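def query(anchore_config, image, imagefile, include_allanchore, module):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Execute the specified query (module) with any parameters it requires. Modules are scripts in a specific location.

    Each query has its own parameters and outputs.

    Examples using pre-defined queries:

    'anchore query --image nginx:latest list-packages all'
    'anchore query has-package wget'
    'anchore query --image nginx:latest list-files-detail all'
    'anchore query cve-scan all'
    """
    global config, imagelist, nav

    # anchore_config: CLI configuration; published as module-level `config`
    #   so the show_* / report commands can reach it.
    # image / imagefile: image selectors (mutually exclusive).
    # include_allanchore: forwarded to build_image_list.
    # module: query name followed by its arguments.
    # Never returns normally: exits 0 = ok, 1 = failure, 2 = query reported warnings.
    ecode = 0
    config = anchore_config

    if module:
        if image and imagefile:
            raise click.BadOptionUsage('Can only use one of --image, --imagefile')

        try:
            imagedict = build_image_list(anchore_config, image, imagefile,
                                         not (image or imagefile), include_allanchore)
            # resolve user-supplied selectors to canonical image ids;
            # any failure (including a ValueError from discovery) aborts with exit 1
            imagelist = anchore_utils.discover_imageIds(list(imagedict.keys()))
        except Exception as err:
            anchore_print_err("could not load input images: " + str(err))
            sys.exit(1)

        try:
            nav = init_nav_contexts()
            result = nav.run_query(list(module))
            if result:
                anchore_utils.print_result(config, result)
                if nav.check_for_warnings(result):
                    ecode = 2
        except Exception as err:
            # `except Exception` rather than a bare except so SystemExit /
            # KeyboardInterrupt are not swallowed and the cause is reported
            anchore_print_err("query operation failed: " + str(err))
            ecode = 1

    # NOTE(review): cleanup/exit placed at function level (outside `if module:`)
    # as inferred from the flattened source — confirm against the original layout
    contexts['anchore_allimages'].clear()
    sys.exit(ecode)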
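def query(module):
    """
    Execute the specified query (module) with any parameters it requires. Modules are scripts in a specific location.

    Each query has its own parameters and outputs.

    Examples using pre-defined queries:

    Query all images to see which have the package 'wget' installed:
    'anchore explore query has-package wget'
    """
    # module: query name followed by its arguments.
    # Uses the module-level `config` and `contexts`.
    # Never returns normally: exits 0 = ok, 1 = failure, 2 = query reported warnings.
    ecode = 0
    try:
        # the visualiser half of the context pair is not used here
        nav, _vis = init_nav_vis_contexts()
        result = nav.run_query(list(module))
        if result:
            anchore_utils.print_result(config, result)
            if nav.check_for_warnings(result):
                ecode = 2
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("query operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)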
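def query(anchore_config, image, imagefile, include_allanchore, module):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Execute the specified query (module) with any parameters it requires. Modules are scripts in a specific location.

    Each query has its own parameters and outputs.

    Examples using pre-defined queries:

    'anchore query --image nginx:latest list-packages all'
    'anchore query has-package wget'
    'anchore query --image nginx:latest list-files-detail all'
    'anchore query cve-scan all'
    """
    global config, imagelist, nav

    # anchore_config: CLI configuration; published as module-level `config`.
    # image / imagefile: image selectors (mutually exclusive).
    # include_allanchore: forwarded to build_image_list.
    # module: query name followed by its arguments.
    # Never returns normally: exits 0 = ok, 1 = failure, 2 = query reported warnings.
    ecode = 0
    config = anchore_config

    if module:
        if image and imagefile:
            raise click.BadOptionUsage('Can only use one of --image, --imagefile')

        try:
            imagedict = build_image_list(anchore_config, image, imagefile,
                                         not (image or imagefile), include_allanchore)
            # list(...) keeps this a real list rather than a dict view;
            # any failure (including ValueError from discovery) aborts with exit 1
            imagelist = anchore_utils.discover_imageIds(list(imagedict.keys()))
        except Exception as err:
            anchore_print_err("could not load input images: " + str(err))
            sys.exit(1)

        try:
            nav = init_nav_contexts()
            result = nav.run_query(list(module))
            if result:
                anchore_utils.print_result(config, result)
                if nav.check_for_warnings(result):
                    ecode = 2
        except Exception as err:
            # not a bare except: SystemExit / KeyboardInterrupt must propagate
            anchore_print_err("query operation failed: " + str(err))
            ecode = 1

    # NOTE(review): cleanup/exit placed at function level (outside `if module:`)
    # as inferred from the flattened source — confirm against the original layout
    contexts['anchore_allimages'].clear()
    sys.exit(ecode)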
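def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, whitelist):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """
    # anchore_config: CLI configuration object.
    # force: forwarded to the Controller.
    # image / imagefile / include_allanchore: image selection, see build_image_list.
    # editpolicy / whitelist: interactive edit modes; otherwise the gates run.
    # Never returns normally: exits 1 on error, otherwise the highest gate
    # action code from Controller.result_get_highest_action (0 when nothing ran).
    ecode = 0

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile), include_allanchore)
        imagelist = list(imagedict.keys())
    except Exception as err:
        anchore_print_err("could not load any images: " + str(err))
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config,
                                    imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'],
                                    force=force)
    except Exception as err:
        anchore_print_err("gate operation failed: " + str(err))
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates()
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    # NOTE(review): read from flattened source as nested under
                    # `if result:` — confirm
                    ecode = con.result_get_highest_action(result)
            except Exception as err:
                # the error detail is folded into the message instead of a
                # separate Python 2 print statement
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)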
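def show_familytree():
    """Show image family tree image IDs"""
    # Uses the module-level `nav` navigator and `config` (assigned elsewhere
    # in this module, e.g. by `query` via `global`); exits 1 when there is
    # no navigator. Never returns normally: exits 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_familytree()
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)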
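def show_familytree():
    """Show image family tree image IDs"""
    # Delegates to the 'show-familytree' query over all images via the
    # module-level `nav` navigator; `config` is module-level as well.
    # Exits 1 when there is no navigator; otherwise 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.run_query(['show-familytree', 'all'])
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)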
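def show_layers():
    """Show image layer IDs"""
    # Uses the module-level `nav` navigator and `config`; exits 1 when
    # there is no navigator. Never returns normally: 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_layers()
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)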
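def show_dockerfile():
    """Generate (or display actual) image Dockerfile"""
    # Delegates to the 'show-dockerfile' query over all images via the
    # module-level `nav` navigator; `config` is module-level as well.
    # Exits 1 when there is no navigator; otherwise 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.run_query(['show-dockerfile', 'all'])
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)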
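def show_layers():
    """Show image layer IDs"""
    # Delegates to the 'show-layers' query over all images via the
    # module-level `nav` navigator; `config` is module-level as well.
    # Exits 1 when there is no navigator; otherwise 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.run_query(['show-layers', 'all'])
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)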
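def show_dockerfile():
    """Generate (or display actual) image Dockerfile"""
    # Delegates to the 'show-dockerfile' query over all images via the
    # module-level `nav` navigator; `config` is module-level as well.
    # Exits 1 when there is no navigator; otherwise 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.run_query(['show-dockerfile', 'all'])
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)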
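def show_taghistory():
    """Show history of all known repo/tags for image"""
    # Uses the module-level `nav` navigator and `config`; exits 1 when
    # there is no navigator. Never returns normally: 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_taghistory()
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)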
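def generate_dockerfile():
    """Generate (or display actual) image Dockerfile"""
    # Uses the module-level `nav` navigator and `config`; exits 1 when
    # there is no navigator. Output is printed in 'raw' mode because the
    # result is Dockerfile text rather than tabular data.
    # Never returns normally: 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_dockerfile_contents()
        if result:
            anchore_utils.print_result(config, result, outputmode='raw')
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)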
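def generate_dockerfile():
    """Generate (or display actual) image Dockerfile"""
    # Uses the module-level `nav` navigator and `config`; exits 1 when
    # there is no navigator. Output is printed in 'raw' mode because the
    # result is Dockerfile text rather than tabular data.
    # Never returns normally: 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_dockerfile_contents()
        if result:
            anchore_utils.print_result(config, result, outputmode='raw')
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)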
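def show_taghistory():
    """Show history of all known repo/tags for image"""
    # Uses the module-level `nav` navigator and `config`; exits 1 when
    # there is no navigator. Never returns normally: 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_taghistory()
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)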
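def report():
    """
    Show analysis report of the specified image(s).

    The analysis report includes information on:

    \b
    Image Id - The image id (as a hash)
    Type - The type of image (--imagetype option used when anchore analyze was run)
    CurrentTags - The current set of repo tags on the image
    AllTags - The set of all repo tags that have been on the image during analysis passes
    GateStatus - The overall aggregate gate output status: GO|STOP|WARN
    Size - The size in bytes of the image on disk
    Counts - The counts for various attributes of the images such as packages, files, and suid files
    BaseDiffs - Differences of this image from its base image

    Report outputs these entries in a table format by default.
    """
    # Builds a fresh navigator context (local, not the module-level `nav`)
    # and prints its generated reports using the module-level `config`.
    # Never returns normally: exits 0 on success, 1 on failure.
    ecode = 0
    try:
        nav = init_nav_contexts()
        result = nav.generate_reports()
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)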
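def report():
    """
    Show analysis report of the specified image(s).

    The analysis report includes information on:

    \b
    Image Id - The image id (as a hash)
    Type - The type of image (--imagetype option used when anchore analyze was run)
    CurrentTags - The current set of repo tags on the image
    AllTags - The set of all repo tags that have been on the image during analysis passes
    GateStatus - The overall aggregate gate output status: GO|STOP|WARN
    Size - The size in bytes of the image on disk
    Counts - The counts for various attributes of the images such as packages, files, and suid files
    BaseDiffs - Differences of this image from its base image

    Report outputs these entries in a table format by default.
    """
    # Builds a fresh navigator context (local, not the module-level `nav`)
    # and prints its generated reports using the module-level `config`.
    # Never returns normally: exits 0 on success, 1 on failure.
    ecode = 0
    try:
        nav = init_nav_contexts()
        result = nav.generate_reports()
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)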
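def show_layers():
    """Show image layer IDs"""
    # Uses the module-level `nav` navigator and `config`; exits 1 when
    # there is no navigator. Never returns normally: 0 on success, 1 on failure.
    if not nav:
        sys.exit(1)

    ecode = 0
    try:
        result = nav.get_layers()
        if result:
            anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate;
        # the error text replaces the previously commented-out traceback dump
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)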
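def show_analyzer_status():
    """Show analyzer status for specified image"""
    # Looks up the first image in the module-level `imagelist` from the shared
    # contexts and prints one row per analyzer recorded in its manifest
    # (name, status, type, last execution time, exit code, checksum).
    # Never returns normally: exits 0 on success, 1 on failure.
    ecode = 0
    try:
        image = contexts['anchore_allimages'][imagelist[0]]
        image_id = image.meta['imageId']
        analyzer_status = contexts['anchore_db'].load_analyzer_manifest(image_id)

        rows = []
        result = {
            image_id: {
                'result': {
                    'header': ['Analyzer', 'Status', '*Type', 'LastExec', 'Exitcode', 'Checksum'],
                    'rows': rows,
                }
            }
        }
        for script, adata in analyzer_status.items():
            try:
                nicetime = datetime.datetime.fromtimestamp(
                    adata['timestamp']).strftime('%Y-%m-%d %H:%M:%S')
                rows.append([
                    script.split('/')[-1],
                    adata['status'],
                    adata['atype'],
                    nicetime,
                    str(adata['returncode']),
                    adata['csum'],
                ])
            except Exception:
                # best-effort listing: a manifest entry missing a field (the
                # timestamp included) is skipped rather than failing the command
                continue

        anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)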
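def show_analyzer_status():
    """Show analyzer status for specified image"""
    # Looks up the first image in the module-level `imagelist` from the shared
    # contexts and prints one row per analyzer recorded in its manifest
    # (name, status, type, last execution time, exit code, checksum).
    # Never returns normally: exits 0 on success, 1 on failure.
    ecode = 0
    try:
        image = contexts['anchore_allimages'][imagelist[0]]
        image_id = image.meta['imageId']
        analyzer_status = contexts['anchore_db'].load_analyzer_manifest(image_id)

        rows = []
        result = {
            image_id: {
                'result': {
                    'header': ['Analyzer', 'Status', '*Type', 'LastExec', 'Exitcode', 'Checksum'],
                    'rows': rows,
                }
            }
        }
        for script, adata in analyzer_status.items():
            try:
                nicetime = datetime.datetime.fromtimestamp(
                    adata['timestamp']).strftime('%Y-%m-%d %H:%M:%S')
                rows.append([
                    script.split('/')[-1],
                    adata['status'],
                    adata['atype'],
                    nicetime,
                    str(adata['returncode']),
                    adata['csum'],
                ])
            except Exception:
                # best-effort listing: a manifest entry missing a field (the
                # timestamp included) is skipped rather than failing the command
                continue

        anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)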
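def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, rmpolicy, listpolicy, updatepolicy, policy, show_gatehelp, show_policytemplate, whitelist):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """
    # anchore_config: CLI configuration object.
    # force: forwarded to the Controller.
    # image / imagefile / include_allanchore: image selection, see build_image_list.
    # editpolicy / whitelist / rmpolicy / updatepolicy / listpolicy: policy
    #   management modes, mutually exclusive with --policy.
    # policy: policy file to evaluate instead of the stored per-image policy.
    # show_gatehelp / show_policytemplate: informational modes needing no images.
    # Never returns normally: exits 1 on error, 0 for informational modes, otherwise
    # the highest gate action code from Controller.result_get_highest_action.
    ecode = 0

    # special option, does not need any image inputs
    if show_gatehelp:
        try:
            gate_info = anchore_utils.discover_gates()
            anchore_print(gate_info, do_formatting=True)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    if show_policytemplate:
        try:
            gate_info = anchore_utils.discover_gates()
            # one "gate:trigger:<STOP|WARN|GO>:param=<a,b,c> ..." line per trigger
            lines = []
            for gate_name, triggers in gate_info.items():
                for trigger_name, tinfo in triggers.items():
                    params = []
                    raw_params = tinfo.get('params')
                    if raw_params and raw_params.lower() != 'none':
                        params = [p + "=<a,b,c>" for p in raw_params.split(',')]
                    lines.append(':'.join([gate_name, trigger_name, "<STOP|WARN|GO>", ' '.join(params)]))
            outstr = "\n" + "".join(line + "\n" for line in lines)
            anchore_print(outstr, do_formatting=False)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    # the rest require some form of image(s) be given as input
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    if policy and (editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy):
        raise click.BadOptionUsage('Cannot use other policy options when --policy <file> is specified.')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile), include_allanchore)
        # resolve selectors to canonical ids; any failure aborts with exit 1
        imagelist = anchore_utils.discover_imageIds(list(imagedict.keys()))
    except Exception as err:
        anchore_print_err("could not load any images: " + str(err))
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config,
                                    imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'],
                                    force=force)
    except Exception as err:
        anchore_print_err("gate operation failed: " + str(err))
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if not con.rmpolicy():
                ecode = 1
            else:
                anchore_print("policies successfully removed.", do_formatting=True)
        elif updatepolicy:
            if not con.updatepolicy(updatepolicy):
                ecode = 1
            else:
                anchore_print("policies successfully updated.", do_formatting=True)
        elif listpolicy:
            result = con.listpolicy()
            if not result:
                ecode = 1
            else:
                try:
                    # flatten each image's policy to "gate:trigger:action[:params]" strings
                    record = {}
                    for imageId, pol in result.items():
                        record[imageId] = []
                        for gate_name, triggers in pol.items():
                            for trigger, tdata in triggers.items():
                                parts = [gate_name, trigger, str(tdata['action'])]
                                if str(tdata['params']):
                                    parts.append(str(tdata['params']))
                                record[imageId].append(":".join(parts))
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates(policy=policy)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    # NOTE(review): read from flattened source as nested under
                    # `if result:` — confirm
                    ecode = con.result_get_highest_action(result)
            except Exception as err:
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)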
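def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, whitelist):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """
    # anchore_config: CLI configuration object.
    # force: forwarded to the Controller.
    # image / imagefile / include_allanchore: image selection, see build_image_list.
    # editpolicy / whitelist: interactive edit modes; otherwise the gates run.
    # Never returns normally: exits 1 on error, otherwise the highest gate
    # action code from Controller.result_get_highest_action (0 when nothing ran).
    ecode = 0

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile), include_allanchore)
        # this version of discover_imageIds takes the config and returns a
        # mapping whose keys are the resolved image ids; any failure
        # (including ValueError) aborts with exit 1
        resolved = anchore_utils.discover_imageIds(anchore_config, list(imagedict.keys()))
        imagelist = list(resolved.keys())
    except Exception as err:
        anchore_print_err("could not load any images: " + str(err))
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config,
                                    imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'],
                                    force=force)
    except Exception as err:
        anchore_print_err("gate operation failed: " + str(err))
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates()
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    # NOTE(review): read from flattened source as nested under
                    # `if result:` — confirm
                    ecode = con.result_get_highest_action(result)
            except Exception as err:
                # the error detail is folded into the message instead of a
                # separate Python 2 print statement
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)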
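def images(no_trunc):
    """List every image in the anchore DB as a table.

    Columns: repository, tag, image id, distro/version, last analyzer run,
    size in MiB.  `no_trunc` selects the full image id over the short id.
    Never returns normally: exits 0 on success, 1 on failure.
    """
    ecode = 0
    import datetime

    try:
        anchoreDB = contexts['anchore_db']
        header = ["Repository", "Tag", "Image ID", "Distro", "Last Analyzed", "Size"]
        rows = []
        result = {"multi": {'result': {'header': header, 'rows': rows}}}

        for image in anchoreDB.load_all_images_iter():
            imageId, imagedata = image[0], image[1]
            meta = imagedata['meta']
            name = meta['humanname']
            size = meta['sizebytes']
            printId = imageId if no_trunc else meta['shortId']

            # greedy first group: the LAST ':' separates repo from tag, so
            # registry:port/repo:tag splits as intended
            patt = re.match("(.*):(.*)", name)
            if patt:
                repo, tag = patt.group(1), patt.group(2)
            else:
                repo = tag = "<none>"

            distrometa = anchore_utils.get_distro_from_imageId(imageId)
            distro = distrometa['DISTRO'] + "/" + distrometa['DISTROVERS']

            # newest analyzer timestamp across the manifest; 0 means never analyzed
            amanifest = anchoreDB.load_analyzer_manifest(imageId)
            latest = 0
            if amanifest:
                latest = max([0] + [a['timestamp'] for a in amanifest.values()])
            if latest:
                timestr = datetime.datetime.fromtimestamp(int(latest)).strftime('%m-%d-%Y %H:%M:%S')
            else:
                timestr = "Not Analyzed"

            sizestr = str(round(float(size) / 1024.0 / 1024.0, 2)) + "M"
            rows.append([repo, tag, printId, distro, timestr, sizestr])

        anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    sys.exit(ecode)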
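def images(no_trunc):
    """List every image in the anchore DB as a table.

    Columns: repository, tag, image id, distro/version, last analyzer run,
    size in MiB.  `no_trunc` selects the full image id over the short id.
    Never returns normally: exits 0 on success, 1 on failure.
    """
    ecode = 0
    import datetime

    try:
        anchoreDB = contexts['anchore_db']
        header = ["Repository", "Tag", "Image ID", "Distro", "Last Analyzed", "Size"]
        rows = []
        result = {"multi": {'result': {'header': header, 'rows': rows}}}

        for image in anchoreDB.load_all_images_iter():
            imageId, imagedata = image[0], image[1]
            meta = imagedata['meta']
            name = meta['humanname']
            size = meta['sizebytes']
            printId = imageId if no_trunc else meta['shortId']

            # greedy first group: the LAST ':' separates repo from tag, so
            # registry:port/repo:tag splits as intended
            patt = re.match("(.*):(.*)", name)
            if patt:
                repo, tag = patt.group(1), patt.group(2)
            else:
                repo = tag = "<none>"

            distrometa = anchore_utils.get_distro_from_imageId(imageId)
            distro = distrometa['DISTRO'] + "/" + distrometa['DISTROVERS']

            # newest analyzer timestamp across the manifest; 0 means never analyzed
            amanifest = anchoreDB.load_analyzer_manifest(imageId)
            latest = 0
            if amanifest:
                latest = max([0] + [a['timestamp'] for a in amanifest.values()])
            if latest:
                timestr = datetime.datetime.fromtimestamp(int(latest)).strftime('%m-%d-%Y %H:%M:%S')
            else:
                timestr = "Not Analyzed"

            sizestr = str(round(float(size) / 1024.0 / 1024.0, 2)) + "M"
            rows.append([repo, tag, printId, distro, timestr, sizestr])

        anchore_utils.print_result(config, result)
    except Exception as err:
        # not a bare except: SystemExit / KeyboardInterrupt must propagate
        anchore_print_err("operation failed: " + str(err))
        ecode = 1

    sys.exit(ecode)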
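def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, rmpolicy, listpolicy, updatepolicy, policy, run_bundle, bundlefile, usetag, resultsonly, show_gatehelp, show_policytemplate, whitelist, global_whitelist, show_triggerids, show_whitelisted):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """
    # anchore_config: CLI configuration object (cliargs['json'] selects JSON output).
    # force: forwarded to the Controller.
    # image / imagefile / include_allanchore: image selection, see build_image_list.
    # editpolicy / whitelist / rmpolicy / updatepolicy / listpolicy: policy
    #   management modes, mutually exclusive with --policy and --run_bundle.
    # policy: policy file to evaluate; run_bundle / bundlefile / usetag /
    #   resultsonly: evaluate a synced policy bundle instead of local policies.
    # global_whitelist / show_triggerids / show_whitelisted: run_gates options.
    # show_gatehelp / show_policytemplate: informational modes needing no images.
    # Never returns normally: exits 1 on error, 0 for informational modes, otherwise
    # the highest action code (from the Controller or from run_bundle).
    import json

    ecode = 0

    # special option, does not need any image inputs
    if show_gatehelp:
        try:
            gate_info = anchore_utils.discover_gates()
            anchore_print(gate_info, do_formatting=True)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    if show_policytemplate:
        try:
            gate_info = anchore_utils.discover_gates()
            # one "gate:trigger:<STOP|WARN|GO>:param=<a,b,c> ..." line per trigger
            lines = []
            for gate_name, triggers in gate_info.items():
                for trigger_name, tinfo in triggers.items():
                    params = []
                    raw_params = tinfo.get('params')
                    if raw_params and raw_params.lower() != 'none':
                        params = [p + "=<a,b,c>" for p in raw_params.split(',')]
                    lines.append(':'.join([gate_name, trigger_name, "<STOP|WARN|GO>", ' '.join(params)]))
            outstr = "\n" + "".join(line + "\n" for line in lines)
            anchore_print(outstr, do_formatting=False)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    # the rest require some form of image(s) be given as input
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    policy_edit_mode = editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy
    if policy and policy_edit_mode:
        raise click.BadOptionUsage('Cannot use other policy options when --policy <file> is specified.')
    if policy and run_bundle:
        raise click.BadOptionUsage('Cannot use both --policy and --run_bundle at the same time.')
    if run_bundle and policy_edit_mode:
        raise click.BadOptionUsage('Cannot use other policy options when --run_bundle is specified.')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile), include_allanchore)
        # run_bundle matches on the selectors as typed (tags), so keep them
        # before resolving to canonical ids for the Controller
        inputimagelist = list(imagedict.keys())
        imagelist = anchore_utils.discover_imageIds(inputimagelist)
    except Exception as err:
        anchore_print_err("could not load any images: " + str(err))
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config,
                                    imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'],
                                    force=force)
    except Exception as err:
        anchore_print_err("gate operation failed: " + str(err))
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if not con.rmpolicy():
                ecode = 1
            else:
                anchore_print("policies successfully removed.", do_formatting=True)
        elif updatepolicy:
            if not con.updatepolicy(updatepolicy):
                ecode = 1
            else:
                anchore_print("policies successfully updated.", do_formatting=True)
        elif listpolicy:
            result = con.listpolicy()
            if not result:
                ecode = 1
            else:
                try:
                    # flatten each image's policy to "gate:trigger:action[:params]" strings
                    record = {}
                    for imageId, pol in result.items():
                        record[imageId] = []
                        for gate_name, triggers in pol.items():
                            for trigger, tdata in triggers.items():
                                parts = [gate_name, trigger, str(tdata['action'])]
                                if str(tdata['params']):
                                    parts.append(str(tdata['params']))
                                record[imageId].append(":".join(parts))
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        elif run_bundle:
            try:
                if not anchore_policy.check():
                    anchore_print_err("run-bundle specified, but it appears as though no policy bundles have been synced yet: run 'anchore policybundle sync' to get your latest bundles from anchore.io")
                    ecode = 1
                else:
                    bundle = anchore_policy.load_policymeta(policymetafile=bundlefile)
                    if not bundle:
                        raise Exception("could not load stored bundle - run 'anchore policybundle sync' and try again")
                    bundleId = bundle['id']
                    # run_bundle reports its own exit code for the whole batch
                    result, ecode = anchore_policy.run_bundle(anchore_config=anchore_config,
                                                              imagelist=inputimagelist,
                                                              matchtag=usetag,
                                                              bundle=bundle)
                    if not resultsonly:
                        if anchore_config.cliargs['json']:
                            anchore_print(json.dumps(result))
                        else:
                            # loop variable renamed so it no longer shadows the `image` option
                            for image_result in result.values():
                                for gate_result in image_result['evaluations']:
                                    _logger.info("BundleId=%s Policy=%s Whitelists=%s",
                                                 bundleId, gate_result['policy_name'],
                                                 gate_result['whitelist_names'])
                                    anchore_utils.print_result(anchore_config, gate_result['results'])
                    else:
                        # merge every evaluation into one table
                        final_result = {}
                        for image_result in result.values():
                            for gate_result in image_result['evaluations']:
                                final_result.update(gate_result['results'])
                        anchore_utils.print_result(anchore_config, final_result)
            except Exception as err:
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates(policy=policy,
                                       global_whitelist=global_whitelist,
                                       show_triggerIds=show_triggerids,
                                       show_whitelisted=show_whitelisted)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    # NOTE(review): read from flattened source as nested under
                    # `if result:` — confirm
                    ecode = con.result_get_highest_action(result)
            except Exception as err:
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)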
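def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, rmpolicy, listpolicy, updatepolicy, policy, run_bundle, bundlefile, usetag, resultsonly, show_gatehelp, show_policytemplate, whitelist, global_whitelist, show_triggerids, show_whitelisted):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """
    # anchore_config: CLI configuration object (cliargs['json'] selects JSON output).
    # force: forwarded to the Controller.
    # image / imagefile / include_allanchore: image selection, see build_image_list.
    # editpolicy / whitelist / rmpolicy / updatepolicy / listpolicy: policy
    #   management modes, mutually exclusive with --policy and --run_bundle.
    # policy: policy file to evaluate; run_bundle / bundlefile / usetag /
    #   resultsonly: evaluate a synced policy bundle, one image at a time.
    # global_whitelist / show_triggerids / show_whitelisted: evaluation options.
    # show_gatehelp / show_policytemplate: informational modes needing no images.
    # Never returns normally: exits 1 on error, 0 for informational modes, otherwise
    # the highest action code (from the Controller or merged across bundle runs).
    ecode = 0

    # special option, does not need any image inputs
    if show_gatehelp:
        try:
            gate_info = anchore_utils.discover_gates()
            anchore_print(gate_info, do_formatting=True)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    if show_policytemplate:
        try:
            gate_info = anchore_utils.discover_gates()
            # one "gate:trigger:<STOP|WARN|GO>:param=<a,b,c> ..." line per trigger
            lines = []
            for gate_name, triggers in gate_info.items():
                for trigger_name, tinfo in triggers.items():
                    params = []
                    raw_params = tinfo.get('params')
                    if raw_params and raw_params.lower() != 'none':
                        params = [p + "=<a,b,c>" for p in raw_params.split(',')]
                    lines.append(':'.join([gate_name, trigger_name, "<STOP|WARN|GO>", ' '.join(params)]))
            outstr = "\n" + "".join(line + "\n" for line in lines)
            anchore_print(outstr, do_formatting=False)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    # the rest require some form of image(s) be given as input
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    policy_edit_mode = editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy
    if policy and policy_edit_mode:
        raise click.BadOptionUsage('Cannot use other policy options when --policy <file> is specified.')
    if policy and run_bundle:
        raise click.BadOptionUsage('Cannot use both --policy and --run_bundle at the same time.')
    if run_bundle and policy_edit_mode:
        raise click.BadOptionUsage('Cannot use other policy options when --run_bundle is specified.')
    if run_bundle and usetag and resultsonly:
        raise click.BadOptionUsage('Cannot use --resultsonly if --usetag is specified.')
    if run_bundle and usetag and not image:
        raise click.BadOptionUsage('Cannot specify --usetag unless gating a single image (using --image)')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile), include_allanchore)
        # run_bundle matches on the selectors as typed (tags), so keep them
        # before resolving to canonical ids for the Controller
        inputimagelist = list(imagedict.keys())
        imagelist = anchore_utils.discover_imageIds(inputimagelist)
    except Exception as err:
        anchore_print_err("could not load any images: " + str(err))
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config,
                                    imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'],
                                    force=force)
    except Exception as err:
        anchore_print_err("gate operation failed: " + str(err))
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if not con.rmpolicy():
                ecode = 1
            else:
                anchore_print("policies successfully removed.", do_formatting=True)
        elif updatepolicy:
            if not con.updatepolicy(updatepolicy):
                ecode = 1
            else:
                anchore_print("policies successfully updated.", do_formatting=True)
        elif listpolicy:
            result = con.listpolicy()
            if not result:
                ecode = 1
            else:
                try:
                    # flatten each image's policy to "gate:trigger:action[:params]" strings
                    record = {}
                    for imageId, pol in result.items():
                        record[imageId] = []
                        for gate_name, triggers in pol.items():
                            for trigger, tdata in triggers.items():
                                parts = [gate_name, trigger, str(tdata['action'])]
                                if str(tdata['params']):
                                    parts.append(str(tdata['params']))
                                record[imageId].append(":".join(parts))
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        elif run_bundle:
            try:
                if not anchore_policy.check():
                    anchore_print_err("run-bundle specified, but it appears as though no policy bundles have been synced yet: run 'anchore policybundle sync' to get your latest bundles from anchore.io")
                    ecode = 1
                else:
                    bundle = anchore_policy.load_policymeta(policymetafile=bundlefile)
                    if not bundle:
                        raise Exception("could not load stored bundle - run 'anchore policybundle sync' and try again")
                    bundleId = bundle['id']
                    if not inputimagelist:
                        # explicit instead of the former IndexError on inputimagelist[0];
                        # still reported as "failed to run gates" with exit 1
                        raise Exception("no input images to gate")

                    allresults = {}
                    for inputimage in inputimagelist:
                        result, image_ecode = anchore_policy.run_bundle(anchore_config=anchore_config,
                                                                        image=inputimage,
                                                                        matchtags=usetag,
                                                                        bundle=bundle,
                                                                        show_whitelisted=show_whitelisted,
                                                                        show_triggerIds=show_triggerids)
                        allresults.update(result)
                        # precedence kept as before: a hard failure (1) from any
                        # image wins; otherwise the first non-zero action code sticks
                        if image_ecode == 1:
                            ecode = 1
                        elif ecode == 0 and image_ecode > ecode:
                            ecode = image_ecode

                    if not resultsonly:
                        if anchore_config.cliargs['json']:
                            anchore_print(json.dumps(allresults))
                        else:
                            # loop variable renamed so it no longer shadows the `image` option
                            for image_name, image_result in allresults.items():
                                for gate_result in image_result['evaluations']:
                                    _logger.info("Image=%s BundleId=%s Policy=%s Whitelists=%s",
                                                 image_name, bundleId, gate_result['policy_name'],
                                                 gate_result['whitelist_names'])
                                    anchore_utils.print_result(anchore_config, gate_result['results'])
                    else:
                        # merge every evaluation into one table
                        final_result = {}
                        for image_result in allresults.values():
                            for gate_result in image_result['evaluations']:
                                final_result.update(gate_result['results'])
                        anchore_utils.print_result(anchore_config, final_result)
            except Exception as err:
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates(policy=policy,
                                       global_whitelist=global_whitelist,
                                       show_triggerIds=show_triggerids,
                                       show_whitelisted=show_whitelisted)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    # NOTE(review): read from flattened source as nested under
                    # `if result:` — confirm
                    ecode = con.result_get_highest_action(result)
            except Exception as err:
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)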