Commit 3139487e authored by Jean-Paul Calderone's avatar Jean-Paul Calderone

nope - that's ultimate only

parent 7a7a39d0
......@@ -12,10 +12,7 @@ vulnerability-scan:
stage: "test"
script:
- "ci-tools/vulnerability-scan security-report.json"
- "ci-tools/vulnix-to-clair <security-report.json >clair-security-report.json"
artifacts:
reports:
container_scanning: "clair-security-report.json"
paths:
- "security-report.json"
expose_as: "security report"
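Review bot: With the `reports: container_scanning:` entry gone, the only place findings now surface is the `security-report.json` artifact, and the `artifacts:` block carries no `when:`, so if `ci-tools/vulnerability-scan` ever exits non-zero on findings the report is dropped together with the failed job (GitLab uploads artifacts only on success by default). Add `when: always` directly under `artifacts:` so the report is retained whether the scan passes or fails. Whether the scan script fails the job on findings is not visible in this hunk; if it does not, nothing blocks a merge on a vulnerable image any more, which deserves a comment on the job such as `# Report-only: the container_scanning MR widget is Ultimate-only; findings are in the artifact`. The `vulnerability-scan:` job definition starts above the hunk.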
#!/usr/bin/env python3
# Input is like:
# [
# {
# "name": "avahi-0.7",
# "pname": "avahi",
# "version": "0.7",
# "derivation": "/nix/store/p06dfxm12cbnzp4v0s28s97qwyirkqcy-avahi-0.7.drv",
# "affected_by": [
# "CVE-2021-26720"
# ],
# "whitelisted": [],
# "cvssv3_basescore": {
# "CVE-2021-26720": 7.8
# }
# },
# ]
#
# Output is like:
#
# {
# "image": "image",
# "vulnerabilities": [
# {
# "featurename": "apt",
# "featureversion": "1.4.8",
# "vulnerability": "CVE-2019-3462",
# "namespace": "debian:9",
# "description": "TEST",
# "link": "https://security-tracker.debian.org/tracker/CVE-2019-3462",
# "severity": "Critical",
# "fixedby": "1.4.9"
# },
# {
# "featurename": "libxslt",
# "featureversion": "1.1.29-2.1",
# "vulnerability": "CVE-2017-16997",
# "namespace": "debian:9",
# "description": "TEST",
# "link": "https://security-tracker.debian.org/tracker/CVE-2017-16997",
# "severity": "Critical",
# "fixedby": "2.24-11+deb9u4"
# }
# ]
# }
from json import load, dump
from sys import stdin, stdout
def main():
report = load(stdin)
dump(clair_format(report), stdout)
def clair_format(vulnerabilities):
return {
"image": "<none>",
"vulnerabilities": list(
clair_vulnerability(vulnix_vulnerability, affected_by)
for vulnix_vulnerability
in vulnerabilities
for affected_by
in vulnix_vulnerability["affected_by"]
),
}
def clair_vulnerability(vulnix_vuln, affected_by):
basescore = vulnix_vuln["cvssv3_basescore"][affected_by]
adjusted = int(round(basescore))
return {
"featurename": vulnix_vuln["pname"],
"featureversion": vulnix_vuln["version"],
"vulnerability": affected_by,
"namespace": vulnix_vuln["derivation"],
"description": "",
"link": "https://nvd.nist.gov/vuln/detail/{}".format(affected_by),
"severity": SEVERITIES[adjusted],
"fixedby": "",
}
# Approximations only
SEVERITIES = [
"Low",
"Low",
"Low",
"Low",
"Medium",
"Medium",
"High",
"High",
"High",
"Critical",
"Critical"
]
if __name__ == '__main__':
main()