jenkinsci / deepsecurity-smartcheck-plugin

Jenkins plugin that requests image scans from Deep Security Smart Check
Apache License 2.0

Deep Security Smart Check Scan Report is not working #4

Open winggundamth opened 4 years ago

winggundamth commented 4 years ago

After the scan finished, I went to the summary report and found the screenshot below.


I dug into some code and found that the report reads the output from `docker run deepsecurity/smartcheck-scan-action` and writes it to the artifact result file. So this is the cause of the problem, because the stdout from docker run is not in valid JSON format. It shows other plain text output too. I'm not sure whether to open this issue against this Smart Check Jenkins plugin or https://github.com/deep-security/smartcheck-scan-action

Please find the sample result JSON stdout below

info: Logging in...
info: Logged in
info: Creating scan...
info: Scan started.
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: scan finished with status: completed-with-findings
{
    "id": "a61daa1f-63bb-4b40-934d-175faaf309e7",
    "href": "/api/scans/a61daa1f-63bb-4b40-934d-175faaf309e7",
    "name": "registry.example.com/bookinfo/productpage:dev",
    "source": {
        "registry": "registry.example.com",
        "repository": "bookinfo/productpage",
        "tag": "dev",
        "type": "docker",
        "insecureSkipVerify": false
    },
    "status": "completed-with-findings",
    "details": {
        "requested": "2020-05-28T11:16:15Z",
        "started": "2020-05-28T11:16:16Z",
        "updated": "2020-05-28T11:16:58Z",
        "completed": "2020-05-28T11:16:58Z",
        "digest": "sha256:f9a8250150f088dae37db50d8d1575a60047f37a7a14fadee4ca2efe686a5e04",
        "os": "linux",
        "architecture": "amd64",
        "results": [
            {
                "id": "sha256:cbdbe7a5bc2a134ca8ec91be58565ec07d037386d1f1d8385412d224deafca08",
                "createdBy": "/bin/sh -c #(nop) ADD file:b91adb67b670d3a6ff9463e48b7def903ed516be66fc4282d22c53e41512be49 in / ",
                "createdAt": "2020-04-24T01:05:03Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:26ebcd19a4e3221ee54d309346df0869af0d74a25920287f70b0ee1da1bf75de",
                "createdBy": "/bin/sh -c apk add --no-cache ca-certificates",
                "createdAt": "2020-04-24T01:10:57Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:35acdcbeccf10aebe0958173e6cb658cc153db5b0494c9b2b0fe40b342374542",
                "createdBy": "/bin/sh -c set -ex \t&& apk add --no-cache --virtual .fetch-deps \t\tgnupg \t\ttar \t\txz \t\t&& wget -O python.tar.xz \"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz\" \t&& wget -O python.tar.xz.asc \"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc\" \t&& export GNUPGHOME=\"$(mktemp -d)\" \t&& gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys \"$GPG_KEY\" \t&& gpg --batch --verify python.tar.xz.asc python.tar.xz \t&& { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \t&& rm -rf \"$GNUPGHOME\" python.tar.xz.asc \t&& mkdir -p /usr/src/python \t&& tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \t&& rm python.tar.xz \t\t&& apk add --no-cache --virtual .build-deps  \t\tbluez-dev \t\tbzip2-dev \t\tcoreutils \t\tdpkg-dev dpkg \t\texpat-dev \t\tfindutils \t\tgcc \t\tgdbm-dev \t\tlibc-dev \t\tlibffi-dev \t\tlibnsl-dev \t\tlibtirpc-dev \t\tlinux-headers \t\tmake \t\tncurses-dev \t\topenssl-dev \t\tpax-utils \t\treadline-dev \t\tsqlite-dev \t\ttcl-dev \t\ttk \t\ttk-dev \t\tutil-linux-dev \t\txz-dev \t\tzlib-dev \t&& apk del --no-network .fetch-deps \t\t&& cd /usr/src/python \t&& gnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\" \t&& ./configure \t\t--build=\"$gnuArch\" \t\t--enable-loadable-sqlite-extensions \t\t--enable-optimizations \t\t--enable-option-checking=fatal \t\t--enable-shared \t\t--with-system-expat \t\t--with-system-ffi \t\t--without-ensurepip \t&& make -j \"$(nproc)\" \t\tEXTRA_CFLAGS=\"-DTHREAD_STACK_SIZE=0x100000\" \t&& make install \t\t&& find /usr/local -type f -executable -not \\( -name '*tkinter*' \\) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \t\t| tr ',' '\\n' \t\t| sort -u \t\t| awk 'system(\"[ -e /usr/local/lib/\" $1 \" ]\") == 0 { next } { print \"so:\" $1 }' \t\t| xargs -rt apk add --no-cache --virtual .python-rundeps \t&& apk del --no-network .build-deps \t\t&& 
find /usr/local -depth \t\t\\( \t\t\t\\( -type d -a \\( -name test -o -name tests -o -name idle_test \\) \\) \t\t\t-o \t\t\t\\( -type f -a \\( -name '*.pyc' -o -name '*.pyo' \\) \\) \t\t\\) -exec rm -rf '{}' + \t&& rm -rf /usr/src/python \t\t&& python3 --version",
                "createdAt": "2020-04-24T01:34:28Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:647f327f91ddb1dd668d2647783c6138710571d7c6f8b87f7e550cbeb619bc26",
                "createdBy": "/bin/sh -c cd /usr/local/bin \t&& ln -s idle3 idle \t&& ln -s pydoc3 pydoc \t&& ln -s python3 python \t&& ln -s python3-config python-config",
                "createdAt": "2020-04-24T01:34:30Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:9add0a120de2565c11f584ee700dbbfc335a3f1d8f5590152463f99146391425",
                "createdBy": "/bin/sh -c set -ex; \t\twget -O get-pip.py \"$PYTHON_GET_PIP_URL\"; \techo \"$PYTHON_GET_PIP_SHA256 *get-pip.py\" | sha256sum -c -; \t\tpython get-pip.py \t\t--disable-pip-version-check \t\t--no-cache-dir \t\t\"pip==$PYTHON_PIP_VERSION\" \t; \tpip --version; \t\tfind /usr/local -depth \t\t\\( \t\t\t\\( -type d -a \\( -name test -o -name tests -o -name idle_test \\) \\) \t\t\t-o \t\t\t\\( -type f -a \\( -name '*.pyc' -o -name '*.pyo' \\) \\) \t\t\\) -exec rm -rf '{}' +; \trm -f get-pip.py",
                "createdAt": "2020-04-29T17:38:10Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:849dbde68abc162cbf7821a798c68298ecea2a4e25d676c1abc41d6532ac6cb5",
                "createdBy": "WORKDIR /usr/src/app",
                "createdAt": "2020-05-28T05:19:29Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:7249eb61dcd124483687d5f709ea7016d6ec66a90ffd0e3a692f92639e8eff33",
                "createdBy": "COPY /opt/venv /opt/venv # buildkit",
                "createdAt": "2020-05-28T05:25:22Z",
                "contents": "/api/scans/a61daa1f-63bb-4b40-934d-175faaf309e7/layers/sha256:7249eb61dcd124483687d5f709ea7016d6ec66a90ffd0e3a692f92639e8eff33/contents",
                "findings": {
                    "contents": {
                        "total": {
                            "high": 11
                        },
                        "unresolved": {
                            "high": 11
                        }
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:2915a4a2b503e3a0bbf480ab152854505aa7aeeb0f5e097d917757adf775769e",
                "createdBy": "COPY src/ /usr/src/app/ # buildkit",
                "createdAt": "2020-05-28T05:25:23Z",
                "contents": "/api/scans/a61daa1f-63bb-4b40-934d-175faaf309e7/layers/sha256:2915a4a2b503e3a0bbf480ab152854505aa7aeeb0f5e097d917757adf775769e/contents",
                "findings": {
                    "contents": {
                        "total": {
                            "high": 1
                        },
                        "unresolved": {
                            "high": 1
                        }
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            }
        ]
    },
    "findings": {
        "contents": {
            "total": {
                "high": 12
            },
            "unresolved": {
                "high": 12
            }
        },
        "vulnerabilities": {
            "total": {},
            "unresolved": {},
            "fixAvailable": {}
        },
        "checklists": {
            "unresolved": {},
            "total": {}
        },
        "scanners": {
            "malware": {
                "status": "ok",
                "updated": "2020-05-28T00:30:05Z",
                "versions": {
                    "icrc": "1589300",
                    "trendX": "111200",
                    "blacklist": "25100"
                }
            },
            "vulnerabilities": {
                "status": "ok",
                "updated": "2020-05-28T01:08:08Z"
            },
            "vulnerabilityPatterns": {
                "status": "ok"
            }
        }
    }
}info: Content findings exceeded threshold { high: 12 }
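One way a pipeline step could check the archived scan-results.json and still recover the scan object when the stdout pollution described above has occurred, as an added example that is not part of the plugin or of smartcheck-scan-action; the sample stdout is constructed to mirror the report above, and treating a threshold as the maximum allowed unresolved count per severity is an assumption:

```python
import json

# Constructed sample of the mixed stdout reported in the issue: log lines,
# the scan JSON, then a trailing info line fused to the closing brace.
SAMPLE_STDOUT = """info: scan finished with status: completed-with-findings
{
    "id": "00000000-0000-0000-0000-000000000000",
    "status": "completed-with-findings",
    "findings": {
        "contents": {"total": {"high": 12}, "unresolved": {"high": 12}},
        "vulnerabilities": {"total": {}, "unresolved": {}, "fixAvailable": {}},
        "checklists": {"unresolved": {}, "total": {}}
    }
}info: Content findings exceeded threshold { high: 12 }
"""

def is_clean_json(text):
    """True only if the artifact is exactly one JSON document (expected case)."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

def extract_scan_json(text):
    """Recover the scan object from stdout polluted with log lines.
    raw_decode parses one value from an offset and ignores what follows,
    so the "}info: ..." tail seen in the report does not break it."""
    decoder = json.JSONDecoder()
    start = text.find("{")
    while start != -1:
        try:
            obj, _ = decoder.raw_decode(text, start)
            if isinstance(obj, dict) and "findings" in obj:
                return obj
        except json.JSONDecodeError:
            pass  # not JSON at this brace (e.g. "{ high: 12 }"); keep looking
        start = text.find("{", start + 1)
    raise ValueError("no scan result object found in scanner output")

def threshold_breaches(scan, thresholds):
    """(category, severity, count) for each unresolved count above threshold."""
    breaches = []
    for category, summary in scan.get("findings", {}).items():
        unresolved = summary.get("unresolved", {}) if isinstance(summary, dict) else {}
        for severity, count in unresolved.items():
            if count > thresholds.get(severity, 0):
                breaches.append((category, severity, count))
    return breaches
```

A pipeline can fail fast on `is_clean_json` returning False for the archived file, which is the symptom this issue reports, while `extract_scan_json` keeps the findings usable for the report in the meantime.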
johan1252 commented 4 years ago

Hi @winggundamth,

I was able to reproduce this only when using the kubernetes plugin (1.25.7). Verified that behaviour is correct when using Jenkins slaves outside of the kubernetes plugin.

The expected behaviour is: Stdout (no JSON is printed to STDOUT):

16:51:21  info: Logging in...
16:51:21  info: Logged in
16:51:21  info: Creating scan...
16:51:21  info: Scan started.
16:51:26  info: Checking scan status...
16:51:32  info: Checking scan status...
16:51:37  info: Checking scan status...
16:51:37  info: scan finished with status: completed-with-findings
16:51:37  info: Malware found: 1
16:51:37  Status code was: 2
16:51:37  Build root directory: /var/jenkins_home/jobs/Developer/jobs/test/jobs/test/builds/80
16:51:37  Workspace remote: /builds/workspace/Developer/test/test
16:51:37  Archiving artifacts: scan-results.json

Archived file scan-results.json:

{
    "id": "5dd061a8-d21e-424c-bb7f-9b9f2a6a98f6",
    "href": "/api/scans/5dd061a8-d21e-424c-bb7f-9b9f2a6a98f6",
....

contains only valid JSON


At this time it looks like multiple features are not supported when running with the kubernetes plugin. If you are interested in having this support you could look into creating a PR for the kubernetes plugin to fix these issues.