From e164bacc0b1cedccb714a80d07e446938a949b30 Mon Sep 17 00:00:00 2001
From: zhzhuang-zju
Date: Wed, 10 Jan 2024 09:49:43 +0800
Subject: [PATCH] provides the ability to scan image vulnerabilities locally through scripts

Signed-off-by: zhzhuang-zju
---
 hack/verify-vuln.sh | 68 +++++++++++++++++++++++++++++++++
 hack/vuln-scan-local.sh | 85 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 153 insertions(+)
 create mode 100755 hack/verify-vuln.sh
 create mode 100755 hack/vuln-scan-local.sh

diff --git a/hack/verify-vuln.sh b/hack/verify-vuln.sh
new file mode 100755
index 000000000000..6cae1bb817b8
--- /dev/null
+++ b/hack/verify-vuln.sh
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# Copyright 2023 The Karmada Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# This script starts a images scanning with trivy, and returns whether the provided vulnerability has been resolved
+# Parameters: [skip-image-generation] if you want to skip the image generation step to make scanning faster
+# Parameters: [vulns](optional) vulnerability names, multiple can be separated by commas, like 'CVE-2023-45142,CVE-2023-451333'.
+# This script depends on utils in: ${REPO_ROOT}/hack/vuln-scan-local.sh
+
+function usage() {
+ echo "Usage:"
+ echo " hack/verify-vuln.sh [skip-image-generation] [vulns][-h]"
+ echo "Args:"
+ echo " skip-image-generation: whether to skip image generation"
+ echo " vulns: (optional) vulnerability names, multiple can be separated by commas, like 'CVE-2023-45142,CVE-2023-451333'"
+ echo " h: print help information"
+}
+
+while getopts 'h' OPT; do
+ case $OPT in
+ h)
+ usage
+ exit 0
+ ;;
+ ?)
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+
+REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+cd "${REPO_ROOT}"
+
+vulns=$2
+IFS=,
+vuln_arrary=($vulns)
+
+echo "start image scan"
+res=$(hack/vuln-scan-local.sh $1)
+for vuln in $vuln_arrary
+do
+ if [[ $res == *$vuln* ]]
+ then
+ echo "Images still have a security vulnerability $vuln, detail:"
+ echo "$(echo $res |grep "Fixed Version" | head -n 1 )"
+ echo "$(echo $res |grep $vuln | head -n 1 )"
+ exit 1
+ fi
+done
+
+echo "Congratulations! All images have not been scanned for security vulnerabilities $2."
diff --git a/hack/vuln-scan-local.sh b/hack/vuln-scan-local.sh
new file mode 100755
index 000000000000..bd1119ee3ba4
--- /dev/null
+++ b/hack/vuln-scan-local.sh
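Review bot: Only the first vulnerability ID is ever checked: `vuln_arrary=($vulns)` builds an array, but `for vuln in $vuln_arrary` expands just element 0, so with 'CVE-2023-45142,CVE-2023-451333' the second CVE is silently skipped and the script still prints the success line. The "(optional)" `vulns` argument also contradicts `set -o nounset`: `vulns=$2` aborts with an unbound-variable error whenever no IDs are passed. I would change the three lines to `vulns=${2:-}`, `IFS=, read -r -a vuln_arrary <<<"$vulns"` (which keeps the comma IFS local instead of leaving `IFS=,` in force for the rest of the script and for the `echo $res` expansions), and `for vuln in "${vuln_arrary[@]}"` (an empty array is safe under nounset on bash 4.4+). Because the scanner it calls runs with `--ignore-unfixed`, a CVE that has no fixed version never appears in `$res`, so a comment should say that a clean result means "not present or not yet fixable", not "no known CVEs". The closing message also says the opposite of what was verified; `echo "Congratulations! None of the images report the vulnerabilities $vulns."` states the actual result.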
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# Copyright 2023 The Karmada Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# This script starts a images scanning with trivy
+# Parameters: [skip-image-generation] if you want to skip the image generation step to make scanning faster
+# This script depends on utils in: ${REPO_ROOT}/hack/util.sh
+# 1. used to locally scan Karmada component image vulnerabilities with trivy
+
+function usage() {
+ echo "Usage:"
+ echo " hack/vuln-scan-local.sh [skip-image-generation] [-h]"
+ echo "Args:"
+ echo " skip-image-generation: whether to skip image generation"
+ echo " h: print help information"
+}
+
+while getopts 'h' OPT; do
+ case $OPT in
+ h)
+ usage
+ exit 0
+ ;;
+ ?)
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+
+REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+cd "${REPO_ROOT}"
+source "hack/util.sh"
+
+echo -n "Preparing: 'trivy' existence check - "
+if util::cmd_exist trivy ; then
+ echo "pass"
+else
+ echo "start installing trivy"
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.1
+fi
+
+export VERSION=${VERSION:-"latest"}
+export REGISTRY=${REGISTRY:-"docker.io/karmada"}
+IMAGE_ARRAR=(
+ karmada-controller-manager
+ karmada-scheduler
+ karmada-descheduler
+ karmada-webhook
+ karmada-agent
+ karmada-scheduler-estimator
+ karmada-interpreter-webhook-example
+ karmada-aggregated-apiserver
+ karmada-search
+ karmada-operator
+ karmada-metrics-adapter
+)
+
+if ! $1; then
+ echo "start generating image"
+ make images GOOS="linux" --directory=.
+fi
+echo "start image scan"
+for image in ${IMAGE_ARRAR[@]}
+do
+ imageRef="$REGISTRY/$image:$VERSION"
+ echo "---------------------------- the image scanning result of Image <<$imageRef>> ----------------------------"
+ trivy image --format table --ignore-unfixed --vuln-type os,library --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL -q $imageRef
+done
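Review bot: `if ! $1; then` executes the first positional argument as a command: passing the literal `skip-image-generation` the usage text advertises runs a non-existent command whose failure is negated into "generate images", omitting it aborts under `set -o nounset`, and any other string — including one carrying shell metacharacters — runs with the caller's privileges; the value appears to be meant as a `true`/`false` token, so compare it as a string instead, `skip_image_generation=${1:-false}` followed by `if [[ "$skip_image_generation" != "true" ]]; then`. The trivy bootstrap `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.1` pins the binary version but fetches the installer from the moving `main` branch and pipes it straight into `sh` with no integrity check, an unverified supply-chain step inside a script whose whole purpose is vulnerability assurance; pin the installer URL to the same tag or a commit SHA, or download the release archive and verify it against the published checksums before executing anything. A comment on the `trivy image` line should state that `--ignore-unfixed` suppresses findings with no fixed version, so an empty table does not mean the image is free of known CVEs. Minor: quote the expansions in the loop, `for image in "${IMAGE_ARRAR[@]}"` and `"$imageRef"`, to match the quoting already used for `${REPO_ROOT}`.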