Send notifications for previously unscannable layers in QSS
Following this change, if an image previously failed to index, notifications are sent once it is successfully indexed
This commit is contained in:
parent
2a6632cff4
commit
6871eb95b1
2 changed files with 42 additions and 51 deletions
@ -68,8 +68,10 @@ class LayerAnalyzer(object):
return True, set_secscan_status(layer, False, self._target_version)
|
# Analyze the image.
logger.info('Analyzing layer %s', layer.docker_image_id)
previously_security_indexed_successfully = layer.security_indexed
previous_security_indexed_engine = layer.security_indexed_engine
|
logger.info('Analyzing layer %s', layer.docker_image_id)
(analyzed_version, should_requeue) = self._api.analyze_layer(layer)
|
# If analysis failed, then determine whether we need to requeue.
|
@ -89,13 +91,17 @@ class LayerAnalyzer(object):
analyzed_version)
set_status = set_secscan_status(layer, True, analyzed_version)
|
# If we are the one who've done the job successfully first, and this is a *new* layer,
# as indicated by having a version of -1, get the vulnerabilities and
# send notifications to the repos that have a tag on that layer. We don't always send
# notifications as if we are re-indexing a layer for a newer feature set in the security
# scanner, notifications will be spammy.
# If we are the one who've done the job successfully first, then we need to decide if we should
# send notifications. Notifications are sent if:
# 1) This is a new layer
# 2) This is an existing layer that previously did not index properly
# We don't always send notifications as if we are re-indexing a successful layer for a newer
# feature set in the security scanner, notifications will be spammy.
is_new_image = previous_security_indexed_engine == IMAGE_NOT_SCANNED_ENGINE_VERSION
is_existing_image_unindexed = not is_new_image and not previously_security_indexed_successfully
if (features.SECURITY_NOTIFICATIONS and set_status and
previous_security_indexed_engine == IMAGE_NOT_SCANNED_ENGINE_VERSION):
(is_new_image or is_existing_image_unindexed)):
|
# Get the tags of the layer we analyzed.
repository_map = defaultdict(list)
event = ExternalNotificationEvent.get(name='vulnerability_found')
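Review bot: The `not is_new_image` term in `is_existing_image_unindexed` is redundant, because the flag is only consumed in the disjunction `is_new_image or is_existing_image_unindexed`, which reduces to `is_new_image or not previously_security_indexed_successfully`; either drop the term or fold both flags into one name that states the intent, e.g. `should_notify = is_new_image or not previously_security_indexed_successfully`. Both inputs are snapshots taken from `layer` before `analyze_layer` ran (the hunk at -68), so whether a second worker that re-indexed the same previously-failed layer in the meantime can also reach the notification branch depends on `set_secscan_status` comparing against the stored state rather than blindly overwriting it; that guarantee is not visible here, so if it holds it deserves a comment on `set_status`, e.g. `# set_status is True only for the worker whose update landed first; it gates duplicate notifications`. The enclosing method begins before the first hunk and continues past this one.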