def save_image_new(self, imageId, report=None):
# setup dir structure
self.make_image_structure(imageId)
if not report:
report = load_image_new(imageId)
# store the reports
self.save_image_report(imageId, report['image_report'])
self.save_analysis_report(imageId, report['analysis_report'])
self.save_analyzer_manifest(imageId, report['analyzer_manifest'])
self.save_gates_report(imageId, report['gates_report'])
self.save_gates_eval_report(imageId, report['gates_eval_report'])
# populate the analyzer_outputs
for module_name in report['analysis_report'].keys():
for module_value in report['analysis_report'][module_name].keys():
for module_type in ['base', 'extra', 'user']:
if module_type in report['analysis_report'][module_name][
module_value]:
adata = report['analysis_report'][module_name][
module_value][module_type]
if adata:
self.save_analysis_output(imageId,
module_name,
module_value,
adata,
module_type=module_type)
# populate gates outputs
for gname in report['gates_report'].keys():
self.save_gate_output(imageId, gname,
report['gates_report'][gname])
# populate image metadata
thedir = os.path.join(self.imagerootdir, imageId, "image_output",
"image_info")
if not os.path.exists(thedir):
os.makedirs(thedir)
thefile = os.path.join(thedir, "image.meta")
anchore_utils.write_kvfile_fromdict(thefile,
report['image_report']['meta'])
thefile = os.path.join(thedir, "Dockerfile")
anchore_utils.write_plainfile_fromstr(
thefile, report['image_report']['dockerfile_contents'])
return (True)
def execute_gates(imageId, policies, refresh=True):
import random
success = True
anchore_config = contexts['anchore_config']
imagename = imageId
gatesdir = '/'.join([anchore_config["scripts_dir"], "gates"])
workingdir = '/'.join([anchore_config['anchore_data_dir'], 'querytmp'])
outputdir = workingdir
_logger.info(imageId + ": evaluating policies...")
for d in [outputdir, workingdir]:
if not os.path.exists(d):
os.makedirs(d)
imgfile = '/'.join(
[workingdir, "queryimages." + str(random.randint(0, 99999999))])
anchore_utils.write_plainfile_fromstr(imgfile, imageId)
try:
gmanifest, failedgates = anchore_utils.generate_gates_manifest()
if failedgates:
_logger.error(
"some gates failed to run - check the gate(s) modules for errors: "
+ str(','.join(failedgates)))
success = False
else:
success = True
for gatecheck in policies.keys():
# get all commands that match the gatecheck
gcommands = []
for gkey in gmanifest.keys():
if gmanifest[gkey]['gatename'] == gatecheck:
gcommands.append(gkey)
# assemble the params from the input policy for this gatecheck
params = []
for trigger in policies[gatecheck].keys():
if 'params' in policies[gatecheck][trigger] and policies[
gatecheck][trigger]['params']:
params.append(policies[gatecheck][trigger]['params'])
if not params:
params = ['all']
if gcommands:
for command in gcommands:
cmd = [command] + [
imgfile, anchore_config['image_data_store'],
outputdir
] + params
_logger.debug("running gate command: " +
str(' '.join(cmd)))
(rc, sout, cmdstring) = anchore_utils.run_command(cmd)
if rc:
_logger.error("FAILED")
_logger.error("\tCMD: " + str(cmdstring))
_logger.error("\tEXITCODE: " + str(rc))
_logger.error("\tOUTPUT: " + str(sout))
success = False
else:
_logger.debug("")
_logger.debug("\tCMD: " + str(cmdstring))
_logger.debug("\tEXITCODE: " + str(rc))
_logger.debug("\tOUTPUT: " + str(sout))
_logger.debug("")
else:
_logger.warn(
"WARNING: gatecheck (" + str(gatecheck) +
") line in policy, but no gates were found that match this gatecheck"
)
except Exception as err:
_logger.error("gate evaluation failed - exception: " + str(err))
finally:
if imgfile and os.path.exists(imgfile):
try:
os.remove(imgfile)
except:
_logger.error("could not remove tempfile: " + str(imgfile))
if success:
report = generate_gates_report(imageId)
contexts['anchore_db'].save_gates_report(imageId, report)
_logger.info(imageId + ": evaluated.")
return (success)
def execute_gates(self, image, refresh=True):
self._logger.debug("gate policy evaluation for image " +
str(image.meta['imagename']) + ": begin")
success = True
imagename = image.meta['imageId']
gatesdir = '/'.join([self.config["scripts_dir"], "gates"])
workingdir = '/'.join([self.config['anchore_data_dir'], 'querytmp'])
outputdir = workingdir
self._logger.info(image.meta['shortId'] + ": evaluating policies ...")
for d in [outputdir, workingdir]:
if not os.path.exists(d):
os.makedirs(d)
imgfile = '/'.join(
[workingdir, "queryimages." + str(random.randint(0, 99999999))])
anchore_utils.write_plainfile_fromstr(imgfile, image.meta['imageId'])
if self.policy_override:
#policy_data = anchore_utils.read_plainfile_tolist(self.policy_override)
try:
policy = anchore_policy.read_policy(name='default',
file=self.policy_override)
policy_data = policy['default']
except Exception as err:
policy_data = []
policies = anchore_policy.structure_policy(policy_data)
else:
policies = self.get_image_policies(image)
try:
gmanifest, failedgates = anchore_utils.generate_gates_manifest()
if failedgates:
self._logger.error(
"some gates failed to run - check the gate(s) modules for errors: "
+ str(','.join(failedgates)))
success = False
else:
success = True
for gatecheck in policies.keys():
# get all commands that match the gatecheck
gcommands = []
for gkey in gmanifest.keys():
if gmanifest[gkey]['gatename'] == gatecheck:
gcommands.append(gkey)
# assemble the params from the input policy for this gatecheck
params = []
for trigger in policies[gatecheck].keys():
if 'params' in policies[gatecheck][
trigger] and policies[gatecheck][trigger][
'params']:
params.append(
policies[gatecheck][trigger]['params'])
if not params:
params = ['all']
if gcommands:
for command in gcommands:
cmd = [command] + [
imgfile, self.config['image_data_store'],
outputdir
] + params
self._logger.debug("running gate command: " +
str(' '.join(cmd)))
(rc, sout,
cmdstring) = anchore_utils.run_command(cmd)
if rc:
self._logger.error("FAILED")
self._logger.error("\tCMD: " + str(cmdstring))
self._logger.error("\tEXITCODE: " + str(rc))
self._logger.error("\tOUTPUT: " + str(sout))
success = False
else:
self._logger.debug("")
self._logger.debug("\tCMD: " + str(cmdstring))
self._logger.debug("\tEXITCODE: " + str(rc))
self._logger.debug("\tOUTPUT: " + str(sout))
self._logger.debug("")
else:
self._logger.warn(
"WARNING: gatecheck (" + str(gatecheck) +
") line in policy, but no gates were found that match this gatecheck"
)
except Exception as err:
self._logger.error("gate evaluation failed - exception: " +
str(err))
finally:
if imgfile and os.path.exists(imgfile):
try:
os.remove(imgfile)
except:
self._logger.error("could not remove tempfile: " +
str(imgfile))
if success:
report = self.generate_gates_report(image)
self.anchoreDB.save_gates_report(image.meta['imageId'], report)
self._logger.info(image.meta['shortId'] + ": evaluated.")
self._logger.debug("gate policy evaluation for image " +
str(image.meta['imagename']) + ": end")
return (success)
def execute_gates(imageId, policies, refresh=True):
import random
success = True
anchore_config = contexts['anchore_config']
imagename = imageId
gatesdir = '/'.join([anchore_config["scripts_dir"], "gates"])
workingdir = '/'.join([anchore_config['anchore_data_dir'], 'querytmp'])
outputdir = workingdir
_logger.info(imageId + ": evaluating policies...")
for d in [outputdir, workingdir]:
if not os.path.exists(d):
os.makedirs(d)
imgfile = '/'.join([workingdir, "queryimages." + str(random.randint(0, 99999999))])
anchore_utils.write_plainfile_fromstr(imgfile, imageId)
try:
gmanifest, failedgates = anchore_utils.generate_gates_manifest()
if failedgates:
_logger.error("some gates failed to run - check the gate(s) modules for errors: " + str(','.join(failedgates)))
success = False
else:
success = True
for gatecheck in policies.keys():
# get all commands that match the gatecheck
gcommands = []
for gkey in gmanifest.keys():
if gmanifest[gkey]['gatename'] == gatecheck:
gcommands.append(gkey)
# assemble the params from the input policy for this gatecheck
params = []
for trigger in policies[gatecheck].keys():
if 'params' in policies[gatecheck][trigger] and policies[gatecheck][trigger]['params']:
params.append(policies[gatecheck][trigger]['params'])
if not params:
params = ['all']
if gcommands:
for command in gcommands:
cmd = [command] + [imgfile, anchore_config['image_data_store'], outputdir] + params
_logger.debug("running gate command: " + str(' '.join(cmd)))
(rc, sout, cmdstring) = anchore_utils.run_command(cmd)
if rc:
_logger.error("FAILED")
_logger.error("\tCMD: " + str(cmdstring))
_logger.error("\tEXITCODE: " + str(rc))
_logger.error("\tOUTPUT: " + str(sout))
success = False
else:
_logger.debug("")
_logger.debug("\tCMD: " + str(cmdstring))
_logger.debug("\tEXITCODE: " + str(rc))
_logger.debug("\tOUTPUT: " + str(sout))
_logger.debug("")
else:
_logger.warn("WARNING: gatecheck ("+str(gatecheck)+") line in policy, but no gates were found that match this gatecheck")
except Exception as err:
_logger.error("gate evaluation failed - exception: " + str(err))
finally:
if imgfile and os.path.exists(imgfile):
try:
os.remove(imgfile)
except:
_logger.error("could not remove tempfile: " + str(imgfile))
if success:
report = generate_gates_report(imageId)
contexts['anchore_db'].save_gates_report(imageId, report)
_logger.info(imageId + ": evaluated.")
return(success)