feat: Add download_cve_report_csv method to download the csv report (#…

…161) This method takes a while in environments where the amount of images is very high, please use it carefully.
sysdiglabs · Oct 27, 2020 · 8611ed3 · 8611ed3
1 parent 80c41ec
commit 8611ed3
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 1 deletion.
diff --git a/sdcclient/_scanning.py b/sdcclient/_scanning.py
@@ -1186,4 +1186,43 @@ def update_vulnerability_exception(self, bundle, id, cve, enabled, note, expirat
 
         res_json = res.json()
         res_json["trigger_id"] = str(res_json["trigger_id"]).rstrip("+*")
-        return [True, res_json]
+        return [True, res_json]
+
+    def download_cve_report_csv(self, vuln_type="os", scope_type="static"):
+        """
+        Downloads a CVE report in CSV format
+
+        Args:
+            vuln_type (str): Vulnerability type, can be either "os" or "non-os".
+            scope_type (str): Scope type. Can be either "static" or "runtime".
+
+        Returns:
+            A tuple of (bool, str).
+            The first parameter, if true, means that the result is correct, while
+            if false, means that there's been an error. The second parameter
+            will hold the response of the API call.
+        """
+        url = f"{self.url}/api/scanning/v1/reports/csv"
+
+        params = {
+            "queryType": "vuln",
+            "scopeType": scope_type,
+            "staticScope":
+                {
+                    "registry": "",
+                    "repository": "",
+                    "tag": ""
+                },
+            "runtimeScope": {},
+            "imageQueryFilter": {
+                "vType": vuln_type
+            },
+            "offset": 0,
+            "limit": 100000
+        }
+
+        res = self.http.post(url, data=json.dumps(params), headers=self.hdrs, verify=self.ssl_verify)
+        if not self._checkResponse(res):
+            return [False, self.lasterr]
+
+        return [True, res.content.decode("utf-8")]
diff --git a/specs/secure/__init__.py b/specs/secure/__init__.py
diff --git a/specs/secure/scanning/__init__.py b/specs/secure/scanning/__init__.py
diff --git a/specs/secure/scanning/scanning_cve_report_spec.py b/specs/secure/scanning/scanning_cve_report_spec.py
@@ -0,0 +1,41 @@
+import os
+
+from expects import *
+from mamba import *
+
+from sdcclient import SdScanningClient
+from specs import be_successful_api_call
+
+with description("CVE Reports", "integration") as self:
+    with before.all:
+        self.client = SdScanningClient(sdc_url=os.getenv("SDC_SECURE_URL", "https://secure.sysdig.com"),
+                                       token=os.getenv("SDC_SECURE_TOKEN"))
+    with context("when the CSV of static can be downloaded"):
+        with it("is able to download it for OS vulnerabilities"):
+            ok, csv = self.client.download_cve_report_csv(vuln_type="os", scope_type="static")
+
+            expect((ok, csv)).to(be_successful_api_call)
+            expect(csv).to(start_with("Image Name,Tag,Package Name,Package Version,Package Path,Severity,Fixed In,"
+                                      "Vulnerability ID,Links,Image Digest,Runtime Metadata"))
+
+        with it("is able to download it for non-OS vulnerabilities"):
+            ok, csv = self.client.download_cve_report_csv(vuln_type="non-os", scope_type="static")
+
+            expect((ok, csv)).to(be_successful_api_call)
+            expect(csv).to(start_with("Image Name,Tag,Package Name,Package Version,Package Path,Severity,Fixed In,"
+                                      "Vulnerability ID,Links,Image Digest,Runtime Metadata"))
+
+    with context("when the CSV of runtime can be downloaded"):
+        with it("is able to download it for OS vulnerabilities"):
+            ok, csv = self.client.download_cve_report_csv(vuln_type="os", scope_type="runtime")
+
+            expect((ok, csv)).to(be_successful_api_call)
+            expect(csv).to(start_with("Image Name,Tag,Package Name,Package Version,Package Path,Severity,Fixed In,"
+                                      "Vulnerability ID,Links,Image Digest,Runtime Metadata"))
+
+        with it("is able to download it for non-OS vulnerabilities"):
+            ok, csv = self.client.download_cve_report_csv(vuln_type="non-os", scope_type="runtime")
+
+            expect((ok, csv)).to(be_successful_api_call)
+            expect(csv).to(start_with("Image Name,Tag,Package Name,Package Version,Package Path,Severity,Fixed In,"
+                                      "Vulnerability ID,Links,Image Digest,Runtime Metadata"))
diff --git a/...scanning_vulnerability_exceptions_spec.py → ...scanning_vulnerability_exceptions_spec.py b/...scanning_vulnerability_exceptions_spec.py → ...scanning_vulnerability_exceptions_spec.py
diff --git a/specs/secure/scanning_vulnerability_spec.py → ...e/scanning/scanning_vulnerability_spec.py b/specs/secure/scanning_vulnerability_spec.py → ...e/scanning/scanning_vulnerability_spec.py