Пример #1
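def filter_and_display_upload_results(
    upload_results: typing.Sequence[UploadResult],
    cve_threshold=7,
    ignore_if_triaged=True,
) -> typing.Iterable[typing.Tuple[UploadResult, int]]:
    '''
    Classify Protecode upload results by their greatest CVE severity and print a report.

    The greatest severity of an upload result starts at -1 and is raised to the maximum
    value `highest_major_cve_severity` returns over all of its components. Vulnerabilities
    flagged as historical are never considered; when `ignore_if_triaged` is set (the
    default), vulnerabilities that carry a triage are skipped as well. The reported severity
    therefore reflects only current, untriaged findings - an incorrect triage removes a
    finding from this report.

    Upload results whose analysis lists no components at all cannot be assessed; they are
    printed under a warning instead of being classified.

    Args:
        upload_results: upload results whose `.result` is the Protecode analysis result.
        cve_threshold: results with a greatest severity greater than or equal to this
            value are reported as critical (the comparison is inclusive).
        ignore_if_triaged: whether triaged vulnerabilities are excluded from the severity.

    Returns:
        The `(upload_result, greatest_cve)` pairs at or above `cve_threshold`.
    '''
    # we only require the analysis_results for now

    def greatest_cve_severity(components) -> int:
        # maximum severity over all components; -1 before any component contributed
        greatest_cve = -1
        for component in components:
            vulnerabilities = (
                v for v in component.vulnerabilities() if not v.historical()
            )
            if ignore_if_triaged:
                vulnerabilities = (v for v in vulnerabilities if not v.has_triage())
            greatest_cve = max(
                greatest_cve,
                highest_major_cve_severity(vulnerabilities),
            )
        return greatest_cve

    def render_results_table(
        entries: typing.Sequence[typing.Tuple[UploadResult, int]],
    ):
        # one row per result, ascending by severity so the worst offenders end the table
        header = ('Component Name', 'Greatest CVE')
        rows = [
            (upload_result.result.display_name(), greatest_cve)
            for upload_result, greatest_cve in sorted(entries, key=lambda e: e[1])
        ]
        print(tabulate.tabulate(rows, headers=header, tablefmt='fancy_grid'))

    results_without_components = []
    results_below_cve_thresh = []
    results_above_cve_thresh = []

    for upload_result in upload_results:
        components = upload_result.result.components()
        if not components:
            results_without_components.append(upload_result)
            continue

        greatest_cve = greatest_cve_severity(components)
        if greatest_cve >= cve_threshold:
            results_above_cve_thresh.append((upload_result, greatest_cve))
        else:
            results_below_cve_thresh.append((upload_result, greatest_cve))

    if results_without_components:
        warning(
            f'Protecode did not identify components for {len(results_without_components)}:\n'
        )
        for upload_result in results_without_components:
            print(upload_result.result.display_name())
        print('')

    if results_below_cve_thresh:
        info(
            f'The following components were below configured cve threshold {cve_threshold}'
        )
        render_results_table(entries=results_below_cve_thresh)
        print('')

    if results_above_cve_thresh:
        warning('The following components have critical vulnerabilities:')
        render_results_table(entries=results_above_cve_thresh)

    return results_above_cve_thresh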
Пример #2
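def filter_and_display_upload_results(
    upload_results: typing.Sequence[UploadResult],
    cvss_version: CVSSVersion,
    cve_threshold=7,
    ignore_if_triaged=True,
) -> typing.Iterable[typing.Tuple[UploadResult, int]]:
    '''
    Classify Protecode upload results by their greatest CVE severity and print a report.

    The greatest severity of an entry starts at -1 and is raised to the maximum value
    `highest_major_cve_severity` (evaluated for `cvss_version`) returns over all of its
    components. Vulnerabilities flagged as historical are never considered; when
    `ignore_if_triaged` is set (the default), vulnerabilities that carry a triage are
    skipped as well, so an incorrect triage removes a finding from this report.

    Entries at or above `cve_threshold` are additionally looked up in gcr's vulnerability
    scan for their container image. That lookup is informational only: its result is
    logged and does not change the classification made here (see the TODO below).

    Entries may be `UploadResult` wrappers or bare analysis results; both are unwrapped
    consistently. Entries whose analysis lists no components cannot be assessed and are
    printed under a warning instead of being classified.

    Args:
        upload_results: `UploadResult`s (or bare analysis results) to classify.
        cvss_version: CVSS version passed to `highest_major_cve_severity`.
        cve_threshold: severities greater than or equal to this value are reported as
            critical (the comparison is inclusive); also used as the gcr lookup threshold.
        ignore_if_triaged: whether triaged vulnerabilities are excluded from the severity.

    Returns:
        The `(entry, greatest_cve)` pairs at or above `cve_threshold`.
    '''
    # we only require the analysis_results for now

    def to_result(upload_result):
        # entries may be bare analysis results; unwrap in one place so that every
        # access (classification, no-components listing, table) handles both shapes
        if isinstance(upload_result, UploadResult):
            return upload_result.result
        return upload_result

    def greatest_cve_severity(components) -> int:
        # maximum severity over all components; -1 before any component contributed
        greatest_cve = -1
        for component in components:
            vulnerabilities = (
                v for v in component.vulnerabilities() if not v.historical()
            )
            if ignore_if_triaged:
                vulnerabilities = (v for v in vulnerabilities if not v.has_triage())
            greatest_cve = max(
                greatest_cve,
                highest_major_cve_severity(vulnerabilities, cvss_version),
            )
        return greatest_cve

    def report_gcr_severity(container_image):
        # informational cross-check only; the outcome is logged, not acted upon
        if container_image is None:
            # NOTE(review): bare analysis results carry no container image, so there is
            # nothing to look up - confirm that skipping is the intended behaviour
            info('no container image available - skipping gcr vulnerability lookup')
            return
        try:
            # XXX HACK: just one any image ref
            image_ref = container_image.image_reference()
            gcr_cve = -1
            for r in ccc.grafeas.filter_vulnerabilities(
                image_ref,
                cvss_threshold=cve_threshold,
            ):
                gcr_cve = max(gcr_cve, r.vulnerability.cvss_score)
            info(
                f'gcr says max CVSS=={gcr_cve} (-1 means no vulnerability was found)'
            )
            # TODO: skip if < threshold - just report for now
        except ccc.grafeas.VulnerabilitiesRetrievalFailed as vrf:
            # a failed lookup must not hide the Protecode finding; report and carry on
            warning('failed to retrieve vulnerabilies from gcr')
            print(vrf)

    def render_results_table(
        entries: typing.Sequence[typing.Tuple[UploadResult, int]],
    ):
        # one row per entry, ascending by severity so the worst offenders end the table
        header = ('Component Name', 'Greatest CVE')
        rows = [
            (to_result(upload_result).display_name(), greatest_cve)
            for upload_result, greatest_cve in sorted(entries, key=lambda e: e[1])
        ]
        print(tabulate.tabulate(rows, headers=header, tablefmt='fancy_grid'))

    results_without_components = []
    results_below_cve_thresh = []
    results_above_cve_thresh = []

    for upload_result in upload_results:
        components = to_result(upload_result).components()
        if not components:
            results_without_components.append(upload_result)
            continue

        greatest_cve = greatest_cve_severity(components)
        if greatest_cve < cve_threshold:
            results_below_cve_thresh.append((upload_result, greatest_cve))
            continue

        # getattr: bare analysis results have no container_image attribute
        report_gcr_severity(getattr(upload_result, 'container_image', None))
        results_above_cve_thresh.append((upload_result, greatest_cve))

    if results_without_components:
        warning(
            f'Protecode did not identify components for {len(results_without_components)}:\n'
        )
        for upload_result in results_without_components:
            print(to_result(upload_result).display_name())
        print('')

    if results_below_cve_thresh:
        info(
            f'The following components were below configured cve threshold {cve_threshold}'
        )
        render_results_table(entries=results_below_cve_thresh)
        print('')

    if results_above_cve_thresh:
        warning('The following components have critical vulnerabilities:')
        render_results_table(entries=results_above_cve_thresh)

    return results_above_cve_thresh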