Attempt to trick GitLab into parsing and displaying the report

7a7a39d0 · Jean-Paul Calderone · 91a327d7 · 7a7a39d0 · 7a7a39d0
Commit 7a7a39d0 authored 4 years ago by Jean-Paul Calderone
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,11 +12,15 @@ vulnerability-scan:
  stage: "test"
  script:
    - "ci-tools/vulnerability-scan security-report.json"
+    - "ci-tools/vulnix-to-clair <security-report.json >clair-security-report.json"
  artifacts:
+    reports:
+      container_scanning: "clair-security-report.json"
    paths:
      - "security-report.json"
    expose_as: "security report"
 system-tests:
  stage: "test"
  timeout: "3 hours"

--- a/ci-tools/vulnix-to-clair
+++ b/ci-tools/vulnix-to-clair
+#!/usr/bin/env python3
+# Input is like:
+# [
+#  {
+#   "name": "avahi-0.7",
+#   "pname": "avahi",
+#   "version": "0.7",
+#   "derivation": "/nix/store/p06dfxm12cbnzp4v0s28s97qwyirkqcy-avahi-0.7.drv",
+#   "affected_by": [
+#    "CVE-2021-26720"
+#   ],
+#   "whitelisted": [],
+#   "cvssv3_basescore": {
+#    "CVE-2021-26720": 7.8
+#   }
+#  },
+# ]
+#
+# Output is like:
+#
+# {
+#     "image": "image",
+#     "vulnerabilities": [
+#         {
+#             "featurename": "apt",
+#             "featureversion": "1.4.8",
+#             "vulnerability": "CVE-2019-3462",
+#             "namespace": "debian:9",
+#             "description": "TEST",
+#             "link": "https://security-tracker.debian.org/tracker/CVE-2019-3462",
+#             "severity": "Critical",
+#             "fixedby": "1.4.9"
+#         },
+#         {
+#             "featurename": "libxslt",
+#             "featureversion": "1.1.29-2.1",
+#             "vulnerability": "CVE-2017-16997",
+#             "namespace": "debian:9",
+#             "description": "TEST",
+#             "link": "https://security-tracker.debian.org/tracker/CVE-2017-16997",
+#             "severity": "Critical",
+#             "fixedby": "2.24-11+deb9u4"
+#         }
+#     ]
+# }
+from json import load, dump
+from sys import stdin, stdout
+def main():
+    report = load(stdin)
+    dump(clair_format(report), stdout)
+def clair_format(vulnerabilities):
+    return {
+        "image": "<none>",
+        "vulnerabilities": list(
+            clair_vulnerability(vulnix_vulnerability, affected_by)
+            for vulnix_vulnerability
+            in vulnerabilities
+            for affected_by
+            in vulnix_vulnerability["affected_by"]
+        ),
+    }
+def clair_vulnerability(vulnix_vuln, affected_by):
+    basescore = vulnix_vuln["cvssv3_basescore"][affected_by]
+    adjusted = int(round(basescore))
+    return {
+        "featurename": vulnix_vuln["pname"],
+        "featureversion": vulnix_vuln["version"],
+        "vulnerability": affected_by,
+        "namespace": vulnix_vuln["derivation"],
+        "description": "",
+        "link": "https://nvd.nist.gov/vuln/detail/{}".format(affected_by),
+        "severity": SEVERITIES[adjusted],
+        "fixedby": "",
+    }
+# Approximations only
+SEVERITIES = [
+    "Low",
+    "Low",
+    "Low",
+    "Low",
+    "Medium",
+    "Medium",
+    "High",
+    "High",
+    "High",
+    "Critical",
+    "Critical"
+]
+if __name__ == '__main__':
+    main()