solo-io / go-utils

golang utilities
Apache License 2.0

Security Scan CLI Enhancements #505

Closed sam-heilbron closed 1 year ago

sam-heilbron commented 1 year ago

Description

Improve the clarity and functionality of the security scan cli

Context

Breaking Changes

I removed some exported functions which technically make this a breaking change. These functions shouldn't have been consumed since the entry points to this code should either be the CLI, or the main functions, but to follow semver, this was a breaking change.

CLI Changes

Previously the CLI that was available supported the following commands:

  - echo-inputs: Prints out all the state of all inputs (including inputted, defaults, and derived) for debugging purposes
  - gen-releases: cache github releases for inputted repository. This is its own command to protect against rate-limiting by github by trying to pull releases too much.
  - gen-security-scan-md: pull down security scan files from gcloud bucket and generate docs markdown file
  - run-security-scan: runs trivy scans on images from repo specified

There were a few drawbacks to these options:

  1. Some of them weren't consumed by any projects
  2. All of the options were defined at the global level, even though certain commands only required a subset of those options. This made the code challenging to reason through and the cli less usable
  3. All the commands were in a single file

As a result, I:

  1. Removed the commands that weren't in use (echo-inputs, gen-releases)
  2. Moved the options to only the command they were relevant to
  3. Split each command up into its own file
  4. Added a new command: scan-version, which supports the new functionality I wanted to add

Scan-Version

We have a batch job which scans an entire repo for CVEs and identifies those vulnerabilities for all issues and all versions.

Once we identify a CVE, we work to fix it locally. It is then helpful to be able to easily run a scan against that local version to confirm that the vulnerability is resolved. This command makes it easy to run a single command and verify the changes, instead of needing to run trivy manually for each image and version combination.

Testing

Gloo Edge

https://github.com/solo-io/gloo/pull/7490

VERSION=1.13.0-rc1 make scan-version

PATH=/Users/samheilbron/go/src/github.com/solo-io/gloo/_output/.bin:$PATH GO111MODULE=on go run github.com/solo-io/go-utils/securityscanutils/cli scan-version -v \
                -r quay.io/solo-io\
                -t 1.13.0-rc1\
                --images gloo,gloo-envoy-wrapper,discovery,ingress,sds,certgen,access-logger,kubectl
{"level":"info","ts":"2022-12-05T13:37:06.137-0500","caller":"commands/scan_version.go:73","msg":"Starting ScanVersion with version=1.13.0-rc1"}
{"level":"debug","ts":"2022-12-05T13:37:07.340-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.202382497s in quay.io/solo-io/gloo:1.13.0-rc1"}
{"level":"debug","ts":"2022-12-05T13:37:07.340-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: quay.io/solo-io/gloo:1.13.0-rc1, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T13:37:08.713-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.372851805s in quay.io/solo-io/gloo-envoy-wrapper:1.13.0-rc1"}
{"level":"debug","ts":"2022-12-05T13:37:08.713-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: quay.io/solo-io/gloo-envoy-wrapper:1.13.0-rc1, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T13:37:09.975-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.262385305s in quay.io/solo-io/discovery:1.13.0-rc1"}
{"level":"debug","ts":"2022-12-05T13:37:09.975-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: quay.io/solo-io/discovery:1.13.0-rc1, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T13:37:11.238-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.262496832s in quay.io/solo-io/ingress:1.13.0-rc1"}
{"level":"debug","ts":"2022-12-05T13:37:11.238-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: quay.io/solo-io/ingress:1.13.0-rc1, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T13:37:12.494-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.255905841s in quay.io/solo-io/sds:1.13.0-rc1"}
{"level":"debug","ts":"2022-12-05T13:37:12.494-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: quay.io/solo-io/sds:1.13.0-rc1, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T13:37:13.625-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.130851418s in quay.io/solo-io/certgen:1.13.0-rc1"}
{"level":"debug","ts":"2022-12-05T13:37:13.625-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: quay.io/solo-io/certgen:1.13.0-rc1, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T13:37:14.899-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.274032312s in quay.io/solo-io/access-logger:1.13.0-rc1"}
{"level":"debug","ts":"2022-12-05T13:37:14.899-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: quay.io/solo-io/access-logger:1.13.0-rc1, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T13:37:16.049-0500","caller":"securityscanutils/trivy_scanner.go:83","msg":"Trivy returned 0 after 1.150438335s on quay.io/solo-io/kubectl:1.13.0-rc1"}
{"level":"debug","ts":"2022-12-05T13:37:16.049-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: quay.io/solo-io/kubectl:1.13.0-rc1, ScanCompleted: true, VulnerabilityFound: false, Error: <nil>"}
{"level":"info","ts":"2022-12-05T13:37:16.050-0500","caller":"commands/scan_version.go:31","msg":"Vulernabilities found! Affected images: [quay.io/solo-io/gloo:1.13.0-rc1 quay.io/solo-io/gloo-envoy-wrapper:1.13.0-rc1 quay.io/solo-io/discovery:1.13.0-rc1 quay.io/solo-io/ingress:1.13.0-rc1 quay.io/solo-io/sds:1.13.0-rc1 quay.io/solo-io/certgen:1.13.0-rc1 quay.io/solo-io/access-logger:1.13.0-rc1]. Formatted results: _output/scans/1.13.0-rc1"}

Developer Portal

Does not currently use the CLI so it is not affected by these changes.

Gloo Mesh

https://github.com/solo-io/gloo-mesh-enterprise/pull/6300

VERSION=2.0.24 make scan-version

GOPRIVATE=github.com/solo-io GO111MODULE=on go run github.com/solo-io/go-utils/securityscanutils/cli scan-version -v \
                -r gcr.io/gloo-mesh\
                -t 2.0.24\
                --images gloo-mesh-agent,gloo-mesh-apiserver,gloo-mesh-istiod-agent,gloo-mesh-mgmt-server,gloo-mesh-ui
{"level":"info","ts":"2022-12-05T14:43:53.559-0500","caller":"commands/scan_version.go:73","msg":"Starting ScanVersion with version=2.0.24"}
{"level":"debug","ts":"2022-12-05T14:43:56.391-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 2.830649126s in gcr.io/gloo-mesh/gloo-mesh-agent:2.0.24"}
{"level":"debug","ts":"2022-12-05T14:43:56.391-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: gcr.io/gloo-mesh/gloo-mesh-agent:2.0.24, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T14:43:58.173-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.78209948s in gcr.io/gloo-mesh/gloo-mesh-apiserver:2.0.24"}
{"level":"debug","ts":"2022-12-05T14:43:58.173-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: gcr.io/gloo-mesh/gloo-mesh-apiserver:2.0.24, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T14:43:59.925-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.751780972s in gcr.io/gloo-mesh/gloo-mesh-istiod-agent:2.0.24"}
{"level":"debug","ts":"2022-12-05T14:43:59.925-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: gcr.io/gloo-mesh/gloo-mesh-istiod-agent:2.0.24, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T14:44:01.460-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.53509241s in gcr.io/gloo-mesh/gloo-mesh-mgmt-server:2.0.24"}
{"level":"debug","ts":"2022-12-05T14:44:01.460-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: gcr.io/gloo-mesh/gloo-mesh-mgmt-server:2.0.24, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"debug","ts":"2022-12-05T14:44:02.977-0500","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 1.516674322s in gcr.io/gloo-mesh/gloo-mesh-ui:2.0.24"}
{"level":"debug","ts":"2022-12-05T14:44:02.977-0500","caller":"commands/scan_version.go:100","msg":"Scanned Image: gcr.io/gloo-mesh/gloo-mesh-ui:2.0.24, ScanCompleted: true, VulnerabilityFound: true, Error: <nil>"}
{"level":"info","ts":"2022-12-05T14:44:02.977-0500","caller":"commands/scan_version.go:31","msg":"Vulernabilities found! Affected images: [gcr.io/gloo-mesh/gloo-mesh-agent:2.0.24 gcr.io/gloo-mesh/gloo-mesh-apiserver:2.0.24 gcr.io/gloo-mesh/gloo-mesh-istiod-agent:2.0.24 gcr.io/gloo-mesh/gloo-mesh-mgmt-server:2.0.24 gcr.io/gloo-mesh/gloo-mesh-ui:2.0.24]. Formatted results: _output/scans/2.0.24"}
solo-changelog-bot[bot] commented 1 year ago

Issues linked to changelog: https://github.com/solo-io/go-utils/issues/469

nfuden commented 1 year ago

Why would one run a scan for a version locally? Wouldn't it be easier to just run an existing github action? Otherwise I generally like the approach

sam-heilbron commented 1 year ago

> Why would one run a scan for a version locally? Wouldn't it be easier to just run an existing github action? Otherwise I generally like the approach

The github action only runs a batch of scans (scan-repo). When we identify that a CVE exists for a given version, we want to resolve it. This command allows us to easily scan a version, build a new one, and scan that, and confirm that the CVE is in fact resolved.

Without it we end up running a bunch of trivy commands locally. This is pulling https://github.com/solo-io/solo-projects/tree/master/hack/trivy, which was previously done per-repo, into a shared space.