""" List and manage repository vulnerabilities and other security information. """
import logging
import features
import json
import requests
from app import secscan_api
from data import model
from endpoints.api import (require_repo_read, NotFound, DownstreamIssue, path_param,
RepositoryParamResource, resource, nickname, show_if, parse_args,
query_param)
# Module-level logger; used below for the non-2xx scanner warning and the
# "not security indexed" debug trace.
logger = logging.getLogger(__name__)
class SCAN_STATUS(object):
    """ Security scan status enum.

    Plain string constants rather than an `enum.Enum`: the values are placed
    verbatim into the `status` field returned by the endpoints in this file.
    """
    SCANNED, FAILED, QUEUED = 'scanned', 'failed', 'queued'
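def _call_security_api(relative_url, *args, **kwargs):
    """ Issues an HTTP call to the sec API at the given relative URL.

    Args:
      relative_url: Path under the security scanner API; `args`/`kwargs` are
        forwarded to `secscan_api.call` unchanged.

    Returns:
      The JSON-decoded response body of a 2xx response.

    Raises:
      NotFound: the scanner answered 404 (checked before the body is parsed, so
        a non-JSON 404 body still maps to NotFound).
      DownstreamIssue: timeout, connection failure, non-JSON body, or any other
        non-2xx status.
    """
    try:
        response = secscan_api.call(relative_url, None, *args, **kwargs)
    except requests.exceptions.Timeout:
        raise DownstreamIssue(payload=dict(message='API call timed out'))
    except requests.exceptions.ConnectionError:
        raise DownstreamIssue(payload=dict(message='Could not connect to downstream service'))

    if response.status_code == 404:
        raise NotFound()

    try:
        response_data = json.loads(response.text)
    except ValueError:
        raise DownstreamIssue(payload=dict(message='Non-json response from downstream service'))

    # Floor division so the status-family check behaves the same under Python 2
    # and 3: with true division 201 / 100 == 2.01, which would misclassify a
    # successful 201 as an error.
    if response.status_code // 100 != 2:
        # Log the raw body to help diagnose scanner-side failures.
        logger.warning('Got %s status code to call: %s', response.status_code, response.text)
        # An error body without a 'Message' key (or that is not an object) must
        # still surface as a DownstreamIssue rather than an unhandled KeyError.
        message = response_data.get('Message') if isinstance(response_data, dict) else None
        raise DownstreamIssue(payload=dict(message=message or 'Error from downstream service'))

    return response_data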
def _get_status(repo_image):
    """ Returns the SCAN_STATUS value for the given repository image.

    An image whose `security_indexed_engine` is unset or negative has not been
    processed yet (QUEUED); otherwise `security_indexed` decides between
    SCANNED and FAILED.
    """
    engine_version = repo_image.security_indexed_engine
    if engine_version is None or engine_version < 0:
        return SCAN_STATUS.QUEUED
    if repo_image.security_indexed:
        return SCAN_STATUS.SCANNED
    return SCAN_STATUS.FAILED
@show_if(features.SECURITY_SCANNER)
@resource('/v1/repository/<repopath:repository>/image/<imageid>/vulnerabilities')
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
@path_param('imageid', 'The image ID')
class RepositoryImageVulnerabilities(RepositoryParamResource):
    """ Operations for managing the vulnerabilities in a repository image. """

    @require_repo_read
    @nickname('getRepoImageVulnerabilities')
    @parse_args
    @query_param('minimumPriority', 'Minimum vulnerability priority', type=str,
                 default='Low')
    def get(self, args, namespace, repository, imageid):
        """ Fetches the vulnerabilities (if any) for a repository image.

        Returns a dict carrying the image's scan `status`; once the image has
        been security indexed the scanner's response is added under `data`.
        Raises NotFound when no such image exists in the repository.
        """
        repo_image = model.image.get_repo_image(namespace, repository, imageid)
        if repo_image is None:
            raise NotFound()

        result = {'status': _get_status(repo_image)}
        if not repo_image.security_indexed:
            logger.debug('Image %s under repository %s/%s not security indexed',
                         repo_image.docker_image_id, namespace, repository)
            return result

        # The scanner addresses a layer as "<docker image id>.<storage uuid>".
        layer_id = '%s.%s' % (repo_image.docker_image_id, repo_image.storage.uuid)
        # minimumPriority comes straight from the query string; the scanner
        # presumably validates it — confirm in secscan_api.
        result['data'] = _call_security_api('layers/%s/vulnerabilities', layer_id,
                                            minimumPriority=args.minimumPriority)
        return result
@show_if(features.SECURITY_SCANNER)
@resource('/v1/repository/<repopath:repository>/image/<imageid>/packages')
@path_param('repository', 'The full path of the repository. e.g. namespace/name')
@path_param('imageid', 'The image ID')
class RepositoryImagePackages(RepositoryParamResource):
    """ Operations for listing the packages added/removed in an image. """

    @require_repo_read
    @nickname('getRepoImagePackages')
    def get(self, namespace, repository, imageid):
        """ Fetches the packages added/removed in the given repo image.

        Returns a dict carrying the image's scan `status`; once the image has
        been security indexed the scanner's package listing is added under
        `data`. Raises NotFound when no such image exists in the repository.
        """
        repo_image = model.image.get_repo_image(namespace, repository, imageid)
        if repo_image is None:
            raise NotFound()

        result = {'status': _get_status(repo_image)}
        if not repo_image.security_indexed:
            return result

        # The scanner addresses a layer as "<docker image id>.<storage uuid>".
        layer_id = '%s.%s' % (repo_image.docker_image_id, repo_image.storage.uuid)
        result['data'] = _call_security_api('layers/%s/packages', layer_id)
        return result