fix(aws): only check artifacts that can be scanned for vulnerabilities by ecr_repositories_scan_vulnerabilities_in_latest_image
#4507
Conversation
… by ecr_repositories_scan_vulnerabilities_in_latest_image
github-actions
bot
added
the
provider/aws
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #4507 +/- ##
==========================================
+ Coverage 88.69% 88.86% +0.16%
==========================================
Files 893 910 +17
Lines 27205 27693 +488
==========================================
+ Hits 24130 24608 +478
- Misses 3075 3085 +10 ☔ View full report in Codecov by Sentry. |
|
WOW @kagahd this is impressive 🤯 Thank you for this contribution, we will review it and get back to you! Thanks for contributing with Prowler always taking care of it ❤️ |
sergargar
changed the title
ecr_repositories_scan_vulnerabilities_in_latest_image
|
Hello @kagahd I'm in the middle of the review but I'm not sure I'll be able to finish it today. If not I'll do that on Monday. Thank you! |
Hello @jfagoagas, thanks for the info. I won't be at work for the next few weeks anyway, so there's no rush 😄 |
There was a problem hiding this comment.
Please @kagahd, add a new test for a non scannable artifact.
| try: | ||
| # use "image" for scan findings to get data the same way as for an image | ||
| image = ( | ||
| client.describe_image_scan_findings( |
There was a problem hiding this comment.
Please, create a new function in the ECR class for this API Call.
| @@ -121,6 +121,27 @@ def __get_repository_lifecycle_policy__(self, regional_client): | |||
|
|
|||
| def __get_image_details__(self, regional_client): | |||
| logger.info("ECR - Getting images details...") | |||
|
|
|||
| def is_artifact_scannable(artifact_media_type, tags): | |||
There was a problem hiding this comment.
Please, put this function outside of the parent function and use try/except.
|
No new permissions needed, |
jfagoagas
added
backport-to-v3
…s by `ecr_repositories_scan_vulnerabilities_in_latest_image` (#4507) Co-authored-by: Pepe Fagoaga <[email protected]> (cherry picked from commit 26a5ffa) # Conflicts: # tests/providers/aws/services/ecr/ecr_service_test.py
github-actions
bot
added
the
was-backported
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation and see the Github Action logs for details |
Context
Until now, the check
ecr_repositories_scan_vulnerabilities_in_latest_imagejust takes the newest pushed image from the ECR repository to check its scan report for vulnerabilities. However, the newest pushed image in a repository is not always an artifact that can be scanned, hence there is no report for it and the prowler check fails.Description
AWS ECR is generally able to scan artifacts of the following artifact media types (not to confound with manifest media type):
application/vnd.docker.container.image.v1+jsonDocker image configurationapplication/vnd.docker.image.rootfs.diff.tarDocker image layer as a tar archiveapplication/vnd.docker.image.rootfs.diff.tar.gzipDocker image layer that is compressed using gzipapplication/vnd.oci.image.config.v1+jsonOCI image configurationapplication/vnd.oci.image.layer.v1.tarUncompressed OCI image layerapplication/vnd.oci.image.layer.v1.tar+gzipCompressed OCI image layerHowever, tools like Google container tool Jib, use
application/vnd.oci.image.config.v1+jsonalso for signatures, which are not scannable. Luckily, these are tagged withsha-<HASH-CODE>.sig, so that they can still be easily recognized.In contrast, non-scannable artifacts are for example:
application/vnd.docker.distribution.manifest.list.v2+jsonapplication/vnd.cncf.notary.v2.signatureapplication/vnd.oci.artifact.v1+jsonFor example, if a signed container image was built with the Google container tool Jib, multiple artifacts are pushed to the registry.
As you can see in the screenshot, the artifacts are ordered by
Pushed at. The four first artifacts are not scannable because they are not Docker container images. The first three are signatures and the fourth is an "Image Index". All these four artifacts do not contain any layers that could be scanned.Furthermore, as you can see in the screenshot, the fifth artifact, which is a scannable Docker container image, does not have any tags which is represented by the
-sign. This can have several reasons as for example:However, the current prowler report refers to an image tag that not only may not be present, but is also used by different artifacts, so the user would have difficulty understanding which image is meant in the prowler report (the prowler report also didn't mention that the newest image of that tag is meant).
Implemented solution
ecr_repositories_scan_vulnerabilities_in_latest_imageverifies now the scan report of newest pushed scannable artifact.License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.