-
Notifications
You must be signed in to change notification settings - Fork 538
feat(ospkg): add RapidFort curated image scanner #10452
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
bd7352a
aa61dbd
3d7f0b3
4391500
a4fa9bd
54658b7
0903124
1a285f5
fbf27cb
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| package rapidfort | ||
|
|
||
| import ( | ||
| "context" | ||
|
|
||
| dbTypes "github.com/aquasecurity/trivy-db/pkg/types" | ||
| ) | ||
|
|
||
| // IsVulnerable exports isVulnerable for testing. | ||
| func (s *Scanner) IsVulnerable(ctx context.Context, installedVersion string, isRFPackage bool, adv dbTypes.Advisory) bool { | ||
| return s.isVulnerable(ctx, installedVersion, isRFPackage, adv) | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| package rapidfort | ||
|
|
||
| import ( | ||
| "strings" | ||
|
|
||
| "github.com/aquasecurity/trivy/pkg/detector/ospkg/driver" | ||
| ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" | ||
| ) | ||
|
|
||
| const ( | ||
| // maintainerLabel is the Docker image config label used by RapidFort curated images. | ||
| maintainerLabel = "maintainer" | ||
|
|
||
| // rapidfortIdentifier is the string that must appear in the maintainer label value. | ||
| rapidfortIdentifier = "rapidfort" | ||
| ) | ||
|
|
||
| // Provider creates a RapidFort driver if the image has a RapidFort maintainer label. | ||
| func Provider(osFamily ftypes.OSType, _ []ftypes.Package, labels map[string]string) driver.Driver { | ||
| if !isRapidFortImage(labels) { | ||
| return nil | ||
| } | ||
| switch osFamily { | ||
| case ftypes.Ubuntu, ftypes.Alpine, ftypes.RedHat: | ||
| return NewScanner(osFamily) | ||
| } | ||
| return nil | ||
| } | ||
|
|
||
| // isRapidFortImage returns true when the image config labels identify this as a | ||
| // RapidFort curated image (maintainer label contains "rapidfort", case-insensitive). | ||
| func isRapidFortImage(labels map[string]string) bool { | ||
| val, ok := labels[maintainerLabel] | ||
| if !ok { | ||
| return false | ||
| } | ||
| return strings.Contains(strings.ToLower(val), rapidfortIdentifier) | ||
| } | ||
|
Comment on lines
+30
to
+38
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Are there any ways to detect that scanned image is RapidFort image? (e.g. os-release file, etc.)? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. No, as of now this is the only reliable way to identify Rapidfort image. Post in future, if there's any other reliable way introduced we will make sure to integrate it here as well.
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Also, we checked some images (Docker Hub: curl, redis-official, apache-official, elasticsearch-official, cassandra-official, grafana-official, couchdb-official). There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In the case of |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about Debian?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Debian is in progress, and will be out in next release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean your release?
Should we add Debian support for Trivy right away?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code for integration of Debian in Trivy is already done by us, and once the advisory data is published we'll share that PR with you as well.
Integrating Debian for RapidFort images without proper security advisory data wouldn't be right.