-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Trivy implementation structure; #136
- Loading branch information
1 parent
c482734
commit c2897fb
Showing
4 changed files
with
109 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| package com.cloudogu.ces.cesbuildlib | ||
|
|
||
| class Trivy implements Serializable { | ||
| def script | ||
| String trivyReportFilename | ||
|
|
||
| Trivy(script, String trivyReportFilename = "${env.WORKSPACE}/.trivy/trivyReport.json") { | ||
| this.script = script | ||
| this.trivyReportFilename = trivyReportFilename | ||
| } | ||
|
|
||
| /** | ||
| * Scans an image for vulnerabilities. | ||
| * Notes: | ||
| * - Use a .trivyignore file for allowed CVEs | ||
| * - This function will generate a JSON formatted report file which can be converted to other formats via saveFormattedTrivyReport() | ||
| * - Evaluate via exit codes: 0 = no vulnerability; 1 = vulnerabilities found; other = function call failed | ||
| * | ||
| * @param imageName The image name; may include version tag | ||
| * @param trivyVersion The version of Trivy used for scanning | ||
| * @param additionalFlags Additional Trivy command flags | ||
| * @param scanLevel The vulnerability level to scan. Can be a member of TrivyScanLevel or a custom String (e.g. 'CRITICAL,LOW') | ||
| * @param strategy The strategy to follow after the scan. Should the build become unstable or failed? Or Should any vulnerability be ignored? (@see TrivyScanStrategy) | ||
| * // TODO: A strategy could be implemented by the user via the exit codes of this function. Should we remove the strategy parameter? | ||
| * @return Returns 0 if the scan was ok (no vulnerability found); returns 1 if any vulnerability was found | ||
| */ | ||
| int scanImage(String imageName, String trivyVersion = "0.57.0", String additionalFlags, String scanLevel = TrivyScanLevel.CRITICAL, String strategy = TrivyScanStrategy.FAIL) { | ||
| // TODO: Run trivy scan inside Docker container, e.g. via Jenkins' Docker.image() function | ||
| // See runTrivyInDocker function: https://github.com/cloudogu/ces-build-lib/blob/c48273409f8f506e31872fe2857650bbfc76a222/vars/findVulnerabilitiesWithTrivy.groovy#L48 | ||
| // TODO: Write result to trivyReportFile in json format (--format json), which can be converted in the saveFormattedTrivyReport function | ||
| // TODO: Include .trivyignore file, if existent. Do not fail if .trivyignore file does not exist. | ||
| } | ||
|
|
||
| /** | ||
| * Save the Trivy scan results as a file with a specific format | ||
| * | ||
| * @param format The format of the output file (@see TrivyScanFormat) | ||
| */ | ||
| void saveFormattedTrivyReport(String format = TrivyScanFormat.HTML) { | ||
| // TODO: DO NOT scan again! Take the trivyReportFile and convert its content | ||
| // See https://aquasecurity.github.io/trivy/v0.52/docs/references/configuration/cli/trivy_convert/ | ||
| } | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| package com.cloudogu.ces.cesbuildlib | ||
|
|
||
| /** | ||
| * Defines the output format for the trivy report. | ||
| */ | ||
| class TrivyScanFormat { | ||
| /** | ||
| * Output as HTML file. | ||
| */ | ||
| static String HTML = "html" | ||
|
|
||
| /** | ||
| * Output as JSON file. | ||
| */ | ||
| static String JSON = "json" | ||
|
|
||
| /** | ||
| * Output as plain text file. | ||
| */ | ||
| static String PLAIN = "plain" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| package com.cloudogu.ces.cesbuildlib | ||
|
|
||
| /** | ||
| * Defines aggregated vulnerability levels | ||
| */ | ||
| class TrivyScanLevel { | ||
| /** | ||
| * Only critical vulnerabilities. | ||
| */ | ||
| static String CRITICAL = "CRITICAL" | ||
|
|
||
| /** | ||
| * High or critical vulnerabilities. | ||
| */ | ||
| static String HIGH = "CRITICAL,HIGH" | ||
|
|
||
| /** | ||
| * Medium or higher vulnerabilities. | ||
| */ | ||
| static String MEDIUM = "CRITICAL,HIGH,MEDIUM" | ||
|
|
||
| /** | ||
| * All vunlerabilities. | ||
| */ | ||
| static String ALL = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| package com.cloudogu.ces.cesbuildlib | ||
|
|
||
| class TrivyScanStrategy { | ||
| /** | ||
| * Strategy: Fail if any vulnerability was found. | ||
| */ | ||
| static String FAIL = "fail" | ||
|
|
||
| /** | ||
| * Strategy: Make build unstable if any vulnerability was found. | ||
| */ | ||
| static String UNSTABLE = "unstable" | ||
|
|
||
| /** | ||
| * Strategy: Ignore any found vulnerability. | ||
| */ | ||
| static String IGNORE = "ignore" | ||
| } |