshal(layerEnvelope{Layer: layer})
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := c.Client.Post(url, "application/json", bytes.NewReader(b))
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	c.Logf("clair.clair resp.Status=%s", resp.Status)
+
+	var respLayer layerEnvelope
+	if err := json.NewDecoder(resp.Body).Decode(&respLayer); err != nil {
+		return nil, err
+	}
+
+	if respLayer.Error != nil {
+		return nil, fmt.Errorf("clair error: %s", respLayer.Error.Message)
+	}
+
+	return respLayer.Layer, err
+}
+
+// DeleteLayer removes a layer reference from clair.
+func (c *Clair) DeleteLayer(name string) error {
+	url := c.url("/v1/layers/%s", name)
+	c.Logf("clair.layers.delete url=%s name=%s", url, name)
+
+	req, err := http.NewRequest("DELETE", url, nil)
+	if err != nil {
+		return err
+	}
+
+	resp, err := c.Client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	c.Logf("clair.clair resp.Status=%s", resp.Status)
+
+	if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusAccepted || resp.StatusCode == http.StatusNotFound {
+		return nil
+	}
+
+	return fmt.Errorf("Got status code: %d", resp.StatusCode)
+}

vendor/github.com/genuinetools/reg/clair/types.go

@@ -0,0 +1,76 @@
+package clair
+
+import "github.com/opencontainers/go-digest"
+
+const (
+	// EmptyLayerBlobSum is the blob sum of empty layers.
+	EmptyLayerBlobSum = "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
+
+	// LegacyEmptyLayerBlobSum is the blob sum of empty layers used by docker
+	// before it could support a truly empty layer.
+	LegacyEmptyLayerBlobSum = "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
+)
+
+// IsEmptyLayer determines whether the blob sum is one of the known empty
+// layers.
+func IsEmptyLayer(blobSum digest.Digest) bool {
+	return blobSum == EmptyLayerBlobSum || blobSum == LegacyEmptyLayerBlobSum
+}
+
+var (
+	// Priorities are the vulnerability priority labels.
+	Priorities = []string{"Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1", "Fixable"}
+)
+
+// Error describes the structure of a clair error.
+type Error struct {
+	Message string `json:"Message,omitempty"`
+}
+
+// Layer represents an image layer.
+type Layer struct {
+	Name             string            `json:"Name,omitempty"`
+	NamespaceName    string            `json:"NamespaceName,omitempty"`
+	Path             string            `json:"Path,omitempty"`
+	Headers          map[string]string `json:"Headers,omitempty"`
+	ParentName       string            `json:"ParentName,omitempty"`
+	Format           string            `json:"Format,omitempty"`
+	IndexedByVersion int               `json:"IndexedByVersion,omitempty"`
+	Features         []feature         `json:"Features,omitempty"`
+}
+
+type layerEnvelope struct {
+	Layer *Layer `json:"Layer,omitempty"`
+	Error *Error `json:"Error,omitempty"`
+}
+
+// Vulnerability represents vulnerability entity returned by Clair.
+type Vulnerability struct {
+	Name          string                 `json:"Name,omitempty"`
+	NamespaceName string                 `json:"NamespaceName,omitempty"`
+	Description   string                 `json:"Description,omitempty"`
+	Link          string                 `json:"Link,omitempty"`
+	Severity      string                 `json:"Severity,omitempty"`
+	Metadata      map[string]interface{} `json:"Metadata,omitempty"`
+	FixedBy       string                 `json:"FixedBy,omitempty"`
+	FixedIn       []feature              `json:"FixedIn,omitempty"`
+}
+
+// VulnerabilityReport represents the result of a vulnerability scan of a repo.
+type VulnerabilityReport struct {
+	RegistryURL     string
+	Repo            string
+	Tag             string
+	Date            string
+	Vulns           []Vulnerability
+	VulnsBySeverity map[string][]Vulnerability
+	BadVulns        int
+}
+type feature struct {
+	Name            string          `json:"Name,omitempty"`
+	NamespaceName   string          `json:"NamespaceName,omitempty"`
+	VersionFormat   string          `json:"VersionFormat,omitempty"`
+	Version         string          `json:"Version,omitempty"`
+	Vulnerabilities []Vulnerability `json:"Vulnerabilities,omitempty"`
+	AddedBy         string          `json:"AddedBy,omitempty"`
+}

vendor/github.com/genuinetools/reg/clair/vulns.go

@@ -0,0 +1,131 @@
+package clair
+
+import (
+	"encoding/base64"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/distribution/manifest/schema1"
+	"github.com/genuinetools/reg/registry"
+)
+
+// Vulnerabilities scans the given repo and tag
+func (c *Clair) Vulnerabilities(r *registry.Registry, repo, tag string) (VulnerabilityReport, error) {
+	report := VulnerabilityReport{
+		RegistryURL:     r.Domain,
+		Repo:            repo,
+		Tag:             tag,
+		Date:            time.Now().Local().Format(time.RFC1123),
+		VulnsBySeverity: make(map[string][]Vulnerability),
+	}
+
+	// Get the v1 manifest to pass to clair.
+	m, err := r.ManifestV1(repo, tag)
+	if err != nil {
+		return report, fmt.Errorf("getting the v1 manifest for %s:%s failed: %v", repo, tag, err)
+	}
+
+	// Filter out the empty layers.
+	var filteredLayers []schema1.FSLayer
+	for _, layer := range m.FSLayers {
+		if layer.BlobSum != EmptyLayerBlobSum {
+			filteredLayers = append(filteredLayers, layer)
+		}
+	}
+
+	m.FSLayers = filteredLayers
+	if len(m.FSLayers) == 0 {
+		fmt.Printf("No need to analyse image %s:%s as there is no non-emtpy layer", repo, tag)
+		return report, nil
+	}
+
+	for i := len(m.FSLayers) - 1; i >= 0; i-- {
+		// Form the clair layer.
+		l, err := c.NewClairLayer(r, repo, m.FSLayers, i)
+		if err != nil {
+			return report, err
+		}
+
+		// Post the layer.
+		if _, err := c.PostLayer(l); err != nil {
+			return report, err
+		}
+	}
+
+	vl, err := c.GetLayer(m.FSLayers[0].BlobSum.String(), false, true)
+	if err != nil {
+		return report, err
+	}
+
+	// Get the vulns.
+	for _, f := range vl.Features {
+		report.Vulns = append(report.Vulns, f.Vulnerabilities...)
+	}
+
+	vulnsBy := func(sev string, store map[string][]Vulnerability) []Vulnerability {
+		items, found := store[sev]
+		if !found {
+			items = make([]Vulnerability, 0)
+			store[sev] = items
+		}
+		return items
+	}
+
+	// group by severity
+	for _, v := range report.Vulns {
+		sevRow := vulnsBy(v.Severity, report.VulnsBySeverity)
+		report.VulnsBySeverity[v.Severity] = append(sevRow, v)
+	}
+
+	// calculate number of bad vulns
+	report.BadVulns = len(report.VulnsBySeverity["High"]) + len(report.VulnsBySeverity["Critical"]) + len(report.VulnsBySeverity["Defcon1"])
+
+	return report, nil
+}
+
+// NewClairLayer will form a layer struct required for a clar scan
+func (c *Clair) NewClairLayer(r *registry.Registry, image string, fsLayers []schema1.FSLayer, index int) (*Layer, error) {
+	var parentName string
+	if index < len(fsLayers)-1 {
+		parentName = fsLayers[index+1].BlobSum.String()
+	}
+
+	// form the path
+	p := strings.Join([]string{r.URL, "v2", image, "blobs", fsLayers[index].BlobSum.String()}, "/")
+
+	useBasicAuth := false
+
+	// get the token
+	token, err := r.Token(p)
+	if err != nil {
+		// if we get an error here of type: malformed auth challenge header: 'Basic realm="Registry Realm"'
+		// we need to use basic auth for the registry
+		if !strings.Contains(err.Error(), `malformed auth challenge header: 'Basic realm="Registry`) {
+			return nil, err
+		}
+		useBasicAuth = true
+	}
+
+	h := make(map[string]string)
+	if token != "" && !useBasicAuth {
+		h = map[string]string{
+			"Authorization": fmt.Sprintf("Bearer %s", token),
+		}
+	}
+
+	if token == "" || useBasicAuth {
+		c.Logf("clair.vulns using basic auth")
+		h = map[string]string{
+			"Authorization": fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(r.Username+":"+r.Password))),
+		}
+	}
+
+	return &Layer{
+		Name:       fsLayers[index].BlobSum.String(),
+		Path:       p,
+		ParentName: parentName,
+		Format:     "Docker",
+		Headers:    h,
+	}, nil
+}