Generate cve report

.github/workflows/cve-report.yml

@@ -0,0 +1,76 @@
+name: cve-report
+
+on:
+  schedule:
+    - cron: '0 17 * * *'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  report:
+    name: Report
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: '1.21'
+
+    - name: Prepare git
+      env:
+        GITHUB_USER: 1gtm
+        GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
+      run: |
+        set -x
+        git config --global user.name "1gtm"
+        git config --global user.email "[email protected]"
+        git config --global \
+          url."https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com".insteadOf \
+          "https://github.com"
+        # git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git
+
+    # - name: Set up QEMU
+    #   id: qemu
+    #   uses: docker/setup-qemu-action@v3
+
+    # - name: Set up Docker Buildx
+    #   uses: docker/setup-buildx-action@v3
+    #   with:
+    #     platforms: linux/amd64,linux/arm64
+
+    # - name: Log in to the GitHub Container registry
+    #   uses: docker/login-action@v2
+    #   with:
+    #     registry: ghcr.io
+    #     username: ${{ github.actor }}
+    #     password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Install trivy
+      run: |
+        # wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb
+        # sudo dpkg -i trivy_0.18.3_Linux-64bit.deb
+        sudo apt-get install -y --no-install-recommends wget apt-transport-https gnupg lsb-release
+        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+        echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends trivy
+
+    - name: Generate report
+      run: |
+        go run ./cmd/generate-cve-report/main.go
+
+    - name: Update repo
+      run: |
+        git add --all
+        if [[ $(git status --porcelain) ]]; then
+          git commit -s -a -m "update redis images $(date --rfc-3339=date)"
+          git fetch origin
+          # https://git-scm.com/docs/merge-strategies
+          git pull --rebase -s ours origin master
+          git push origin HEAD
+        fi

Makefile

@@ -47,7 +47,7 @@ endif
 ### These variables should not need tweaking.
 ###
 
-SRC_PKGS := apis catalog tests # directories which hold app source (not vendored)
+SRC_PKGS := apis catalog cmd tests # directories which hold app source (not vendored)
 SRC_DIRS := $(SRC_PKGS)
 
 DOCKER_PLATFORMS := linux/amd64 linux/arm linux/arm64

catalog/kubedb/README.md

@@ -0,0 +1,4 @@
+# CVE Report:
+|      IMAGE REF      | CRITICAL |  HIGH   | MEDIUM  |  LOW   | UNKNOWN |
+|---------------------|----------|---------|---------|--------|---------|
+| apache/druid:25.0.0 | 0, 109   | 12, 225 | 27, 102 | 10, 15 | 0, 0    |

cmd/generate-cve-report/main.go

@@ -0,0 +1,216 @@
+/*
+Copyright AppsCode Inc. and Contributors
+
+Licensed under the AppsCode Community License 1.0.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strconv"
+
+	"kubedb.dev/installer/cmd/lib"
+
+	"github.com/olekukonko/tablewriter"
+	"kubeops.dev/scanner/apis/trivy"
+)
+
+func main() {
+	reports, err := GatherReport()
+	if err != nil {
+		panic(err)
+	}
+	data := GenerateMarkdownReport(reports)
+
+	rootDir, err := lib.RootDir()
+	if err != nil {
+		panic(err)
+	}
+
+	readmeFile := filepath.Join(rootDir, "catalog", "kubedb", "README.md")
+	err = os.WriteFile(readmeFile, data, 0o644)
+	if err != nil {
+		panic(err)
+	}
+}
+
+type CVEReport struct {
+	Ref      string
+	Critical Stats
+	High     Stats
+	Medium   Stats
+	Low      Stats
+	Unknown  Stats
+}
+
+type Stats struct {
+	OS    int
+	Other int
+}
+
+func (s Stats) String() string {
+	b, a := "0", "0"
+	if s.OS >= 0 {
+		b = strconv.Itoa(s.OS)
+	}
+	if s.Other >= 0 {
+		a = strconv.Itoa(s.Other)
+	}
+	return fmt.Sprintf("%s, %s", b, a)
+}
+
+func (s Stats) Zero() bool {
+	return s.OS+s.Other == 0
+}
+
+func (r CVEReport) NoCVE() bool {
+	return r.Critical.Zero() &&
+		r.High.Zero() &&
+		r.Medium.Zero() &&
+		r.Low.Zero() &&
+		r.Unknown.Zero()
+}
+
+func (r CVEReport) Headers() []string {
+	return []string{
+		"Image Ref",
+		"Critical",
+		"High",
+		"Medium",
+		"Low",
+		"Unknown",
+	}
+}
+
+func (r CVEReport) Strings() []string {
+	return []string{
+		r.Ref,
+		r.Critical.String(),
+		r.High.String(),
+		r.Medium.String(),
+		r.Low.String(),
+		r.Unknown.String(),
+	}
+}
+
+// "Class": "os-pkgs",
+func GatherReport() ([]CVEReport, error) {
+	images, err := lib.ListImages()
+	if err != nil {
+		return nil, err
+	}
+
+	sh := lib.NewShell()
+
+	reports := make([]CVEReport, 0, len(images))
+	for _, ref := range images {
+		cveReport := CVEReport{
+			Ref:      ref,
+			Critical: Stats{OS: -1, Other: -1},
+			High:     Stats{OS: -1, Other: -1},
+			Medium:   Stats{OS: -1, Other: -1},
+			Low:      Stats{OS: -1, Other: -1},
+			Unknown:  Stats{OS: -1, Other: -1},
+		}
+		if found, err := lib.ImageExists(ref); err != nil {
+			return nil, err
+		} else if found {
+			report, err := lib.Scan(sh, ref)
+			if err != nil {
+				return nil, err
+			}
+			setReport(report, &cveReport)
+		}
+		reports = append(reports, cveReport)
+
+		break
+	}
+
+	return reports, nil
+}
+
+func setReport(report *trivy.SingleReport, result *CVEReport) {
+	for _, rpt := range report.Results {
+		for _, tv := range rpt.Vulnerabilities {
+			switch tv.Severity {
+			case "CRITICAL":
+				if rpt.Class == "os-pkgs" {
+					result.Critical.OS += 1
+				} else {
+					result.Critical.Other += 1
+				}
+			case "HIGH":
+				if rpt.Class == "os-pkgs" {
+					result.High.OS += 1
+				} else {
+					result.High.Other += 1
+				}
+			case "MEDIUM":
+				if rpt.Class == "os-pkgs" {
+					result.Medium.OS += 1
+				} else {
+					result.Medium.Other += 1
+				}
+			case "LOW":
+				if rpt.Class == "os-pkgs" {
+					result.Low.OS += 1
+				} else {
+					result.Low.Other += 1
+				}
+			case "UNKNOWN":
+				if rpt.Class == "os-pkgs" {
+					result.Unknown.OS += 1
+				} else {
+					result.Unknown.Other += 1
+				}
+			}
+		}
+	}
+}
+
+func GenerateMarkdownReport(reports []CVEReport) []byte {
+	var buf bytes.Buffer
+	buf.WriteString("# CVE Report:")
+	buf.WriteRune('\n')
+	buf.Write(generateMarkdownTable(reports))
+
+	return buf.Bytes()
+}
+
+func generateMarkdownTable(reports []CVEReport) []byte {
+	var tr CVEReport
+
+	data := make([][]string, 0, len(reports))
+	for _, r := range reports {
+		data = append(data, r.Strings())
+	}
+	sort.Slice(data, func(i, j int) bool {
+		return data[i][0] < data[j][0]
+	})
+
+	var buf bytes.Buffer
+
+	table := tablewriter.NewWriter(&buf)
+	table.SetHeader(tr.Headers())
+	table.SetBorders(tablewriter.Border{Left: true, Top: false, Right: true, Bottom: false})
+	table.SetCenterSeparator("|")
+	table.AppendBulk(data) // Add Bulk Data
+	table.Render()
+
+	return buf.Bytes()
+}

cmd/lib/image.go

@@ -0,0 +1,89 @@
+/*
+Copyright AppsCode Inc. and Contributors
+
+Licensed under the AppsCode Community License 1.0.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lib
+
+import (
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	shell "gomodules.xyz/go-sh"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"kmodules.xyz/client-go/tools/parser"
+)
+
+func ListImages() ([]string, error) {
+	rootDir, err := RootDir()
+	if err != nil {
+		return nil, err
+	}
+
+	dir := filepath.Join(rootDir, "charts")
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		return nil, err
+	}
+
+	sh := shell.NewSession()
+	sh.SetDir(dir)
+	sh.ShowCMD = true
+
+	images := sets.New[string]()
+	for _, entry := range entries {
+		if !entry.IsDir() {
+			continue
+		}
+
+		out, err := sh.Command("helm", "template", entry.Name()).Output()
+		if err != nil {
+			panic(err)
+		}
+
+		helmout, err := parser.ListResources(out)
+		if err != nil {
+			panic(err)
+		}
+
+		for _, ri := range helmout {
+			collectImages(ri.Object.UnstructuredContent(), images)
+		}
+	}
+
+	result := make([]string, 0, images.Len())
+	for _, img := range images.UnsortedList() {
+		if strings.Contains(img, "${") {
+			continue
+		}
+		result = append(result, img)
+	}
+	sort.Strings(result)
+
+	return result, nil
+}
+
+func collectImages(obj map[string]any, images sets.Set[string]) {
+	for k, v := range obj {
+		if k == "image" {
+			if s, ok := v.(string); ok {
+				images.Insert(s)
+			}
+		} else if m, ok := v.(map[string]any); ok {
+			collectImages(m, images)
+		}
+	}
+}