Merge pull request #2236 from coreos-inc/qss-notification

Send notifications for previously unscannable layers in QSS
This commit is contained in:
josephschorr 2016-12-14 11:56:25 -05:00 committed by GitHub
commit fde81c1b58
2 changed files with 42 additions and 51 deletions

View file

@ -10,7 +10,7 @@ from util.secscan.api import SecurityScannerAPI, AnalyzeLayerException
from util.secscan.analyzer import LayerAnalyzer
from util.secscan.notifier import process_notification_data
from data import model
from data.database import Image
from data.database import Image, IMAGE_NOT_SCANNED_ENGINE_VERSION
from workers.security_notification_worker import SecurityNotificationWorker
from endpoints.v2 import v2_bp
@ -271,8 +271,7 @@ class TestSecurityScanner(unittest.TestCase):
self.assertEquals(False, layer.security_indexed)
self.assertEquals(1, layer.security_indexed_engine)
def test_analyze_layer_success_events(self):
def assert_analyze_layer_notify(self, security_indexed_engine, security_indexed, expect_notification):
layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
self.assertFalse(layer.security_indexed)
self.assertEquals(-1, layer.security_indexed_engine)
@ -284,6 +283,11 @@ class TestSecurityScanner(unittest.TestCase):
repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
model.notification.create_repo_notification(repo, 'vulnerability_found', 'quay_notification', {}, {'level': 100})
# Update the layer's state before analyzing.
layer.security_indexed_engine = security_indexed_engine
layer.security_indexed = security_indexed
layer.save()
with HTTMock(analyze_layer_success_mock, get_layer_success_mock, response_content):
analyzer = LayerAnalyzer(app.config, self.api)
analyzer.analyze_recursively(layer)
@ -291,9 +295,11 @@ class TestSecurityScanner(unittest.TestCase):
layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
self.assertAnalyzed(layer, True, 1)
# Ensure an event was written for the tag.
# Ensure an event was written for the tag (if necessary).
time.sleep(1)
queue_item = notification_queue.get()
if expect_notification:
self.assertIsNotNone(queue_item)
body = json.loads(queue_item.body)
@ -301,46 +307,25 @@ class TestSecurityScanner(unittest.TestCase):
self.assertEquals('CVE-2014-9471', body['event_data']['vulnerability']['id'])
self.assertEquals('Low', body['event_data']['vulnerability']['priority'])
self.assertTrue(body['event_data']['vulnerability']['has_fix'])
else:
self.assertIsNone(queue_item)
# Ensure its security indexed engine was updated.
updated_layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
self.assertEquals(updated_layer.id, layer.id)
self.assertTrue(updated_layer.security_indexed_engine > 0)
def test_analyze_layer_success_events(self):
# Not previously indexed at all => Notification
self.assert_analyze_layer_notify(IMAGE_NOT_SCANNED_ENGINE_VERSION, False, True)
def test_analyze_layer_success_no_notification(self):
layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
self.assertFalse(layer.security_indexed)
self.assertEquals(-1, layer.security_indexed_engine)
# Ensure there are no existing events.
self.assertIsNone(notification_queue.get())
# Set the security_indexed_engine of the layer to 0 to ensure it is marked as having been
# indexed (in some form) before this call.
layer.security_indexed_engine = 0
layer.save()
# Add a repo event for the layer.
repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
model.notification.create_repo_notification(repo, 'vulnerability_found', 'quay_notification', {}, {'level': 100})
with HTTMock(analyze_layer_success_mock, get_layer_success_mock, response_content):
analyzer = LayerAnalyzer(app.config, self.api)
analyzer.analyze_recursively(layer)
layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
self.assertAnalyzed(layer, True, 1)
# Ensure no event was written for the tag, as the layer was being re-indexed.
time.sleep(1)
self.assertIsNone(notification_queue.get())
# Ensure its security indexed engine was updated.
updated_layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
self.assertEquals(updated_layer.id, layer.id)
self.assertTrue(updated_layer.security_indexed_engine > 0)
# Previously successfully indexed => No notification
self.assert_analyze_layer_notify(0, True, False)
def test_analyze_layer_failed_then_success_notification(self):
# Previously failed to index => Notification
self.assert_analyze_layer_notify(0, False, True)
def _get_notification_data(self, new_layer_ids, old_layer_ids, new_severity='Low'):
return {

View file

@ -68,8 +68,10 @@ class LayerAnalyzer(object):
return True, set_secscan_status(layer, False, self._target_version)
# Analyze the image.
logger.info('Analyzing layer %s', layer.docker_image_id)
previously_security_indexed_successfully = layer.security_indexed
previous_security_indexed_engine = layer.security_indexed_engine
logger.info('Analyzing layer %s', layer.docker_image_id)
(analyzed_version, should_requeue) = self._api.analyze_layer(layer)
# If analysis failed, then determine whether we need to requeue.
@ -89,13 +91,17 @@ class LayerAnalyzer(object):
analyzed_version)
set_status = set_secscan_status(layer, True, analyzed_version)
# If we are the one who've done the job successfully first, and this is a *new* layer,
# as indicated by having a version of -1, get the vulnerabilities and
# send notifications to the repos that have a tag on that layer. We don't always send
# notifications as if we are re-indexing a layer for a newer feature set in the security
# scanner, notifications will be spammy.
# If we are the one who've done the job successfully first, then we need to decide if we should
# send notifications. Notifications are sent if:
# 1) This is a new layer
# 2) This is an existing layer that previously did not index properly
# We don't always send notifications as if we are re-indexing a successful layer for a newer
# feature set in the security scanner, notifications will be spammy.
is_new_image = previous_security_indexed_engine == IMAGE_NOT_SCANNED_ENGINE_VERSION
is_existing_image_unindexed = not is_new_image and not previously_security_indexed_successfully
if (features.SECURITY_NOTIFICATIONS and set_status and
previous_security_indexed_engine == IMAGE_NOT_SCANNED_ENGINE_VERSION):
(is_new_image or is_existing_image_unindexed)):
# Get the tags of the layer we analyzed.
repository_map = defaultdict(list)
event = ExternalNotificationEvent.get(name='vulnerability_found')