def test_have_vulnerabilities_for(test_data_env):
_init_distro_mappings()
sync_feeds(test_data_env)
failz = DistroNamespace(name='somecrzy', version='8', like_distro='debian')
passes = DistroNamespace(name='debian', version='8', like_distro='debian')
assert not vulnerabilities.have_vulnerabilities_for(failz), 'Should not have vulns for ' + failz.namespace_name
assert vulnerabilities.have_vulnerabilities_for(passes), 'Should have vulns for ' + passes.namespace_name
def test_namespace_support(test_data_env):
_init_distro_mappings()
sync_feeds(test_data_env)
# Not exhaustive, only for the feeds directly in the test data set
expected = [
DistroNamespace(name='alpine', version='3.6', like_distro='alpine'),
DistroNamespace(name='centos', version='7', like_distro='centos'),
DistroNamespace(name='centos', version='7.1', like_distro='centos'),
DistroNamespace(name='centos', version='7.3', like_distro='centos'),
DistroNamespace(name='ol', version='7.3', like_distro='centos'),
DistroNamespace(name='rhel', version='7.1', like_distro='centos'),
DistroNamespace(name='debian', version='9', like_distro='debian'),
DistroNamespace(name='ubuntu', version='16.10', like_distro='ubuntu')
]
fail = [
DistroNamespace(name='alpine', version='3.1', like_distro='alpine'),
DistroNamespace(name='alpine', version='3.1.1', like_distro='alpine'),
DistroNamespace(name='busybox', version='3', like_distro='busybox'),
DistroNamespace(name='linuxmint', version='16', like_distro='debian'),
DistroNamespace(name='redhat', version='6', like_distro='centos'),
DistroNamespace(name='ubuntu', version='1.0', like_distro='ubuntu'),
DistroNamespace(name='centos', version='1.0', like_distro='ubuntu'),
DistroNamespace(name='debian', version='1.0', like_distro='ubuntu'),
DistroNamespace(name='rhel', version='1.0', like_distro='ubuntu'),
DistroNamespace(name='busybox', version='1.0', like_distro='busybox'),
DistroNamespace(name='alpine', version='11.0', like_distro='ubuntu'),
DistroNamespace(name='fedora', version='25', like_distro='fedora'),
DistroNamespace(name='mageia', version='5', like_distro='mandriva,fedora')
]
for i in expected:
if not vulnerabilities.have_vulnerabilities_for(i):
raise Exception('Bad failure: {}'.format(i.namespace_name))
for i in fail:
if vulnerabilities.have_vulnerabilities_for(i):
raise Exception('Should not have data for {}'.format(i.namespace_name))
def evaluate(self, image_obj, context):
if not have_vulnerabilities_for(DistroNamespace.for_obj(image_obj)):
self._fire(
msg=
"Feed data unavailable, cannot perform CVE scan for distro: " +
str(image_obj.distro_namespace))
def get_image_vulnerabilities(user_id, image_id, force_refresh=False):
"""
Return the vulnerability listing for the specified image and load from catalog if not found and specifically asked
to do so.
Example json output:
{
"multi" : {
"url_column_index" : 7,
"result" : {
"rows" : [],
"rowcount" : 0,
"colcount" : 8,
"header" : [
"CVE_ID",
"Severity",
"*Total_Affected",
"Vulnerable_Package",
"Fix_Available",
"Fix_Images",
"Rebuild_Images",
"URL"
]
},
"querycommand" : "/usr/lib/python2.7/site-packages/anchore/anchore-modules/multi-queries/cve-scan.py /ebs_data/anchore/querytmp/queryimages.7026386 /ebs_data/anchore/data /ebs_data/anchore/querytmp/query.59057288 all",
"queryparams" : "all",
"warns" : [
"0005b136f0fb (prom/prometheus:master) cannot perform CVE scan: no CVE data is currently available for the detected base distro type (busybox:unknown_version,busybox:v1.26.2)"
]
}
}
:param user_id: user id of image to evaluate
:param image_id: image id to evaluate
:param force_refresh: if true, flush and recompute vulnerabilities rather than returning current values
:return:
"""
# Has image?
db = get_session()
try:
img = db.query(Image).get((image_id, user_id))
vulns = []
if not img:
abort(404)
else:
if force_refresh:
log.info('Forcing refresh of vulnerabiltiies for {}/{}'.format(user_id, image_id))
try:
current_vulns = img.vulnerabilities()
log.info('Removing {} current vulnerabilities for {}/{} to rescan'.format(len(current_vulns), user_id, image_id))
for v in current_vulns:
db.delete(v)
db.flush()
vulns = vulnerabilities_for_image(img)
log.info('Adding {} vulnerabilities from rescan to {}/{}'.format(len(vulns), user_id, image_id))
for v in vulns:
db.add(v)
db.commit()
except Exception as e:
log.exception('Error refreshing cve matches for image {}/{}'.format(user_id, image_id))
db.rollback()
abort(Response('Error refreshing vulnerability listing for image.', 500))
db = get_session()
db.refresh(img)
else:
vulns = img.vulnerabilities()
# Has vulnerabilities?
warns = []
if not vulns:
vulns = []
ns = DistroNamespace.for_obj(img)
if not have_vulnerabilities_for(ns):
warns = ['No vulnerability data available for image distro: {}'.format(ns.namespace_name)]
rows = []
for vuln in vulns:
# if vuln.vulnerability.fixed_in:
# fixes_in = filter(lambda x: x.name == vuln.pkg_name or x.name == vuln.package.normalized_src_pkg,
# vuln.vulnerability.fixed_in)
# fix_available_in = fixes_in[0].version if fixes_in else 'None'
# else:
# fix_available_in = 'None'
rows.append([
vuln.vulnerability_id,
vuln.vulnerability.severity,
1,
vuln.pkg_name + '-' + vuln.package.fullversion,
str(vuln.fixed_in()),
vuln.pkg_image_id,
'None', # Always empty this for now
vuln.vulnerability.link
]
)
vuln_listing = {
'multi': {
'url_column_index': 7,
'result': {
'header': TABLE_STYLE_HEADER_LIST,
'rowcount': len(rows),
'colcount': len(TABLE_STYLE_HEADER_LIST),
'rows': rows
},
'warns': warns
}
}
report = LegacyVulnerabilityReport.from_dict(vuln_listing)
resp = ImageVulnerabilityListing(user_id=user_id, image_id=image_id, legacy_report=report)
return resp.to_dict()
except HTTPException:
db.rollback()
raise
except Exception as e:
log.exception('Error checking image {}, {} for vulnerabiltiies. Rolling back'.format(user_id, image_id))
db.rollback()
abort(500)
finally:
db.close()
def get_image_vulnerabilities(user_id,
image_id,
force_refresh=False,
vendor_only=True):
"""
Return the vulnerability listing for the specified image and load from catalog if not found and specifically asked
to do so.
Example json output:
{
"multi" : {
"url_column_index" : 7,
"result" : {
"rows" : [],
"rowcount" : 0,
"colcount" : 8,
"header" : [
"CVE_ID",
"Severity",
"*Total_Affected",
"Vulnerable_Package",
"Fix_Available",
"Fix_Images",
"Rebuild_Images",
"URL"
]
},
"querycommand" : "/usr/lib/python2.7/site-packages/anchore/anchore-modules/multi-queries/cve-scan.py /ebs_data/anchore/querytmp/queryimages.7026386 /ebs_data/anchore/data /ebs_data/anchore/querytmp/query.59057288 all",
"queryparams" : "all",
"warns" : [
"0005b136f0fb (prom/prometheus:master) cannot perform CVE scan: no CVE data is currently available for the detected base distro type (busybox:unknown_version,busybox:v1.26.2)"
]
}
}
:param user_id: user id of image to evaluate
:param image_id: image id to evaluate
:param force_refresh: if true, flush and recompute vulnerabilities rather than returning current values
:param vendor_only: if true, filter out the vulnerabilities that vendors will explicitly not address
:return:
"""
# Has image?
db = get_session()
try:
img = db.query(Image).get((image_id, user_id))
vulns = []
if not img:
abort(404)
else:
if force_refresh:
log.info('Forcing refresh of vulnerabiltiies for {}/{}'.format(
user_id, image_id))
try:
vulns = rescan_image(img, db_session=db)
db.commit()
except Exception as e:
log.exception(
'Error refreshing cve matches for image {}/{}'.format(
user_id, image_id))
db.rollback()
abort(
Response(
'Error refreshing vulnerability listing for image.',
500))
db = get_session()
db.refresh(img)
vulns = img.vulnerabilities()
# Has vulnerabilities?
warns = []
if not vulns:
vulns = []
ns = DistroNamespace.for_obj(img)
if not have_vulnerabilities_for(ns):
warns = [
'No vulnerability data available for image distro: {}'.
format(ns.namespace_name)
]
rows = []
for vuln in vulns:
# if vuln.vulnerability.fixed_in:
# fixes_in = filter(lambda x: x.name == vuln.pkg_name or x.name == vuln.package.normalized_src_pkg,
# vuln.vulnerability.fixed_in)
# fix_available_in = fixes_in[0].version if fixes_in else 'None'
# else:
# fix_available_in = 'None'
# Skip the vulnerability if the vendor_only flag is set to True and the issue won't be addressed by the vendor
if vendor_only and vuln.fix_has_no_advisory():
continue
rows.append([
vuln.vulnerability_id,
vuln.vulnerability.severity,
1,
vuln.pkg_name + '-' + vuln.package.fullversion,
str(vuln.fixed_in()),
vuln.pkg_image_id,
'None', # Always empty this for now
vuln.vulnerability.link,
vuln.pkg_type,
'vulnerabilities',
vuln.vulnerability.namespace_name,
vuln.pkg_name,
vuln.package.fullversion,
])
vuln_listing = {
'multi': {
'url_column_index': 7,
'result': {
'header': TABLE_STYLE_HEADER_LIST,
'rowcount': len(rows),
'colcount': len(TABLE_STYLE_HEADER_LIST),
'rows': rows
},
'warns': warns
}
}
cpe_vuln_listing = []
try:
all_cpe_matches = db.query(
ImageCpe,
CpeVulnerability).filter(ImageCpe.image_id == image_id).filter(
ImageCpe.name == CpeVulnerability.name).filter(
ImageCpe.version == CpeVulnerability.version)
if not all_cpe_matches:
all_cpe_matches = []
cpe_hashes = {}
for image_cpe, vulnerability_cpe in all_cpe_matches:
cpe_vuln_el = {
'vulnerability_id': vulnerability_cpe.vulnerability_id,
'severity': vulnerability_cpe.severity,
'link': vulnerability_cpe.link,
'pkg_type': image_cpe.pkg_type,
'pkg_path': image_cpe.pkg_path,
'name': image_cpe.name,
'version': image_cpe.version,
'cpe': image_cpe.get_cpestring(),
'feed_name': vulnerability_cpe.feed_name,
'feed_namespace': vulnerability_cpe.namespace_name,
}
cpe_hash = hashlib.sha256(
utils.ensure_bytes(json.dumps(cpe_vuln_el))).hexdigest()
if not cpe_hashes.get(cpe_hash, False):
cpe_vuln_listing.append(cpe_vuln_el)
cpe_hashes[cpe_hash] = True
except Exception as err:
log.warn("could not fetch CPE matches - exception: " + str(err))
report = LegacyVulnerabilityReport.from_dict(vuln_listing)
resp = ImageVulnerabilityListing(user_id=user_id,
image_id=image_id,
legacy_report=report,
cpe_report=cpe_vuln_listing)
return resp.to_dict()
except HTTPException:
db.rollback()
raise
except Exception as e:
log.exception(
'Error checking image {}, {} for vulnerabiltiies. Rolling back'.
format(user_id, image_id))
db.rollback()
abort(500)
finally:
db.close()
def evaluate(self, image_obj, context):
if not have_vulnerabilities_for(DistroNamespace.for_obj(image_obj)):
self._fire(msg="UNSUPPORTEDDISTRO cannot perform CVE scan: " +
str(image_obj.distro_namespace))
