Merge changes from topic "OAM-318"
authorMartin Skorupski <martin.skorupski@highstreet-technologies.com>
Mon, 27 Mar 2023 15:07:58 +0000 (15:07 +0000)
committerGerrit Code Review <gerrit@o-ran-sc.org>
Mon, 27 Mar 2023 15:07:58 +0000 (15:07 +0000)
* changes:
  Create script for SBOM and Vulnerabilities analysis of the solution docker images
  Create script for SBOM and Vulnerabilities analysis of the solution docker images
  Create script for SBOM and Vulnerabilities analysis of the solution docker images

.gitignore
code/container-analysis/README.md [new file with mode: 0644]
code/container-analysis/container-analysis.sh [moved from code/container-analysis.sh with 66% similarity]

index ec257e8..e33e69d 100644 (file)
@@ -74,6 +74,10 @@ package-lock.json
 # nodered
 *.backup
 
+# container-analyis
+*.sbom.spdx.json
+*.vulnerabilities.vex.json
+
 # documentation
 .tox
 docs/_build/
diff --git a/code/container-analysis/README.md b/code/container-analysis/README.md
new file mode 100644 (file)
index 0000000..d48fd6a
--- /dev/null
@@ -0,0 +1,31 @@
+# Container Analysis
+
+This directory contains a script to output Software Bill of Materials (SBOM)tree and vulnerabilities of running docker images.
+
+## Prerequisites
+
+The script depend on the [Syft](https://github.com/anchore/syft) project and the [Grype](https://github.com/anchore/grype) project.
+
+### Installing syft
+
+```
+curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+```
+
+### Installing grype
+
+```
+curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+```
+
+## Usage
+
+Once your docker containers are up and running just use:
+
+```
+./container-analysis.sh
+```
+
+Note: It takes time ...
+
+You will find the results in the 'out' folder.
\ No newline at end of file
similarity index 66%
rename from code/container-analysis.sh
rename to code/container-analysis/container-analysis.sh
index 087675c..880d7a0 100755 (executable)
 
 SYFT=$(which syft)
 if [ -z "$SYFT" ]; then
-    echo "unable to find syft. please install."
+    echo "Unable to find syft. Please install."
     exit 1
 fi
 
 GRYPE=$(which grype)
 if [ -z "$GRYPE" ]; then
-    echo "unable to find grype. please install."
+    echo "Unable to find grype. Please install."
     exit 1
 fi
 
-excluded_images=(nexus3.onap.org:10001/onap/dmaap/dmaap-mr:1.1.18 nexus3.onap.org:10001/onap/dmaap/kafka111:1.0.4 nexus3.onap.org:10001/onap/dmaap/zookeeper:6.0.3 nexus3.onap.org:10001/onap/org.onap.dcaegen2.collectors.ves.vescollector:1.10.1)
+mkdir -p out
+
+excluded_images=()
 
 image_names=($(docker ps --format '{{.Image}}' | tr ' ' '\n' | sort -u | tr '\n' ' '))
 
+# avoid doublicates
 for ele in "${excluded_images[@]}"; do
-image_names=(${image_names[@]/*${ele}*/})
+ image_names=(${image_names[@]/*${ele}*/})
 done
 
 echo "Analysing following images: ${image_names[*]}"
 
 for image in "${image_names[@]}"; do
-image_name_no_repo="${image##*/}"
-echo "Creating SBOM for ${image} in ${image_name_no_repo}.sbom.spdx.json..."
-${SYFT} -q ${image} -o spdx-json --file ${image_name_no_repo}.sbom.spdx.json
-echo "Creating Vulnerabilities for ${image} in ${image_name_no_repo}.vulnerabilities.vex.json..."
-${GRYPE} -q ${image} -o embedded-cyclonedx-vex-json --file ${image_name_no_repo}.vulnerabilities.vex.json
+  image_name_no_repo="${image##*/}"
+  echo "Creating SBOM for ${image} in ${image_name_no_repo}.sbom.spdx.json..."
+  ${SYFT} -q ${image} -o spdx-json --file out/${image_name_no_repo}.sbom.spdx.json
+  echo "Creating Vulnerabilities for ${image} in ${image_name_no_repo}.vulnerabilities.vex.json..."
+  ${GRYPE} -q ${image} -o embedded-cyclonedx-vex-json --file out/${image_name_no_repo}.vulnerabilities.vex.json
 done
 
 echo "Done!"
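Review bot: Neither the syft nor the grype call inside the loop checks its exit status, and the script sets no `set -e`, so a scan that fails (image not pullable, grype DB update failing) leaves no report for that image while the run still prints `Done!` and exits 0, which makes a missing vulnerability file easy to overlook; the rewrite below records each failure on stderr, quotes the expansions, and makes the final exit status reflect them. The output name `${image##*/}` discards the registry and repository path, so two running images that differ only there (a constructed example: `a/app:1.0` and `b/app:1.0`) would write to the same files in `out/` and the second would silently overwrite the first — keeping the full reference with `/` replaced by `_` avoids that. The new comment `# avoid doublicates` is misspelled and describes the wrong thing: `sort -u` two lines above already removes duplicates, and this loop drops the entries in `excluded_images`, so `# drop images listed in excluded_images` would match what it does. The shebang and anything before the `SYFT=` line are outside the hunk, so I cannot tell whether the script already sets options at the top.
```shell
status=0
for image in "${image_names[@]}"; do
  image_name_no_repo="${image##*/}"
  echo "Creating SBOM for ${image} in ${image_name_no_repo}.sbom.spdx.json..."
  "${SYFT}" -q "${image}" -o spdx-json --file "out/${image_name_no_repo}.sbom.spdx.json" \
    || { echo "syft failed for ${image}" >&2; status=1; }
  echo "Creating Vulnerabilities for ${image} in ${image_name_no_repo}.vulnerabilities.vex.json..."
  "${GRYPE}" -q "${image}" -o embedded-cyclonedx-vex-json --file "out/${image_name_no_repo}.vulnerabilities.vex.json" \
    || { echo "grype failed for ${image}" >&2; status=1; }
done

echo "Done!"
exit "${status}"
```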