Update quay sec code to fix problems identified in previous review

- Change get_repository_images_recursive to operate over a single docker image and storage uuid - Move endpoints/sec to endpoints/secscan - Change notification system to work with new Quay-sec format Fixes #768
2015-11-09 17:12:22 -05:00 · 2015-11-09 17:12:22 -05:00 · a69c9e12fd
commit a69c9e12fd
parent 16c364a90c
7 changed files with 146 additions and 79 deletions
--- a/util/secscan/secscanendpoint.py
+++ b/util/secscan/secscanendpoint.py
@ -1,7 +1,6 @@
 import features
 import logging
 import requests
-import json

 from urlparse import urljoin

@ -36,7 +35,33 @@ class SecurityScanEndpoint(object):

    return None

-  def call_api(self, relative_url, *args, **kwargs):
+  def check_layer_vulnerable(self, layer_id, cve_id):
+    """ Checks with Clair whether the given layer is vulnerable to the given CVE. """
+    try:
+      body = {
+        'LayersIDs': [layer_id]
+      }
+      response = self.call_api('vulnerabilities/%s/affected-layers', body, cve_id)
+    except requests.exceptions.RequestException:
+      logger.exception('Got exception when trying to call Clair endpoint')
+      return False
+
+    if response.status_code != 200:
+      return False
+
+    try:
+      response_data = response.json()
+    except ValueError:
+      logger.exception('Got exception when trying to parse Clair response')
+      return False
+
+    if (not layer_id in response_data or
+        not response_data[layer_id].get('Vulnerable', False)):
+      return False
+
+    return True
+
+  def call_api(self, relative_url, body=None, *args, **kwargs):
    """ Issues an HTTP call to the sec API at the given relative URL. """
    security_config = self.security_config
    api_url = urljoin(security_config['ENDPOINT'], '/' + security_config['API_VERSION']) + '/'
@ -46,5 +71,9 @@ class SecurityScanEndpoint(object):
    timeout = security_config.get('API_TIMEOUT_SECONDS', 1)
    logger.debug('Looking up sec information: %s', url)

-    return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
-                      verify=self.certificate)
+    if body is not None:
+      return client.post(url, json=body, params=kwargs, timeout=timeout, cert=self.keys,
+                         verify=self.certificate)
+    else:
+      return client.get(url, params=kwargs, timeout=timeout, cert=self.keys,
+                        verify=self.certificate)