
Add flyctl support for scanning images with scantron #3725

Merged: 28 commits merged into master from tim-scantron on Jul 19, 2024

Conversation

@timflyio (Contributor) commented Jul 10, 2024

Change Summary

What and Why: Add support for fetching SBOMs and vuln scans from scantron and presenting them to the user. This allows users to quickly determine if they may be affected by security issues.

How: add new commands "scan sbom" and "scan vulns", which query scantron for SBOMs and scan data, and present them to the user.

Related to: scantron


Documentation

  • Fresh Produce
  • In superfly/docs, or asked for help from docs team
  • n/a

@timflyio timflyio marked this pull request as ready for review July 12, 2024 22:52
@btoews btoews requested review from btoews and removed request for btoews July 12, 2024 22:53
@timflyio timflyio requested a review from btoews July 12, 2024 22:54
@btoews (Member) left a comment

Nice code and awesome functionality. Maybe instead of asking people to download your branch to run this, we could just hide the registry subcommand and temporarily ship it as a hidden feature.

Resolved review threads on:
  • internal/command/registry/args.go (outdated)
  • internal/command/registry/auth.go
  • internal/command/registry/filter.go (outdated)
  • internal/command/registry/filter.go
  • internal/command/registry/scantron.go
  • internal/command/registry/vulnsummary.go (outdated)
  • internal/command/registry/vulnsummary.go (outdated)
  • internal/command/registry/args.go (outdated)
  • internal/command/registry/vulnsummary.go (outdated)
- fetch images concurrently
- prefer sets (maps) over lists for performance and clarity
- Allow flaps client without AppCompact by passing OrgSlug.
- Refactor code to skip looking up AppCompact and use OrgSlug instead when scanning all apps in an org
@btoews (Member) left a comment

Let's ship this and ask folks to kick the tires

Resolved review thread on:
  • internal/command/registry/command.go

@btoews (Member) commented Jul 18, 2024

One more thing I just noticed is that the registry returns the same response for

  • image digest doesn't exist
  • image repository doesn't exist
  • not authorized to access image

When scantron gets that response, it returns a 500. Flyctl should probably collect these errors and report them, but not fail the whole vulnsummary command.

@btoews (Member) commented Jul 18, 2024

I also got a 400 scanning another org with this log line in scantron

level=warning msg="bad digest" client="172.16.1.98:41518" error="unsupported digest algorithm: " method=GET path=//@
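An added example, not flyctl's own code, of the two points raised in the comments above: reject an empty or malformed digest locally instead of sending it on (the "//@" path and "unsupported digest algorithm" warning), and collect per-image failures such as scantron's 500 for missing or unauthorized images so the summary still completes. ImageRef, Fetcher and Report are assumed types standing in for the real scantron client, which is not shown here.

```go
package main

import (
	"fmt"
	"regexp"
	"sync"
)

// Only "sha256:<64 hex>" is sent on; an empty digest would otherwise reach
// scantron as the "//@" path and trigger the warning quoted in the log line.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ImageRef and Fetcher are hypothetical: the real scantron client is not shown.
type ImageRef struct{ Repo, Digest string }
type Fetcher func(ref ImageRef) (vulnCount int, err error)

// Report keeps per-image failures (the registry's single "missing or
// unauthorized" response surfaces as a scantron 500) beside the results.
type Report struct {
	Vulns  map[string]int   // keyed by "repo@digest"
	Errors map[string]error // keyed by "repo@digest"
}

// ScanAll validates digests locally, queries the valid images concurrently
// and records every failure under its own key instead of aborting.
func ScanAll(refs []ImageRef, fetch Fetcher) Report {
	rep := Report{Vulns: map[string]int{}, Errors: map[string]error{}}
	var mu sync.Mutex
	var wg sync.WaitGroup
	for _, ref := range refs {
		key := ref.Repo + "@" + ref.Digest
		if !digestRe.MatchString(ref.Digest) {
			rep.Errors[key] = fmt.Errorf("invalid digest %q", ref.Digest)
			continue
		}
		wg.Add(1)
		go func(key string, ref ImageRef) {
			defer wg.Done()
			n, err := fetch(ref) // one failing image never blocks the rest
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				rep.Errors[key] = err
			} else {
				rep.Vulns[key] = n
			}
		}(key, ref)
	}
	wg.Wait()
	return rep
}
```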

@timflyio timflyio merged commit 15415f5 into master Jul 19, 2024
34 checks passed
@timflyio timflyio deleted the tim-scantron branch July 19, 2024 19:11