2016-02-17 19:48:50 +00:00
|
|
|
""" List and manage repository vulnerabilities and other security information. """
|
2015-10-23 19:20:28 +00:00
|
|
|
|
|
|
|
import logging
|
|
|
|
import features
|
|
|
|
|
2015-11-10 20:01:33 +00:00
|
|
|
from app import secscan_api
|
2018-09-21 17:54:33 +00:00
|
|
|
from auth.decorators import process_basic_auth_no_pass
|
2018-08-23 20:36:04 +00:00
|
|
|
from data.registry_model import registry_model
|
|
|
|
from data.registry_model.datatypes import SecurityScanStatus
|
2016-04-11 20:20:11 +00:00
|
|
|
from endpoints.api import (require_repo_read, path_param,
|
2015-10-23 19:20:28 +00:00
|
|
|
RepositoryParamResource, resource, nickname, show_if, parse_args,
|
2017-03-22 18:30:13 +00:00
|
|
|
query_param, truthy_bool, disallow_for_app_repositories)
|
2016-04-11 20:20:11 +00:00
|
|
|
from endpoints.exception import NotFound, DownstreamIssue
|
2017-02-02 22:51:18 +00:00
|
|
|
from endpoints.api.manifest import MANIFEST_DIGEST_ROUTE
|
2016-02-24 21:01:27 +00:00
|
|
|
from util.secscan.api import APIRequestFailure
|
2015-10-23 19:20:28 +00:00
|
|
|
|
|
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
2018-08-23 20:36:04 +00:00
|
|
|
def _security_info(manifest_or_legacy_image, include_vulnerabilities=True):
|
2017-02-02 22:51:18 +00:00
|
|
|
""" Returns a dict representing the result of a call to the security status API for the given
|
2018-08-23 20:36:04 +00:00
|
|
|
manifest or image.
|
2017-02-02 22:51:18 +00:00
|
|
|
"""
|
2018-08-23 20:36:04 +00:00
|
|
|
status = registry_model.get_security_status(manifest_or_legacy_image)
|
|
|
|
if status is None:
|
|
|
|
raise NotFound()
|
|
|
|
|
|
|
|
if status != SecurityScanStatus.SCANNED:
|
2017-02-02 22:51:18 +00:00
|
|
|
return {
|
2018-08-23 20:36:04 +00:00
|
|
|
'status': status.value,
|
2017-02-02 22:51:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
try:
|
|
|
|
if include_vulnerabilities:
|
2018-08-23 20:36:04 +00:00
|
|
|
data = secscan_api.get_layer_data(manifest_or_legacy_image, include_vulnerabilities=True)
|
2017-02-02 22:51:18 +00:00
|
|
|
else:
|
2018-08-23 20:36:04 +00:00
|
|
|
data = secscan_api.get_layer_data(manifest_or_legacy_image, include_features=True)
|
2017-02-02 22:51:18 +00:00
|
|
|
except APIRequestFailure as arf:
|
2017-07-21 17:20:31 +00:00
|
|
|
raise DownstreamIssue(arf.message)
|
2017-02-02 22:51:18 +00:00
|
|
|
|
|
|
|
if data is None:
|
|
|
|
raise NotFound()
|
|
|
|
|
|
|
|
return {
|
2018-08-23 20:36:04 +00:00
|
|
|
'status': status.value,
|
2017-02-02 22:51:18 +00:00
|
|
|
'data': data,
|
|
|
|
}
|
|
|
|
|
2015-11-12 20:42:45 +00:00
|
|
|
|
2016-02-17 19:48:50 +00:00
|
|
|
@resource('/v1/repository/<apirepopath:repository>/image/<imageid>/security')
|
2017-05-01 17:14:20 +00:00
|
|
|
@show_if(features.SECURITY_SCANNER)
|
2015-10-23 19:20:28 +00:00
|
|
|
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
|
2015-11-11 20:52:30 +00:00
|
|
|
@path_param('imageid', 'The image ID')
|
2016-02-17 19:48:50 +00:00
|
|
|
class RepositoryImageSecurity(RepositoryParamResource):
|
2015-11-11 20:52:30 +00:00
|
|
|
""" Operations for managing the vulnerabilities in a repository image. """
|
2015-10-23 19:20:28 +00:00
|
|
|
|
2018-09-21 17:54:33 +00:00
|
|
|
@process_basic_auth_no_pass
|
2015-10-23 19:20:28 +00:00
|
|
|
@require_repo_read
|
2016-02-17 19:48:50 +00:00
|
|
|
@nickname('getRepoImageSecurity')
|
2017-03-22 18:30:13 +00:00
|
|
|
@disallow_for_app_repositories
|
2016-01-26 21:27:36 +00:00
|
|
|
@parse_args()
|
2016-02-17 19:48:50 +00:00
|
|
|
@query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,
|
|
|
|
default=False)
|
2016-01-26 21:27:36 +00:00
|
|
|
def get(self, namespace, repository, imageid, parsed_args):
|
2016-12-07 16:50:22 +00:00
|
|
|
""" Fetches the features and vulnerabilities (if any) for a repository image. """
|
2018-08-23 20:36:04 +00:00
|
|
|
repo_ref = registry_model.lookup_repository(namespace, repository)
|
|
|
|
if repo_ref is None:
|
|
|
|
raise NotFound()
|
|
|
|
|
|
|
|
legacy_image = registry_model.get_legacy_image(repo_ref, imageid)
|
|
|
|
if legacy_image is None:
|
2015-10-23 19:20:28 +00:00
|
|
|
raise NotFound()
|
|
|
|
|
2018-08-23 20:36:04 +00:00
|
|
|
return _security_info(legacy_image, parsed_args.vulnerabilities)
|
|
|
|
|
2017-02-02 22:51:18 +00:00
|
|
|
|
|
|
|
@resource(MANIFEST_DIGEST_ROUTE + '/security')
|
2017-05-01 17:14:20 +00:00
|
|
|
@show_if(features.SECURITY_SCANNER)
|
2017-02-02 22:51:18 +00:00
|
|
|
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
|
|
|
|
@path_param('manifestref', 'The digest of the manifest')
|
|
|
|
class RepositoryManifestSecurity(RepositoryParamResource):
|
|
|
|
""" Operations for managing the vulnerabilities in a repository manifest. """
|
2015-10-23 19:20:28 +00:00
|
|
|
|
2018-09-21 17:54:33 +00:00
|
|
|
@process_basic_auth_no_pass
|
2017-02-02 22:51:18 +00:00
|
|
|
@require_repo_read
|
|
|
|
@nickname('getRepoManifestSecurity')
|
2017-03-22 18:30:13 +00:00
|
|
|
@disallow_for_app_repositories
|
2017-02-02 22:51:18 +00:00
|
|
|
@parse_args()
|
|
|
|
@query_param('vulnerabilities', 'Include vulnerabilities informations', type=truthy_bool,
|
|
|
|
default=False)
|
|
|
|
def get(self, namespace, repository, manifestref, parsed_args):
|
2018-08-23 20:36:04 +00:00
|
|
|
repo_ref = registry_model.lookup_repository(namespace, repository)
|
|
|
|
if repo_ref is None:
|
2016-02-24 21:01:27 +00:00
|
|
|
raise NotFound()
|
2015-10-23 19:20:28 +00:00
|
|
|
|
2018-08-23 20:36:04 +00:00
|
|
|
manifest = registry_model.lookup_manifest_by_digest(repo_ref, manifestref, allow_dead=True)
|
|
|
|
if manifest is None:
|
|
|
|
raise NotFound()
|
2017-02-02 22:51:18 +00:00
|
|
|
|
2018-08-23 20:36:04 +00:00
|
|
|
return _security_info(manifest, parsed_args.vulnerabilities)
|