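#!/bin/bash
# Annotate an ACS (Advanced Cluster Security) CVE export with cve-analyser results.
#
# Usage: process_acs_cve_export.sh <CSV from ACS>
#
# Input : the CSV exported from ACS. The first row holds the column names; every
#         further row is a comma-separated record whose 6th field is the image
#         name and 7th field the CVE id (fields are assumed to contain no
#         embedded commas — the original field split was a plain awk -F,).
# Output: <input without trailing .csv>_annotated.csv — each input row with one
#         extra column, "RedHat", holding the last comma-separated field of the
#         cve-analyser result line that matches the row's CVE and image
#         repository (empty when nothing matches).
# Requires: the cve-analyser binary on PATH
#         (https://github.com/p-rog/cve-analyser.git — build the Go binary and
#         ensure it is in your PATH).
set -euo pipefail

# CVE/image-repository pairings fed to cve-analyser (created with mktemp in main).
TMP_CVES=""
# cve-analyser results (created with mktemp in main).
CVE_ANALYSER_RESULTS=""

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the temporary files; registered as the EXIT trap so it also runs on
# failure paths. Previously the script wrote to fixed, predictable names under
# /tmp, which another local user could pre-create or symlink.
# Globals: TMP_CVES, CVE_ANALYSER_RESULTS (read)
#######################################
cleanup() {
  if [[ -n "${TMP_CVES}" ]]; then
    rm -f -- "${TMP_CVES}"
  fi
  if [[ -n "${CVE_ANALYSER_RESULTS}" ]]; then
    rm -f -- "${CVE_ANALYSER_RESULTS}"
  fi
  return 0
}

#######################################
# Reduce a full image reference to its repository path below the registry,
# e.g. "registry.redhat.io/openshift4/ose-foo@sha256:..." -> "openshift4/ose-foo"
# and "quay.io/ns/img:1.2" -> "ns/img".
# Arguments: $1 - image reference (registry/repo[:tag|@digest])
# Outputs:   the repository path; an empty line when the reference has no "/"
#######################################
image_repo_of() {
  local ref=$1
  if [[ "${ref}" == *@* ]]; then
    # digest form: drop everything from the first "@"
    ref=${ref%%@*}
  else
    # tag form: only strip ":tag" when the colon sits in the last path component,
    # so a registry port ("host:5000/ns/img") is not mistaken for a tag
    local last=${ref##*/}
    if [[ "${last}" == *:* ]]; then
      ref=${ref%:*}
    fi
  fi
  # everything after the first "/" is the repository; no "/" means no repository part
  if [[ "${ref}" == */* ]]; then
    printf '%s\n' "${ref#*/}"
  else
    printf '\n'
  fi
}

#######################################
# Entry point.
# Arguments: $1 - path to the ACS CSV export
# Globals:   TMP_CVES, CVE_ANALYSER_RESULTS (written)
# Outputs:   progress messages on stdout; the annotated CSV next to the input
# Returns:   0 on success; exits 1 on usage error, missing binary or failure
#######################################
main() {
  if (( $# == 0 )); then
    printf 'Usage: %s <CSV from ACS>\n' "$0" >&2
    exit 1
  fi
  local input_file=$1
  [[ -r "${input_file}" ]] || die "cannot read input file: ${input_file}"
  # Suffix-only strip: "a.csv.bak.csv" keeps its inner ".csv", unlike the old sed.
  local output_file="${input_file%.csv}_annotated.csv"

  # The old check executed the output of `which` via backticks; this only tests
  # that the binary is resolvable on PATH.
  command -v cve-analyser >/dev/null 2>&1 || die "cve-analyser binary missing"

  trap cleanup EXIT
  TMP_CVES=$(mktemp) || die "mktemp failed"
  CVE_ANALYSER_RESULTS=$(mktemp) || die "mktemp failed"

  echo "Parsing ACS input CSV"
  # tail -n +2 skips the header row. The "|| [[ -n ... ]]" keeps a final record
  # that lacks a trailing newline. Splitting with IFS=, mirrors awk -F, : empty
  # fields are preserved and the last placeholder soaks up the remaining columns.
  local line image_name cve
  while IFS= read -r line || [[ -n "${line}" ]]; do
    IFS=, read -r _ _ _ _ _ image_name cve _ <<<"${line}"
    # ACS quotes the CVE id in the export
    cve=${cve//\"/}
    printf '%s,%s\n' "${cve}" "$(image_repo_of "${image_name}")" >> "${TMP_CVES}"
  done < <(tail -n +2 -- "${input_file}")

  # Don't send duplicate pairs to the analyser (in-place sort -u).
  sort -u -o "${TMP_CVES}" "${TMP_CVES}"

  # cve-analyser is multi-threaded and its output is not in input order, so the
  # results are joined back onto the rows by content below, not by position.
  echo "Generating results for CVE and image pairs"
  cve-analyser "${TMP_CVES}" > "${CVE_ANALYSER_RESULTS}" || die "cve-analyser failed"

  echo "Creating annotated CSV file with results"
  local cols repo rst
  cols=$(head -n 1 -- "${input_file}")
  printf '%s,RedHat\n' "${cols}" > "${output_file}"
  while IFS= read -r line || [[ -n "${line}" ]]; do
    IFS=, read -r _ _ _ _ _ image_name cve _ <<<"${line}"
    cve=${cve//\"/}
    repo=$(image_repo_of "${image_name}")
    # Fixed-string lookups (the values are data, not regexes); -w stops
    # CVE-2021-1234 from also matching CVE-2021-12345. A pipeline with no match
    # leaves the new column empty rather than aborting under set -e/pipefail.
    # NOTE(review): several matching result lines still yield a multi-line
    # value, as before — confirm the analyser emits one line per pair.
    rst=$(grep -F -w -- "${cve}" "${CVE_ANALYSER_RESULTS}" \
      | grep -F -- "${repo}" \
      | awk -F, '{print $NF}') || rst=""
    printf '%s,%s\n' "${line}" "${rst}" >> "${output_file}"
  done < <(tail -n +2 -- "${input_file}")
}

main "$@"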