vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

securityscanner: add a min image id option

Browse source 
This will enable us to force some instances of the securityworker to
scan only new images.
This commit is contained in:
Jimmy Zelinskie 2017-03-03 13:55:25 -05:00
parent aa2f88d321
commit 4ed0cdda14
4 changed files with 12 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
config.py
View file

@ -313,6 +313,9 @@ class DefaultConfig(object):
# The number of seconds between indexing intervals in the security scanner # The number of seconds between indexing intervals in the security scanner
SECURITY_SCANNER_INDEXING_INTERVAL = 30 SECURITY_SCANNER_INDEXING_INTERVAL = 30
# If specified, the security scanner will only index images newer than the provided ID.
SECURITY_SCANNER_INDEXING_MIN_ID = None
# If specified, the endpoint to be used for all POST calls to the security scanner. # If specified, the endpoint to be used for all POST calls to the security scanner.
SECURITY_SCANNER_ENDPOINT_BATCH = None SECURITY_SCANNER_ENDPOINT_BATCH = None

9
data/model/image.py
View file

@ -495,10 +495,13 @@ def get_image_id():
return Image.id return Image.id
def get_images_eligible_for_scan(clair_version): def get_images_eligible_for_scan(clair_version, min_id=None):
""" Returns a query that gives all images eligible for a clair scan """ """ Returns a query that gives all images eligible for a clair scan """
return (get_image_with_storage_and_parent_base() query = (get_image_with_storage_and_parent_base()
.where(Image.security_indexed_engine < clair_version)) .where(Image.security_indexed_engine < clair_version))
if min_id is not None:
query = query.where(Image.id >= min_id)
return query
def get_image_with_storage_and_parent_base(): def get_image_with_storage_and_parent_base():

4
test/test_secscan.py
View file

@ -589,11 +589,11 @@ class TestSecurityScanner(unittest.TestCase):
# Ensure no images are available for scanning. # Ensure no images are available for scanning.
self.assertIsNone(model.image.get_min_id_for_sec_scan(expected_version)) self.assertIsNone(model.image.get_min_id_for_sec_scan(expected_version))
self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version)) == 0) self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version, None)) == 0)
# Check for a higher version. # Check for a higher version.
self.assertIsNotNone(model.image.get_min_id_for_sec_scan(expected_version + 1)) self.assertIsNotNone(model.image.get_min_id_for_sec_scan(expected_version + 1))
self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version + 1)) > 0) self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version + 1, None)) > 0)
def test_notification_worker(self): def test_notification_worker(self):
layer1 = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True) layer1 = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)

2
workers/securityworker.py
View file

@ -42,7 +42,7 @@ class SecurityWorker(Worker):
def _index_images(self): def _index_images(self):
def batch_query(): def batch_query():
return get_images_eligible_for_scan(self._target_version) return get_images_eligible_for_scan(self._target_version, app.config.get('SECURITY_SCANNER_INDEXING_MIN_ID', None))
# Get the ID of the last image we can analyze. Will be None if there are no images in the # Get the ID of the last image we can analyze. Will be None if there are no images in the
# database. # database.