workers.securityworker: find eligible tag images

2017-03-06 14:36:53 -05:00 · 2017-03-06 14:36:53 -05:00 · 904b902295
commit 904b902295
parent 16ccc946f3
2 changed files with 18 additions and 4 deletions
--- a/data/model/tag.py
+++ b/data/model/tag.py
@ -2,7 +2,7 @@ import logging

 from uuid import uuid4

-from peewee import IntegrityError
+from peewee import IntegrityError, JOIN_LEFT_OUTER
 from data.model import (image, db_transaction, DataModelException, _basequery,
                        InvalidManifestException, TagAlreadyCreatedException, StaleTagException)
 from data.database import (RepositoryTag, Repository, Image, ImageStorage, Namespace, TagManifest,
@ -13,6 +13,20 @@ from data.database import (RepositoryTag, Repository, Image, ImageStorage, Names
 logger = logging.getLogger(__name__)


+def get_tags_images_eligible_for_scan(clair_version):
+  Parent = Image.alias()
+  ParentImageStorage = ImageStorage.alias()
+
+  return _tag_alive(Image
+                    .select(Image, ImageStorage, Parent, ParentImageStorage, RepositoryTag)
+                    .join(RepositoryTag, on=(RepositoryTag.image == Image.id))
+                    .join(ImageStorage, on=(Image.storage == ImageStorage.id))
+                    .switch(Image)
+                    .join(Parent, JOIN_LEFT_OUTER, on=(Image.parent == Parent.id))
+                    .join(ParentImageStorage, JOIN_LEFT_OUTER, on=(ParentImageStorage.id == Parent.storage))
+                    .where(Image.security_indexed_engine < clair_version))
+
+
 def _tag_alive(query, now_ts=None):
  if now_ts is None:
    now_ts = get_epoch_timestamp()
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@ -6,8 +6,8 @@ import features
 from app import app, secscan_api, prometheus
 from workers.worker import Worker
 from data.database import UseThenDisconnect
-from data.model.image import (get_images_eligible_for_scan, get_max_id_for_sec_scan,
-                              get_min_id_for_sec_scan, get_image_id)
+from data.model.image import get_max_id_for_sec_scan, get_min_id_for_sec_scan, get_image_id
+from data.model.tag import get_tags_images_eligible_for_scan
 from util.secscan.api import SecurityConfigValidator
 from util.secscan.analyzer import LayerAnalyzer, PreemptedException
 from util.migrate.allocator import yield_random_entries
@ -43,7 +43,7 @@ class SecurityWorker(Worker):

  def _index_images(self):
    def batch_query():
-      return get_images_eligible_for_scan(self._target_version)
+      return get_tags_images_eligible_for_scan(self._target_version)

    # Get the ID of the last image we can analyze. Will be None if there are no images in the
    # database.