Deep Security Smart Check Scan Report is not working #4

Open
winggundamth opened this issue May 28, 2020 · 1 comment
@winggundamth

After the scan finished, I went to the summary report and found the screenshot below.

[Screenshot: Selection_227]

I dug into some code and found that the report reads the output from docker run deepsecurity/smartcheck-scan-action and writes it to the artifact result file. So this is the cause of the problem, because stdout from docker run is not in valid JSON format. It shows other plain-text output too. I'm not sure whether to open this issue in this smartcheck Jenkins plugin or in https://github.com/deep-security/smartcheck-scan-action

Please find the sample result JSON stdout below

info: Logging in...
info: Logged in
info: Creating scan...
info: Scan started.
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: Checking scan status...
info: scan finished with status: completed-with-findings
{
    "id": "a61daa1f-63bb-4b40-934d-175faaf309e7",
    "href": "/api/scans/a61daa1f-63bb-4b40-934d-175faaf309e7",
    "name": "registry.example.com/bookinfo/productpage:dev",
    "source": {
        "registry": "registry.example.com",
        "repository": "bookinfo/productpage",
        "tag": "dev",
        "type": "docker",
        "insecureSkipVerify": false
    },
    "status": "completed-with-findings",
    "details": {
        "requested": "2020-05-28T11:16:15Z",
        "started": "2020-05-28T11:16:16Z",
        "updated": "2020-05-28T11:16:58Z",
        "completed": "2020-05-28T11:16:58Z",
        "digest": "sha256:f9a8250150f088dae37db50d8d1575a60047f37a7a14fadee4ca2efe686a5e04",
        "os": "linux",
        "architecture": "amd64",
        "results": [
            {
                "id": "sha256:cbdbe7a5bc2a134ca8ec91be58565ec07d037386d1f1d8385412d224deafca08",
                "createdBy": "/bin/sh -c #(nop) ADD file:b91adb67b670d3a6ff9463e48b7def903ed516be66fc4282d22c53e41512be49 in / ",
                "createdAt": "2020-04-24T01:05:03Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:26ebcd19a4e3221ee54d309346df0869af0d74a25920287f70b0ee1da1bf75de",
                "createdBy": "/bin/sh -c apk add --no-cache ca-certificates",
                "createdAt": "2020-04-24T01:10:57Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:35acdcbeccf10aebe0958173e6cb658cc153db5b0494c9b2b0fe40b342374542",
                "createdBy": "/bin/sh -c set -ex \t&& apk add --no-cache --virtual .fetch-deps \t\tgnupg \t\ttar \t\txz \t\t&& wget -O python.tar.xz \"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz\" \t&& wget -O python.tar.xz.asc \"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc\" \t&& export GNUPGHOME=\"$(mktemp -d)\" \t&& gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys \"$GPG_KEY\" \t&& gpg --batch --verify python.tar.xz.asc python.tar.xz \t&& { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \t&& rm -rf \"$GNUPGHOME\" python.tar.xz.asc \t&& mkdir -p /usr/src/python \t&& tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \t&& rm python.tar.xz \t\t&& apk add --no-cache --virtual .build-deps  \t\tbluez-dev \t\tbzip2-dev \t\tcoreutils \t\tdpkg-dev dpkg \t\texpat-dev \t\tfindutils \t\tgcc \t\tgdbm-dev \t\tlibc-dev \t\tlibffi-dev \t\tlibnsl-dev \t\tlibtirpc-dev \t\tlinux-headers \t\tmake \t\tncurses-dev \t\topenssl-dev \t\tpax-utils \t\treadline-dev \t\tsqlite-dev \t\ttcl-dev \t\ttk \t\ttk-dev \t\tutil-linux-dev \t\txz-dev \t\tzlib-dev \t&& apk del --no-network .fetch-deps \t\t&& cd /usr/src/python \t&& gnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\" \t&& ./configure \t\t--build=\"$gnuArch\" \t\t--enable-loadable-sqlite-extensions \t\t--enable-optimizations \t\t--enable-option-checking=fatal \t\t--enable-shared \t\t--with-system-expat \t\t--with-system-ffi \t\t--without-ensurepip \t&& make -j \"$(nproc)\" \t\tEXTRA_CFLAGS=\"-DTHREAD_STACK_SIZE=0x100000\" \t&& make install \t\t&& find /usr/local -type f -executable -not \\( -name '*tkinter*' \\) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \t\t| tr ',' '\\n' \t\t| sort -u \t\t| awk 'system(\"[ -e /usr/local/lib/\" $1 \" ]\") == 0 { next } { print \"so:\" $1 }' \t\t| xargs -rt apk add --no-cache --virtual .python-rundeps \t&& apk del --no-network .build-deps \t\t&& 
find /usr/local -depth \t\t\\( \t\t\t\\( -type d -a \\( -name test -o -name tests -o -name idle_test \\) \\) \t\t\t-o \t\t\t\\( -type f -a \\( -name '*.pyc' -o -name '*.pyo' \\) \\) \t\t\\) -exec rm -rf '{}' + \t&& rm -rf /usr/src/python \t\t&& python3 --version",
                "createdAt": "2020-04-24T01:34:28Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:647f327f91ddb1dd668d2647783c6138710571d7c6f8b87f7e550cbeb619bc26",
                "createdBy": "/bin/sh -c cd /usr/local/bin \t&& ln -s idle3 idle \t&& ln -s pydoc3 pydoc \t&& ln -s python3 python \t&& ln -s python3-config python-config",
                "createdAt": "2020-04-24T01:34:30Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:9add0a120de2565c11f584ee700dbbfc335a3f1d8f5590152463f99146391425",
                "createdBy": "/bin/sh -c set -ex; \t\twget -O get-pip.py \"$PYTHON_GET_PIP_URL\"; \techo \"$PYTHON_GET_PIP_SHA256 *get-pip.py\" | sha256sum -c -; \t\tpython get-pip.py \t\t--disable-pip-version-check \t\t--no-cache-dir \t\t\"pip==$PYTHON_PIP_VERSION\" \t; \tpip --version; \t\tfind /usr/local -depth \t\t\\( \t\t\t\\( -type d -a \\( -name test -o -name tests -o -name idle_test \\) \\) \t\t\t-o \t\t\t\\( -type f -a \\( -name '*.pyc' -o -name '*.pyo' \\) \\) \t\t\\) -exec rm -rf '{}' +; \trm -f get-pip.py",
                "createdAt": "2020-04-29T17:38:10Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:849dbde68abc162cbf7821a798c68298ecea2a4e25d676c1abc41d6532ac6cb5",
                "createdBy": "WORKDIR /usr/src/app",
                "createdAt": "2020-05-28T05:19:29Z",
                "findings": {
                    "contents": {
                        "total": {},
                        "unresolved": {}
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:7249eb61dcd124483687d5f709ea7016d6ec66a90ffd0e3a692f92639e8eff33",
                "createdBy": "COPY /opt/venv /opt/venv # buildkit",
                "createdAt": "2020-05-28T05:25:22Z",
                "contents": "/api/scans/a61daa1f-63bb-4b40-934d-175faaf309e7/layers/sha256:7249eb61dcd124483687d5f709ea7016d6ec66a90ffd0e3a692f92639e8eff33/contents",
                "findings": {
                    "contents": {
                        "total": {
                            "high": 11
                        },
                        "unresolved": {
                            "high": 11
                        }
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            },
            {
                "id": "sha256:2915a4a2b503e3a0bbf480ab152854505aa7aeeb0f5e097d917757adf775769e",
                "createdBy": "COPY src/ /usr/src/app/ # buildkit",
                "createdAt": "2020-05-28T05:25:23Z",
                "contents": "/api/scans/a61daa1f-63bb-4b40-934d-175faaf309e7/layers/sha256:2915a4a2b503e3a0bbf480ab152854505aa7aeeb0f5e097d917757adf775769e/contents",
                "findings": {
                    "contents": {
                        "total": {
                            "high": 1
                        },
                        "unresolved": {
                            "high": 1
                        }
                    },
                    "vulnerabilities": {
                        "total": {},
                        "unresolved": {},
                        "fixAvailable": {}
                    }
                }
            }
        ]
    },
    "findings": {
        "contents": {
            "total": {
                "high": 12
            },
            "unresolved": {
                "high": 12
            }
        },
        "vulnerabilities": {
            "total": {},
            "unresolved": {},
            "fixAvailable": {}
        },
        "checklists": {
            "unresolved": {},
            "total": {}
        },
        "scanners": {
            "malware": {
                "status": "ok",
                "updated": "2020-05-28T00:30:05Z",
                "versions": {
                    "icrc": "1589300",
                    "trendX": "111200",
                    "blacklist": "25100"
                }
            },
            "vulnerabilities": {
                "status": "ok",
                "updated": "2020-05-28T01:08:08Z"
            },
            "vulnerabilityPatterns": {
                "status": "ok"
            }
        }
    }
}info: Content findings exceeded threshold { high: 12 }
@johan1252
Collaborator

johan1252 commented May 28, 2020

Hi @winggundamth,

I was able to reproduce this only when using the kubernetes plugin (1.25.7).
Verified that behaviour is correct when using Jenkins slaves outside of the kubernetes plugin.

The expected behaviour is:
Stdout (no JSON is printed to STDOUT):

16:51:21  info: Logging in...
16:51:21  info: Logged in
16:51:21  info: Creating scan...
16:51:21  info: Scan started.
16:51:26  info: Checking scan status...
16:51:32  info: Checking scan status...
16:51:37  info: Checking scan status...
16:51:37  info: scan finished with status: completed-with-findings
16:51:37  info: Malware found: 1
16:51:37  Status code was: 2
16:51:37  Build root directory: /var/jenkins_home/jobs/Developer/jobs/test/jobs/test/builds/80
16:51:37  Workspace remote: /builds/workspace/Developer/test/test
16:51:37  Archiving artifacts: scan-results.json

Archived file scan-results.json:

{
    "id": "5dd061a8-d21e-424c-bb7f-9b9f2a6a98f6",
    "href": "/api/scans/5dd061a8-d21e-424c-bb7f-9b9f2a6a98f6",
....

contains only valid JSON

At this time it looks like multiple features are not supported when running with the kubernetes plugin. If you are interested in having this support you could look into creating a PR for the kubernetes plugin to fix these issues.
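
Added example, not part of the thread and not code from the Jenkins plugin or the scan action: a pipeline-side check that tells a clean `scan-results.json` from one polluted with log lines like the stdout in the first comment, and recovers the scan object so the findings are still reported instead of silently dropped. The function names are hypothetical, the sample is constructed, and the check assumes the scan object carries top-level `id` and `status` keys as in the sample above.

```python
import json

# Constructed sample modelled on the reported stdout: log lines, the scan
# JSON, then a log line glued directly onto the closing brace.
SAMPLE_STDOUT = '''info: Logging in...
info: scan finished with status: completed-with-findings
{
    "id": "00000000-0000-0000-0000-000000000000",
    "status": "completed-with-findings",
    "findings": {"contents": {"total": {"high": 12}, "unresolved": {"high": 12}}}
}info: Content findings exceeded threshold { high: 12 }
'''


def is_strict_json(text):
    """True only if the whole artifact is one valid JSON document."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def split_scan_output(text):
    """Return (scan_object, stray_lines) from output that mixes logs and JSON.

    Raises ValueError when no scan object is present, so the calling build
    step fails closed instead of publishing an empty report.
    """
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            raise ValueError("no JSON scan object found in output")
        try:
            # raw_decode parses one document at `start` and reports where it
            # ended, so text glued after the closing brace does not matter.
            obj, end = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1  # e.g. the "{ high: 12 }" in a log line
            continue
        if isinstance(obj, dict) and "id" in obj and "status" in obj:
            rest = text[:start] + "\n" + text[end:]
            return obj, [line for line in rest.splitlines() if line.strip()]
        pos = end


if __name__ == "__main__":
    scan, stray = split_scan_output(SAMPLE_STDOUT)
    print(is_strict_json(SAMPLE_STDOUT), scan["status"], len(stray))
```
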
