Index ¶
- Constants
- Variables
- func BuildHarborVulnerabilityReport(scanID string, imageRepository string, imageDigest string, ...) (harbor.VulnerabilityReport, error)
- func GenerateScanID(repository string, digest string) (string, error)
- func GetAnchoreVulnReport(scanID string, digest string, clientConfig *client.Config, ...) (anchore.ImageVulnerabilityReport, error)
- func GetEnvBoolean(varName string, defaultValue bool) (bool, error)
- func GetUsernamePassword(authorizationInput string) (string, string, error)
- func InitCaches(configuration CacheConfiguration) error
- func IsImageAnalysed(imageDigest, scanID string, clientConfig *client.Config) (bool, error)
- func NewScannerAdapter(cfg *AdapterConfig) (adapter.ScannerAdapter, error)
- func ScanIDToRegistryDigest(scanID string) (string, string, error)
- func ScanToAnchoreRequest(req harbor.ScanRequest) (*anchore.ImageScanRequest, error)
- func ToHarborDescription(anchoreVuln *anchore.Vulnerability) (string, error)
- func ToHarborScanResult(repo string, srs anchore.ImageVulnerabilityReport, ...) (harbor.VulnerabilityReport, error)
- type AdapterConfig
- type CacheConfiguration
- type ConcurrentCache
- type HarborScannerAdapter
- func (s *HarborScannerAdapter) EnsureRegistryCredentials(registryURL string, repository string, username string, password string) error
- func (s *HarborScannerAdapter) GetHarborVulnerabilityReport(scanID string, includeDescriptions bool) (*harbor.VulnerabilityReport, error)
- func (s *HarborScannerAdapter) GetMetadata() (harbor.ScannerAdapterMetadata, error)
- func (s *HarborScannerAdapter) GetRawVulnerabilityReport(scanID string) (harbor.RawReport, error)
- func (s *HarborScannerAdapter) Scan(req harbor.ScanRequest) (harbor.ScanResponse, error)
- type ImageState
- type LockingTTLCache
- type MemoryResultStore
- func (m *MemoryResultStore) GetResult(scanID string) (VulnerabilityResult, bool)
- func (m *MemoryResultStore) HasResult(scanID string) bool
- func (m *MemoryResultStore) PopResult(scanID string) (VulnerabilityResult, bool)
- func (m *MemoryResultStore) RequestAnalysisStatus(scanID string, buildFn func() (bool, error)) VulnerabilityResult
- func (m *MemoryResultStore) RequestCreateScan(scanID string, buildFn func() (bool, error)) VulnerabilityResult
- func (m *MemoryResultStore) RequestRawResult(scanID string, buildFn func() (*anchore.ImageVulnerabilityReport, error)) VulnerabilityResult
- func (m *MemoryResultStore) RequestResult(scanID string, buildFn func() (*harbor.VulnerabilityReport, error)) VulnerabilityResult
- func (m *MemoryResultStore) SafeUpdateResult(scanID string, result VulnerabilityResult)
- func (m *MemoryResultStore) Start()
- type ResultStore
- type TimestampedEntry
- type VulnerabilityResult
Constants ¶
const (
	// DescriptionFormatString is presumably the template ToHarborDescription
	// fills in; the 172-byte literal is elided in this rendering.
	DescriptionFormatString = "" /* 172-byte string literal not displayed */
	// DigestRegex matches image digests of the form "sha256:<64 characters>".
	// NOTE(review): the pattern is anchored only at the start (no trailing `$`),
	// so longer inputs still match, and the character class admits any ASCII
	// letter rather than only lowercase hex [0-9a-f]. Confirm that no caller
	// relies on it for strict digest validation.
	DigestRegex = "^sha256:[a-zA-Z0-9]{64}"
)
// Environment variable names and default values consumed when the service
// configuration is loaded (see GetConfig and AdapterConfig).
const (
	DefaultTimeoutSeconds = 60 // presumably the Anchore client timeout default, in seconds — confirm in GetConfig
	DefaultListenAddr     = ":8080"
	DefaultLogLevel       = log.InfoLevel

	// Adapter (listener, auth, TLS) settings.
	ListenAddrEnvVar                = "SCANNER_ADAPTER_LISTEN_ADDR"
	LogLevelEnvVar                  = "SCANNER_ADAPTER_LOG_LEVEL"
	LogFormatEnvVar                 = "SCANNER_ADAPTER_LOG_FORMAT"
	APIKeyEnvVar                    = "SCANNER_ADAPTER_APIKEY" // bearer token callers must present; secret material
	FullVulnDescriptionsEnvVar      = "SCANNER_ADAPTER_FULL_VULN_DESCRIPTIONS"
	TLSKeyEnvVar                    = "SCANNER_ADAPTER_TLS_KEY_FILE"
	TLSCertEnvVar                   = "SCANNER_ADAPTER_TLS_CERT_FILE"
	FilterVendorIgnoredVulns        = "SCANNER_ADAPTER_FILTER_VENDOR_IGNORED" // an env var name, despite lacking the EnvVar suffix
	TLSVerifyEnvVarName             = "SCANNER_ADAPTER_TLS_VERIFY"
	RegistryValidateCredsEnvVarName = "SCANNER_ADAPTER_REGISTRY_VALIDATE_CREDS"
	RegistryTLSVerifyEnvVarName     = "SCANNER_ADAPTER_REGISTRY_TLS_VERIFY"

	// Anchore client settings.
	EndpointEnvVarName = "ANCHORE_ENDPOINT"
	UsernameEnvVarName = "ANCHORE_USERNAME"
	PasswordEnvVarName = "ANCHORE_PASSWORD" // secret material
	AuthConfigFile     = "ANCHORE_AUTHFILE_PATH"
	TimeoutEnvVarName  = "ANCHORE_CLIENT_TIMEOUT_SECONDS"

	// Vulnerability description cache (see DescriptionCache).
	DescriptionCacheEnabledEnvVarName = "SCANNER_ADAPTER_DESCRIPTION_CACHE_ENABLED"
	DescriptionCacheItemCount         = "SCANNER_ADAPTER_DESCRIPTION_CACHE_COUNT" // env var name, not a count
	DescriptionCacheTTL               = "SCANNER_ADAPTER_DESCRIPTION_CACHE_TTL"   // env var name, not a duration
	DefaultDescriptionCacheEnabled    = true
	DefaultDescriptionCacheTTL        = 60 * 60 * 24 // presumably seconds (one day) — confirm against CacheConfiguration
	DefaultDescriptionCacheItemCount  = 10000

	// Vulnerability report cache (see ReportCache).
	ReportCacheEnabledEnvVarName = "SCANNER_ADAPTER_REPORT_CACHE_ENABLED"
	ReportCacheItemCount         = "SCANNER_ADAPTER_REPORT_CACHE_COUNT" // env var name, not a count
	ReportCacheTTL               = "SCANNER_ADAPTER_REPORT_CACHE_TTL"   // env var name, not a duration
	DefaultReportCacheEnabled    = true
	DefaultReportCacheTTL        = 180 // presumably seconds — confirm against CacheConfiguration
	DefaultReportCacheItemCount  = 100

	// Vulnerability DB update-timestamp cache (see UpdateTimestampCache).
	DBUpdateCacheEnabledEnvVarName = "SCANNER_ADAPTER_DB_UPDATE_CACHE_ENABLED"
	DBUpdateCacheTTL               = "SCANNER_ADAPTER_DB_UPDATE_CACHE_TTL" // env var name, not a duration
	DefaultDBUpdateCacheEnabled    = true
	DefaultDBUpdateCacheTTL        = 60 // presumably seconds — confirm against CacheConfiguration

	// Registry credential handling; see AdapterConfig.UseAnchoreConfiguredCreds.
	UseAnchoreConfigCredsEnvVarName = "SCANNER_ADAPTER_IGNORE_HARBOR_CREDS"
	UseAnchoreConfigCredsDefault    = false
)
Variables ¶
// DefaultCacheConfig is a CacheConfiguration populated from the Default* cache
// constants in this package.
var DefaultCacheConfig = CacheConfiguration{
	VulnDescriptionCacheEnabled:  DefaultDescriptionCacheEnabled,
	VulnDescriptionCacheMaxCount: DefaultDescriptionCacheItemCount,
	VulnDescriptionCacheTTL:      DefaultDescriptionCacheTTL,
	DBUpdateCacheEnabled:         DefaultDBUpdateCacheEnabled,
	DBUpdatedCacheTTL:            DefaultDBUpdateCacheTTL, // note the field is spelled "Updated" while the constant is "Update"
	VulnReportCacheEnabled:       DefaultReportCacheEnabled,
	VulnReportCacheMaxCount:      DefaultReportCacheItemCount,
	VulnReportCacheTTL:           DefaultReportCacheTTL,
}
DefaultCacheConfig is initialized to the default cache settings.
Functions ¶
func BuildHarborVulnerabilityReport ¶ added in v1.1.0
func BuildHarborVulnerabilityReport( scanID string, imageRepository string, imageDigest string, includeDescriptions bool, clientConfig *client.Config, filterVendorIgnoredVulns bool, ) (harbor.VulnerabilityReport, error)
BuildHarborVulnerabilityReport constructs the Harbor-formatted vulnerability report from an analyzed image in Anchore.
func GenerateScanID ¶ added in v1.2.0
GenerateScanID creates a scan ID from the input image properties.
func GetAnchoreVulnReport ¶ added in v1.1.0
func GetEnvBoolean ¶
GetEnvBoolean is a simple environment-variable handler that ensures consistent behavior for boolean values.
func GetUsernamePassword ¶
GetUsernamePassword returns the username and password from an authorization header input value (Harbor sends a single value). The expected authorization value is of the format "Basic b64(username:password)".
func InitCaches ¶
func InitCaches(configuration CacheConfiguration) error
func IsImageAnalysed ¶ added in v1.2.0
func NewScannerAdapter ¶
func NewScannerAdapter(cfg *AdapterConfig) (adapter.ScannerAdapter, error)
NewScannerAdapter constructs new HarborScannerAdapter with the given Config.
func ScanIDToRegistryDigest ¶ added in v1.2.0
ScanIDToRegistryDigest is the inverse of GenerateScanID: it gets the image components from the input ID.
func ScanToAnchoreRequest ¶
func ScanToAnchoreRequest(req harbor.ScanRequest) (*anchore.ImageScanRequest, error)
func ToHarborDescription ¶
func ToHarborDescription(anchoreVuln *anchore.Vulnerability) (string, error)
ToHarborDescription converts the Anchore Vulnerability record to a Harbor description string.
func ToHarborScanResult ¶ added in v1.1.0
func ToHarborScanResult( repo string, srs anchore.ImageVulnerabilityReport, vulnDescriptions map[string]string, ) (harbor.VulnerabilityReport, error)
Types ¶
type AdapterConfig ¶
// AdapterConfig holds the runtime settings of the scanner adapter. GetConfig
// populates it from environment variables (see the *EnvVar constants).
type AdapterConfig struct {
	ListenAddr string    // Address to listen on, e.g ":8080" or "127.0.0.1:80"
	APIKey     string    // Key for auth, used as a Bearer token (secret material)
	LogFormat  string    // Log output format; accepted values are not shown here — confirm in GetConfig
	LogLevel   log.Level // Minimum log level; DefaultLogLevel when unset
	// If true, the scanner adapter will query anchore to get vuln descriptions,
	// else will use cvss string and defer to the link url
	FullVulnerabilityDescriptions bool
	TLSKeyFile               string // Path to key file
	TLSCertFile              string // Path to cert file
	FilterVendorIgnoredVulns bool   // Passed through to BuildHarborVulnerabilityReport; presumably drops vendor-ignored vulns — confirm there
	TLSVerify                bool   // Enable TLS verification on api calls to the adapter
	RegistryTLSVerify        bool   // Enable TLS verification on Anchore's calls to the registry on the data path
	RegistryValidateCreds    bool   // Validate registry credentials when adding them to Anchore via the Anchore API
	AnchoreClientConfig      client.Config      // Credentials and client configuration
	CacheConfig              CacheConfiguration // Cache settings; see DefaultCacheConfig
	// If true, the adapter will ignore the dynamic credentials that are provided
	// by harbor for each scan and will instead expect that the admin has
	// configured Anchore with credentials out-of-band. Default is False.
	UseAnchoreConfiguredCreds bool
}
func GetConfig ¶
func GetConfig() (AdapterConfig, error)
GetConfig loads the service configuration from environment variables, since there are no secrets here. If the listen address is not set, the default :8080 is used.
type CacheConfiguration ¶
type ConcurrentCache ¶
type HarborScannerAdapter ¶
// HarborScannerAdapter implements the Harbor scanner adapter interface
// (adapter.ScannerAdapter) on top of Anchore; NewScannerAdapter constructs it.
type HarborScannerAdapter struct {
	Configuration *AdapterConfig // Service configuration; held by pointer, so it is shared rather than copied
}
func (*HarborScannerAdapter) EnsureRegistryCredentials ¶
func (s *HarborScannerAdapter) EnsureRegistryCredentials( registryURL string, repository string, username string, password string, ) error
EnsureRegistryCredentials adds credentials to Anchore for authorizing the image fetch.
func (*HarborScannerAdapter) GetHarborVulnerabilityReport ¶
func (s *HarborScannerAdapter) GetHarborVulnerabilityReport( scanID string, includeDescriptions bool, ) (*harbor.VulnerabilityReport, error)
GetHarborVulnerabilityReport returns a vulnerability report in Harbor format if one is available for the requested scan ID. If it is not ready yet, an empty result is returned.
func (*HarborScannerAdapter) GetMetadata ¶
func (s *HarborScannerAdapter) GetMetadata() (harbor.ScannerAdapterMetadata, error)
func (*HarborScannerAdapter) GetRawVulnerabilityReport ¶
func (s *HarborScannerAdapter) GetRawVulnerabilityReport(scanID string) (harbor.RawReport, error)
GetRawVulnerabilityReport gets an adapter-native (Anchore) formatted vulnerability report for the requested scan ID.
func (*HarborScannerAdapter) Scan ¶
func (s *HarborScannerAdapter) Scan(req harbor.ScanRequest) (harbor.ScanResponse, error)
type ImageState ¶ added in v1.1.0
// ImageState is the analysis state of an image in Anchore, as returned by
// GetImageState.
type ImageState int64

// ImageState values. NotFound is the zero value, so an uninitialized
// ImageState reads as "not found".
const (
	NotFound       ImageState = 0
	AnalysisFailed ImageState = 1
	Analyzing      ImageState = 2
	Analyzed       ImageState = 3
)
func GetImageState ¶ added in v1.1.0
func GetImageState(imageDigest string, clientConfig *client.Config) (ImageState, error)
type LockingTTLCache ¶
// LockingTTLCache is a mutex-guarded LRU cache whose values carry a TTL.
// Because Lock is a sync.Mutex, values of this type must not be copied; use it
// through a pointer (Add and Get have pointer receivers). DescriptionCache,
// ReportCache and UpdateTimestampCache are the package-level instances.
type LockingTTLCache struct {
	Cache   *lru.Cache    // The data store, stores TimestampedEntry values
	Lock    sync.Mutex    // Lock for concurrency
	TTL     time.Duration // TTL for values
	Enabled bool          // If true, use the cache, else always bypass
}
var DescriptionCache *LockingTTLCache
DescriptionCache caches vulnerability description text, since those must be retrieved from the Anchore APIs separately. This can be removed if/when the Anchore API vulnerability response includes descriptions directly.
var ReportCache *LockingTTLCache
ReportCache caches the vulnerability response from the Anchore API.
var UpdateTimestampCache *LockingTTLCache
UpdateTimestampCache stores vulnerability DB update timestamps to minimize the calls needed to get the DB timestamp, since it isn't part of the vulnerability response.
func (*LockingTTLCache) Add ¶
func (c *LockingTTLCache) Add(key string, obj interface{})
Add caches a vuln report under the given key.
func (*LockingTTLCache) Get ¶
func (c *LockingTTLCache) Get(key string) (interface{}, bool)
type MemoryResultStore ¶ added in v1.1.0
// MemoryResultStore is an in-memory ResultStore that keeps results in a map
// keyed by scan ID. NOTE(review): Results is exported, so code that reads or
// writes it directly bypasses whatever synchronization the unexported fields
// presumably provide (SafeUpdateResult suggests a lock) — prefer the Request*,
// GetResult, PopResult and SafeUpdateResult methods.
type MemoryResultStore struct {
	Results map[string]VulnerabilityResult
	// contains filtered or unexported fields
}
func (*MemoryResultStore) GetResult ¶ added in v1.2.0
func (m *MemoryResultStore) GetResult(scanID string) (VulnerabilityResult, bool)
func (*MemoryResultStore) HasResult ¶ added in v1.1.0
func (m *MemoryResultStore) HasResult(scanID string) bool
func (*MemoryResultStore) PopResult ¶ added in v1.1.0
func (m *MemoryResultStore) PopResult(scanID string) (VulnerabilityResult, bool)
func (*MemoryResultStore) RequestAnalysisStatus ¶ added in v1.2.0
func (m *MemoryResultStore) RequestAnalysisStatus( scanID string, buildFn func() (bool, error), ) VulnerabilityResult
func (*MemoryResultStore) RequestCreateScan ¶ added in v1.2.0
func (m *MemoryResultStore) RequestCreateScan( scanID string, buildFn func() (bool, error), ) VulnerabilityResult
func (*MemoryResultStore) RequestRawResult ¶ added in v1.2.0
func (m *MemoryResultStore) RequestRawResult( scanID string, buildFn func() (*anchore.ImageVulnerabilityReport, error), ) VulnerabilityResult
func (*MemoryResultStore) RequestResult ¶ added in v1.1.0
func (m *MemoryResultStore) RequestResult( scanID string, buildFn func() (*harbor.VulnerabilityReport, error), ) VulnerabilityResult
func (*MemoryResultStore) SafeUpdateResult ¶ added in v1.2.0
func (m *MemoryResultStore) SafeUpdateResult(scanID string, result VulnerabilityResult)
func (*MemoryResultStore) Start ¶ added in v1.1.0
func (m *MemoryResultStore) Start()
type ResultStore ¶ added in v1.1.0
// ResultStore tracks a VulnerabilityResult per scan ID through the scan
// lifecycle (create scan, wait for analysis, build report). NewResultStore
// returns an implementation; MemoryResultStore is the one documented here.
type ResultStore interface {
	// HasResult checks if a result is available.
	HasResult(
		scanID string,
	) bool
	// RequestCreateScan requests a result to be created and adds the image for
	// analysis.
	RequestCreateScan(
		scanID string,
		buildFn func() (bool, error),
	) VulnerabilityResult
	// RequestAnalysisStatus — the original comment is a copy of
	// RequestCreateScan's ("Request a result to be created and add image for
	// analysis"); presumably buildFn reports whether analysis has completed.
	// Confirm against MemoryResultStore.RequestAnalysisStatus.
	RequestAnalysisStatus(
		scanID string,
		buildFn func() (bool, error),
	) VulnerabilityResult
	// RequestResult requests a Harbor-formatted result to be created.
	RequestResult(
		scanID string,
		buildFn func() (*harbor.VulnerabilityReport, error),
	) VulnerabilityResult
	// RequestRawResult requests a raw (Anchore-formatted) result to be created.
	RequestRawResult(
		scanID string,
		buildFn func() (*anchore.ImageVulnerabilityReport, error),
	) VulnerabilityResult
	// SafeUpdateResult updates a result in the store.
	SafeUpdateResult(
		scanID string,
		result VulnerabilityResult,
	)
	// GetResult gets a result if it exists.
	GetResult(
		scanID string,
	) (VulnerabilityResult, bool)
	// PopResult returns a result and true if found, false if not (e.g. like
	// hash map interface).
	PopResult(
		scanID string,
	) (VulnerabilityResult, bool)
}
func NewResultStore ¶ added in v1.1.0
func NewResultStore() ResultStore
type TimestampedEntry ¶
TimestampedEntry is a simple struct that tracks the cache time of the entry as well as the value itself.
type VulnerabilityResult ¶ added in v1.1.0
// VulnerabilityResult is the per-scan record held by a ResultStore: progress
// flags for the scan lifecycle, the Harbor-formatted and raw Anchore reports
// once built, and any error recorded along the way. The flag semantics below
// are inferred from the ResultStore method names — confirm in MemoryResultStore.
type VulnerabilityResult struct {
	ScanID                string
	ScanCreated           bool                              // presumably set once RequestCreateScan succeeds
	AnalysisComplete      bool                              // presumably set once RequestAnalysisStatus reports done
	ReportBuildInProgress bool                              // a report build is underway
	IsComplete            bool                              // final result available
	Result                *harbor.VulnerabilityReport       // Harbor-formatted report (RequestResult)
	RawResult             *anchore.ImageVulnerabilityReport // raw Anchore report (RequestRawResult)
	Error                 error                             // error from a build step, if any
}