
Comments (4)

eversC commented on July 19, 2024

hi @andriisoldatenko

--log "/log.json" ${WHITELIST:+"-x"} is using parameter expansion to substitute in -x, though I need to check why that's happening as the result doesn't seem correct.

I'll try and replicate and get back to you with more detail

from circleci-orbs.
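Added example, not the orb's code and not part of any comment in this thread: the point raised above is bash's `${VAR:+word}` operator, and the generated script posted later in the thread shows the outcome (`-w /whitelist.yml -x` on the scanner command line). The functions below show, on constructed inputs, what `${WHITELIST:+"-x"}` actually returns for a set versus an empty `WHITELIST`, and an array-based way to add an optional `-w` flag so that no flag at all is emitted when no whitelist was supplied. The flag names (`-w`, `-t`, `--log`) and the `clair-scanner` name mirror the generated script; the image name `alpine:3.19` and the `/whitelist.yml` path are illustrative inputs, and the scanner itself is never invoked.

```bash
#!/usr/bin/env bash
# Added example, not code from the circleci-orbs clair orb: shows what
# ${VAR:+word} actually expands to, and an array-based way to splice an
# optional whitelist flag into the scanner command. Flag names mirror the
# generated script in the thread; the scanner is not run here.
set -euo pipefail

# What ${WHITELIST:+"-x"} produces. ${VAR:+word} means "use word if VAR is
# set and non-empty, otherwise nothing": the value of VAR itself never
# appears, so a non-empty WHITELIST yields the literal string "-x".
expand_whitelist_buggy() {
    local WHITELIST="${1:-}"
    printf '%s' "${WHITELIST:+"-x"}"
}

# The expansion one usually wants: the whitelist flags themselves, and
# nothing at all when no whitelist was supplied.
expand_whitelist_value() {
    local WHITELIST="${1:-}"
    printf '%s' "${WHITELIST:+$WHITELIST}"
}

# Build the clair-scanner argv. Keeping it in an array means "-w" and the
# file path stay two separate words, and an empty whitelist adds no words,
# so nothing relies on unquoted word-splitting of $WHITELIST.
build_scan_args() {
    local whitelist_file="${1:-}"   # empty string means "no whitelist"
    local image="$2"
    local -a args=(clair-scanner -t High --log /log.json)
    if [ -n "$whitelist_file" ]; then
        args+=(-w "$whitelist_file")
    fi
    args+=("$image")
    printf '%s\n' "${args[*]}"
}

# Demo when run directly (constructed inputs; no Clair or Docker needed).
if [ "${BASH_SOURCE[0]:-}" = "$0" ]; then
    echo "buggy : [$(expand_whitelist_buggy "-w /whitelist.yml")]"
    echo "value : [$(expand_whitelist_value "-w /whitelist.yml")]"
    echo "unset : [$(expand_whitelist_buggy "")]"
    build_scan_args "" alpine:3.19
    build_scan_args /whitelist.yml alpine:3.19
fi
```

The practical consequence for a scan step is worth keeping in mind: if the whitelist flags never reach clair-scanner, CVEs the team had decided to accept are still reported as unapproved and the job fails; if an unexpected bare `-x` reaches it instead, the script's `else` branch reports an unknown return code. Either way the fix belongs in how the optional argument is spliced, which is why the array form above adds both `-w` and its path together or not at all.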

nwang92 commented on July 19, 2024

Will there be any upcoming releases with this fix?


andriisoldatenko commented on July 19, 2024

more logs:

#!/usr/bin/env bash

set -xe

DOCKER_TAR_DIR="/docker-tars"

if [ -z "ap-airflow-buster-onbuild:latest" ] && [ -z "$(ls -A "$DOCKER_TAR_DIR" 2>/dev/null)" ]; then
    echo "image_file or image parameters or docker tarballs must be present"
    exit 255
fi

REPORT_DIR=/clair-reports
mkdir $REPORT_DIR

DB=$(docker run -p 5432:5432 -d arminc/clair-db:latest)
CLAIR=$(docker run -p 6060:6060 --link "$DB":postgres -d arminc/clair-local-scan:latest)
CLAIR_SCANNER=$(docker run -v /var/run/docker.sock:/var/run/docker.sock -d ovotech/clair-scanner@sha256:8a4f920b4e7e40dbcec4a6168263d45d3385f2970ee33e5135dd0e3b75d39c75 tail -f /dev/null)

clair_ip=$(docker exec -it "$CLAIR" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
scanner_ip=$(docker exec -it "$CLAIR_SCANNER" hostname -i | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')

if [ -n "cve-whitelist.yaml" ]; then
    cat "cve-whitelist.yaml"
    docker cp "cve-whitelist.yaml" "$CLAIR_SCANNER:/whitelist.yml"

    WHITELIST="-w /whitelist.yml"
fi

function scan() {
    local image=$1
    # replace forward-slashes and colons with underscores
    munged_image=$(echo "$image" | sed 's/\//_/g' | sed 's/:/_/g')
    sanitised_image_filename="${munged_image}.json"
    local ret=0
    local docker_cmd=(docker exec -it "$CLAIR_SCANNER" clair-scanner \
        --ip "$scanner_ip" \
        --clair=http://"$clair_ip":6060 \
        -t "High" \
        --report "/$sanitised_image_filename" \
        --log "/log.json" \
        -w /whitelist.yml -x \
        --reportAll=true \
        --exit-when-no-features=false \
        "$image")

    # if verbose output is disabled, analyse status code for more fine-grained output
    if [ "false" == "true" ];then
        "${docker_cmd[@]}" > /dev/null 2>&1 || ret=$?
    else
        "${docker_cmd[@]}" 2>&1 || ret=$?
    fi
    if [ $ret -eq 0 ]; then
        echo "No unapproved vulnerabilities"
    elif [ $ret -eq 1 ]; then
        echo "Unapproved vulnerabilities found"
        if [ "true" == "true" ];then
            EXIT_STATUS=1
        fi
    elif [ $ret -eq 5 ]; then
        echo "Image was not scanned, not supported."
        if [ "true" == "true" ];then
            EXIT_STATUS=1
        fi
    else
        echo "Unknown clair-scanner return code $ret."
        EXIT_STATUS=1
    fi

    docker cp "$CLAIR_SCANNER:/$sanitised_image_filename" "$REPORT_DIR/$sanitised_image_filename" || true
}

EXIT_STATUS=0

for entry in "$DOCKER_TAR_DIR"/*.tar; do
    [ -e "$entry" ] || continue
    images=$(docker load -i "$entry" | sed -e 's/Loaded image: //g')
    for image in $images; do
        scan "$image"
    done
done

if [ -n "" ]; then
    images=$(cat "")
    for image in $images; do
        scan "$image"
    done
fi
if [ -n "ap-airflow-buster-onbuild:latest" ]; then
    image="ap-airflow-buster-onbuild:latest"
    scan "$image"
fi

exit $EXIT_STATUS


matthewtuck commented on July 19, 2024

Will there be any upcoming releases with this fix?

It looks like 1.4.48 is the best release that isn't horribly broken.

