microsoft / ApplicationInspector

A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.
MIT License
4.24k stars 353 forks

publish official docker image #100

Open exfly opened 4 years ago

guyacosta commented 4 years ago

Great idea. Will look into which APIs would be affected and let you know.

jusso-dev commented 4 years ago

The biggest initial issue you are going to have with this is how to consume the output, because it writes either the JSON or HTML output relative to where the program has run, i.e. in this case, inside the container.

You would either need to write a REST API layer to expose the results over HTTP, or write another positional argument layer to write the output to some form of online reachable storage bucket, either Azure Blob Storage or an S3 bucket.

EDIT: there's one more option: the Docker image mandates the use of volumes so the output can be consumed remotely.

eoftedal commented 4 years ago

Yeah, the last option is the one I would prefer. Mount the current folder as a volume, and scan that and push the report into the same folder.

eoftedal commented 4 years ago

Dockerfile:

FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster

RUN apt-get update && apt-get install -y unzip

WORKDIR /app

ENV VERSION=1.0.26

RUN curl -L https://github.com/microsoft/ApplicationInspector/releases/download/v${VERSION}/ApplicationInspector_linux_${VERSION}.zip -o /app/appinspect.zip && \
    unzip appinspect.zip && \
    mv /app/ApplicationInspector_${VERSION}/ /app/ApplicationInspector

ENTRYPOINT ["dotnet", "/app/ApplicationInspector/AppInspector.dll"]

Build image:

docker build -t appinspect .

Run scan (from folder you want to scan):

docker run -v "$(pwd)":/data appinspect analyze -s /data

jusso-dev commented 4 years ago

EDIT: Have to use buster as there is no "apt-get" in alpine, and have changed the useradd command. Also, remove dependencies that are not needed after build.

I like the above, but I think this is better from a security standpoint:

FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster

RUN apt-get update && apt-get install -y unzip

WORKDIR /app

ENV VERSION=1.0.26

RUN curl -L https://github.com/microsoft/ApplicationInspector/releases/download/v${VERSION}/ApplicationInspector_linux_${VERSION}.zip -o /app/appinspect.zip && \
    unzip appinspect.zip && \
    mv /app/ApplicationInspector_${VERSION}/ /app/ApplicationInspector

RUN rm appinspect.zip 
RUN apt-get remove unzip -y

RUN useradd --create-home --shell /bin/bash appinspector
USER appinspector

ENTRYPOINT ["dotnet", "/app/ApplicationInspector/AppInspector.dll"]
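
An added example, not part of the original thread and not the project's own Dockerfile: a multi-stage variant of the two Dockerfiles above. Files deleted in a later RUN layer still exist in the earlier layers, so here the archive and unzip stay in a throwaway stage and the download is checked against a hash before use. `ZIP_SHA256`, the `/src` and `/out` mount points, and the runtime-only base image are assumptions of this example.

```dockerfile
# Stage 1: fetch and verify the release archive. Nothing from this stage
# reaches the final image except the unpacked tool directory.
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS fetch

ARG VERSION=1.0.26
# Assumption: you supply the archive's SHA-256 yourself, e.g.
#   docker build --build-arg ZIP_SHA256=<sha256-of-release-zip> -t appinspect .
ARG ZIP_SHA256

RUN apt-get update \
 && apt-get install -y --no-install-recommends unzip \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /fetch
# test -n aborts the build when no hash was given; curl -f fails on an HTTP
# error instead of saving the error page; sha256sum -c rejects a mismatch.
RUN test -n "${ZIP_SHA256}" \
 && curl -fsSL "https://github.com/microsoft/ApplicationInspector/releases/download/v${VERSION}/ApplicationInspector_linux_${VERSION}.zip" -o appinspect.zip \
 && echo "${ZIP_SHA256}  appinspect.zip" | sha256sum -c - \
 && unzip -q appinspect.zip \
 && mv "ApplicationInspector_${VERSION}" /opt/ApplicationInspector

# Stage 2: runtime only. Assumption: the archive is framework-dependent (the
# thread starts it with "dotnet AppInspector.dll"), so no SDK is needed.
FROM mcr.microsoft.com/dotnet/core/runtime:3.1-buster-slim

COPY --from=fetch /opt/ApplicationInspector /app/ApplicationInspector

# Unprivileged account with no login shell; the scanner does not need root.
RUN useradd --create-home --shell /usr/sbin/nologin appinspector
USER appinspector
WORKDIR /home/appinspector

ENTRYPOINT ["dotnet", "/app/ApplicationInspector/AppInspector.dll"]

# Run with the source mounted read-only, a separate writable report folder,
# no network, and your own UID so the report is owned by you on the host
# (/src and /out are names chosen for this example):
#   mkdir -p report
#   docker run --rm --network none --user "$(id -u):$(id -g)" \
#     -v "$(pwd)":/src:ro -v "$(pwd)/report":/out \
#     appinspect analyze -s /src -f json -o /out/report.json
```
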

jusso-dev commented 4 years ago

So this is actually blocked by issue #133 due to the following error:

"Analyze command running 100% source files processed Preparing report A runtime error has occured. Please see log file for more information."

You cannot open a browser in Docker.

Att: @guyacosta

guyacosta commented 4 years ago

133 is fixed with commit #145. I have a non-public Azure Function that exposes the AppInspector analyze functionality. I like the option to submit an online storage source and target with an auth token etc. I'm getting some tasks out of the way to focus on more enhancements like full Docker support but believe this option is low hanging as there is less ramp etc. I'll see what I can do this week for it.

guyacosta commented 4 years ago

We've discussed this last option and decided to let this get handled by user developers to mount a source and destination drive. We still plan to provide Docker support which is coming soon.

gfs commented 4 years ago

@jusso-dev

Try this:

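FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster

RUN dotnet tool install --global Microsoft.CST.ApplicationInspector.CLI

# Global tools are installed under /root/.dotnet/tools; make sure that directory is on PATH so the entrypoint resolves
ENV PATH="${PATH}:/root/.dotnet/tools"

ENTRYPOINT ["appinspector"]

jusso-dev commented 4 years ago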

That’ll work @gfs, once I have a Dockerfile that works, do you want me to submit a pull request, along with instructions on how to use it?

gfs commented 4 years ago

We are working on a dockerfile that can be used in our pipeline to push an image to docker hub. That will need to not take a dependency on the dotnet tool installer since it will be built in the devops pipeline.

Once we have that up and running you should be able to pull an image directly from docker hub.

SamBalg commented 4 years ago

@gfs We are also working on a similar requirement. Is your docker image ready?

gfs commented 4 years ago

@daalcant is working on the pipeline components.

In the meantime you can use the short dockerfile I posted above.

SamBalg commented 4 years ago

Trying to spin up docker containers with a docker-compose file, which spins up Redis and AppInspector. Is there a way I can directly call the AppInspector image in the compose file? Also, where will it store the scan results?

gfs commented 4 years ago

You could build the image locally with a name and refer to it in your compose file depending on your configuration.

You'll need to define mount points in your compose file and provide the correct arguments to application inspector to output to them.


gfs commented 4 years ago

You can also check the official documentation here for an example of using docker compose with building a Dockerfile: https://docs.docker.com/compose/gettingstarted/#step-3-define-services-in-a-compose-file

james-garriss commented 11 months ago

Would like to see this issue revisited. It would be helpful to release a Dockerfile using current containers and/or an image on Docker Hub. It would also be helpful to have a GitHub Action so that it can be used as part of CI/CD pipelines on GitHub.

gfs commented 11 months ago

Thanks for the feedback. It’s looking unlikely we will publish a docker image to a registry.

However, it is trivial to include appinspector in a docker file - as long as you have the .NET SDK you can use the tool install mechanism already documented in the readme and wiki.

There is also already an app inspector action - you can use this as well for designing a docker file that leverages app inspector.

https://github.com/microsoft/ApplicationInspector-Action