Beispiel #1
def show(details):
    """
    Show list of Anchore data policies.

    """

    # Exit status: 0 on success, 1 when loading or printing the metadata raised.
    exit_status = 0
    try:
        meta = anchore_policy.load_policymeta()

        if details:
            view = meta
        else:
            # Summary view: a single entry keyed by the policy name. The keys
            # are read in the order name, id, policies, whitelists, mappings,
            # so a missing key fails at the same point as before.
            label = meta['name']
            view = {
                label: {
                    'id': meta['id'],
                    'policies': meta['policies'],
                    'whitelists': meta['whitelists'],
                    'mappings': meta['mappings'],
                }
            }

        anchore_print(view, do_formatting=True)
    except Exception:
        # Only a generic message is printed; the exception text is not echoed.
        anchore_print_err('operation failed')
        exit_status = 1

    sys.exit(exit_status)
Beispiel #2
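def add(repos):
    """
    Adds the specified images/tags to the subscription. Tags are formatted as docker image tags. Values are checked
    against the list of available tags from the service. Run 'anchore subscriptions show' to get the list of available
    options. Because of this, you must run an initial 'anchore sync catalog' before subscription data is available.

    Duplicate entries are prevented and will not result in an error, but will be discarded.

    Tag/repo examples: ubuntu, centos:7, nginx:latest

    """

    # Without a local analysis db there is nothing to validate the tags against.
    if not working_catalog.has_db():
        anchore_print_err('No local analysis db detected. You probably need to run "anchore sync catalog" first to initialize')
        exit(5)

    repo_list = list(repos)

    try:
        working_catalog.subscribe(repo_list)
        if working_catalog.configuration().cliargs['json']:
            anchore_print(working_catalog.subscription.get(), do_formatting=True)
        else:
            anchore_print('\n'.join(working_catalog.subscription.get()))
    except Exception:
        # Was a bare "except:", which also trapped KeyboardInterrupt and
        # SystemExit and reported them as a subscription failure.
        anchore_print_err('Failed adding %s to subscription' % repo_list)
        exit(1)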
Beispiel #3
def sub(feednames):
    """
    Subscribe to the specified feed(s).
    """

    ecode = 0
    # A missing or empty user_info means tier 0.
    # NOTE(review): the tier is read from the local auth context, so it is only
    # as trustworthy as that context; presumably the feed service enforces
    # entitlement on its side - confirm.
    user_info = contexts.get('anchore_auth', {}).get('user_info', None)
    tier = int(user_info['tier']) if user_info else 0

    try:
        for feedname in feednames:
            ok, message = anchore_feeds.subscribe_anchore_feed(feedname, tier)
            if ok:
                anchore_print(message)
                continue
            # One failed feed marks the run as failed but the loop keeps going.
            ecode = 1
            anchore_print_err(message)

    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)
Beispiel #4
def toolbox(anchore_config, ctx, image):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>

    """

    global config, imagelist, nav
    config = anchore_config
    ecode = 0

    imagelist = [image]

    # Image resolution and navigator setup are skipped for 'import' and 'delete'.
    needs_navigator = ctx.invoked_subcommand not in ('import', 'delete')
    if needs_navigator:
        try:
            # Any failure, ValueError included, ends in the same exit below;
            # imagelist is only replaced when discovery succeeds.
            imagelist = anchore_utils.discover_imageIds(imagelist)
        except Exception:
            anchore_print_err("could not load any images")
            sys.exit(1)

        try:
            nav = navigator.Navigator(
                anchore_config=config,
                imagelist=imagelist,
                allimages=contexts['anchore_allimages'],
            )
        except Exception:
            # Subcommands see nav = None when the navigator cannot be built.
            anchore_print_err('operation failed')
            nav = None
            ecode = 1
Beispiel #5
def explore(anchore_config, image, imagefile, include_allanchore):
    """
    Explore image content via queries, visualizations and reports for the selected image(s).

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    """
    global config, imagelist, nav, vis
    ecode = 0
    success = True
    config = anchore_config

    # --image and --imagefile are mutually exclusive.
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    try:
        # The fourth argument is true only when neither selector was given.
        nothing_selected = not (image or imagefile)
        candidates = build_image_list(anchore_config, image, imagefile, nothing_selected, include_allanchore)
        imagelist = candidates.keys()

        # Resolve names/tags to image ids; any error falls through to the
        # handler below.
        imagelist = anchore_utils.discover_imageIds(imagelist).keys()

    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)
Beispiel #6
def purge(dontask):
    # Deletes every image the navigator returns, asking for confirmation per
    # image unless dontask is set. Exits 1 without a message when no navigator
    # is available.
    ecode = 0

    if not nav:
        sys.exit(1)

    try:
        for image_id in nav.get_images():
            confirmed = True if dontask else False
            if not confirmed:
                try:
                    reply = raw_input("Really delete image '"+str(image_id)+"'? (y/N)")
                except:
                    # Any failure to read an answer (EOF, interrupt, ...) is
                    # treated as "no", the non-destructive default.
                    reply = "n"
                confirmed = reply.lower() == 'y'
                if not confirmed:
                    anchore_print("Skipping delete.")
            if confirmed:
                anchore_print("Deleting image '"+str(image_id)+"'")
                contexts['anchore_db'].delete_image(image_id)
    except Exception:
        # The first failed delete stops the loop; remaining images are kept.
        anchore_print_err('operation failed')
        ecode = 1
    sys.exit(ecode)
Beispiel #7
def audit(anchore_config, image, imagefile, include_allanchore):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """

    global config, imagelist, nav
    ecode = 0
    success = True
    config = anchore_config

    # --image and --imagefile are mutually exclusive.
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    try:
        # The fourth argument is true only when neither selector was given.
        nothing_selected = not (image or imagefile)
        candidates = build_image_list(anchore_config, image, imagefile,
                                      nothing_selected, include_allanchore)
        imagelist = candidates.keys()

        # Resolve to image ids; every error ends in the handler below.
        imagelist = anchore_utils.discover_imageIds(imagelist).keys()

    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)
Beispiel #8
def toolbox(anchore_config, image):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>

    """
    global config, imagelist, nav
    config = anchore_config
    ecode = 0

    imagelist = [image]

    # Discovery errors (ValueError included) are not handled here and reach
    # the caller unchanged in type.
    resolved = anchore_utils.discover_imageIds(anchore_config, imagelist)
    imagelist = resolved.keys()

    try:
        nav = navigator.Navigator(
            anchore_config=config,
            imagelist=imagelist,
            allimages=contexts['anchore_allimages'],
        )
    except Exception:
        # Subcommands see nav = None when the navigator cannot be built.
        anchore_print_err('operation failed')
        nav = None
        ecode = 1
Beispiel #9
def whoami(anchore_config):
    """
    Show user data for current user if available
    :param anchore_config:
    :return:
    """
    ecode = 0
    try:
        auth = contexts['anchore_auth']
        logged_in = auth and 'username' in auth and 'password' in auth
        if not logged_in:
            anchore_print_err(
                'No anchore auth context found. Cannot get user info. Try logging in first'
            )
            ecode = 1
        else:
            # Only user_info is printed; the stored username and password keys
            # are checked for presence but never echoed.
            current = auth['user_info'] or 'anonymous'
            anchore_print({'Current user': current}, do_formatting=True)

    except Exception:
        anchore_print_err('Cannot get user info')
        ecode = 1

    sys.exit(ecode)
Beispiel #10
def export(outfile):
    """Export image anchore data to a JSON file."""

    # No navigator means the parent command failed to set up; exit quietly.
    if not nav:
        sys.exit(1)

    ecode = 0
    savelist = []
    for imageId in imagelist:
        try:
            imagedata = contexts['anchore_db'].load_image_new(imageId)
            savelist.append({'image': {'imageId': imageId, 'imagedata': imagedata}})
        except Exception:
            # Keep collecting so every missing image is reported, but nothing
            # is written once any record failed.
            anchore_print_err("could not find record for image ("+str(imageId)+")")
            ecode = 1

    if ecode == 0:
        try:
            if outfile != '-':
                # The file is created with the process's default permissions.
                with open(outfile, 'w') as OFH:
                    OFH.write(json.dumps(savelist))
            else:
                # '-' means stdout. The parenthesised form prints the same text
                # under the Python 2 print statement.
                print(json.dumps(savelist, indent=4))
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            ecode = 1

    sys.exit(ecode)
Beispiel #11
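def image_import(infile, force):
    """Import image anchore data from a JSON file."""
    # Exit status: 0 when every record was stored or skipped, 1 when the file
    # could not be read or any record failed.
    ecode = 0

    try:
        with open(infile, 'r') as FH:
            savelist = json.loads(FH.read())
    except Exception as err:
        anchore_print_err("could not load input file: " + str(err))
        ecode = 1

    if ecode == 0:
        for record in savelist:
            # Reset per record: a malformed record used to leave imageId unbound
            # (NameError inside the handler) or still holding the previous
            # record's id, so the error named the wrong image.
            imageId = None
            try:
                imageId = record['image']['imageId']
                # NOTE(review): imageId and imagedata are taken from the import
                # file as-is. If the DB layer uses imageId to build a storage
                # path, validate it before this point (e.g. 64 hex characters)
                # - confirm against the anchore_db implementation.
                if contexts['anchore_db'].is_image_present(imageId) and not force:
                    anchore_print("image ("+str(imageId)+") already exists in DB, skipping import.")
                else:
                    imagedata = record['image']['imagedata']
                    try:
                        rc = contexts['anchore_db'].save_image_new(imageId, report=imagedata)
                        if not rc:
                            raise Exception("save to anchore DB failed")
                    except Exception:
                        # Roll back exactly once. The original deleted twice on
                        # a falsy return code, and an error from the second
                        # delete replaced the real failure message.
                        # With force set this also removes a record that
                        # existed before the import.
                        contexts['anchore_db'].delete_image(imageId)
                        raise
            except Exception as err:
                anchore_print_err("could not store image ("+str(imageId)+") from import file: "+ str(err))
                ecode = 1

    sys.exit(ecode)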
Beispiel #12
def export(outfile):
    """Export image anchore data to a JSON file."""

    # No navigator means the parent command failed to set up; exit quietly.
    if not nav:
        sys.exit(1)

    ecode = 0
    savelist = []
    for imageId in imagelist:
        try:
            loaded = contexts['anchore_db'].load_image_new(imageId)
            entry = {'image': {'imageId': imageId, 'imagedata': loaded}}
            savelist.append(entry)
        except Exception:
            # All missing images are reported; output is skipped if any failed.
            anchore_print_err("could not find record for image (" +
                              str(imageId) + ")")
            ecode = 1

    if ecode == 0:
        to_stdout = outfile == '-'
        try:
            if to_stdout:
                # Same output as the Python 2 print statement.
                print(json.dumps(savelist, indent=4))
            else:
                # The file is created with the process's default permissions.
                with open(outfile, 'w') as OFH:
                    OFH.write(json.dumps(savelist))
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            ecode = 1

    sys.exit(ecode)
Beispiel #13
def query(anchore_config, image, imagefile, include_allanchore, module):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Execute the specified query (module) with any parameters it requires. Modules are scripts in a specific location.

    Each query has its own parameters and outputs.

    Examples using pre-defined queries:

    'anchore query --image nginx:latest list-packages all'
    'anchore query has-package wget'
    'anchore query --image nginx:latest list-files-detail all'
    'anchore query cve-scan all'

    """

    global config, imagelist, nav
    ecode = 0
    success = True
    config = anchore_config

    # The image list is only built when a query module was named.
    if module:
        if image and imagefile:
            raise click.BadOptionUsage(
                'Can only use one of --image, --imagefile')

        try:
            nothing_selected = not (image or imagefile)
            candidates = build_image_list(anchore_config, image, imagefile,
                                          nothing_selected,
                                          include_allanchore)
            imagelist = list(candidates.keys())

            # The discovery result is used as returned (not its keys).
            imagelist = anchore_utils.discover_imageIds(imagelist)

        except Exception:
            anchore_print_err("could not load input images")
            sys.exit(1)

    try:
        nav = init_nav_contexts()
        # NOTE(review): the module name and its arguments come from the command
        # line; per the help text modules are scripts in a fixed location -
        # confirm run_query resolves the name inside that location only.
        result = nav.run_query(list(module))
        if result:
            anchore_utils.print_result(config, result)

        # Exit status 2 signals that the query reported warnings.
        if nav.check_for_warnings(result):
            ecode = 2

    except:
        # Bare except: anything raised above, SystemExit included, is reported
        # as a failed query.
        anchore_print_err("query operation failed")
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)
Beispiel #14
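def image_import(infile):
    """Import image anchore data from a JSON file."""
    # Exit status: 0 when every record was stored or skipped, 1 when the file
    # could not be read or any record failed.
    ecode = 0

    try:
        with open(infile, 'r') as FH:
            savelist = json.loads(FH.read())
    except Exception as err:
        anchore_print_err("could not load input file: " + str(err))
        ecode = 1

    if ecode == 0:
        for record in savelist:
            # Reset per record: a malformed record used to leave imageId unbound
            # (NameError inside the handler) or still holding the previous
            # record's id, so the error named the wrong image.
            imageId = None
            try:
                imageId = record['image']['imageId']
                # NOTE(review): imageId and imagedata are taken from the import
                # file as-is. If the DB layer uses imageId to build a storage
                # path, validate it before this point (e.g. 64 hex characters)
                # - confirm against the anchore_db implementation.
                if contexts['anchore_db'].is_image_present(imageId):
                    anchore_print("image (" + str(imageId) +
                                  ") already exists in DB, skipping import.")
                else:
                    imagedata = record['image']['imagedata']
                    try:
                        rc = contexts['anchore_db'].save_image_new(
                            imageId, report=imagedata)
                        if not rc:
                            raise Exception("save to anchore DB failed")
                    except Exception:
                        # Roll back exactly once. The original deleted twice on
                        # a falsy return code, and an error from the second
                        # delete replaced the real failure message.
                        contexts['anchore_db'].delete_image(imageId)
                        raise
            except Exception as err:
                anchore_print_err("could not store image (" + str(imageId) +
                                  ") from import file: " + str(err))
                ecode = 1

    sys.exit(ecode)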
Beispiel #15
def audit(anchore_config, ctx, image, imagefile, include_allanchore):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """

    global config, imagelist, nav
    ecode = 0
    success = True
    config = anchore_config

    #include_allanchore = True

    # --image and --imagefile are mutually exclusive.
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    #if image or imagefile:
    #    include_allanchore = False

    try:
        # The fourth argument is true only when neither selector was given.
        nothing_selected = not (image or imagefile)
        candidates = build_image_list(anchore_config, image, imagefile, nothing_selected, include_allanchore)
        imagelist = candidates.keys()
        # The discovery result is used as returned (not its keys); every error
        # ends in the handler below.
        imagelist = anchore_utils.discover_imageIds(imagelist)

    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)
Beispiel #16
def show(details):
    """
    Show list of Anchore data policies.

    """

    # Exit status: 0 on success, 1 when loading or printing the metadata raised.
    status_code = 0
    try:
        policymeta = anchore_policy.load_policymeta()

        if not details:
            # Reduce the metadata to one entry keyed by the policy name; the
            # keys are read in the order name, id, policies, whitelists,
            # mappings.
            policy_name = policymeta['name']
            summary = {
                'id': policymeta['id'],
                'policies': policymeta['policies'],
                'whitelists': policymeta['whitelists'],
                'mappings': policymeta['mappings'],
            }
            anchore_print({policy_name: summary}, do_formatting=True)
        else:
            anchore_print(policymeta, do_formatting=True)
    except Exception:
        # Only a generic message is printed; the exception text is not echoed.
        anchore_print_err('operation failed')
        status_code = 1

    sys.exit(status_code)
Beispiel #17
def query(module):
    """
    Execute the specified query (module) with any parameters it requires. Modules are scripts in a specific location.

    Each query has its own parameters and outputs.

    Examples using pre-defined queries:

    Query all images to see which have the package 'wget' installed:
    'anchore explore query has-package wget'

    """
    ecode = 0
    try:
        # Both names stay local to this call.
        nav, vis = init_nav_vis_contexts()

        # NOTE(review): the module name and its arguments come from the command
        # line; per the help text modules are scripts in a fixed location -
        # confirm run_query resolves the name inside that location only.
        query_args = list(module)
        result = nav.run_query(query_args)
        if result:
            anchore_utils.print_result(config, result)

        # Exit status 2 signals that the query reported warnings.
        has_warnings = nav.check_for_warnings(result)
        if has_warnings:
            ecode = 2

    except:
        # Bare except: anything raised above, SystemExit included, is reported
        # as a failed query.
        anchore_print_err("query operation failed")
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)
Beispiel #18
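def status(conf):
    """
    Show anchore system status.
    """

    ecode = 0
    try:
        if conf:
            # NOTE(review): the whole config mapping is printed. Whether it can
            # hold credentials is not visible here - confirm before this output
            # is collected into shared logs.
            if config.cliargs['json']:
                anchore_print(config.data, do_formatting=True)
            else:
                anchore_print(
                    yaml.safe_dump(config.data,
                                   indent=True,
                                   default_flow_style=False))
        else:
            result = {}
            if contexts['anchore_db'].check():
                result["anchore_db"] = "OK"
            else:
                result["anchore_db"] = "NOTINITIALIZED"

            # anchore_feeds.check() is unpacked as (rc, msg) by the feeds
            # command. A non-empty tuple is always truthy, so testing the
            # return value directly would report "OK" even when rc is False.
            # Accept either return shape and look at rc when a tuple comes back.
            feeds_state = anchore_feeds.check()
            if isinstance(feeds_state, tuple):
                feeds_state = bool(feeds_state) and feeds_state[0]
            if feeds_state:
                result["anchore_feeds"] = "OK"
            else:
                result["anchore_feeds"] = "NOTSYNCED"

            afailed = False
            latest = 0
            analyzer_failed_imageId = None
            for imageId in list(
                    contexts['anchore_db'].load_all_images().keys()):
                amanifest = anchore_utils.load_analyzer_manifest(imageId)
                for module_name in list(amanifest.keys()):
                    try:
                        entry = amanifest[module_name]
                        if entry['timestamp'] > latest:
                            latest = entry['timestamp']
                        if entry['status'] != 'SUCCESS':
                            # Only the most recently seen failing image is kept.
                            analyzer_failed_imageId = imageId
                            afailed = True
                    except Exception:
                        # Best effort: a manifest entry without the expected
                        # fields is skipped. Was a bare "except:", which also
                        # swallowed KeyboardInterrupt.
                        pass

            if latest == 0:
                result["analyzer_status"] = "NODATA"
            elif afailed:
                result[
                    "analyzer_status"] = "FAIL (" + analyzer_failed_imageId + ")"
                result["analyzer_latest_run"] = time.ctime(latest)
            else:
                result["analyzer_status"] = "OK"
                result["analyzer_latest_run"] = time.ctime(latest)

            anchore_print(result, do_formatting=True)

    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)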
Beispiel #19
def login(anchore_config):
    """
    Log into Anchore service using your username/password from anchore.io.
    """
    config = anchore_config
    ecode = 0

    try:
        # NOTE(review): the next statement is not valid Python as shown. The
        # "******" runs look like credential masking applied to this listing,
        # and they swallowed the password prompt, the authentication call and
        # the header of the failure branch; none of that can be reviewed here.
        # If the password is read with raw_input it is echoed to the terminal;
        # getpass.getpass is the non-echoing standard-library prompt - confirm
        # against the unmasked source.
        username = raw_input("Username: "******"Password: "******"Failed to log in: check your username/password and try again!"
            )
            # The server's response text is shown to the user on failure.
            anchore_print("Message from server: " + ret['text'])
        else:
            # On success the new auth data is merged into the shared auth context.
            contexts['anchore_auth'].update(new_anchore_auth)
            anchore_print("Login successful.")

    except Exception as err:
        # Only a generic message is printed; the exception text is not echoed.
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)
Beispiel #20
def toolbox(anchore_config, image):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>

    """
    global config, imagelist, nav
    config = anchore_config
    ecode = 0

    imagelist = [image]

    # No handler here: a discovery error (ValueError included) reaches the
    # caller with its type unchanged.
    discovered = anchore_utils.discover_imageIds(anchore_config, imagelist)
    imagelist = discovered.keys()

    navigator_args = dict(anchore_config=config,
                          imagelist=imagelist,
                          allimages=contexts['anchore_allimages'])
    try:
        nav = navigator.Navigator(**navigator_args)
    except Exception:
        # Subcommands see nav = None when the navigator cannot be built.
        anchore_print_err('operation failed')
        nav = None
        ecode = 1
Beispiel #21
def sub(feednames):
    """
    Subscribe to the specified feed(s).
    """

    ecode = 0
    # A missing or empty user_info means tier 0.
    # NOTE(review): the tier is read from the local auth context, so it is only
    # as trustworthy as that context; presumably the feed service enforces
    # entitlement on its side - confirm.
    profile = contexts.get('anchore_auth', {}).get('user_info', None)
    if profile:
        user_tier = int(profile['tier'])
    else:
        user_tier = 0

    try:
        for name in feednames:
            succeeded, text = anchore_feeds.subscribe_anchore_feed(name, user_tier)
            if succeeded:
                anchore_print(text)
            else:
                # One failed feed marks the run as failed; the loop continues.
                ecode = 1
                anchore_print_err(text)

    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)
Beispiel #22
def feeds(anchore_config):
    # Group entry point for the feed commands: stores the config globally and
    # makes sure feed metadata exists, syncing it from the service when the
    # local check fails. Exits 1 if that sync fails or anything raises.
    global config
    config = anchore_config

    ecode = 0
    # Stays None unless the metadata sync reports a failure.
    failure = None

    try:
        ready, _ = anchore_feeds.check()
        if not ready:
            anchore_print("initializing feed metadata: ...")
            synced, ret = anchore_feeds.sync_feedmeta()
            if not synced:
                failure = "could not sync feed metadata from service: " + ret['text']

    except Exception:
        anchore_print_err('operation failed')
        sys.exit(1)

    if failure is not None:
        anchore_print_err(failure)
        sys.exit(1)
Beispiel #23
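def user_images(operation):
    """
    Manages fetching and pushing user images. The operations are: 'input', 'output', 'both'.

    By default, 'both' is invoked and will execute 'input' then 'output' operations in that order.

    Scripts are located as follows, assuming $INSTALL_LOC = distro-specific location where pip installs python packages

    input: $INSTALL_LOC/anchore/anchore-modules/inputs/
    output: $INSTALL_LOC/anchore/anchore-modules/outputs/

    Scripts are executed in lexicographic order by filename and scripts must be marked as executable to be run.
    See the README file in each directory for more information.

    """

    # The help text documents 'both' but the checks only matched 'all', so a
    # caller passing 'both' ran nothing and still exited 0. Accept either name.
    run_everything = operation in ('all', 'both')

    # NOTE(review): every executable file in the script directories is run, so
    # write access to those directories decides who can run code as this user
    # - confirm they are not group- or world-writable.
    if operation == 'input' or run_everything:
        try:
            anchore_print('Executing input scripts')
            working_catalog.inputs.execute()
            anchore_print('Execution of input scripts complete')
        except Exception:
            # Was a bare "except:", which also trapped KeyboardInterrupt.
            anchore_print_err('Failed executing input scripts')
            exit(1)

    if operation == 'output' or run_everything:
        try:
            anchore_print('Executing output scripts')
            working_catalog.outputs.execute()
            anchore_print('Execution of output scripts complete')
        except Exception:
            anchore_print_err('Failed executing output scripts')
            exit(1)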
Beispiel #24
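def user_images(operation):
    """
    Manages fetching and pushing user images. The operations are: 'input', 'output', 'both'.

    By default, 'both' is invoked and will execute 'input' then 'output' operations in that order.

    Scripts are located as follows, assuming $INSTALL_LOC = distro-specific location where pip installs python packages

    input: $INSTALL_LOC/anchore/anchore-modules/inputs/
    output: $INSTALL_LOC/anchore/anchore-modules/outputs/

    Scripts are executed in lexicographic order by filename and scripts must be marked as executable to be run.
    See the README file in each directory for more information.

    """

    # The help text names the combined operation 'both' while the code only
    # recognised 'all'; with 'both' nothing ran and the command still exited 0.
    # Both spellings now select input followed by output.
    combined = operation in ('all', 'both')
    wants_input = combined or operation == 'input'
    wants_output = combined or operation == 'output'

    # NOTE(review): every executable file in the script directories is run, so
    # write access to those directories decides who can run code as this user
    # - confirm they are not group- or world-writable.
    if wants_input:
        try:
            anchore_print('Executing input scripts')
            working_catalog.inputs.execute()
            anchore_print('Execution of input scripts complete')
        except Exception:
            # Was a bare "except:", which also trapped KeyboardInterrupt.
            anchore_print_err('Failed executing input scripts')
            exit(1)

    if wants_output:
        try:
            anchore_print('Executing output scripts')
            working_catalog.outputs.execute()
            anchore_print('Execution of output scripts complete')
        except Exception:
            anchore_print_err('Failed executing output scripts')
            exit(1)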
Beispiel #25
def status(anchore_config):
    """
    Show state of local anchore images and artifacts.

    Returns structure output with the results of checks of local resources and their staleness compared to
    the upstream service artifacts for items such as vulnerability data and analysis db entries for subscription images.

    The output of this command can be used to determine if/when to run a catalog sync and check if new service data is
    available. This command will use the network to check the service status.
    """

    # The assert is skipped when Python runs with -O.
    assert anchore_config is not None

    try:
        report = working_catalog.check_status()
        # Replace each entry that carries a 'sync' field with just that field.
        # Only existing keys are reassigned, so the mapping keeps its size
        # while it is being iterated.
        for section, detail in report.items():
            if 'sync' not in detail:
                continue
            report[section] = detail['sync']

        anchore_print(report, do_formatting=True)
    except:
        # Bare except: every failure is reported as a configuration problem.
        anchore_print_err(
            'Failed checking catalog configuration. Please check config file: %s'
            % anchore_config.config_file)
        exit(1)
Beispiel #26
def list(showgroups):
    """
    Show list of Anchore data feeds.
    """
    # Note: this function's name shadows the builtin list() in its module.
    ecode = 0
    try:
        result = {}
        subscribed = {}
        available = {}
        feedmeta = anchore_feeds.load_anchore_feedmeta()
        for feed in feedmeta.keys():
            # Each feed lands in exactly one bucket, chosen by its flag.
            bucket = subscribed if feedmeta[feed]['subscribed'] else available
            bucket[feed] = {}
            bucket[feed]['description'] = feedmeta[feed]['description']
            if showgroups:
                bucket[feed]['groups'] = feedmeta[feed]['groups'].keys()

        # Empty buckets are left out of the output.
        if available:
            result['Available'] = available
        if subscribed:
            result['Subscribed'] = subscribed

        anchore_print(result, do_formatting=True)
    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)
Beispiel #27
def query(anchore_config, image, imagefile, include_allanchore, module):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Execute the specified query (module) with any parameters it requires. Modules are scripts in a specific location.

    Each query has its own parameters and outputs.

    Examples using pre-defined queries:

    'anchore query --image nginx:latest list-packages all'
    'anchore query has-package wget'
    'anchore query --image nginx:latest list-files-detail all'
    'anchore query cve-scan all'

    """

    global config, imagelist, nav
    ecode = 0
    success = True
    config = anchore_config

    # The image list is only built when a query module was named.
    if module:
        if image and imagefile:
            raise click.BadOptionUsage('Can only use one of --image, --imagefile')

        try:
            nothing_selected = not (image or imagefile)
            candidates = build_image_list(anchore_config, image, imagefile, nothing_selected, include_allanchore)
            imagelist = candidates.keys()

            # The discovery result is used as returned (not its keys).
            imagelist = anchore_utils.discover_imageIds(imagelist)

        except Exception:
            anchore_print_err("could not load input images")
            sys.exit(1)

    try:
        nav = init_nav_contexts()

        # NOTE(review): the module name and its arguments come from the command
        # line; per the help text modules are scripts in a fixed location -
        # confirm run_query resolves the name inside that location only.
        query_args = list(module)
        result = nav.run_query(query_args)
        if result:
            anchore_utils.print_result(config, result)

        # Exit status 2 signals that the query reported warnings.
        if nav.check_for_warnings(result):
            ecode = 2

    except:
        # Bare except: anything raised above, SystemExit included, is reported
        # as a failed query.
        anchore_print_err("query operation failed")
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)
Beispiel #28
def toolbox(anchore_config, ctx, image, imageid):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>

    """

    global config, imagelist, nav

    config = anchore_config
    ecode = 0

    # Subcommands that run without an image selection or a navigator.
    standalone = ['import', 'delete', 'kubesync', 'images', 'show']

    try:

        # set up imagelist of imageIds
        if image:
            imagelist = [image]
            # A name or tag is resolved through discovery; any error goes to
            # the handler at the bottom.
            imagelist = anchore_utils.discover_imageIds(imagelist)
        elif imageid:
            # A raw id is accepted only as exactly 64 hex characters and is
            # used directly, without discovery.
            well_formed = len(imageid) == 64 and not re.findall("[^0-9a-fA-F]+", imageid)
            if not well_formed:
                raise Exception(
                    "input is not a valid imageId (64 characters, a-f, A-F, 0-9)"
                )

            imagelist = [imageid]
        else:
            imagelist = []

        if ctx.invoked_subcommand not in standalone:
            if not imagelist:
                raise Exception(
                    "for this operation, you must specify an image with '--image' or '--imageid'"
                )

            try:
                nav = navigator.Navigator(
                    anchore_config=config,
                    imagelist=imagelist,
                    allimages=contexts['anchore_allimages'])
            except Exception:
                # Leave nav as None before the failure is reported below.
                nav = None
                raise

    except Exception:
        # The specific message raised above is not shown to the user.
        anchore_print_err('operation failed')
        ecode = 1

    if ecode:
        sys.exit(ecode)
Beispiel #29
def exportdb(outdir):
    """Export all anchore images to JSON files"""
    # Writes three trees under outdir: images/<imageId>.json,
    # storedfiles/<imageId>/<namespace>/stored_files.tar.gz, and
    # feeds/feedmeta.json plus feeds/<feed>/<group>/<datafile>.
    # Exits 0 on success, 1 after the first error (the export is then partial).
    #
    # NOTE(review): imageId, namespace, feed, group and datafile are joined into
    # output paths as-is, and os.path.join does not keep the result inside
    # outdir (an absolute component or '..' escapes it). If any of these names
    # can originate outside this host, e.g. feed metadata synced from a service,
    # check that each resolved path stays under outdir before writing - confirm
    # where the names come from.
    ecode = 0
    try:
        imgdir = os.path.join(outdir, "images")
        feeddir = os.path.join(outdir, "feeds")
        storedir = os.path.join(outdir, "storedfiles")

        # Check-then-create: directories are made with default permissions.
        for d in [outdir, imgdir, feeddir, storedir]:
            if not os.path.exists(d):
                os.makedirs(d)

        anchore_print("exporting images...")
        imagelist = anchore_utils.get_image_list().keys()
        for imageId in imagelist:
            thefile = os.path.join(imgdir, imageId+".json")
            # An existing export file is kept, not refreshed.
            if not os.path.exists(thefile):
                with open(thefile, 'w') as OFH:
                    OFH.write(json.dumps(contexts['anchore_db'].load_image_new(imageId)))

            stored_namespaces = contexts['anchore_db'].load_files_namespaces(imageId)
            for namespace in stored_namespaces:
                # load_files_tarfile's return value is used as a filesystem path.
                stored_files = contexts['anchore_db'].load_files_tarfile(imageId, namespace)
                if os.path.exists(stored_files):
                    thedir = os.path.join(storedir, imageId, namespace)
                    if not os.path.exists(thedir):
                        os.makedirs(thedir)
                    thefile = os.path.join(thedir, "stored_files.tar.gz")
                    # Unlike the JSON files, the tarball is overwritten on every run.
                    shutil.copy(stored_files, thefile)

        anchore_print("exporting feeds...")
        feedmeta = contexts['anchore_db'].load_feedmeta()
        thefile = os.path.join(feeddir, "feedmeta.json")
        # feedmeta.json is always rewritten and still contains the 'datafiles'
        # lists, because they are popped only after this dump.
        with open(thefile, 'w') as OFH:
            OFH.write(json.dumps(feedmeta))

        for feed in feedmeta:
            feedobj = feedmeta[feed]
            for group in feedobj['groups']:
                groupobj = feedobj['groups'][group]
                # pop() mutates the loaded feedmeta object in place.
                datafiles = groupobj.pop('datafiles', [])
                for datafile in datafiles:
                    thedir = os.path.join(feeddir, feed, group)
                    if not os.path.exists(thedir):
                        os.makedirs(thedir)
                    thefile = os.path.join(thedir, datafile)
                    # An existing data file is kept, not refreshed.
                    if not os.path.exists(thefile):
                        with open(thefile, 'w') as OFH:
                            OFH.write(json.dumps(contexts['anchore_db'].load_feed_group_data(feed, group, datafile)))

    except Exception as err:
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    sys.exit(ecode)
Beispiel #30
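def status(conf):
    """
    Show anchore system status.
    """

    ecode = 0
    try:
        if conf:
            # NOTE(review): config.data is printed in full. If the configuration can carry
            # credentials or tokens (not visible from here - confirm), redact them first.
            if config.cliargs['json']:
                anchore_print(config.data, do_formatting=True)
            else:
                anchore_print(yaml.safe_dump(config.data, indent=True, default_flow_style=False))
        else:
            result = {}
            if contexts['anchore_db'].check():
                result["anchore_db"] = "OK"
            else:
                result["anchore_db"] = "NOTINITIALIZED"

            if anchore_feeds.check():
                result["anchore_feeds"] = "OK"
            else:
                result["anchore_feeds"] = "NOTSYNCED"

            # Scan every analyzer manifest: remember the newest timestamp and the last
            # image for which some analyzer module did not report SUCCESS.
            afailed = False
            latest = 0
            for imageId in contexts['anchore_db'].load_all_images().keys():
                amanifest = anchore_utils.load_analyzer_manifest(imageId)
                for module_name in amanifest.keys():
                    try:
                        if amanifest[module_name]['timestamp'] > latest:
                            latest = amanifest[module_name]['timestamp']
                        if amanifest[module_name]['status'] != 'SUCCESS':
                            analyzer_failed_imageId = imageId
                            afailed = True
                    except Exception:
                        # Best effort: a manifest entry without the expected fields is
                        # skipped. `Exception` (not a bare except) so that SystemExit and
                        # KeyboardInterrupt are no longer swallowed here.
                        pass

            if latest == 0:
                result["analyzer_status"] = "NODATA"
            elif afailed:
                result["analyzer_status"] = "FAIL ("+analyzer_failed_imageId+")"
                result["analyzer_latest_run"] = time.ctime(latest)
            else:
                result["analyzer_status"] = "OK"
                result["analyzer_latest_run"] = time.ctime(latest)

            anchore_print(result, do_formatting=True)

    except Exception:
        # The cause is deliberately not echoed; only a generic failure line is printed.
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)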
Beispiel #31
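def policybundle(anchore_config):
    # Store the configuration object in the module-level `config`.
    # The former `success`/`emsg`/`ecode` locals and the `if not success` branch were
    # removed: `success` was always True, so the branch could never run.
    # (Documented with comments, not a docstring: if this function is registered as a
    # CLI command - not visible here - a docstring would become its help text.)
    global config
    config = anchore_config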
Beispiel #32
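def policybundle(anchore_config):
    # Publishes the given configuration object as the module-level `config`.
    # Dead code dropped: `success` was hard-wired to True, which made the error branch
    # (and the `emsg`/`ecode` locals feeding it) unreachable.
    # (Comments instead of a docstring, in case the function is exposed as a CLI
    # command whose help text is taken from the docstring - not visible here.)
    global config
    config = anchore_config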
Beispiel #33
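def sync_catalog():
    """
    Updates the local catalog with the latest from the Anchore web service. Pulls CVE data, analysis metadata for images
    subscribed to as well as updates to subscribed images directly from Docker Hub.
    """

    try:
        working_catalog.pull()
    except Exception:
        # `Exception` instead of a bare except: Ctrl-C and SystemExit are no longer
        # reported as a failed sync.
        anchore_print_err('Catalog sync failed')
        # The bare `exit` name is only injected by the site module (absent under
        # `python -S`); raising SystemExit gives the same exit status without it.
        raise SystemExit(1)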
Beispiel #34
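def sync_catalog():
    """
    Updates the local catalog with the latest from the Anchore web service. Pulls CVE data, analysis metadata for images
    subscribed to as well as updates to subscribed images directly from Docker Hub.
    """

    try:
        working_catalog.pull()
    except Exception:
        # Narrowed from a bare except so that KeyboardInterrupt/SystemExit propagate
        # instead of being turned into a "sync failed" message.
        anchore_print_err('Catalog sync failed')
        # SystemExit is raised directly; `exit` exists only when the site module ran.
        raise SystemExit(1)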
Beispiel #35
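def list(showgroups):
    """
    Show list of Anchore data feeds.
    """

    ecode = 0
    try:
        result = {}
        subscribed = {}
        available = {}
        unavailable = {}
        current_user_data = contexts['anchore_auth']['user_info']
        feedmeta = anchore_feeds.load_anchore_feedmeta()

        # This function is itself named `list`, so within this module the name does not
        # resolve to the builtin. The previous `list(...)` calls therefore re-entered this
        # command instead of building a list; comprehensions are used instead.
        for feed in feedmeta.keys():
            if feedmeta[feed]['subscribed']:
                subscribed[feed] = {}
                subscribed[feed]['description'] = feedmeta[feed]['description']
                if showgroups:
                    subscribed[feed]['groups'] = [group for group in feedmeta[feed]['groups'].keys()]

            else:
                # No user info means tier 0.
                if current_user_data:
                    tier = int(current_user_data['tier'])
                else:
                    tier = 0

                # The tier comparison only decides under which heading the feed is listed.
                if int(feedmeta[feed]['access_tier']) > tier:
                    collection = unavailable
                else:
                    collection = available

                collection[feed] = {}

                collection[feed]['description'] = feedmeta[feed]['description']
                # Identity test: the question is which bucket was chosen, not whether the
                # two dicts happen to compare equal.
                if showgroups and collection is available:
                    collection[feed]['groups'] = [group for group in feedmeta[feed]['groups'].keys()]

        # Empty sections are left out of the output.
        if available:
            result['Available'] = available
        if subscribed:
            result['Subscribed'] = subscribed
        if unavailable:
            result['Unavailable/Insufficient Access Tier'] = unavailable

        anchore_print(result, do_formatting=True)
    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)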
Beispiel #36
def list(showgroups):
    """
    Show list of Anchore data feeds.
    """

    ecode = 0
    try:
        subscribed = {}
        available = {}
        unavailable = {}
        current_user_data = contexts['anchore_auth']['user_info']
        feedmeta = anchore_feeds.load_anchore_feedmeta()

        for feed in feedmeta.keys():
            meta = feedmeta[feed]

            if meta['subscribed']:
                entry = {'description': meta['description']}
                if showgroups:
                    entry['groups'] = meta['groups'].keys()
                subscribed[feed] = entry
                continue

            # Not subscribed: compare the feed's tier with the user's (0 without user info).
            # The comparison only selects the heading the feed is listed under.
            tier = int(current_user_data['tier']) if current_user_data else 0
            accessible = not (int(meta['access_tier']) > tier)
            bucket = available if accessible else unavailable

            bucket[feed] = {'description': meta['description']}
            # Group names are shown only for feeds the user could subscribe to.
            if showgroups and accessible:
                bucket[feed]['groups'] = meta['groups'].keys()

        # Only non-empty sections appear in the output.
        result = {}
        for heading, section in (('Available', available),
                                 ('Subscribed', subscribed),
                                 ('Unavailable/Insufficient Access Tier', unavailable)):
            if section:
                result[heading] = section

        anchore_print(result, do_formatting=True)
    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)
Beispiel #37
def init_nav_contexts():
    # Build and return a Navigator for the module-level `imagelist`; on any failure print
    # an error, clear the shared image context and exit with status 1.
    try:
        # The config object is taken from the current click context, so this only works
        # while a click command is executing.
        click_ctx = click.get_current_context()
        return navigator.Navigator(anchore_config=click_ctx.obj, imagelist=imagelist, allimages=contexts['anchore_allimages'])
    except Exception:
        anchore_print_err("explore operation failed")

    # Reached only when construction failed (the success path returned above).
    contexts['anchore_allimages'].clear()
    sys.exit(1)
Beispiel #38
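def sync(anchore_config):
    """
    Synchronization of images and metadata with the Anchore web service and image sources.

    The first command run on a new installation of anchore must be 'anchore sync catalog' to initialize the local system.
    See the catalog subcommand help for more information.
    """

    # Initialize the registry object
    global working_catalog
    try:
        working_catalog = AnchoreCatalog(config=anchore_config)
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit are not reported
        # as an initialization failure.
        anchore_print_err('Failed to initialize catalog internal structures. Cannot continue')
        # `exit` is provided by the site module only; SystemExit works without it.
        raise SystemExit(1)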
Beispiel #39
def restore(inputfile, destination_root):
    """
    Restore an anchore installation from a previously backed up tar file.
    """

    exit_status = 1
    try:
        backup_name = str(inputfile.name)
        anchore_print('Restoring anchore system from backup file %s ...' % (backup_name))
        # NOTE(review): config.restore is not visible here. If it unpacks the archive,
        # confirm that member paths are confined to destination_root before trusting
        # backup files from another host.
        config.restore(destination_root, inputfile)
        anchore_print("Anchore restored.")
        exit_status = 0
    except Exception:
        # Only a generic message is printed; the underlying error is discarded.
        anchore_print_err('operation failed')

    sys.exit(exit_status)
Beispiel #40
def backup(outputdir):
    """
    Backup an anchore installation to a tarfile.
    """

    exit_status = 1
    try:
        target = str(outputdir)
        anchore_print('Backing up anchore system to directory '+target+' ...')
        # NOTE(review): what config.backup puts into the archive is not visible here; if it
        # includes stored credentials, the output directory needs matching protection - confirm.
        tarball = config.backup(outputdir)
        # The archive path is reported as a one-key mapping.
        anchore_print({"anchore_backup_tarball":str(tarball)}, do_formatting=True)
        exit_status = 0
    except Exception:
        anchore_print_err('operation failed')

    sys.exit(exit_status)
Beispiel #41
def toolbox(anchore_config, ctx, image, imageid):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>

    """

    global config, imagelist, nav

    config = anchore_config
    ecode = 0

    try:
        # Turn the command-line selection into the module-level list of imageIds.
        if image:
            imagelist = [image]
            # Any error from the lookup (ValueError included) reaches the handler below.
            imagelist = anchore_utils.discover_imageIds(imagelist)
        elif imageid:
            # A raw imageId is accepted only as exactly 64 hexadecimal characters.
            is_hex64 = len(imageid) == 64 and not re.findall("[^0-9a-fA-F]+",imageid)
            if not is_hex64:
                raise Exception("input is not a valid imageId (64 characters, a-f, A-F, 0-9)")
            imagelist = [imageid]
        else:
            imagelist = []

        # Every subcommand except these needs an image and a Navigator built for it.
        needs_image = ctx.invoked_subcommand not in ['import', 'delete', 'kubesync', 'images', 'show']
        if needs_image:
            if not imagelist:
                raise Exception("for this operation, you must specify an image with '--image' or '--imageid'")
            try:
                nav = navigator.Navigator(anchore_config=config, imagelist=imagelist, allimages=contexts['anchore_allimages'])
            except Exception:
                # Leave the global unset so subcommands see "no navigator", then fail.
                nav = None
                raise

    except Exception:
        # The specific message raised above is not shown; only this generic line is printed.
        anchore_print_err('operation failed')
        ecode = 1

    # On success control returns to the caller so the selected subcommand can run.
    if ecode:
        sys.exit(ecode)
Beispiel #42
def restore(inputfile, destination_root):
    """
    Restore an anchore installation from a previously backed up tar file.
    """

    failed = True
    try:
        source_name = str(inputfile.name)
        anchore_print('Restoring anchore system from backup file %s ...' % (source_name))
        # NOTE(review): archive handling happens inside config.restore, which is not shown.
        # Verify that it rejects members resolving outside destination_root.
        config.restore(destination_root, inputfile)
        anchore_print("Anchore restored.")
        failed = False
    except Exception:
        # The error detail is dropped; callers only get the generic message and status 1.
        anchore_print_err('operation failed')

    sys.exit(1 if failed else 0)
Beispiel #43
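def show(feed):
    """
    Show detailed feed information

    """
    def _iso_or_none(group, key):
        # ISO-8601 rendering of an epoch timestamp, or the string 'None' when absent.
        if key in group:
            return datetime.datetime.fromtimestamp(group.get(key)).isoformat()
        return 'None'

    ecode = 0
    try:
        feedmeta = anchore_feeds.load_anchore_feedmeta()
        if feed in feedmeta:
            meta = feedmeta[feed]
            result = {}
            result['name'] = feed
            result['access_tier'] = int(meta.get('access_tier'))
            result['description'] = meta.get('description')
            result['groups'] = {}
            # A feed without a 'subscribed' key is reported as not subscribed.
            result['subscribed'] = meta['subscribed'] if 'subscribed' in meta else False

            # The values are iterated directly; this also avoids calling `list(...)`,
            # which a sibling command named `list` would shadow (presumably the same
            # module - confirm).
            for g in meta.get('groups', {}).values():
                result['groups'][g['name']] = {
                    'access_tier': int(g.get('access_tier')),
                    'description': g.get('description'),
                    'last_update': _iso_or_none(g, 'last_update'),
                    'prev_update': _iso_or_none(g, 'prev_update'),
                }

            anchore_print(result, do_formatting=True)
        else:
            # Message typo fixed ("withe the" -> "with the").
            anchore_print_err(
                'Unknown feed name. Valid feeds can be seen with the "list" command'
            )
            ecode = 1
    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)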
Beispiel #44
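def sync(anchore_config):
    """
    Synchronization of images and metadata with the Anchore web service and image sources.

    The first command run on a new installation of anchore must be 'anchore sync catalog' to initialize the local system.
    See the catalog subcommand help for more information.
    """

    # Initialize the registry object
    global working_catalog
    try:
        working_catalog = AnchoreCatalog(config=anchore_config)
    except Exception:
        # `Exception` rather than a bare except: interrupts and SystemExit pass through.
        anchore_print_err(
            'Failed to initialize catalog internal structures. Cannot continue'
        )
        # Raised directly because the `exit` helper exists only when the site module ran.
        raise SystemExit(1)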
Beispiel #45
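def show_familytree():
    """Show image family tree image IDs"""
    # Without a navigator there is nothing to query; exit with an error status.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.run_query(['show-familytree', 'all'])
        if result:
            anchore_utils.print_result(config, result)
    except Exception:
        # Narrowed from a bare except so SystemExit/KeyboardInterrupt are not masked.
        anchore_print_err("operation failed")
        ecode = 1
    finally:
        # The shared image context is cleared on every path, as before.
        contexts['anchore_allimages'].clear()

    sys.exit(ecode)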
Beispiel #46
def logout(anchore_config):
    """
    Log out of Anchore service
    """
    ecode = 0
    try:
        session = contexts['anchore_auth']
        if session:
            # Order matters: the session is invalidated first, the local auth file is
            # deleted second. NOTE(review): if invalidation raises, the auth file stays
            # on disk and the command reports failure.
            anchore_auth.anchore_auth_invalidate(session)
            if 'auth_file' in session:
                os.remove(session['auth_file'])
        # Printed even when there was no session to invalidate.
        print "Logout successful."
    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)
Beispiel #47
def init_nav_contexts():
    # Returns a Navigator for the module-level `imagelist`, or - when construction fails -
    # prints an error, clears the shared image context and exits with status 1.
    try:
        # Relies on being called while a click command is running: the config object is
        # read from the active click context.
        cfg = click.get_current_context().obj
        return navigator.Navigator(
            anchore_config=cfg,
            imagelist=imagelist,
            allimages=contexts['anchore_allimages'],
        )
    except Exception:
        anchore_print_err("explore operation failed")

    # Failure path only; success returned from inside the try block.
    contexts['anchore_allimages'].clear()
    sys.exit(1)
Beispiel #48
def backup(outputdir):
    """
    Backup an anchore installation to a tarfile.
    """

    failed = True
    try:
        destination = str(outputdir)
        anchore_print('Backing up anchore system to directory ' + destination + ' ...')
        # NOTE(review): the archive contents are decided by config.backup (not shown); check
        # whether credentials end up in it and restrict access to the output directory if so.
        archive = config.backup(outputdir)
        report = {"anchore_backup_tarball": str(archive)}
        anchore_print(report, do_formatting=True)
        failed = False
    except Exception:
        anchore_print_err('operation failed')

    sys.exit(1 if failed else 0)
Beispiel #49
def logout(anchore_config):
    """
    Log out of Anchore service
    """
    ecode = 0
    try:
        auth_ctx = contexts['anchore_auth']
        if auth_ctx:
            # Invalidate the session, then remove the local auth file if one is recorded.
            # NOTE(review): a failure in the first step skips the file removal, leaving
            # the stored credentials in place.
            anchore_auth.anchore_auth_invalidate(auth_ctx)
            if 'auth_file' in auth_ctx:
                os.remove(auth_ctx['auth_file'])
        # Also printed when no auth context existed.
        print "Logout successful."
    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)
Beispiel #50
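def show_familytree():
    """Show image family tree image IDs"""
    # No navigator means no image was set up for this command; exit with status 1.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_familytree()
        if result:
            anchore_utils.print_result(config, result)
    except Exception:
        # Was a bare except, which also caught SystemExit and KeyboardInterrupt.
        anchore_print_err("operation failed")
        ecode = 1
    finally:
        # Clear the shared image context whatever happened above.
        contexts['anchore_allimages'].clear()

    sys.exit(ecode)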
Beispiel #51
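def show_dockerfile():
    """Generate (or display actual) image Dockerfile"""

    # Nothing to query without a navigator.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.run_query(['show-dockerfile', 'all'])
        if result:
            anchore_utils.print_result(config, result)
    except Exception:
        # Narrowed from a bare except; interrupts and SystemExit now propagate.
        anchore_print_err("operation failed")
        ecode = 1
    finally:
        # The shared image context is cleared on success, failure and interrupt alike.
        contexts['anchore_allimages'].clear()

    sys.exit(ecode)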
Beispiel #52
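def show_dockerfile():
    """Generate (or display actual) image Dockerfile"""

    # Exit early with an error status when no navigator is available.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.run_query(['show-dockerfile', 'all'])
        if result:
            anchore_utils.print_result(config, result)
    except Exception:
        # `Exception` instead of a bare except, so Ctrl-C is not reported as a failure.
        anchore_print_err("operation failed")
        ecode = 1
    finally:
        # Always clear the shared image context before exiting.
        contexts['anchore_allimages'].clear()

    sys.exit(ecode)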
Beispiel #53
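def show_layers():
    """Show image layer IDs"""

    # Without a navigator the query cannot run.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.run_query(['show-layers', 'all'])
        if result:
            anchore_utils.print_result(config, result)
    except Exception:
        # Narrowed from a bare except so SystemExit/KeyboardInterrupt are not swallowed.
        anchore_print_err("operation failed")
        ecode = 1
    finally:
        # Clear the shared image context on every exit path.
        contexts['anchore_allimages'].clear()

    sys.exit(ecode)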
Beispiel #54
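def generate_dockerfile():
    """Generate (or display actual) image Dockerfile"""

    # No navigator, no image to work on.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_dockerfile_contents()
        if result:
            # 'raw' output mode: the contents are passed to the printer unformatted.
            anchore_utils.print_result(config, result, outputmode='raw')
    except Exception:
        # Was a bare except; interrupts and SystemExit are no longer caught here.
        anchore_print_err("operation failed")
        ecode = 1
    finally:
        # The shared image context is cleared regardless of the outcome.
        contexts['anchore_allimages'].clear()

    sys.exit(ecode)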
Beispiel #55
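def show_taghistory():
    """Show history of all known repo/tags for image"""

    # Exit with an error status when no navigator has been set up.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_taghistory()
        if result:
            anchore_utils.print_result(config, result)
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt/SystemExit propagate.
        anchore_print_err("operation failed")
        ecode = 1
    finally:
        # Clear the shared image context on all paths.
        contexts['anchore_allimages'].clear()

    sys.exit(ecode)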
Beispiel #56
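def visualize():
    """
    Visualization provides a graphical representation of the relationship between images.

    Output is a set of image files in the tmp dir specified in the anchore config.yaml file or /tmp by default.

    """
    ecode = 0
    try:
        # Only the visualizer half of the pair is used here.
        _, vis = init_nav_vis_contexts()
        vis.run()
    except Exception:
        # Narrowed from a bare except: a SystemExit raised while setting up the contexts
        # (init_nav_vis_contexts is not shown - confirm) is no longer caught and reported
        # a second time.
        anchore_print_err("visualize operation failed")
        ecode = 1
    finally:
        # The shared image context is cleared on every path.
        contexts['anchore_allimages'].clear()

    sys.exit(ecode)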
Beispiel #57
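def show_taghistory():
    """Show history of all known repo/tags for image"""

    # A missing navigator means there is no image to report on.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_taghistory()
        if result:
            anchore_utils.print_result(config, result)
    except Exception:
        # `Exception` replaces a bare except that also trapped SystemExit and Ctrl-C.
        anchore_print_err("operation failed")
        ecode = 1
    finally:
        # Always clear the shared image context before leaving.
        contexts['anchore_allimages'].clear()

    sys.exit(ecode)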
Beispiel #58
def sync(infile, outfile):
    """
    Sync (download) latest policies from the Anchore.io service.

    """

    ecode = 0
    try:
        ok, reply = anchore_policy.sync_policymeta(bundlefile=infile, outfile=outfile)
        if ok:
            # With '-' as the output file the returned text is printed to the console.
            if outfile == '-':
                anchore_print(reply['text'])
        else:
            # On failure the returned text is shown as the error message.
            anchore_print_err(reply['text'])
            ecode = 1
    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    sys.exit(ecode)
Beispiel #59
def show():
    """Show image summary information"""

    ecode = 0
    try:
        summary = collections.OrderedDict()
        target_id = imagelist[0]
        record = contexts['anchore_db'].load_image(target_id)
        if not record:
            raise Exception("cannot locate input image in anchore DB")

        meta = record['meta']
        current_tags = record['anchore_current_tags']
        distro_info = anchore_utils.get_distro_from_imageId(target_id)
        distro_name = distro_info['DISTRO']
        distro_version = distro_info['DISTROVERS']
        # The first family-tree entry is reported as the base image.
        base_id = record['familytree'][0]

        # pop() takes each value out of the loaded meta dict, with "N/A" when it is missing.
        summary['IMAGEID'] = meta.pop('imageId', "N/A")
        summary['REPOTAGS'] = current_tags
        summary['DISTRO'] = distro_name
        summary['DISTROVERS'] = distro_version
        summary['HUMANNAME'] = meta.pop('humanname', "N/A")
        summary['SHORTID'] = meta.pop('shortId', "N/A")
        summary['PARENTID'] = meta.pop('parentId', "N/A")
        summary['BASEID'] = base_id
        summary['IMAGETYPE'] = meta.pop('usertype', "N/A")

        # One KEY='value' line per field; list values are joined with spaces.
        # NOTE(review): values are not quote-escaped. If a consumer evaluates these lines as
        # shell assignments (confirm how the output is used), a value containing a single
        # quote would break the quoting.
        for field, value in summary.items():
            if type(value) is list:
                text = ' '.join(value)
            else:
                text = str(value)
            print field+"='"+text+"'"

    except Exception:
        anchore_print_err("operation failed")
        ecode = 1

    contexts['anchore_allimages'].clear()

    sys.exit(ecode)
Beispiel #60
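def report():
    """
    Show analysis report of the specified image(s).

    The analysis report includes information on:

    \b
    Image Id - The image id (as a hash)

    Type - The type of image (--imagetype option used when anchore analyze was run)

    CurrentTags - The current set of repo tags on the image

    AllTags - The set of all repo tags that have been on the image during analysis passes

    GateStatus - The overall aggregate gate output status: GO|STOP|WARN

    Size - The size in bytes of the image on disk

    Counts - The counts for various attributes of the images such as packages, files, and suid files

    BaseDiffs - Differences of this image from its base image

    Report outputs these entries in a table format by default.
    """
    ecode = 0

    try:
        nav = init_nav_contexts()
        result = nav.generate_reports()

        if result:
            anchore_utils.print_result(config, result)

    except Exception:
        # Narrowed from a bare except so that SystemExit and KeyboardInterrupt raised
        # inside the try block propagate instead of being reported as "operation failed".
        anchore_print_err("operation failed")
        ecode = 1
    finally:
        # The shared image context is cleared on every path.
        contexts['anchore_allimages'].clear()

    sys.exit(ecode)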