Security Scan CLI Enhancements (#505)

* cleanup commands

* update readme

* flag handling

* flag handling

* add changelog

* breaking change

* fmt

* use contextutils

* simplify rseponse message

* goimports -w

.gitignore

@@ -12,3 +12,5 @@ vendor
 
 # junit
 junit.xml
+
+_output

changelog/v0.23.0/cvectl.yaml

@@ -0,0 +1,7 @@
+changelog:
+  - type: BREAKING_CHANGE
+    issueLink: https://github.com/solo-io/go-utils/issues/469
+    resolvesIssue: false
+    description: >
+      Add scan-version command to CVE CLI which allows for easier scans of a single version (tag)
+      of multiple images.

cliutils/flags.go

@@ -0,0 +1,50 @@
+package cliutils
+
+import (
+	errors "github.com/rotisserie/eris"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type HideableFlag interface {
+	MarkHidden(string) error
+}
+
+// MustMarkHidden panics if the call to MarkHidden() fails.
+func MustMarkHidden(flags HideableFlag, name string) {
+	if err := flags.MarkHidden(name); err != nil {
+		panic(err)
+	}
+}
+
+// MustMarkFlagRequired panics if the call to MarkFlagRequired() fails.
+func MustMarkFlagRequired(flaggish interface{}, name string) {
+	if err := MarkFlagRequired(flaggish, name); err != nil {
+		panic(err)
+	}
+}
+
+// MarkFlagRequired returns an error if the call to MarkFlagRequired() fails.
+func MarkFlagRequired(flaggish interface{}, name string) error {
+	switch v := flaggish.(type) {
+	case *cobra.Command:
+		if err := v.MarkFlagRequired(name); err != nil {
+			return err
+		}
+	case *pflag.FlagSet:
+		if err := cobra.MarkFlagRequired(v, name); err != nil {
+			return err
+		}
+
+	default:
+		return errors.Errorf("Unknown flag type: %v", v)
+	}
+	return nil
+}
+
+// MustMarkPersistentFlagRequired panics if the call to MarkPersistentFlagRequired() fails.
+func MustMarkPersistentFlagRequired(cmd *cobra.Command, name string) {
+	if err := cmd.MarkPersistentFlagRequired(name); err != nil {
+		panic(err)
+	}
+}

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/Masterminds/semver/v3 v3.1.1
 	github.com/Netflix/go-expect v0.0.0-20180928190340-9d1f4485533b
 	github.com/avast/retry-go v2.2.0+incompatible
+	github.com/fatih/color v1.7.0
 	github.com/fgrosse/zaptest v1.1.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-git/go-git/v5 v5.4.1
@@ -31,8 +32,10 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/rotisserie/eris v0.1.1
 	github.com/rs/zerolog v1.18.0
+	github.com/sirupsen/logrus v1.4.2
 	github.com/spf13/afero v1.2.2
 	github.com/spf13/cobra v1.1.3
+	github.com/spf13/pflag v1.0.5
 	github.com/yuin/goldmark v1.4.1
 	go.opencensus.io v0.23.0
 	go.uber.org/zap v1.10.0
@@ -79,6 +82,7 @@ require (
 	github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
+	github.com/konsorten/go-windows-terminal-sequences v1.0.1 // indirect
 	github.com/kr/pty v1.1.5 // indirect
 	github.com/mattn/go-colorable v0.0.9 // indirect
 	github.com/mattn/go-isatty v0.0.4 // indirect
@@ -96,7 +100,6 @@ require (
 	github.com/shurcooL/githubv4 v0.0.0-20191127044304-8f68eb5628d0 // indirect
 	github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f // indirect
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/src-d/gcfg v1.4.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/zenazn/goji v0.9.1-0.20160507202103-64eb34159fe5 // indirect

go.sum

@@ -122,6 +122,7 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fgrosse/zaptest v1.1.0 h1:sK9hP0/xBoNX5qfFo3KWFluDXfc809APomI1QXuYELA=
 github.com/fgrosse/zaptest v1.1.0/go.mod h1:vMnRSul6kW7kIUXZgnZZcDwyTn8k49ODfAULL8nmL5w=
@@ -306,6 +307,7 @@ github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -431,6 +433,7 @@ github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5I
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=

securityscanutils/README.md

@@ -13,37 +13,22 @@ below shows the output the said CLI's `help` command.
 The `GITHUB_TOKEN` environment variable must be set for security scanning to work.
 
 ```bash
-go-utils/securityscan/cli % go run ./run_scan.go help                                                                                                                                            
+go-utils/securityscan % go run ./cli/main.go help
+
+CLI for identifying CVEs in images
+
 Usage:
-   [command]
+  cvectl [command]
 
 Available Commands:
-  echo-inputs          Prints out all the state of all inputs (including inputted, defaults, and derived) for debugging purposes
-  gen-releases         cache github releases for inputted repository. This is its own command to protect against rate-limiting by github by trying to pull releases too much.
-  gen-security-scan-md pull down security scan files from gcloud bucket and generate docs markdown file
-  help                 Help about any command
-  run-security-scan    runs trivy scans on images from repo specified
+  format-results Pull down security scan files from gcloud bucket and generate docs markdown file
+  help           Help about any command
+  scan-repo      Run Trivy scans against images for the repo specified and upload scan results to a google cloud bucket
+  scan-version   Run Trivy scans against images for a single version
 
 Flags:
-  -c, --CachedReleasesFile string   The name of the file that contains a list of all releases from the given repository. This file is generated by the 'gen-releases' command, and used by the others.
-  -i, --CreateIssues                If true, open/update a Github Issue for each version that has images that have vulnerabilities. Defaults to true. (default true)
-  -p, --GenerateCachedReleases      If true, then populate the file specified by the CachedReleasesFile flag with all releases from Github. If false, then the command assumes that the file has already been created and populated.  Should be set to false for testing to avoid rate-limiting by Github. Defaults to true. (default true)
-  -f, --ImageFile string            Different release versions may have different images to scan.
-                                    To deal with this, the run-security-scan command expects a file input that maps version constraints to images
-                                    to be scanned if a version matches that constraint. Constraints must be mutually exclusive.
-                                    The file is expected to be a csv, where the first element of each line is the constraint, and every subsequent element
-                                    in that line is an image to be scanned if that constraint is matched.
-                                    Read https://github.com/Masterminds/semver#checking-version-constraints for more about how to use semver constraints.
-      --ImageRepo string            The repository where images to scan are located. Defaults to 'quay.io/solo-io' (default "quay.io/solo-io")
-  -m, --MinScannedVersion string    The minimum version of images to scan. If set, will scan every image from this to the present, and will scan all images otherwise
-      --RepoOwner string            The owner of the repository to scan. Defaults to 'solo-io' (default "solo-io")
-  -r, --TargetRepo string           The repository to scan
-  -w, --TargetRepoWritten string    Specify the human readable name of the repository to scan for output purposes.
-  -u, --UploadToGithub              Setting this to true will upload any generated sarif files to the github repository endpoint, 
-                                    e.g. https://github.com/solo-io/gloo/security/code-scanning
-                                    read more here: https://docs.github.com/en/rest/reference/code-scanning.
-                                    Defaults to false.
-  -h, --help                        help for this command
-
-Use " [command] --help" for more information about a command.
+  -h, --help      help for cvectl
+  -v, --verbose   Enable verbose logging
+
+Use "cvectl [command] --help" for more information about a command.
 ```

securityscanutils/cli/run_scan.go → securityscanutils/cli/main.go

@@ -4,13 +4,14 @@ import (
 	"context"
 	"log"
 
-	"github.com/solo-io/go-utils/securityscanutils"
+	"github.com/solo-io/go-utils/securityscanutils/commands"
 )
 
 func main() {
 	ctx := context.Background()
-	app := securityscanutils.RootApp(ctx)
-	if err := app.Execute(); err != nil {
+
+	cmd := commands.RootCommand(ctx)
+	if err := cmd.Execute(); err != nil {
 		log.Fatalf("unable to run: %v\n", err)
 	}
 }