provides the ability to scan image vulnerabilities locally through sc…

…ripts Signed-off-by: zhzhuang-zju <m17799853869@163.com>
karmada-io · Jan 10, 2024 · e164bac · e164bac
1 parent dde3533
commit e164bac
Show file tree

Hide file tree

Showing 2 changed files with 153 additions and 0 deletions.
diff --git a/hack/verify-vuln.sh b/hack/verify-vuln.sh
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# Copyright 2023 The Karmada Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# This script starts a images scanning with trivy, and returns whether the provided vulnerability has been resolved
+# Parameters: [skip-image-generation] if you want to skip the image generation step to make scanning faster
+# Parameters: [vulns](optional) vulnerability names, multiple can be separated by commas, like 'CVE-2023-45142,CVE-2023-451333'.
+# This script depends on utils in: ${REPO_ROOT}/hack/vuln-scan-local.sh
+
+function usage() {
+    echo "Usage:"
+    echo "    hack/verify-vuln.sh [skip-image-generation] [vulns][-h]"
+    echo "Args:"
+    echo "    skip-image-generation: whether to skip image generation"
+    echo "    vulns: (optional) vulnerability names, multiple can be separated by commas, like 'CVE-2023-45142,CVE-2023-451333'"
+    echo "    h: print help information"
+}
+
+while getopts 'h' OPT; do
+    case $OPT in
+        h)
+          usage
+          exit 0
+          ;;
+        ?)
+          usage
+          exit 1
+          ;;
+    esac
+done
+
+
+REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+cd "${REPO_ROOT}"
+
+vulns=$2
+IFS=,
+vuln_arrary=($vulns)
+
+echo "start image scan"
+res=$(hack/vuln-scan-local.sh $1)
+for vuln in $vuln_arrary
+do
+  if [[ $res == *$vuln* ]]
+  then
+  	echo "Images still have a security vulnerability $vuln, detail:"
+  	echo "$(echo $res |grep "Fixed Version" | head -n 1 )"
+  	echo "$(echo $res |grep $vuln | head -n 1 )"
+  	exit 1
+  fi
+done
+
+echo "Congratulations! All images have not been scanned for security vulnerabilities $2."
diff --git a/hack/vuln-scan-local.sh b/hack/vuln-scan-local.sh
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# Copyright 2023 The Karmada Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# This script starts a images scanning with trivy
+# Parameters: [skip-image-generation] if you want to skip the image generation step to make scanning faster
+# This script depends on utils in: ${REPO_ROOT}/hack/util.sh
+# 1. used to locally scan Karmada component image vulnerabilities with trivy
+
+function usage() {
+    echo "Usage:"
+    echo "    hack/vuln-scan-local.sh [skip-image-generation] [-h]"
+    echo "Args:"
+    echo "    skip-image-generation: whether to skip image generation"
+    echo "    h: print help information"
+}
+
+while getopts 'h' OPT; do
+    case $OPT in
+        h)
+          usage
+          exit 0
+          ;;
+        ?)
+          usage
+          exit 1
+          ;;
+    esac
+done
+
+
+REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+cd "${REPO_ROOT}"
+source "hack/util.sh"
+
+echo -n "Preparing: 'trivy' existence check - "
+if util::cmd_exist trivy ; then
+	echo "pass"
+else
+	echo "start installing trivy"
+	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.1
+fi
+
+export VERSION=${VERSION:-"latest"}
+export REGISTRY=${REGISTRY:-"docker.io/karmada"}
+IMAGE_ARRAR=(
+	karmada-controller-manager
+  karmada-scheduler
+  karmada-descheduler
+  karmada-webhook
+  karmada-agent
+  karmada-scheduler-estimator
+  karmada-interpreter-webhook-example
+  karmada-aggregated-apiserver
+  karmada-search
+  karmada-operator
+  karmada-metrics-adapter
+)
+
+if ! $1; then
+	echo "start generating image"
+	make images GOOS="linux" --directory=.
+fi
+echo "start image scan"
+for image in ${IMAGE_ARRAR[@]}
+do
+  imageRef="$REGISTRY/$image:$VERSION"
+  echo "---------------------------- the image scanning result of Image <<$imageRef>> ----------------------------"
+  trivy image --format table --ignore-unfixed --vuln-type os,library --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL -q $imageRef
+done