update vendor

Signed-off-by: Jess Frazelle <acidburn@microsoft.com>

vendor/github.com/genuinetools/reg/clair/ancestry.go

@@ -0,0 +1,71 @@
+package clair
+
+import (
+	"context"
+	"errors"
+
+	"github.com/coreos/clair/api/v3/clairpb"
+)
+
+var (
+	// ErrNilGRPCConn holds the error for when the grpc connection is nil.
+	ErrNilGRPCConn = errors.New("grpcConn cannot be nil")
+)
+
+// GetAncestry displays an ancestry and all of its features and vulnerabilities.
+func (c *Clair) GetAncestry(name string) (*clairpb.GetAncestryResponse_Ancestry, error) {
+	c.Logf("clair.ancestry.get name=%s", name)
+
+	if c.grpcConn == nil {
+		return nil, ErrNilGRPCConn
+	}
+
+	client := clairpb.NewAncestryServiceClient(c.grpcConn)
+
+	resp, err := client.GetAncestry(context.Background(), &clairpb.GetAncestryRequest{
+		AncestryName: name,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if resp == nil {
+		return nil, errors.New("ancestry response was nil")
+	}
+
+	if resp.GetStatus() != nil {
+		c.Logf("clair.ancestry.get ClairStatus=%#v", *resp.GetStatus())
+	}
+
+	return resp.GetAncestry(), nil
+}
+
+// PostAncestry performs the analysis of all layers from the provided path.
+func (c *Clair) PostAncestry(name string, layers []*clairpb.PostAncestryRequest_PostLayer) error {
+	c.Logf("clair.ancestry.post name=%s", name)
+
+	if c.grpcConn == nil {
+		return ErrNilGRPCConn
+	}
+
+	client := clairpb.NewAncestryServiceClient(c.grpcConn)
+
+	resp, err := client.PostAncestry(context.Background(), &clairpb.PostAncestryRequest{
+		AncestryName: name,
+		Layers:       layers,
+		Format:       "Docker",
+	})
+	if err != nil {
+		return err
+	}
+
+	if resp == nil {
+		return errors.New("ancestry response was nil")
+	}
+
+	if resp.GetStatus() != nil {
+		c.Logf("clair.ancestry.post ClairStatus=%#v", *resp.GetStatus())
+	}
+
+	return nil
+}

vendor/github.com/genuinetools/reg/clair/clair.go

@@ -0,0 +1,105 @@
+package clair
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"time"
+
+	"google.golang.org/grpc"
+)
+
+// Clair defines the client for retriving information from the clair API.
+type Clair struct {
+	URL      string
+	Client   *http.Client
+	Logf     LogfCallback
+	grpcConn *grpc.ClientConn
+}
+
+// LogfCallback is the callback for formatting logs.
+type LogfCallback func(format string, args ...interface{})
+
+// Quiet discards logs silently.
+func Quiet(format string, args ...interface{}) {}
+
+// Log passes log messages to the logging package.
+func Log(format string, args ...interface{}) {
+	log.Printf(format, args...)
+}
+
+// Opt holds the options for a new clair client.
+type Opt struct {
+	Debug    bool
+	Insecure bool
+	Timeout  time.Duration
+}
+
+// New creates a new Clair struct with the given URL and credentials.
+func New(url string, opt Opt) (*Clair, error) {
+	transport := http.DefaultTransport
+
+	grpcOpt := []grpc.DialOption{}
+
+	if opt.Insecure {
+		transport = &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		}
+
+		grpcOpt = append(grpcOpt, grpc.WithInsecure())
+	}
+
+	errorTransport := &ErrorTransport{
+		Transport: transport,
+	}
+
+	// set the logging
+	logf := Quiet
+	if opt.Debug {
+		logf = Log
+	}
+
+	conn, err := grpc.Dial(url, grpcOpt...)
+	if err != nil {
+		logf("grpc dial %s failed: %v", url, err)
+	}
+
+	registry := &Clair{
+		URL: url,
+		Client: &http.Client{
+			Timeout:   opt.Timeout,
+			Transport: errorTransport,
+		},
+		Logf:     logf,
+		grpcConn: conn,
+	}
+
+	return registry, nil
+}
+
+// url returns a clair URL with the passed arguements concatenated.
+func (c *Clair) url(pathTemplate string, args ...interface{}) string {
+	pathSuffix := fmt.Sprintf(pathTemplate, args...)
+	url := fmt.Sprintf("%s%s", c.URL, pathSuffix)
+	return url
+}
+
+func (c *Clair) getJSON(url string, response interface{}) (http.Header, error) {
+	resp, err := c.Client.Get(url)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	c.Logf("clair.clair resp.Status=%s", resp.Status)
+
+	if err := json.NewDecoder(resp.Body).Decode(response); err != nil {
+		c.Logf("clair.clair resp.Status=%s, body=%s", resp.Status, response)
+		return nil, err
+	}
+
+	return resp.Header, nil
+}

vendor/github.com/genuinetools/reg/clair/errortransport.go

@@ -0,0 +1,46 @@
+package clair
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+)
+
+type httpStatusError struct {
+	Response *http.Response
+	Body     []byte // Copied from `Response.Body` to avoid problems with unclosed bodies later. Nobody calls `err.Response.Body.Close()`, ever.
+}
+
+func (err *httpStatusError) Error() string {
+	return fmt.Sprintf("http: non-successful response (status=%v body=%q)", err.Response.StatusCode, err.Body)
+}
+
+var _ error = &httpStatusError{}
+
+// ErrorTransport defines the data structure for returning errors from the round tripper.
+type ErrorTransport struct {
+	Transport http.RoundTripper
+}
+
+// RoundTrip defines the round tripper for the error transport.
+func (t *ErrorTransport) RoundTrip(request *http.Request) (*http.Response, error) {
+	resp, err := t.Transport.RoundTrip(request)
+	if err != nil {
+		return resp, err
+	}
+
+	if resp.StatusCode >= 500 {
+		defer resp.Body.Close()
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return nil, fmt.Errorf("http: failed to read response body (status=%v, err=%q)", resp.StatusCode, err)
+		}
+
+		return nil, &httpStatusError{
+			Response: resp,
+			Body:     body,
+		}
+	}
+
+	return resp, err
+}

vendor/github.com/genuinetools/reg/clair/layer.go

@@ -0,0 +1,81 @@
+package clair
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+)
+
+// GetLayer displays a Layer and optionally all of its features and vulnerabilities.
+func (c *Clair) GetLayer(name string, features, vulnerabilities bool) (*Layer, error) {
+	url := c.url("/v1/layers/%s?features=%t&vulnerabilities=%t", name, features, vulnerabilities)
+	c.Logf("clair.layers.get url=%s name=%s", url, name)
+
+	var respLayer layerEnvelope
+	if _, err := c.getJSON(url, &respLayer); err != nil {
+		return nil, err
+	}
+
+	if respLayer.Error != nil {
+		return nil, fmt.Errorf("clair error: %s", respLayer.Error.Message)
+	}
+
+	return respLayer.Layer, nil
+}
+
+// PostLayer performs the analysis of a Layer from the provided path.
+func (c *Clair) PostLayer(layer *Layer) (*Layer, error) {
+	url := c.url("/v1/layers")
+	c.Logf("clair.layers.post url=%s name=%s", url, layer.Name)
+
+	b, err := json.Marshal(layerEnvelope{Layer: layer})
+	if err != nil {
+		return nil, err
+	}
+
+	c.Logf("clair.layers.post req.Body=%s", string(b))
+
+	resp, err := c.Client.Post(url, "application/json", bytes.NewReader(b))
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	c.Logf("clair.layers.post resp.Status=%s", resp.Status)
+
+	var respLayer layerEnvelope
+	if err := json.NewDecoder(resp.Body).Decode(&respLayer); err != nil {
+		return nil, err
+	}
+
+	if respLayer.Error != nil {
+		return nil, fmt.Errorf("clair error: %s", respLayer.Error.Message)
+	}
+
+	return respLayer.Layer, err
+}
+
+// DeleteLayer removes a layer reference from clair.
+func (c *Clair) DeleteLayer(name string) error {
+	url := c.url("/v1/layers/%s", name)
+	c.Logf("clair.layers.delete url=%s name=%s", url, name)
+
+	req, err := http.NewRequest("DELETE", url, nil)
+	if err != nil {
+		return err
+	}
+
+	resp, err := c.Client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	c.Logf("clair.clair resp.Status=%s", resp.Status)
+
+	if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusAccepted || resp.StatusCode == http.StatusNotFound {
+		return nil
+	}
+
+	return fmt.Errorf("Got status code: %d", resp.StatusCode)
+}

vendor/github.com/genuinetools/reg/clair/layerutil.go

@@ -0,0 +1,95 @@
+package clair
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/coreos/clair/api/v3/clairpb"
+	"github.com/docker/distribution"
+	"github.com/genuinetools/reg/registry"
+)
+
+// NewClairLayer will form a layer struct required for a clair scan.
+func (c *Clair) NewClairLayer(r *registry.Registry, image string, fsLayers map[int]distribution.Descriptor, index int) (*Layer, error) {
+	var parentName string
+	if index < len(fsLayers)-1 {
+		parentName = fsLayers[index+1].Digest.String()
+	}
+
+	// Form the path.
+	p := strings.Join([]string{r.URL, "v2", image, "blobs", fsLayers[index].Digest.String()}, "/")
+
+	// Get the headers.
+	h, err := r.Headers(p)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Layer{
+		Name:       fsLayers[index].Digest.String(),
+		Path:       p,
+		ParentName: parentName,
+		Format:     "Docker",
+		Headers:    h,
+	}, nil
+}
+
+// NewClairV3Layer will form a layer struct required for a clair scan.
+func (c *Clair) NewClairV3Layer(r *registry.Registry, image string, fsLayer distribution.Descriptor) (*clairpb.PostAncestryRequest_PostLayer, error) {
+	// Form the path.
+	p := strings.Join([]string{r.URL, "v2", image, "blobs", fsLayer.Digest.String()}, "/")
+
+	// Get the headers.
+	h, err := r.Headers(p)
+	if err != nil {
+		return nil, err
+	}
+
+	return &clairpb.PostAncestryRequest_PostLayer{
+		Hash:    fsLayer.Digest.String(),
+		Path:    p,
+		Headers: h,
+	}, nil
+}
+
+func (c *Clair) getLayers(r *registry.Registry, repo, tag string, filterEmpty bool) (map[int]distribution.Descriptor, error) {
+	ok := true
+	// Get the manifest to pass to clair.
+	mf, err := r.ManifestV2(repo, tag)
+	if err != nil {
+		ok = false
+		c.Logf("couldn't retrieve manifest v2, falling back to v1")
+	}
+
+	filteredLayers := map[int]distribution.Descriptor{}
+
+	// Filter out the empty layers.
+	if ok {
+		for i := 0; i < len(mf.Layers); i++ {
+			if filterEmpty && IsEmptyLayer(mf.Layers[i].Digest) {
+				continue
+			} else {
+				filteredLayers[len(mf.Layers)-i-1] = mf.Layers[i]
+			}
+		}
+
+		return filteredLayers, nil
+	}
+
+	m, err := r.ManifestV1(repo, tag)
+	if err != nil {
+		return nil, fmt.Errorf("getting the v1 manifest for %s:%s failed: %v", repo, tag, err)
+	}
+
+	for i := 0; i < len(m.FSLayers); i++ {
+		if filterEmpty && IsEmptyLayer(m.FSLayers[i].BlobSum) {
+			continue
+		} else {
+			filteredLayers[i] = distribution.Descriptor{
+				Digest: m.FSLayers[i].BlobSum,
+			}
+		}
+	}
+
+	return filteredLayers, nil
+}

vendor/github.com/genuinetools/reg/clair/types.go

@@ -0,0 +1,77 @@
+package clair
+
+import "github.com/opencontainers/go-digest"
+
+const (
+	// EmptyLayerBlobSum is the blob sum of empty layers.
+	EmptyLayerBlobSum = "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
+
+	// LegacyEmptyLayerBlobSum is the blob sum of empty layers used by docker
+	// before it could support a truly empty layer.
+	LegacyEmptyLayerBlobSum = "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
+)
+
+// IsEmptyLayer determines whether the blob sum is one of the known empty
+// layers.
+func IsEmptyLayer(blobSum digest.Digest) bool {
+	return blobSum == EmptyLayerBlobSum || blobSum == LegacyEmptyLayerBlobSum
+}
+
+var (
+	// Priorities are the vulnerability priority labels.
+	Priorities = []string{"Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1", "Fixable"}
+)
+
+// Error describes the structure of a clair error.
+type Error struct {
+	Message string `json:"Message,omitempty"`
+}
+
+// Layer represents an image layer.
+type Layer struct {
+	Name             string            `json:"Name,omitempty"`
+	NamespaceName    string            `json:"NamespaceName,omitempty"`
+	Path             string            `json:"Path,omitempty"`
+	Headers          map[string]string `json:"Headers,omitempty"`
+	ParentName       string            `json:"ParentName,omitempty"`
+	Format           string            `json:"Format,omitempty"`
+	IndexedByVersion int               `json:"IndexedByVersion,omitempty"`
+	Features         []feature         `json:"Features,omitempty"`
+}
+
+type layerEnvelope struct {
+	Layer *Layer `json:"Layer,omitempty"`
+	Error *Error `json:"Error,omitempty"`
+}
+
+// Vulnerability represents vulnerability entity returned by Clair.
+type Vulnerability struct {
+	Name          string                 `json:"Name,omitempty"`
+	NamespaceName string                 `json:"NamespaceName,omitempty"`
+	Description   string                 `json:"Description,omitempty"`
+	Link          string                 `json:"Link,omitempty"`
+	Severity      string                 `json:"Severity,omitempty"`
+	Metadata      map[string]interface{} `json:"Metadata,omitempty"`
+	FixedBy       string                 `json:"FixedBy,omitempty"`
+	FixedIn       []feature              `json:"FixedIn,omitempty"`
+}
+
+// VulnerabilityReport represents the result of a vulnerability scan of a repo.
+type VulnerabilityReport struct {
+	Name            string
+	RegistryURL     string
+	Repo            string
+	Tag             string
+	Date            string
+	Vulns           []Vulnerability
+	VulnsBySeverity map[string][]Vulnerability
+	BadVulns        int
+}
+type feature struct {
+	Name            string          `json:"Name,omitempty"`
+	NamespaceName   string          `json:"NamespaceName,omitempty"`
+	VersionFormat   string          `json:"VersionFormat,omitempty"`
+	Version         string          `json:"Version,omitempty"`
+	Vulnerabilities []Vulnerability `json:"Vulnerabilities,omitempty"`
+	AddedBy         string          `json:"AddedBy,omitempty"`
+}

vendor/github.com/genuinetools/reg/clair/vulns.go

@@ -0,0 +1,163 @@
+package clair
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/coreos/clair/api/v3/clairpb"
+	"github.com/genuinetools/reg/registry"
+)
+
+// Vulnerabilities scans the given repo and tag.
+func (c *Clair) Vulnerabilities(r *registry.Registry, repo, tag string) (VulnerabilityReport, error) {
+	report := VulnerabilityReport{
+		RegistryURL:     r.Domain,
+		Repo:            repo,
+		Tag:             tag,
+		Date:            time.Now().Local().Format(time.RFC1123),
+		VulnsBySeverity: make(map[string][]Vulnerability),
+	}
+
+	filteredLayers, err := c.getLayers(r, repo, tag, true)
+	if err != nil {
+		return report, fmt.Errorf("getting filtered layers failed: %v", err)
+	}
+
+	if len(filteredLayers) == 0 {
+		fmt.Printf("No need to analyse image %s:%s as there is no non-emtpy layer", repo, tag)
+		return report, nil
+	}
+
+	for i := len(filteredLayers) - 1; i >= 0; i-- {
+		// Form the clair layer.
+		l, err := c.NewClairLayer(r, repo, filteredLayers, i)
+		if err != nil {
+			return report, err
+		}
+
+		// Post the layer.
+		if _, err := c.PostLayer(l); err != nil {
+			return report, err
+		}
+	}
+
+	report.Name = filteredLayers[0].Digest.String()
+
+	vl, err := c.GetLayer(filteredLayers[0].Digest.String(), true, true)
+	if err != nil {
+		return report, err
+	}
+
+	// Get the vulns.
+	for _, f := range vl.Features {
+		report.Vulns = append(report.Vulns, f.Vulnerabilities...)
+	}
+
+	vulnsBy := func(sev string, store map[string][]Vulnerability) []Vulnerability {
+		items, found := store[sev]
+		if !found {
+			items = make([]Vulnerability, 0)
+			store[sev] = items
+		}
+		return items
+	}
+
+	// group by severity
+	for _, v := range report.Vulns {
+		sevRow := vulnsBy(v.Severity, report.VulnsBySeverity)
+		report.VulnsBySeverity[v.Severity] = append(sevRow, v)
+	}
+
+	// calculate number of bad vulns
+	report.BadVulns = len(report.VulnsBySeverity["High"]) + len(report.VulnsBySeverity["Critical"]) + len(report.VulnsBySeverity["Defcon1"])
+
+	return report, nil
+}
+
+// VulnerabilitiesV3 scans the given repo and tag using the clair v3 API.
+func (c *Clair) VulnerabilitiesV3(r *registry.Registry, repo, tag string) (VulnerabilityReport, error) {
+	report := VulnerabilityReport{
+		RegistryURL:     r.Domain,
+		Repo:            repo,
+		Tag:             tag,
+		Date:            time.Now().Local().Format(time.RFC1123),
+		VulnsBySeverity: make(map[string][]Vulnerability),
+	}
+
+	layers, err := c.getLayers(r, repo, tag, false)
+	if err != nil {
+		return report, fmt.Errorf("getting filtered layers failed: %v", err)
+	}
+
+	if len(layers) == 0 {
+		fmt.Printf("No need to analyse image %s:%s as there is no non-empty layer", repo, tag)
+		return report, nil
+	}
+
+	report.Name = layers[0].Digest.String()
+
+	clairLayers := []*clairpb.PostAncestryRequest_PostLayer{}
+	for i := len(layers) - 1; i >= 0; i-- {
+		// Form the clair layer.
+		l, err := c.NewClairV3Layer(r, repo, layers[i])
+		if err != nil {
+			return report, err
+		}
+
+		// Append the layer.
+		clairLayers = append(clairLayers, l)
+	}
+
+	// Post the ancestry.
+	if err := c.PostAncestry(layers[0].Digest.String(), clairLayers); err != nil {
+		return report, fmt.Errorf("posting ancestry failed: %v", err)
+	}
+
+	// Get the ancestry.
+	vl, err := c.GetAncestry(layers[0].Digest.String())
+	if err != nil {
+		return report, err
+	}
+
+	if vl == nil {
+		return report, errors.New("ancestry response was nil")
+	}
+
+	// Get the vulns.
+	for _, l := range vl.GetLayers() {
+		for _, f := range l.GetDetectedFeatures() {
+			for _, v := range f.GetVulnerabilities() {
+				report.Vulns = append(report.Vulns, Vulnerability{
+					Name:          v.Name,
+					NamespaceName: v.NamespaceName,
+					Description:   v.Description,
+					Link:          v.Link,
+					Severity:      v.Severity,
+					Metadata:      map[string]interface{}{v.Metadata: ""},
+					FixedBy:       v.FixedBy,
+				})
+			}
+		}
+	}
+
+	vulnsBy := func(sev string, store map[string][]Vulnerability) []Vulnerability {
+		items, found := store[sev]
+		if !found {
+			items = make([]Vulnerability, 0)
+			store[sev] = items
+		}
+		return items
+	}
+
+	// Group by severity.
+	for _, v := range report.Vulns {
+		sevRow := vulnsBy(v.Severity, report.VulnsBySeverity)
+		report.VulnsBySeverity[v.Severity] = append(sevRow, v)
+	}
+
+	// calculate number of bad vulns
+	report.BadVulns = len(report.VulnsBySeverity["High"]) + len(report.VulnsBySeverity["Critical"]) + len(report.VulnsBySeverity["Defcon1"])
+
+	return report, nil
+}