scan

package
Published: Dec 11, 2024 License: Apache-2.0 Imports: 38 Imported by: 44

Documentation

Constants

const (
	// AppFileName is the file name the application-package scan uses
	// (see IsAppsPkgFile and ScanUtil.GetAppPackages).
	AppFileName = "apps_pkg"

	// WPVerFileSuffix is the path suffix of the WordPress version file that
	// identifies a WordPress install.
	WPVerFileSuffix = "wp-includes/version.php"

	// ComposerFile is the PHP Composer lock file (parsed into ComposerLock).
	// NOTE(review): this is the only path constant here with a leading slash;
	// confirm callers match it the same way as the slash-less paths above.
	ComposerFile = "/composer.lock"
)
const (
	// V1 and V2 select the compliance-metadata format: V2 returns Tags as
	// map[string]share.TagDetails, V1 returns Tags as []string for backward
	// compatibility (see GetComplianceMeta).
	V1 = "v1"
	V2 = "v2"
)
const (
	// DpkgStatus is the dpkg package database, relative to the image root
	// (no leading slash, like the other entries of OSPkgFiles).
	DpkgStatus = "var/lib/dpkg/status"
	// DpkgStatusDir holds one status file per package instead of a single
	// database; distroless images ship this layout.
	DpkgStatusDir = "var/lib/dpkg/status.d/" // used by distroless images

)

Variables

// OSPkgFiles is the set of image-relative paths that identify the OS
// distribution and its package database: the dpkg and apk databases
// (apkPackages is unexported), the distribution release files, the apt
// sources list, and every path in RPMPkgFiles.
var OSPkgFiles utils.Set = utils.NewSet(

	DpkgStatus,
	DpkgStatusDir,
	apkPackages,
	"etc/lsb-release",
	"etc/os-release",
	"usr/lib/os-release",
	"etc/centos-release",
	"etc/redhat-release",
	"etc/system-release",
	"etc/fedora-release",
	"etc/apt/sources.list",
).Union(RPMPkgFiles)
// RPMPkgFiles lists the RPM database locations, covering the Packages,
// Packages.db and rpmdb.sqlite layouts under both var/lib/rpm and
// usr/lib/sysimage/rpm. It is folded into OSPkgFiles.
var RPMPkgFiles utils.Set = utils.NewSet(
	"var/lib/rpm/Packages",
	"usr/lib/sysimage/rpm/Packages",
	"var/lib/rpm/Packages.db",
	"usr/lib/sysimage/rpm/Packages.db",
	"var/lib/rpm/rpmdb.sqlite",
	"usr/lib/sysimage/rpm/rpmdb.sqlite",
)
var (

	// ReadPrimeConfig indicates whether the controller pod has already read
	// the prime config (see LoadConfig).
	ReadPrimeConfig bool
)

Functions

func CountVulTrait

func CountVulTrait(traits []*VulTrait) (int, int, int)

func DeepCopyRESTBenchCheck

func DeepCopyRESTBenchCheck(orig api.RESTBenchCheck) api.RESTBenchCheck

func DownloadFromUrl

func DownloadFromUrl(url, fileName string) error

--

func FillVul

func FillVul(vul *share.ScanVulnerability)

This is used when a gRPC structure is returned.

func FillVulTraits

func FillVulTraits(cvedb CVEDBType, baseOS string, vts []*VulTrait, showTag string, includeFiltered bool) []*api.RESTVulnerability

func GatherVulTrait

func GatherVulTrait(traits []*VulTrait) ([]string, []string, []string, []string, []FixedVulInfo, []FixedVulInfo)

func GetAwsFuncPackages

func GetAwsFuncPackages(fileName string) ([]*share.ScanAppPackage, error)

func GetCISFolder

func GetCISFolder(platform, flavor, cloudPlatform string)

func GetCVERecord

func GetCVERecord(name, dbKey, baseOS string) *api.RESTVulnerability

func GetComplianceFilterMap

func GetComplianceFilterMap() map[string]int

func GetComplianceMeta

func GetComplianceMeta(version string) ([]api.RESTBenchMeta, map[string]api.RESTBenchMeta)

Version V2 returns the Tags as map[string]share.TagDetails; version V1 returns the Tags as []string for backward compatibility.

func GetCosignSignatureTagFromDigest

func GetCosignSignatureTagFromDigest(digest string) string

GetCosignSignatureTagFromDigest takes an image digest and returns the default tag used by Cosign to store signature data for the given digest.

Example conversion

Given Image Digest: sha256:5e9473a466b637e566f32ede17c23d8b2fd7e575765a9ebd5169b9dbc8bb5d16

Resulting Signature Tag: sha256-5e9473a466b637e566f32ede17c23d8b2fd7e575765a9ebd5169b9dbc8bb5d16.sig

func GetDpkgStatus

func GetDpkgStatus(fullpath, kernel string) ([]byte, error)

func GetImageBenchMeta

func GetImageBenchMeta() ([]api.RESTBenchMeta, map[string]api.RESTBenchMeta)

Image benchmarks only return v1.

func GetK8sCISMeta

func GetK8sCISMeta(remediationFolder string, cis_bench_items map[string]api.RESTBenchCheck)

func GetRpmPackages

func GetRpmPackages(fullpath, kernel string) ([]byte, error)

func GetScannerDB

func GetScannerDB() *share.CLUSScannerDB

func GetSecretBenchMessage

func GetSecretBenchMessage(stype, loc, evidence string) string

func GetSetIDBenchMessage

func GetSetIDBenchMessage(stype, loc, evidence string) string

func ImageBench2REST

func ImageBench2REST(cmds []string, secrets []*share.ScanSecretLog, setids []*share.ScanSetIdPermLog, complianceProfileFilter map[string][]string) []*api.RESTBenchItem

func InitComplianceMeta

func InitComplianceMeta(platform, flavor, cloudPlatform string)

func InitImageBenchMeta

func InitImageBenchMeta() ([]api.RESTBenchMeta, map[string]api.RESTBenchMeta)

func IsAppsPkgFile

func IsAppsPkgFile(filename, fullpath string) bool

func IsJava

func IsJava(filename string) bool

func IsRlangPackage

func IsRlangPackage(filename string) bool

func LoadConfig

func LoadConfig(primeConfig string, params *UpdateConfigParams, updateCompliance bool) bool

func NormalizeImageCmd

func NormalizeImageCmd(cmd string) string

func ParseImageCmds

func ParseImageCmds(cmds []string) (bool, bool, bool)

func ParseImageName

func ParseImageName(image string) (string, string, string, error)

This is not a strict parse: if the input is malformed, the image simply cannot be retrieved.

func ParseRegistryURI

func ParseRegistryURI(ur string) (string, error)

func Perf_getRandomCVEs

func Perf_getRandomCVEs(count int) []string

Used for load simulation.

func PrepareBackup

func PrepareBackup()

func PrepareBenchMeta

func PrepareBenchMeta(items map[string]api.RESTBenchCheck, metaMap map[string]api.RESTBenchMeta)

func ScanErrorToStr

func ScanErrorToStr(e share.ScanErrorCode) string

func ScanModule2REST

func ScanModule2REST(m *share.ScanModule) *api.RESTScanModule

func ScanRepoResult2REST

func ScanRepoResult2REST(result *share.ScanResult, tagMap map[string][]string) *api.RESTScanRepoReport

func ScanSecrets2REST

func ScanSecrets2REST(s *share.ScanSecretLog) *api.RESTScanSecret

func ScanSetIdPerm2REST

func ScanSetIdPerm2REST(p *share.ScanSetIdPermLog) *api.RESTScanSetIdPerm

func ScanVul2REST

func ScanVul2REST(cvedb CVEDBType, baseOS string, vul *share.ScanVulnerability) *api.RESTVulnerability

These functions can be used in both the controller and the scanner.

func SetScannerDB

func SetScannerDB(newDB *share.CLUSScannerDB)

func UnquoteChar

func UnquoteChar(s string, quote byte) (value rune, multibyte bool, tail string, err error)

func UpdateComplianceConfigs

func UpdateComplianceConfigs()

Types

type AppPackage

// AppPackage is one application-level (non-OS) package found by a scan,
// as produced by ScanApps.DerivePkg and ScanUtil.GetAppPackages.
type AppPackage struct {
	AppName    string `json:"app_name"`    // application or ecosystem the package belongs to
	ModuleName string `json:"module_name"` // package (module) name
	Version    string `json:"version"`     // version string as found in the package metadata
	FileName   string `json:"file_name"`   // file the package was read from
}

type BuildInfo

// BuildInfo represents the build information read from a Go binary.
type BuildInfo struct {
	// GoVersion is the version of the Go toolchain that built the binary
	// (for example, "go1.19.2").
	GoVersion string

	// Path is the package path of the main package for the binary
	// (for example, "golang.org/x/tools/cmd/stringer").
	Path string

	// Main describes the module that contains the main package for the binary.
	Main Module

	// Deps describes all the dependency modules, both direct and indirect,
	// that contributed packages to the build of this binary.
	Deps []*Module

	// Settings describes the build settings used to build the binary.
	Settings []BuildSetting
}

BuildInfo represents the build information read from a Go binary.

func (*BuildInfo) String

func (bi *BuildInfo) String() string

type BuildSetting

// A BuildSetting is a key-value pair describing one setting that influenced
// a build, such as -buildmode, CGO_ENABLED, GOOS/GOARCH or the vcs.* facts.
type BuildSetting struct {
	// Key and Value describe the build setting.
	// Key must not contain an equals sign, space, tab, or newline.
	// Value must not contain newlines ('\n').
	Key, Value string
}

A BuildSetting is a key-value pair describing one setting that influenced a build.

Defined keys include:

  • -buildmode: the buildmode flag used (typically "exe")
  • -compiler: the compiler toolchain flag used (typically "gc")
  • CGO_ENABLED: the effective CGO_ENABLED environment variable
  • CGO_CFLAGS: the effective CGO_CFLAGS environment variable
  • CGO_CPPFLAGS: the effective CGO_CPPFLAGS environment variable
  • CGO_CXXFLAGS: the effective CGO_CXXFLAGS environment variable
  • CGO_LDFLAGS: the effective CGO_LDFLAGS environment variable
  • GOARCH: the architecture target
  • GOAMD64/GOARM64/GO386/etc: the architecture feature level for GOARCH
  • GOOS: the operating system target
  • vcs: the version control system for the source tree where the build ran
  • vcs.revision: the revision identifier for the current commit or checkout
  • vcs.time: the modification time associated with vcs.revision, in RFC3339 format
  • vcs.modified: true or false indicating whether the source tree had local modifications

type CISBenchmarkConfig

// CISBenchmarkConfig is the YAML root of a CIS benchmark definition: a list
// of check groups (see Group and CISCheck).
type CISBenchmarkConfig struct {
	Groups []Group `yaml:"groups"`
}

type CISCheck

// CISCheck is a single CIS benchmark check as loaded from YAML. Tags is the
// only optional field (omitempty); PrimeCISBenchmarkConfig presumably supplies
// tags per check ID through CISCheckWithTags — confirm in LoadConfig.
type CISCheck struct {
	ID          string                      `yaml:"id"`
	Description string                      `yaml:"description"`
	Type        string                      `yaml:"type"`
	Category    string                      `yaml:"category"`
	Scored      bool                        `yaml:"scored"`
	Profile     string                      `yaml:"profile"`
	Automated   bool                        `yaml:"automated"`
	Tags        map[string]share.TagDetails `yaml:"tags,omitempty"`
	Remediation string                      `yaml:"remediation"`
}

type CISCheckWithTags

// CISCheckWithTags pairs a check ID with its tags; it is the entry type of
// PrimeCISBenchmarkConfig and carries the same yaml keys as CISCheck.
type CISCheckWithTags struct {
	ID   string                      `yaml:"id"`
	Tags map[string]share.TagDetails `yaml:"tags,omitempty"`
}

type CVEDBType

// CVEDBType is the in-memory CVE database: vulnerability records keyed by
// name (the key passed to GetCVERecord — confirm whether it is the CVE name
// or dbKey). ScanVul2REST and FillVulTraits look records up in it.
type CVEDBType map[string]*share.ScanVulnerability

type CacheRecord

// CacheRecord describes one cached layer: its ID, size in bytes, reference
// count and the time it was last referenced.
type CacheRecord struct {
	Layer   string    `json:"layerID,omitempty"`
	Size    uint64    `json:"size,omitempty"`
	RefCnt  uint32    `json:"ref_cnt,omitempty"`
	RefLast time.Time `json:"ref_last,omitempty"`
}

type CacherData

// CacherData is the serialized state of the layer cache: its records plus
// hit/miss counters. CurRecordSize deliberately lacks omitempty, so a zero
// size is still written out.
type CacherData struct {
	CacheRecords  []CacheRecord `json:"cache_records,omitempty"`
	MissCnt       uint64        `json:"cache_misses,omitempty"`
	HitCnt        uint64        `json:"cache_hits,omitempty"`
	CurRecordSize uint64        `json:"current_record_size"`
}

type ComposerLock

// ComposerLock mirrors the parts of a PHP composer.lock (ComposerFile) that
// the scanner reads: the regular and the dev package lists.
type ComposerLock struct {
	Packages    []ComposerPackage `json:"packages"`
	DevPackages []ComposerPackage `json:"packages-dev"`
}

type ComposerPackage

// ComposerPackage is one entry of a composer.lock package list.
type ComposerPackage struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

type Config

// Config holds the settings applied by Option functions (see WithVersion).
type Config struct {
	Version string
}

type FixedVulInfo

// FixedVulInfo is returned by GatherVulTrait for fixed vulnerabilities.
// PubTS appears to be a publication timestamp (same int64 form as
// VulTrait.GetPubTS) — confirm the unit against the caller.
type FixedVulInfo struct {
	PubTS int64
}

type Group

// Group is one YAML group of CIS checks inside CISBenchmarkConfig.
type Group struct {
	CISChecks []CISCheck `yaml:"checks"`
}

type ImageInfo

// ImageInfo is the metadata RegClient.GetImageInfo returns for one image:
// its layers and identifiers, run-time facts, repo tags, the manifest bytes
// as fetched and the Cosign signature state.
type ImageInfo struct {
	Layers           []string
	ID               string
	Digest           string
	Author           string
	Signed           bool // NOTE(review): presumably set when a signature was found — confirm
	RunAsRoot        bool // NOTE(review): presumably derived from the image config's user — confirm
	Created          time.Time
	Envs             []string
	Cmds             []string
	Labels           map[string]string
	Sizes            map[string]int64
	RepoTags         []string
	IsSignatureImage bool   // whether this image is itself a signature artifact (see GetCosignSignatureTagFromDigest)
	RawManifest      []byte // manifest bytes as fetched; NOTE(review): Digest should be checked against these bytes, not the registry header alone — confirm
	SignatureDigest  string
}

type Module

// A Module describes a single module included in a build.
type Module struct {
	Path    string  // module path
	Version string  // module version
	Sum     string  // checksum
	Replace *Module // replaced by this module
}

A Module describes a single module included in a build.

type Option

// Option mutates a Config; WithVersion is the option defined here.
type Option func(*Config)

func WithVersion

func WithVersion(version string) Option

type PrimeCISBenchmarkConfig

// PrimeCISBenchmarkConfig is the YAML root of the prime config (presumably
// what LoadConfig parses primeConfig into): a `checks` list that carries only
// an ID and tags per check, unlike the full CISCheck in CISBenchmarkConfig.
type PrimeCISBenchmarkConfig struct {
	CISChecksWithTags []CISCheckWithTags `yaml:"checks"`
}

type RPMPackage

// RPMPackage is an RPM database entry with abbreviated JSON keys:
// n=name, e=epoch, v=version, r=release.
type RPMPackage struct {
	Name    string `json:"n"`
	Epoch   int    `json:"e"`
	Version string `json:"v"`
	Release string `json:"r"`
}

type RegClient

// RegClient wraps a registry.Registry client. Construct it with NewRegClient,
// which adds an Authorization header when a token is given.
type RegClient struct {
	*registry.Registry
}

func NewRegClient

func NewRegClient(url, token, username, password, proxy string, trace httptrace.HTTPTrace) *RegClient

If a token is given, an Authorization header carrying the token is added.

func (*RegClient) Alive

func (rc *RegClient) Alive() (uint, error)

func (*RegClient) GetImageInfo

func (rc *RegClient) GetImageInfo(ctx context.Context, name, tag string, manifestReqType registry.ManifestRequestType) (*ImageInfo, share.ScanErrorCode)

type ScanApps

// ScanApps accumulates application packages: NewScanApps selects the v1/v2
// format, ExtractAppPkg feeds it files, DerivePkg parses file contents and
// Data returns the collected packages keyed by string (key meaning not
// visible here — confirm).
type ScanApps struct {
	// contains filtered or unexported fields
}

func NewScanApps

func NewScanApps(v2 bool) *ScanApps

func (*ScanApps) Data

func (s *ScanApps) Data() map[string][]AppPackage

func (*ScanApps) DerivePkg

func (s *ScanApps) DerivePkg(data map[string][]byte) []AppPackage

func (*ScanApps) ExtractAppPkg

func (s *ScanApps) ExtractAppPkg(filename, fullpath string)

type ScanUtil

// ScanUtil discovers packages either under a filesystem path
// (GetAppPackages) or for a process identified by pid (GetRunningPackages).
// Construct it with NewScanUtil from a system.SystemTools.
type ScanUtil struct {
	// contains filtered or unexported fields
}

func NewScanUtil

func NewScanUtil(sys *system.SystemTools) *ScanUtil

Scanning normally doesn't require the container runtime socket, except for local image scans.

func (*ScanUtil) GetAppPackages

func (s *ScanUtil) GetAppPackages(path string) ([]AppPackage, []byte, share.ScanErrorCode)

func (*ScanUtil) GetRunningPackages

func (s *ScanUtil) GetRunningPackages(id string, objType share.ScanObjectType, pid int, kernel string, pidHost bool) ([]byte, share.ScanErrorCode)

type UpdateConfigParams

// UpdateConfigParams bundles the V1 and V2 compliance metadata that
// LoadConfig presumably fills in. Metas and MetasV2 are pointers to slices
// so the callee can replace the caller's slice — NOTE(review): returning the
// slices would be the more idiomatic shape.
type UpdateConfigParams struct {
	Metas     *[]api.RESTBenchMeta
	MetaMap   map[string]api.RESTBenchMeta
	MetasV2   *[]api.RESTBenchMeta
	MetaMapV2 map[string]api.RESTBenchMeta
	FilterMap map[string]int
}

type VPFInterface

// VPFInterface is a vulnerability profile filter, built from an
// api.RESTVulnerabilityProfile by MakeVulnerabilityProfileFilter.
type VPFInterface interface {
	// GetUpdatedTime reports the filter's update time (presumably of the
	// underlying profile — confirm).
	GetUpdatedTime() time.Time

	// FilterVulREST filters REST-form vulnerabilities for the given ID/name
	// scopes and tag selector.
	FilterVulREST(vuls []*api.RESTVulnerability, idns []api.RESTIDName, showTag string) []*api.RESTVulnerability
	// FilterVulTraits returns a set for the given traits — NOTE(review):
	// whether it holds the kept or the filtered-out entries is not visible here.
	FilterVulTraits(traits []*VulTrait, idns []api.RESTIDName) utils.Set
	// FilterVuls filters gRPC-form vulnerabilities (share.ScanVulnerability).
	FilterVuls(vuls []*share.ScanVulnerability, idns []api.RESTIDName) []*share.ScanVulnerability
	// contains filtered or unexported methods
}

func MakeVulnerabilityProfileFilter

func MakeVulnerabilityProfileFilter(vf *api.RESTVulnerabilityProfile) VPFInterface

type VulTrait

// VulTrait holds the attributes of a vulnerability that can differ between
// workloads; everything else comes from the CVE database. Built by
// ExtractVulnerability and read through GetPubTS and IsFiltered.
type VulTrait struct {
	Name string
	// contains filtered or unexported fields
}

These are the attributes of a vulnerability that can differ between workloads; other information can be obtained from the CVE database.

func ExtractVulnerability

func ExtractVulnerability(vuls []*share.ScanVulnerability) []*VulTrait

func (VulTrait) GetPubTS

func (v VulTrait) GetPubTS() int64

func (VulTrait) IsFiltered

func (v VulTrait) IsFiltered() bool
