package cmd
import (
"fmt"
"os"
"sync"
"github.com/anchore/grype/grype"
"github.com/anchore/grype/grype/db"
"github.com/anchore/grype/grype/event"
"github.com/anchore/grype/grype/grypeerr"
"github.com/anchore/grype/grype/match"
"github.com/anchore/grype/grype/pkg"
"github.com/anchore/grype/grype/presenter"
"github.com/anchore/grype/grype/vulnerability"
"github.com/anchore/grype/internal"
"github.com/anchore/grype/internal/bus"
"github.com/anchore/grype/internal/config"
"github.com/anchore/grype/internal/format"
"github.com/anchore/grype/internal/log"
"github.com/anchore/grype/internal/ui"
"github.com/anchore/grype/internal/version"
"github.com/anchore/stereoscope"
"github.com/anchore/syft/syft/source"
"github.com/pkg/profile"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"github.com/spf13/viper"
"github.com/wagoodman/go-partybus"
)
// persistentOpts holds the CLI-only options (config file path and verbosity
// count) that setGlobalCliOptions binds to the root command's persistent
// flags, i.e. the flags available on every command.
var persistentOpts config.CliOnlyOptions
// rootCmd is the top-level scan command. Its single optional positional
// argument names the image, archive, directory or SBOM to scan; it may be
// omitted only when Syft JSON is piped in on stdin (see validateRootArgs).
var rootCmd = &cobra.Command{
	Use:   fmt.Sprintf("%s [IMAGE]", internal.ApplicationName),
	Short: "A vulnerability scanner for container images and filesystems",
	Long: format.Tprintf(`
Supports the following image sources:
{{.appName}} yourrepo/yourimage:tag defaults to using images from a Docker daemon
{{.appName}} path/to/yourproject a Docker tar, OCI tar, OCI directory, or generic filesystem directory

You can also explicitly specify the scheme to use:
{{.appName}} docker:yourrepo/yourimage:tag explicitly use the Docker daemon
{{.appName}} docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
{{.appName}} oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Podman or otherwise)
{{.appName}} oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
{{.appName}} dir:path/to/yourproject read directly from a path on disk (any directory)
{{.appName}} sbom:path/to/syft.json read Syft JSON from path on disk
{{.appName}} registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)

You can also pipe in Syft JSON directly:
syft yourimage:tag -o json | {{.appName}}

`, map[string]interface{}{
		"appName": internal.ApplicationName,
	}),
	Args: validateRootArgs,
	RunE: func(cmd *cobra.Command, args []string) error {
		// developer-only profiling for the lifetime of the scan; when both
		// are requested the CPU profile takes precedence
		switch {
		case appConfig.Dev.ProfileCPU:
			defer profile.Start(profile.CPUProfile).Stop()
		case appConfig.Dev.ProfileMem:
			defer profile.Start(profile.MemProfile).Stop()
		}
		return rootExec(cmd, args)
	},
	ValidArgsFunction: dockerImageValidArgsFunction,
}
// init wires up the root command's flags: first the persistent options shared
// by every command, then the flags that belong to the root scan command only.
func init() {
	rootFlags := rootCmd.Flags()
	setGlobalCliOptions()
	setRootFlags(rootFlags)
}
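// setGlobalCliOptions registers the persistent flags accepted by every
// command: --config/-c, --quiet/-q and --verbose/-v.
//
// --config and --verbose are written straight into persistentOpts; --quiet
// is bound into viper under the key "quiet". A failed viper binding cannot be
// recovered from at this point, so it is reported on stderr and the process
// exits with status 1.
func setGlobalCliOptions() {
	// setup global CLI options (available on all CLI commands)
	persistent := rootCmd.PersistentFlags()
	persistent.StringVarP(&persistentOpts.ConfigPath, "config", "c", "", "application config file")

	const quietFlag = "quiet"
	persistent.BoolP(
		quietFlag, "q", false,
		"suppress all logging output",
	)
	if err := viper.BindPFlag(quietFlag, persistent.Lookup(quietFlag)); err != nil {
		// write to stderr rather than stdout (stdout is the default report
		// destination) and terminate the line before exiting
		fmt.Fprintf(os.Stderr, "unable to bind flag '%s': %+v\n", quietFlag, err)
		os.Exit(1)
	}

	persistent.CountVarP(&persistentOpts.Verbosity, "verbose", "v", "increase verbosity (-v = info, -vv = debug)")
}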
// setRootFlags registers the flags that only the root scan command accepts:
// --scope/-s, --output/-o, --file, --template/-t and --fail-on/-f. Binding
// them to viper configuration keys is done separately by bindRootConfigOptions.
func setRootFlags(flags *pflag.FlagSet) {
	scopeHelp := fmt.Sprintf("selection of layers to analyze, options=%v", source.AllScopes)
	flags.StringP("scope", "s", source.SquashedScope.String(), scopeHelp)

	outputHelp := fmt.Sprintf("report output formatter, formats=%v", presenter.AvailableFormats)
	flags.StringP("output", "o", "", outputHelp)

	// --file has no shorthand
	flags.String("file", "", "file to write the report output to (default is STDOUT)")

	templateHelp := "specify the path to a Go template file (" +
		"requires 'template' output to be selected)"
	flags.StringP("template", "t", "", templateHelp)

	failOnHelp := fmt.Sprintf("set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=%v", vulnerability.AllSeverities)
	flags.StringP("fail-on", "f", "", failOnHelp)
}
// bindRootConfigOptions binds each root-command flag to its viper
// configuration key. Note that two keys differ from their flag names:
// --template is bound as "output-template-file" and --fail-on as
// "fail-on-severity". The first binding error is returned as-is.
func bindRootConfigOptions(flags *pflag.FlagSet) error {
	bindings := []struct {
		key  string
		flag string
	}{
		{key: "scope", flag: "scope"},
		{key: "output", flag: "output"},
		{key: "file", flag: "file"},
		{key: "output-template-file", flag: "template"},
		{key: "fail-on-severity", flag: "fail-on"},
	}
	for _, b := range bindings {
		if err := viper.BindPFlag(b.key, flags.Lookup(b.flag)); err != nil {
			return err
		}
	}
	return nil
}
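// rootExec runs a scan of the optional positional argument in args and drives
// the event loop (with signal handling, UI selection and stereoscope cleanup)
// until the worker finishes.
//
// args may be empty when the SBOM is piped in on stdin; the empty userInput is
// then handed to startWorker unchanged. The report writer's closer is
// registered only after reportWriter succeeded.
func rootExec(_ *cobra.Command, args []string) error {
	// we may not be provided an image if the user is piping in SBOM input
	var userInput string
	if len(args) > 0 {
		userInput = args[0]
	}

	reporter, closer, err := reportWriter()
	if err != nil {
		return err
	}
	// previously the closer was deferred before the error check, so a nil
	// closer returned together with an error (reportWriter is defined
	// elsewhere, so whether that can happen is not visible here) would be
	// invoked and panic; deferring after the check removes that path
	defer func() {
		if err := closer(); err != nil {
			log.Warnf("unable to write to report destination: %+v", err)
		}
	}()

	return eventLoop(
		startWorker(userInput, appConfig.FailOnSeverity),
		setupSignals(),
		eventSubscription,
		stereoscope.Cleanup,
		ui.Select(appConfig.CliOptions.Verbosity > 0, appConfig.Quiet, reporter)...,
	)
}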
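// startWorker runs the whole scan on a background goroutine and returns the
// channel on which it reports errors; the channel is closed when the worker
// exits. The channel is unbuffered, so the caller must keep draining it.
//
// userInput is the positional image/directory/SBOM reference (empty when the
// SBOM is piped in on stdin). failOnSeverity, when non-nil, makes the worker
// send grypeerr.ErrAboveSeverityThreshold if any non-ignored match has a
// severity at or above it. The scan result is published on the bus as an
// event.VulnerabilityScanningFinished event whose value is the presenter.
//
// nolint:funlen
func startWorker(userInput string, failOnSeverity *vulnerability.Severity) <-chan error {
	errs := make(chan error)
	go func() {
		defer close(errs)

		presenterConfig, err := presenter.ValidatedConfig(appConfig.Output, appConfig.OutputTemplateFile)
		if err != nil {
			errs <- err
			return
		}

		if appConfig.CheckForAppUpdate {
			isAvailable, newVersion, err := version.IsUpdateAvailable()
			if err != nil {
				// the error is an argument, never the format string itself
				log.Errorf("unable to check for an application update: %+v", err)
			}
			if isAvailable {
				log.Infof("New version of %s is available: %s", internal.ApplicationName, newVersion)
				bus.Publish(partybus.Event{
					Type:  event.AppUpdateAvailable,
					Value: newVersion,
				})
			} else {
				log.Debugf("No new %s update available", internal.ApplicationName)
			}
		}

		var (
			provider         vulnerability.Provider
			metadataProvider vulnerability.MetadataProvider
			dbStatus         *db.Status
			packages         []pkg.Package
			pkgContext       pkg.Context
			// one error per goroutine: both goroutines used to assign the
			// single err above, which is a data race and let a later nil
			// overwrite an earlier failure, so the scan could continue with
			// a nil provider
			dbErr  error
			pkgErr error
		)

		// the DB load and the package cataloging run concurrently
		var wg sync.WaitGroup
		wg.Add(2)

		go func() {
			defer wg.Done()
			log.Debug("loading DB")
			provider, metadataProvider, dbStatus, dbErr = grype.LoadVulnerabilityDB(appConfig.DB.ToCuratorConfig(), appConfig.DB.AutoUpdate)
			if dbErr != nil {
				errs <- fmt.Errorf("failed to load vulnerability db: %w", dbErr)
			}
			// a nil status is only reported, as before; whether it stops the
			// scan is up to the event loop (defined elsewhere)
			if dbStatus == nil {
				errs <- fmt.Errorf("unable to determine DB status")
			}
		}()

		go func() {
			defer wg.Done()
			log.Debugf("gathering packages")
			packages, pkgContext, pkgErr = pkg.Provide(userInput, appConfig.ScopeOpt, appConfig.Registry.ToOptions())
			if pkgErr != nil {
				errs <- fmt.Errorf("failed to catalog: %w", pkgErr)
			}
		}()

		wg.Wait()
		if dbErr != nil || pkgErr != nil {
			return
		}

		allMatches := grype.FindVulnerabilitiesForPackage(provider, pkgContext.Distro, packages...)
		remainingMatches, ignoredMatches := match.ApplyIgnoreRules(allMatches, appConfig.Ignore)
		if count := len(ignoredMatches); count > 0 {
			log.Infof("Ignoring %d matches due to user-provided ignore rules", count)
		}

		// determine if there are any severities >= to the max allowable severity (which is optional).
		// note: until the shared file lock in sqlittle is fixed the sqlite DB cannot be access concurrently,
		// implying that the fail-on-severity check must be done before sending the presenter object.
		if hitSeverityThreshold(failOnSeverity, remainingMatches, metadataProvider) {
			errs <- grypeerr.ErrAboveSeverityThreshold
		}

		bus.Publish(partybus.Event{
			Type:  event.VulnerabilityScanningFinished,
			Value: presenter.GetPresenter(presenterConfig, remainingMatches, ignoredMatches, packages, pkgContext, metadataProvider, appConfig, dbStatus),
		})
	}()
	return errs
}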
// validateRootArgs is the cobra Args validator for rootCmd: at most one
// positional argument is accepted, and it may be omitted only when input is
// being piped in on stdin.
func validateRootArgs(cmd *cobra.Command, args []string) error {
	// the user must specify at least one argument OR wait for input on stdin IF it is a pipe
	haveInput := len(args) > 0 || internal.IsPipedInput()
	if !haveInput {
		// return an error with no message for the user, which will implicitly show the help text (but no specific error)
		return fmt.Errorf("")
	}
	return cobra.MaximumNArgs(1)(cmd, args)
}
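// hitSeverityThreshold indicates if there are any severities >= to the max allowable severity (which is optional).
//
// A nil thresholdSeverity means no threshold is configured and the result is
// always false. Severity is taken from the vulnerability metadata, so a match
// whose metadata cannot be retrieved contributes nothing to the check: it is
// logged at warn level and skipped rather than being counted as above the
// threshold. Consumers relying on --fail-on as a gate should be aware that
// such matches pass it.
func hitSeverityThreshold(thresholdSeverity *vulnerability.Severity, matches match.Matches, metadataProvider vulnerability.MetadataProvider) bool {
	if thresholdSeverity == nil {
		return false
	}

	var maxDiscoveredSeverity vulnerability.Severity
	for m := range matches.Enumerate() {
		metadata, err := metadataProvider.GetMetadata(m.Vulnerability.ID, m.Vulnerability.Namespace)
		if err != nil {
			// previously skipped silently; surface it so a gate that passed
			// because of missing metadata is explainable from the log
			log.Warnf("unable to fetch metadata for %s (%s), skipping it for the fail-on-severity check: %+v",
				m.Vulnerability.ID, m.Vulnerability.Namespace, err)
			continue
		}
		if severity := vulnerability.ParseSeverity(metadata.Severity); severity > maxDiscoveredSeverity {
			maxDiscoveredSeverity = severity
		}
	}

	return maxDiscoveredSeverity >= *thresholdSeverity
}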