
Commit 8b9eace

authored
Merge pull request #1371 from evgenyz/oscap-docker
Add ability to run uninstalled oscap-docker
2 parents 71d7034 + 31184b6 commit 8b9eace

4 files changed

+20
-25
lines changed


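--- a/run.in
+++ b/run.in
@@ -53,7 +53,8 @@ fi
 
 # For SWIG bindings.
 export PERL5LIB=$b/swig/perl:$b/swig/perl${PERL5LIB:+:$PERL5LIB}
-export PYTHONPATH=$s/swig/python3:$b/swig/src:$b/swig/python3:$b/swig/python3${PYTHONPATH:+:$PYTHONPATH}
+export PYTHONPATH=$s/utils:$s/swig/python3:$b/swig/src:$b/swig/python3:$b/swig/python3${PYTHONPATH:+:$PYTHONPATH}
+export PYTHONDONTWRITEBYTECODE=Y
 
 # This is a cheap way to find some use-after-free and uninitialized
 # read problems when using glibc.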

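--- a/utils/CMakeLists.txt
+++ b/utils/CMakeLists.txt
@@ -39,7 +39,12 @@ if(ENABLE_OSCAP_UTIL_CHROOT)
 )
 endif()
 if(ENABLE_OSCAP_UTIL_DOCKER)
-configure_file("oscap-docker.in" "oscap-docker" @ONLY)
+configure_file("oscap-docker.in" "${CMAKE_CURRENT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/oscap-docker" @ONLY)
+file(
+COPY "${CMAKE_CURRENT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/oscap-docker"
+DESTINATION ${CMAKE_CURRENT_BINARY_DIR}
+FILE_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
+)
 execute_process(COMMAND
 ${OSCAP_DOCKER_PYTHON} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(False, False, prefix='${CMAKE_INSTALL_PREFIX}'))"
 OUTPUT_VARIABLE PYTHON_SITE_PACKAGES_INSTALL_DIR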
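Review bot: `DESTINATION ${CMAKE_CURRENT_BINARY_DIR}` is the one unquoted path in the new file(COPY ...) call, while the COPY source two lines above is quoted; a build directory containing a space or semicolon would be split into several arguments there. Quote it for consistency: `DESTINATION "${CMAKE_CURRENT_BINARY_DIR}"`. The two-step configure-then-copy presumably exists because configure_file() cannot set the executable bit on its output; a one-line comment above `file(` saying so, `# configure_file() cannot set permissions; copy the result back into the build dir with +x`, would spare the next reader the detour.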

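--- a/utils/oscap-docker.in
+++ b/utils/oscap-docker.in
@@ -26,20 +26,6 @@ import sys
 from requests import exceptions
 
 
-def cve_scan(scan_target, other_scan_args):
-''' Wrapper function for container/image scanning '''
-OS = OscapScan()
-result = OS.scan_cve(scan_target, other_scan_args)
-return result
-
-
-def scan(scan_target, other_scan_args):
-''' Wrapper function to scan with openscap'''
-OS = OscapScan()
-result = OS.scan(scan_target, other_scan_args)
-return result
-
-
 def ping_docker():
 ''' Simple check if the docker daemon is running '''
 # Class docker.Client was renamed to docker.APIClient in
@@ -55,33 +41,34 @@ if __name__ == '__main__':
 parser = argparse.ArgumentParser(description='oscap docker',
 epilog='See `man oscap` to learn \
 more about OSCAP-ARGUMENTS')
+parser.add_argument('--oscap', dest='oscap_binary', default='', help='Set the oscap binary to use')
 subparser = parser.add_subparsers(help="commands")
 
 # Scan CVEs in image
 image_cve = subparser.add_parser('image-cve', help='Scan a docker image \
 for known vulnerabilities.')
-image_cve.set_defaults(func=cve_scan)
+image_cve.set_defaults(func=OscapScan.scan_cve)
 image_cve.add_argument('scan_target', help='Container or image to scan')
 
 # Scan an Image
 image = subparser.add_parser('image', help='Scan a docker image')
 image.add_argument('scan_target',
 help='Container or image to scan')
 
-image.set_defaults(func=scan)
+image.set_defaults(func=OscapScan.scan)
 # Scan a container
 container = subparser.add_parser('container', help='Scan a running docker\
 container of given name.')
 container.add_argument('scan_target',
 help='Container or image to scan')
-container.set_defaults(func=scan)
+container.set_defaults(func=OscapScan.scan)
 
 # Scan CVEs in container
 container_cve = subparser.add_parser('container-cve', help='Scan a \
 running container for known \
 vulnerabilities.')
 
-container_cve.set_defaults(func=cve_scan)
+container_cve.set_defaults(func=OscapScan.scan_cve)
 container_cve.add_argument('scan_target',
 help='Container or image to scan')
 
@@ -99,7 +86,8 @@ if __name__ == '__main__':
 sys.exit(1)
 
 try:
-rc = args.func(args.scan_target, leftover_args)
+OS = OscapScan(oscap_binary=args.oscap_binary)
+rc = args.func(OS, args.scan_target, leftover_args)
 except Exception as exc:
 sys.exit(255)
 raise exc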
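Review bot: A wrong `--oscap` value is reported only as exit status 255 with no message: the path is handed to Popen inside the scan, the OSError Popen raises for a missing or non-executable file lands in this `except Exception as exc` block, and `sys.exit(255)` raises SystemExit before the following `raise exc` can ever run. Write the message first, e.g. `sys.stderr.write('oscap-docker: %s\n' % exc)` ahead of `sys.exit(255)`, and drop the dead `raise exc`. The option's help text also hides the fallback that `OscapHelpers` applies for the `''` default; `help='Path to the oscap binary to use (default: oscap found on PATH)'` would state it. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.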

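--- a/utils/oscap_docker_python/oscap_docker_util.py
+++ b/utils/oscap_docker_python/oscap_docker_util.py
@@ -79,8 +79,9 @@ class OscapHelpers(object):
 CPE = 'oval:org.open-scap.cpe.rhel:def:'
 DISTS = ["7", "6", "5"]
 
-def __init__(self, cve_input_dir):
+def __init__(self, cve_input_dir, oscap_binary):
 self.cve_input_dir = cve_input_dir
+self.oscap_binary = oscap_binary or 'oscap'
 
 @staticmethod
 def _mk_tmp_dir(tmp_dir):
@@ -152,7 +153,7 @@ def oscap_chroot(self, chroot_path, target, *oscap_args):
 os.environ["OSCAP_PROBE_OS_NAME"] = platform.system()
 os.environ["OSCAP_PROBE_OS_VERSION"] = platform.release()
 os.environ["OSCAP_EVALUATION_TARGET"] = self._get_target_name(target)
-cmd = ['oscap'] + [x for x in oscap_args]
+cmd = [self.oscap_binary] + [x for x in oscap_args]
 oscap_process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 oscap_stdout, oscap_stderr = oscap_process.communicate()
 return OscapResult(oscap_process.returncode,
@@ -207,9 +208,9 @@ def mount_image_filesystem():
 
 class OscapScan(object):
 def __init__(self, tmp_dir=tempfile.gettempdir(), mnt_dir=None,
-hours_old=2):
+hours_old=2, oscap_binary=''):
 self.tmp_dir = tmp_dir
-self.helper = OscapHelpers(tmp_dir, oscap_binary)
+self.helper = OscapHelpers(tmp_dir, oscap_binary)
 self.mnt_dir = mnt_dir
 self.hours_old = hours_old
 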
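Review bot: `self.oscap_binary` is executed by `oscap_chroot` exactly as given, so the only validation of the new `--oscap` override is the OSError Popen raises mid-scan, after the OSCAP_PROBE_* environment has already been set up process-wide; checking it in `OscapHelpers.__init__` fails fast with a usable message. For an explicit path: `if os.sep in self.oscap_binary and not os.access(self.oscap_binary, os.X_OK): raise ValueError('oscap binary is not executable: %s' % self.oscap_binary)`, leaving a bare name to be resolved through PATH by Popen as before. The list-form Popen keeps this free of shell injection, and since the caller presumably already holds the privileges needed to mount image filesystems (see `mount_image_filesystem` above), the override is trusted operator input rather than a boundary to defend; a comment on the attribute should say so: `# Name or path of the oscap executable; bare names resolve via PATH at Popen time`.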