def save_image_new(self, imageId, report=None): # setup dir structure self.make_image_structure(imageId) if not report: report = load_image_new(imageId) # store the reports self.save_image_report(imageId, report['image_report']) self.save_analysis_report(imageId, report['analysis_report']) self.save_analyzer_manifest(imageId, report['analyzer_manifest']) self.save_gates_report(imageId, report['gates_report']) self.save_gates_eval_report(imageId, report['gates_eval_report']) # populate the analyzer_outputs for module_name in report['analysis_report'].keys(): for module_value in report['analysis_report'][module_name].keys(): for module_type in ['base', 'extra', 'user']: if module_type in report['analysis_report'][module_name][ module_value]: adata = report['analysis_report'][module_name][ module_value][module_type] if adata: self.save_analysis_output(imageId, module_name, module_value, adata, module_type=module_type) # populate gates outputs for gname in report['gates_report'].keys(): self.save_gate_output(imageId, gname, report['gates_report'][gname]) # populate image metadata thedir = os.path.join(self.imagerootdir, imageId, "image_output", "image_info") if not os.path.exists(thedir): os.makedirs(thedir) thefile = os.path.join(thedir, "image.meta") anchore_utils.write_kvfile_fromdict(thefile, report['image_report']['meta']) thefile = os.path.join(thedir, "Dockerfile") anchore_utils.write_plainfile_fromstr( thefile, report['image_report']['dockerfile_contents']) return (True)
def execute_gates(imageId, policies, refresh=True): import random success = True anchore_config = contexts['anchore_config'] imagename = imageId gatesdir = '/'.join([anchore_config["scripts_dir"], "gates"]) workingdir = '/'.join([anchore_config['anchore_data_dir'], 'querytmp']) outputdir = workingdir _logger.info(imageId + ": evaluating policies...") for d in [outputdir, workingdir]: if not os.path.exists(d): os.makedirs(d) imgfile = '/'.join( [workingdir, "queryimages." + str(random.randint(0, 99999999))]) anchore_utils.write_plainfile_fromstr(imgfile, imageId) try: gmanifest, failedgates = anchore_utils.generate_gates_manifest() if failedgates: _logger.error( "some gates failed to run - check the gate(s) modules for errors: " + str(','.join(failedgates))) success = False else: success = True for gatecheck in policies.keys(): # get all commands that match the gatecheck gcommands = [] for gkey in gmanifest.keys(): if gmanifest[gkey]['gatename'] == gatecheck: gcommands.append(gkey) # assemble the params from the input policy for this gatecheck params = [] for trigger in policies[gatecheck].keys(): if 'params' in policies[gatecheck][trigger] and policies[ gatecheck][trigger]['params']: params.append(policies[gatecheck][trigger]['params']) if not params: params = ['all'] if gcommands: for command in gcommands: cmd = [command] + [ imgfile, anchore_config['image_data_store'], outputdir ] + params _logger.debug("running gate command: " + str(' '.join(cmd))) (rc, sout, cmdstring) = anchore_utils.run_command(cmd) if rc: _logger.error("FAILED") _logger.error("\tCMD: " + str(cmdstring)) _logger.error("\tEXITCODE: " + str(rc)) _logger.error("\tOUTPUT: " + str(sout)) success = False else: _logger.debug("") _logger.debug("\tCMD: " + str(cmdstring)) _logger.debug("\tEXITCODE: " + str(rc)) _logger.debug("\tOUTPUT: " + str(sout)) _logger.debug("") else: _logger.warn( "WARNING: gatecheck (" + str(gatecheck) + ") line in policy, but no gates were found that match this gatecheck" ) except Exception as err: _logger.error("gate evaluation failed - exception: " + str(err)) finally: if imgfile and os.path.exists(imgfile): try: os.remove(imgfile) except: _logger.error("could not remove tempfile: " + str(imgfile)) if success: report = generate_gates_report(imageId) contexts['anchore_db'].save_gates_report(imageId, report) _logger.info(imageId + ": evaluated.") return (success)
def execute_gates(self, image, refresh=True): self._logger.debug("gate policy evaluation for image " + str(image.meta['imagename']) + ": begin") success = True imagename = image.meta['imageId'] gatesdir = '/'.join([self.config["scripts_dir"], "gates"]) workingdir = '/'.join([self.config['anchore_data_dir'], 'querytmp']) outputdir = workingdir self._logger.info(image.meta['shortId'] + ": evaluating policies ...") for d in [outputdir, workingdir]: if not os.path.exists(d): os.makedirs(d) imgfile = '/'.join( [workingdir, "queryimages." + str(random.randint(0, 99999999))]) anchore_utils.write_plainfile_fromstr(imgfile, image.meta['imageId']) if self.policy_override: #policy_data = anchore_utils.read_plainfile_tolist(self.policy_override) try: policy = anchore_policy.read_policy(name='default', file=self.policy_override) policy_data = policy['default'] except Exception as err: policy_data = [] policies = anchore_policy.structure_policy(policy_data) else: policies = self.get_image_policies(image) try: gmanifest, failedgates = anchore_utils.generate_gates_manifest() if failedgates: self._logger.error( "some gates failed to run - check the gate(s) modules for errors: " + str(','.join(failedgates))) success = False else: success = True for gatecheck in policies.keys(): # get all commands that match the gatecheck gcommands = [] for gkey in gmanifest.keys(): if gmanifest[gkey]['gatename'] == gatecheck: gcommands.append(gkey) # assemble the params from the input policy for this gatecheck params = [] for trigger in policies[gatecheck].keys(): if 'params' in policies[gatecheck][ trigger] and policies[gatecheck][trigger][ 'params']: params.append( policies[gatecheck][trigger]['params']) if not params: params = ['all'] if gcommands: for command in gcommands: cmd = [command] + [ imgfile, self.config['image_data_store'], outputdir ] + params self._logger.debug("running gate command: " + str(' '.join(cmd))) (rc, sout, cmdstring) = anchore_utils.run_command(cmd) if rc: self._logger.error("FAILED") self._logger.error("\tCMD: " + str(cmdstring)) self._logger.error("\tEXITCODE: " + str(rc)) self._logger.error("\tOUTPUT: " + str(sout)) success = False else: self._logger.debug("") self._logger.debug("\tCMD: " + str(cmdstring)) self._logger.debug("\tEXITCODE: " + str(rc)) self._logger.debug("\tOUTPUT: " + str(sout)) self._logger.debug("") else: self._logger.warn( "WARNING: gatecheck (" + str(gatecheck) + ") line in policy, but no gates were found that match this gatecheck" ) except Exception as err: self._logger.error("gate evaluation failed - exception: " + str(err)) finally: if imgfile and os.path.exists(imgfile): try: os.remove(imgfile) except: self._logger.error("could not remove tempfile: " + str(imgfile)) if success: report = self.generate_gates_report(image) self.anchoreDB.save_gates_report(image.meta['imageId'], report) self._logger.info(image.meta['shortId'] + ": evaluated.") self._logger.debug("gate policy evaluation for image " + str(image.meta['imagename']) + ": end") return (success)
def execute_gates(imageId, policies, refresh=True): import random success = True anchore_config = contexts['anchore_config'] imagename = imageId gatesdir = '/'.join([anchore_config["scripts_dir"], "gates"]) workingdir = '/'.join([anchore_config['anchore_data_dir'], 'querytmp']) outputdir = workingdir _logger.info(imageId + ": evaluating policies...") for d in [outputdir, workingdir]: if not os.path.exists(d): os.makedirs(d) imgfile = '/'.join([workingdir, "queryimages." + str(random.randint(0, 99999999))]) anchore_utils.write_plainfile_fromstr(imgfile, imageId) try: gmanifest, failedgates = anchore_utils.generate_gates_manifest() if failedgates: _logger.error("some gates failed to run - check the gate(s) modules for errors: " + str(','.join(failedgates))) success = False else: success = True for gatecheck in policies.keys(): # get all commands that match the gatecheck gcommands = [] for gkey in gmanifest.keys(): if gmanifest[gkey]['gatename'] == gatecheck: gcommands.append(gkey) # assemble the params from the input policy for this gatecheck params = [] for trigger in policies[gatecheck].keys(): if 'params' in policies[gatecheck][trigger] and policies[gatecheck][trigger]['params']: params.append(policies[gatecheck][trigger]['params']) if not params: params = ['all'] if gcommands: for command in gcommands: cmd = [command] + [imgfile, anchore_config['image_data_store'], outputdir] + params _logger.debug("running gate command: " + str(' '.join(cmd))) (rc, sout, cmdstring) = anchore_utils.run_command(cmd) if rc: _logger.error("FAILED") _logger.error("\tCMD: " + str(cmdstring)) _logger.error("\tEXITCODE: " + str(rc)) _logger.error("\tOUTPUT: " + str(sout)) success = False else: _logger.debug("") _logger.debug("\tCMD: " + str(cmdstring)) _logger.debug("\tEXITCODE: " + str(rc)) _logger.debug("\tOUTPUT: " + str(sout)) _logger.debug("") else: _logger.warn("WARNING: gatecheck ("+str(gatecheck)+") line in policy, but no gates were found that match this gatecheck") except Exception as err: _logger.error("gate evaluation failed - exception: " + str(err)) finally: if imgfile and os.path.exists(imgfile): try: os.remove(imgfile) except: _logger.error("could not remove tempfile: " + str(imgfile)) if success: report = generate_gates_report(imageId) contexts['anchore_db'].save_gates_report(imageId, report) _logger.info(imageId + ": evaluated.") return(success)