This repository has been archived by the owner on Oct 10, 2020. It is now read-only.

Provide scanner with image name and info #1194

Open
wants to merge 1 commit into
base: master
18 changes: 18 additions & 0 deletions Atomic/scan.py
Expand Up @@ -154,6 +154,9 @@ def get_additional_args():
# Create the output directory
os.makedirs(self.results_dir)

# Record target information
self.record_inspect_info()

docker_args = ['docker', 'run', '-t', '--rm', '-v', '/etc/localtime:/etc/localtime',
'-v', '{}:{}'.format(self.chroot_dir, '/scanin'), '-v',
'{}:{}:rw,Z'.format(self.results_dir, '/scanout')]
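Review bot: the new `self.record_inspect_info()` call writes into `self.results_dir`, which the lines just below mount into the scanner container read-write (`'{}:{}:rw,Z'.format(self.results_dir, '/scanout')`), so the scanner image can overwrite `inspect_info.json` before anything on the host reads it back; either treat the file purely as input to the scanner and not as a trustworthy record after the run, or mount it separately read-only. The `# Record target information` comment should also name the file it produces (`inspect_info.json`) so the contract with scanner authors is visible at the call site.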
Expand Down Expand Up @@ -536,3 +539,18 @@ def write_persistent_data(self):

def remediate(self, script, iid, results_dir):
util.check_call([sys.executable, script, '--id', iid, '--results_dir', results_dir])


def record_inspect_info(self):
"""
Writes inspect information for each object passed to the scanner and
stores them in results_dir/inspect_info.json
:return: None
"""

inspect = []
for scan_object in self.scan_list:
inspect.append(scan_object.config)
Contributor
@navidshaikh navidshaikh Feb 22, 2018

I think a map/dictionary is better suited here.
Like

{
 scan_object.name: scan_object.config
}

While most of the time the atomic scanner executes per image, there are options to scan all (images, containers), all_images, all_containers as well. With this approach, all the scan_object configs are going to be appended, and it can become complex to map which config belongs to which scan_target.

The approach for map/dictionary for inspect_info.json should help in both cases where a single scan_target or multiple are provided.

For a single scan_target, using the map/dict will provide the scanner with

  • Image identity (name, as provided on the command line)
  • Its config / inspect info

For multiple scan_targets, using the map/dict will provide the scanner with

  • Image identity (name, as provided on the command line)
  • Its config / inspect info
  • And a mapping for scan_target:scan_target_config, providing a way to use the information in config and produce correct results intended for the scan_targets

Member Author

@navidshaikh Names can be a PITA if the image has multiple names. How about IDs?

Contributor

@baude: IDs sound good. With scan_object.name I meant the identity of the scan_target.

Contributor

@baude: Thanks for putting this together.

Regarding the names of scan_targets, I also took a look in the backendutils module; however, the scan targets are then transformed into objects.

    _, scan_obj = beu.get_backend_and_image_obj(scan_target)

I was wondering if we could shadow the scan_target provided on the command line in the inspect output file.

Given the number of options atomic scan can work with, it can become complex; if --images or, say, --all is provided, the best choice is to have the ID.

Contributor

How about having the SCAN_TARGET env variable in the atomic scanner, with values based on the populated scan_target variable?

WDYT?

I'll be happy to collaborate on the PR, if it looks good.
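The thread above converges on keying inspect_info.json by image ID rather than by name, because one image can carry several names and a bare list loses the link between an entry and the target it describes. The block below is an added example written for this page, not code from the atomic project or from the PR author; the scan objects, image IDs, names and configs are constructed stand-ins (the first image is reachable under two names, the case @baude raises), and `build_inspect_info`, `write_inspect_info`, `lookup_target` and `roundtrip` are hypothetical helpers, not atomic APIs. It keeps the PR's file name and `json.dump` formatting, collapses command-line targets that resolve to the same image into one entry, records both the image's names and the exact targets typed, and shows the scanner-side lookup that accepts an ID, a tag or the raw target.

```python
import json
import os
import tempfile

# Constructed sample data standing in for atomic's scan objects (hypothetical
# image IDs and names, not taken from the project): each entry carries the
# image ID, every name the image is tagged with, and a docker-inspect style
# config. The first image is reachable under two names, which is the
# "multiple names" case raised in the review thread.
SAMPLE_SCAN_OBJECTS = [
    {
        "id": "sha256:aaaa1111",
        "names": ["registry.example/app:latest", "app:1.0"],
        "config": {"Env": ["PATH=/usr/bin"], "User": "1000"},
    },
    {
        "id": "sha256:bbbb2222",
        "names": ["base:7"],
        "config": {"Env": [], "User": ""},
    },
]


def build_inspect_info(scan_objects, targets):
    """Build the inspect_info.json payload keyed by image ID.

    targets are the identifiers typed on the command line (names or IDs).
    Targets that resolve to the same image collapse into one entry that
    lists every name and every command-line target that reached it, so the
    scanner can report against whatever the user asked for.
    """
    by_ref = {}
    for obj in scan_objects:
        by_ref[obj["id"]] = obj
        for name in obj["names"]:
            by_ref[name] = obj

    info = {}
    for target in targets:
        obj = by_ref.get(target)
        if obj is None:
            raise KeyError("scan target %r did not resolve to a scanned image" % target)
        entry = info.setdefault(obj["id"], {
            "scan_targets": [],
            "names": list(obj["names"]),
            "config": obj["config"],
        })
        if target not in entry["scan_targets"]:
            entry["scan_targets"].append(target)
    return info


def write_inspect_info(results_dir, info):
    """Write the mapping to results_dir/inspect_info.json (same file name as the PR)."""
    path = os.path.join(results_dir, "inspect_info.json")
    with open(path, "w") as f:
        json.dump(info, f, indent=4, separators=(",", ": "), sort_keys=True)
    return path


def lookup_target(results_dir, target):
    """Scanner-side lookup: accept an ID, a tag name or the raw command-line target.

    Returns (image_id, entry), or (None, None) when nothing matches.
    """
    with open(os.path.join(results_dir, "inspect_info.json")) as f:
        info = json.load(f)
    if target in info:
        return target, info[target]
    for image_id, entry in info.items():
        if target in entry["names"] or target in entry["scan_targets"]:
            return image_id, entry
    return None, None


def roundtrip(scan_objects, targets, query):
    """Write the mapping to a throwaway results dir and resolve one query from it."""
    results_dir = tempfile.mkdtemp(prefix="inspect_info_")
    write_inspect_info(results_dir, build_inspect_info(scan_objects, targets))
    return lookup_target(results_dir, query)


if __name__ == "__main__":
    mapping = build_inspect_info(
        SAMPLE_SCAN_OBJECTS,
        ["registry.example/app:latest", "app:1.0", "sha256:bbbb2222"],
    )
    print(json.dumps(mapping, indent=4, sort_keys=True))
    print(roundtrip(SAMPLE_SCAN_OBJECTS, ["app:1.0"], "app:1.0"))
```

Two caveats worth keeping in mind with this layout. The results directory is mounted into the scanner container read-write in the first hunk, so inspect_info.json is writable by the scanner image and should be treated as input to the scanner rather than as a trustworthy record afterwards. And docker-inspect style configs normally include the image's environment variables, so the file can carry whatever secrets were baked into `Env`; it belongs in the per-run results directory only, not anywhere longer-lived.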


with open(os.path.join(self.results_dir, 'inspect_info.json'), 'w') as f:
json.dump(inspect, f, indent=4, separators=(',', ': '))
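Review bot: `record_inspect_info` emits a bare list of `scan_object.config` dicts, so an entry in `inspect_info.json` cannot be tied back to the target it describes once `self.scan_list` holds more than one object (the `--images`/`--all` cases raised in the thread); replace `inspect = []` / `inspect.append(scan_object.config)` with a dict keyed by each object's image ID and state that layout in the docstring, which currently says only where the file is written. The two blank lines before `def record_inspect_info` also give it more separation from `remediate` than `remediate` has from the method above it.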