def test_analyze_manifest_list(self):
list_image_manifest_url = self.reg_url + \
'org/image-name/manifests/sha256:d0fec089e611891a03f3282f10115bb186ed46093c3f083eceb250cee64b63eb'
with open('tests/test_data/manifest.list.v2.json') as f:
list_manifest = json.load(f)
with open('tests/test_data/manifest.list.v2-image.json') as f:
list_image_manifest = json.load(f)
with open('tests/test_data/origin_vulnerabilities_list.json') as f:
list_origin_data = json.load(f)
responses.add(responses.GET, '%s/%s?features&vulnerabilities' %
(self.v1_analyze_url, list_origin_data['Layer']['Name']),
json=list_origin_data)
responses.replace(responses.GET, self.manifest_url,
json=list_manifest, status=200)
responses.add(responses.GET, list_image_manifest_url,
json=list_image_manifest, status=200)
layers = [e['digest'] for e in list_image_manifest['layers']]
responses.add(responses.DELETE, '%s/%s' %
(self.v1_analyze_url, layers[0]))
for layer in layers:
responses.add(responses.GET, '%s/%s' %
(self.v1_analyze_url, layer))
with patch('sys.argv', ['claircli', '-d', '-c',
self.clair_url, self.name]):
cli = ClairCli()
cli.run()
image = Image(self.name)
self.assert_called_with_url()
for index, layer in enumerate(image.images[0].layers, start=5):
self.assertEqual(
responses.calls[index].request.url, self.v1_analyze_url)
req_body = json.loads(responses.calls[index].request.body)
self.assertEqual(req_body['Layer']['Name'], layer)
self.html = Report.get_report_path('{}/{}@{}'.format(self.reg, self.repo, image.manifest['manifests'][0]['digest']), '.html')
self.assertTrue(isfile(self.html))
def test_analyze_images_in_secure_registry(self):
reg_url = 'https://%s/v2/' % self.reg
token = 'just-some-auth-token-which-is-really-long'
auth = 'Basic %s' % token
headers = {'WWW-Authenticate': auth}
manifest_url = reg_url + 'org/image-name/manifests/version'
responses.reset()
responses.add(responses.GET,
manifest_url,
json=self.manifest,
status=200,
headers=headers)
self.layers = [e['digest'] for e in self.manifest['layers']]
responses.add(responses.DELETE,
'%s/%s' % (self.v1_analyze_url, self.layers[0]))
responses.add(responses.POST, self.v1_analyze_url)
responses.add(responses.GET,
'%s/%s?features&vulnerabilities' %
(self.v1_analyze_url, self.layers[-1]),
json=self.origin_data)
with patch(
'sys.argv',
[
'claircli',
'-c',
self.clair_url,
'-k',
self.reg + ':' + token,
# Include a check for ignored arguments
'-k',
'1234',
'-k',
'ab:',
'-k',
':',
self.name
]):
cli = ClairCli()
cli.run()
for index, url in enumerate([
manifest_url,
]):
self.assertEqual(responses.calls[index].request.url, url)
for index, layer in enumerate(self.layers, start=2):
self.assertEqual(responses.calls[index].request.url,
self.v1_analyze_url)
req_body = json.loads(responses.calls[index].request.body)
self.assertEqual(req_body['Layer']['Name'], layer)
self.assertTrue(isfile(self.html))
self.assertEqual(0, len(RemoteRegistry.insec_regs))
self.assertIn(self.reg, RemoteRegistry.tokens)
self.assertIn('', RemoteRegistry.tokens[self.reg])
self.assertEqual(auth, RemoteRegistry.tokens[self.reg][''])
self.assertIn(self.repo, RemoteRegistry.tokens[self.reg])
self.assertEqual(auth, RemoteRegistry.tokens[self.reg][self.repo])
def test_batch_analyze_remote_images(self):
with patch('sys.argv', ['claircli.py', 'batch-analyze', '-c', self.clair_url, self.name]):
cli = ClairCli()
cli.run()
self.assert_called_with_url()
for index, layer in enumerate(self.layers, start=4):
self.assertEqual(
responses.calls[index].request.url, self.v1_analyze_url)
req_body = json.loads(responses.calls[index].request.body)
self.assertEqual(req_body['Layer']['Name'], layer)
self.assertTrue(isfile(self.html))
def test_analyze_images_in_insecure_registry(self):
reg_url = 'http://%s/v2/' % self.reg
token_url = reg_url + 'token'
auth = 'Bearer realm="%s",service="%s"' % (token_url, self.reg)
headers = {'WWW-Authenticate': auth}
params = {
'service': self.reg,
'client_id': 'claircli',
'scope': 'repository:%s:pull' % self.repo
}
token_url = token_url + '?' + urlencode(params)
manifest_url = reg_url + 'org/image-name/manifests/version'
responses.reset()
responses.add(responses.GET,
reg_url,
json={'message': 'authentication required'},
status=401,
headers=headers)
responses.add(responses.GET,
token_url,
json={'token': 'test-token'},
status=200)
responses.add(responses.GET,
manifest_url,
json=self.manifest,
status=200)
self.layers = [e['digest'] for e in self.manifest['layers']]
responses.add(responses.DELETE,
'%s/%s' % (self.v1_analyze_url, self.layers[0]))
responses.add(responses.POST, self.v1_analyze_url)
responses.add(responses.GET,
'%s/%s?features&vulnerabilities' %
(self.v1_analyze_url, self.layers[-1]),
json=self.origin_data)
with patch(
'sys.argv',
['claircli', '-c', self.clair_url, '-i', self.reg, self.name]):
cli = ClairCli()
cli.run()
for index, url in enumerate([reg_url, token_url, manifest_url]):
self.assertEqual(responses.calls[index].request.url, url)
for index, layer in enumerate(self.layers, start=4):
self.assertEqual(responses.calls[index].request.url,
self.v1_analyze_url)
req_body = json.loads(responses.calls[index].request.body)
self.assertEqual(req_body['Layer']['Name'], layer)
self.assertTrue(isfile(self.html))
self.assertIn(self.reg, RemoteRegistry.insec_regs)
def test_batch_analyze_local_images(self, mock_docker):
mock_docker_client(mock_docker)
with open('tests/test_data/manifest.json') as file_:
manifest = json.load(file_)
layers = [e.replace('/layer.tar', '') for e in manifest[0]['Layers']]
responses.add(responses.DELETE, '%s/%s' % (self.v1_analyze_url, layers[0]))
responses.add(responses.GET, '%s/%s?features&vulnerabilities' %
(self.v1_analyze_url, layers[-1]), json=self.origin_data)
with patch('sys.argv', ['claircli.py', 'batch-analyze', '-l', 'localhost', '-c', self.clair_url, self.name]):
cli = ClairCli()
cli.run()
for index, layer in enumerate(layers, start=1):
self.assertEqual(
responses.calls[index].request.url, self.v1_analyze_url)
req_body = json.loads(responses.calls[index].request.body)
self.assertEqual(req_body['Layer']['Name'], layer)
self.assertTrue(isfile(self.html))
def test_read_white_list(self):
white_list = ClairCli.read_white_list('tests/test_data/example-whitelist.yaml')
# self.assertEqual(white_list.get('common'), {'CVE-2017-6055': 'XML', 'CVE-2017-5586': 'OpenText'})
self.assertEqual(white_list.get('alpine'), {'CVE-2017-6055': 'XML', 'CVE-2017-5586': 'OpenText', 'CVE-2017-3261': 'SE'})
self.assertEqual(white_list.get('ubuntu'), {'CVE-2017-6055': 'XML', 'CVE-2017-5586': 'OpenText', 'CVE-2017-5230': 'XSX'})