Merge pull request #1187 from matejak/oscap-docker-fix_rc

Refactored the oscap-docker script.

Author: jan-cerny

utils/oscap-docker.in

@@ -26,31 +26,18 @@ import sys
 from requests import exceptions
 
 
-class OscapDocker(object):
-    ''' Generic class to call the scans '''
-    def __init__(self):
-        pass
-
-    def set_args(self, args, unknown):
-        '''
-        Sets arguments for argparse into the oscapDocker class
-        '''
-        self.args = args
-        self.unknown_args = unknown
-
-    def cve_scan(self):
-        ''' Wrapper function for container/image scanning '''
-        OS = OscapScan()
-        result = OS.scan_cve(self.args.scan_target, self.unknown_args)
-        if result is not None:
-            print(result)
-
-    def scan(self):
-        ''' Wrapper functiopn to scan with openscap'''
-        OS = OscapScan()
-        result = OS.scan(self.args.scan_target, self.unknown_args)
-        if result is not None:
-            print(result)
+def cve_scan(scan_target, other_scan_args):
+    ''' Wrapper function for container/image scanning '''
+    OS = OscapScan()
+    result = OS.scan_cve(scan_target, other_scan_args)
+    return result
+
+
+def scan(scan_target, other_scan_args):
+    ''' Wrapper function to scan with openscap'''
+    OS = OscapScan()
+    result = OS.scan(scan_target, other_scan_args)
+    return result
 
 
 def ping_docker():
@@ -63,10 +50,8 @@ def ping_docker():
         client = docker.Client()
     client.ping()
 
-if __name__ == '__main__':
-
-    OD = OscapDocker()
 
+if __name__ == '__main__':
     parser = argparse.ArgumentParser(description='oscap docker',
                                      epilog='See `man oscap` to learn \
                                      more about OSCAP-ARGUMENTS')
@@ -75,32 +60,32 @@ if __name__ == '__main__':
     # Scan CVEs in image
     image_cve = subparser.add_parser('image-cve', help='Scan a docker image \
                                     for known vulnerabilities.')
-    image_cve.set_defaults(func=OD.cve_scan)
+    image_cve.set_defaults(func=cve_scan)
     image_cve.add_argument('scan_target', help='Container or image to scan')
 
     # Scan an Image
     image = subparser.add_parser('image', help='Scan a docker image')
     image.add_argument('scan_target',
                        help='Container or image to scan')
 
-    image.set_defaults(func=OD.scan)
+    image.set_defaults(func=scan)
     # Scan a container
     container = subparser.add_parser('container', help='Scan a running docker\
                                       container of given name.')
     container.add_argument('scan_target',
                            help='Container or image to scan')
-    container.set_defaults(func=OD.scan)
+    container.set_defaults(func=scan)
 
     # Scan CVEs in container
     container_cve = subparser.add_parser('container-cve', help='Scan a \
                                          running container for known \
                                          vulnerabilities.')
 
-    container_cve.set_defaults(func=OD.cve_scan)
+    container_cve.set_defaults(func=cve_scan)
     container_cve.add_argument('scan_target',
                                help='Container or image to scan')
 
-    args, unknown = parser.parse_known_args()
+    args, leftover_args = parser.parse_known_args()
 
     if "func" not in args:
         parser.print_help()
@@ -113,5 +98,10 @@ if __name__ == '__main__':
         print("The docker daemon does not appear to be running")
         sys.exit(1)
 
-    OD.set_args(args, unknown)
-    args.func()
+    try:
+        rc = args.func(args.scan_target, leftover_args)
+    except Exception as exc:
+        sys.exit(255)
+        raise exc
+
+    sys.exit(rc)

utils/oscap_docker_python/oscap_docker_util.py

@@ -17,6 +17,8 @@
 
 ''' Utilities for oscap-docker '''
 
+from __future__ import print_function
+
 import os
 import tempfile
 import subprocess
@@ -25,6 +27,7 @@
 from oscap_docker_python.get_cve_input import getInputCVE
 import sys
 import docker
+import collections
 
 try:
     from Atomic.mount import DockerMount
@@ -68,6 +71,9 @@ class OscapError(Exception):
     pass
 
 
+OscapResult = collections.namedtuple("OscapResult", ("returncode", "stdout", "stderr"))
+
+
 class OscapHelpers(object):
     ''' oscap class full of helpers for scanning '''
     CPE = 'oval:org.open-scap.cpe.rhel:def:'
@@ -102,10 +108,10 @@ def _get_dist(self, chroot, target):
         if not os.path.exists(cpe_dict):
             raise OscapError()
         for dist in self.DISTS:
-            output = self.oscap_chroot(chroot, target, 'oval', 'eval',
+            result = self.oscap_chroot(chroot, target, 'oval', 'eval',
                                        '--id', self.CPE + dist, cpe_dict,
                                        '2>&1', '>', '/dev/null')
-            if "{0}{1}: true".format(self.CPE, dist) in output:
+            if "{0}{1}: true".format(self.CPE, dist) in result.stdout:
                 return dist
 
     def _get_target_name(self, target):
@@ -149,15 +155,8 @@ def oscap_chroot(self, chroot_path, target, *oscap_args):
         cmd = ['oscap'] + [x for x in oscap_args]
         oscap_process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
         oscap_stdout, oscap_stderr = oscap_process.communicate()
-        if oscap_process.returncode not in [0, 2]:
-            sys.stderr.write("\nCommand: {0} failed!\n".format(" ".join(cmd)))
-            sys.stderr.write("Command returned exit code {0}.\n".format(oscap_process.returncode))
-            sys.stderr.write(oscap_stderr.decode("utf-8") + "\n")
-
-            sys.exit(1)
-
-        sys.stderr.write(oscap_stderr.decode("utf-8") + "\n")
-        return oscap_stdout.decode("utf-8")
+        return OscapResult(oscap_process.returncode,
+                           oscap_stdout.decode("utf-8"), oscap_stderr.decode("utf-8"))
 
     def _scan_cve(self, chroot, target, dist, scan_args):
         '''
@@ -272,13 +271,17 @@ def scan_cve(self, image, scan_args):
             fetch._fetch_single(dist)
 
             # Scan the chroot
-            sys.stdout.write(self.helper._scan_cve(chroot, image, dist, scan_args))
+            scan_result = self.helper._scan_cve(chroot, image, dist, scan_args)
+            print(scan_result.stdout)
+            print(scan_result.stderr, file=sys.stderr)
 
         finally:
             # Clean up
             self.helper._cleanup_by_path(_tmp_mnt_dir, DM)
             self._remove_mnt_dir(mnt_dir)
 
+        return scan_result.returncode
+
     def scan(self, image, scan_args):
         '''
         Wrapper function for basic security scans using
@@ -299,9 +302,13 @@ def scan(self, image, scan_args):
             chroot = self._find_chroot_path(_tmp_mnt_dir)
 
             # Scan the chroot
-            sys.stdout.write(self.helper._scan(chroot, image, scan_args))
+            scan_result = self.helper._scan(chroot, image, scan_args)
+            print(scan_result.stdout)
+            print(scan_result.stderr, file=sys.stderr)
 
         finally:
             # Clean up
             self.helper._cleanup_by_path(_tmp_mnt_dir, DM)
             self._remove_mnt_dir(mnt_dir)
+
+        return scan_result.returncode