From a8ea4196bd44c23714c80b2b8aab6ba455b44301 Mon Sep 17 00:00:00 2001
From: Drew Viles <drew@hudson-viles.uk>
Date: Fri, 13 Sep 2024 12:53:07 +0100
Subject: [PATCH] adding metadata prefix option to signing

---
 pkg/providers/scanner/openstack.go      | 9 +++++++--
 pkg/providers/scanner/openstack_test.go | 6 +++++-
 pkg/provisoner/openstack.go             | 6 ++++--
 pkg/util/flags/scan.go                  | 2 ++
 4 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/pkg/providers/scanner/openstack.go b/pkg/providers/scanner/openstack.go
index b8d3ce8..ba2c44c 100644
--- a/pkg/providers/scanner/openstack.go
+++ b/pkg/providers/scanner/openstack.go
@@ -15,6 +15,7 @@ import (
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/layer3/floatingips"
 	"log"
 	"os"
+	"strings"
 	"time"
 )
 
@@ -131,8 +132,12 @@ func (s *OpenStackScannerClient) CheckResults() error {
 }
 
 // TagImage Tags the image with the passed or failed property.
-func (s *OpenStackScannerClient) TagImage() error {
-	err := s.imageClient.TagImage(s.Img.Properties, s.Img.ID, s.MetaTag, "security_scan")
+func (s *OpenStackScannerClient) TagImage(metadataPrefix string) error {
+	tag := "security_scan"
+	if metadataPrefix != "" {
+		tag = strings.Join([]string{metadataPrefix, tag}, ":")
+	}
+	err := s.imageClient.TagImage(s.Img.Properties, s.Img.ID, s.MetaTag, tag)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/providers/scanner/openstack_test.go b/pkg/providers/scanner/openstack_test.go
index 1852257..774ab01 100644
--- a/pkg/providers/scanner/openstack_test.go
+++ b/pkg/providers/scanner/openstack_test.go
@@ -58,7 +58,11 @@ func TestCheckResults(t *testing.T) {
 }
 
 func TestTagImage(t *testing.T) {
-
+	//c := mock.MockOpenStackComputeClient{}
+	//i := mock.MockOpenStackImageClient{}
+	//n := mock.MockOpenStackNetworkClient{}
+	//ss3 := mock.MockS3Interface{}
+	//s := NewOpenStackScanner(&c, &i, &n, ss3, trivy.HIGH, &images.Image{})
 }
 
 func TestUploadResultsToS3(t *testing.T) {
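Review bot: The prefix is joined into the image property key with no normalisation, so a configured value such as `foo:` (constructed example) produces `foo::security_scan`, and a value with surrounding whitespace produces a key that no reader will match; consider `tag = strings.TrimSuffix(strings.TrimSpace(metadataPrefix), ":") + ":" + tag` before the call. Because the key is now configuration-dependent, whatever later reads the `security_scan` property to decide whether an image passed its scan must derive the key the same way, otherwise a scanned image would look untagged — that reader is not in this patch, so please confirm. The doc comment above the signature still describes the old contract; suggest `// TagImage stores the scan result in the image's "security_scan" property; when metadataPrefix is non-empty the key becomes "<prefix>:security_scan".` TagImage's body continues past the end of the hunk.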
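Review bot: TestTagImage still has an empty body, so the new prefix handling in TagImage ships with no coverage, and the five commented-out lines are dead code that will silently drift from the mocks' real signatures. Either finish the test — build the scanner from the mocks as the comments sketch, call `s.TagImage("myprefix")` and assert that the image-client mock received the key `myprefix:security_scan` (constructed example) and plain `security_scan` for an empty prefix — or leave the body empty rather than committing commented-out code. The mock types named in the comments are not visible in this patch, so their constructors are assumed from the comments only.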
diff --git a/pkg/provisoner/openstack.go b/pkg/provisoner/openstack.go
index 30dee52..7c567fa 100644
--- a/pkg/provisoner/openstack.go
+++ b/pkg/provisoner/openstack.go
@@ -171,7 +171,9 @@ func (s *OpenStackScanProvisioner) Prepare() error {
 	var err error
 	o := s.Opts
 
-	o.OpenStackFlags.FlavorName = o.FlavorName
+	if o.ScanFlavorName != "" {
+		o.OpenStackFlags.FlavorName = o.ScanFlavorName
+	}
 
 	cloudProvider := ostack.NewCloudsProvider(o.OpenStackFlags.CloudName)
 
@@ -302,7 +304,7 @@ func (s *OpenStackScanProvisioner) scanServer(sc *scanner.OpenStackScannerClient
 
 	// If the image is not set to auto delete, tag the image with the check result.
 	if !o.AutoDeleteImage {
-		err = sc.TagImage()
+		err = sc.TagImage(s.Opts.OpenStackCoreFlags.MetadataPrefix)
 		if err != nil {
 			return err
 		}
diff --git a/pkg/util/flags/scan.go b/pkg/util/flags/scan.go
index a7f2aef..931464e 100644
--- a/pkg/util/flags/scan.go
+++ b/pkg/util/flags/scan.go
@@ -30,6 +30,7 @@ type ScanOptions struct {
 	ScanSingleOptions
 	ScanMultipleOptions
 
+	ScanFlavorName   string
 	AutoDeleteImage  bool
 	SkipCVECheck     bool
 	MaxSeverityScore float64
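Review bot: The unconditional `o.OpenStackFlags.FlavorName = o.FlavorName` is replaced by a guarded override, so when `ScanFlavorName` is empty FlavorName now keeps whatever OpenStackFlags already holds instead of being set from `o.FlavorName`; if those two fields could ever differ, this is a behaviour change that the commit message ("adding metadata prefix option to signing") does not mention. Where `o.FlavorName` resolved from is not visible here, so this may have been a no-op — please confirm. A why-comment would help the next reader, e.g. `// A scan-specific flavor, when configured, overrides the flavor from the OpenStack config.` Prepare's body continues outside the hunk on both sides.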
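Review bot: `sc.TagImage(s.Opts.OpenStackCoreFlags.MetadataPrefix)` reaches through `s.Opts` although the surrounding code reads the same options through `o` on the line above (`!o.AutoDeleteImage`); presumably `o` is the usual `o := s.Opts` alias, in which case `err = sc.TagImage(o.OpenStackCoreFlags.MetadataPrefix)` keeps the two reads consistent. Neither `OpenStackCoreFlags` nor its `MetadataPrefix` field appears in this patch, so their existence on the options type is inferred from this call. scanServer starts and ends outside the hunk.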
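Review bot: `ScanFlavorName` is an exported field added without a doc comment, and its precedence over `OpenStackFlags.FlavorName` (applied in the Prepare hunk of pkg/provisoner/openstack.go) is not obvious from the name; suggest `// ScanFlavorName, when set, overrides OpenStackFlags.FlavorName for the scan server.` The rest of ScanOptions is outside the hunk, so whether its other fields are documented cannot be checked here.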
@@ -66,6 +67,7 @@ func (o *ScanOptions) SetOptionsFromViper() {
 }
 
 func (o *ScanOptions) AddFlags(cmd *cobra.Command) {
+	StringVarWithViper(cmd, &o.ScanFlavorName, viperScanPrefix, "flavor-name", "", "--DEPRECATED-- USE THE CONFIG FILE. The flavor to use for the scan. This overrides the one supplied by the openstack config.")
 	BoolVarWithViper(cmd, &o.AutoDeleteImage, viperScanPrefix, "auto-delete-image", false, "--DEPRECATED-- USE THE CONFIG FILE. If true, the image will be deleted if a vulnerability check does not succeed - recommended when building new images.")
 	BoolVarWithViper(cmd, &o.SkipCVECheck, viperScanPrefix, "skip-cve-check", false, "--DEPRECATED-- USE THE CONFIG FILE. If true, the image will be allowed even if a vulnerability is detected.")
 	Float64VarWithViper(cmd, &o.MaxSeverityScore, viperScanPrefix, "max-severity-score", 7.0, "--DEPRECATED-- USE THE CONFIG FILE. Can be anything from 0.1 to 10.0. Anything equal to or above this value will cause a failure. (Unless skip-cve-check is supplied)")
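Review bot: The new `flavor-name` flag is introduced with a help string that already reads `--DEPRECATED-- USE THE CONFIG FILE`, which tells users not to use an option that did not exist before this commit; either drop the deprecation wording for this flag or, if the intent is config-file only, register no CLI flag and bind the field in `SetOptionsFromViper` alone. The flag key `flavor-name` is bound under `viperScanPrefix`; if the OpenStack flag group also exposes a `flavor-name` key, the two could be confused in the config file — that group is not visible here, please confirm. The body of AddFlags continues past the end of the hunk.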