From 735aa835a60c81702a1086a6d6f53853cd39671b Mon Sep 17 00:00:00 2001 From: Kota Kanbe Date: Tue, 14 Mar 2017 20:07:51 +0900 Subject: [PATCH] Change container scan setting in config.toml --- README.ja.md | 40 ++++++++++++++++++++++++++++++-------- README.md | 44 ++++++++++++++++++++++++++++++------------ commands/configtest.go | 2 ++ commands/discover.go | 5 +++-- commands/scan.go | 2 ++ config/config.go | 10 ++++++++-- config/tomlloader.go | 4 +--- models/models.go | 1 + scan/base.go | 17 ++++++++++------ scan/executil.go | 2 +- scan/serverapi.go | 18 +++++++++++++---- 11 files changed, 107 insertions(+), 38 deletions(-) diff --git a/README.ja.md b/README.ja.md index 0f8bfba6..1df238da 100644 --- a/README.ja.md +++ b/README.ja.md @@ -446,7 +446,6 @@ subjectPrefix = "[vuls]" #cpeNames = [ # "cpe:/a:rubyonrails:ruby_on_rails:4.2.1", #] -#containers = ["${running}"] #optional = [ # ["key", "value"], #] @@ -461,10 +460,13 @@ host = "172.31.4.82" #cpeNames = [ # "cpe:/a:rubyonrails:ruby_on_rails:4.2.1", #] -#containers = ["${running}"] #optional = [ # ["key", "value"], #] +#[servers.172-31-4-82.containers] +#type = "lxd" # or "docker" +#indludes = ["${running}"] +#excludes = ["container_name", "container_id"] ``` このテンプレート使ってVulsの設定ファイルを作ってもよい。 @@ -530,11 +532,14 @@ host = "172.31.4.82" #cpeNames = [ # "cpe:/a:rubyonrails:ruby_on_rails:4.2.1", #] - #containers = ["${running}"] #ignoreCves = ["CVE-2016-6313"] #optional = [ # ["key", "value"], #] + #[servers.172-31-4-82.containers] + #type = "lxd" # or "docker" + #indludes = ["${running}"] + #excludes = ["container_name", "container_id"] ``` 下記serversセクションで値が指定されなかった場合のデフォルト値 @@ -555,7 +560,7 @@ host = "172.31.4.82" # ["key", "value"], #] #containers = ["${running}"] - #[servers.172-31-4-82.container] + #[servers.172-31-4-82.containers] #type = "lxd" ``` @@ -792,7 +797,9 @@ Vulsは、DockerホストにSSHで接続し、`docker exec`でDockerコンテナ host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" - containers = ["${running}"] + + [servers.172-31-4-82.containers] + indludes = ["${running}"] ``` - あるコンテナのみスキャン @@ -806,7 +813,23 @@ Vulsは、DockerホストにSSHで接続し、`docker exec`でDockerコンテナ host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" - containers = ["container_name_a", "4aa37a8b63b9"] + + [servers.172-31-4-82.containers] + includes = ["container_name_a", "4aa37a8b63b9"] + ``` + +- あるコンテナ以外をスキャン + ``` + [servers] + + [servers.172-31-4-82] + host = "172.31.4.82" + user = "ec2-user" + keyPath = "/home/username/.ssh/id_rsa" + + [servers.172-31-4-82.containers] + indludes = ["${running}"] + excludes = ["container_name_a", "4aa37a8b63b9"] ``` - コンテナのみをスキャンする場合(ホストはスキャンしない) @@ -822,9 +845,10 @@ Vulsは、ホストにSSHで接続し、`lxc exec`でLXDコンテナにコマン host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" -containers = ["${running}"] -[servers.172-31-4-82.container] + +[servers.172-31-4-82.containers] type = "lxd" +includes = ["${running}"] ``` # Usage: Report diff --git a/README.md b/README.md index 90655ff9..37ad2611 100644 --- a/README.md +++ b/README.md @@ -447,7 +447,6 @@ subjectPrefix = "[vuls]" #cpeNames = [ # "cpe:/a:rubyonrails:ruby_on_rails:4.2.1", #] -#containers = ["${running}"] #ignoreCves = ["CVE-2016-6313"] #optional = [ # ["key", "value"], @@ -467,9 +466,10 @@ host = "172.31.4.82" #optional = [ # ["key", "value"], #] -#containers = ["${running}"] -#[servers.172-31-4-82.container] -#type = "lxd" +#[servers.172-31-4-82.containers] +#type = "lxd" # or "docker" +#indludes = ["${running}"] +#excludes = ["container_name", "container_id"] ``` You can customize your configuration using this template. @@ -538,7 +538,6 @@ You can customize your configuration using this template. #cpeNames = [ # "cpe:/a:rubyonrails:ruby_on_rails:4.2.1", #] - #containers = ["${running}"] #ignoreCves = ["CVE-2016-6313"] #optional = [ # ["key", "value"], @@ -562,9 +561,10 @@ You can customize your configuration using this template. #optional = [ # ["key", "value"], #] - #containers = ["${running}"] - #[servers.172-31-4-82.container] - #type = "lxd" + #[servers.172-31-4-82.containers] + #type = "lxd" # or "docker" + #indludes = ["${running}"] + #excludes = ["container_name", "container_id"] ``` You can overwrite the default value specified in default section. @@ -794,7 +794,9 @@ For more details, see [Architecture section](https://github.com/future-architect host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" - containers = ["${running}"] + + [servers.172-31-4-82.containers] + indludes = ["${running}"] ``` - To scan specific containers @@ -809,8 +811,25 @@ For more details, see [Architecture section](https://github.com/future-architect host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" - containers = ["container_name_a", "4aa37a8b63b9"] + + [servers.172-31-4-82.containers] + includes = ["container_name_a", "4aa37a8b63b9"] ``` + +- To scan except specific containers + ``` + [servers] + + [servers.172-31-4-82] + host = "172.31.4.82" + user = "ec2-user" + keyPath = "/home/username/.ssh/id_rsa" + + [servers.172-31-4-82.containers] + indludes = ["${running}"] + excludes = ["container_name_a", "4aa37a8b63b9"] + ``` + - To scan containers only - --containers-only option is available. @@ -824,9 +843,10 @@ Vuls scans lxd via `lxc exec` instead of SSH. host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" -containers = ["${running}"] -[servers.172-31-4-82.container] + +[servers.172-31-4-82.containers] type = "lxd" +includes = ["${running}"] ``` ---- diff --git a/commands/configtest.go b/commands/configtest.go index 049e9cf8..8f0a3bed 100644 --- a/commands/configtest.go +++ b/commands/configtest.go @@ -114,6 +114,8 @@ func (p *ConfigtestCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interfa err = c.Load(p.configPath, keyPass) if err != nil { util.Log.Errorf("Error loading %s, %s", p.configPath, err) + util.Log.Errorf("If you update Vuls and get this error, there may be incompatible changes in config.toml") + util.Log.Errorf("Please check README: https://github.com/future-architect/vuls#configuration") return subcommands.ExitUsageError } c.Conf.SSHExternal = p.sshExternal diff --git a/commands/discover.go b/commands/discover.go index d9e0e903..36aeb77e 100644 --- a/commands/discover.go +++ b/commands/discover.go @@ -139,9 +139,10 @@ host = "{{$ip}}" #optional = [ # ["key", "value"], #] -#containers = ["${running}"] -#[servers.{{index $names $i}}.container] +#[servers.{{index $names $i}}.containers] #type = "docker" #or "lxd" defualt: docker +#includes = ["${running}"] +#excludes = ["container_name_a", "4aa37a8b63b9"] {{end}} diff --git a/commands/scan.go b/commands/scan.go index ebdef500..f04005c2 100644 --- a/commands/scan.go +++ b/commands/scan.go @@ -156,6 +156,8 @@ func (p *ScanCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) err = c.Load(p.configPath, keyPass) if err != nil { util.Log.Errorf("Error loading %s, %s", p.configPath, err) + util.Log.Errorf("If you update Vuls and get this error, there may be incompatible changes in config.toml") + util.Log.Errorf("Please check README: https://github.com/future-architect/vuls#configuration") return subcommands.ExitUsageError } diff --git a/config/config.go b/config/config.go index dd7ab958..e7cf4eee 100644 --- a/config/config.go +++ b/config/config.go @@ -339,7 +339,7 @@ type ServerInfo struct { DependencyCheckXMLPath string // Container Names or IDs - Containers []string + Containers Containers IgnoreCves []string @@ -394,10 +394,16 @@ func (s *ServerInfo) SetContainer(d Container) { s.Container = d } +// Containers has Containers information. +type Containers struct { + Type string + Includes []string + Excludes []string +} + // Container has Container information. type Container struct { ContainerID string Name string - Type string Image string } diff --git a/config/tomlloader.go b/config/tomlloader.go index 0c5c9082..6ed77023 100644 --- a/config/tomlloader.go +++ b/config/tomlloader.go @@ -127,12 +127,10 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error { } s.Containers = v.Containers - if len(s.Containers) == 0 { + if len(s.Containers.Includes) == 0 { s.Containers = d.Containers } - s.Container.Type = v.Container.Type - s.IgnoreCves = v.IgnoreCves for _, cve := range d.IgnoreCves { found := false diff --git a/models/models.go b/models/models.go index 4b440b3b..f13d10fd 100644 --- a/models/models.go +++ b/models/models.go @@ -541,6 +541,7 @@ type Container struct { ContainerID string Name string Image string + Type string } // Platform has platform information diff --git a/scan/base.go b/scan/base.go index bd847331..99c4eb40 100644 --- a/scan/base.go +++ b/scan/base.go @@ -77,7 +77,7 @@ func (l base) getPlatform() models.Platform { } func (l base) allContainers() (containers []config.Container, err error) { - switch l.ServerInfo.Container.Type { + switch l.ServerInfo.Containers.Type { case "", "docker": stdout, err := l.dockerPs("-a --format '{{.ID}} {{.Names}} {{.Image}}'") if err != nil { @@ -92,12 +92,12 @@ func (l base) allContainers() (containers []config.Container, err error) { return l.parseLxdPs(stdout) default: return containers, fmt.Errorf( - "Not supported yet: %s", l.ServerInfo.Container.Type) + "Not supported yet: %s", l.ServerInfo.Containers.Type) } } func (l *base) runningContainers() (containers []config.Container, err error) { - switch l.ServerInfo.Container.Type { + switch l.ServerInfo.Containers.Type { case "", "docker": stdout, err := l.dockerPs("--format '{{.ID}} {{.Names}} {{.Image}}'") if err != nil { @@ -112,12 +112,12 @@ func (l *base) runningContainers() (containers []config.Container, err error) { return l.parseLxdPs(stdout) default: return containers, fmt.Errorf( - "Not supported yet: %s", l.ServerInfo.Container.Type) + "Not supported yet: %s", l.ServerInfo.Containers.Type) } } func (l *base) exitedContainers() (containers []config.Container, err error) { - switch l.ServerInfo.Container.Type { + switch l.ServerInfo.Containers.Type { case "", "docker": stdout, err := l.dockerPs("--filter 'status=exited' --format '{{.ID}} {{.Names}} {{.Image}}'") if err != nil { @@ -132,7 +132,7 @@ func (l *base) exitedContainers() (containers []config.Container, err error) { return l.parseLxdPs(stdout) default: return containers, fmt.Errorf( - "Not supported yet: %s", l.ServerInfo.Container.Type) + "Not supported yet: %s", l.ServerInfo.Containers.Type) } } @@ -271,10 +271,15 @@ func (l *base) convertToModel() models.ScanResult { } sort.Sort(l.VulnInfos) + ctype := l.ServerInfo.Containers.Type + if l.ServerInfo.Container.ContainerID != "" && ctype == "" { + ctype = "docker" + } container := models.Container{ ContainerID: l.ServerInfo.Container.ContainerID, Name: l.ServerInfo.Container.Name, Image: l.ServerInfo.Container.Image, + Type: ctype, } errs := []string{} diff --git a/scan/executil.go b/scan/executil.go index 07ee5729..2835367e 100644 --- a/scan/executil.go +++ b/scan/executil.go @@ -339,7 +339,7 @@ func decorateCmd(c conf.ServerInfo, cmd string, sudo bool) string { // } if c.IsContainer() { - switch c.Container.Type { + switch c.Containers.Type { case "", "docker": cmd = fmt.Sprintf(`docker exec %s /bin/bash -c "%s"`, c.Container.ContainerID, cmd) case "lxd": diff --git a/scan/serverapi.go b/scan/serverapi.go index c0198267..487da400 100644 --- a/scan/serverapi.go +++ b/scan/serverapi.go @@ -259,7 +259,7 @@ func detectContainerOSes() (actives, inactives []osTypeInterface) { func detectContainerOSesOnServer(containerHost osTypeInterface) (oses []osTypeInterface) { containerHostInfo := containerHost.getServerInfo() - if len(containerHostInfo.Containers) == 0 { + if len(containerHostInfo.Containers.Includes) == 0 { return } @@ -271,14 +271,24 @@ func detectContainerOSesOnServer(containerHost osTypeInterface) (oses []osTypeIn return append(oses, containerHost) } - if containerHostInfo.Containers[0] == "${running}" { + if containerHostInfo.Containers.Includes[0] == "${running}" { for _, containerInfo := range running { + + found := false + for _, ex := range containerHost.getServerInfo().Containers.Excludes { + if containerInfo.Name == ex || containerInfo.ContainerID == ex { + found = true + } + } + if found { + continue + } + copied := containerHostInfo copied.SetContainer(config.Container{ ContainerID: containerInfo.ContainerID, Name: containerInfo.Name, Image: containerInfo.Image, - Type: containerHostInfo.Container.Type, }) os := detectOS(copied) oses = append(oses, os) @@ -295,7 +305,7 @@ func detectContainerOSesOnServer(containerHost osTypeInterface) (oses []osTypeIn } var exited, unknown []string - for _, container := range containerHostInfo.Containers { + for _, container := range containerHostInfo.Containers.Includes { found := false for _, c := range running { if c.ContainerID == container || c.Name == container {