
Grype vulnerability scanner

Introduction

Grype is a vulnerability scanner for container images and filesystems. This Jenkins plugin scans a given target and saves the report as a job artifact. Starting from version 1.7, the grype plugin can be integrated with the Warnings Next Generation plugin (minimal version: 10.3.0).

Getting started

This Jenkins plugin installs grype in the job workspace directory and performs the scan. See section Installation/Recommended for more installation details.

Screenshots in the original README (images not reproduced here) show grype as a build step, the possible scan targets, the scan result report as a job artifact, and the scan results.

Usage in a pipeline, with Warnings Next Generation plugin (minimal version: 10.3.0):

pipeline {
  agent { label '' }
  stages {
    stage('Grype scan') {
      steps {
        grypeScan scanDest: 'dir:/tmp/grpc', repName: 'myScanResult.txt', autoInstall: true
      }
    }
  }
  post {
    always {
      recordIssues(
        tools: [grype()],
        aggregatingResults: true,
        failedNewAll: 1,      // fail if >= 1 new issue
        failedTotalHigh: 20,  // fail if >= 20 HIGHs
        failedTotalAll: 100,  // fail if >= 100 issues in total
        filters: [
          excludeType('CVE-2023-2976'),
          excludeType('CVE-2012-17488'),
        ],
        //failOnError: true
      )
    }
  }
}

See https://www.jenkins.io/doc/pipeline/steps/warnings-ng/ for more advanced features.
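As an added illustration of the severity thresholds and CVE exclusions the pipeline above configures (example code written for this page, not part of the plugin or its README), here is a small Python gate that runs over grype's own -o json output. It assumes grype's JSON layout (matches[].vulnerability.id and .severity), uses a constructed sample report, and folds any severity label it does not recognise, such as Negligible or a missing field, into Unknown instead of failing; counting Critical together with High for the High threshold is this example's choice.

```python
import json
from collections import Counter

# grype -o json nests each finding under matches[].vulnerability (id,
# severity) and matches[].artifact (name, version). This report is a
# constructed sample, not real scan data: CVE-2023-2976 is the id the
# README pipeline excludes, the other ids are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-2976", "severity": "High"},
     "artifact": {"name": "guava", "version": "31.0-jre"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Negligible"},
     "artifact": {"name": "libc6", "version": "2.35"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "High"},
     "artifact": {"name": "openssl", "version": "3.0.2"}},
    {"vulnerability": {"id": "GHSA-EXAMPLE-0004", "severity": "unknown"},
     "artifact": {"name": "lodash", "version": "4.17.20"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0005"},  # severity field missing
     "artifact": {"name": "busybox", "version": "1.35"}},
]})

# The severity labels grype emits, highest first. Anything else (a label
# added later, odd casing, a missing field) is folded into "Unknown"
# rather than raising, the failure mode seen in the Negligible enum issue.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Negligible", "Unknown")


def normalize_severity(raw):
    label = str(raw or "").strip().capitalize()
    return label if label in SEVERITIES else "Unknown"


def count_by_severity(report_json, exclude_ids=()):
    """Count findings per severity, skipping excluded vulnerability ids
    (the equivalent of the pipeline's excludeType filters)."""
    counts = Counter({s: 0 for s in SEVERITIES})
    excluded = set(exclude_ids)
    for match in json.loads(report_json).get("matches", []):
        vuln = match.get("vulnerability") or {}
        if vuln.get("id") in excluded:
            continue
        counts[normalize_severity(vuln.get("severity"))] += 1
    return dict(counts)


def gate(counts, max_high=20, max_total=100):
    """Mirror failedTotalHigh/failedTotalAll: fail on >= max_high findings
    of High or worse, or >= max_total findings overall. Returns the violated
    rules; empty means pass. Counting Critical with High is this example's
    choice, not necessarily how Warnings NG maps grype severities."""
    high_or_worse = counts.get("Critical", 0) + counts.get("High", 0)
    total = sum(counts.values())
    failures = []
    if high_or_worse >= max_high:
        failures.append(f"{high_or_worse} High/Critical >= {max_high}")
    if total >= max_total:
        failures.append(f"{total} findings >= {max_total}")
    return failures
```

The new-issue threshold (failedNewAll) needs a reference build to compare against and is therefore not reproduced here.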

Acknowledgments

Thanks to Patrick Röder and Thomas Spicker for contributions and creative input!

LICENSE

Licensed under MIT, see LICENSE

Contributors: dtbaum, mguillem

Issues

exception after scan: java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1

Jenkins and plugins versions report

Jenkins: 2.426.1
OS: Linux - 5.15.0-89-generic
Java: 11.0.20.1 - Ubuntu (OpenJDK 64-Bit Server VM)


What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 22.04, Java 11, Latest Jenkins LTS

Reproduction steps

I try to scan some syft output (JSON). In the logs the run looks OK, but I still get an exception. It may be a configuration issue, but at least the logging should be improved; it doesn't tell me anything.

The grype step:

grypeScan scanDest: "file:${fileName}", repName: 'grype-report.json', autoInstall: true

The recordIssues step in the post section:

recordIssues(
    tools: [grype(pattern: 'grype-report.json')],
    aggregatingResults: true
)

Expected Results

Valid build or at least a better error message

Actual Results

red build, exception in the log:

00:01:16  Running grype scan:.
00:01:17  Installing grype...
00:01:17  [nerability-scan_servername] $ sh /home/jenkins/jenkins/workspace/nerability-scan_servername/grypeTmpDir/install.sh -b /home/jenkins/jenkins/workspace/nerability-scan_servername/grypeTmpDir/
00:01:17  [info] checking github for the current release tag.
00:01:17  [info] fetching release script for tag='v0.73.3'.
00:01:17  [info] checking github for the current release tag.
00:01:18  [info] using release tag='v0.73.3' version='0.73.3' os='linux' arch='amd64'.
00:01:20  [info] installed /home/jenkins/jenkins/workspace/nerability-scan_servername/grypeTmpDir//grype.
00:01:20  [nerability-scan_servername] $ /home/jenkins/jenkins/workspace/nerability-scan_servername/grypeTmpDir/grype file:/home/jenkins/jenkins/workspace/nerability-scan_servername/syft-report-servername.json -o template -t /home/jenkins/jenkins/workspace/nerability-scan_servername/grypeTmpDir/default.tmpl --file /home/jenkins/jenkins/workspace/nerability-scan_servername/grype-report.json
00:01:37  First (backward compatibility) grype run return value: 0
00:01:37..
00:01:37  Grype second run, generating report for Warnings Next Generation Plugin.
00:01:37  [nerability-scan_servername] $ /home/jenkins/jenkins/workspace/nerability-scan_servername/grypeTmpDir/grype file:/home/jenkins/jenkins/workspace/nerability-scan_servername/syft-report-servername.json -o json --file /home/jenkins/jenkins/workspace/nerability-scan_servername/grype-report.json
00:01:38  Second grype run return value: 0
00:01:38  Archiving artifacts
[Pipeline] }
[Pipeline] // script
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Declarative: Post Actions)
[Pipeline] recordIssues
00:01:39  [Grype] Skipping execution of recorder since overall result is 'FAILURE'
[Pipeline] archiveArtifacts
00:01:39  Archiving artifacts
00:01:39  Recording fingerprints
[Pipeline] archiveArtifacts
00:01:39  Archiving artifacts
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
00:01:39  
[Pipeline] // ansiColor
[Pipeline] }
[Pipeline] // timestamps
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Also:   org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 96220e33-3df7-4d91-87e4-d03831321f28
java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
	at io.jenkins.plugins.grypescanner.Finding.<init>(Finding.java:66)
	at io.jenkins.plugins.grypescanner.Findings.<init>(Findings.java:43)
	at io.jenkins.plugins.grypescanner.GrypeScannerStep.perform(GrypeScannerStep.java:118)
	at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:101)
	at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:71)
	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Finished: FAILURE

Anything else?

No response

Are you interested in contributing a fix?

No response

How to set limits and exceptions in a jenkinsfile/pipeline

What feature do you want to see added?

Would be great if you could set some limits like in the OWASP plugin (count per severity category) or something similar. Could also be more specific if that helps making things easier. Anyway, is there already a way to fail the build and I missed that one?

Upstream changes

No response

Output format(s)

What feature do you want to see added?

It might be useful to have a set of output formats for the artifact(s) - such as HTML - that could then be published in Jenkins.

Upstream changes

No response

No enum constant io.jenkins.plugins.grypescanner.Finding.SEVERITY.Negligible

Jenkins and plugins versions report

Environment
Jenkins: 2.319.1
OS: Linux - 4.15.0-189-generic
Java: 1.8.0_362 - Private Build (OpenJDK 64-Bit Server VM)

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux

Reproduction steps

Set up a simple job to scan a Docker image.

Expected Results

The job would finish without error.

Actual Results

The scan seems to complete with return code of 0, but in post processing, it fails:

grype return value: 0
Archiving artifacts
ERROR: Build step failed with exception
java.lang.IllegalArgumentException: No enum constant io.jenkins.plugins.grypescanner.Finding.SEVERITY.Negligible
	at java.lang.Enum.valueOf(Enum.java:238)
	at io.jenkins.plugins.grypescanner.Finding$SEVERITY.valueOf(Finding.java:9)
	at io.jenkins.plugins.grypescanner.Finding.<init>(Finding.java:68)
	at io.jenkins.plugins.grypescanner.Findings.<init>(Findings.java:43)
	at io.jenkins.plugins.grypescanner.GrypeScannerStep.perform(GrypeScannerStep.java:110)
	at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:78)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:806)
	at hudson.model.Build$BuildExecution.build(Build.java:198)
	at hudson.model.Build$BuildExecution.doRun(Build.java:163)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:514)
	at hudson.model.Run.execute(Run.java:1888)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:99)
	at hudson.model.Executor.run(Executor.java:432)
Build step 'Vulnerability scan with grype' marked build as failure

Anything else?

No response
