[DockerImageScanner] Provide NVD info
* change ENGORC to MKE (it was re-named)
* provide getNvdInfo function to get info from the NVD API server
* skip issue filing to MKE namespace if NVD CVSS v3 basescore is below 7
* assign all newly created Jira issues for MKE team to Vikram
RE-1147
RE-1148
Change-Id: Ia73b23b56c25beae74ea033745eca546f4409a9c
diff --git a/src/com/mirantis/mk/DockerImageScanner.groovy b/src/com/mirantis/mk/DockerImageScanner.groovy
index 0f3cb40..49387dd 100644
--- a/src/com/mirantis/mk/DockerImageScanner.groovy
+++ b/src/com/mirantis/mk/DockerImageScanner.groovy
@@ -156,8 +156,34 @@
return defaultJiraAffectedVersion
}
+def getNvdInfo(nvdApiUri, cve) {
+ def cveArr = []
+ def response = callREST("${nvdApiUri}/${cve}", '')
+ if (response['responseCode'] == 200) {
+ def InputJSON = new JsonSlurper().parseText(response["responseText"])
+ if (InputJSON.containsKey('impact')) {
+ def cveImpact = InputJSON['impact']
+ ['V3','V2'].each {
+ if (cveImpact.containsKey('baseMetric' + it)) {
+ if (cveImpact['baseMetric' + it].containsKey('cvss' + it)) {
+ if (cveImpact['baseMetric' + it]['cvss' + it].containsKey('baseScore')) {
+ def cveBaseSeverity = ''
+ if (cveImpact['baseMetric' + it]['cvss' + it].containsKey('baseSeverity')) {
+ cveBaseSeverity = cveImpact['baseMetric'+it]['cvss'+it]['baseSeverity']
+ }
+ cveArr.add([it, cveImpact['baseMetric'+it]['cvss'+it]['baseScore'],cveBaseSeverity])
+ }
-def reportJiraTickets(String reportFileContents, String jiraCredentialsID, String jiraUserID, String productName = '', String ignoreImageListFileContents = '[]', Integer retryTry = 0, String jiraNamespace = 'PRODX') {
+ }
+ }
+ }
+ }
+ }
+ return cveArr
+}
+
+
+def reportJiraTickets(String reportFileContents, String jiraCredentialsID, String jiraUserID, String productName = '', String ignoreImageListFileContents = '[]', Integer retryTry = 0, String nvdApiUri = '', jiraNamespace = 'PRODX') {
def dict = [:]
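Review bot: Inserting `String nvdApiUri = ''` before `jiraNamespace` in the `reportJiraTickets` signature shifts the positional arguments, so any existing caller that passes a namespace as the seventh argument would now have it treated as the NVD URI. Appending the new parameter last (`..., String jiraNamespace = 'PRODX', String nvdApiUri = ''`) keeps old calls working and restores the `String` type that `jiraNamespace` lost. In `getNvdInfo`, a non-200 response and a CVE without scores both yield an empty list, so the caller cannot tell a failed lookup from "no score"; logging the response code on failure would at least make that visible. `cve` is also interpolated into the request path as-is, so a guard such as `if (!(cve ==~ /CVE-\d{4}-\d{4,}/)) { return cveArr }` before `callREST` would keep malformed report entries out of the URL. `reportJiraTickets` continues outside the hunk.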
@@ -255,6 +281,7 @@
def jira_summary = ''
def jira_description = ''
+ def jira_description_nvd_scoring = []
imageDict.each{
image ->
def image_key = image.key.replaceAll(/(^[a-z0-9-.]+.mirantis.(net|com)\/|:.*$)/, '')
@@ -269,7 +296,7 @@
if (image_key.startsWith('lcm/docker/ucp')) {
return
} else if (image_key.startsWith('mirantis/ucp') || image_key.startsWith('mirantiseng/ucp')) {
- jiraNamespace = 'ENGORC'
+ jiraNamespace = 'MKE'
} else if (image_key.startsWith('mirantis/dtr') || image_key.startsWith('mirantiseng/dtr')) {
jiraNamespace = 'ENGDTR'
} else {
@@ -277,15 +304,35 @@
}
jira_summary = "[${image_key}] Found CVEs in Docker image"
jira_description = "${image.key}\n"
+ def filter_mke_severity = false
image.value.each{
pkg ->
jira_description += "__* ${pkg.key}\n"
pkg.value.each{
cve ->
jira_description += "________${cve}\n"
+ if (nvdApiUri) {
+ jira_description_nvd_scoring = getNvdInfo(nvdApiUri, cve)
+ jira_description_nvd_scoring.each {
+ jira_description += 'CVSS ' + it.join(' ') + '\n'
+ // According to Vikram there will be no fixes for
+ // CVEs with CVSS base score below 7
+ if (jiraNamespace == 'MKE' && it[0] == 'V3' && it[1].toInteger() >= 7) {
+ filter_mke_severity = true
+ }
+ }
+ } else {
+ print 'nvdApiUri var is not specified.'
+ }
}
}
+ if (filter_mke_severity) {
+ print "\n\nIgnoring ${image.key} as it does not have CVEs with CVSS base score >7\n"
+ print jira_description
+ return
+ }
+
def team_assignee = getTeam(image_key)
def basicIssueJSON = new JsonSlurper().parseText('{"fields": {}}')
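Review bot: The skip condition at the end of this hunk is inverted relative to its own message and the commit description: `filter_mke_severity` is set to true when an MKE CVE has a V3 base score `>= 7`, and `if (filter_mke_severity)` then returns before the ticket is created, so images with high-severity CVEs are dropped and low-severity ones are filed. A fix also has to decide what happens when `getNvdInfo` returns no V3 entry (failed lookup or unscored CVE); the sketch below treats that as unknown and files the ticket rather than suppressing it. The `else` branch prints 'nvdApiUri var is not specified.' once per CVE and could be hoisted out of the loops. The enclosing `imageDict.each` closure starts and ends outside the hunk.

```groovy
def mke_has_high_cvss = false
def nvd_score_missing = false
// … unchanged: image.value.each / pkg.value.each headers and the jira_description lines …
            if (nvdApiUri) {
                jira_description_nvd_scoring = getNvdInfo(nvdApiUri, cve)
                if (!jira_description_nvd_scoring.any { it[0] == 'V3' }) {
                    // Lookup failed or CVE has no V3 score: severity unknown, do not suppress
                    nvd_score_missing = true
                }
                jira_description_nvd_scoring.each {
                    jira_description += 'CVSS ' + it.join(' ') + '\n'
                    if (it[0] == 'V3' && it[1].toInteger() >= 7) {
                        mke_has_high_cvss = true
                    }
                }
            }
// … unchanged: closing braces of the two each closures …
if (jiraNamespace == 'MKE' && nvdApiUri && !mke_has_high_cvss && !nvd_score_missing) {
    print "\n\nIgnoring ${image.key} as it does not have CVEs with CVSS base score >= 7\n"
    print jira_description
    return
}
```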
@@ -311,6 +358,12 @@
basicIssueJSON['fields']['components'] = [["name": 'KaaS: LCM']]
}
}
+
+ if (jiraNamespace == 'MKE') {
+ // Assign issues by default to Vikram bir Singh, as it was asked by him
+ basicIssueJSON['fields']['assignee'] = ['accountId': '5ddd4d67b95b180d17cecc67']
+ }
+
def post_issue_json = JsonOutput.toJson(basicIssueJSON)
def jira_comment = jira_description.replaceAll(/\n/, '\\\\n')
def post_comment_json = """
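Review bot: The assignee set at `basicIssueJSON['fields']['assignee']` is a hard-coded personal Jira `accountId` in shared pipeline code, which ties routing of vulnerability tickets to one account. If that account is deactivated or changes teams, MKE issue creation may fail or leave findings without an owner; the outcome depends on Jira configuration not visible here. Consider taking the value from job configuration, e.g. a trailing parameter `String mkeAssigneeAccountId = ''` with `if (jiraNamespace == 'MKE' && mkeAssigneeAccountId) { ... }`, and rewording the comment to state the routing rule rather than name a person. The enclosing function continues outside the hunk.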