Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / mcp-ci / pipeline-library / 81a3a8db09a20492e7d35a73cf9e7e3c8cd26dc6 / . / src / com / mirantis / mk / DockerImageScanner.groovy
blob: 94e0dea2241d904bc31919318c2df83a692107e5 [file] [log] [blame]
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]1#!groovy
2
Ivan Udovichenko314a0732020-04-13 22:47:26 +0300[diff] [blame]3package com.mirantis.mk
4
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]5import groovy.json.JsonSlurper
6
7def callREST (String uri, String auth,
Ivan Udovichenko45252252020-04-14 22:45:53 +0300[diff] [blame]8 String method = 'GET', String message = null) {
9 String authEnc = auth.bytes.encodeBase64()
10 def req = new URL(uri).openConnection()
11 req.setRequestMethod(method)
12 req.setRequestProperty('Content-Type', 'application/json')
13 req.setRequestProperty('Authorization', "Basic ${authEnc}")
14 if (message) {
15 req.setDoOutput(true)
16 req.getOutputStream().write(message.getBytes('UTF-8'))
17 }
18 Integer responseCode = req.getResponseCode()
19 String responseText = ''
20 if (responseCode == 200 || responseCode == 201) {
21 responseText = req.getInputStream().getText()
22 }
23 req = null
24 return [ 'responseCode': responseCode, 'responseText': responseText ]
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]25}
26
27def getTeam (String image = '') {
28 def team_assignee = ''
29 switch(image) {
30 case ~/^(tungsten|tungsten-operator)\/.*$/:
31 team_assignee = 'OpenContrail'
32 break
33 case ~/^bm\/.*$/:
34 team_assignee = 'BM/OS (KaaS BM)'
35 break
36 case ~/^openstack\/.*$/:
37 team_assignee = 'OpenStack hardening'
38 break
39 case ~/^stacklight\/.*$/:
40 team_assignee = 'Stacklight LMA'
41 break
42 case ~/^ceph\/.*$/:
43 team_assignee = 'Storage'
44 break
45 case ~/^iam\/.*$/:
46 team_assignee = 'KaaS'
47 break
48 case ~/^lcm\/.*$/:
49 team_assignee = 'Kubernetes'
50 break
51 default:
52 team_assignee = 'Release Engineering'
53 break
54 }
55
56 return team_assignee
57}
58
59def updateDictionary (String jira_issue_key, Map dict, String uri, String auth, String jira_user_id) {
60 def response = callREST("${uri}/${jira_issue_key}", auth)
61 if ( response['responseCode'] == 200 ) {
62 def issueJSON = new JsonSlurper().parseText(response["responseText"])
63 if (issueJSON.containsKey('fields')) {
64 if (!dict.containsKey(jira_issue_key)) {
65 dict[jira_issue_key] = [
66 summary : '',
67 description: '',
68 comments: []
69 ]
70 }
71 if (issueJSON['fields'].containsKey('summary')){
72 dict[jira_issue_key].summary = issueJSON['fields']['summary']
73 }
74 if (issueJSON['fields'].containsKey('description')) {
75 dict[jira_issue_key].description = issueJSON['fields']['description']
76 }
77 if (issueJSON['fields'].containsKey('comment') && issueJSON['fields']['comment']['comments']) {
78 issueJSON['fields']['comment']['comments'].each {
79 if (it.containsKey('author') && it['author'].containsKey('accountId') && it['author']['accountId'] == jira_user_id) {
80 dict[jira_issue_key]['comments'].add(it['body'])
81 }
82 }
83 }
84 }
85 }
86 return dict
87}
88
89def cacheLookUp(Map dict, String image_short_name, String image_full_name = '', String cve_id = '' ) {
90 def found_key = ['','']
91 if (!found_key[0] && dict && image_short_name) {
92 dict.each { issue_key_name ->
93 if (!found_key[0]) {
94 def s = dict[issue_key_name.key]['summary'] =~ /\b${image_short_name}\b/
95 if (s) {
96 if (image_full_name) {
97 def d = dict[issue_key_name.key]['description'] =~ /(?m)\b${image_full_name}\b/
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]98 if (d) {
99 found_key = [issue_key_name.key,'']
100 } else {
101 if (dict[issue_key_name.key]['comments']) {
102 def comment_match = false
103 dict[issue_key_name.key]['comments'].each{ comment ->
104 if (!comment_match) {
105 def c = comment =~ /(?m)\b${image_full_name}\b/
106 if (c) {
107 comment_match = true
108 }
109 }
110 }
111 if (!comment_match) {
112 found_key = [issue_key_name.key,'na']
113 } else {
114 found_key = [issue_key_name.key,'']
115 }
116 } else {
117 found_key = [issue_key_name.key,'na']
118 }
119 }
120 }
121 }
122 }
123 }
124 }
125 return found_key
126}
127
Ivan Udovichenko6c870b72020-04-14 11:31:51 +0300[diff] [blame]128def reportJiraTickets(String reportFileContents, String jiraCredentialsID, String jiraUserID) {
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]129
130 def dict = [:]
131
Ivan Udovichenko6c870b72020-04-14 11:31:51 +0300[diff] [blame]132 def common = new com.mirantis.mk.Common()
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]133 def cred = common.getCredentialsById(jiraCredentialsID)
134 def auth = "${cred.username}:${cred.password}"
135 def uri = "${cred.description}/rest/api/2/issue"
136
137 def search_api_url = "${cred.description}/rest/api/2/search"
138
139 def search_json = """
140{
141 "jql": "reporter = ${jiraUserID} and (labels = cve and labels = security) and (status = 'To Do' or status = 'For Triage' or status = Open or status = 'In Progress')"
142}
143"""
144
145 def response = callREST("${search_api_url}", auth, 'POST', search_json)
146
147 def InputJSON = new JsonSlurper().parseText(response["responseText"])
148
149 InputJSON['issues'].each {
150 dict[it['key']] = [
151 summary : '',
152 description: '',
153 comments: []
154 ]
155 }
156
157 InputJSON['issues'].each { jira_issue ->
158 dict = updateDictionary(jira_issue['key'], dict, uri, auth, jiraUserID)
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]159 }
160
Ivan Udovichenko6c870b72020-04-14 11:31:51 +0300[diff] [blame]161 def reportJSON = new JsonSlurper().parseText(reportFileContents)
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]162 def imageDict = [:]
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]163 reportJSON.each{
164 image ->
165 if ("${image.value}".contains('issues')) { return }
166 image.value.each{
167 pkg ->
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]168 pkg.value.each{
169 cve ->
170 if (cve[2] && (cve[1].contains('High') || cve[1].contains('Critical'))) {
Ivan Udovichenkoc774c6e2020-04-15 01:55:41 +0300[diff] [blame]171 if (!imageDict.containsKey(image.key)) {
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]172 imageDict.put(image.key, [:])
173 }
174 if (!imageDict[image.key].containsKey(pkg.key)) {
175 imageDict[image.key].put(pkg.key, [])
176 }
Ivan Udovichenkoc774c6e2020-04-15 01:55:41 +0300[diff] [blame]177 imageDict[image.key][pkg.key].add("${cve[0]} (${cve[2]})")
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]178 }
179 }
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]180 }
181 }
182
183 def jira_summary = ''
184 def jira_description = ''
185 imageDict.each{
186 image ->
187 def image_key = image.key.replaceAll(/(^[a-z0-9-.]+.mirantis.(net|com)\/|:.*$)/, '')
Ivan Udovichenko81a3a8d2020-06-21 21:58:56 +0300[diff] [blame^]188 // Temporary exclude kibana images, due to false positive in PRODX-5468
189 // Remove once RE-193 ticket is resolved
190 if (image_key.startsWith('stacklight/kibana')) { return }
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]191 jira_summary = "[${image_key}] Found CVEs in Docker image"
192 jira_description = "{noformat}${image.key}\\n"
193 image.value.each{
194 pkg ->
195 jira_description += " * ${pkg.key}\\n"
196 pkg.value.each{
197 cve ->
198 jira_description += " - ${cve}\\n"
199 }
200 }
201 jira_description += "{noformat}"
202
203 def team_assignee = getTeam(image_key)
204
205 def post_issue_json = """
206{
207 "fields": {
208 "project": {
209 "key": "PRODX"
210 },
211 "summary": "${jira_summary}",
212 "description": "${jira_description}",
213 "issuetype": {
214 "name": "Bug"
215 },
216 "labels": [
217 "security",
218 "cve"
219 ],
220 "customfield_19000": {
221 "value": "${team_assignee}"
222 },
223 "versions": [
224 {
225 "name": "Backlog"
226 }
227 ]
228 }
229}
230"""
231 def post_comment_json = """
232{
233 "body": "${jira_description}"
234}
235"""
236 def jira_key = cacheLookUp(dict, image_key, image.key)
237 if (jira_key[0] && jira_key[1] == 'na') {
238 def post_comment_response = callREST("${uri}/${jira_key[0]}/comment", auth, 'POST', post_comment_json)
239 if ( post_comment_response['responseCode'] == 201 ) {
240 def issueCommentJSON = new JsonSlurper().parseText(post_comment_response["responseText"])
Ivan Udovichenko99467752020-04-21 02:28:06 +0300[diff] [blame]241 print "\n\nComment was posted to ${jira_key[0]} for ${image_key} and ${image.key}"
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]242 } else {
243 print "\nComment to ${jira_key[0]} Jira issue was not posted"
244 }
245 } else if (!jira_key[0]) {
246 def post_issue_response = callREST("${uri}/", auth, 'POST', post_issue_json)
247 if (post_issue_response['responseCode'] == 201) {
248 def issueJSON = new JsonSlurper().parseText(post_issue_response["responseText"])
249 dict = updateDictionary(issueJSON['key'], dict, uri, auth, jiraUserID)
Ivan Udovichenko99467752020-04-21 02:28:06 +0300[diff] [blame]250 print "\n\nJira issue was created ${issueJSON['key']} for ${image_key} and ${image.key}"
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]251 } else {
252 print "\n${image.key} CVE issues were not published\n"
253 }
254 } else {
Ivan Udovichenko99467752020-04-21 02:28:06 +0300[diff] [blame]255 print "\n\nNothing to process for ${image_key} and ${image.key}"
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]256 }
Ivan Udovichenko894fd8a2020-04-13 17:24:50 +0300[diff] [blame]257 }
Ivan Udovichenko314a0732020-04-13 22:47:26 +0300[diff] [blame]258}
Ivan Udovichenko45252252020-04-14 22:45:53 +0300[diff] [blame]259
260def find_cves_by_severity(String reportJsonContent, String Severity) {
261 def cves = []
262 def reportJSON = new JsonSlurper().parseText(reportJsonContent)
263 reportJSON.each{
264 image ->
265 image.value.each{
266 pkg ->
267 pkg.value.each{
268 cve ->
269 if (cve[2]) {
270 if (cve[1].contains(Severity)) {
271 cves.add("${pkg.key} ${cve[0]} (${cve[2]})")
272 }
273 }
274 }
275 }
276 }
277 return cves
278}