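#!/usr/bin/env bash
#
# create-csv.sh - export the vulnerabilities behind a StackRox / RHACS policy
# violation as a CSV file, one row per (deployment, image, component, CVE).
#
# Usage:   create-csv.sh <output filename>
#
# Required environment:
#   ROX_ENDPOINT    Central address as host[:port]; the script prepends https://
#   ROX_API_TOKEN   API token used as a bearer token against Central. Treat it
#                   as a secret (see the note on tracing below).
# Optional environment:
#   VERSION         CSV layout, "v1" (default) or "v2"
#   POLICY          name of the policy whose alerts are exported (default
#                   "MyCVSSPolicy"). It is spliced verbatim into the alerts
#                   query string, so it must already be URL (percent) encoded:
#                   no raw spaces, use %20 etc.
#
# Strict mode is set with `set` rather than on the shebang line so it still
# applies when the script is started as `bash create-csv.sh`.
# SECURITY: the original shebang was `#! /bin/bash -xe`. With xtrace on, every
# curl invocation was echoed to stderr together with its
# "Authorization: Bearer <ROX_API_TOKEN>" header, so the token ended up in
# terminal scrollback and CI logs. Tracing is therefore off by default; run
# `bash -x create-csv.sh ...` only where the log is private.
set -euo pipefail

VERSION="${VERSION:-v1}"
POLICY="${POLICY:-MyCVSSPolicy}"

# Fail early and loudly on missing configuration. The `:-` fallbacks keep
# `set -u` from aborting with a less helpful "unbound variable" message.
if [[ -z "${ROX_ENDPOINT:-}" ]]; then
  echo >&2 "ROX_ENDPOINT must be set"
  exit 1
fi
if [[ -z "${ROX_API_TOKEN:-}" ]]; then
  echo >&2 "ROX_API_TOKEN must be set"
  exit 1
fi
if [[ -z "${1:-}" ]]; then
  echo >&2 "usage: create-csv.sh <output filename>"
  exit 1
fi
output_file="$1"

# Start (truncate) the output file with the header row of the chosen layout.
# The column order here must match the jq row filters further down.
case "${VERSION}" in
  v1)
    printf '%s\n' '"Deployment", "Image", "CVE", "CVSS Score", "Summary", "Severity", "Component", "Version", "Fixed By", "Layer Index", "Layer Instruction"' > "${output_file}"
    ;;
  v2)
    printf '%s\n' '"Cluster Name", "Cluster Id", "Namespace", "Namespace Id","Deployment", "Image", "CVE", "CVSS Score", "Severity", "Component", "Version", "Fixed By"' > "${output_file}"
    ;;
  *)
    # Diagnostics go to stderr so they never end up mixed into captured output.
    echo >&2 "Unknown version ${VERSION} detected. v1 and v2 supported"
    exit 1
    ;;
esac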
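#######################################
# GET one Central API path and print the response body.
# Globals:   ROX_ENDPOINT, ROX_API_TOKEN (read)
#            ROX_CA_CERT  (optional) path to the CA bundle that signed
#                         Central's certificate
#            ROX_INSECURE (optional) "1" disables TLS verification
# Arguments: $1 - API path relative to https://${ROX_ENDPOINT}/, already
#                 URL-encoded by the caller
# Outputs:   response body on stdout; curl diagnostics on stderr
# Returns:   curl's exit status - non-zero on a transport failure or on an
#            HTTP status >= 400 (--fail)
#
# Security notes:
#  * The bearer token is handed to curl through a config read from stdin
#    (-K -) instead of an `-H` argument, so it is not visible in `ps` output
#    or in an xtrace of this script.
#  * TLS verification is ON by default. The original `-k` sent the token to
#    whatever answered at ROX_ENDPOINT (MITM-able). Point ROX_CA_CERT at
#    Central's CA for self-signed deployments; set ROX_INSECURE=1 only to
#    restore the old behaviour knowingly.
#  * --fail turns 401/403/404 into a non-zero exit instead of an error JSON
#    body that the callers' jq filters would quietly reduce to no rows.
#######################################
curl_central() {
  local path="${1:?curl_central: API path required}"
  local -a opts=(-sS --fail)
  if [[ "${ROX_INSECURE:-}" == "1" ]]; then
    opts+=(-k)
  elif [[ -n "${ROX_CA_CERT:-}" ]]; then
    opts+=(--cacert "${ROX_CA_CERT}")
  fi

  # The config value is written as a double-quoted curl config parameter
  # (the value contains spaces, so it has to be quoted). A newline would end
  # the line and let the remainder be parsed as further curl options, so it
  # is refused; backslash and double quote are escaped per curl's rules.
  if [[ "${ROX_API_TOKEN}" == *$'\n'* ]]; then
    echo >&2 "curl_central: ROX_API_TOKEN must not contain a newline"
    return 1
  fi
  local tok=${ROX_API_TOKEN//\\/\\\\}
  tok=${tok//\"/\\\"}

  printf 'header = "Authorization: Bearer %s"\n' "${tok}" \
    | curl "${opts[@]}" -K - "https://${ROX_ENDPOINT}/${path}"
}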
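# Minimum CVSS score for a vulnerability to be reported. Historically a fixed 7,
# now overridable through CVSS_THRESHOLD. The value is handed to jq with
# --argjson, i.e. it is parsed as jq code, so anything but a plain number is
# rejected here rather than becoming a jq syntax error (or an expression).
cvss="${CVSS_THRESHOLD:-7}"
if [[ ! "${cvss}" =~ ^[0-9]+(\.[0-9]+)?$ ]]; then
  echo >&2 "CVSS_THRESHOLD must be a number, got '${cvss}'"
  exit 1
fi

#######################################
# Reject ids that would change the meaning of the URL path they are spliced
# into. Ids come from Central itself, so this is belt-and-braces.
# Arguments: $1 - candidate path segment
# Returns:   0 if usable, 1 if empty or containing / ? # or whitespace
#######################################
is_safe_path_segment() {
  case "$1" in
    '' | *[/?#[:space:]]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Row filters for the two layouts. Both walk .scan.components in layer order,
# keep the vulns at or above $cvss (v2 additionally drops LOW severity) and
# emit one CSV line per vulnerability. The walk is wrapped in `try` so an
# image without usable scan data produces no rows instead of a jq error.
# NOTE(review): .summary, component names and versions are third-party text.
# A cell starting with '=', '+', '-' or '@' is evaluated as a formula when the
# CSV is opened in Excel/Sheets (CSV injection). It is deliberately not
# neutralised here because other consumers parse this file programmatically;
# import as text or post-process if the file is destined for a spreadsheet.
row_filter_v1='try (
  .metadata.v1.layers as $layers
  | .scan.components | sort_by(.layerIndex, .name) | .[]?
  | . as $component
  | select(.vulns != null) | .vulns[]
  | select(.cvss >= $cvss)
  | [ $deployment_name, $image_name, .cve, .cvss, .summary, .severity,
      $component.name, $component.version, .fixedBy, $component.layerIndex,
      ($layers[$component.layerIndex // 0].instruction + " " + $layers[$component.layerIndex // 0].value) ]
) | @csv'
row_filter_v2='try (
  .metadata.v1.layers as $layers
  | .scan.components | sort_by(.layerIndex, .name) | .[]?
  | . as $component
  | select(.vulns != null) | .vulns[]
  | select((.cvss >= $cvss) and .severity != "LOW_VULNERABILITY_SEVERITY")
  | [ $clusterName, $clusterId, $namespace, $namespaceId, $deployment_name, $image_name,
      .cve, .cvss, .severity, $component.name, $component.version, .fixedBy ]
) | @csv'

# Collect every alert raised by the policy. POLICY must already be
# percent-encoded. Under set -e a failed fetch aborts the run here, so a
# broken endpoint or token cannot degrade into a silently header-only CSV.
res="$(curl_central "v1/alerts?query=Policy%3A${POLICY}")"

# One deployment id per line; `// []` and `// empty` tolerate a response
# without an .alerts array. read-loops replace the original unquoted
# `for x in $(...)` word-splitting, and process substitution keeps the loop
# body in the current shell.
while IFS= read -r deployment_id; do
  if ! is_safe_path_segment "${deployment_id}"; then
    printf >&2 'skipping deployment with unexpected id: %s\n' "${deployment_id}"
    continue
  fi
  # Warn and skip a deployment that can no longer be fetched (it may have
  # been removed since the alert was raised) rather than abandon the export.
  # `jq -c .` both normalises and validates the body as JSON.
  if ! deployment_res="$(curl_central "v1/deployments/${deployment_id}" | jq -c .)"; then
    printf >&2 'warning: could not fetch deployment %s, skipping\n' "${deployment_id}"
    continue
  fi

  # Same skip conditions as before: unnamed deployments and deployments
  # without containers produce no rows.
  deployment_name="$(jq -rc '.name' <<<"${deployment_res}")"
  if [[ "${deployment_name}" == null ]]; then
    continue
  fi
  if [[ "$(jq '.containers | length' <<<"${deployment_res}")" == "0" ]]; then
    continue
  fi
  namespace="$(jq -rc '.namespace' <<<"${deployment_res}")"
  namespace_id="$(jq -rc '.namespaceId' <<<"${deployment_res}")"
  cluster_name="$(jq -rc '.clusterName' <<<"${deployment_res}")"
  cluster_id="$(jq -rc '.clusterId' <<<"${deployment_res}")"

  # Deployment-level columns are passed to jq as named args instead of being
  # exported into the environment; the filters read them as $clusterName etc.
  jq_args=(
    --argjson cvss "${cvss}"
    --arg clusterName "${cluster_name}"
    --arg clusterId "${cluster_id}"
    --arg namespace "${namespace}"
    --arg namespaceId "${namespace_id}"
    --arg deployment_name "${deployment_name}"
  )

  # Render the rows of every image in the deployment. Containers without an
  # image id are dropped by `// empty` instead of triggering a lookup of
  # the literal string "null".
  while IFS= read -r image_id; do
    if ! is_safe_path_segment "${image_id}"; then
      printf >&2 'skipping image with unexpected id: %s\n' "${image_id}"
      continue
    fi
    if ! image_res="$(curl_central "v1/images/${image_id}" | jq -c .)"; then
      printf >&2 'warning: could not fetch image %s, skipping\n' "${image_id}"
      continue
    fi
    if [[ "$(jq -rc '.name' <<<"${image_res}")" == null ]]; then
      continue
    fi
    image_name="$(jq -rc '.name.fullName' <<<"${image_res}")"

    if [[ "${VERSION}" == "v1" ]]; then
      jq -r "${jq_args[@]}" --arg image_name "${image_name}" "${row_filter_v1}" \
        <<<"${image_res}" >> "${output_file}"
    else
      jq -r "${jq_args[@]}" --arg image_name "${image_name}" "${row_filter_v2}" \
        <<<"${image_res}" >> "${output_file}"
    fi
  done < <(jq -r '.containers[]? | .image.id // empty' <<<"${deployment_res}")
done < <(jq -r '(.alerts // [])[] | .deployment.id // empty' <<<"${res}")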