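#!/bin/bash
#
# process_acs_rhsa_export.sh
#
# For every RHSA advisory in an ACS (Advanced Cluster Security) CSV
# vulnerability export, look up the newest image digest recorded for the
# affected repository in operator_images/*.txt, fetch that repository's image
# list from the Red Hat Container Catalog API (cached under ./metadata), and
# report whether the newest amd64 image still lists the advisory among its
# content_advisory_ids.
#
# Usage:   process_acs_rhsa_export.sh <CSV from ACS>
# Inputs:  operator_images/*.txt — the text before the first '=' and after the
#          last '@' of a matching line is taken as the manifest-list digest
#          (format assumed from how the lines are parsed here — confirm against
#          whatever generates those files).
# Outputs: one result line per RHSA on stdout, warnings on stderr, and cached
#          API responses in metadata/<repo>_images.json.
# Returns: 0 on completion, 1 on usage error or unreadable input.
#
# Strict mode is set here rather than in the shebang so it survives
# `bash process_acs_rhsa_export.sh ...`.
set -euo pipefail

warn() { printf 'warning: %s\n' "$*" >&2; }
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

if (( $# == 0 )); then
  printf 'Usage: %s <CSV from ACS>\n' "$0" >&2
  exit 1
fi
INPUT_FILE="${1}"
[[ -r "${INPUT_FILE}" ]] || die "cannot read input file '${INPUT_FILE}'"

readonly API="https://catalog.redhat.com/api/containers/v1/repositories/registry/registry.access.redhat.com/repository"

echo "Parsing ACS input CSV"
# -p: re-running in the same directory must not abort on an existing cache dir.
mkdir -p metadata

# The first line of the ACS CSV export holds the column names; tail skips it.
while IFS= read -r line || [[ -n "${line}" ]]; do
  line=${line%$'\r'}   # tolerate CRLF line endings in the export
  [[ -n "${line}" ]] || continue

  # Plain comma split; fields are assumed not to contain commas themselves.
  # Expected column order (confirm against the ACS version that produced
  # the export):
  #   1 clusterName  2 clusterId  3 namespace  4 namespaceId  5 deployment
  #   6 image        7 cve        8 cvss       9 severity    10 component
  #  11 version     12 fixedBy
  IFS=',' read -r -a fields <<<"${line}"
  image_name=${fields[5]-}
  cve=${fields[6]-}
  cve=${cve//\"/}   # the cve column is exported with surrounding quotes

  # Only Red Hat Security Advisories are checked; other rows are skipped.
  [[ "${cve}" == *RHSA* ]] || continue

  # Repository path = image reference without its digest or tag and without
  # the leading registry host (everything after the first '/').
  if [[ "${image_name}" == *@* ]]; then
    ref=${image_name%%@*}
  else
    ref=${image_name%%:*}   # NB: a registry host with a port would be cut here too
  fi
  if [[ "${ref}" == */* ]]; then
    image_repo=${ref#*/}
  else
    image_repo=""
  fi

  # image_repo comes from the export and is used below in a URL path, a file
  # name and a grep pattern: accept only the characters a repository path may
  # legitimately contain and skip anything else rather than passing it on.
  if [[ ! "${image_repo}" =~ ^[A-Za-z0-9][A-Za-z0-9._/-]*$ ]]; then
    warn "skipping ${cve}: unusable image reference '${image_name}'"
    continue
  fi

  image_metadata_file="metadata/${image_repo//\//_}_images.json"

  # Map the repository to the newest digest in the operator bundle files.
  # Fixed-string match (-F); if several lines match, the first one wins —
  # confirm that is the intended pick.
  LATEST_DIGEST=$(grep -h -F -- "${image_repo}" operator_images/*.txt \
    | awk -F'=' '{print $1}' \
    | awk -F'@' '{print $NF}' \
    | head -n 1) || true
  if [[ -z "${LATEST_DIGEST}" ]]; then
    # Without a digest the catalog lookup can only miss; say so instead of
    # reporting the advisory as resolved.
    warn "no operator image found for ${image_repo}; cannot assess ${cve}"
    continue
  fi

  # Fetch the repository's image list once per run. Only the first 500 entries
  # are requested — confirm that covers the repositories in use. A failed
  # request (-f: HTTP errors fail too) is never left behind as a cache file.
  if [[ ! -e "${image_metadata_file}" ]]; then
    tmp_file="${image_metadata_file}.tmp"
    if ! curl -sSf -o "${tmp_file}" "${API}/${image_repo}/images?page_size=500&page=0"; then
      rm -f -- "${tmp_file}"
      warn "catalog API request failed for ${image_repo}; cannot assess ${cve}"
      continue
    fi
    mv -- "${tmp_file}" "${image_metadata_file}"
  fi

  # Exact membership test of the advisory id against the amd64 image whose
  # manifest-list digest is the operator's newest; --arg keeps both values
  # out of the filter text. Assumes ACS and the catalog spell advisory ids
  # identically (e.g. RHSA-YYYY:NNNN) — confirm on a known-unresolved row.
  if ! found=$(jq -r --arg digest "${LATEST_DIGEST}" --arg cve "${cve}" \
      '[.data[]
        | select(.repositories[0].manifest_list_digest == $digest
                 and .parsed_data.architecture == "amd64")
        | .repositories[0].content_advisory_ids[]?]
       | any(. == $cve)' "${image_metadata_file}"); then
    warn "could not parse ${image_metadata_file}; cannot assess ${cve}"
    continue
  fi

  if [[ "${found}" == "true" ]]; then
    echo "${cve} NOT resolved in latest release of ${image_repo}"
  else
    echo "${cve} resolved in latest release of ${image_repo}"
  fi
done < <(tail -n +2 -- "${INPUT_FILE}")
exit 0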