#!/bin/bash
# Base URL of the Red Hat Security Data (Hydra) API.
HYDRA_API="https://access.redhat.com/hydra/rest/securitydata"
# Base URL of the Red Hat container catalog repository API.
CATALOG_API="https://catalog.redhat.com/api/containers/v1/repositories/registry/registry.access.redhat.com/repository"
# Absolute directory that holds this script (dirname of the sourced file, resolved via pwd).
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
# Cache directory for fetched catalog pages; reused across runs to cut runtimes.
METADATA_DIR="${SCRIPT_DIR}/metadata"
# Number of catalog entries requested per API page.
PAGE_SIZE=500
# Exported so that functions run via "export -f" in subshells still see them.
export HYDRA_API CATALOG_API SCRIPT_DIR METADATA_DIR PAGE_SIZE
# NOTE: the metadata directory is NOT created here (the mkdir below is
# commented out); whoever sources this file must make sure it exists.
#mkdir "${METADATA_DIR}" || true
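#######################################
# Map an advisory identifier to a CVE identifier.
# Arguments:
#   $1 - a CVE id (returned unchanged) or an RHSA id (looked up on the
#        Red Hat errata site)
# Outputs:
#   the CVE id; "multiple" when the first matching line of the advisory
#   page lists more than one CVE; an empty string when the lookup fails
# Returns:
#   0 always (a failed lookup is signalled by empty output)
#######################################
function rhsa_to_cve() {
  local cve="${1}"
  # Only advisory ids need a lookup; anything else is passed through as-is.
  if [[ "${1}" =~ "RHSA" ]]; then
    # -f makes curl emit nothing on an HTTP error instead of an error page
    # whose text might itself contain unrelated CVE ids.
    cve=$(curl -sf "https://access.redhat.com/errata/${1}" \
      | grep -E -o -m 1 'CVE-[0-9][0-9][0-9][0-9]-[0-9]+')
    # grep -m 1 stops at the first matching line, but -o prints every match
    # on that line, one per line. Detect "more than one" by looking for a
    # newline instead of by string length: a 7-digit CVE id
    # (CVE-YYYY-NNNNNNN, 16 chars) would otherwise be misreported as "multiple".
    if [[ "${cve}" == *$'\n'* ]]; then
      cve="multiple"
    fi
  fi
  printf '%s\n' "${cve}"
}
export -f rhsa_to_cve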
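#######################################
# Download every catalog page for an image's repository and cache them.
# Globals:
#   CATALOG_API, PAGE_SIZE, METADATA_DIR (read)
# Arguments:
#   $1 - image reference with a digest, e.g. registry/namespace/name@sha256:...
#        (the registry part, everything before the first "/", is ignored)
# Outputs:
#   writes "${METADATA_DIR}/<namespace>_<name>_images.json" holding the
#   pretty-printed pages as a stream of JSON objects, one per page;
#   diagnostics go to stderr
# Returns:
#   0 on success, 1 on a malformed reference or a failed download
#######################################
function get_image_history() {
  local my_image_name="${1}"
  if [[ ! "${my_image_name}" =~ "@" ]]; then
    # Diagnostics go to stderr so callers capturing stdout never see them.
    printf '%s\n' "Image does not appear to contain digest" >&2
    return 1
  fi
  # Strip the digest, then the registry (everything up to the first "/").
  local repo_path="${my_image_name%%@*}"
  if [[ "${repo_path}" != */* ]]; then
    printf '%s\n' "Image does not appear to contain a registry and repository path" >&2
    return 1
  fi
  local my_image_repo="${repo_path#*/}"
  # Cache file name: slashes in the repository path become underscores.
  local my_image_metadata_file="${METADATA_DIR}/${my_image_repo//\//_}_images.json"
  # Each page lands in its own file inside a private temp directory, so the
  # merge glob cannot pick up unrelated files sharing a mktemp prefix.
  local my_tmp_dir
  my_tmp_dir=$(mktemp -d) || return 1
  local base_url="${CATALOG_API}/${my_image_repo}/images?page_size=${PAGE_SIZE}"
  # Pull the first page; -f turns an HTTP error into a non-zero exit instead
  # of an error body that jq would then try to parse.
  if ! curl -sf "${base_url}&page=0" > "${my_tmp_dir}/page_00000.json"; then
    printf '%s\n' "Failed to fetch catalog page 0 for ${my_image_repo}" >&2
    rm -rf -- "${my_tmp_dir}"
    return 1
  fi
  # Determine the total number of entries across all pages.
  local size
  size=$(jq -c -r '.total' "${my_tmp_dir}/page_00000.json")
  if [[ ! "${size}" =~ ^[0-9]+$ ]]; then
    printf '%s\n' "Unexpected .total value '${size}' for ${my_image_repo}" >&2
    rm -rf -- "${my_tmp_dir}"
    return 1
  fi
  # Remaining pages = ceil((size - PAGE_SIZE) / PAGE_SIZE); none when the
  # first page already holds everything.
  local remaining_pages=0
  if (( size > PAGE_SIZE )); then
    remaining_pages=$(( (size - PAGE_SIZE + PAGE_SIZE - 1) / PAGE_SIZE ))
  fi
  local i page_file
  for (( i = 1; i <= remaining_pages; i++ )); do
    # Zero-padded names keep the merge glob in page order (page_00010 sorts
    # after page_00002).
    printf -v page_file '%s/page_%05d.json' "${my_tmp_dir}" "${i}"
    if ! curl -sf "${base_url}&page=${i}" > "${page_file}"; then
      printf '%s\n' "Failed to fetch catalog page ${i} for ${my_image_repo}" >&2
      rm -rf -- "${my_tmp_dir}"
      return 1
    fi
  done
  # Concatenate all pages into the cache file as a stream of JSON objects
  # (one per page); consumers iterate ".data[]" over every object.
  mkdir -p -- "${METADATA_DIR}"
  jq '.' "${my_tmp_dir}"/page_*.json > "${my_image_metadata_file}"
  local rc=$?
  rm -rf -- "${my_tmp_dir}"
  return "${rc}"
}
export -f get_image_history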
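#######################################
# Resolve an image digest to the tag name recorded in the catalog.
# Globals:
#   METADATA_DIR (read)
# Arguments:
#   $1 - image reference with a digest, e.g. registry/namespace/name@sha256:...
# Outputs:
#   the tag name(s) of the amd64 catalog entry whose manifest list digest
#   matches, one per line, on stdout; diagnostics on stderr
# Returns:
#   0 on success, 1 on a malformed reference or a failed history download
#######################################
function digest_to_tag() {
  local my_image_name="${1}"
  if [[ ! "${my_image_name}" =~ "@" ]]; then
    # Diagnostics go to stderr so "tag=$(digest_to_tag ...)" never captures
    # the error text as if it were a tag.
    printf '%s\n' "Image does not appear to contain digest" >&2
    return 1
  fi
  # The registry (before the first "/") is dropped; the digest follows the "@".
  local repo_path="${my_image_name%%@*}"
  if [[ "${repo_path}" != */* ]]; then
    printf '%s\n' "Image does not appear to contain a registry and repository path" >&2
    return 1
  fi
  local my_image_repo="${repo_path#*/}"
  local my_image_tag="${my_image_name##*@}"
  # Same cache naming as get_image_history: slashes become underscores.
  local my_image_metadata_file="${METADATA_DIR}/${my_image_repo//\//_}_images.json"
  # Pull all past images if we don't have the cache file already.
  if [[ ! -e "${my_image_metadata_file}" ]]; then
    get_image_history "${my_image_name}" || return 1
  fi
  # The digest is passed with --arg so it is a jq string value and is never
  # spliced into the filter text.
  jq -r -c --arg digest "${my_image_tag}" \
    '.data[] | select((.repositories[0].manifest_list_digest == $digest) and .parsed_data.architecture == "amd64") | .repositories[].tags[0].name' \
    "${my_image_metadata_file}"
}
export -f digest_to_tag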
# Example of how to call the function above
#image_name="registry.redhat.io/openshift-logging/elasticsearch6-rhel8@sha256:fd46c47dca6d84f0fd403e481b28cafd614e2e9ed7c63f3965e66485bb26d20c"
#tag=$(digest_to_tag ${image_name})
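#######################################
# Report whether an advisory is still open in the latest release of an image.
# Globals:
#   METADATA_DIR (read)
# Arguments:
#   $1 - repository path without registry, e.g. namespace/name
#   $2 - advisory id, e.g. RHSA-YYYY:NNNN
# Reads:
#   operator_images/*.txt in the current directory; lines are expected to
#   look like "<image-ref>@<digest>=<...>" and the first line mentioning
#   "<repo>@" is taken as the latest bundle image (TODO confirm the mapping
#   file format against its producer)
# Outputs:
#   a progress line and the verdict on stdout; diagnostics on stderr
# Returns:
#   0 on success, 1 when an argument is missing, no bundle image matches,
#   or the history download fails
#######################################
function process_rhsa() {
  local my_image_repo="${1}"
  local rhsa="${2}"
  # An empty advisory id would match every advisory list, so reject it.
  if [[ -z "${my_image_repo}" || -z "${rhsa}" ]]; then
    printf '%s\n' "process_rhsa: usage: process_rhsa <namespace/name> <RHSA-id>" >&2
    return 1
  fi
  # Same cache location and naming as get_image_history/digest_to_tag; the
  # former hard-coded relative "metadata/" path broke when run from another
  # directory.
  local my_image_metadata_file="${METADATA_DIR}/${my_image_repo//\//_}_images.json"
  # Map the image to its operator bundle entry to find the latest digest.
  # Matching "<repo>@" rather than the bare repo avoids hitting
  # "namespace/name-other@..." lines; -h keeps file names out of the match.
  local latest_image
  latest_image=$(grep -h -F -- "${my_image_repo}@" operator_images/*.txt 2>/dev/null | head -n 1 | awk -F'=' '{print $1}')
  if [[ -z "${latest_image}" ]]; then
    printf '%s\n' "process_rhsa: no operator image found for ${my_image_repo}" >&2
    return 1
  fi
  local latest_digest="${latest_image##*@}"
  echo "process_rhsa: ${my_image_repo}"
  # Pull all past images if we don't have the cache file already. The full
  # image reference (with digest) from the mapping file is what
  # get_image_history expects; the previous code passed an undefined
  # $my_image_name here.
  if [[ ! -e "${my_image_metadata_file}" ]]; then
    get_image_history "${latest_image}" || return 1
  fi
  # Find the entry matching the latest digest and list its advisories; the
  # digest is passed with --arg so it is never spliced into the filter text.
  local vulns
  vulns=$(jq -c -r --arg digest "${latest_digest}" \
    '.data[] | select((.repositories[0].manifest_list_digest == $digest) and .parsed_data.architecture == "amd64") | .repositories[0].content_advisory_ids' \
    "${my_image_metadata_file}")
  # Quoted right-hand side: a literal substring match, not a regex.
  if [[ "${vulns}" =~ "${rhsa}" ]]; then
    echo "NOT resolved in latest release of ${my_image_repo}"
  else
    echo "Resolved in latest release of ${my_image_repo}"
  fi
}
export -f process_rhsa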
#function image_to_operator() {
#
# # Determine which operator the image belongs to
# while read -r line
# do
#
# OPERATOR=$(echo "${line}" | awk -F\ '{print $1}')
# DEFAULT_CHANNEL=$(echo "${line}" | awk -F\ '{print $NF}')
#
# # Skip this process if we already have the mappings file for this operator and channel
# if [ -e "operator_images/${OPERATOR}-${DEFAULT_CHANNEL}-mapping.txt" ]; then
# continue
# fi
#
# done < <(tail -n +2 redhat_operators.list) # Skip the column names on the first line
#
#}
#export -f image_to_operator