Annotate successful images with details #41
Conversation
enoodle
changed the title
enoodle
force-pushed
the
ssa_annotation_of_successful_images
branch
from
3339929
to
0ba9fb6
Compare
enoodle
changed the title
enoodle
force-pushed
the
ssa_annotation_of_successful_images
branch
from
0ba9fb6
to
208c14e
Compare
|
@moolitayer Please review |
|
@aweiteka Please Review |
|
About the ARF file: I tried to trim it as much a possible but it is a complicated file structure and I couldn't find a simple way to write an empty file. If you have any suggestions please share. |
| @@ -0,0 +1,5 @@ | |||
| FactoryGirl.define do | |||
| factory :openshift_container_image, :class => "ManageIQ::Providers::Openshift::ContainerManager::ContainerImage" do | |||
spec/factories/openscap_result.rb
Outdated
| @@ -0,0 +1,4 @@ | |||
| FactoryGirl.define do | |||
| factory :openscap_result | |||
| factory :openscap_rule_result | |||
There was a problem hiding this comment.
can you move openscap_rule_result to its own file please
| end | ||
|
|
||
| def openscap_summary | ||
| failed_rules = openscap_rule_results.where(:result => "fail") |
There was a problem hiding this comment.
openscap_rule_results.where(:result => "fail").group(:status).count
{
"Low" => 8,
"High" => 15
}
|
@enoodle do we have a contact from OpenShift or from OpenSCAP that was in the loop of this and can review the annotations? |
| { | ||
| :label => label, | ||
| :severityIndex => index, | ||
| :score => failed_rules.select { |rule| severities.include?(rule.severity) }.count |
There was a problem hiding this comment.
I think this is called data in https://github.com/adellape/openshift-docs/blob/master/security/container_content.adoc#container-content-scanning no?
There was a problem hiding this comment.
It was changed since I first started working on this apparently. 😮
AFAIK @aweiteka is our contact on this issue ManageIQ/manageiq#15013 |
enoodle
force-pushed
the
ssa_annotation_of_successful_images
branch
2 times, most recently
from
4ac3531
to
7fba3f5
Compare
|
@moolitayer I fixed your comments, ptal |
| end | ||
|
|
||
| def security_quality_annotation(compliant) | ||
| {"quality.images.openshift.io/vulnerability.manageiq" => { |
There was a problem hiding this comment.
https://docs.openshift.org/latest/security/container_content.html#security-image-metadata
lists 5 "acceptable values" for "providerId", which doesn't include "manageiq". I'm not sure they really intend this to be a closed list, but if yes perhaps this should be quality.images.openshift.io/vulnerability.openscap?
There was a problem hiding this comment.
@aweiteka ^^ is the list of allowed providerId intentionally close-ended? Can we use manageiq?
There was a problem hiding this comment.
@cben maybe we need to use some "global" function that will return the name of this tool, "manageiq" or "cfme" ? but I didn't know where to one and using "cfme" here seemed wrong.
There was a problem hiding this comment.
I didn't mean "manageiq" vs "cloudforms", 👍 for fixed "vulnerability.manageiq" (if we really wanted, we could change :name).
I just meant that the spec as written "allows" only 5 provider ids:
openscap redhatcatalog redhatinsights blackduck jfrog
The whole point of having the spec is allowing new products to integrate so I doubt that's the intent...
There was a problem hiding this comment.
I see in https://github.com/openshift/openshift-docs/pull/4461/files#diff-7f8d0575b67fa1bc3861ae9345fde2e2L98 @aweiteka changed allowed provider id redhatcloudforms to openscap, so I suppose he wants this to be vulnerability.openscap .
| :name => "ManageIQ", | ||
| :timestamp => Time.now.utc.to_i, | ||
| :description => "OpenSCAP Score", | ||
| :reference => "", |
There was a problem hiding this comment.
reference URL is "required". Do we have anything to put here?
URL of information source and/or more details. Required so user may validate the data.
There was a problem hiding this comment.
I wanted to find a cool way like url_to_entity to make this but couldn't.
There was a problem hiding this comment.
looks like Rails.application.routes.url_helpers.url_for(:controller => 'dashboard', :action => 'show', :only_path => true) .. but we should probably fix this at some point not to generate urls outside UI.
(I'm thinking urls can change, in the db, we need something that won't.)
| end | ||
|
|
||
| def annotate_deny_execution(causing_policy) | ||
| annotate_image({ | ||
| "security.manageiq.org/failed-policy" => causing_policy, | ||
| "images.openshift.io/deny-execution" => "true" |
There was a problem hiding this comment.
[out of scope for this PR]
This ties making the scan details annotation with making allow/deny-execution annotation.
Until now the way user decided whether to make deny-execution annotations is by using or not the action on a policy reacting to scan complete event.
Now it might become useful to make policy annotation without denying execution, or have extra conditions for denying.
Also, conceivably one might want to deny/allow in other policies that don't have an OpenSCAP scan at hand.
=> in future, it may be worth splitting this, making scan details annotation immediately on scan (or as independent action?), and having actions that make only deny/allow annotation...
| end | ||
|
|
||
| def annotate_deny_execution(causing_policy) | ||
| annotate_image({ | ||
| "security.manageiq.org/failed-policy" => causing_policy, | ||
| "images.openshift.io/deny-execution" => "true" |
There was a problem hiding this comment.
IMO when setting deny-execution we should clear allow-execution and vice versa.
See my comment ManageIQ/manageiq#15013 (comment)
There was a problem hiding this comment.
@cben we discussed this on the original PR too : ManageIQ/manageiq#15031 (comment)
There was a problem hiding this comment.
what about setting the other annotation to the negative value? It seems to convey more information?
| { | ||
| :label => label, | ||
| :severityIndex => index, | ||
| :data => failed_rules.select { |sev| severities.include?(sev) }.values.sum |
There was a problem hiding this comment.
took me a while to understand how this works. perhaps severities.sum { |sev| failed_rules.fetch(sev, 0) } would be clearer, perhaps not, your call.
|
Forgot one question: what happens when you use this action in another policy, on an image that's never been scanned? My only concern is that it won't crash. I think it won't, |
| def annotate_allow_execution(causing_policy) | ||
| annotate_image({ | ||
| "security.manageiq.org/successful-policy" => causing_policy, | ||
| "images.openshift.io/allow-execution" => "true" |
There was a problem hiding this comment.
btw @enoodle why do we use two different annotations:
images.openshift.io/allow-executionimages.openshift.io/deny-execution,
There was a problem hiding this comment.
"images.openshift.io/deny-execution" => "false" according to ManageIQ/manageiq#15013 (comment) (and the whole issue really)
@cben We might want in the future to annotate all the images that were not scanned yet until they are scanned (probably with non compliant) How would you suggest to fail here ? |
enoodle
changed the title
enoodle
changed the title
enoodle
force-pushed
the
ssa_annotation_of_successful_images
branch
from
e63aeb6
to
d56b929
Compare
converting severities from openscap convention (high, medium, low, info, unknown) to Openshift specifications.
|
@moolitayer @cben I addressed most of your earlier comments with the last refactoring (left as a separate commit to be squashed later). PTAL |
| :reference => Rails.application.routes.url_helpers.url_for(:controller => "container_image", | ||
| :action => "openscap_html", | ||
| :id => id, | ||
| :only_path => true), |
There was a problem hiding this comment.
The annotation will live in Openshift, so a relative URL isn't very useful.
Would :only_path => false give an absolute URL?
There was a problem hiding this comment.
@cben Not easily:
ArgumentError: Missing host to link to! Please provide the :host parameter, set default_url_options[:host], or set :only_path to true when I give :host => MiqServer.my_server.hostdname, but I don't see how to get the port number yet. any ideas?
enoodle
force-pushed
the
ssa_annotation_of_successful_images
branch
from
d56b929
to
cff66ad
Compare
|
@cben I removed the reference and now it is back to being empty. |
|
Checked commits enoodle/manageiq-providers-openshift@3af3d23~...cff66ad with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0 app/models/manageiq/providers/openshift/container_manager/container_image.rb
|
|
@aweiteka Can you take a look at this? Your approval will help merge this faster. |
|
@aweiteka Please take a look |
|
LGTM. Thanks. |
|
@enoodle @moolitayer IIRC we also have BZ RFE to reference here. |
|
@enoodle ready for merge, is this safe to go in before ManageIQ/manageiq#15031 ? (seems to be the case) |
|
@moolitayer Yes, it will not crush but annotating will not work until the other patch is merged too. It is right for the other way too, they both should be merged together |
Will allow annotating images that are compliant and also with more details as stated here: https://github.com/adellape/openshift-docs/blob/master/security/container_content.adoc#container-content-scanning
This is in continuation of ManageIQ/manageiq#15031