def image():
    """Return an Image whose package lookup is served by the module's mock.

    ``image_id``, ``user`` and ``mock_get_packages_by_type`` come from the
    enclosing module and are not visible in this excerpt.
    """
    stub = Image(id=image_id, user_id=user)
    # The override is set on this one instance only; the Image class itself
    # is left untouched, so other tests keep the real lookup.
    stub.get_packages_by_type = mock_get_packages_by_type
    return stub
def image(monkeypatch):
    """Return an Image carrying the module-level id, digest and user id.

    ``Image.analysis_artifacts`` is replaced on the class with a
    ``MockAnalysisArtifacts`` instance before the object is built.
    """
    # raising=True: assuming this is pytest's monkeypatch, the patch fails
    # loudly if Image has no analysis_artifacts attribute rather than
    # silently creating one.
    artifacts_stub = MockAnalysisArtifacts()
    monkeypatch.setattr(Image, "analysis_artifacts", artifacts_stub, raising=True)

    instance = Image()
    instance.id = image_id
    instance.digest = digest
    instance.user_id = user
    return instance
def _create_image(artifact_key):
    """Build an Image whose analysis artifacts are mocked for *artifact_key*.

    ``monkeypatch`` is not a parameter here; it is taken from the enclosing
    scope, which lies outside this excerpt.
    """
    # The patch targets the Image class, so it applies to every Image
    # created until the patch is undone, not only the one returned here.
    keyed_artifacts = MockAnalysisArtifacts(artifact_key)
    monkeypatch.setattr(Image, "analysis_artifacts", keyed_artifacts, raising=True)

    created = Image()
    created.id = image_id
    created.digest = digest
    created.user_id = user
    return created
def image(monkeypatch):
    """Return an Image built from the module-level id and user id.

    ``Image.analysis_artifacts`` is swapped for a ``MockAnalysisArtifacts``
    instance on the class before construction.
    """
    artifacts_stub = MockAnalysisArtifacts()
    # Class-level patch with raising=True, so a renamed or removed attribute
    # is reported instead of being masked by the mock.
    monkeypatch.setattr(Image, "analysis_artifacts", artifacts_stub, raising=True)
    built = Image(id=image_id, user_id=user)
    return built
def _create_image(dockerfile_mode="actual"):
    """Build an Image with Dockerfile contents and the given Dockerfile mode.

    Args:
        dockerfile_mode: value stored on ``Image.dockerfile_mode``; defaults
            to ``"actual"``.

    ``image_id``, ``user`` and ``dockerfile_contents`` are module-level names
    not visible in this excerpt.
    """
    built = Image()
    built.id = image_id
    built.user_id = user
    # Contents are fixed by the module; only the mode varies per call.
    built.dockerfile_contents = dockerfile_contents
    built.dockerfile_mode = dockerfile_mode
    return built
def image(monkeypatch):
    """Return an Image whose filesystem analysis lists two fake secret files.

    ``Image.analysis_artifacts`` is mocked on the class, and the file listing
    is serialised to JSON, compressed and attached as a
    ``FilesystemAnalysis``.
    """
    monkeypatch.setattr(Image, "analysis_artifacts", MockAnalysisArtifacts(), raising=True)

    # mode 33188 == 0o100644: a regular file, consistent with entry_type
    # "file" and permissions "0o644".
    private_key_entry = {
        "fullpath": "/fake_private_key",
        "name": "/fake_private_key",
        "mode": 33188,
        "permissions": "0o644",
        "linkdst_fullpath": None,
        "linkdst": None,
        "size": 22,
        "entry_type": "file",
        "is_packaged": False,
        "md5_checksum": "f1779b586f2fda64f084fa4cda2749f4",
        "sha256_checksum": "9e6be7f96d6c88338eecb2396e4e7c27d3387fe45e5aa740614e1e292ce65aa7",
        "sha1_checksum": "9fada773ed59c05a2c5352e8eee8afa0fda3483e",
        "othernames": [],
        "suid": None,
    }
    api_key_entry = {
        "fullpath": "/fake_api_key",
        "name": "/fake_api_key",
        "mode": 33188,
        "permissions": "0o644",
        "linkdst_fullpath": None,
        "linkdst": None,
        "size": 32,
        "entry_type": "file",
        "is_packaged": False,
        "md5_checksum": "8e67b4af0e9b6598c901f06a74835632",
        "sha256_checksum": "77db45a31c74cf01bb130ab4bc4869d2d03b576c48977f96ae81d4e4912f334b",
        "sha1_checksum": "9d819cb21d51d3720fc74e0ee2d8242c7e5bdcf2",
        "othernames": [],
        "suid": None,
    }
    # Insertion order is kept so the serialised JSON matches entry for entry.
    listing = {
        "/fake_private_key": private_key_entry,
        "/fake_api_key": api_key_entry,
    }

    serialised = json.dumps(listing).encode()
    # NOTE(review): zlib.compress() emits a zlib stream, yet the record is
    # labelled "gzip" -- presumably the model decodes "gzip" with zlib;
    # confirm against FilesystemAnalysis before relying on the label.
    fs_analysis = FilesystemAnalysis(
        compressed_file_json=zlib.compress(serialised),
        compression_algorithm="gzip",
    )
    return Image(id=image_id, user_id=user, fs=fs_analysis)
def image():
    """Return an Image describing a Debian 10 based nginx image.

    The id comes from the module-level ``image_id``; every other field is a
    literal defined here.
    """
    # RepoTags names the mutable ":latest" tag, while RepoDigests pins the
    # same repository to a content digest.
    docker_metadata = {
        "Architecture": "amd64",
        "RepoDigests": [
            "docker.io/library/nginx@sha256:34f3f875e745861ff8a37552ed7eb4b673544d2c56c7cc58f9a9bec5b4b3530e"
        ],
        "RepoTags": ["docker.io/library/nginx:latest"],
    }
    layer_digests = [
        "sha256:bb79b6b2107fea8e8a47133a660b78e3a546998fcf0427be39ac9a0af4a97e90",
        "sha256:5a9f1c0027a73bc0e66a469f90e47a59e23ab3472126ed28e6a4e7b1a98d1eb5",
        "sha256:b5c20b2b484f5ca9bc9d98dc79f8f1381ee0c063111ea0ddf42d1ae5ea942d50",
        "sha256:166a2418f7e86fa48d87bf6807b4e5b35f078acb2ad1cbf10444a7025913c24f",
        "sha256:1966ea362d2394e7c5c508ebf3695f039dd3825bd1e7a07449ae530aea3c4cd1",
    ]
    return Image(
        id=image_id,
        user_id="user",
        size=141455360,
        distro_name="debian",
        distro_version="10",
        like_distro="debian",
        docker_data_json=docker_metadata,
        layers_json=layer_digests,
    )
def alpine_image():
    """Return an analyzed, otherwise empty Alpine 3.10 Image.

    Package, gem, npm, CPE and artifact collections are all empty, so any
    finding reported against this image has to come from data a test adds.
    """
    alpine = Image()

    # Distro identity and image identifiers.
    alpine.distro_name = "alpine"
    alpine.distro_version = "3.10"
    alpine.id = "abc123abc123"
    alpine.analysis_artifacts = []
    alpine.digest = "sha256:abc123abc123"

    # NOTE(review): utcnow() returns a naive datetime and is deprecated from
    # Python 3.12; kept as-is because callers may compare against naive values.
    alpine.created_at = datetime.datetime.utcnow()
    alpine.last_modified = alpine.created_at

    # Docker metadata; the Dockerfile is recorded as "guessed" with no text.
    alpine.cpes = []
    alpine.docker_data_json = {}
    alpine.dockerfile_contents = ""
    alpine.dockerfile_mode = "guessed"
    alpine.docker_history_json = []

    # No content of any package type.
    alpine.packages = []
    alpine.gems = []
    alpine.npms = []

    alpine.state = "analyzed"
    # size is assigned as a string here, not an int.
    alpine.size = "1000"
    alpine.user_id = "admin"
    return alpine
def image(monkeypatch):
    """Return an Image with a six-entry filesystem listing.

    The listing mixes directories, symlinks and regular files, including two
    fake secret files. ``Image.analysis_artifacts`` is mocked on the class.
    """
    artifacts_stub = MockAnalysisArtifacts()
    monkeypatch.setattr(Image, "analysis_artifacts", artifacts_stub, raising=True)

    listing = {
        # mode 16877 == 0o40755: directory.
        "/bin": {
            "fullpath": "/bin",
            "name": "/bin",
            "mode": 16877,
            "permissions": "0o755",
            "linkdst_fullpath": None,
            "linkdst": None,
            "size": 0,
            "entry_type": "dir",
            "is_packaged": True,
            "md5_checksum": "79f65df590b25155a587461aeb79eeb1",
            "sha256_checksum": "a4a080992560315f59b75c62e458181c00fe5c3b962f5b2b64297badbfbc12c7",
            "sha1_checksum": "a523ce63d9556ba950ebb81609faf00de04dd1a7",
            "othernames": [],
            "suid": None,
        },
        # mode 41471 == 0o120777: symlink pointing at /bin/busybox.
        "/bin/arch": {
            "fullpath": "/bin/arch",
            "name": "/bin/arch",
            "mode": 41471,
            "permissions": "0o777",
            "linkdst_fullpath": "/bin/busybox",
            "linkdst": "/bin/busybox",
            "size": 12,
            "entry_type": "slink",
            "is_packaged": False,
            "md5_checksum": "87ac152a3e02d3a6a84d129422611f85",
            "sha256_checksum": "480bddf71ef05659c5405f65f139e49b99122175f0163d281d471f0a368aad7c",
            "sha1_checksum": "8d05b5d4a9ea76ec570b17e1f77ccd65a55937d9",
            "othernames": [],
            "suid": None,
        },
        # mode 3072 == 0o6000: only the setuid and setgid bits are set, while
        # "suid" stays None -- presumably exercising a suid/sgid check; confirm.
        "/usr/bin/test": {
            "fullpath": "/usr/bin/test",
            "name": "/usr/bin/test",
            "mode": 3072,
            "permissions": "0o777",
            "linkdst_fullpath": "/bin/busybox",
            "linkdst": "/bin/busybox",
            "size": 12,
            "entry_type": "slink",
            "is_packaged": False,
            "md5_checksum": "DIRECTORY_OR_OTHER",
            "sha256_checksum": "DIRECTORY_OR_OTHER",
            "sha1_checksum": "DIRECTORY_OR_OTHER",
            "othernames": [],
            "suid": None,
        },
        # Same 0o6000 mode, this time on a directory entry.
        "/usr/share/apk/keys": {
            "fullpath": "/usr/share/apk/keys",
            "name": "/usr/share/apk/keys",
            "mode": 3072,
            "permissions": "0o755",
            "linkdst_fullpath": None,
            "linkdst": None,
            "size": 0,
            "entry_type": "dir",
            "is_packaged": True,
            "md5_checksum": "DIRECTORY_OR_OTHER",
            "sha256_checksum": "DIRECTORY_OR_OTHER",
            "sha1_checksum": "DIRECTORY_OR_OTHER",
            "othernames": [],
            "suid": None,
        },
        # NOTE(review): the key is "/fake_private_key" but fullpath and name
        # say "/fake_aws_key" -- confirm whether the mismatch is deliberate.
        "/fake_private_key": {
            "fullpath": "/fake_aws_key",
            "name": "/fake_aws_key",
            "mode": 33188,
            "permissions": "0o644",
            "linkdst_fullpath": None,
            "linkdst": None,
            "size": 22,
            "entry_type": "file",
            "is_packaged": False,
            "md5_checksum": "f1779b586f2fda64f084fa4cda2749f4",
            "sha256_checksum": "9e6be7f96d6c88338eecb2396e4e7c27d3387fe45e5aa740614e1e292ce65aa7",
            "sha1_checksum": "9fada773ed59c05a2c5352e8eee8afa0fda3483e",
            "othernames": [],
            "suid": None,
        },
        # mode 33188 == 0o100644: regular file.
        "/fake_api_key": {
            "fullpath": "/fake_api_key",
            "name": "/fake_api_key",
            "mode": 33188,
            "permissions": "0o644",
            "linkdst_fullpath": None,
            "linkdst": None,
            "size": 32,
            "entry_type": "file",
            "is_packaged": False,
            "md5_checksum": "8e67b4af0e9b6598c901f06a74835632",
            "sha256_checksum": "77db45a31c74cf01bb130ab4bc4869d2d03b576c48977f96ae81d4e4912f334b",
            "sha1_checksum": "9d819cb21d51d3720fc74e0ee2d8242c7e5bdcf2",
            "othernames": [],
            "suid": None,
        },
    }

    payload = json.dumps(listing).encode()
    # NOTE(review): the payload is a zlib stream although the algorithm is
    # recorded as "gzip" -- confirm how FilesystemAnalysis interprets it.
    fs_analysis = FilesystemAnalysis(
        compressed_file_json=zlib.compress(payload),
        compression_algorithm="gzip",
    )
    return Image(id="image_id", user_id="user", fs=fs_analysis)
def image(packages):
    """Return an Image with fixed id and user id holding *packages*.

    Args:
        packages: value passed through unchanged as ``Image.packages``.
    """
    built = Image(id="image_id", user_id="user", packages=packages)
    return built
def test_tag_mapping(self):
    """Check tag-based mapping rules against an image evaluated under a tag.

    Each case pairs a rule from ``matcher_for_tag`` with the tag string
    handed to ``PolicyMappingRule.matches`` and the expected boolean.
    A mapping rule presumably selects the policy an image is evaluated
    under, so both false matches and misses matter -- confirm with callers.
    """
    # All cases evaluate the same image identity; only rule and tag vary.
    same_image = {"id": "0", "digest": "sha256:123abc"}
    cases = [
        # Unconstrained rule, concrete tag.
        {**same_image, "rule": matcher_for_tag(), "tag": "docker.io/nginx:latest", "match": True},
        # Unconstrained rule, wildcard tag (no tag supplied for evaluation).
        {**same_image, "rule": matcher_for_tag(), "tag": "*/*:*", "match": True},
        # Rule requires a tag but the evaluation tag is the wildcard.
        {**same_image, "rule": matcher_for_tag(tag="latest"), "tag": "*/*:*", "match": False},
        # Registry mismatch.
        {
            **same_image,
            "rule": matcher_for_tag(registry="gcr.io"),
            "tag": "docker.io/nginx:latest",
            "match": False,
        },
        # Repository mismatch.
        {
            **same_image,
            "rule": matcher_for_tag(repository="mysql"),
            "tag": "docker.io/nginx:latest",
            "match": False,
        },
        # Registry and repository agree, tag does not.
        {
            **same_image,
            "rule": matcher_for_tag(registry="docker.io", repository="mysql", tag="latest"),
            "tag": "docker.io/mysql:alpine",
            "match": False,
        },
        # Wildcard inside the tag component.
        {
            **same_image,
            "rule": matcher_for_tag(tag="*-dev"),
            "tag": "docker.io/nginx:1.8-dev",
            "match": True,
        },
        # Registry constrained only.
        {
            **same_image,
            "rule": matcher_for_tag(registry="docker.io"),
            "tag": "docker.io/nginx:latest",
            "match": True,
        },
        # Registry and repository constrained.
        {
            **same_image,
            "rule": matcher_for_tag(registry="docker.io", repository="nginx"),
            "tag": "docker.io/nginx:latest",
            "match": True,
        },
        # The matcher does not expand "nginx" to "library/nginx": names must
        # be normalised upstream, otherwise a rule written for library/nginx
        # misses an image referenced as docker.io/nginx.
        {
            **same_image,
            "rule": matcher_for_tag(registry="docker.io", repository="library/nginx"),
            "tag": "docker.io/nginx:latest",
            "match": False,
        },
        # Exact match on all three components.
        {
            **same_image,
            "rule": matcher_for_tag(registry="docker.io", repository="library/nginx", tag="latest"),
            "tag": "docker.io/library/nginx:latest",
            "match": True,
        },
    ]

    for case in cases:
        mapping_rule = PolicyMappingRule(case["rule"])
        candidate = Image()
        candidate.id = case["id"]
        candidate.digest = case["digest"]
        outcome = mapping_rule.matches(candidate, tag=case["tag"])
        failure_note = "Failed on: {} with tag {}".format(case["rule"], case["tag"])
        self.assertEqual(case["match"], outcome, failure_note)
def test_id_mapping(self):
    """Check id-based mapping rules built by ``matcher_for_id``.

    Each case gives the rule, the tag passed to ``matches``, the id and
    digest set on the image, and the expected boolean result.
    """
    cases = [
        # Rule constrains the id only.
        {
            "rule": matcher_for_id(id="0"),
            "tag": "docker.io/nginx:latest",
            "id": "0",
            "digest": "sha256:123abc",
            "match": True,
        },
        # Id agrees but the registry does not.
        {
            "rule": matcher_for_id(registry="gcr.io", id="0"),
            "tag": "docker.io/nginx:latest",
            "id": "0",
            "digest": "sha256:123abc",
            "match": False,
        },
        # Id agrees but the repository does not.
        {
            "rule": matcher_for_id(repository="mysql", id="0"),
            "tag": "docker.io/nginx:latest",
            "id": "0",
            "digest": "sha256:123abc",
            "match": False,
        },
        # No tag supplied, so the wildcard default is used; a repository
        # constraint still has to fail against it.
        {
            "rule": matcher_for_id(repository="mysql", id="0"),
            "tag": "*/*:*",
            "id": "0",
            "digest": "sha256:123abc",
            "match": False,
        },
        # Rule id differs from the image id.
        {
            "rule": matcher_for_id(id="1"),
            "tag": "docker.io/nginx:latest",
            "id": "0",
            "digest": "sha256:123abd",
            "match": False,
        },
        # Repository mismatch again, with a different image digest.
        {
            "rule": matcher_for_id(repository="mysql", id="0"),
            "tag": "docker.io/nginx:latest",
            "id": "0",
            "digest": "sha256:123abd",
            "match": False,
        },
        # Wildcard tag with a matching id.
        {
            "rule": matcher_for_id(id="0"),
            "tag": "*/*:*",
            "id": "0",
            "digest": "sha256:123abc",
            "match": True,
        },
        # Wildcard tag with a non-matching id. The original label said
        # "digest match", but the rule shown constrains the id.
        {
            "rule": matcher_for_id(id="1"),
            "tag": "*/*:*",
            "id": "0",
            "digest": "sha256:123abc",
            "match": False,
        },
    ]

    for case in cases:
        mapping_rule = PolicyMappingRule(case["rule"])
        candidate = Image()
        candidate.id = case["id"]
        candidate.digest = case["digest"]
        outcome = mapping_rule.matches(candidate, tag=case["tag"])
        failure_note = "Failed on: {} with id {}".format(case["rule"], case["id"])
        self.assertEqual(case["match"], outcome, failure_note)
def get_vulnerabilities(self, image: Image) -> typing.List[ImagePackageVulnerability]:
    """Return the vulnerability matches reported by the image itself.

    Args:
        image: the Image to query.

    Returns:
        Whatever ``image.vulnerabilities()`` yields; nothing is filtered,
        de-duplicated or re-ranked here.
    """
    return image.vulnerabilities()
def test_tag_mapping(self):
    """Check tag-based mapping rules against an image evaluated under a tag.

    Every scenario uses the same image id and digest; the rule and the tag
    passed to ``PolicyMappingRule.matches`` vary.
    """
    def scenario(rule, tag, match):
        # Fills in the image identity shared by all scenarios.
        return {'rule': rule, 'id': '0', 'digest': 'sha256:123abc', 'tag': tag, 'match': match}

    scenarios = [
        # Unconstrained rule, concrete tag.
        scenario(matcher_for_tag(), 'docker.io/nginx:latest', True),
        # Unconstrained rule, wildcard tag (none provided for evaluation).
        scenario(matcher_for_tag(), '*/*:*', True),
        # Rule requires a tag but only the wildcard is available.
        scenario(matcher_for_tag(tag='latest'), '*/*:*', False),
        # Registry mismatch.
        scenario(matcher_for_tag(registry='gcr.io'), 'docker.io/nginx:latest', False),
        # Repository mismatch.
        scenario(matcher_for_tag(repository='mysql'), 'docker.io/nginx:latest', False),
        # Tag mismatch with registry and repository agreeing.
        scenario(
            matcher_for_tag(registry='docker.io', repository='mysql', tag='latest'),
            'docker.io/mysql:alpine',
            False,
        ),
        # Wildcard inside the tag component.
        scenario(matcher_for_tag(tag='*-dev'), 'docker.io/nginx:1.8-dev', True),
        # Registry constrained only.
        scenario(matcher_for_tag(registry='docker.io'), 'docker.io/nginx:latest', True),
        # Registry and repository constrained.
        scenario(
            matcher_for_tag(registry='docker.io', repository='nginx'),
            'docker.io/nginx:latest',
            True,
        ),
        # "nginx" is not expanded to "library/nginx" by the matcher, so name
        # normalisation has to happen before matching.
        scenario(
            matcher_for_tag(registry='docker.io', repository='library/nginx'),
            'docker.io/nginx:latest',
            False,
        ),
        # Exact match on registry, repository and tag.
        scenario(
            matcher_for_tag(registry='docker.io', repository='library/nginx', tag='latest'),
            'docker.io/library/nginx:latest',
            True,
        ),
    ]

    for item in scenarios:
        mapping_rule = PolicyMappingRule(item['rule'])
        candidate = Image()
        candidate.id = item['id']
        candidate.digest = item['digest']
        outcome = mapping_rule.matches(candidate, tag=item['tag'])
        self.assertEqual(
            item['match'],
            outcome,
            'Failed on: {} with tag {}'.format(item['rule'], item['tag']),
        )
def test_id_mapping(self):
    """Check id-based mapping rules built by ``matcher_for_id``.

    Each scenario lists the rule, the tag given to ``matches``, the id and
    digest assigned to the image, and the expected boolean result.
    """
    def scenario(rule, tag, digest, match):
        # The image id is '0' in every scenario; only the rule id varies.
        return {'rule': rule, 'tag': tag, 'id': '0', 'digest': digest, 'match': match}

    scenarios = [
        # Rule constrains the id only.
        scenario(matcher_for_id(id='0'), 'docker.io/nginx:latest', 'sha256:123abc', True),
        # Registry mismatch with a matching id.
        scenario(
            matcher_for_id(registry='gcr.io', id='0'),
            'docker.io/nginx:latest',
            'sha256:123abc',
            False,
        ),
        # Repository mismatch with a matching id.
        scenario(
            matcher_for_id(repository='mysql', id='0'),
            'docker.io/nginx:latest',
            'sha256:123abc',
            False,
        ),
        # No tag provided, so the default wildcard is evaluated.
        scenario(matcher_for_id(repository='mysql', id='0'), '*/*:*', 'sha256:123abc', False),
        # Rule id differs from the image id.
        scenario(matcher_for_id(id='1'), 'docker.io/nginx:latest', 'sha256:123abd', False),
        # Repository mismatch, different image digest.
        scenario(
            matcher_for_id(repository='mysql', id='0'),
            'docker.io/nginx:latest',
            'sha256:123abd',
            False,
        ),
        # Wildcard tag with a matching id.
        scenario(matcher_for_id(id='0'), '*/*:*', 'sha256:123abc', True),
        # Wildcard tag with a non-matching id. The original label said
        # "digest match", but the rule shown constrains the id.
        scenario(matcher_for_id(id='1'), '*/*:*', 'sha256:123abc', False),
    ]

    for item in scenarios:
        mapping_rule = PolicyMappingRule(item['rule'])
        candidate = Image()
        candidate.id = item['id']
        candidate.digest = item['digest']
        outcome = mapping_rule.matches(candidate, tag=item['tag'])
        self.assertEqual(
            item['match'],
            outcome,
            'Failed on: {} with id {}'.format(item['rule'], item['id']),
        )
def image():
    """Return a minimal Image carrying only the module-level id and user id."""
    minimal = Image(id=image_id, user_id=user)
    return minimal