From b13569b07a3ffb4f8a43cca19a85040830715ca3 Mon Sep 17 00:00:00 2001 From: Bitnami Bot Date: Fri, 23 Feb 2024 15:58:34 +0100 Subject: [PATCH] [bitnami/kubescape] Release 3.0.3-debian-12-r4 (#63355) Signed-off-by: Bitnami Containers --- bitnami/kubescape/3/debian-12/Dockerfile | 4 +- .../opt/bitnami/scripts/libkubescape.sh | 185 +++++++++++++----- 2 files changed, 141 insertions(+), 48 deletions(-) diff --git a/bitnami/kubescape/3/debian-12/Dockerfile b/bitnami/kubescape/3/debian-12/Dockerfile index 779807749163..ff07d1e5363d 100644 --- a/bitnami/kubescape/3/debian-12/Dockerfile +++ b/bitnami/kubescape/3/debian-12/Dockerfile @@ -7,10 +7,10 @@ ARG TARGETARCH LABEL com.vmware.cp.artifact.flavor="sha256:c50c90cfd9d12b445b011e6ad529f1ad3daea45c26d20b00732fae3cd71f6a83" \ org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \ - org.opencontainers.image.created="2024-02-21T12:13:05Z" \ + org.opencontainers.image.created="2024-02-23T14:32:42Z" \ org.opencontainers.image.description="Application packaged by VMware, Inc" \ org.opencontainers.image.licenses="Apache-2.0" \ - org.opencontainers.image.ref.name="3.0.3-debian-12-r3" \ + org.opencontainers.image.ref.name="3.0.3-debian-12-r4" \ org.opencontainers.image.title="kubescape" \ org.opencontainers.image.vendor="VMware, Inc." \ org.opencontainers.image.version="3.0.3" diff --git a/bitnami/kubescape/3/debian-12/rootfs/opt/bitnami/scripts/libkubescape.sh b/bitnami/kubescape/3/debian-12/rootfs/opt/bitnami/scripts/libkubescape.sh index a5f99ac4c490..9d672b92a516 100644 --- a/bitnami/kubescape/3/debian-12/rootfs/opt/bitnami/scripts/libkubescape.sh +++ b/bitnami/kubescape/3/debian-12/rootfs/opt/bitnami/scripts/libkubescape.sh 
@@ -16,34 +16,133 @@ # Load Kubescape environment variables . /opt/bitnami/scripts/kubescape-env.sh -kubescape_oss_assessment() { - local project="${2:?missing project argument}" +######################## +# Prints the usage instructions for the oss_assessment custom action +# Arguments: +# None +# Returns: +# None +######################### +kubescape_oss_assessment_usage() { + echo """ +Usage: + docker run --rm -it bitnami/kubescape: oss-assessment scan [project] [flags] + +Examples: + + Scan command is for scanning an existing cluster or kubernetes manifest files based on pre-defined frameworks + + # Scan git repository + docker run --rm -it bitnami/kubescape oss-assessment + + # Scan remote Kubernetes cluster. + docker run --rm -it -v /path/to/.kubeconfig:/.kubeconfig bitnami/kubescape oss-assessment --kubeconfig /.kubeconfig + + # Scan and save the results into a file + docker run --rm -it -v /path/to/output:/output bitnami/kubescape oss-assessment --output /output/report.json + + # Disable kubescape logs + docker run --rm -it bitnami/kubescape oss-assessment 'repository_url' --log-level error + + # Enable debug logs + docker run --rm -it -e BITNAMI_DEBUG=true bitnami/kubescape oss-assessment 'repository_url' --log-level error + + # Disable all logs and export result using docker output + docker run --rm -it bitnami/kubescape oss-assessment 'repository_url' --silent > report.json + + # NOTE: When using volumes, permission changes may be required because of the container running as user 1001 + +Flags: + --kubeconfig string Paths to a kubeconfig. Required to scan Kubernetes cluster. + -h, --help Print help for oss-assessment action + -o, --output string Output file. Print output to file and not stdout + -l, --log-level string Log level for the kubescape scan and kubescape scan image commands. + -r, --retries Number of retries for each 'kubescape scan image' command. + -s, --silent Do not display any logs in stdout, only the resulting report. 
+ + # NOTE: Additionally, other 'kubescape scan' flags can be added, run 'kubescape scan -h' for additional information. + """ +} + +######################## +# Runs a kubescape scan and enriches it with Vulnerabilities information for images available in Tanzu Application Catalog +# Arguments: +# - project_url (optional) +# - Supported kubescape flags +# Returns: +# None +######################### +kubescape_oss_assessment() { + + local cmd="kubescape" + local scan_args=("scan" "--format=json") + local scan_image_args=("scan" "image" "--format=json") + local silent="false" + local output="" + local retries="3" + + # Handle input + while [[ $# -gt 0 ]]; do + key="$1" + case $key in + oss-assessment) + shift + ;; + -h|--help) + kubescape_oss_assessment_usage + exit 0 + ;; + -o|--output) + output="$2" + shift 2 + ;; + -s|--silent) + silent="true" + shift + ;; + -r|--retries) + retries="$2" + shift 2 + ;; + *) + scan_args+=("$1") + shift + ;; + esac + done + + # Check that Tanzu Application Catalog file exists if [[ -f "${TANZU_APPLICATION_CATALOG_FILE}" ]]; then TAC_PRODUCTS=$(jq -r '.[].product.key' "$TANZU_APPLICATION_CATALOG_FILE") else error "The Bitnami Catalog JSON file is missing: ${TANZU_APPLICATION_CATALOG_FILE}" fi - # By default, all logging outputs are omitted so the command only prints the command result. 
- # TODO: Add options -o/--output and -l/--logger, so users can either configure a output file and/or custom log level - - debug "Running kubescape scan" # Run Kubescape scan for the provided project and add custom field 'security' - KUBESCAPE_OUTPUT="$(kubescape scan "$project" --format=json 2> /dev/null | jq '.security = []')" - - debug "Searching images available in Tanzu Application Catalog" + info "Running command '${cmd} ${scan_args[*]}'" + if is_boolean_yes "$silent"; then + KUBESCAPE_OUTPUT="$(${cmd} "${scan_args[@]}" 2> /dev/null | jq '.security = []' || true)" + else + KUBESCAPE_OUTPUT="$(${cmd} "${scan_args[@]}" | jq '.security = []' || true)" + fi + if [[ -n "$KUBESCAPE_OUTPUT" ]]; then + ! is_boolean_yes "$silent" && debug "Result:\n$KUBESCAPE_OUTPUT" + else + error "Failed to execute command 'kubescape scan'." + exit 1 + fi + # Search for images available in Tanzu Application Catalog + ! is_boolean_yes "$silent" && info "Searching images available in Tanzu Application Catalog" local -a matching_images readarray -t project_images < <(echo "$KUBESCAPE_OUTPUT" | jq -r '.resources[]?.object?.spec?.template?.spec?.containers[]?.image') for image in "${project_images[@]}"; do - debug "Found image: $image" - # Search for applications available in the Tanzu Application Catalog + ! is_boolean_yes "$silent" && info "Found image: $image" for tac_image in $TAC_PRODUCTS; do - # If application is available in TAC, run vulnerability scan for the image and append its result to the Kubescape output if [[ $image =~ $tac_image ]]; then - debug "Found Tanzu Application Catalog image matching! Adding image '${image}' to the scanning list" + ! is_boolean_yes "$silent" && info "Found Tanzu Application Catalog image matching! Adding image '${image}' to the scanning list" matching_images+=("$image") break fi 
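Review bot: The `-o|--output` and `-r|--retries` arms read `$2` and `shift 2` without checking that a value was supplied, so a trailing `-o` either aborts on the failed shift or, if errexit is not in effect, leaves `$1` in place and the `while [[ $# -gt 0 ]]` loop never terminates; `retries` is also never validated as a number even though it is later expanded inside a `for (( … ))` arithmetic header, where a non-numeric value is evaluated as an expression rather than rejected. I would guard both arms, e.g. `-r|--retries) [[ "${2:-}" =~ ^[0-9]+$ ]] || { error "--retries needs a positive integer"; exit 1; }; retries="$2"; shift 2 ;;` and `-o|--output) [[ -n "${2:-}" ]] || { error "--output needs a path"; exit 1; }; output="$2"; shift 2 ;;`. Separately, the usage text documents `-l, --log-level` as applying to both the scan and the scan image commands, but no case arm handles it: it falls into `*)` and is appended only to `scan_args`, while `scan_image_args` is never extended, so either wire it into both arrays or correct the help text. The `info "Running command '${cmd} ${scan_args[*]}'"` line before the scan is also the only log call in this hunk not guarded by `! is_boolean_yes "$silent"`, which contradicts the `--silent` description. The `kubescape_oss_assessment` function continues past the end of this hunk.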
@@ -52,45 +151,39 @@ kubescape_oss_assessment() { # Filter out duplicated images read -r -a unique_matching_images <<< "$(echo "${matching_images[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' ')" + ! is_boolean_yes "$silent" && info "Scanning images ${unique_matching_images[*]}" + images_scanned=0 - # For each image available in TAC, add a vulnerability report to the original project scan + # For each image available in Tanzu Application Catalog, add a vulnerability report to the original project scan for image in "${unique_matching_images[@]}"; do - local registry - local tag - local repository - local skip="no" - - debug "Running 'kubescape scan image ${image}'" - - registry="$(echo "$image" | grep '/' | cut -d/ -f1 | grep '\.' || true)" - tag="$(echo "$image" | grep ':' | cut -d: -f2 || echo "latest")" - repository="$(echo "$image" | cut -d: -f1 | sed "s|^$registry/||")" - - # Skip images that require authentication - if [[ -n "$registry" ]]; then - # Skip older quay.io images - # Ref. https://github.com/kubescape/kubescape/issues/1605 - if [[ "$registry" == "quay.io" ]]; then - # Older images can be detected by the presence of 'signatures' key in the manifest - if [[ "$(curl -sL "https://${registry}/v2/${repository}/manifests/${tag}" | jq '.signatures')" != "null" ]]; then - debug "Skipping image '${image}'. Reason: Old quai.io image. Ref: https://github.com/kubescape/kubescape/issues/1605" - skip="yes" - fi + ! is_boolean_yes "$silent" && info "Running command '${cmd} ${scan_image_args[*]} ${image}'" + KUBESCAPE_IMAGE_OUTPUT="" + for ((i = 1; i <= retries; i += 1)); do + KUBESCAPE_IMAGE_OUTPUT="$(${cmd} "${scan_image_args[@]}" "${image}" 2> /dev/null || echo '')" + if [[ -n "$KUBESCAPE_IMAGE_OUTPUT" ]]; then + debug "Result: $KUBESCAPE_IMAGE_OUTPUT" + break + else + ! is_boolean_yes "$silent" && warn "Image scan failed. Retrying... 
${i}/${retries}" fi + done - # Skip if registry requires authentication - HTTP_CODE="$(curl -sL -o /dev/null --write-out "%{http_code}" "https://${registry}")" - if [[ ${HTTP_CODE} -lt 200 || ${HTTP_CODE} -gt 299 ]]; then - debug "Skipping image '${image}'. Reason: Failed to connect to 'https://${registry}' (code ${HTTP_CODE})" - skip="yes" - fi - fi - if ! is_boolean_yes "$skip"; then - KUBESCAPE_IMAGE_VULNS="$(kubescape scan image "$image" --format=json --logger error | jq --arg image "$image" '{imageID: $image, vulnerabilities: [.matches[].vulnerability | {id, severity}]}')" + if [[ -n "$KUBESCAPE_IMAGE_OUTPUT" ]]; then + KUBESCAPE_IMAGE_VULNS="$(jq --arg image "$image" '{imageID: $image, vulnerabilities: [.matches[].vulnerability | {id, severity}]}' <(echo "$KUBESCAPE_IMAGE_OUTPUT"))" KUBESCAPE_OUTPUT="$(jq '.security += [input]' <(echo "$KUBESCAPE_OUTPUT") <(echo "$KUBESCAPE_IMAGE_VULNS"))" + info "Image successfully scanned." + images_scanned="$((images_scanned + 1))" + else + warn "Failed to scan image '${image}' after several attempts." fi done - debug "OSS Assessment report successfully generated" - echo "$KUBESCAPE_OUTPUT" + info "Report contains ${images_scanned}/${#unique_matching_images[@]} images available in Tanzu Application Catalog" + + ! is_boolean_yes "$silent" && info "OSS Assessment report successfully generated" + if [[ -n "$output" ]]; then + echo "$KUBESCAPE_OUTPUT" > "$output" + else + echo "$KUBESCAPE_OUTPUT" + fi }
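Review bot: The retry loop treats any non-empty stdout from `kubescape scan image` as success and unconditionally discards stderr (`2> /dev/null || echo ''`), so when an image cannot be pulled (registry authentication, or the older quay.io manifests the removed code special-cased) the user only sees `Image scan failed. Retrying...` with no cause, and all attempts are spent on deterministic failures. Mirror the `kubescape scan` call in the previous hunk and drop stderr only under `--silent`. More importantly, if the output is not the expected JSON, the `jq` that builds `KUBESCAPE_IMAGE_VULNS` produces nothing, and the unchecked `jq '.security += [input]'` merge then fails on the empty second input and assigns an empty string to `KUBESCAPE_OUTPUT`, so the whole report (and every later image) is lost while `OSS Assessment report successfully generated` is still printed; guard the extraction with `if ! KUBESCAPE_IMAGE_VULNS="$(jq --arg image "$image" '{imageID: $image, vulnerabilities: [.matches[].vulnerability | {id, severity}]}' <<< "$KUBESCAPE_IMAGE_OUTPUT")"; then warn "Unexpected output for image '${image}', skipping."; continue; fi`. `images_scanned` and `KUBESCAPE_IMAGE_OUTPUT` are also assigned without `local`, leaking into the caller's scope. The enclosing `kubescape_oss_assessment` function starts in the previous hunk.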