From a0e2df207c0ad0e2515af3e1b59b4650b0a9571e Mon Sep 17 00:00:00 2001
From: Alex Stancu
Date: Tue, 21 Mar 2023 16:05:02 +0200
Subject: [PATCH] Create script for SBOM and Vulnerabilities analysis of docker images.

Issue-ID: OAM-318
Change-Id: I17599098f2c8b105be396ab7c75c74f171b97358
Signed-off-by: Alex Stancu
---
 code/container-analysis.sh | 58 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100755 code/container-analysis.sh

diff --git a/code/container-analysis.sh b/code/container-analysis.sh
new file mode 100755
index 0000000..087675c
--- /dev/null
+++ b/code/container-analysis.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+################################################################################
+# Copyright 2023 highstreet technologies GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an 'AS IS' BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+
+# Excluded images is an array containing the name of the docker images we want to exclude from the analysis.
+# Please modify it according to your needs.
+
+# Installing syft
+# curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+# Installing grype
+# curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+
+SYFT=$(which syft)
+if [ -z "$SYFT" ]; then
+ echo "unable to find syft. please install."
+ exit 1
+fi
+
+GRYPE=$(which grype)
+if [ -z "$GRYPE" ]; then
+ echo "unable to find grype. please install."
+ exit 1
+fi
+
+excluded_images=(nexus3.onap.org:10001/onap/dmaap/dmaap-mr:1.1.18 nexus3.onap.org:10001/onap/dmaap/kafka111:1.0.4 nexus3.onap.org:10001/onap/dmaap/zookeeper:6.0.3 nexus3.onap.org:10001/onap/org.onap.dcaegen2.collectors.ves.vescollector:1.10.1)
+
+image_names=($(docker ps --format '{{.Image}}' | tr ' ' '\n' | sort -u | tr '\n' ' '))
+
+for ele in "${excluded_images[@]}"; do
+image_names=(${image_names[@]/*${ele}*/})
+done
+
+echo "Analysing following images: ${image_names[*]}"
+
+for image in "${image_names[@]}"; do
+image_name_no_repo="${image##*/}"
+echo "Creating SBOM for ${image} in ${image_name_no_repo}.sbom.spdx.json..."
+${SYFT} -q ${image} -o spdx-json --file ${image_name_no_repo}.sbom.spdx.json
+echo "Creating Vulnerabilities for ${image} in ${image_name_no_repo}.vulnerabilities.vex.json..."
+${GRYPE} -q ${image} -o embedded-cyclonedx-vex-json --file ${image_name_no_repo}.vulnerabilities.vex.json
+done
+
+echo "Done!"
-- 
2.16.6
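Review bot: The exit status of every `${SYFT}` and `${GRYPE}` invocation in the final `for image` loop is discarded, so a scan that fails (image not pullable, tool error, out of disk) leaves a missing or stale `.sbom.spdx.json`/`.vex.json` behind while the script still prints "Done!" and exits 0; a CI job consuming these artefacts cannot tell a partial run from a complete one. Track failures per image and propagate them as the script's exit code, and quote the expansions while at it, since `${image}` and `${image_name_no_repo}` come straight from `docker ps` output. Relatedly, grype is run without `--fail-on`, so findings never affect the exit status either; if this is meant as a gate rather than only an export, add `--fail-on <severity>` to the grype line. The two commented `curl … | sh` install hints fetch an unpinned installer from the `main` branch of each repo; for a tool that itself produces supply-chain evidence, pin a release (the installers appear to accept a version tag as their last argument — confirm) and verify the download checksum rather than piping to `sh`. The `excluded_images` filter `${image_names[@]/*${ele}*/}` is a substring match, so an entry also drops any image whose tag merely extends it (e.g. `zookeeper:6.0.3` would remove `zookeeper:6.0.30`); an exact comparison, or at least a comment stating the substring semantics, would avoid silent over-exclusion.
```shell
rv=0
for image in "${image_names[@]}"; do
  image_name_no_repo="${image##*/}"
  echo "Creating SBOM for ${image} in ${image_name_no_repo}.sbom.spdx.json..."
  "${SYFT}" -q "${image}" -o spdx-json --file "${image_name_no_repo}.sbom.spdx.json" || rv=1
  echo "Creating Vulnerabilities for ${image} in ${image_name_no_repo}.vulnerabilities.vex.json..."
  "${GRYPE}" -q "${image}" -o embedded-cyclonedx-vex-json --file "${image_name_no_repo}.vulnerabilities.vex.json" || rv=1
done
# … unchanged: final "Done!" echo …
exit "${rv}"
```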