From 286bb875403cc88373ca13b7ab2e59e69522e308 Mon Sep 17 00:00:00 2001
From: pohanhuangtw
Date: Tue, 14 May 2024 15:30:34 +0800
Subject: [PATCH] [NVASHAS-8938] Add Critical CVE Severity to support CVSS v3 scores 9.0-10.0 (CI/CD tool)

---
 action.yml | 1 +
 run-scan.sh | 16 ++++++++++++++++
 test/scan-image.bats | 10 ++++++++++
 3 files changed, 27 insertions(+)

diff --git a/action.yml b/action.yml
index bf1842a..a31d917 100644
--- a/action.yml
+++ b/action.yml
@@ -60,6 +60,7 @@ runs:
 using: "docker"
 image: 'Dockerfile'
 env:
+ CRITICAL_VUL_TO_FAIL: ${{ inputs.min-critical-cves-to-fail }}
 HIGH_VUL_TO_FAIL: ${{ inputs.min-high-cves-to-fail }}
 MEDIUM_VUL_TO_FAIL: ${{ inputs.min-medium-cves-to-fail }}
 VUL_NAMES_TO_FAIL: ${{ inputs.cve-names-to-fail }}
diff --git a/run-scan.sh b/run-scan.sh
index 59279c1..33ea3f0 100755
--- a/run-scan.sh
+++ b/run-scan.sh
@@ -16,6 +16,7 @@ if [ -n "${SCANNER_REGISTRY_PASSWORD}" ]; then
 fi
 
 NV_SCANNER_IMAGE=${NV_SCANNER_IMAGE:-"neuvector/scanner:latest"}
+CRITICAL_VUL_TO_FAIL=${CRITICAL_VUL_TO_FAIL:-""}
 HIGH_VUL_TO_FAIL=${HIGH_VUL_TO_FAIL:-"0"}
 MEDIUM_VUL_TO_FAIL=${MEDIUM_VUL_TO_FAIL:-"0"}
 OUTPUT=${OUTPUT:-"text"}
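Review bot: The new env entry reads `inputs.min-critical-cves-to-fail`, but the diffstat shows action.yml gaining only this one line, so no matching `inputs:` declaration (name, description, default) is added by this commit. Unless that input already exists outside the hunk, the expression evaluates to an empty string, the container always takes the backward-compatibility path in run-scan.sh, and a workflow has no way to set a critical-only threshold. Declare `min-critical-cves-to-fail:` next to the existing `min-high-cves-to-fail` input with a `description:` that states what an empty value means (critical CVEs are counted together with high against the high threshold) and whatever `default:` matches that intent.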
@@ -40,20 +41,35 @@ VUL_EXEMPT_LIST=$(printf '["%s"]' "${VUL_NAMES_TO_EXEMPT//,/\",\"}")
 
 filterOutExemptCVEsFromJson "scan_result.json" "$VUL_EXEMPT_LIST"
 VUL_NUM=$(cat scan_result.json | jq '.report.vulnerabilities | length')
+FOUND_CRITICAL=$(cat scan_result.json | jq '.report.vulnerabilities[] | select(.severity == "Critical") | .severity' | wc -l)
 FOUND_HIGH=$(cat scan_result.json | jq '.report.vulnerabilities[] | select(.severity == "High") | .severity' | wc -l)
 FOUND_MEDIUM=$(cat scan_result.json | jq '.report.vulnerabilities[] | select(.severity == "Medium") | .severity' | wc -l)
 VUL_LIST=$(printf '["%s"]' "${VUL_NAMES_TO_FAIL//,/\",\"}")
 VUL_LIST_FOUND=$(cat scan_result.json | jq --arg arr "$VUL_LIST" '.report.vulnerabilities[] | select(.name as $n | $arr | index($n)) |.name')
+total_high_critical=$((FOUND_HIGH + FOUND_CRITICAL))
 echo "GITHUB_OUTPUT: $GITHUB_OUTPUT"
 echo "vulnerability_count=$VUL_NUM" >> "$GITHUB_OUTPUT"
+echo "critical_vulnerability_count=$FOUND_CRITICAL" >> "$GITHUB_OUTPUT"
 echo "high_vulnerability_count=$FOUND_HIGH" >> "$GITHUB_OUTPUT"
 echo "medium_vulnerability_count=$FOUND_MEDIUM" >> "$GITHUB_OUTPUT"
+aboveHighToFail=0
+# backward compatibility for upgraded version.
+if [ -z "$CRITICAL_VUL_TO_FAIL" ]; then
+ aboveHighToFail=${HIGH_VUL_TO_FAIL}
+fi
+
 # we must count the high and med before we put.
 if [[ -n $VUL_LIST_FOUND ]]; then
 fail_reason="Found specific named vulnerabilities."
 scan_fail="true"
+elif [ ${aboveHighToFail} -ne 0 -a $total_high_critical -ge ${aboveHighToFail} ]; then
+ fail_reason="Found ${FOUND_CRITICAL} critical and ${FOUND_HIGH} high vulnerabilities exceeding the maximum of ${aboveHighToFail} (combined high and critical threshold)."
+ scan_fail="true"
+elif [ ${CRITICAL_VUL_TO_FAIL} -ne 0 -a $FOUND_CRITICAL -ge ${CRITICAL_VUL_TO_FAIL} ]; then
+ fail_reason="Found ${FOUND_CRITICAL} critical vulnerabilities exceeding the maximum of ${HIGH_VUL_TO_FAIL}."
+ scan_fail="true"
 elif [ ${HIGH_VUL_TO_FAIL} -ne 0 -a $FOUND_HIGH -ge ${HIGH_VUL_TO_FAIL} ]; then
 fail_reason="Found ${FOUND_HIGH} high vulnerabilities exceeding the maximum of ${HIGH_VUL_TO_FAIL}."
 scan_fail="true"
diff --git a/test/scan-image.bats b/test/scan-image.bats
index 5f5e537..01b96e7 100644
--- a/test/scan-image.bats
+++ b/test/scan-image.bats
@@ -32,6 +32,15 @@ setup_file() {
 [[ "$output" =~ "Image scanning succeed" ]]
 }
 
+@test "scan image with vulnerabilities and above High severity fail" {
+ run docker run --rm -e HIGH_VUL_TO_FAIL=1 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp" neuvector/scan-action
+ echo "Status $status"
+ echo "Output"
+ echo -e $output
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "critical vulnerabilities" ]]
+}
+
 @test "scan image with vulnerabilities and high severity fail" {
 run docker run --rm -e HIGH_VUL_TO_FAIL=1 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp" neuvector/scan-action
 echo "Status $status"
@@ -50,6 +59,7 @@ setup_file() {
 [[ "$output" =~ "medium vulnerabilities" ]]
 }
 
+
 @test "scan image with vulnerabilities and specific CVE fail" {
 run docker run --rm -e VUL_NAMES_TO_FAIL=invalid,CVE-2020-16156 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp" neuvector/scan-action
 echo "Status $status"
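Review bot: The critical-only branch `elif [ ${CRITICAL_VUL_TO_FAIL} -ne 0 -a $FOUND_CRITICAL -ge ${CRITICAL_VUL_TO_FAIL} ]` becomes a malformed test whenever CRITICAL_VUL_TO_FAIL keeps the empty default introduced in the earlier hunk (`CRITICAL_VUL_TO_FAIL=${CRITICAL_VUL_TO_FAIL:-""}`): the unquoted empty variable vanishes, `[` prints an error and returns false, and every legacy run whose combined count is below the high threshold falls through to the next branch only by accident, with noise on stderr. Guard the branch explicitly, `elif [ -n "$CRITICAL_VUL_TO_FAIL" ] && [ "$CRITICAL_VUL_TO_FAIL" -ne 0 ] && [ "$FOUND_CRITICAL" -ge "$CRITICAL_VUL_TO_FAIL" ]; then`, or use the `[[ ... && ... ]]` form the first branch of this same chain already uses, which also tolerates empty expansions. The message on the following line reports the wrong limit: `exceeding the maximum of ${HIGH_VUL_TO_FAIL}.` should be `exceeding the maximum of ${CRITICAL_VUL_TO_FAIL}.` so the failure reason a user sees in the job log matches the threshold that actually fired. The if/elif chain continues past the end of the hunk.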
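Review bot: The new test `scan image with vulnerabilities and above High severity fail` runs the identical command to the existing `high severity fail` test below it — `HIGH_VUL_TO_FAIL=1` and no `CRITICAL_VUL_TO_FAIL` — so it exercises the backward-compatibility path rather than the critical threshold this commit adds. On that path run-scan.sh emits `Found N critical and M high vulnerabilities exceeding ...`, which does not contain the substring `critical vulnerabilities` the last assertion looks for, so the test appears to pass only if that wording comes from elsewhere in the scanner output; please confirm against an actual run. To cover the feature, pass `-e CRITICAL_VUL_TO_FAIL=1` in this test and assert on the critical-only message, and add a separate case asserting `critical and` for the combined path. `echo -e $output` should be `echo -e "$output"` so the captured log keeps its line breaks.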