fix(aws): only check artifacts that can be scanned for vulnerabilities by ecr_repositories_scan_vulnerabilities_in_latest_image
#4507
Conversation
Codecov Report
Attention: Patch coverage is

Coverage Diff (master vs #4507)

             master    #4507    +/-
Coverage     88.69%    88.86%   +0.16%
Files        893       910      +17
Lines        27205     27693    +488
Hits         24130     24608    +478
Misses       3075      3085     +10

View full report in Codecov by Sentry.
WOW @kagahd this is impressive 🤯 Thank you for this contribution, we will review it and get back to you! Thanks for contributing to Prowler, always taking care of it ❤️
Hello @kagahd I'm in the middle of the review but I'm not sure I'll be able to finish it today. If not I'll do that on Monday. Thank you!
Hello @jfagoagas, thanks for the info. I won't be at work for the next few weeks anyway, so there's no rush 😄 |
Please @kagahd, add a new test for a non scannable artifact.
try: | ||
# use "image" for scan findings to get data the same way as for an image | ||
image = ( | ||
client.describe_image_scan_findings( |
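Review bot: the `client.describe_image_scan_findings(` call is wrapped in a `try:` directly in the check body, and the comment above it says the result is bound to `image` so the data is read "the same way as for an image"; for the non-scannable artifacts this PR targets there is no scan report at all, so the matching `except` branch (not shown here) must report the missing scan as a finding for that repository instead of swallowing the error or aborting the loop over repositories. Moving the API call behind a method on the ECR service class, as the reviewer asks, also keeps boto3 error handling out of the check and makes the no-report path mockable in the unit tests.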
Please, create a new function in the ECR class for this API Call.
@@ -121,6 +121,27 @@ def __get_repository_lifecycle_policy__(self, regional_client): | |||
|
|||
def __get_image_details__(self, regional_client): | |||
logger.info("ECR - Getting images details...") | |||
|
|||
def is_artifact_scannable(artifact_media_type, tags): |
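Review bot: `def is_artifact_scannable(artifact_media_type, tags):` is defined inside `__get_image_details__`, so it cannot be imported and unit-tested on its own, yet it carries the rule this PR hinges on (reject media types outside the scannable set, and reject `application/vnd.oci.image.config.v1+json` artifacts whose tags match `sha-<HASH-CODE>.sig`, per the PR description). Hoist it to module level, give it a docstring listing the accepted media types, and guard `tags` against `None`, since untagged artifacts are exactly the case the description calls out; a non-scannable-artifact test case can then call it directly.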
Please, put this function outside of the parent function and use try/except.
Love this @kagahd ❤️ Please, review my comments.
No new permissions needed.
…s by `ecr_repositories_scan_vulnerabilities_in_latest_image` (#4507) Co-authored-by: Pepe Fagoaga <[email protected]> (cherry picked from commit 26a5ffa) # Conflicts: # tests/providers/aws/services/ecr/ecr_service_test.py
💚 All backports created successfully
Questions? Please refer to the Backport tool documentation and see the GitHub Action logs for details.
Context
Until now, the check ecr_repositories_scan_vulnerabilities_in_latest_image just takes the newest pushed image from the ECR repository and checks its scan report for vulnerabilities. However, the newest pushed image in a repository is not always an artifact that can be scanned, hence there is no report for it and the Prowler check fails.

Description
AWS ECR is generally able to scan artifacts of the following artifact media types (not to be confused with the manifest media type):
- application/vnd.docker.container.image.v1+json (Docker image configuration)
- application/vnd.docker.image.rootfs.diff.tar (Docker image layer as a tar archive)
- application/vnd.docker.image.rootfs.diff.tar.gzip (Docker image layer that is compressed using gzip)
- application/vnd.oci.image.config.v1+json (OCI image configuration)
- application/vnd.oci.image.layer.v1.tar (uncompressed OCI image layer)
- application/vnd.oci.image.layer.v1.tar+gzip (compressed OCI image layer)

However, tools like the Google container tool Jib also use application/vnd.oci.image.config.v1+json for signatures, which are not scannable. Luckily, these are tagged with sha-<HASH-CODE>.sig, so they can still be easily recognized.

In contrast, non-scannable artifacts are for example:
- application/vnd.docker.distribution.manifest.list.v2+json
- application/vnd.cncf.notary.v2.signature
- application/vnd.oci.artifact.v1+json

For example, if a signed container image was built with the Google container tool Jib, multiple artifacts are pushed to the registry.

As you can see in the screenshot, the artifacts are ordered by "Pushed at". The first four artifacts are not scannable because they are not Docker container images. The first three are signatures and the fourth is an "Image Index". None of these four artifacts contains any layers that could be scanned. Furthermore, as you can see in the screenshot, the fifth artifact, which is a scannable Docker container image, does not have any tags, which is represented by the "-" sign. This can have several reasons, for example:

However, the current Prowler report refers to an image tag that not only may not be present, but is also used by different artifacts, so the user would have difficulty understanding which image is meant in the Prowler report (the Prowler report also didn't mention that the newest image of that tag is meant).

Implemented solution
ecr_repositories_scan_vulnerabilities_in_latest_image now verifies the scan report of the newest pushed scannable artifact.

License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
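The selection rule the PR description lays out, written out as an added Python example; this is not Prowler's code and not the PR author's, it only models the logic on the shape boto3's `ecr.describe_images()` returns under `imageDetails` (`imageDigest`, `imageTags`, `imagePushedAt`, `artifactMediaType`, `imageScanStatus`, `imageScanFindingsSummary`). The scannable media-type list and the `sha-<HASH-CODE>.sig` tag convention are taken from the description; the `.sig` tag test being applied to any media type, the handling of a missing `artifactMediaType`, the `SKIP` verdict for a repository with nothing scannable, and the five-artifact `SAMPLE_IMAGE_DETAILS` (constructed to mirror the screenshot: three signatures, one image index, one untagged image) are my assumptions. Findings are keyed by digest rather than tag, for the reason given in the description.

```python
"""Added example (not Prowler's implementation): choose the newest ECR
artifact that ECR can actually scan, then judge its scan report."""
from datetime import datetime, timezone
from typing import Iterable, Optional, Tuple

# Artifact media types ECR scans, as listed in the PR description.
SCANNABLE_ARTIFACT_MEDIA_TYPES = frozenset({
    "application/vnd.docker.container.image.v1+json",
    "application/vnd.docker.image.rootfs.diff.tar",
    "application/vnd.docker.image.rootfs.diff.tar.gzip",
    "application/vnd.oci.image.config.v1+json",
    "application/vnd.oci.image.layer.v1.tar",
    "application/vnd.oci.image.layer.v1.tar+gzip",
})


def is_signature_tag(tag: str) -> bool:
    """Jib/cosign-style signature artifacts are tagged 'sha-<HASH-CODE>.sig'
    (PR description). Assumption: any 'sha...' tag ending in '.sig' counts."""
    return tag.startswith("sha") and tag.endswith(".sig")


def is_artifact_scannable(artifact_media_type: Optional[str],
                          tags: Optional[Iterable[str]]) -> bool:
    # Assumption: an artifact with no reported media type is a legacy image and
    # stays in scope, so a missing report fails loudly instead of being skipped.
    if artifact_media_type is None:
        return True
    if artifact_media_type not in SCANNABLE_ARTIFACT_MEDIA_TYPES:
        return False
    # A signature pushed with the OCI config media type has no layers to scan,
    # and untagged artifacts (imageTags absent or None) must not crash here.
    return not any(is_signature_tag(t) for t in (tags or []))


def newest_scannable_image(image_details) -> Optional[dict]:
    """Newest pushed scannable artifact from describe_images()['imageDetails'],
    or None when the repository holds nothing ECR could scan."""
    candidates = [d for d in image_details
                  if is_artifact_scannable(d.get("artifactMediaType"), d.get("imageTags"))]
    if not candidates:
        return None
    return max(candidates, key=lambda d: d["imagePushedAt"])


def scan_verdict(image_details) -> Tuple[str, str]:
    """(status, message); the message names the digest, since the newest image
    may be untagged or share its tag with non-scannable artifacts."""
    image = newest_scannable_image(image_details)
    if image is None:
        return "SKIP", "repository has no scannable artifact"  # assumption
    digest = image["imageDigest"]
    status = image.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return "FAIL", f"{digest}: scan status is {status!r}, no report available"
    counts = image.get("imageScanFindingsSummary", {}).get("findingSeverityCounts", {})
    critical, high = counts.get("CRITICAL", 0), counts.get("HIGH", 0)
    if critical or high:
        return "FAIL", f"{digest}: {critical} CRITICAL and {high} HIGH findings"
    return "PASS", f"{digest}: scanned, no CRITICAL or HIGH findings"


def _pushed_at(minute: int) -> datetime:
    return datetime(2024, 7, 1, 12, minute, tzinfo=timezone.utc)


# Constructed sample mirroring the PR screenshot, newest first.
SAMPLE_IMAGE_DETAILS = [
    {"imageDigest": "sha256:sig3", "imageTags": ["sha-abc123.sig"], "imagePushedAt": _pushed_at(4),
     "artifactMediaType": "application/vnd.oci.image.config.v1+json"},
    {"imageDigest": "sha256:sig2", "imageTags": ["sha-def456.sig"], "imagePushedAt": _pushed_at(3),
     "artifactMediaType": "application/vnd.cncf.notary.v2.signature"},
    {"imageDigest": "sha256:sig1", "imagePushedAt": _pushed_at(2),
     "artifactMediaType": "application/vnd.oci.artifact.v1+json"},
    {"imageDigest": "sha256:index", "imageTags": ["1.0.0"], "imagePushedAt": _pushed_at(1),
     "artifactMediaType": "application/vnd.docker.distribution.manifest.list.v2+json"},
    {"imageDigest": "sha256:image", "imagePushedAt": _pushed_at(0),   # untagged, the real image
     "artifactMediaType": "application/vnd.oci.image.config.v1+json",
     "imageScanStatus": {"status": "COMPLETE"},
     "imageScanFindingsSummary": {"findingSeverityCounts": {"HIGH": 2, "MEDIUM": 5}}},
]

if __name__ == "__main__":
    print(*scan_verdict(SAMPLE_IMAGE_DETAILS))
```

With the sample above the old behaviour would have looked up the scan report of `sha256:sig3`, which has none; the selector skips the three signatures and the image index and evaluates the untagged image, which fails on its two HIGH findings.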