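#!/bin/bash
# Script to process results of the scan.sh script
#
# Usage: process_operator_scan.sh <scan_results.csv>
#
# Reads the CSV given as $1 (header row, then one image/CVE row per line) and
# writes <input-without-.csv>_annotated.csv with two extra columns:
# "RedHat CVSS Score" (currently always the placeholder "todo") and
# "RedHat Disposition" (output of process_rhsa or cve-analyser).
#
# NOTE(review): functions.sh is resolved against the current working
# directory, not this script's location, so whichever functions.sh sits in the
# caller's CWD is the code that gets executed. Run this from the checkout.
source ./functions.sh

INPUT_FILE="${1}"
if [[ -z "${INPUT_FILE}" || ! -r "${INPUT_FILE}" ]]; then
  printf 'Usage: %s <scan_results.csv>\n' "${0##*/}" >&2
  exit 2
fi

# Strip only a trailing ".csv"; a ".csv" elsewhere in the path is left alone.
OUTPUT_FILE="${INPUT_FILE%.csv}_annotated.csv"

# Contains CVE/image pairings from ACS export.
# Created with mktemp instead of a fixed /tmp name: a predictable path in a
# world-writable directory can be pre-created (or symlinked) by another local
# user, and two concurrent runs would overwrite each other's pairing.
TMP_CVES=$(mktemp "${TMPDIR:-/tmp}/cves.XXXXXX") || {
  printf 'error: could not create temporary file\n' >&2
  exit 1
}
trap 'rm -f -- "${TMP_CVES}"' EXIT

# Container cve-analyser results
# NOTE(review): not referenced in this script; presumably consumed by helpers
# in functions.sh. If anything writes to it, it has the same predictable-/tmp
# problem as above. Confirm and switch to mktemp as well.
CVE_ANALYSER_RESULTS="/tmp/cve_analyser.txt"

COLS=$(head -n 1 -- "${INPUT_FILE}")
printf '%s, "RedHat CVSS Score", "RedHat Disposition"\n' "${COLS}" > "${OUTPUT_FILE}"

# IFS= keeps each row byte-for-byte; the "|| [[ -n ... ]]" clause picks up a
# final row that has no trailing newline.
while IFS= read -r line || [[ -n "${line}" ]]; do
  # Skip blank rows instead of sending an empty CVE/image pair downstream.
  [[ -n "${line}" ]] || continue

  # NOTE(review): fields are split on every comma, so a quoted field that
  # itself contains a comma would shift the columns. Assumes the scan export
  # never emits such fields; verify against scan.sh output.
  image_name=$(printf '%s\n' "${line}" | awk -F, '{print $1}' | tr -d '"')
  cve=$(printf '%s\n' "${line}" | awk -F, '{print $2}' | tr -d '"')
  # cvss and image are not read below; kept in case helpers from functions.sh
  # rely on them as globals. TODO confirm and drop if unused.
  cvss=$(printf '%s\n' "${line}" | awk -F, '{print $3}')

  # Drop the digest (@...) or tag (:...) part, then drop everything up to and
  # including the first "/" to obtain the repository path.
  if [[ "${image_name}" == *@* ]]; then
    image_repo=$(printf '%s\n' "${image_name}" | awk -F@ '{print $1}' \
      | awk '{sub(/\//," ");$1=$1;print $2}')
  else
    image_repo=$(printf '%s\n' "${image_name}" | awk -F: '{print $1}' \
      | awk '{sub(/\//," ");$1=$1;print $2}')
  fi
  image=$(printf '%s\n' "${image_repo}" | awk -F/ '{print $NF}')

  printf 'Processing cve: %s\n' "${cve}"

  # Values below come from the CSV, so every expansion is quoted: unquoted
  # they would be word-split and glob-expanded before reaching the helpers.
  if [[ "${cve}" == *RHSA* ]]; then
    RST=$(process_rhsa "${image_repo}" "${cve}")
  else
    # Convert image with digest to image with tag and process with cve-analyser
    image_tag=$(digest_to_tag "${image_name}")

    # Map rh-acs repo to advanced-cluster-security which is where they actually live
    image_repo=${image_repo//rh-acs/advanced-cluster-security}

    image_with_tag="${image_repo%%@*}:${image_tag}"

    # TODO: Upgrade cve-analyser to accept CLI pair instead of file only, faster
    printf '%s,%s\n' "${cve}" "${image_with_tag}" > "${TMP_CVES}"
    RST=$(cve-analyser "${TMP_CVES}" | awk -F, '{print $NF}')
    printf '%s, %s, %s\n' "${cve}" "${image_repo}" "${RST}"
  fi

  # "todo" is the placeholder for the RedHat CVSS Score column.
  printf '%s, todo, %s\n' "${line}" "${RST}" >> "${OUTPUT_FILE}"
done < <(tail -n +2 -- "${INPUT_FILE}")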