2020-04-23 09:12:10 +02:00
|
|
|
package cmd
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2022-01-24 10:48:01 +02:00
|
|
|
piperDocker "github.com/SAP/jenkins-library/pkg/docker"
|
2020-04-23 09:12:10 +02:00
|
|
|
piperhttp "github.com/SAP/jenkins-library/pkg/http"
|
|
|
|
"github.com/SAP/jenkins-library/pkg/log"
|
2022-01-24 10:48:01 +02:00
|
|
|
"github.com/SAP/jenkins-library/pkg/malwarescan"
|
|
|
|
"github.com/SAP/jenkins-library/pkg/piperutils"
|
2020-04-23 09:12:10 +02:00
|
|
|
"github.com/SAP/jenkins-library/pkg/telemetry"
|
2022-01-24 10:48:01 +02:00
|
|
|
"github.com/SAP/jenkins-library/pkg/toolrecord"
|
2020-04-23 09:12:10 +02:00
|
|
|
"github.com/pkg/errors"
|
|
|
|
"io"
|
|
|
|
"os"
|
2022-01-24 10:48:01 +02:00
|
|
|
"path/filepath"
|
|
|
|
"strings"
|
2020-06-03 11:08:34 +02:00
|
|
|
"time"
|
2020-04-23 09:12:10 +02:00
|
|
|
)
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
type malwareScanUtils interface {
|
|
|
|
OpenFile(name string, flag int, perm os.FileMode) (io.ReadCloser, error)
|
|
|
|
SHA256(path string) (string, error)
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
newDockerClient(piperDocker.ClientOptions) piperDocker.Download
|
|
|
|
|
|
|
|
malwarescan.Client
|
|
|
|
piperutils.FileUtils
|
2020-04-23 09:12:10 +02:00
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
type malwareScanUtilsBundle struct {
|
|
|
|
malwarescan.Client
|
|
|
|
*piperutils.Files
|
2020-04-23 09:12:10 +02:00
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
func (utils *malwareScanUtilsBundle) OpenFile(name string, flag int, perm os.FileMode) (io.ReadCloser, error) {
|
|
|
|
return utils.Files.FileOpen(name, flag, perm)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (utils *malwareScanUtilsBundle) newDockerClient(options piperDocker.ClientOptions) piperDocker.Download {
|
|
|
|
dClient := piperDocker.Client{}
|
|
|
|
dClient.SetOptions(options)
|
|
|
|
return &dClient
|
|
|
|
}
|
|
|
|
|
|
|
|
func newMalwareScanUtilsBundle(config malwareExecuteScanOptions) *malwareScanUtilsBundle {
|
|
|
|
timeout, err := time.ParseDuration(fmt.Sprintf("%ss", config.Timeout))
|
|
|
|
if err != nil {
|
|
|
|
timeout = 60
|
|
|
|
log.Entry().Warnf("Unable to parse timeout for malwareScan: '%v'. Falling back to %ds", err, timeout)
|
|
|
|
}
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
httpClientOptions := piperhttp.ClientOptions{
|
|
|
|
Username: config.Username,
|
|
|
|
Password: config.Password,
|
|
|
|
MaxRequestDuration: timeout,
|
|
|
|
TransportTimeout: timeout,
|
|
|
|
}
|
2020-04-23 09:12:10 +02:00
|
|
|
|
|
|
|
httpClient := &piperhttp.Client{}
|
2022-01-24 10:48:01 +02:00
|
|
|
httpClient.SetOptions(httpClientOptions)
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
return &malwareScanUtilsBundle{
|
|
|
|
Client: &malwarescan.ClientImpl{
|
|
|
|
HTTPClient: httpClient,
|
|
|
|
Host: config.Host,
|
|
|
|
},
|
|
|
|
Files: &piperutils.Files{},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func malwareExecuteScan(config malwareExecuteScanOptions, telemetryData *telemetry.CustomData) {
|
|
|
|
utils := newMalwareScanUtilsBundle(config)
|
|
|
|
|
|
|
|
err := runMalwareScan(&config, telemetryData, utils)
|
2020-04-23 09:12:10 +02:00
|
|
|
if err != nil {
|
|
|
|
log.Entry().WithError(err).Fatal("step execution failed")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
func runMalwareScan(config *malwareExecuteScanOptions, telemetryData *telemetry.CustomData, utils malwareScanUtils) error {
|
|
|
|
file, err := selectAndPrepareFileForMalwareScan(config, utils)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
log.Entry().Infof("Scanning file \"%s\" for malware using service \"%s\"", file, config.Host)
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
candidate, err := utils.OpenFile(file, os.O_RDONLY, 0666)
|
2020-04-23 09:12:10 +02:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer candidate.Close()
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
scannerInfo, err := utils.Info()
|
2020-06-03 11:08:34 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
log.Entry().Infof("***************************************")
|
|
|
|
log.Entry().Infof("* Engine: %s", scannerInfo.EngineVersion)
|
|
|
|
log.Entry().Infof("* Signatures: %s", scannerInfo.SignatureTimestamp)
|
|
|
|
log.Entry().Infof("***************************************")
|
|
|
|
|
|
|
|
if _, err = createToolRecordMalwareScan("./", config, scannerInfo); err != nil {
|
|
|
|
return err
|
2020-06-03 11:08:34 +02:00
|
|
|
}
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
scanResponse, err := utils.Scan(candidate)
|
2020-04-23 09:12:10 +02:00
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
if err = createMalwareScanReport(config, scanResponse, utils); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2020-04-23 09:12:10 +02:00
|
|
|
log.Entry().Debugf(
|
2022-01-24 10:48:01 +02:00
|
|
|
"File '%s' has been scanned. MalwareDetected: %t, EncryptedContentDetected: %t, ScanSize: %d, MimeType: '%s', SHA256: '%s', Finding: '%s'",
|
|
|
|
file,
|
2020-04-23 09:12:10 +02:00
|
|
|
scanResponse.MalwareDetected,
|
|
|
|
scanResponse.EncryptedContentDetected,
|
|
|
|
scanResponse.ScanSize,
|
|
|
|
scanResponse.MimeType,
|
2022-01-24 10:48:01 +02:00
|
|
|
scanResponse.SHA256,
|
|
|
|
scanResponse.Finding)
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
if err = validateHash(scanResponse.SHA256, file, utils); err != nil {
|
2020-04-23 09:12:10 +02:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if scanResponse.MalwareDetected || scanResponse.EncryptedContentDetected {
|
2022-01-24 10:48:01 +02:00
|
|
|
return fmt.Errorf("Malware scan failed for file '%s'. Malware detected: %t, encrypted content detected: %t, finding: %v",
|
|
|
|
file, scanResponse.MalwareDetected, scanResponse.EncryptedContentDetected, scanResponse.Finding)
|
2020-04-23 09:12:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
log.Entry().Infof("Malware scan succeeded for file '%s'. Malware detected: %t, encrypted content detected: %t",
|
2022-01-24 10:48:01 +02:00
|
|
|
file, scanResponse.MalwareDetected, scanResponse.EncryptedContentDetected)
|
2020-04-23 09:12:10 +02:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
func selectAndPrepareFileForMalwareScan(config *malwareExecuteScanOptions, utils malwareScanUtils) (string, error) {
|
|
|
|
if len(config.ScanFile) > 0 {
|
|
|
|
return config.ScanFile, nil
|
2020-04-23 09:12:10 +02:00
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
// automatically detect the file to be scanned depending on the buildtool
|
|
|
|
if config.BuildTool == "docker" && len(config.ScanImage) > 0 {
|
|
|
|
correctMalwareDockerConfigEnvVar(config, utils)
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
saveImageOptions := containerSaveImageOptions{
|
|
|
|
ContainerImage: config.ScanImage,
|
|
|
|
ContainerRegistryURL: config.ScanImageRegistryURL,
|
|
|
|
IncludeLayers: config.ScanImageIncludeLayers,
|
|
|
|
FilePath: config.ScanImage,
|
|
|
|
}
|
|
|
|
dClientOptions := piperDocker.ClientOptions{ImageName: saveImageOptions.ContainerImage, RegistryURL: saveImageOptions.ContainerRegistryURL, LocalPath: "", IncludeLayers: saveImageOptions.IncludeLayers}
|
|
|
|
dClient := utils.newDockerClient(dClientOptions)
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
tarFile, err := runContainerSaveImage(&saveImageOptions, &telemetry.CustomData{}, "./cache", "", dClient)
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
if err != nil {
|
|
|
|
if strings.Contains(fmt.Sprint(err), "no image found") {
|
|
|
|
log.SetErrorCategory(log.ErrorConfiguration)
|
|
|
|
}
|
|
|
|
return "", errors.Wrapf(err, "failed to download Docker image %v", config.ScanImage)
|
|
|
|
}
|
|
|
|
return tarFile, nil
|
2020-04-23 09:12:10 +02:00
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
return "", fmt.Errorf("Please specify a file to be scanned")
|
2020-04-23 09:12:10 +02:00
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
func validateHash(remoteHash, fileName string, utils malwareScanUtils) error {
|
|
|
|
hash, err := utils.SHA256(fileName)
|
2020-04-23 09:12:10 +02:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if hash == remoteHash {
|
|
|
|
log.Entry().Infof("Hash returned from malwarescan service matches file hash for file '%s' (%s)", fileName, hash)
|
|
|
|
} else {
|
|
|
|
return fmt.Errorf("Hash returned from malwarescan service ('%s') does not match file hash ('%s') for file '%s'",
|
|
|
|
remoteHash, hash, fileName)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
// create toolrecord file for malwarescan
|
|
|
|
func createToolRecordMalwareScan(workspace string, config *malwareExecuteScanOptions, scanner *malwarescan.Info) (string, error) {
|
|
|
|
record := toolrecord.New(workspace, "malwarescan", config.Host)
|
|
|
|
record.SetOverallDisplayData("Malware Scanner", "")
|
2020-04-23 09:12:10 +02:00
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
if err := record.AddKeyData("engineVersion", scanner.EngineVersion, "Engine Version", ""); err != nil {
|
2020-04-23 09:12:10 +02:00
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
if err := record.AddKeyData("signatureTimestamp", scanner.SignatureTimestamp, "Signature Timestamp", ""); err != nil {
|
2020-04-23 09:12:10 +02:00
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
if err := record.Persist(); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
return record.GetFileName(), nil
|
2020-04-23 09:12:10 +02:00
|
|
|
}
|
|
|
|
|
2022-01-24 10:48:01 +02:00
|
|
|
func createMalwareScanReport(config *malwareExecuteScanOptions, scanResult *malwarescan.ScanResult, utils malwareScanUtils) error {
|
|
|
|
scanResultJSON, err := json.Marshal(scanResult)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return utils.FileWrite(config.ReportFileName, scanResultJSON, 0666)
|
|
|
|
}
|
|
|
|
|
|
|
|
func correctMalwareDockerConfigEnvVar(config *malwareExecuteScanOptions, utils malwareScanUtils) {
|
|
|
|
path := config.DockerConfigJSON
|
|
|
|
if len(path) > 0 {
|
|
|
|
log.Entry().Infof("Docker credentials configuration: %v", path)
|
|
|
|
if len(config.ScanImageRegistryURL) > 0 && len(config.ContainerRegistryUser) > 0 && len(config.ContainerRegistryPassword) > 0 {
|
|
|
|
var err error
|
|
|
|
path, err = piperDocker.CreateDockerConfigJSON(config.ScanImageRegistryURL, config.ContainerRegistryUser, config.ContainerRegistryPassword, "", config.DockerConfigJSON, utils)
|
|
|
|
if err != nil {
|
|
|
|
log.Entry().Warningf("failed to update Docker config.json: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
path, _ := utils.Abs(path)
|
|
|
|
// use parent directory
|
|
|
|
path = filepath.Dir(path)
|
|
|
|
os.Setenv("DOCKER_CONFIG", path)
|
|
|
|
} else {
|
|
|
|
log.Entry().Info("Docker credentials configuration: NONE")
|
|
|
|
}
|
2020-04-23 09:12:10 +02:00
|
|
|
}
|