Add method to scan Dogu images; #136

cloudogu · Nov 27, 2024 · a32591f · a32591f
1 parent 5bf7fdf
commit a32591f
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -1329,6 +1329,24 @@ trivy.saveFormattedTrivyReport(TrivyScanFormat.JSON)
 trivy.saveFormattedTrivyReport(TrivyScanFormat.HTML)
 ```
 
+## Scan Dogu image with Trivy
+
+The `scanDogu()` function lets you scan a Dogu image without typing its full name. The method reads the image name
+and version from the dogu.json inside the directory you point it to via its first argument.
+The default directory is the current directory.
+
+```groovy
+Trivy trivy = new Trivy(this)
+trivy.scanDogu()
+// Explicitly set directory that contains the dogu code (dogu.json)
+trivy.scanDogu("subfolder/test1/jenkins")
+// Set scan options just like in the scanImage method
+trivy.scanDogu(".", TrivySeverityLevel.ALL, TrivyScanStrategy.UNSTABLE, "", "trivy/mydogu.json")
+trivy.saveFormattedTrivyReport(TrivyScanFormat.TABLE)
+trivy.saveFormattedTrivyReport(TrivyScanFormat.JSON)
+trivy.saveFormattedTrivyReport(TrivyScanFormat.HTML)
+```
+
 ## Ignore / allowlist
 
 If you want to ignore / allow certain vulnerabilities, please use a .trivyignore file

diff --git a/src/com/cloudogu/ces/cesbuildlib/Trivy.groovy b/src/com/cloudogu/ces/cesbuildlib/Trivy.groovy
@@ -21,10 +21,10 @@ class Trivy implements Serializable {
      * - Evaluate via exit codes: 0 = no vulnerability; 1 = vulnerabilities found; other = function call failed
      *
      * @param imageName The name of the image to be scanned; may include a version tag
-     * @param trivyVersion The version of Trivy used for scanning
-     * @param additionalFlags Additional Trivy command flags
      * @param severityLevel The vulnerability level to scan. Can be a member of TrivySeverityLevel or a custom String (e.g. 'CRITICAL,LOW')
      * @param strategy The strategy to follow after the scan. Should the build become unstable or failed? Or Should any vulnerability be ignored? (@see TrivyScanStrategy)
+     * @param additionalFlags Additional Trivy command flags
+     * @param trivyReportFile Location of Trivy report file. Should be set individually when scanning multiple images in the same pipeline
      * @return Returns true if the scan was ok (no vulnerability found); returns false if any vulnerability was found
      */
     boolean scanImage(
@@ -70,6 +70,33 @@ class Trivy implements Serializable {
         }
     }
 
+    /**
+     * Scans a dogu image for vulnerabilities.
+     * Notes:
+     * - Use a .trivyignore file for allowed CVEs
+     * - This function will generate a JSON formatted report file which can be converted to other formats via saveFormattedTrivyReport()
+     * - Evaluate via exit codes: 0 = no vulnerability; 1 = vulnerabilities found; other = function call failed
+     *
+     * @param doguDir The directory the dogu code (dogu.json) is located
+     * @param severityLevel The vulnerability level to scan. Can be a member of TrivySeverityLevel or a custom String (e.g. 'CRITICAL,LOW')
+     * @param strategy The strategy to follow after the scan. Should the build become unstable or failed? Or Should any vulnerability be ignored? (@see TrivyScanStrategy)
+     * @param additionalFlags Additional Trivy command flags
+     * @param trivyReportFile Location of Trivy report file. Should be set individually when scanning multiple images in the same pipeline
+     * @return Returns true if the scan was ok (no vulnerability found); returns false if any vulnerability was found
+     */
+    boolean scanDogu(
+        String doguDir = ".",
+        String severityLevel = TrivySeverityLevel.CRITICAL,
+        String strategy = TrivyScanStrategy.UNSTABLE,
+        // Avoid rate limits of default Trivy database source
+        String additionalFlags = "--db-repository public.ecr.aws/aquasecurity/trivy-db --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db",
+        String trivyReportFile = "trivy/trivyReport.json"
+    ) {
+        String image = script.sh(script: "jq .Image ${doguDir}/dogu.json", returnStdout: true)
+        String version = script.sh(script: "jq .Version ${doguDir}/dogu.json", returnStdout: true)
+        return scanImage(image+":"+version, severityLevel, strategy, additionalFlags, trivyReportFile)
+    }
+
     /**
      * Save the Trivy scan results as a file with a specific format
      *