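def vulnerabilitycheck(String CLAIRCTL_REGISTRY) {
    // Push the image CLAIRCTL_REGISTRY (tag 'latest') to Clair via clairctl, publish the
    // HTML report, count the findings per severity and fail the build when any severity
    // exceeds its <PREFIX>_VULNERABILITY_LIMIT.
    //
    // Parameters:
    //   CLAIRCTL_REGISTRY - image name (registry/repo path) to analyse; treated as
    //                       untrusted input and never interpolated into a shell script.
    // Reads (pipeline environment or script binding, resolved by name as before):
    //   JOB_NAME, UNKNOWN_/NEGLIGIBLE_/LOW_/MEDIUM_/HIGH_/CRITICAL_/DEFCON_VULNERABILITY_LIMIT
    // Sets: env.FIXEDJOBNAME, env.PTCS_DOCKER_REGISTRY_ANALYSIS, env.<PREFIX>_V (count strings).
    // Raises: the pipeline abort (via `error`) when the report file is missing, a count
    //   cannot be parsed, a limit is unset/non-numeric, or at least one limit is exceeded.
    //   All severities are evaluated before aborting so the log shows every violation.
    //
    // Intermediate values are kept as locals and exported through env.* only; earlier
    // revisions also leaked them as script-level globals, which is not relied on here.

    def imageTag = 'latest'
    // clairctl names the report after the image with '/' replaced by '-' and the tag
    // appended; this reproduces the original reports/html/analysis-<name>-latest.html path.
    def registryAnalysis = CLAIRCTL_REGISTRY.replace('/', '-')
    def reportFile = "reports/html/analysis-${registryAnalysis}-${imageTag}.html"
    // Job path in the form used by Jenkins URLs (folder/job/name).
    def fixedJobName = JOB_NAME.replace('/', '/job/')

    // Severity labels exactly as they appear in the report, and the variable prefix used
    // for the limit and the exported count ('Defcon1' maps to DEFCON_*, as before).
    def severities = ['Unknown', 'Negligible', 'Low', 'Medium', 'High', 'Critical', 'Defcon1']
    def severityPrefix = [
        'Unknown': 'UNKNOWN', 'Negligible': 'NEGLIGIBLE', 'Low': 'LOW', 'Medium': 'MEDIUM',
        'High': 'HIGH', 'Critical': 'CRITICAL', 'Defcon1': 'DEFCON'
    ]
    // Limits are read by their bare names so they resolve exactly as in the original
    // (an undefined name still raises MissingPropertyException at this point).
    def limits = [
        'Unknown': UNKNOWN_VULNERABILITY_LIMIT,
        'Negligible': NEGLIGIBLE_VULNERABILITY_LIMIT,
        'Low': LOW_VULNERABILITY_LIMIT,
        'Medium': MEDIUM_VULNERABILITY_LIMIT,
        'High': HIGH_VULNERABILITY_LIMIT,
        'Critical': CRITICAL_VULNERABILITY_LIMIT,
        'Defcon1': DEFCON_VULNERABILITY_LIMIT
    ]

    // Send Docker image layers to Clair and create the HTML report. The image name is
    // handed to the shell through the environment and the script is single-quoted, so
    // Groovy never splices caller-controlled text into the command line.
    withEnv(["CLAIR_IMAGE_NAME=${CLAIRCTL_REGISTRY}", "CLAIR_IMAGE_REF=${CLAIRCTL_REGISTRY}:${imageTag}"]) {
        sh '''
            clairctl --log-level Debug push --config /usr/share/clairctl.yml --local "$CLAIR_IMAGE_NAME"
            clairctl --log-level Debug report --config /usr/share/clairctl.yml --format html --local "$CLAIR_IMAGE_REF"
        '''
    }

    // HTML Publisher Plugin creates a link to the Clairctl HTML report. Published before
    // the limit check so the report is reachable from a failed build too.
    publishHTML (target: [
        allowMissing: false,
        alwaysLinkToLastBuild: true,
        keepAll: true,
        reportDir: 'reports/html',
        reportFiles: 'analysis-*',
        reportName: 'Vulnerability Report',
        reportTitles: ''
    ])

    // A missing report previously surfaced as a NumberFormatException on an empty grep
    // result; name the real cause instead.
    if (!fileExists(reportFile)) {
        error "Clairctl report not found: ${reportFile}"
    }

    // Count occurrences of each severity marker in the report.
    def rawCounts = [:]
    def counts = [:]
    for (severity in severities) {
        def count = ''
        withEnv(["CLAIR_SEVERITY=${severity}", "CLAIR_REPORT_FILE=${reportFile}"]) {
            // grep -c exits 1 when the count is 0 while still printing "0"; '|| true'
            // keeps that output and keeps the step from failing (the original used '| cat').
            count = sh(
                script: 'grep -c "<div>$CLAIR_SEVERITY</div>" "$CLAIR_REPORT_FILE" || true',
                returnStdout: true
            ).trim()
        }
        if (!(count ==~ /\d+/)) {
            error "Unable to read ${severity} vulnerability count from ${reportFile}: '${count}'"
        }
        rawCounts[severity] = count
        counts[severity] = count as Integer
        echo "${severity} vulnerabilities: ${count}"
    }

    // Export for downstream reporting. Done before the limit check so that a build which
    // fails on a limit still carries the numbers for its notifications.
    env.FIXEDJOBNAME = fixedJobName
    env.PTCS_DOCKER_REGISTRY_ANALYSIS = registryAnalysis
    for (severity in severities) {
        env."${severityPrefix[severity]}_V" = rawCounts[severity]
    }

    // Compare every severity against its limit; collect all violations, then abort once.
    def exceeded = []
    for (severity in severities) {
        def rawLimit = limits[severity]
        if (rawLimit == null || rawLimit.toString().trim().isEmpty()) {
            error "${severityPrefix[severity]}_VULNERABILITY_LIMIT is not set"
        }
        // Non-numeric limits still raise NumberFormatException, as before.
        int limit = rawLimit.toString().trim() as Integer
        if (limit < counts[severity]) {
            echo "${severity}: Too many vulnerabilities. Exiting build.."
            exceeded << severity
        } else {
            echo "${severity}: OK."
        }
    }
    if (exceeded) {
        error "Vulnerability limit exceeded for: ${exceeded.join(', ')}"
    }
}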
// Hand the script instance back so a pipeline that brings this file in with the
// `load` step can call vulnerabilitycheck(...) on the returned object.
return this