Have security scanner analyze only send notifications for *new* layers
Following this change, any time a layer is indexed by the security scanner, we only send notifications out if the layer previously had a security_indexed_engine value of `-1`, thus ensuring it has *never* been indexed previously. This will allow us to change the version of the security scanner upwards, and have all the images be re-indexed, without firing off notifications in a spammy manner.
This commit is contained in:
parent
5686c80af1
commit
624b2a8385
3 changed files with 53 additions and 5 deletions
|
@ -6,7 +6,7 @@ import features
|
|||
from collections import defaultdict
|
||||
|
||||
from endpoints.notificationhelper import spawn_notification
|
||||
from data.database import Image, ExternalNotificationEvent
|
||||
from data.database import Image, ExternalNotificationEvent, IMAGE_NOT_SCANNED_ENGINE_VERSION
|
||||
from data.model.tag import filter_tags_have_repository_event, get_tags_for_image
|
||||
from data.model.image import set_secscan_status, get_image_with_storage_and_parent_base
|
||||
from util.secscan.api import APIRequestFailure
|
||||
|
@ -69,6 +69,7 @@ class LayerAnalyzer(object):
|
|||
|
||||
# Analyze the image.
|
||||
logger.info('Analyzing layer %s', layer.docker_image_id)
|
||||
previous_security_indexed_engine = layer.security_indexed_engine
|
||||
(analyzed_version, should_requeue) = self._api.analyze_layer(layer)
|
||||
|
||||
# If analysis failed, then determine whether we need to requeue.
|
||||
|
@ -88,9 +89,13 @@ class LayerAnalyzer(object):
|
|||
analyzed_version)
|
||||
set_status = set_secscan_status(layer, True, analyzed_version)
|
||||
|
||||
# If we are the one who've done the job successfully first, get the vulnerabilities and
|
||||
# send notifications to the repos that have a tag on that layer.
|
||||
if features.SECURITY_NOTIFICATIONS and set_status:
|
||||
# If we are the one who've done the job successfully first, and this is a *new* layer,
|
||||
# as indicated by having a version of -1, get the vulnerabilities and
|
||||
# send notifications to the repos that have a tag on that layer. We don't always send
|
||||
# notifications as if we are re-indexing a layer for a newer feature set in the security
|
||||
# scanner, notifications will be spammy.
|
||||
if (features.SECURITY_NOTIFICATIONS and set_status and
|
||||
previous_security_indexed_engine == IMAGE_NOT_SCANNED_ENGINE_VERSION):
|
||||
# Get the tags of the layer we analyzed.
|
||||
repository_map = defaultdict(list)
|
||||
event = ExternalNotificationEvent.get(name='vulnerability_found')
|
||||
|
|
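Review bot: The guard `previous_security_indexed_engine == IMAGE_NOT_SCANNED_ENGINE_VERSION` also suppresses `vulnerability_found` for a layer that a newer engine version re-indexes and finds vulnerable for the first time, and the new comment block explains only the spam motivation, not this gap. Add a sentence such as `# Consequence: vulnerabilities first detected by a re-index are not announced here; that case must be covered elsewhere or it is silently lost.` so the next reader does not assume every newly found vulnerability raises an event. The comment also says "a version of -1" while the code compares against the named constant; naming `IMAGE_NOT_SCANNED_ENGINE_VERSION` in the comment keeps the two from drifting. `previous_security_indexed_engine` is read from the `layer` object before `analyze_layer` in the earlier hunk, so it reflects whatever state the caller loaded, possibly stale; that is harmless only if `set_secscan_status` returns True solely for the worker that performs the transition, which cannot be confirmed from this page. The enclosing `LayerAnalyzer` method starts outside the hunk.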