From: Martin Skorupski Date: Mon, 27 Mar 2023 15:07:58 +0000 (+0000) Subject: Merge changes from topic "OAM-318" X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=0b06d8c2c317761231705f03a1fbb8470e99a64e;hp=d6013345acc29b162ffb13d9b5b2bef61ec033ca;p=oam.git Merge changes from topic "OAM-318" * changes: Create script for SBOM and Vulnerabilities analysis of the solution docker images Create script for SBOM and Vulnerabilities analysis of the solution docker images Create script for SBOM and Vulnerabilities analysis of the solution docker images --- diff --git a/.gitignore b/.gitignore index ec257e8..e33e69d 100644 --- a/.gitignore +++ b/.gitignore @@ -74,6 +74,10 @@ package-lock.json # nodered *.backup +# container-analyis +*.sbom.spdx.json +*.vulnerabilities.vex.json + # documentation .tox docs/_build/ diff --git a/code/container-analysis/README.md b/code/container-analysis/README.md new file mode 100644 index 0000000..d48fd6a --- /dev/null +++ b/code/container-analysis/README.md @@ -0,0 +1,31 @@ +# Container Analysis + +This directory contains a script to output Software Bill of Materials (SBOM)tree and vulnerabilities of running docker images. + +## Prerequisites + +The script depend on the [Syft](https://github.com/anchore/syft) project and the [Grype](https://github.com/anchore/grype) project. + +### Installing syft + +``` +curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin +``` + +### Installing grype + +``` +curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin +``` + +## Usage + +Once your docker containers are up and running just use: + +``` +./container-analysis.sh +``` + +Note: It takes time ... + +You will find the results in the 'out' folder. \ No newline at end of file 
diff --git a/code/container-analysis.sh b/code/container-analysis/container-analysis.sh similarity index 66% rename from code/container-analysis.sh rename to code/container-analysis/container-analysis.sh index 087675c..880d7a0 100755 --- a/code/container-analysis.sh +++ b/code/container-analysis/container-analysis.sh 
@@ -27,32 +27,35 @@ SYFT=$(which syft) if [ -z "$SYFT" ]; then - echo "unable to find syft. please install." + echo "Unable to find syft. Please install." exit 1 fi GRYPE=$(which grype) if [ -z "$GRYPE" ]; then - echo "unable to find grype. please install." + echo "Unable to find grype. Please install." exit 1 fi -excluded_images=(nexus3.onap.org:10001/onap/dmaap/dmaap-mr:1.1.18 nexus3.onap.org:10001/onap/dmaap/kafka111:1.0.4 nexus3.onap.org:10001/onap/dmaap/zookeeper:6.0.3 nexus3.onap.org:10001/onap/org.onap.dcaegen2.collectors.ves.vescollector:1.10.1) +mkdir -p out + +excluded_images=() image_names=($(docker ps --format '{{.Image}}' | tr ' ' '\n' | sort -u | tr '\n' ' ')) +# avoid doublicates for ele in "${excluded_images[@]}"; do -image_names=(${image_names[@]/*${ele}*/}) + image_names=(${image_names[@]/*${ele}*/}) done echo "Analysing following images: ${image_names[*]}" for image in "${image_names[@]}"; do -image_name_no_repo="${image##*/}" -echo "Creating SBOM for ${image} in ${image_name_no_repo}.sbom.spdx.json..." -${SYFT} -q ${image} -o spdx-json --file ${image_name_no_repo}.sbom.spdx.json -echo "Creating Vulnerabilities for ${image} in ${image_name_no_repo}.vulnerabilities.vex.json..." -${GRYPE} -q ${image} -o embedded-cyclonedx-vex-json --file ${image_name_no_repo}.vulnerabilities.vex.json + image_name_no_repo="${image##*/}" + echo "Creating SBOM for ${image} in ${image_name_no_repo}.sbom.spdx.json..." + ${SYFT} -q ${image} -o spdx-json --file out/${image_name_no_repo}.sbom.spdx.json + echo "Creating Vulnerabilities for ${image} in ${image_name_no_repo}.vulnerabilities.vex.json..." + ${GRYPE} -q ${image} -o embedded-cyclonedx-vex-json --file out/${image_name_no_repo}.vulnerabilities.vex.json done echo "Done!"
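Review bot: The `${SYFT}` and `${GRYPE}` invocations inside the loop run unchecked, so a failed scan (for example grype unable to refresh its vulnerability database, or an image that cannot be loaded) leaves `out/` without that image's report while the script still prints `Done!` and exits 0 — for a vulnerability-analysis script that is a silent false negative. No `set -e` is visible in this hunk (the top of the file is outside it, so it may be set there), so I would check each command's status, name the failing image on stderr, and exit non-zero at the end, as below; the `${image}` and `--file` expansions should be quoted at the same time. Separately, the added comment `# avoid doublicates` describes the wrong thing: duplicates are already removed by `sort -u` on the previous line, and the loop drops images matching `excluded_images`, so I would write `# drop any image matching an entry of excluded_images (dedup is done by sort -u above)`. Note also that `${image##*/}` keys the output files by name:tag only, so two running images with the same name and tag from different registries would overwrite each other's reports; worth a comment if that is acceptable here.
```shell
# … unchanged: tool lookup, mkdir -p out, excluded_images filtering …
status=0
for image in "${image_names[@]}"; do
  image_name_no_repo="${image##*/}"
  echo "Creating SBOM for ${image} in ${image_name_no_repo}.sbom.spdx.json..."
  if ! "${SYFT}" -q "${image}" -o spdx-json --file "out/${image_name_no_repo}.sbom.spdx.json"; then
    echo "syft failed for ${image}" >&2
    status=1
  fi
  echo "Creating Vulnerabilities for ${image} in ${image_name_no_repo}.vulnerabilities.vex.json..."
  if ! "${GRYPE}" -q "${image}" -o embedded-cyclonedx-vex-json --file "out/${image_name_no_repo}.vulnerabilities.vex.json"; then
    echo "grype failed for ${image}" >&2
    status=1
  fi
done
echo "Done!"
exit "${status}"
```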