All images other than V2 docker plugin added to scan process

rajch · Mar 7, 2024 · a752f65 · a752f65
1 parent e500408
commit a752f65
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 49 deletions.
diff --git a/reweave/scans/report.md b/reweave/scans/report.md
@@ -1,9 +1,9 @@
 # Vulnerability Report
 
 ```
-Report date: 2024-03-03
+Report date: 2024-03-07
 Unique vulnerability count: 14
-Images version: 2.8.2
+Images version: 2.8.3-beta1
 ```
 
 ## Scanner Details
@@ -23,7 +23,7 @@ Supported DB Schema: 5
 
 ## Vulnerabilities
 
-weave-kube: (14) 
+### weave-kube: (14) 
 
 ```
 NAME           INSTALLED   FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
@@ -43,7 +43,7 @@ ssl_client     1.36.1-r15            apk   CVE-2023-42364  Medium
 ssl_client     1.36.1-r15            apk   CVE-2023-42363  Medium
 ```
 
-weave-npc: (12)
+### weave-npc: (12) 
 
 ```
 NAME           INSTALLED   FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
@@ -60,3 +60,70 @@ ssl_client     1.36.1-r15            apk   CVE-2023-42365  Medium
 ssl_client     1.36.1-r15            apk   CVE-2023-42364  Medium    
 ssl_client     1.36.1-r15            apk   CVE-2023-42363  Medium
 ```
+
+### weave: (14) 
+
+```
+NAME           INSTALLED   FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
+busybox        1.36.1-r15            apk   CVE-2023-42366  Medium    
+busybox        1.36.1-r15            apk   CVE-2023-42365  Medium    
+busybox        1.36.1-r15            apk   CVE-2023-42364  Medium    
+busybox        1.36.1-r15            apk   CVE-2023-42363  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42366  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42365  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42364  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42363  Medium    
+curl           8.5.0-r0              apk   CVE-2024-0853   Medium    
+libuv          1.47.0-r0             apk   CVE-2024-24806  High      
+ssl_client     1.36.1-r15            apk   CVE-2023-42366  Medium    
+ssl_client     1.36.1-r15            apk   CVE-2023-42365  Medium    
+ssl_client     1.36.1-r15            apk   CVE-2023-42364  Medium    
+ssl_client     1.36.1-r15            apk   CVE-2023-42363  Medium
+```
+
+### weaveexec: (14) 
+
+```
+NAME           INSTALLED   FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
+busybox        1.36.1-r15            apk   CVE-2023-42366  Medium    
+busybox        1.36.1-r15            apk   CVE-2023-42365  Medium    
+busybox        1.36.1-r15            apk   CVE-2023-42364  Medium    
+busybox        1.36.1-r15            apk   CVE-2023-42363  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42366  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42365  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42364  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42363  Medium    
+curl           8.5.0-r0              apk   CVE-2024-0853   Medium    
+libuv          1.47.0-r0             apk   CVE-2024-24806  High      
+ssl_client     1.36.1-r15            apk   CVE-2023-42366  Medium    
+ssl_client     1.36.1-r15            apk   CVE-2023-42365  Medium    
+ssl_client     1.36.1-r15            apk   CVE-2023-42364  Medium    
+ssl_client     1.36.1-r15            apk   CVE-2023-42363  Medium
+```
+
+### weavedb: (0) 
+
+```
+No vulnerabilities found
+```
+
+### network-tester: (14) 
+
+```
+NAME           INSTALLED   FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
+busybox        1.36.1-r15            apk   CVE-2023-42366  Medium    
+busybox        1.36.1-r15            apk   CVE-2023-42365  Medium    
+busybox        1.36.1-r15            apk   CVE-2023-42364  Medium    
+busybox        1.36.1-r15            apk   CVE-2023-42363  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42366  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42365  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42364  Medium    
+busybox-binsh  1.36.1-r15            apk   CVE-2023-42363  Medium    
+curl           8.5.0-r0              apk   CVE-2024-0853   Medium    
+libuv          1.47.0-r0             apk   CVE-2024-24806  High      
+ssl_client     1.36.1-r15            apk   CVE-2023-42366  Medium    
+ssl_client     1.36.1-r15            apk   CVE-2023-42365  Medium    
+ssl_client     1.36.1-r15            apk   CVE-2023-42364  Medium    
+ssl_client     1.36.1-r15            apk   CVE-2023-42363  Medium
+```
+
diff --git a/reweave/scans/weave-kube-list-vulns.txt b/reweave/scans/weave-kube-list-vulns.txt
diff --git a/reweave/scans/weave-npc-list-vulns.txt b/reweave/scans/weave-npc-list-vulns.txt
diff --git a/reweave/tools/scan-images.sh b/reweave/tools/scan-images.sh
@@ -5,6 +5,7 @@ set -e
 # required.
 : "${IMAGE_VERSION:=}"
 : "${REGISTRY_USER:=}"
+: "${IMAGE_LIST:=weave-kube weave-npc weave weaveexec weavedb network-tester}"
 
 if [ -z "${IMAGE_VERSION}" ] || [ -z "${REGISTRY_USER}" ] ; then
     >&2 echo "Please provide valid values for IMAGE_VERSION and REGISTRY_USER." 
@@ -13,11 +14,6 @@ fi
 
 echo "Scanning images and collecting data..."
 
-# Currently, we are interested only in the weave-kube and weave-npc
-# images. 
-WEAVE_KUBE_IMAGE="${REGISTRY_USER}/weave-kube:${IMAGE_VERSION}"
-WEAVE_NPC_IMAGE="${REGISTRY_USER}/weave-npc:${IMAGE_VERSION}"
-
 # Get directory of script file
 a="/$0"; a="${a%/*}"; a="${a:-.}"; a="${a##/}/"; BINDIR=$(cd "$a"; pwd)
 
@@ -26,16 +22,20 @@ SCANDIR="${BINDIR}/../scans"
 mkdir -p "${SCANDIR}"
 
 # Scan images
-grype "${WEAVE_KUBE_IMAGE}" --add-cpes-if-none >"${SCANDIR}/weave-kube-list-vulns.txt"
-grype "${WEAVE_NPC_IMAGE}" --add-cpes-if-none >"${SCANDIR}/weave-npc-list-vulns.txt"
+for im in ${IMAGE_LIST};do
+    grype "${REGISTRY_USER}/${im}:${IMAGE_VERSION}" --add-cpes-if-none >"${SCANDIR}/${im}-list-vulns.txt"
+done
 
-UNIQUECOUNT=$(tail -n +2 -q "${SCANDIR}/weave-npc-list-vulns.txt" "${SCANDIR}/weave-kube-list-vulns.txt" | sort -u | wc -l)
+#UNIQUECOUNT=$(tail -n +2 -q "${SCANDIR}/weave-npc-list-vulns.txt" "${SCANDIR}/weave-kube-list-vulns.txt" | sort -u | wc -l)
+UNIQUECOUNT=$(tail -n +2 -q "${SCANDIR}"/*-list-vulns.txt  | sort -u | wc -l)
 BADGECOLOR="blue"
 
 if [ "$UNIQUECOUNT" -gt "0" ]; then
     BADGECOLOR="orange"
 fi
 
+echo "Generating report..."
+
 # Produce report
 printf "# Vulnerability Report\n\n" >  "${SCANDIR}/report.md"
 {
@@ -48,17 +48,23 @@ printf "# Vulnerability Report\n\n" >  "${SCANDIR}/report.md"
     printf "\`\`\`\n"
     grype version
     printf "\`\`\`\n"
-    printf "\n## Vulnerabilities\n\nweave-kube: (%s) \n\n" "$(tail +2 "${SCANDIR}/weave-kube-list-vulns.txt" | wc -l)"
-    printf "\`\`\`\n"
-    cat "${SCANDIR}/weave-kube-list-vulns.txt"
-    printf "\`\`\`\n"
-    printf "\nweave-npc: (%s)\n\n" "$(tail +2 "${SCANDIR}/weave-npc-list-vulns.txt" | wc -l)"
-    printf "\`\`\`\n"
-    cat "${SCANDIR}/weave-npc-list-vulns.txt"
-    printf "\`\`\`\n"
+    printf "\n## Vulnerabilities\n\n"
+    for im in ${IMAGE_LIST};do
+        printf "### ${im}: (%s) \n\n" "$(tail +2 "${SCANDIR}/${im}-list-vulns.txt" | wc -l)"
+        printf "\`\`\`\n"
+        cat "${SCANDIR}/${im}-list-vulns.txt"
+        printf "\`\`\`\n\n"
+    done
+
 } >> "${SCANDIR}/report.md"
 
+rm -f "${SCANDIR}"/*-list-vulns.txt
+
+echo "Generating badge..."
+
 # Produce Vulnerability Count badge json for README
 cat <<EOBADGE > "${SCANDIR}/badge.json"
 {"schemaVersion": 1, "label": "Vulnerabilty count", "message": "${UNIQUECOUNT}", "color": "${BADGECOLOR}"}
-EOBADGE
+EOBADGE
+
+echo "Done."