def test_ecr_scan(image, ecr_client):
"""
Run ECR Scan Tool on an image being tested, and raise Error if vulnerabilities found
1. Start Scan.
2. For 5 minutes (Run DescribeImages):
(We run this for 5 minutes because the Scan is expected to complete in about 2 minutes, though no
analysis has been performed on exactly how long the Scan takes for a DLC image. Therefore we also
have a 3 minute buffer beyond the expected amount of time taken.)
3.1. If imageScanStatus == COMPLETE: exit loop
3.2. If imageScanStatus == IN_PROGRESS or AttributeNotFound(imageScanStatus): continue loop
3.3. If imageScanStatus == FAILED: raise RuntimeError
4. If DescribeImages.imageScanStatus != COMPLETE: raise TimeOutError
5. assert imageScanFindingsSummary.findingSeverityCounts.HIGH/CRITICAL == 0
:param image: str Image URI for image to be tested
:param ecr_client: boto3 Client for ECR
"""
scan_status = None
start_time = time()
ecr_utils.start_ecr_image_scan(ecr_client, image)
while (time() - start_time) <= 600:
scan_status, scan_status_description = ecr_utils.get_ecr_image_scan_status(ecr_client, image)
if scan_status == "FAILED" or scan_status not in [None, "IN_PROGRESS", "COMPLETE"]:
raise RuntimeError(scan_status_description)
if scan_status == "COMPLETE":
break
sleep(1)
if scan_status != "COMPLETE":
raise TimeoutError(f"ECR Scan is still in {scan_status} state. Exiting.")
severity_counts = ecr_utils.get_ecr_image_scan_severity_count(ecr_client, image)
assert not (
severity_counts.get("HIGH", 0) or severity_counts.get("CRITICAL", 0)
), f"Found vulnerabilities in image {image}: {str(severity_counts)}"
def run_scan(ecr_client, image):
scan_status = None
start_time = time()
ecr_utils.start_ecr_image_scan(ecr_client, image)
while (time() - start_time) <= 600:
scan_status, scan_status_description = ecr_utils.get_ecr_image_scan_status(ecr_client, image)
if scan_status == "FAILED" or scan_status not in [None, "IN_PROGRESS", "COMPLETE"]:
raise ECRScanFailureException(f"ECR Scan failed for {image} with description: {scan_status_description}")
if scan_status == "COMPLETE":
break
sleep(1)
if scan_status != "COMPLETE":
raise TimeoutError(f"ECR Scan is still in {scan_status} state. Exiting.")
def test_ecr_scan(image, ecr_client, sts_client, region):
"""
Run ECR Scan Tool on an image being tested, and raise Error if vulnerabilities found
1. Start Scan.
2. For 5 minutes (Run DescribeImages):
(We run this for 5 minutes because the Scan is expected to complete in about 2 minutes, though no
analysis has been performed on exactly how long the Scan takes for a DLC image. Therefore we also
have a 3 minute buffer beyond the expected amount of time taken.)
3.1. If imageScanStatus == COMPLETE: exit loop
3.2. If imageScanStatus == IN_PROGRESS or AttributeNotFound(imageScanStatus): continue loop
3.3. If imageScanStatus == FAILED: raise RuntimeError
4. If DescribeImages.imageScanStatus != COMPLETE: raise TimeOutError
5. assert imageScanFindingsSummary.findingSeverityCounts.HIGH/CRITICAL == 0
:param image: str Image URI for image to be tested
:param ecr_client: boto3 Client for ECR
:param sts_client: boto3 Client for STS
:param region: str Name of region where test is executed
"""
test_account_id = sts_client.get_caller_identity().get("Account")
image_account_id = get_account_id_from_image_uri(image)
if image_account_id != test_account_id:
image = _reupload_image_to_test_ecr(image, ecr_client, region,
test_account_id)
minimum_sev_threshold = "HIGH"
scan_status = None
start_time = time()
ecr_utils.start_ecr_image_scan(ecr_client, image)
while (time() - start_time) <= 600:
scan_status, scan_status_description = ecr_utils.get_ecr_image_scan_status(
ecr_client, image)
if scan_status == "FAILED" or scan_status not in [
None, "IN_PROGRESS", "COMPLETE"
]:
raise RuntimeError(scan_status_description)
if scan_status == "COMPLETE":
break
sleep(1)
if scan_status != "COMPLETE":
raise TimeoutError(
f"ECR Scan is still in {scan_status} state. Exiting.")
severity_counts = ecr_utils.get_ecr_image_scan_severity_count(
ecr_client, image)
scan_results = ecr_utils.get_ecr_image_scan_results(
ecr_client, image, minimum_vulnerability=minimum_sev_threshold)
assert all(
count == 0 for sev, count in severity_counts.items()
if CVESeverity[sev] >= CVESeverity[minimum_sev_threshold]), (
f"Found vulnerabilities in image {image}: {str(severity_counts)}\n"
f"Vulnerabilities: {json.dumps(scan_results, indent=4)}")