Merge pull request #260 from kubescape/regv2

regv2

Author: refaelm92

go.mod

@@ -5,9 +5,9 @@ go 1.23.0
 toolchain go1.23.2
 
 require (
-	github.com/armosec/armoapi-go v0.0.467
+	github.com/armosec/armoapi-go v0.0.473
 	github.com/armosec/cluster-notifier-api-go v0.0.5
-	github.com/armosec/registryx v0.0.16
+	github.com/armosec/registryx v0.0.18
 	github.com/armosec/utils-go v0.0.58
 	github.com/armosec/utils-k8s-go v0.0.30
 	github.com/aws/aws-sdk-go v1.50.8
@@ -38,6 +38,7 @@ require (
 	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.44.0
 	go.opentelemetry.io/otel v1.28.0
 	go.opentelemetry.io/otel/trace v1.28.0
+	golang.org/x/sync v0.8.0
 	gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22
 	istio.io/pkg v0.0.0-20231221211216-7635388a563e
 	k8s.io/api v0.30.2
@@ -95,6 +96,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v2 v2.4.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/acobaugh/osrelease v0.1.0 // indirect
@@ -287,7 +289,6 @@ require (
 	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/net v0.29.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.25.0 // indirect
 	golang.org/x/term v0.24.0 // indirect
 	golang.org/x/text v0.18.0 // indirect

go.sum

@@ -97,6 +97,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/IBM/sarama v1.42.1 h1:wugyWa15TDEHh2kvq2gAy1IHLjEjuYOYgXz/ruC/OSQ=
 github.com/IBM/sarama v1.42.1/go.mod h1:Xxho9HkHd4K/MDUo/T/sOqwtX/17D33++E9Wib6hUdQ=
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9boo0=
@@ -137,14 +139,14 @@ github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmV
 github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/armosec/armoapi-go v0.0.467 h1:HkPC4ZWMIoQo0rh0M0yFumOlo/Orrf1TvaRciVv48JI=
-github.com/armosec/armoapi-go v0.0.467/go.mod h1:TruqDSAPgfRBXCeM+Cgp6nN4UhJSbe7la+XDKV2pTsY=
+github.com/armosec/armoapi-go v0.0.473 h1:YPCz2Tj5GmdegItI9PPwY1e4AXGCp2RxS9S17mOF8Zc=
+github.com/armosec/armoapi-go v0.0.473/go.mod h1:TruqDSAPgfRBXCeM+Cgp6nN4UhJSbe7la+XDKV2pTsY=
 github.com/armosec/cluster-notifier-api-go v0.0.5 h1:UKY58ehKocKgtqzrawyaIHJa5paG9A4srv+4/6n+Ez4=
 github.com/armosec/cluster-notifier-api-go v0.0.5/go.mod h1:p5w9/zWIWwpi8W8mHGQdE6HuBb3AxXmZM9Rp//JWvx0=
 github.com/armosec/gojay v1.2.17 h1:VSkLBQzD1c2V+FMtlGFKqWXNsdNvIKygTKJI9ysY8eM=
 github.com/armosec/gojay v1.2.17/go.mod h1:vuvX3DlY0nbVrJ0qCklSS733AWMoQboq3cFyuQW9ybc=
-github.com/armosec/registryx v0.0.16 h1:L+oA9h4cJO42YfqYGO+NkmeloY0+z/VQCPjqVU6i9kU=
-github.com/armosec/registryx v0.0.16/go.mod h1:tWzKL9LcYySAfcujIPgYSvKG+HiJqqiMxF5juUaBKxU=
+github.com/armosec/registryx v0.0.18 h1:DkZ0DEjXSFJshsZQgVSWijTv5VAQ+kyVIdNB8a8E39A=
+github.com/armosec/registryx v0.0.18/go.mod h1:48rlQqJa+WGTKzPsusO8f0BPN6ZeuiiMXoVJYd3h7VU=
 github.com/armosec/utils-go v0.0.58 h1:g9RnRkxZAmzTfPe2ruMo2OXSYLwVSegQSkSavOfmaIE=
 github.com/armosec/utils-go v0.0.58/go.mod h1:CdqKHKruVJMCxGcZXYW9J+5P9FZou8dMzVpcB0Xt8pk=
 github.com/armosec/utils-k8s-go v0.0.30 h1:Gj8MJck0jZPSLSq8ZMiRPT3F/laOYQdaLxXKKcjijt4=

mainhandler/handlerequests.go

@@ -260,6 +260,8 @@ func (actionHandler *ActionHandler) runCommand(ctx context.Context, sessionObj *
 		return actionHandler.updateRegistryScanCronJob(ctx, sessionObj)
 	case apis.TypeDeleteRegistryScanCronJob:
 		return actionHandler.deleteRegistryScanCronJob(ctx)
+	case apis.TypeScanRegistryV2:
+		return actionHandler.scanRegistriesV2(ctx, sessionObj)
 	default:
 		logger.L().Ctx(ctx).Error(fmt.Sprintf("Command %s not found", c.CommandName))
 	}

mainhandler/vulnscan.go

@@ -5,6 +5,9 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/armosec/registryx/interfaces"
+	"github.com/armosec/registryx/registryclients"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"net/url"
 	"strings"
 	"time"
@@ -156,6 +159,102 @@ func (actionHandler *ActionHandler) scanRegistries(ctx context.Context, sessionO
 	return actionHandler.scanRegistry(ctx, registryScan, sessionObj)
 }
 
+func (actionHandler *ActionHandler) scanRegistriesV2(ctx context.Context, sessionObj *utils.SessionObj) error {
+	ctx, span := otel.Tracer("").Start(ctx, "actionHandler.scanRegistries")
+	defer span.End()
+
+	if !actionHandler.config.Components().Kubevuln.Enabled {
+		return errors.New("kubevuln is not enabled")
+	}
+
+	// send change status of registry to scanning
+	imageRegistry, err := actionHandler.loadRegistryFromSessionObj(sessionObj)
+	if err != nil {
+		return fmt.Errorf("scanRegistriesV2 failed to load registry from sessionObj with err %v", err)
+	}
+
+	if err = actionHandler.loadRegistrySecret(ctx, sessionObj, imageRegistry); err != nil {
+		return fmt.Errorf("scanRegistriesV2 failed to load secret with err %v", err)
+	}
+
+	client, err := registryclients.GetRegistryClient(imageRegistry)
+	if err != nil {
+		return fmt.Errorf("scanRegistriesV2 failed to get registry client with err %v", err)
+	}
+
+	images, err := client.GetImagesToScan(ctx)
+	if err != nil {
+		return fmt.Errorf("scanRegistriesV2 failed to get registry images to scan with err %v", err)
+	}
+
+	registryScanCMDList := actionHandler.getRegistryImageScanCommands(sessionObj, client, imageRegistry, images)
+	sessionObj.Reporter.SendDetails(fmt.Sprintf("sending %d images from registry %v to vuln scan", len(registryScanCMDList), imageRegistry), actionHandler.sendReport)
+
+	return sendAllImagesToRegistryScan(ctx, actionHandler.config, registryScanCMDList)
+}
+
+func (actionHandler *ActionHandler) loadRegistrySecret(ctx context.Context, sessionObj *utils.SessionObj, imageRegistry apitypes.ContainerImageRegistry) error {
+	secretName := sessionObj.Command.Args[apitypes.RegistrySecretNameArgKey].(string)
+	secret, err := actionHandler.k8sAPI.KubernetesClient.CoreV1().Secrets(apitypes.KubescapeNamespace).Get(ctx, secretName, metav1.GetOptions{})
+	if err != nil {
+		return fmt.Errorf("loadRegistrySecret failed to get secret with err %v", err)
+	}
+
+	var secretMap map[string]string
+	err = json.Unmarshal(secret.Data[apitypes.RegistryAuthFieldInSecret], &secretMap)
+	if err != nil {
+		return fmt.Errorf("loadRegistrySecret failed to unmarshal registry secret with err %v", err)
+	}
+	err = imageRegistry.FillSecret(secretMap)
+	if err != nil {
+		return fmt.Errorf("loadRegistrySecret failed to fill registry secret with err %v", err)
+	}
+	return nil
+}
+
+func (actionHandler *ActionHandler) loadRegistryFromSessionObj(sessionObj *utils.SessionObj) (apitypes.ContainerImageRegistry, error) {
+	regInfo := sessionObj.Command.Args[apitypes.RegistryInfoArgKey].(map[string]interface{})
+	regInfoBytes, err := json.Marshal(regInfo)
+	if err != nil {
+		return nil, fmt.Errorf("scanRegistriesV2 failed to marshal command arg with err %v", err)
+	}
+	imageRegistry, err := apitypes.UnmarshalRegistry(regInfoBytes)
+	if err != nil {
+		return nil, fmt.Errorf("scanRegistriesV2 failed to unmarshal command with err %v", err)
+	}
+	return imageRegistry, nil
+}
+
+func (actionHandler *ActionHandler) getRegistryImageScanCommands(sessionObj *utils.SessionObj, client interfaces.RegistryClient, imageRegistry apitypes.ContainerImageRegistry, images map[string]string) []*apis.RegistryScanCommand {
+	registryScanCMDList := make([]*apis.RegistryScanCommand, 0, len(images))
+	for image, tag := range images {
+		repository := image
+		parts := strings.Split(image, "/")
+		if len(parts) > 1 {
+			repository = parts[1]
+		}
+		registryScanCommand := &apis.ImageScanParams{
+			ParentJobID: sessionObj.Reporter.GetJobID(),
+			JobID:       uuid.NewString(),
+			ImageTag:    image + ":" + tag,
+			Session:     apis.SessionChain{ActionTitle: "vulnerability-scan", JobIDs: make([]string, 0), Timestamp: sessionObj.Reporter.GetTimestamp()},
+			Args: map[string]interface{}{
+				identifiers.AttributeRegistryName:  imageRegistry.GetDisplayName(),
+				identifiers.AttributeRepository:    repository,
+				identifiers.AttributeTag:           tag,
+				identifiers.AttributeUseHTTP:       false,
+				identifiers.AttributeSkipTLSVerify: false,
+				identifiers.AttributeSensor:        imageRegistry.GetBase().ClusterName,
+			},
+		}
+		registryScanCommand.Credentialslist = append(registryScanCommand.Credentialslist, *client.GetDockerAuth())
+		registryScanCMDList = append(registryScanCMDList, &apis.RegistryScanCommand{
+			ImageScanParams: *registryScanCommand,
+		})
+	}
+	return registryScanCMDList
+}
+
 func (actionHandler *ActionHandler) loadRegistryScan(ctx context.Context, sessionObj *utils.SessionObj) (*registryScan, error) {
 	registryScan := NewRegistryScan(actionHandler.config, actionHandler.k8sAPI)
 	if regName, authMethodType := actionHandler.parseRegistryName(sessionObj); regName != "" {

watcher/registryhandler.go

@@ -6,11 +6,13 @@ import (
 	"fmt"
 	"github.com/armosec/armoapi-go/apis"
 	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/armosec/registryx/registryclients"
 	"github.com/kubescape/backend/pkg/command"
 	"github.com/kubescape/backend/pkg/command/types/v1alpha1"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
+	"golang.org/x/sync/errgroup"
 	batchv1 "k8s.io/api/batch/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -130,9 +132,25 @@ func (ch *RegistryCommandsHandler) patchCommandStatus(command *v1alpha1.Operator
 	logger.L().Info("patchCommandStatus: command status patched successfully")
 }
 
-func (ch *RegistryCommandsHandler) checkRegistry(_ v1alpha1.OperatorCommand) ([]byte, error) {
-	mockResponse := []string{"mockRepo1", "mockRepo2", "mockRepo3"}
-	payload, err := json.Marshal(mockResponse)
+func (ch *RegistryCommandsHandler) checkRegistry(cmd v1alpha1.OperatorCommand) ([]byte, error) {
+	registry, err := armotypes.UnmarshalRegistry(cmd.Spec.Body)
+	if err != nil {
+		logger.L().Error("checkRegistry - failed to unmarshal command payload", helpers.Error(err))
+		return nil, err
+	}
+	client, err := registryclients.GetRegistryClient(registry)
+	if err != nil {
+		logger.L().Error("checkRegistry - failed to get registry client", helpers.Error(err))
+		return nil, err
+	}
+
+	repositories, err := client.GetAllRepositories(context.Background())
+	if err != nil {
+		logger.L().Error("checkRegistry - failed to get registry repositories", helpers.Error(err))
+		return nil, err
+	}
+
+	payload, err := json.Marshal(repositories)
 	if err != nil {
 		return nil, err
 	}
@@ -173,34 +191,48 @@ func (ch *RegistryCommandsHandler) upsertRegistry(cmd v1alpha1.OperatorCommand)
 		logger.L().Error("upsertRegistry - failed to unmarshal command payload", helpers.Error(err))
 		return err
 	}
+	errGroup := errgroup.Group{}
+	errGroup.Go(func() error {
+		secret, err := createSecretObject(registry)
+		if err != nil {
+			logger.L().Error("upsertRegistry - failed to create secret resource", helpers.Error(err))
+			return err
+		}
+		if err = ch.upsertResource(secret, secretGVR, secret.Name); err != nil {
+			logger.L().Error("upsertRegistry - failed to upsert secret resource", helpers.Error(err))
+			return err
+		}
+		return nil
+	})
+
+	errGroup.Go(func() error {
+		configMap, err := createConfigMapObject(registry)
+		if err != nil {
+			logger.L().Error("upsertRegistry - failed to create config map resource", helpers.Error(err))
+			return err
+		}
+		if err = ch.upsertResource(configMap, configMapGVR, configMap.Name); err != nil {
+			logger.L().Error("upsertRegistry - failed to upsert config map resource", helpers.Error(err))
+			return err
+		}
+		return nil
+	})
+
+	errGroup.Go(func() error {
+		cronJob, err := createCronJobObject(ch.k8sAPI, registry)
+		if err != nil {
+			logger.L().Error("upsertRegistry - failed to create cron job resource", helpers.Error(err))
+			return err
+		}
+		if err = ch.upsertResource(cronJob, cronJobGVR, cronJob.Name); err != nil {
+			logger.L().Error("upsertRegistry - failed to upsert cron job resource", helpers.Error(err))
+			return err
+		}
+		return nil
+	})
 
-	secret, err := createSecretObject(registry)
-	if err != nil {
-		logger.L().Error("upsertRegistry - failed to create secret resource", helpers.Error(err))
-		return err
-	}
-	if err = ch.upsertResource(secret, secretGVR, secret.Name); err != nil {
-		logger.L().Error("upsertRegistry - failed to upsert secret resource", helpers.Error(err))
-		return err
-	}
-
-	configMap, err := createConfigMapObject(registry)
-	if err != nil {
-		logger.L().Error("upsertRegistry - failed to create config map resource", helpers.Error(err))
-		return err
-	}
-	if err = ch.upsertResource(configMap, configMapGVR, configMap.Name); err != nil {
-		logger.L().Error("upsertRegistry - failed to upsert config map resource", helpers.Error(err))
-		return err
-	}
-
-	cronJob, err := createCronJobObject(ch.k8sAPI, registry)
-	if err != nil {
-		logger.L().Error("upsertRegistry - failed to create cron job resource", helpers.Error(err))
-		return err
-	}
-	if err = ch.upsertResource(cronJob, cronJobGVR, cronJob.Name); err != nil {
-		logger.L().Error("upsertRegistry - failed to upsert cron job resource", helpers.Error(err))
+	if err := errGroup.Wait(); err != nil {
+		logger.L().Error("upsertRegistry - failed to upsert registry", helpers.Error(err))
 		return err
 	}