

ci: check analysis status in vuln scan script (#960) (#963)
Some images may fail to be scanned for various reasons. At the moment
this leads to a silent failure where the fixable_total is reported as
zero. This change checks the analysisStatus and treats any non-success
status as a failure.
sdowell authored Oct 24, 2023
1 parent 41565d9 commit 678b7c9
Showing 1 changed file with 23 additions and 7 deletions.
30 changes: 23 additions & 7 deletions scripts/vulnerabilities.sh
Expand Up @@ -37,19 +37,26 @@ source "${scripts_dir}/lib/manifests.sh"
read -r -a images <<< "$(config_sync_images)"
[[ ${#images[@]} -eq 0 ]] && exit 1
fixable_total=0
scan_failure_total=0
declare -A vuln_map

echo -n "Scanning" >&2

# Sum the fixable vulnerabilities with severity CRITICAL, HIGH, or MEDIUM
for image in "${images[@]}"; do
echo -n "."
vulnerabilities=$(gcloud beta container images describe --show-package-vulnerability --format json --verbosity error "${image}" |
jq -r '.package_vulnerability_summary.vulnerabilities')
fixable=$(echo "${vulnerabilities}" |
jq -r 'select(.vulnerability != {}) | map(map(select(.vulnerability.packageIssue[].fixAvailable == true)) | length) + [0] | add')
vuln_map[${image}]=${fixable}
fixable_total=$((fixable_total + fixable))
results=$(gcloud beta container images describe --show-package-vulnerability --format json --verbosity error "${image}")
status=$(echo "${results}" | jq -r '.discovery_summary.discovery[].discovery.analysisStatus')
if [[ "${status}" != "FINISHED_SUCCESS" ]]; then
vuln_map[${image}]="${status}"
scan_failure_total=$((scan_failure_total + 1))
else
vulnerabilities=$(echo "${results}" | jq -r '.package_vulnerability_summary.vulnerabilities')
fixable=$(echo "${vulnerabilities}" |
jq -r 'select(.vulnerability != {}) | map(map(select(.vulnerability.packageIssue[].fixAvailable == true)) | length) + [0] | add')
vuln_map[${image}]=${fixable}
fixable_total=$((fixable_total + fixable))
fi
done

echo # done scanning
Expand All @@ -62,7 +69,16 @@ echo # done scanning
) | sort
) | column -ts $'\t'

exit_code=0

if [[ "${fixable_total}" != "0" ]]; then
echo "ERROR: ${fixable_total} vulnerabilities are fixable" >&2
exit 1
exit_code=1
fi

if [[ "${scan_failure_total}" != "0" ]]; then
echo "ERROR: ${scan_failure_total} images failed to be scanned" >&2
exit_code=1
fi

exit "${exit_code}"
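Review bot: The status check at line 38 fails closed, but it depends on `results` and `status` being well-formed: if `gcloud` at line 36 exits non-zero or prints nothing, `jq` errors out and `status` is empty, so the image is correctly counted as a scan failure while its row in `vuln_map` is a blank cell; and because `.discovery[]` emits one line per array entry, an image whose discovery array has more than one entry (if that ever happens) could never equal `FINISHED_SUCCESS` even when every entry succeeded. Consider recording a visible value, `vuln_map[${image}]="${status:-UNKNOWN}"`, and collapsing the statuses before the comparison, e.g. `status=$(echo "${results}" | jq -r '[.discovery_summary.discovery[].discovery.analysisStatus] | unique | join(",")')`. A comment above the `if` would make the intent explicit, such as `# Any status other than FINISHED_SUCCESS (including empty output from a failed describe) counts as a scan failure so the job fails closed`. Whether `set -e` is enabled earlier in the script is outside this view; if it is, a non-zero `gcloud` exit at line 36 aborts the whole loop rather than being tallied in `scan_failure_total`.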
