2020-05-26 14:37:28 +00:00
|
|
|
package cmd
|
|
|
|
|
|
|
|
|
|
import (
|
2020-09-14 16:06:29 +00:00
|
|
|
"context"
|
2020-05-26 14:37:28 +00:00
|
|
|
"fmt"
|
|
|
|
|
"os"
|
2020-07-16 19:12:19 +00:00
|
|
|
"runtime/pprof"
|
2020-09-14 16:06:29 +00:00
|
|
|
"strings"
|
2020-07-30 23:06:27 +00:00
|
|
|
"sync"
|
|
|
|
|
|
2020-07-24 01:29:05 +00:00
|
|
|
"github.com/anchore/grype/grype"
|
2020-07-30 23:06:27 +00:00
|
|
|
"github.com/anchore/grype/grype/event"
|
2020-07-24 01:29:05 +00:00
|
|
|
"github.com/anchore/grype/grype/presenter"
|
2020-08-06 12:27:09 +00:00
|
|
|
"github.com/anchore/grype/grype/vulnerability"
|
2020-07-24 01:29:05 +00:00
|
|
|
"github.com/anchore/grype/internal"
|
2020-07-30 23:06:27 +00:00
|
|
|
"github.com/anchore/grype/internal/bus"
|
2020-07-24 01:29:05 +00:00
|
|
|
"github.com/anchore/grype/internal/format"
|
2020-07-30 23:06:27 +00:00
|
|
|
"github.com/anchore/grype/internal/ui"
|
2020-07-24 18:24:16 +00:00
|
|
|
"github.com/anchore/grype/internal/version"
|
2020-08-06 12:27:09 +00:00
|
|
|
"github.com/anchore/syft/syft"
|
|
|
|
|
"github.com/anchore/syft/syft/distro"
|
|
|
|
|
"github.com/anchore/syft/syft/pkg"
|
2020-07-24 01:26:03 +00:00
|
|
|
"github.com/anchore/syft/syft/scope"
|
2020-09-14 16:06:29 +00:00
|
|
|
"github.com/docker/docker/api/types"
|
|
|
|
|
"github.com/docker/docker/api/types/filters"
|
|
|
|
|
"github.com/docker/docker/client"
|
2020-05-26 14:37:28 +00:00
|
|
|
"github.com/spf13/cobra"
|
2020-05-26 17:31:50 +00:00
|
|
|
"github.com/spf13/viper"
|
2020-07-30 23:06:27 +00:00
|
|
|
"github.com/wagoodman/go-partybus"
|
2020-05-26 14:37:28 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var rootCmd = &cobra.Command{
|
|
|
|
|
Use: fmt.Sprintf("%s [IMAGE]", internal.ApplicationName),
|
2020-07-24 01:26:03 +00:00
|
|
|
Short: "A vulnerability scanner for container images and filesystems", // TODO: add copy, add path-based scans
|
2020-05-26 17:31:50 +00:00
|
|
|
Long: format.Tprintf(`Supports the following image sources:
|
2020-05-26 14:37:28 +00:00
|
|
|
{{.appName}} yourrepo/yourimage:tag defaults to using images from a docker daemon
|
2020-07-24 18:03:25 +00:00
|
|
|
{{.appName}} dir://path/to/yourrepo do a directory scan
|
2020-05-26 17:31:50 +00:00
|
|
|
{{.appName}} docker://yourrepo/yourimage:tag explicitly use a docker daemon
|
2020-05-26 14:37:28 +00:00
|
|
|
{{.appName}} tar://path/to/yourimage.tar use a tarball from disk
|
|
|
|
|
`, map[string]interface{}{
|
|
|
|
|
"appName": internal.ApplicationName,
|
|
|
|
|
}),
|
2020-08-03 16:02:44 +00:00
|
|
|
Args: cobra.MaximumNArgs(1),
|
2020-05-26 17:31:50 +00:00
|
|
|
Run: func(cmd *cobra.Command, args []string) {
|
2020-07-16 19:12:19 +00:00
|
|
|
if appConfig.Dev.ProfileCPU {
|
|
|
|
|
f, err := os.Create("cpu.profile")
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Errorf("unable to create CPU profile: %+v", err)
|
|
|
|
|
} else {
|
|
|
|
|
err := pprof.StartCPUProfile(f)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Errorf("unable to start CPU profile: %+v", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-08-03 16:02:44 +00:00
|
|
|
if len(args) == 0 {
|
|
|
|
|
err := cmd.Help()
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Errorf(err.Error())
|
|
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
|
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
2020-07-21 16:34:39 +00:00
|
|
|
err := runDefaultCmd(cmd, args)
|
2020-07-16 19:12:19 +00:00
|
|
|
|
|
|
|
|
if appConfig.Dev.ProfileCPU {
|
|
|
|
|
pprof.StopCPUProfile()
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-21 16:34:39 +00:00
|
|
|
if err != nil {
|
|
|
|
|
log.Errorf(err.Error())
|
|
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
2020-05-26 17:31:50 +00:00
|
|
|
},
|
2020-09-14 16:06:29 +00:00
|
|
|
ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
|
|
|
|
|
// Since we use ValidArgsFunction, Cobra will call this AFTER having parsed all flags and arguments provided
|
|
|
|
|
dockerImageRepoTags, err := ListLocalDockerImages(toComplete)
|
|
|
|
|
if err != nil {
|
|
|
|
|
// Indicates that an error occurred and completions should be ignored
|
|
|
|
|
return []string{"completion failed"}, cobra.ShellCompDirectiveError
|
|
|
|
|
}
|
|
|
|
|
if len(dockerImageRepoTags) == 0 {
|
|
|
|
|
return []string{"no docker images found"}, cobra.ShellCompDirectiveError
|
|
|
|
|
}
|
|
|
|
|
// ShellCompDirectiveDefault indicates that the shell will perform its default behavior after completions have
|
|
|
|
|
// been provided (without implying other possible directives)
|
|
|
|
|
return dockerImageRepoTags, cobra.ShellCompDirectiveDefault
|
|
|
|
|
},
|
2020-05-26 14:37:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func init() {
|
2020-05-26 17:31:50 +00:00
|
|
|
// setup CLI options specific to scanning an image
|
2020-05-26 14:37:28 +00:00
|
|
|
|
2020-05-26 17:31:50 +00:00
|
|
|
// scan options
|
|
|
|
|
flag := "scope"
|
|
|
|
|
rootCmd.Flags().StringP(
|
2020-08-06 12:27:09 +00:00
|
|
|
"scope", "s", scope.SquashedScope.String(),
|
2020-07-21 16:34:39 +00:00
|
|
|
fmt.Sprintf("selection of layers to analyze, options=%v", scope.Options),
|
|
|
|
|
)
|
2020-05-26 17:31:50 +00:00
|
|
|
if err := viper.BindPFlag(flag, rootCmd.Flags().Lookup(flag)); err != nil {
|
|
|
|
|
fmt.Printf("unable to bind flag '%s': %+v", flag, err)
|
2020-05-26 14:37:28 +00:00
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-26 17:31:50 +00:00
|
|
|
// output & formatting options
|
|
|
|
|
flag = "output"
|
|
|
|
|
rootCmd.Flags().StringP(
|
2020-07-25 15:38:08 +00:00
|
|
|
flag, "o", presenter.TablePresenter.String(),
|
2020-06-18 14:12:23 +00:00
|
|
|
fmt.Sprintf("report output formatter, options=%v", presenter.Options),
|
2020-05-26 17:31:50 +00:00
|
|
|
)
|
|
|
|
|
if err := viper.BindPFlag(flag, rootCmd.Flags().Lookup(flag)); err != nil {
|
|
|
|
|
fmt.Printf("unable to bind flag '%s': %+v", flag, err)
|
|
|
|
|
os.Exit(1)
|
|
|
|
|
}
|
2020-05-26 14:37:28 +00:00
|
|
|
}
|
|
|
|
|
|
2020-07-30 23:06:27 +00:00
|
|
|
func startWorker(userInput string) <-chan error {
|
|
|
|
|
errs := make(chan error)
|
|
|
|
|
go func() {
|
|
|
|
|
defer close(errs)
|
|
|
|
|
|
|
|
|
|
if appConfig.CheckForAppUpdate {
|
|
|
|
|
isAvailable, newVersion, err := version.IsUpdateAvailable()
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Errorf(err.Error())
|
|
|
|
|
}
|
|
|
|
|
if isAvailable {
|
|
|
|
|
log.Infof("New version of %s is available: %s", internal.ApplicationName, newVersion)
|
|
|
|
|
|
|
|
|
|
bus.Publish(partybus.Event{
|
|
|
|
|
Type: event.AppUpdateAvailable,
|
|
|
|
|
Value: newVersion,
|
|
|
|
|
})
|
|
|
|
|
} else {
|
|
|
|
|
log.Debugf("No new %s update available", internal.ApplicationName)
|
|
|
|
|
}
|
2020-07-24 18:24:16 +00:00
|
|
|
}
|
|
|
|
|
|
2020-07-30 23:06:27 +00:00
|
|
|
var provider vulnerability.Provider
|
2020-08-07 17:05:58 +00:00
|
|
|
var metadataProvider vulnerability.MetadataProvider
|
2020-07-30 23:06:27 +00:00
|
|
|
var catalog *pkg.Catalog
|
2020-08-07 17:05:58 +00:00
|
|
|
var theScope *scope.Scope
|
2020-07-30 23:06:27 +00:00
|
|
|
var theDistro *distro.Distro
|
|
|
|
|
var err error
|
|
|
|
|
var wg = &sync.WaitGroup{}
|
2020-05-26 14:37:28 +00:00
|
|
|
|
2020-07-30 23:06:27 +00:00
|
|
|
wg.Add(2)
|
2020-05-26 14:37:28 +00:00
|
|
|
|
2020-07-30 23:06:27 +00:00
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
2020-08-07 17:05:58 +00:00
|
|
|
provider, metadataProvider, err = grype.LoadVulnerabilityDb(appConfig.Db.ToCuratorConfig(), appConfig.Db.AutoUpdate)
|
2020-07-30 23:06:27 +00:00
|
|
|
if err != nil {
|
|
|
|
|
errs <- fmt.Errorf("failed to load vulnerability db: %w", err)
|
|
|
|
|
}
|
|
|
|
|
}()
|
2020-06-19 14:12:29 +00:00
|
|
|
|
2020-07-30 23:06:27 +00:00
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
2020-08-07 17:05:58 +00:00
|
|
|
catalog, theScope, theDistro, err = syft.Catalog(userInput, appConfig.ScopeOpt)
|
2020-07-30 23:06:27 +00:00
|
|
|
if err != nil {
|
|
|
|
|
errs <- fmt.Errorf("failed to catalog: %w", err)
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
|
|
|
|
|
wg.Wait()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-17 10:02:17 +00:00
|
|
|
matches := grype.FindVulnerabilitiesForCatalog(provider, *theDistro, catalog)
|
2020-07-30 23:06:27 +00:00
|
|
|
|
|
|
|
|
bus.Publish(partybus.Event{
|
|
|
|
|
Type: event.VulnerabilityScanningFinished,
|
2020-09-17 10:02:17 +00:00
|
|
|
Value: presenter.GetPresenter(appConfig.PresenterOpt, matches, catalog, *theScope, metadataProvider),
|
2020-07-30 23:06:27 +00:00
|
|
|
})
|
|
|
|
|
}()
|
|
|
|
|
return errs
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func runDefaultCmd(_ *cobra.Command, args []string) error {
|
|
|
|
|
userInput := args[0]
|
|
|
|
|
errs := startWorker(userInput)
|
|
|
|
|
ux := ui.Select(appConfig.CliOptions.Verbosity > 0, appConfig.Quiet)
|
|
|
|
|
return ux(errs, eventSubscription)
|
2020-05-26 14:37:28 +00:00
|
|
|
}
|
2020-09-14 16:06:29 +00:00
|
|
|
|
|
|
|
|
func ListLocalDockerImages(prefix string) ([]string, error) {
|
|
|
|
|
var repoTags = make([]string, 0)
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return repoTags, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Only want to return tagged images
|
|
|
|
|
imageListArgs := filters.NewArgs()
|
|
|
|
|
imageListArgs.Add("dangling", "false")
|
|
|
|
|
images, err := cli.ImageList(ctx, types.ImageListOptions{All: false, Filters: imageListArgs})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return repoTags, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, image := range images {
|
|
|
|
|
// image may have multiple tags
|
|
|
|
|
for _, tag := range image.RepoTags {
|
|
|
|
|
if strings.HasPrefix(tag, prefix) {
|
|
|
|
|
repoTags = append(repoTags, tag)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return repoTags, nil
|
|
|
|
|
}
|
