
Commit f1ae85e

authored
ROX-12577 Scanner: load Istio dump (#955)
1 parent ff0992c commit f1ae85e


17 files changed

+209
-31
lines changed


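--- a/.openshift-ci/build/build-bundle.sh
+++ b/.openshift-ci/build/build-bundle.sh
@@ -40,11 +40,13 @@ get_genesis_dump() {
 mkdir -p /tmp/vuln-dump
 gsutil cp gs://stackrox-scanner-ci-vuln-dump/nvd-definitions.zip /tmp/vuln-dump/nvd-definitions.zip
 gsutil cp gs://stackrox-scanner-ci-vuln-dump/k8s-definitions.zip /tmp/vuln-dump/k8s-definitions.zip
+gsutil cp gs://stackrox-scanner-ci-vuln-dump/istio-definitions.zip /tmp/vuln-dump/istio-definitions.zip
 gsutil cp gs://stackrox-scanner-ci-vuln-dump/repo2cpe.zip /tmp/vuln-dump/repo2cpe.zip
 fi
 
 unzip -d "$ROOT/image/scanner/dump" /tmp/vuln-dump/nvd-definitions.zip
 unzip -d "$ROOT/image/scanner/dump" /tmp/vuln-dump/k8s-definitions.zip
+unzip -d "$ROOT/image/scanner/dump" /tmp/vuln-dump/istio-definitions.zip
 unzip -d "$ROOT/image/scanner/dump" /tmp/vuln-dump/repo2cpe.zip
 }
 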
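--- a/.openshift-ci/build/generate-genesis-dump.sh
+++ b/.openshift-ci/build/generate-genesis-dump.sh
@@ -27,6 +27,7 @@ generate_genesis_dump() {
 mkdir -p /tmp/vuln-dump
 zip /tmp/genesis-dump/genesis-dump.zip 'nvd/*' --copy --out /tmp/vuln-dump/nvd-definitions.zip
 zip /tmp/genesis-dump/genesis-dump.zip 'k8s/*' --copy --out /tmp/vuln-dump/k8s-definitions.zip
+zip /tmp/genesis-dump/genesis-dump.zip 'istio/*' --copy --out /tmp/vuln-dump/istio-definitions.zip
 zip /tmp/genesis-dump/genesis-dump.zip 'rhelv2/repository-to-cpe.json' --copy --out /tmp/vuln-dump/repo2cpe.zip
 }
 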
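--- a/cmd/updater/diffdumps/cmd.go
+++ b/cmd/updater/diffdumps/cmd.go
@@ -15,6 +15,7 @@ import (
 "github.com/pkg/errors"
 log "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
+"github.com/stackrox/istio-cves/types"
 "github.com/stackrox/k8s-cves/pkg/validation"
 "github.com/stackrox/rox/pkg/utils"
 "github.com/stackrox/scanner/cmd/updater/common"
@@ -24,11 +25,14 @@ import (
 "github.com/stackrox/scanner/ext/vulnsrc/alpine"
 "github.com/stackrox/scanner/ext/vulnsrc/ubuntu"
 "github.com/stackrox/scanner/pkg/vulndump"
+"github.com/stackrox/scanner/pkg/vulnloader/istioloader"
 "github.com/stackrox/scanner/pkg/vulnloader/k8sloader"
 "github.com/stackrox/scanner/pkg/vulnloader/nvdloader"
 namespaces "github.com/stackrox/scanner/pkg/wellknownnamespaces"
 )
 
+type generateDiffFunc func(outputDir string, baseF, headF *zip.File) error
+
 func generateK8sDiff(outputDir string, baseF, headF *zip.File) error {
 headReader, err := headF.Open()
 if err != nil {
@@ -69,9 +73,57 @@ func generateK8sDiff(outputDir string, baseF, headF *zip.File) error {
 return nil
 }
 
+func generateIstioDiff(outputDir string, baseF, headF *zip.File) error {
+headReader, err := headF.Open()
+if err != nil {
+return errors.Wrap(err, "opening file")
+}
+defer utils.IgnoreError(headReader.Close)
+istioDump, err := istioloader.LoadYAMLFileFromReader(headReader)
+if err != nil {
+return errors.Wrap(err, "reading Istio dump")
+}
+
+var baseIstioDump types.Vuln
+if baseF != nil {
+baseReader, err := baseF.Open()
+if err != nil {
+return errors.Wrap(err, "opening file")
+}
+defer utils.IgnoreError(baseReader.Close)
+baseIstioDump, err = istioloader.LoadYAMLFileFromReader(baseReader)
+if err != nil {
+return errors.Wrap(err, "reading base Istio dump")
+}
+}
+
+outF, err := os.Create(filepath.Join(outputDir, filepath.Base(headF.Name)))
+if err != nil {
+return errors.Wrap(err, "creating Istio output file")
+}
+defer utils.IgnoreError(outF.Close)
+
+if !reflect.DeepEqual(baseIstioDump, istioDump) {
+log.Infof("Istio CVE file %q is in the diff", headF.Name)
+if _, err := io.Copy(outF, headReader); err != nil {
+return errors.Wrap(err, "copying Istio CVE file")
+}
+}
+
+return nil
+}
+
 func generateK8sDiffs(outputDir string, baseZipR *zip.ReadCloser, headZipR *zip.ReadCloser) error {
-k8sSubDir := filepath.Join(outputDir, vulndump.K8sDirName)
-if err := os.MkdirAll(k8sSubDir, 0755); err != nil {
+return generateDiffsHelper(outputDir, baseZipR, headZipR, vulndump.K8sDirName, generateK8sDiff)
+}
+
+func generateIstioDiffs(outputDir string, baseZipR *zip.ReadCloser, headZipR *zip.ReadCloser) error {
+return generateDiffsHelper(outputDir, baseZipR, headZipR, vulndump.IstioDirName, generateIstioDiff)
+}
+
+func generateDiffsHelper(outputDir string, baseZipR *zip.ReadCloser, headZipR *zip.ReadCloser, dirName string, generateDiffs generateDiffFunc) error {
+subDir := filepath.Join(outputDir, dirName)
+if err := os.MkdirAll(subDir, 0755); err != nil {
 return errors.Wrap(err, "creating subdir for Kubernetes")
 }
 
@@ -84,7 +136,7 @@ func generateK8sDiffs(outputDir string, baseZipR *zip.ReadCloser, headZipR *zip.
 continue
 }
 
-if filepath.Dir(name) == vulndump.K8sDirName && filepath.Ext(name) == ".yaml" {
+if filepath.Dir(name) == dirName && filepath.Ext(name) == ".yaml" {
 baseFiles[name] = baseF
 }
 }
@@ -98,12 +150,12 @@ func generateK8sDiffs(outputDir string, baseZipR *zip.ReadCloser, headZipR *zip.
 continue
 }
 
-// Only look at YAML files in the k8s/ folder.
-if filepath.Dir(name) != vulndump.K8sDirName || filepath.Ext(name) != ".yaml" {
+// Only look at YAML files in the <dirName> folder.
+if filepath.Dir(name) != dirName || filepath.Ext(name) != ".yaml" {
 continue
 }
-if err := generateK8sDiff(k8sSubDir, baseFiles[name], headF); err != nil {
-return errors.Wrapf(err, "generating Kubernetes diff for file %q", headF.Name)
+if err := generateDiffs(subDir, baseFiles[name], headF); err != nil {
+return errors.Wrapf(err, "generating diffs for file %q", headF.Name)
 }
 }
 return nil
@@ -343,6 +395,7 @@ func generateOSVulnsDiff(outputDir string, baseZipR, headZipR *zip.ReadCloser, c
 type config struct {
 SkipFixableCentOSVulns bool `json:"skipFixableCentOSVulns"`
 IgnoreKubernetesVulns bool `json:"ignoreKubernetesVulns"`
+IgnoreIstioVulns bool `json:"ignoreIstioVulns"`
 SkipUbuntuLinuxKernelVulns bool `json:"skipUbuntuLinuxKernelVulns"`
 SkipSeverityComparison bool `json:"skipSeverityComparison"`
 SkipRHELv2Vulns bool `json:"skipRHELv2Vulns"`
@@ -409,6 +462,16 @@ func Command() *cobra.Command {
 log.Info("Done generating Kubernetes diff")
 }
 
+if cfg.IgnoreIstioVulns {
+log.Info("Skipping Istio diff")
+} else {
+log.Info("Generating Istio diff...")
+if err := generateIstioDiffs(stagingDir, baseZipR, headZipR); err != nil {
+return errors.Wrap(err, "creating Istio diff")
+}
+log.Info("Done generating Isio diff")
+}
+
 log.Info("Generating NVD diff...")
 if err := generateNVDDiffs(stagingDir, baseManifest.Until, headZipR); err != nil {
 return errors.Wrap(err, "creating NVD diff")
@@ -440,7 +503,7 @@ func Command() *cobra.Command {
 }
 
 log.Info("Zipping up the dump...")
-err = vulndump.WriteZip(stagingDir, outFile, cfg.IgnoreKubernetesVulns, cfg.SkipRHELv2Vulns)
+err = vulndump.WriteZip(stagingDir, outFile, cfg.IgnoreKubernetesVulns, cfg.SkipRHELv2Vulns, cfg.IgnoreIstioVulns)
 if err != nil {
 return errors.Wrap(err, "writing final zip")
 }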
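Review bot: In generateIstioDiff, `io.Copy(outF, headReader)` runs after `istioloader.LoadYAMLFileFromReader(headReader)` has already consumed the same reader, so if the loader reads to EOF (as a YAML decode normally does) the output file written for a changed Istio CVE will be empty or truncated; reading the zip entry once into memory and using those bytes for both the decode and the write removes the dependency on the reader's position (this needs the `bytes` package imported if it is not already). The wrapped error in generateDiffsHelper, `return errors.Wrap(err, "creating subdir for Kubernetes")`, is now also returned when the Istio directory cannot be created; `return errors.Wrapf(err, "creating subdir %q", dirName)` keeps it accurate for both callers. The log line `log.Info("Done generating Isio diff")` in Command has a typo and should read `log.Info("Done generating Istio diff")`. The generateK8sDiff body that this function mirrors starts outside the hunk, so I cannot tell whether it reuses its reader the same way.
```go
func generateIstioDiff(outputDir string, baseF, headF *zip.File) error {
	headReader, err := headF.Open()
	if err != nil {
		return errors.Wrap(err, "opening file")
	}
	defer utils.IgnoreError(headReader.Close)
	// Read the entry once so the same bytes serve both the decode and the copy below.
	headBytes, err := io.ReadAll(headReader)
	if err != nil {
		return errors.Wrap(err, "reading Istio CVE file")
	}
	istioDump, err := istioloader.LoadYAMLFileFromReader(bytes.NewReader(headBytes))
	if err != nil {
		return errors.Wrap(err, "reading Istio dump")
	}
	// … unchanged: base dump load and output file creation …
	if !reflect.DeepEqual(baseIstioDump, istioDump) {
		log.Infof("Istio CVE file %q is in the diff", headF.Name)
		if _, err := outF.Write(headBytes); err != nil {
			return errors.Wrap(err, "writing Istio CVE file")
		}
	}
```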

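--- a/cmd/updater/generatedump/cmd.go
+++ b/cmd/updater/generatedump/cmd.go
@@ -83,7 +83,7 @@ func generateDumpWithAllVulns(outFile string) error {
 }
 
 log.Info("Zipping up the files...")
-if err := vulndump.WriteZip(dumpDir, outFile, false, false); err != nil {
+if err := vulndump.WriteZip(dumpDir, outFile, false, false, false); err != nil {
 return errors.Wrap(err, "creating ZIP of the vuln dump")
 }
 log.Info("Done writing the zip with the entire vuln dump!")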

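--- a/e2etests/testcase_test.go
+++ b/e2etests/testcase_test.go
@@ -1990,7 +1990,7 @@ var testCases = []testCase{
 },
 AddedBy: "sha256:36e8e9714b9a509fae9e515ff16237928c3d809f5ae228b14d2f7d7605c02623",
 Location: "jars/jackson-databind-2.9.10.4.jar",
-FixedBy: "2.12.6.1",
+FixedBy: "2.14.0",
 },
 },
 unexpectedFeatures: []apiV1.Feature{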

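--- a/go.mod
+++ b/go.mod
@@ -129,6 +129,7 @@ require (
 github.com/sergi/go-diff v1.2.0 // indirect
 github.com/soheilhy/cmux v0.1.5 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
+github.com/stackrox/istio-cves v0.0.0-20221007013142-0bde9b541ec8
 github.com/tkuchiki/go-timezone v0.2.2 // indirect
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
 github.com/transparency-dev/merkle v0.0.1 // indirect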

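--- a/go.sum
+++ b/go.sum
@@ -997,6 +997,8 @@ github.com/stackrox/docker-registry-client v0.0.0-20220204234128-07f109db0819 h1
 github.com/stackrox/docker-registry-client v0.0.0-20220204234128-07f109db0819/go.mod h1:tEU0CD7y2mq9HAWFZY48THyKPFy6oMv19UT5bnTvrRo=
 github.com/stackrox/dotnet-scraper v0.0.0-20201023051640-72ef543323dd h1:vEjp7Q66zd4W72//Uk3uyVN50Mh/nFLbN9pb7CVK7mE=
 github.com/stackrox/dotnet-scraper v0.0.0-20201023051640-72ef543323dd/go.mod h1:HILeV3i/EyJz844GcrC3+oU7oZONhjfujaIYBMJ/bZE=
+github.com/stackrox/istio-cves v0.0.0-20221007013142-0bde9b541ec8 h1:rUIvoAHokPcd92aJT2gJwVeyE8tMuaqS5l5s3cEgXFY=
+github.com/stackrox/istio-cves v0.0.0-20221007013142-0bde9b541ec8/go.mod h1:ZF7mH4kH1G+82HxR3uFDHvyLG8eCOdrh1RDyQcTGkBA=
 github.com/stackrox/k8s-cves v0.0.0-20220818200547-7d0d1420c58d h1:88Iui7fSMKgXvpyfBlbP3qosrqyv3qMgOJ6JJ4V4tFQ=
 github.com/stackrox/k8s-cves v0.0.0-20220818200547-7d0d1420c58d/go.mod h1:GJwFpFwCxiYhgpJWrAkM+v9Z9gpgtyWxkRdK4JjsOIg=
 github.com/stackrox/nvdtools v0.0.0-20220608171543-e758756071a0 h1:hLexaI/zJBDP4OlxN1za3IJM7cfH+Kie7F/wdWn3xGA=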
