quay/endpoints/api/secscan.py

""" List and manage repository vulnerabilities and other security information. """

import logging
import features

from app import app, secscan_api
from auth.decorators import process_basic_auth_no_pass
from data.registry_model import registry_model
from data.registry_model.datatypes import SecurityScanStatus
from endpoints.api import (require_repo_read, path_param,
                           RepositoryParamResource, resource, nickname, show_if, parse_args,
                           query_param, truthy_bool, disallow_for_app_repositories)
from endpoints.exception import NotFound, DownstreamIssue
from endpoints.api.manifest import MANIFEST_DIGEST_ROUTE
from util.secscan.api import APIRequestFailure


logger = logging.getLogger(__name__)

def _security_info(manifest_or_legacy_image, include_vulnerabilities=True):
  """ Returns a dict representing the result of a call to the security status API for the given
      manifest or image.
  """
  status = registry_model.get_security_status(manifest_or_legacy_image)
  if status is None:
    raise NotFound()

  if status != SecurityScanStatus.SCANNED:
    return {
      'status': status.value,
    }

  try:
    if include_vulnerabilities:
      data = secscan_api.get_layer_data(manifest_or_legacy_image, include_vulnerabilities=True)
    else:
      data = secscan_api.get_layer_data(manifest_or_legacy_image, include_features=True)
  except APIRequestFailure as arf:
    raise DownstreamIssue(arf.message)

  if data is None:
    # If no data was found but we reached this point, then it indicates we have incorrect security
    # status for the manifest or legacy image. Mark the manifest or legacy image as unindexed
    # so it automatically gets re-indexed.
    if app.config.get('REGISTRY_STATE', 'normal') == 'normal':
      registry_model.reset_security_status(manifest_or_legacy_image)

    return {
      'status': SecurityScanStatus.QUEUED.value,
    }

  return {
    'status': status.value,
    'data': data,
  }


@resource('/v1/repository/<apirepopath:repository>/image/<imageid>/security')
@show_if(features.SECURITY_SCANNER)
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
@path_param('imageid', 'The image ID')
class RepositoryImageSecurity(RepositoryParamResource):
  """ Operations for managing the vulnerabilities in a repository image. """

  @process_basic_auth_no_pass
  @require_repo_read
  @nickname('getRepoImageSecurity')
  @disallow_for_app_repositories
  @parse_args()
  @query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,
               default=False)
  def get(self, namespace, repository, imageid, parsed_args):
    """ Fetches the features and vulnerabilities (if any) for a repository image. """
    repo_ref = registry_model.lookup_repository(namespace, repository)
    if repo_ref is None:
      raise NotFound()

    legacy_image = registry_model.get_legacy_image(repo_ref, imageid)
    if legacy_image is None:
      raise NotFound()

    return _security_info(legacy_image, parsed_args.vulnerabilities)


@resource(MANIFEST_DIGEST_ROUTE + '/security')
@show_if(features.SECURITY_SCANNER)
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
@path_param('manifestref', 'The digest of the manifest')
class RepositoryManifestSecurity(RepositoryParamResource):
  """ Operations for managing the vulnerabilities in a repository manifest. """

  @process_basic_auth_no_pass
  @require_repo_read
  @nickname('getRepoManifestSecurity')
  @disallow_for_app_repositories
  @parse_args()
  @query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,
               default=False)
  def get(self, namespace, repository, manifestref, parsed_args):
    repo_ref = registry_model.lookup_repository(namespace, repository)
    if repo_ref is None:
      raise NotFound()

    manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref, allow_dead=True)
    if manifest is None:
      raise NotFound()

    return _security_info(manifest, parsed_args.vulnerabilities)
initial import for Open Source 🎉 2019-11-12 16:09:47 +00:00			`""" List and manage repository vulnerabilities and other security information. """`

			`import logging`
			`import features`

			`from app import app, secscan_api`
			`from auth.decorators import process_basic_auth_no_pass`
			`from data.registry_model import registry_model`
			`from data.registry_model.datatypes import SecurityScanStatus`
			`from endpoints.api import (require_repo_read, path_param,`
			`RepositoryParamResource, resource, nickname, show_if, parse_args,`
			`query_param, truthy_bool, disallow_for_app_repositories)`
			`from endpoints.exception import NotFound, DownstreamIssue`
			`from endpoints.api.manifest import MANIFEST_DIGEST_ROUTE`
			`from util.secscan.api import APIRequestFailure`


			`logger = logging.getLogger(__name__)`

			`def _security_info(manifest_or_legacy_image, include_vulnerabilities=True):`
			`""" Returns a dict representing the result of a call to the security status API for the given`
			`manifest or image.`
			`"""`
			`status = registry_model.get_security_status(manifest_or_legacy_image)`
			`if status is None:`
			`raise NotFound()`

			`if status != SecurityScanStatus.SCANNED:`
			`return {`
			`'status': status.value,`
			`}`

			`try:`
			`if include_vulnerabilities:`
			`data = secscan_api.get_layer_data(manifest_or_legacy_image, include_vulnerabilities=True)`
			`else:`
			`data = secscan_api.get_layer_data(manifest_or_legacy_image, include_features=True)`
			`except APIRequestFailure as arf:`
			`raise DownstreamIssue(arf.message)`

			`if data is None:`
			`# If no data was found but we reached this point, then it indicates we have incorrect security`
			`# status for the manifest or legacy image. Mark the manifest or legacy image as unindexed`
			`# so it automatically gets re-indexed.`
			`if app.config.get('REGISTRY_STATE', 'normal') == 'normal':`
			`registry_model.reset_security_status(manifest_or_legacy_image)`

			`return {`
			`'status': SecurityScanStatus.QUEUED.value,`
			`}`

			`return {`
			`'status': status.value,`
			`'data': data,`
			`}`


			`@resource('/v1/repository/<apirepopath:repository>/image/<imageid>/security')`
			`@show_if(features.SECURITY_SCANNER)`
			`@path_param('repository', 'The full path of the repository. e.g. namespace/name')`
			`@path_param('imageid', 'The image ID')`
			`class RepositoryImageSecurity(RepositoryParamResource):`
			`""" Operations for managing the vulnerabilities in a repository image. """`

			`@process_basic_auth_no_pass`
			`@require_repo_read`
			`@nickname('getRepoImageSecurity')`
			`@disallow_for_app_repositories`
			`@parse_args()`
			`@query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,`
			`default=False)`
			`def get(self, namespace, repository, imageid, parsed_args):`
			`""" Fetches the features and vulnerabilities (if any) for a repository image. """`
			`repo_ref = registry_model.lookup_repository(namespace, repository)`
			`if repo_ref is None:`
			`raise NotFound()`

			`legacy_image = registry_model.get_legacy_image(repo_ref, imageid)`
			`if legacy_image is None:`
			`raise NotFound()`

			`return _security_info(legacy_image, parsed_args.vulnerabilities)`


			`@resource(MANIFEST_DIGEST_ROUTE + '/security')`
			`@show_if(features.SECURITY_SCANNER)`
			`@path_param('repository', 'The full path of the repository. e.g. namespace/name')`
			`@path_param('manifestref', 'The digest of the manifest')`
			`class RepositoryManifestSecurity(RepositoryParamResource):`
			`""" Operations for managing the vulnerabilities in a repository manifest. """`

			`@process_basic_auth_no_pass`
			`@require_repo_read`
			`@nickname('getRepoManifestSecurity')`
			`@disallow_for_app_repositories`
			`@parse_args()`
			`@query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,`
			`default=False)`
			`def get(self, namespace, repository, manifestref, parsed_args):`
			`repo_ref = registry_model.lookup_repository(namespace, repository)`
			`if repo_ref is None:`
			`raise NotFound()`

			`manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref, allow_dead=True)`
			`if manifest is None:`
			`raise NotFound()`

			`return _security_info(manifest, parsed_args.vulnerabilities)`