| import logging
 | |
| import logging.config
 | |
| import time
 | |
| 
 | |
| import features
 | |
| 
 | |
| from peewee import fn
 | |
| 
 | |
| from app import app, secscan_api
 | |
| from workers.worker import Worker
 | |
| from data.database import Image, UseThenDisconnect
 | |
| from data.model.image import get_image_with_storage_and_parent_base
 | |
| from util.secscan.api import SecurityConfigValidator
 | |
| from util.secscan.analyzer import LayerAnalyzer
 | |
| from util.migrate.allocator import yield_random_entries
 | |
| from endpoints.v2 import v2_bp
 | |
| 
 | |
# Number of images requested per batch from yield_random_entries in _index_images.
BATCH_SIZE = 50
# Interval handed to Worker.add_operation for the indexing pass (unit not visible
# here; presumably seconds — confirm against workers.worker).
INDEXING_INTERVAL = 30

logger = logging.getLogger(__name__)
| 
 | |
class SecurityWorker(Worker):
  """Background worker that feeds not-yet-indexed images to the security scanner.

  The scanner configuration in ``app.config`` is validated on construction. Only
  when it validates is the indexing pass registered with ``add_operation`` at
  ``INDEXING_INTERVAL``; otherwise a warning is logged and the worker stays idle,
  so no scanner calls are made against a misconfigured endpoint.
  """

  def __init__(self):
    super(SecurityWorker, self).__init__()

    # Guard clause: an invalid scanner config leaves the worker without any
    # scheduled operation rather than failing later inside the analyzer.
    if not SecurityConfigValidator(app.config).valid():
      logger.warning('Failed to validate security scan configuration')
      return

    # Images whose security_indexed_engine is below this version are (re)analyzed.
    self._target_version = app.config.get('SECURITY_SCANNER_ENGINE_VERSION_TARGET', 2)
    self._analyzer = LayerAnalyzer(app.config, secscan_api)

    # Lowest image id still needing analysis; the scan window starts here.
    # NOTE(review): this is None when no image is below the target version —
    # confirm yield_random_entries accepts a None lower bound.
    lowest_pending = (Image
                      .select(fn.Min(Image.id))
                      .where(Image.security_indexed_engine < self._target_version))
    self._min_id = lowest_pending.scalar()

    self.add_operation(self._index_images, INDEXING_INTERVAL)

  def _index_images(self):
    """Analyze every image whose security index is below the target version.

    Returns early when the Image table is empty. Once the pass completes, the
    lower bound of the scan window is moved past the highest id seen so the next
    run starts from newer images only.
    """
    def pending_images():
      # Base query joins storage and parent so the analyzer sees the full layer chain.
      images = get_image_with_storage_and_parent_base()
      return images.where(Image.security_indexed_engine < self._target_version)

    # Upper bound of the scan window; None means there are no images at all.
    upper_bound = Image.select(fn.Max(Image.id)).scalar()
    if upper_bound is None:
      return

    with UseThenDisconnect(app.config):
      entries = yield_random_entries(pending_images, Image.id, BATCH_SIZE, upper_bound,
                                     self._min_id)
      for image, abort_signal in entries:
        _, keep_going = self._analyzer.analyze_recursively(image)
        if keep_going:
          continue
        # Another worker took over this layer: tell the generator to abandon the
        # current batch. Iteration is deliberately not broken out of here.
        logger.info('Another worker pre-empted us for layer: %s', image.id)
        abort_signal.set()

    # Everything up to upper_bound has been visited; the next run starts after it.
    self._min_id = upper_bound + 1
| 
 | |
if __name__ == '__main__':
  # The v2 blueprint is registered before anything else runs; the reason is not
  # visible in this file — confirm against the analyzer / secscan_api callers.
  app.register_blueprint(v2_bp, url_prefix='/v2')

  # With the scanner feature off, the process idles forever instead of exiting
  # (presumably so a supervisor does not keep restarting it); nothing below runs.
  if not features.SECURITY_SCANNER:
    logger.debug('Security scanner disabled; skipping SecurityWorker')
    while True:
      time.sleep(100000)

  # Logging is configured before the worker is built, so the config-validation
  # warning emitted by SecurityWorker.__init__ goes through this configuration.
  logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)
  worker = SecurityWorker()
  worker.start()