Documentation
Overview
Package vulnerabilityreport provides primitives for working with vulnerability scanners.
Index
- Variables
- func GetScanJobName(obj client.Object) string
- func OrderedBy(less ...LessFunc) *multiSorter
- func RegistryCredentialsSecretName(obj client.Object) string
- type BySeverity
- type LessFunc
- type Plugin
- type ReadWriter
- type Reader
- type ReportBuilder
- func (b *ReportBuilder) Container(name string) *ReportBuilder
- func (b *ReportBuilder) Controller(controller client.Object) *ReportBuilder
- func (b *ReportBuilder) Data(data v1alpha1.VulnerabilityReportData) *ReportBuilder
- func (b *ReportBuilder) Get() (v1alpha1.VulnerabilityReport, error)
- func (b *ReportBuilder) PodSpecHash(hash string) *ReportBuilder
- func (b *ReportBuilder) ReportTTL(ttl *time.Duration) *ReportBuilder
- type ScanJobBuilder
- func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error)
- func (s *ScanJobBuilder) WithAnnotations(annotations map[string]string) *ScanJobBuilder
- func (s *ScanJobBuilder) WithCredentials(credentials map[string]docker.Auth) *ScanJobBuilder
- func (s *ScanJobBuilder) WithObject(object client.Object) *ScanJobBuilder
- func (s *ScanJobBuilder) WithPlugin(plugin Plugin) *ScanJobBuilder
- func (s *ScanJobBuilder) WithPluginContext(pluginContext starboard.PluginContext) *ScanJobBuilder
- func (s *ScanJobBuilder) WithPodTemplateLabels(podTemplateLabels labels.Set) *ScanJobBuilder
- func (s *ScanJobBuilder) WithTimeout(timeout time.Duration) *ScanJobBuilder
- func (s *ScanJobBuilder) WithTolerations(tolerations []corev1.Toleration) *ScanJobBuilder
- type Scanner
- type Vulnerabilities
- type WorkloadController
- type Writer
Constants
This section is empty.
Variables
var (
    SummaryCount = []LessFunc{
        func(r1, r2 *v1alpha1.VulnerabilityReport) bool {
            return r1.Report.Summary.CriticalCount < r2.Report.Summary.CriticalCount
        },
        func(r1, r2 *v1alpha1.VulnerabilityReport) bool {
            return r1.Report.Summary.HighCount < r2.Report.Summary.HighCount
        },
        func(r1, r2 *v1alpha1.VulnerabilityReport) bool {
            return r1.Report.Summary.MediumCount < r2.Report.Summary.MediumCount
        },
        func(r1, r2 *v1alpha1.VulnerabilityReport) bool {
            return r1.Report.Summary.LowCount < r2.Report.Summary.LowCount
        },
        func(r1, r2 *v1alpha1.VulnerabilityReport) bool {
            return r1.Report.Summary.UnknownCount < r2.Report.Summary.UnknownCount
        }}
)
Functions
func GetScanJobName (added in v0.11.0)
func OrderedBy (added in v0.10.0)
func OrderedBy(less ...LessFunc) *multiSorter
OrderedBy returns a Sorter that sorts using the LessFunc functions, in order. Call its Sort method to sort the data.
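The multi-key ordering that OrderedBy and SummaryCount describe, as an added example that is not code from this package. The summary and report types are stand-ins for v1alpha1.VulnerabilityReport, and multiLess is an assumption about how the comparators chain (the first key that distinguishes two reports decides), not the package's unexported multiSorter. The sort is reversed so the worst report comes first for triage.

```go
package main

import (
	"fmt"
	"sort"
)

// Stand-ins (assumptions) for v1alpha1.VulnerabilityReport and its summary counts.
type summary struct{ Critical, High, Medium, Low, Unknown int }
type report struct{ Name string; Summary summary }
type lessFunc func(a, b *report) bool

// Same key priority as the package's SummaryCount variable.
var summaryCount = []lessFunc{
	func(a, b *report) bool { return a.Summary.Critical < b.Summary.Critical },
	func(a, b *report) bool { return a.Summary.High < b.Summary.High },
	func(a, b *report) bool { return a.Summary.Medium < b.Summary.Medium },
	func(a, b *report) bool { return a.Summary.Low < b.Summary.Low },
	func(a, b *report) bool { return a.Summary.Unknown < b.Summary.Unknown },
}

// multiLess chains the comparators: the first key on which a and b differ decides.
func multiLess(keys []lessFunc, a, b *report) bool {
	for _, less := range keys {
		if less(a, b) || less(b, a) {
			return less(a, b)
		}
	}
	return false // equal on every key
}

// triageOrder returns a copy sorted worst-first (the ascending order, reversed).
func triageOrder(in []report) []report {
	out := append([]report(nil), in...)
	sort.SliceStable(out, func(i, j int) bool { return multiLess(summaryCount, &out[j], &out[i]) })
	return out
}

func main() {
	// Constructed sample: api and nginx tie on critical, so the high count decides.
	for _, r := range triageOrder([]report{
		{"nginx", summary{Critical: 1, High: 4}},
		{"redis", summary{High: 9}},
		{"api", summary{Critical: 1, High: 7}},
	}) {
		fmt.Println(r.Name, r.Summary)
	}
}
```

Because the critical count is compared first, redis ranks last despite having the most high-severity findings.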
func RegistryCredentialsSecretName (added in v0.15.0)
Types
type BySeverity (added in v0.9.2)
type BySeverity struct{ Vulnerabilities }
BySeverity implements sort.Interface by providing Less and using the Vulnerabilities.Len and Vulnerabilities.Swap methods of the embedded Vulnerabilities value.
func (BySeverity) Less (added in v0.9.2)
func (s BySeverity) Less(i, j int) bool
type LessFunc (added in v0.10.0)
type LessFunc func(p1, p2 *v1alpha1.VulnerabilityReport) bool
type Plugin (added in v0.8.0)
type Plugin interface {
    // Init is a callback to initialize this plugin, e.g. ensure the default
    // configuration.
    Init(ctx starboard.PluginContext) error

    // GetScanJobSpec describes the pod that will be created by Starboard when
    // it schedules a Kubernetes job to scan the workload with the specified
    // descriptor.
    // The second argument maps container names to Docker registry credentials,
    // which can be passed to the scanner as environment variables with values
    // set from returned secrets.
    GetScanJobSpec(ctx starboard.PluginContext, workload client.Object, credentials map[string]docker.Auth) (
        corev1.PodSpec, []*corev1.Secret, error)

    // ParseVulnerabilityReportData is a callback to parse and convert logs of
    // the pod controlled by the scan job to v1alpha1.VulnerabilityScanResult.
    ParseVulnerabilityReportData(ctx starboard.PluginContext, imageRef string, logsReader io.ReadCloser) (
        v1alpha1.VulnerabilityReportData, error)
}
Plugin defines the interface between Starboard and static vulnerability scanners.
type ReadWriter
func NewReadWriter
func NewReadWriter(client client.Client) ReadWriter
NewReadWriter constructs a new ReadWriter that uses the client package provided by the controller-runtime libraries to interact with the Kubernetes API server.
type Reader
type Reader interface {
    FindByOwner(context.Context, kube.ObjectRef) ([]v1alpha1.VulnerabilityReport, error)
    FindByOwnerInHierarchy(ctx context.Context, object kube.ObjectRef) ([]v1alpha1.VulnerabilityReport, error)
}
Reader is the interface that wraps methods for finding v1alpha1.VulnerabilityReport objects.
FindByOwner returns the slice of v1alpha1.VulnerabilityReport instances owned by the given kube.ObjectRef or an empty slice if the reports are not found.
FindByOwnerInHierarchy is similar to FindByOwner, except that it tries to look up v1alpha1.VulnerabilityReport objects owned by related Kubernetes objects. For example, if the given owner is a Deployment but the reports are owned by the active ReplicaSet (current revision), this method will return the reports.
type ReportBuilder (added in v0.11.0)
type ReportBuilder struct {
    // contains filtered or unexported fields
}
func NewReportBuilder (added in v0.11.0)
func NewReportBuilder(scheme *runtime.Scheme) *ReportBuilder
func (*ReportBuilder) Container (added in v0.11.0)
func (b *ReportBuilder) Container(name string) *ReportBuilder
func (*ReportBuilder) Controller (added in v0.11.0)
func (b *ReportBuilder) Controller(controller client.Object) *ReportBuilder
func (*ReportBuilder) Data (added in v0.11.0)
func (b *ReportBuilder) Data(data v1alpha1.VulnerabilityReportData) *ReportBuilder
func (*ReportBuilder) Get (added in v0.11.0)
func (b *ReportBuilder) Get() (v1alpha1.VulnerabilityReport, error)
func (*ReportBuilder) PodSpecHash (added in v0.11.0)
func (b *ReportBuilder) PodSpecHash(hash string) *ReportBuilder
func (*ReportBuilder) ReportTTL (added in v0.14.0)
func (b *ReportBuilder) ReportTTL(ttl *time.Duration) *ReportBuilder
type ScanJobBuilder (added in v0.13.0)
type ScanJobBuilder struct {
    // contains filtered or unexported fields
}
func NewScanJobBuilder (added in v0.13.0)
func NewScanJobBuilder() *ScanJobBuilder
func (*ScanJobBuilder) WithAnnotations (added in v0.13.0)
func (s *ScanJobBuilder) WithAnnotations(annotations map[string]string) *ScanJobBuilder
func (*ScanJobBuilder) WithCredentials (added in v0.13.0)
func (s *ScanJobBuilder) WithCredentials(credentials map[string]docker.Auth) *ScanJobBuilder
func (*ScanJobBuilder) WithObject (added in v0.13.0)
func (s *ScanJobBuilder) WithObject(object client.Object) *ScanJobBuilder
func (*ScanJobBuilder) WithPlugin (added in v0.13.0)
func (s *ScanJobBuilder) WithPlugin(plugin Plugin) *ScanJobBuilder
func (*ScanJobBuilder) WithPluginContext (added in v0.13.0)
func (s *ScanJobBuilder) WithPluginContext(pluginContext starboard.PluginContext) *ScanJobBuilder
func (*ScanJobBuilder) WithPodTemplateLabels (added in v0.14.0)
func (s *ScanJobBuilder) WithPodTemplateLabels(podTemplateLabels labels.Set) *ScanJobBuilder
func (*ScanJobBuilder) WithTimeout (added in v0.13.0)
func (s *ScanJobBuilder) WithTimeout(timeout time.Duration) *ScanJobBuilder
func (*ScanJobBuilder) WithTolerations (added in v0.13.0)
func (s *ScanJobBuilder) WithTolerations(tolerations []corev1.Toleration) *ScanJobBuilder
type Scanner
type Scanner struct {
    // contains filtered or unexported fields
}
Scanner is a template for running static vulnerability scanners that implement the Plugin interface.
func NewScanner (added in v0.8.0)
func NewScanner(
    clientset kubernetes.Interface,
    client client.Client,
    plugin Plugin,
    pluginContext starboard.PluginContext,
    config starboard.ConfigData,
    opts kube.ScannerOpts,
) *Scanner
NewScanner constructs a new static vulnerability Scanner with the specified Plugin that knows how to perform the actual scanning, which is performed by running a Kubernetes job, and knows how to convert logs to instances of v1alpha1.VulnerabilityReport.
func (*Scanner) Scan (added in v0.8.0)
func (s *Scanner) Scan(ctx context.Context, workload kube.ObjectRef) ([]v1alpha1.VulnerabilityReport, error)
Scan creates a Kubernetes job to scan the specified workload. The pod created by the scan job has a template contributed by the Plugin. It is a blocking method that watches the status of the job until it succeeds or fails. When the job succeeds, it parses the container logs and converts the output to instances of v1alpha1.VulnerabilityReport, delegating that transformation logic to the Plugin as well.
type Vulnerabilities (added in v0.9.2)
type Vulnerabilities []v1alpha1.Vulnerability
func (Vulnerabilities) Len (added in v0.9.2)
func (s Vulnerabilities) Len() int
func (Vulnerabilities) Swap (added in v0.9.2)
func (s Vulnerabilities) Swap(i, j int)
type WorkloadController (added in v0.15.0)
type WorkloadController struct {
    logr.Logger
    etc.Config
    client.Client
    kube.ObjectResolver
    controller.LimitChecker
    kube.LogsReader
    kube.SecretsReader
    Plugin
    starboard.PluginContext
    ReadWriter
    starboard.ConfigData
}
WorkloadController watches Kubernetes workloads and generates v1alpha1.VulnerabilityReport instances using a vulnerability scanner that implements the Plugin interface.
func (*WorkloadController) SetupWithManager (added in v0.15.0)
func (r *WorkloadController) SetupWithManager(mgr ctrl.Manager) error