vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Refactor security worker

Browse source
This commit is contained in:
Quentin Machu 2015-11-17 17:42:52 -05:00
parent 206ffc65af
commit 605ed1fc77
6 changed files with 184 additions and 182 deletions
Download patch file Download diff file Expand all files Collapse all files

17
workers/security_notification_worker.py
View file

@ -8,6 +8,7 @@ import features
from app import secscan_notification_queue, secscan_api
from data import model
from data.model.tag import filter_tags_have_repository_event, get_matching_tags
from data.database import (Image, ImageStorage, ExternalNotificationEvent,
Repository, RepositoryNotification, RepositoryTag)
from endpoints.notificationhelper import spawn_notification
@ -31,23 +32,19 @@ class SecurityNotificationWorker(QueueWorker):
tag_map = defaultdict(set)
repository_map = {}
# Find all tags that contain the layer(s) introducing the vulnerability.
# Find all tags that contain the layer(s) introducing the vulnerability,
# in repositories that have the event setup.
content = data['Content']
layer_ids = content.get('NewIntroducingLayersIDs', content.get('IntroducingLayersIDs', []))
for layer_id in layer_ids:
(docker_image_id, storage_uuid) = layer_id.split('.', 2)
tags = model.tag.get_matching_tags(docker_image_id, storage_uuid, RepositoryTag,
Repository, Image, ImageStorage)
# Additionally filter to tags only in repositories that have the event setup.
matching = list(tags
.switch(RepositoryTag)
.join(Repository)
.join(RepositoryNotification)
.where(RepositoryNotification.event == event))
matching = get_matching_tags(docker_image_id, storage_uuid, RepositoryTag, Repository,
Image, ImageStorage)
tags = list(filter_tags_have_repository_event(matching, event))
check_map = {}
for tag in matching:
for tag in tags:
# Verify that the tag's root image has the vulnerability.
tag_layer_id = '%s.%s' % (tag.image.docker_image_id, tag.image.storage.uuid)
logger.debug('Checking if layer %s is vulnerable to %s', tag_layer_id, cve_id)