def _scan(self, chroot, target, scan_args):
        '''
        Run an offline oscap scan against the chroot of a container or image.

        The target's name and configuration are resolved through
        self._get_target_name_and_config(); chroot, self.oscap_binary and
        scan_args are handed to oscap_chroot() unchanged, and its result is
        returned as-is.
        '''
        target_name, target_conf = self._get_target_name_and_config(target)

        # "Env" may be absent or present-but-None; both collapse to [].
        # NOTE(review): this list comes from the scanned target's own
        # configuration, so its contents are chosen by whoever built the
        # image. How oscap_chroot() applies it is not visible here -- confirm.
        env = target_conf.get("Env", []) or []

        return oscap_chroot(chroot, self.oscap_binary, scan_args,
                            target_name, env)
    def _scan_cve(self, chroot, target, dist, scan_args):
        '''
        Evaluate the CVE OVAL definitions for dist against a chroot.

        The definition file name is built from getInputCVE.dist_cve_name and
        looked up under self.cve_input_dir. The oscap command line is
        "oval eval", followed by the caller's scan_args, followed by that
        file path. Returns whatever oscap_chroot() returns.
        '''
        cve_file_name = getInputCVE.dist_cve_name.format(dist)
        cve_file_path = os.path.join(self.cve_input_dir, cve_file_name)

        # Caller-supplied options sit between the subcommand and the input.
        oscap_args = ("oval", "eval") + tuple(scan_args) + (cve_file_path, )

        target_name, target_conf = self._get_target_name_and_config(target)
        # "Env" may be absent or present-but-None; both collapse to [].
        env = target_conf.get("Env", []) or []

        return oscap_chroot(chroot, self.oscap_binary, oscap_args,
                            target_name, env)
    def scan(self, scan_args):
        '''
        Forward scan_args to oscap for an offline scan of this target.

        The scan runs against /proc/<self.pid>/root. oscap's stdout is
        printed to stdout and its stderr to stderr, self._end() is called,
        and the oscap return code is returned.
        '''
        chroot_path = "/proc/{0}/root".format(self.pid)
        target_name = self.image_name or self.container_name
        # "Env" can exist in the config but be None, hence the "or []".
        env = self.config["Config"].get("Env", []) or []

        result = oscap_chroot(chroot_path, self.oscap_binary, scan_args,
                              target_name, env)

        # Keep the two streams separate so callers can redirect them.
        print(result.stdout)
        print(result.stderr, file=sys.stderr)

        # NOTE(review): _end() is only reached when oscap_chroot() returns
        # normally; what it tears down is not visible here -- confirm whether
        # it should also run when the scan raises.
        self._end()

        return result.returncode
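    def scan_cve(self, scan_args):
        '''
        Scan a mounted container or image for known CVEs.

        Detects the distribution inside self.mountpoint with get_dist(),
        downloads the matching CVE definitions into a temporary directory,
        and runs "oscap oval eval <scan_args> <cve_file>" against the
        mountpoint. oscap's stdout/stderr are echoed to the matching streams.

        Returns the oscap return code, or None (after writing a message to
        stderr) when get_dist() reports no supported distribution.

        The temporary directory is removed on every exit path, including the
        early return and any exception raised while fetching or scanning.
        '''
        # "Env" can exist in the config but be None, hence the "or []".
        # NOTE(review): this list comes from the scanned target's own
        # configuration, so its contents are chosen by whoever built the
        # image. How get_dist()/oscap_chroot() apply it is not visible here.
        env = self.config["Config"].get("Env", []) or []
        target_name = self.image_name or self.container_name

        # mkdtemp() creates a directory accessible only to the creating user,
        # so the downloaded definitions cannot be replaced by another local
        # account between the download and the scan.
        tmp_dir = tempfile.mkdtemp()
        try:
            # Figure out which RHEL dist is in the chroot
            dist = get_dist(self.mountpoint, self.oscap_binary, env)

            if dist is None:
                sys.stderr.write("{0} is not based on RHEL\n".format(
                    target_name))
                # NOTE(review): self._end() is not called on this path, same
                # as before this change; confirm whether teardown is needed.
                return None

            # Fetch the CVE input data for the dist
            # NOTE(review): transport and integrity checking of the download
            # live in getInputCVE, which is not visible here -- confirm the
            # feed is retrieved over an authenticated channel.
            fetch = getInputCVE(tmp_dir)
            cve_file = fetch._fetch_single(dist)

            print("CVEs downloaded in " + cve_file)

            # Caller-supplied options sit between the subcommand and the input.
            args = ("oval", "eval") + tuple(scan_args) + (cve_file, )

            scan_result = oscap_chroot(
                self.mountpoint,
                self.oscap_binary,
                args,
                target_name,
                env
            )

            print(scan_result.stdout)
            print(scan_result.stderr, file=sys.stderr)

            print("Cleaning temporary files ...")
        finally:
            # Previously skipped on the "not based on RHEL" return and on any
            # exception, which left one stray temp directory per failed run.
            shutil.rmtree(tmp_dir)

        self._end()

        return scan_result.returncode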