def scan_cve(self, image, scan_args):
'''
Wrapper function for scanning a container or image
'''
# Mount the temporary image/container to the dir
DM = DockerMount(self.mnt_dir, mnt_mkdir=True)
_tmp_mnt_dir = DM.mount(image)
# Remeber actual mounted fs in 'rootfs'
chroot = os.path.join(_tmp_mnt_dir, 'rootfs')
# Figure out which RHEL dist is in the chroot
dist = self.helper._get_dist(chroot)
# Fetch the CVE input data for the dist
fetch = getInputCVE(self.tmp_dir)
# TODO
# This should probably be in a try/except
fetch._fetch_single(dist)
# Scan the chroot
sys.stdout.write(self.helper._scan_cve(chroot, dist, scan_args))
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir)
def scan_cve(self, image, scan_args):
'''
Wrapper function for scanning a container or image
'''
# Mount the temporary image/container to the dir
DM = DockerMount(self.mnt_dir, mnt_mkdir=True)
_tmp_mnt_dir = DM.mount(image)
# Remeber actual mounted fs in 'rootfs'
chroot = os.path.join(_tmp_mnt_dir, 'rootfs')
# Figure out which RHEL dist is in the chroot
dist = self.helper._get_dist(chroot)
# Fetch the CVE input data for the dist
fetch = getInputCVE(self.tmp_dir)
# TODO
# This should probably be in a try/except
fetch._fetch_single(dist)
# Scan the chroot
sys.stdout.write(self.helper._scan_cve(chroot, dist, scan_args))
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir)
def scan(self):
logging.debug("Scanning chroot {0}".format(self.image_name))
hostname = open("/etc/hostname").read().rstrip()
os.environ["OSCAP_PROBE_ARCHITECTURE"] = platform.processor()
os.environ["OSCAP_PROBE_ROOT"] = os.path.join(self.dest, "rootfs")
os.environ["OSCAP_PROBE_OS_NAME"] = platform.system()
os.environ["OSCAP_PROBE_OS_VERSION"] = platform.release()
os.environ["OSCAP_PROBE_"
"PRIMARY_HOST_NAME"] = "{0}:{1}".format(hostname,
self.image_name)
# We only support RHEL 6|7 in containers right now
osc = getInputCVE("/tmp")
if "Red Hat Enterprise Linux" in self.os_release:
if "7." in self.os_release:
self.chroot_cve_file = os.path.join(
self.ac.workdir, osc.dist_cve_name.format("7"))
if "6." in self.os_release:
self.chroot_cve_file = os.path.join(
self.ac.workdir, osc.dist_cve_name.format("6"))
cmd = ['oscap', 'oval', 'eval', '--report',
os.path.join(self.report_dir,
self.image_name + '.html'),
'--results',
os.path.join(self.report_dir,
self.image_name + '.xml'), self.chroot_cve_file]
logging.debug(
"Starting evaluation with command '%s'.",
" ".join(cmd))
try:
self.result = subprocess.check_output(cmd)
except Exception:
pass
def scan(self):
logging.debug("Scanning chroot {0}".format(self.image_name))
hostname = open("/etc/hostname").read().rstrip()
os.environ["OSCAP_PROBE_ARCHITECTURE"] = platform.processor()
os.environ["OSCAP_PROBE_ROOT"] = os.path.join(self.dest, "rootfs")
os.environ["OSCAP_PROBE_OS_NAME"] = platform.system()
os.environ["OSCAP_PROBE_OS_VERSION"] = platform.release()
os.environ["OSCAP_PROBE_"
"PRIMARY_HOST_NAME"] = "{0}:{1}".format(
hostname, self.image_name)
from oscap_docker_python.get_cve_input import getInputCVE
# We only support RHEL 6|7 in containers right now
osc = getInputCVE("/tmp")
if "Red Hat Enterprise Linux" in self.os_release:
if "7." in self.os_release:
self.chroot_cve_file = os.path.join(
self.ac.workdir, osc.dist_cve_name.format("7"))
if "6." in self.os_release:
self.chroot_cve_file = os.path.join(
self.ac.workdir, osc.dist_cve_name.format("6"))
cmd = [
'oscap', 'oval', 'eval', '--report',
os.path.join(self.report_dir,
self.image_name + '.html'), '--results',
os.path.join(self.report_dir, self.image_name + '.xml'),
self.chroot_cve_file
]
logging.debug("Starting evaluation with command '%s'.", " ".join(cmd))
try:
self.result = subprocess.check_output(cmd).decode("utf-8")
except Exception:
pass
def scan_cve(self, scan_args):
'''
Wrapper function for scanning cve of a mounted container
'''
tmp_dir = tempfile.mkdtemp()
# Figure out which RHEL dist is in the chroot
dist = get_dist(self.mountpoint, self.oscap_binary,
self.config["Config"].get("Env", []) or [])
if dist is None:
sys.stderr.write("{0} is not based on RHEL\n".format(
self.image_name or self.container_name))
return None
# Fetch the CVE input data for the dist
fetch = getInputCVE(tmp_dir)
cve_file = fetch._fetch_single(dist)
print("CVEs downloaded in " + cve_file)
args = ("oval", "eval")
for a in scan_args:
args += (a, )
args += (cve_file, )
scan_result = oscap_chroot(
self.mountpoint,
self.oscap_binary,
args,
self.image_name or self.container_name,
self.config["Config"].get("Env", [])
or [] # because Env can exists but be None
)
print(scan_result.stdout)
print(scan_result.stderr, file=sys.stderr)
# cleanup
print("Cleaning temporary files ...")
shutil.rmtree(tmp_dir)
self._end()
return scan_result.returncode
def _do_work(self, image_list):
from oscap_docker_python.get_cve_input import getInputCVE
self.scan_list = image_list
cve_get = getInputCVE(self.image_tmp)
if self.ac.fetch_cve_url != "":
cve_get.url = self.ac.fetch_cve_url
if self.ac.fetch_cve:
cve_get.fetch_dist_data()
threads = []
mnt_dir = tempfile.mkdtemp()
for image in image_list:
if image in self.cs.dead_cids:
raise ImageScannerClientError("Scan not completed. Cannot "
"scan the dead "
"container {0}".format(image))
cids = self._get_cids_for_image(self.cs, image)
t = threading.Thread(target=self.search_containers,
name=image,
args=(
image,
cids,
self.output,
mnt_dir,
))
threads.append(t)
logging.info("Number of containers to scan: {0}".format(len(threads)))
if isinstance(threading.current_thread(), threading._MainThread):
signal.signal(signal.SIGINT, self.signal_handler)
self.threads_complete = 0
self.cur_scan_threads = 0
while len(threads) > 0:
if self.cur_scan_threads < self.procs:
new_thread = threads.pop()
new_thread.start()
self.cur_scan_threads += 1
while self.cur_scan_threads > 0:
time.sleep(1)
pass
os.rmdir(mnt_dir)
if self.failed_scan is not None:
raise ImageScannerClientError(self.failed_scan)
self.output.report_summary()
def scan_cve(self, image, scan_args):
'''
Wrapper function for scanning a container or image
'''
mnt_dir = self._ensure_mnt_dir()
# Mount the temporary image/container to the dir
DM = DockerMount(mnt_dir, mnt_mkdir=True)
try:
_tmp_mnt_dir = DM.mount(image)
except MountError as e:
sys.stderr.write(str(e) + "\n")
return None
try:
chroot = self._find_chroot_path(_tmp_mnt_dir)
# Figure out which RHEL dist is in the chroot
name, conf = self.helper._get_target_name_and_config(image)
dist = get_dist(chroot, self.helper.oscap_binary,
conf.get("Env", []) or [])
if dist is None:
sys.stderr.write("{0} is not based on RHEL\n".format(image))
return None
# Fetch the CVE input data for the dist
fetch = getInputCVE(self.tmp_dir)
fetch._fetch_single(dist)
# Scan the chroot
scan_result = self.helper._scan_cve(chroot, image, dist, scan_args)
print(scan_result.stdout)
print(scan_result.stderr, file=sys.stderr)
finally:
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir, DM)
self._remove_mnt_dir(mnt_dir)
return scan_result.returncode
def _do_work(self, image_list):
from oscap_docker_python.get_cve_input import getInputCVE
self.scan_list = image_list
cve_get = getInputCVE(self.image_tmp)
if self.ac.fetch_cve_url != "":
cve_get.url = self.ac.fetch_cve_url
if self.ac.fetch_cve:
cve_get.fetch_dist_data()
threads = []
mnt_dir = tempfile.mkdtemp()
for image in image_list:
if image in self.cs.dead_cids:
raise ImageScannerClientError("Scan not completed. Cannot "
"scan the dead "
"container {0}".format(image))
cids = self._get_cids_for_image(self.cs, image)
t = threading.Thread(target=self.search_containers, name=image,
args=(image, cids, self.output, mnt_dir,))
threads.append(t)
logging.info("Number of containers to scan: {0}".format(len(threads)))
if isinstance(threading.current_thread(), threading._MainThread):
signal.signal(signal.SIGINT, self.signal_handler)
self.threads_complete = 0
self.cur_scan_threads = 0
while len(threads) > 0:
if self.cur_scan_threads < self.procs:
new_thread = threads.pop()
new_thread.start()
self.cur_scan_threads += 1
while self.cur_scan_threads > 0:
time.sleep(1)
pass
os.rmdir(mnt_dir)
if self.failed_scan is not None:
raise ImageScannerClientError(self.failed_scan)
self.output.report_summary()
def scan_cve(self, image, scan_args):
'''
Wrapper function for scanning a container or image
'''
mnt_dir = self._ensure_mnt_dir()
# Mount the temporary image/container to the dir
DM = DockerMount(mnt_dir, mnt_mkdir=True)
try:
_tmp_mnt_dir = DM.mount(image)
except MountError as e:
sys.stderr.write(str(e) + "\n")
return None
# Remeber actual mounted fs in 'rootfs'
chroot = os.path.join(_tmp_mnt_dir, 'rootfs')
try:
# Figure out which RHEL dist is in the chroot
dist = self.helper._get_dist(chroot)
if dist is None:
sys.stderr.write("{0} is not based on RHEL\n".format(image))
return None
# Fetch the CVE input data for the dist
fetch = getInputCVE(self.tmp_dir)
fetch._fetch_single(dist)
# Scan the chroot
sys.stdout.write(self.helper._scan_cve(chroot, dist, scan_args))
finally:
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir)
self._remove_mnt_dir(mnt_dir)
def scan_cve(self, image, scan_args):
'''
Wrapper function for scanning a container or image
'''
mnt_dir = self._ensure_mnt_dir()
# Mount the temporary image/container to the dir
DM = DockerMount(mnt_dir, mnt_mkdir=True)
try:
_tmp_mnt_dir = DM.mount(image)
except MountError as e:
sys.stderr.write(str(e) + "\n")
return None
# Remeber actual mounted fs in 'rootfs'
chroot = os.path.join(_tmp_mnt_dir, 'rootfs')
try:
# Figure out which RHEL dist is in the chroot
dist = self.helper._get_dist(chroot)
if dist is None:
sys.stderr.write("{0} is not based on RHEL\n".format(image))
return None
# Fetch the CVE input data for the dist
fetch = getInputCVE(self.tmp_dir)
fetch._fetch_single(dist)
# Scan the chroot
sys.stdout.write(self.helper._scan_cve(chroot, dist, scan_args))
finally:
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir)
self._remove_mnt_dir(mnt_dir)