zot/pkg/extensions/search/cve/cve.go

package cveinfo

import (
	"flag"
	"fmt"
	"path"
	"strings"

	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
	"github.com/aquasecurity/trivy/pkg/commands/artifact"
	"github.com/aquasecurity/trivy/pkg/commands/operation"
	"github.com/aquasecurity/trivy/pkg/report"
	"github.com/aquasecurity/trivy/pkg/types"
	"github.com/urfave/cli/v2"
	"zotregistry.io/zot/pkg/extensions/search/common"
	"zotregistry.io/zot/pkg/log"
	"zotregistry.io/zot/pkg/storage"
)

func getRoutePrefix(name string) string {
	names := strings.SplitN(name, "/", 2) //nolint:gomnd

	if len(names) != 2 { // nolint: gomnd
		// it means route is of global storage e.g "centos:latest"
		if len(names) == 1 {
			return "/"
		}
	}

	return fmt.Sprintf("/%s", names[0])
}

// UpdateCVEDb ...
func UpdateCVEDb(dbDir string, log log.Logger) error {
	return operation.DownloadDB("dev", dbDir, false, false, false)
}

// NewTrivyContext set some trivy configuration value and return a context.
func NewTrivyContext(dir string) *TrivyCtx {
	trivyCtx := &TrivyCtx{}

	app := &cli.App{}

	flagSet := &flag.FlagSet{}

	var cacheDir string

	flagSet.StringVar(&cacheDir, "cache-dir", dir, "")

	var vuln string

	flagSet.StringVar(&vuln, "vuln-type", strings.Join([]string{types.VulnTypeOS, types.VulnTypeLibrary}, ","), "")

	var severity string

	flagSet.StringVar(&severity, "severity", strings.Join(dbTypes.SeverityNames, ","), "")

	flagSet.StringVar(&trivyCtx.Input, "input", "", "")

	var securityCheck string

	flagSet.StringVar(&securityCheck, "security-checks", types.SecurityCheckVulnerability, "")

	var reportFormat string

	flagSet.StringVar(&reportFormat, "format", "table", "")

	ctx := cli.NewContext(app, flagSet, nil)

	trivyCtx.Ctx = ctx

	return trivyCtx
}

func ScanImage(ctx *cli.Context) (report.Report, error) {
	return artifact.TrivyImageRun(ctx)
}

func GetCVEInfo(storeController storage.StoreController, log log.Logger) (*CveInfo, error) {
	cveController := CveTrivyController{}
	layoutUtils := common.NewBaseOciLayoutUtils(storeController, log)

	subCveConfig := make(map[string]*TrivyCtx)

	if storeController.DefaultStore != nil {
		imageStore := storeController.DefaultStore

		rootDir := imageStore.RootDir()

		ctx := NewTrivyContext(rootDir)

		cveController.DefaultCveConfig = ctx
	}

	if storeController.SubStore != nil {
		for route, storage := range storeController.SubStore {
			rootDir := storage.RootDir()

			ctx := NewTrivyContext(rootDir)

			subCveConfig[route] = ctx
		}
	}

	cveController.SubCveConfig = subCveConfig

	return &CveInfo{
		Log: log, CveTrivyController: cveController, StoreController: storeController,
		LayoutUtils: layoutUtils,
	}, nil
}

func (cveinfo CveInfo) GetTrivyContext(image string) *TrivyCtx {
	// Split image to get route prefix
	prefixName := getRoutePrefix(image)

	var trivyCtx *TrivyCtx

	var ok bool

	var rootDir string

	// Get corresponding CVE trivy config, if no sub cve config present that means its default
	trivyCtx, ok = cveinfo.CveTrivyController.SubCveConfig[prefixName]
	if ok {
		imgStore := cveinfo.StoreController.SubStore[prefixName]

		rootDir = imgStore.RootDir()
	} else {
		trivyCtx = cveinfo.CveTrivyController.DefaultCveConfig

		imgStore := cveinfo.StoreController.DefaultStore

		rootDir = imgStore.RootDir()
	}

	trivyCtx.Input = path.Join(rootDir, image)

	return trivyCtx
}

func (cveinfo CveInfo) GetImageListForCVE(repo, cvid string, imgStore storage.ImageStore,
	trivyCtx *TrivyCtx,
) ([]*string, error) {
	tags := make([]*string, 0)

	tagList, err := imgStore.GetImageTags(repo)
	if err != nil {
		cveinfo.Log.Error().Err(err).Msg("unable to get list of image tag")

		return tags, err
	}

	rootDir := imgStore.RootDir()

	for _, tag := range tagList {
		image := fmt.Sprintf("%s:%s", repo, tag)

		trivyCtx.Input = path.Join(rootDir, image)

		isValidImage, _ := cveinfo.LayoutUtils.IsValidImageFormat(image)
		if !isValidImage {
			cveinfo.Log.Debug().Str("image", repo+":"+tag).Msg("image media type not supported for scanning")

			continue
		}

		cveinfo.Log.Info().Str("image", repo+":"+tag).Msg("scanning image")

		report, err := ScanImage(trivyCtx.Ctx)
		if err != nil {
			cveinfo.Log.Error().Err(err).Str("image", repo+":"+tag).Msg("unable to scan image")

			continue
		}

		for _, result := range report.Results {
			for _, vulnerability := range result.Vulnerabilities {
				if vulnerability.VulnerabilityID == cvid {
					copyImgTag := tag
					tags = append(tags, &copyImgTag)

					break
				}
			}
		}
	}

	return tags, nil
}
Added search extension and integrated trivy to support image vulnerability scanning 2020-06-24 14:38:42 -05:00			`package cveinfo`

			`import (`
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`"flag"`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`"fmt"`
Added image format validation to validate media type because squashfs image media type not supported for vulnerability scanning 2020-08-19 01:03:16 -05:00			`"path"`
			`"strings"`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`dbTypes "github.com/aquasecurity/trivy-db/pkg/types"`
			`"github.com/aquasecurity/trivy/pkg/commands/artifact"`
			`"github.com/aquasecurity/trivy/pkg/commands/operation"`
Added graphql api feature for image vulnerability scanning 2020-06-26 14:09:10 -05:00			`"github.com/aquasecurity/trivy/pkg/report"`
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`"github.com/aquasecurity/trivy/pkg/types"`
			`"github.com/urfave/cli/v2"`
move references to zotregistry.io and project-zot Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-03 22:50:58 -05:00			`"zotregistry.io/zot/pkg/extensions/search/common"`
			`"zotregistry.io/zot/pkg/log"`
			`"zotregistry.io/zot/pkg/storage"`
Added search extension and integrated trivy to support image vulnerability scanning 2020-06-24 14:38:42 -05:00			`)`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`func getRoutePrefix(name string) string {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`names := strings.SplitN(name, "/", 2) //nolint:gomnd`
Added search extension and integrated trivy to support image vulnerability scanning 2020-06-24 14:38:42 -05:00
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`if len(names) != 2 { // nolint: gomnd`
			`// it means route is of global storage e.g "centos:latest"`
			`if len(names) == 1 {`
			`return "/"`
			`}`
Added search extension and integrated trivy to support image vulnerability scanning 2020-06-24 14:38:42 -05:00			`}`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`return fmt.Sprintf("/%s", names[0])`
Added search extension and integrated trivy to support image vulnerability scanning 2020-06-24 14:38:42 -05:00			`}`
Added graphql api feature for image vulnerability scanning 2020-06-26 14:09:10 -05:00
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`// UpdateCVEDb ...`
			`func UpdateCVEDb(dbDir string, log log.Logger) error {`
			`return operation.DownloadDB("dev", dbDir, false, false, false)`
			`}`

			`// NewTrivyContext set some trivy configuration value and return a context.`
			`func NewTrivyContext(dir string) *TrivyCtx {`
			`trivyCtx := &TrivyCtx{}`

			`app := &cli.App{}`

			`flagSet := &flag.FlagSet{}`

			`var cacheDir string`

			`flagSet.StringVar(&cacheDir, "cache-dir", dir, "")`

			`var vuln string`

			`flagSet.StringVar(&vuln, "vuln-type", strings.Join([]string{types.VulnTypeOS, types.VulnTypeLibrary}, ","), "")`

			`var severity string`

			`flagSet.StringVar(&severity, "severity", strings.Join(dbTypes.SeverityNames, ","), "")`

			`flagSet.StringVar(&trivyCtx.Input, "input", "", "")`

			`var securityCheck string`

			`flagSet.StringVar(&securityCheck, "security-checks", types.SecurityCheckVulnerability, "")`

			`var reportFormat string`

			`flagSet.StringVar(&reportFormat, "format", "table", "")`

			`ctx := cli.NewContext(app, flagSet, nil)`

			`trivyCtx.Ctx = ctx`

			`return trivyCtx`
Added graphql api feature for image vulnerability scanning 2020-06-26 14:09:10 -05:00			`}`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`func ScanImage(ctx *cli.Context) (report.Report, error) {`
			`return artifact.TrivyImageRun(ctx)`
Added graphql api feature for image vulnerability scanning 2020-06-26 14:09:10 -05:00			`}`
Added image format validation to validate media type because squashfs image media type not supported for vulnerability scanning 2020-08-19 01:03:16 -05:00
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`func GetCVEInfo(storeController storage.StoreController, log log.Logger) (*CveInfo, error) {`
			`cveController := CveTrivyController{}`
freeform querry api Signed-off-by: Laurentiu Niculae <themelopeus@gmail.com> 2022-07-12 07:58:04 -05:00			`layoutUtils := common.NewBaseOciLayoutUtils(storeController, log)`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`subCveConfig := make(map[string]*TrivyCtx)`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00
			`if storeController.DefaultStore != nil {`
			`imageStore := storeController.DefaultStore`

			`rootDir := imageStore.RootDir()`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`ctx := NewTrivyContext(rootDir)`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`cveController.DefaultCveConfig = ctx`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`}`

			`if storeController.SubStore != nil {`
			`for route, storage := range storeController.SubStore {`
			`rootDir := storage.RootDir()`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`ctx := NewTrivyContext(rootDir)`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`subCveConfig[route] = ctx`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`}`
			`}`

			`cveController.SubCveConfig = subCveConfig`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`return &CveInfo{`
			`Log: log, CveTrivyController: cveController, StoreController: storeController,`
			`LayoutUtils: layoutUtils,`
			`}, nil`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`}`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`func (cveinfo CveInfo) GetTrivyContext(image string) *TrivyCtx {`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`// Split image to get route prefix`
			`prefixName := getRoutePrefix(image)`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`var trivyCtx *TrivyCtx`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00
			`var ok bool`

			`var rootDir string`

			`// Get corresponding CVE trivy config, if no sub cve config present that means its default`
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`trivyCtx, ok = cveinfo.CveTrivyController.SubCveConfig[prefixName]`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`if ok {`
			`imgStore := cveinfo.StoreController.SubStore[prefixName]`

			`rootDir = imgStore.RootDir()`
			`} else {`
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`trivyCtx = cveinfo.CveTrivyController.DefaultCveConfig`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00
			`imgStore := cveinfo.StoreController.DefaultStore`

			`rootDir = imgStore.RootDir()`
			`}`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`trivyCtx.Input = path.Join(rootDir, image)`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`return trivyCtx`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`}`

Fix problems signaled by new linter version v1.45.2 PR (linter: upgrade linter version #405) triggered lint job which failed with many errors generated by various linters. Configurations were added to golangcilint.yaml and several refactorings were made in order to improve the results of the linter. maintidx linter disabled Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-03-21 12:37:23 -05:00			`func (cveinfo CveInfo) GetImageListForCVE(repo, cvid string, imgStore storage.ImageStore,`
			`trivyCtx *TrivyCtx,`
			`) ([]*string, error) {`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`tags := make([]*string, 0)`

			`tagList, err := imgStore.GetImageTags(repo)`
			`if err != nil {`
			`cveinfo.Log.Error().Err(err).Msg("unable to get list of image tag")`

			`return tags, err`
			`}`

			`rootDir := imgStore.RootDir()`

			`for _, tag := range tagList {`
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`image := fmt.Sprintf("%s:%s", repo, tag)`

			`trivyCtx.Input = path.Join(rootDir, image)`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00
search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`isValidImage, _ := cveinfo.LayoutUtils.IsValidImageFormat(image)`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`if !isValidImage {`
			`cveinfo.Log.Debug().Str("image", repo+":"+tag).Msg("image media type not supported for scanning")`

			`continue`
			`}`

			`cveinfo.Log.Info().Str("image", repo+":"+tag).Msg("scanning image")`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`report, err := ScanImage(trivyCtx.Ctx)`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`if err != nil {`
			`cveinfo.Log.Error().Err(err).Str("image", repo+":"+tag).Msg("unable to scan image")`

			`continue`
			`}`

search: update trivy trivy updated to v0.20.0 trivy-db updated to bec0c6a fanal updated to f7efd1b 2021-10-04 16:27:26 -05:00			`for _, result := range report.Results {`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`for _, vulnerability := range result.Vulnerabilities {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 14:23:31 -05:00			`if vulnerability.VulnerabilityID == cvid {`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181 2021-04-05 19:40:33 -05:00			`copyImgTag := tag`
			`tags = append(tags, &copyImgTag)`

			`break`
			`}`
			`}`
			`}`
			`}`

			`return tags, nil`
			`}`