#!/bin/bash
#
# Refresh the NeuVector scanner vulnerability database tarball and the
# matching version in scanner-databases.spec.
# Requires: podman; skopeo (installed via zypper if missing); jq; GNU tar.

# Strict mode: abort on error, unset variable, or failed pipeline stage.
set -e
set -u
set -o pipefail

# Base name of the produced database archive (version suffix added later).
DATABASE_FILE=neuvector-scanner-database
# Comma-separated candidate image repositories, tried in order.
NEUVECTOR_SCANNER_IMAGE_REPOSITORIES=registry.rancher.com/rancher/neuvector-scanner,neuvector/scanner

# Helper functions
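#######################################
# Print a diagnostic message to stderr.
# Arguments: message words, joined by a single space
# Outputs:   the message followed by a newline, on stderr
#######################################
log() {
  # printf instead of echo: a message that starts with "-n"/"-e" or contains
  # backslashes is printed literally rather than interpreted as echo options.
  printf '%s\n' "$*" >&2
}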
#######################################
# Run tar with the flags that make the archive reproducible: fixed member
# order, root ownership, epoch mtime and the GNU format.
# Arguments: passed through to tar verbatim, ahead of the fixed flags
# Returns:   tar's exit status
#######################################
idempotent_tar() {
  local -a reproducible_flags=(
    --sort=name
    --owner=root:0
    --group=root:0
    --mtime=0
    --format=gnu
  )
  tar "$@" "${reproducible_flags[@]}"
}
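# Podman is needed to pull, run and export the scanner image. `command -v`
# is the portable builtin lookup; `podman version` additionally proves the
# CLI can talk to a working runtime.
if ! command -v podman >/dev/null 2>&1 || ! podman version >/dev/null 2>&1; then
  # Re-run without redirection so the actual failure reason lands in the log.
  podman version || true
  log "Could not find a valid Podman installation"
  exit 1
fi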
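# TODO: Move to recipes image
# skopeo is used below to list registry tags without pulling any image.
# Under `set -e` a failing zypper install aborts the script here.
if ! command -v skopeo >/dev/null 2>&1 || ! skopeo --version >/dev/null 2>&1; then
  zypper install -y skopeo
fi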
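# Try to pull NeuVector Scanner from various repositories
read -r -a NEUVECTOR_SCANNER_IMAGE_REPOSITORIES_ARRAY <<<"$(tr ',' ' ' <<<"$NEUVECTOR_SCANNER_IMAGE_REPOSITORIES")"
NEUVECTOR_SCANNER_PULLED=false
for NEUVECTOR_SCANNER_IMAGE_REPOSITORY in "${NEUVECTOR_SCANNER_IMAGE_REPOSITORIES_ARRAY[@]}"; do
  # Select the highest "MAJOR.MINOR" tag. Tag listings are at best lexically
  # ordered, where "5.10" sorts before "5.9", so sort by version number
  # instead of trusting the last entry. Under pipefail an empty grep result
  # fails the assignment, which simply moves on to the next repository.
  if NEUVECTOR_SCANNER_IMAGE_TAG="$(skopeo list-tags "docker://$NEUVECTOR_SCANNER_IMAGE_REPOSITORY" |
    jq -r '.Tags | .[]' |
    grep -E '^[0-9]\.[0-9]+$' |
    sort -V |
    tail -n 1)" && [[ $NEUVECTOR_SCANNER_IMAGE_TAG =~ ^[0-9]\.[0-9]+$ ]]; then
    log "Pulling $NEUVECTOR_SCANNER_IMAGE_REPOSITORY:$NEUVECTOR_SCANNER_IMAGE_TAG"
    # NOTE(review): the image is selected by mutable tag only; nothing here
    # pins a digest or verifies a signature, so the content is whatever the
    # registry currently serves under that tag.
    if podman pull "$NEUVECTOR_SCANNER_IMAGE_REPOSITORY:$NEUVECTOR_SCANNER_IMAGE_TAG"; then
      NEUVECTOR_SCANNER_PULLED=true
      # Local alias used by every later podman call.
      podman tag "$NEUVECTOR_SCANNER_IMAGE_REPOSITORY:$NEUVECTOR_SCANNER_IMAGE_TAG" neuvector-scanner
      break
    fi
  fi
done
if ! "$NEUVECTOR_SCANNER_PULLED"; then
  log "Could not pull any NeuVector Scanner image of: ${NEUVECTOR_SCANNER_IMAGE_REPOSITORIES_ARRAY[*]}"
  exit 1
fi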
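log "Obtaining vulnerability database version"
# Ask the scanner binary inside the pulled image for its database version.
DATABASE_VERSION="$(
  podman run --rm --entrypoint=scanner neuvector-scanner \
    -d /etc/neuvector/db/ -v | grep -Eo '[0-9.]+'
)"
# The value is spliced into the spec file and into file names below, so
# refuse anything that is not a single dotted number. An empty result or
# several grep matches on separate lines both fail this anchored match.
if [[ ! $DATABASE_VERSION =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
  log "Unexpected database version output: '$DATABASE_VERSION'"
  exit 1
fi
log "Found database version: $DATABASE_VERSION"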
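SPEC_FILE=scanner-databases.spec

# Rewrite the spec with the detected database version. The spec is copied
# line by line into "newspec"; only the "%define neuvectordbversion" line is
# replaced, everything else passes through unchanged.
rm -f newspec
# IFS= and -r keep indentation and backslashes intact (a bare `read` strips
# leading whitespace from every copied line); `|| [[ -n ... ]]` keeps a last
# line that has no trailing newline. Reading via redirection instead of
# `cat |` keeps the loop in the main shell, so the `exit` below ends the
# script rather than a pipeline subshell.
while IFS= read -r xline || [[ -n "$xline" ]]; do
  if [[ "$xline" == *"%define neuvectordbversion"* ]]; then
    # Compare the currently defined value literally, not as a regex
    # (a "." in the version would otherwise match any character).
    current_version="${xline##*neuvectordbversion}"
    current_version="${current_version#"${current_version%%[![:space:]]*}"}"
    current_version="${current_version%"${current_version##*[![:space:]]}"}"
    if [[ "$current_version" == "$DATABASE_VERSION" ]]; then
      log "The database is up-to-date"
      # -f: newspec does not exist yet when the define is the first line.
      rm -f newspec
      exit 0
    fi
    printf '%s\n' "%define neuvectordbversion $DATABASE_VERSION" >> newspec
  else
    printf '%s\n' "$xline" >> newspec
  fi
done < "$SPEC_FILE"

# An empty spec produces no newspec; nothing to update in that case.
if [[ ! -f newspec ]]; then
  exit
fi
# Show the change in the build log; diff exits 1 when the files differ.
diff -u "$SPEC_FILE" newspec || true
mv newspec "$SPEC_FILE"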
log "Extracting the contents of neuvector-scanner image"
# Export the container's root filesystem into a private temp directory. The
# versioned sub-directory becomes the top-level path inside the database
# tarball built below. The image came from a public registry, so its
# contents are untrusted input and stay confined to TEMP_DIR.
TEMP_DIR="$(mktemp -d)"
EXTRACT_ROOT="$TEMP_DIR/neuvector-scanner-database-$DATABASE_VERSION"
mkdir -p "$EXTRACT_ROOT"
CONTAINER_ID="$(podman create neuvector-scanner)"
podman export "$CONTAINER_ID" | tar x -C "$EXTRACT_ROOT"
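# Compress database and related files (such as certs)
log "Compressing database"
# Only etc/neuvector from the exported rootfs goes into the archive; the
# reproducible tar flags are meant to make the result identical across runs
# for the same input. The member path is quoted like every other expansion.
idempotent_tar -Jcf "$DATABASE_FILE-$DATABASE_VERSION.tar.xz" -C "$TEMP_DIR" \
  "neuvector-scanner-database-$DATABASE_VERSION/etc/neuvector"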
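# Cleanup
podman rm "$CONTAINER_ID"
# The exported rootfs may contain read-only directories, so make the tree
# writable before deleting it. ${TEMP_DIR:?} aborts instead of running
# rm -rf on an empty path if the variable were ever unset.
chmod -R u+w -- "${TEMP_DIR:?}"
rm -rf -- "${TEMP_DIR:?}"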