9221a515de
when the storage engine doesn't support direct download url
import logging
import logging.config
import features
import time
from peewee import fn
from app import app, secscan_api
from workers.worker import Worker
from data.database import Image, UseThenDisconnect
from data.model.image import get_image_with_storage_and_parent_base
from util.secscan.api import SecurityConfigValidator
from util.secscan.analyzer import LayerAnalyzer
from util.migrate.allocator import yield_random_entries
from endpoints.v2 import v2_bp
# How many candidate images the allocator hands to the analyzer per batch.
BATCH_SIZE = 50

# Interval passed to Worker.add_operation for the indexing operation
# (presumably seconds; the unit is defined by Worker, not visible here).
INDEXING_INTERVAL = 30

# Module logger; configured by fileConfig() in the __main__ section.
logger = logging.getLogger(__name__)
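class SecurityWorker(Worker):
    """Background worker that feeds not-yet-indexed images to the security scanner.

    The indexing operation is only registered when the security-scanner
    configuration validates; otherwise the worker starts with no scheduled work
    and logs a warning, so a misconfigured scanner never produces partial scans
    silently.
    """

    def __init__(self):
        super(SecurityWorker, self).__init__()

        # Defined up front so the attributes exist even when validation fails
        # below (in that case the indexing operation is never registered).
        self._target_version = None
        self._analyzer = None
        self._min_id = None

        validator = SecurityConfigValidator(app.config)
        if not validator.valid():
            logger.warning('Failed to validate security scan configuration')
            return

        # Images whose security_indexed_engine is below this version get
        # (re)analyzed; the default target is engine version 2.
        self._target_version = app.config.get('SECURITY_SCANNER_ENGINE_VERSION_TARGET', 2)
        self._analyzer = LayerAnalyzer(app.config, secscan_api)

        # Lowest image id still needing analysis. None when nothing needs it
        # yet; _index_images recomputes it on demand in that case.
        self._min_id = self._lowest_unindexed_id()

        self.add_operation(self._index_images, INDEXING_INTERVAL)

    def _lowest_unindexed_id(self):
        """Return the smallest Image.id below the target engine version, or None if none."""
        return (Image
                .select(fn.Min(Image.id))
                .where(Image.security_indexed_engine < self._target_version)
                .scalar())

    def _index_images(self):
        """Analyze images in [self._min_id, max_id] that are below the target engine version.

        The DB work runs inside UseThenDisconnect(app.config) (presumably so the
        connection is released between scheduled runs). When the analyzer reports
        that another worker already claimed a layer, abt.set() is called, which
        looks like the allocator's abort signal for the current batch.
        """
        def batch_query():
            base_query = get_image_with_storage_and_parent_base()
            return base_query.where(Image.security_indexed_engine < self._target_version)

        # Highest image id that exists right now; None means the table is empty.
        max_id = Image.select(fn.Max(Image.id)).scalar()
        if max_id is None:
            return

        # _min_id is None when no image needed analysis at construction time.
        # Recompute it instead of handing None to the allocator, and bail out
        # if there is still nothing to do.
        if self._min_id is None:
            self._min_id = self._lowest_unindexed_id()
            if self._min_id is None:
                return

        with UseThenDisconnect(app.config):
            for candidate, abt in yield_random_entries(batch_query, Image.id, BATCH_SIZE, max_id,
                                                       self._min_id):
                _, continue_batch = self._analyzer.analyze_recursively(candidate)
                if not continue_batch:
                    # Another worker owns this layer; stop the current batch.
                    logger.info('Another worker pre-empted us for layer: %s', candidate.id)
                    abt.set()

        # Every image up to max_id has been visited; the next run starts after it.
        self._min_id = max_id + 1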
if __name__ == '__main__':
    # The v2 blueprint is registered before the worker starts; presumably the
    # analyzer relies on routes/URL building from it.
    app.register_blueprint(v2_bp, url_prefix='/v2')

    if not features.SECURITY_SCANNER:
        # NOTE: this debug line runs before fileConfig() below, so whether it
        # is emitted depends on whatever logging setup already exists.
        logger.debug('Security scanner disabled; skipping SecurityWorker')
        # Feature is off: idle forever instead of exiting so the process
        # supervisor does not keep restarting us.
        while True:
            time.sleep(100000)

    # Logging config file is trusted repository content (fileConfig can
    # instantiate handlers/classes named in it).
    logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)

    worker = SecurityWorker()
    worker.start()