scanner.go

package main

import (
	"context"
	"encoding/json"
	"strings"

	foundation "github.com/estafette/estafette-foundation"
)

type Scanner interface {
	ScanImage(image string) (vulnerabilityReports []VulnerabilityReport, err error)
	UpdateDatabase() (err error)
}

// NewScanner returns a new Scanner
func NewScanner(ctx context.Context) Scanner {
	return &scanner{
		ctx: ctx,
	}
}

type scanner struct {
	ctx context.Context
}

func (s *scanner) ScanImage(image string) (vulnerabilityReports []VulnerabilityReport, err error) {

	output, trivyErr := foundation.GetCommandWithArgsOutput(s.ctx, "/trivy", []string{"--cache-dir", "/trivy-cache", "--quiet", "image", "--light", "--skip-update", "--no-progress", "--exit-code", "15", "--ignore-unfixed", "--format", "json", image})
	if trivyErr == nil {
		return
	}

	if strings.EqualFold(trivyErr.Error(), "exit status 1") {
		// ignore exit code, until trivy fixes this on their side, see https://github.com/aquasecurity/trivy/issues/8
	} else if strings.EqualFold(trivyErr.Error(), "exit status 15") {
		err = json.Unmarshal([]byte(output), &vulnerabilityReports)
	} else {
		err = trivyErr
	}

	return
}

func (s *scanner) UpdateDatabase() (err error) {

	err = foundation.RunCommandWithArgsExtended(s.ctx, "/trivy", []string{"--cache-dir", "/trivy-cache", "--quiet", "image", "--light", "--download-db-only", "--no-progress"})

	return
}

type VulnerabilityReport struct {
	Target          string
	Vulnerabilities []Vulnerability
}

type Vulnerability struct {
	VulnerabilityID  string
	PkgName          string
	InstalledVersion string
	FixedVersion     string
	Severity         string
}