diff --git a/CVEs/Makefile b/CVEs/Makefile index aa06b47b..0a2567c8 100644 --- a/CVEs/Makefile +++ b/CVEs/Makefile @@ -7,7 +7,7 @@ scan-vulns \ concat-multiple-kfd-images-list -KFD_VERSIONS := $(shell find . -type d -name "v*" -maxdepth 1 -mindepth 1 | cut -d/ -f2 | sort ) +KFD_VERSIONS := $(shell find . -maxdepth 1 -mindepth 1 -type d -name "v*" | cut -d/ -f2 | sort ) DRY_RUN := 1 PATCH_FILE_IMAGE_LIST_TO_PATCHING := all_kfd_images.txt diff --git a/CVEs/patch_images_with_copacetic.sh b/CVEs/patch_images_with_copacetic.sh index 32525125..ef17d2f1 100755 --- a/CVEs/patch_images_with_copacetic.sh +++ b/CVEs/patch_images_with_copacetic.sh @@ -62,6 +62,7 @@ echo -n "" > "${PATCH_ERROR_OUTPUT_FILE}" REGISTRY_BASE_URL='registry.sighup.io/fury/' REGISTRY_SECURED_BASE_URL='registry.sighup.io/fury-secured/' RETURN_ERROR=0 +PATCH_IMAGE_RETURN_ERROR=0 function patch_image() { local image="$1" @@ -73,7 +74,7 @@ function patch_image() { secured_image_repo=$(echo ${secured_image} | cut -d: -f1) ARCHITECTURES=$(get_architecture_and_digest ${image_to_patch} | jq -r '.[].architecture' ) - [[ -z "${ARCHITECTURES}" ]] && error "no architectures found for ${image_to_patch}" && RETURN_ERROR=$((RETURN_ERROR + 1 )) && return 1 + [[ -z "${ARCHITECTURES}" ]] && error "no architectures found for ${image_to_patch}" && PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1 )) && return $PATCH_IMAGE_RETURN_ERROR MULTI_ARCH_IMAGES="" @@ -87,7 +88,7 @@ function patch_image() { if ! docker pull "${image_to_patch_with_digest}" --platform linux/${ARCHITECTURE} > /dev/null 2>&1 then error "Failed pull ${image_to_patch_with_digest} for linux/${ARCHITECTURE}" - RETURN_ERROR=$((RETURN_ERROR + 1)) + PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1)) continue fi # Replace with skopeo/podman if exists a command that get imageId 
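Review bot: The rewritten guard in the `@@ -73,7 +74,7 @@` hunk still hinges on `error` returning zero: if `error` (defined outside this diff, presumably in utils.sh) ever exits non-zero, the `&&` chain stops before the counter bump and the `return`, and `patch_image` carries on with an empty `ARCHITECTURES`. An explicit `if` block makes the failure path unconditional; `return 1` is equivalent here because this is the first place the per-image counter can be incremented, and it avoids using a running count as an exit status, which callers would see modulo 256. `patch_image` starts before this hunk and continues after it.
```shell
ARCHITECTURES=$(get_architecture_and_digest ${image_to_patch} | jq -r '.[].architecture' )
if [[ -z "${ARCHITECTURES}" ]]
then
    error "no architectures found for ${image_to_patch}"
    PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1))
    return 1
fi
# … unchanged: MULTI_ARCH_IMAGES="" and the per-architecture loop …
```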
@@ -151,19 +152,30 @@ function patch_image() { secured_image_labeled_image_id=$(docker inspect "${secured_image_with_tag_arch}" --format '{{.Id}}') if [ ${DRY_RUN:-1} -eq 0 ] then - info "Push secure image: ${secured_image_with_tag_arch}" - docker push $(docker inspect ${secured_image_with_tag_arch} --format '{{json .RepoDigests}}' | jq '.[0]' -r) - MULTI_ARCH_IMAGES="${secured_image_with_tag_arch} ${MULTI_ARCH_IMAGES}" + secured_image_labeled_digest=$(skopeo_run "skopeo inspect docker-daemon:${secured_image_with_tag_arch}" | jq -r '.Digest') + secured_image_with_digest=${secured_image_repo}@${secured_image_labeled_digest} + info "Push secure image: ${secured_image_with_digest}" + skopeo_run "skopeo copy \ + --authfile=\$DOCKER_CONFIG/config.json \ + docker-daemon:${secured_image_with_tag_arch} \ + docker://${secured_image_with_digest}" + if [ $? -eq 0 ] + then + success "${secured_image_with_tag_arch} pushed with image id: ${secured_image_labeled_image_id}" + else + PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1)) + error "failed to push ${secured_image_with_tag_arch} with image id: ${secured_image_labeled_image_id}" + fi + MULTI_ARCH_IMAGES="${secured_image_with_digest} ${MULTI_ARCH_IMAGES}" fi sed -i'.unsecured' s#"${image_patched}"#"${secured_image}"# "${PATCH_REPORT_OUTPUT_FILE}" - sed -i'.unsecured' s#"${image_patched_hashimage_patched_image_id}"#"${secured_image_labeled_image_id}"# "${PATCH_REPORT_OUTPUT_FILE}" + sed -i'.unsecured' s#"${image_patched_image_id}"#"${secured_image_labeled_image_id}"# "${PATCH_REPORT_OUTPUT_FILE}" rm "${PATCH_REPORT_OUTPUT_FILE}.unsecured" info "Cleanup ${image_patched}" buildctl --addr tcp://127.0.0.1:8888 prune docker rmi -f "${image_patched}" info "cleanup ${secured_image_with_tag_arch}" docker rmi -f "${secured_image_with_tag_arch}" - success "${secured_image_with_tag_arch} pushed with image id: ${secured_image_labeled_image_id}" else if [ "${image_to_patch}" != "${secured_image}" ] then 
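Review bot: `MULTI_ARCH_IMAGES="${secured_image_with_digest} ${MULTI_ARCH_IMAGES}"` at the end of the new push block runs on the failure branch too, so a failed `skopeo copy` still feeds `${secured_image_with_digest}` into the later `podman manifest create`, which will then reference an image the registry never received. The digest is also used unchecked: if `skopeo inspect` fails, `jq -r '.Digest'` yields an empty string or `null` and the destination becomes `${secured_image_repo}@` or `@null`. Folding the copy into `if skopeo_run …; then` (as the manifest hunk already does) and appending only on success closes both gaps; whether skopeo accepts a digest-pinned `docker://` destination when it recompresses the daemon's layers on push is worth confirming with `DRY_RUN=0` before relying on this path. `patch_image` starts before and ends after this hunk.
```shell
if [ ${DRY_RUN:-1} -eq 0 ]
then
    secured_image_labeled_digest=$(skopeo_run "skopeo inspect docker-daemon:${secured_image_with_tag_arch}" | jq -r '.Digest')
    if [[ -z "${secured_image_labeled_digest}" || "${secured_image_labeled_digest}" == "null" ]]
    then
        PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1))
        error "could not read digest of ${secured_image_with_tag_arch}"
    else
        secured_image_with_digest=${secured_image_repo}@${secured_image_labeled_digest}
        info "Push secure image: ${secured_image_with_digest}"
        if skopeo_run "skopeo copy \
            --authfile=\$DOCKER_CONFIG/config.json \
            docker-daemon:${secured_image_with_tag_arch} \
            docker://${secured_image_with_digest}"
        then
            success "${secured_image_with_tag_arch} pushed with image id: ${secured_image_labeled_image_id}"
            MULTI_ARCH_IMAGES="${secured_image_with_digest} ${MULTI_ARCH_IMAGES}"
        else
            PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1))
            error "failed to push ${secured_image_with_tag_arch} with image id: ${secured_image_labeled_image_id}"
        fi
    fi
fi
# … unchanged: report rewrite with sed, buildctl prune and docker rmi cleanup …
```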
@@ -189,24 +201,32 @@ function patch_image() { if [ ${DRY_RUN:-1} -eq 0 ] && [[ -n ${MULTI_ARCH_IMAGES} ]] then info "Create and push manifest ${secured_image}" - podman_run "podman manifest create ${secured_image} ${MULTI_ARCH_IMAGES} && podman manifest push ${secured_image}" - success "manifest ${secured_image} pushed" + if podman_run "podman manifest create ${secured_image} ${MULTI_ARCH_IMAGES} && podman manifest push ${secured_image}" + then + success "manifest ${secured_image} pushed" + else + error "failed pushing manifest ${secured_image}" + PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1)) + fi fi echo "================================================================" echo "" - return 0 + return $PATCH_IMAGE_RETURN_ERROR } function patch_from_list(){ while IFS= read -r image; do patch_image "${image}" + RETURN_ERROR=$(($RETURN_ERROR + PATCH_IMAGE_RETURN_ERROR)) + PATCH_IMAGE_RETURN_ERROR=0 done } if [ -n "${IMAGE_TO_PATCH}" ] then patch_image "${IMAGE_TO_PATCH}" + RETURN_ERROR=$(($RETURN_ERROR + PATCH_IMAGE_RETURN_ERROR)) else [[ ! -f "${FILE_WITH_IMAGES_LIST_TO_PATCH}" ]] && fail "Missing image list files" patch_from_list < "${FILE_WITH_IMAGES_LIST_TO_PATCH}" diff --git a/CVEs/utils.sh b/CVEs/utils.sh index b58de951..3caaf51a 100644 --- a/CVEs/utils.sh +++ b/CVEs/utils.sh @@ -13,7 +13,7 @@ function podman_run(){ } function skopeo_run(){ - docker run --rm -v ${DOCKER_CONFIG}:${DOCKER_CONFIG} -e DOCKER_CONFIG="${DOCKER_CONFIG}" --entrypoint bash quay.io/skopeo/stable:v1.13 -c "$*" + docker run --rm -v ${DOCKER_CONFIG}:${DOCKER_CONFIG} -v /var/run/docker.sock:/var/run/docker.sock -e DOCKER_CONFIG="${DOCKER_CONFIG}" --entrypoint bash quay.io/skopeo/stable:v1.16 -c "$*" } function get_architecture_and_digest(){
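Review bot: `return $PATCH_IMAGE_RETURN_ERROR` turns a running count into an exit status, which the shell reduces modulo 256, and neither call site reads it — both `patch_from_list` and the single-image branch add the global to `RETURN_ERROR` instead. The per-image counts visible in this diff are small, so the truncation is theoretical today, but the status is still misleading for any future caller branching on `$?`; returning a boolean keeps the contract honest: `return $(( PATCH_IMAGE_RETURN_ERROR > 0 ))`. Whether `RETURN_ERROR` becomes the script's exit code is outside this diff.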
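Review bot: Bind-mounting `/var/run/docker.sock` into the skopeo container in `skopeo_run` gives that container control of the host's Docker daemon, which is effectively root on the host, while the image is still selected by a mutable tag (`quay.io/skopeo/stable:v1.16`) and runs an arbitrary `bash -c "$*"` string assembled from image references. The mount is what the new `docker-daemon:` transport needs, so rather than dropping it, pin the image by digest, e.g. `quay.io/skopeo/stable:v1.16@sha256:<digest of the image you verified>`, so a re-tagged or compromised upstream image cannot reach the socket, and consider adding `--security-opt no-new-privileges` on the same `docker run` line. If the image list can originate outside this repository, how the references are quoted before they reach `$*` deserves a separate look.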