From cfc02f4e1a37e9e455b4be59f48a9e8f732f9620 Mon Sep 17 00:00:00 2001
From: Muhammed Ibrahim
Date: Mon, 25 Sep 2023 13:48:42 +0100
Subject: [PATCH 1/2] add grype + cheatsheet

---
 grype/README.md | 36 +++++++++++++++++++++++++++++
 grype/install.ps1 | 59 +++++++++++++++++++++++++++++++++++++++++++++++
 grype/install.sh | 43 ++++++++++++++++++++++++++++++++++
 grype/releases.js | 20 ++++++++++++++++
 4 files changed, 158 insertions(+)
 create mode 100644 grype/README.md
 create mode 100644 grype/install.ps1
 create mode 100644 grype/install.sh
 create mode 100644 grype/releases.js

diff --git a/grype/README.md b/grype/README.md
new file mode 100644
index 000000000..eeb1731ea
--- /dev/null
+++ b/grype/README.md
@@ -0,0 +1,36 @@
+---
+title: Grype
+homepage: https://github.com/anchore/grype/
+tagline: |
+ Grype is a vulnerability scanner for container images and filesystems.
+---
+
+To update or switch versions, run `webi grype@stable` (or `@v0.6`, `@beta`,
+etc)
+
+## Cheat Sheet
+
+> It also helps find vulnerabilites for major operating system and language-specific packages.
+> Supports Docker, OCI and Singularity image formats, OpenVEX support for filtering and augmenting scanning results.
+> Works with `syft`, a powerful `SBOM` (software bill of materials) tool for container images and filesystems
+
+### To scan for vulnerabilities in an image:
+
+```sh
+grype
+```
+
+### To scan all image layers
+
+```sh
+grype --scope all-layers
+```
+
+### To run grype from a Docker container so it can scan a running container
+
+```sh
+docker run --rm \
+--volume /var/run/docker.sock:/var/run/docker.sock \
+--name Grype anchore/grype:latest \
+$(ImageName):$(ImageTag)
+```
diff --git a/grype/install.ps1 b/grype/install.ps1
new file mode 100644
index 000000000..5ca5fcad4
--- /dev/null
+++ b/grype/install.ps1
@@ -0,0 +1,59 @@
+#!/usr/bin/env pwsh
+
+#################
+# Install grype #
+#################
+
+# Every package should define these variables
+$pkg_cmd_name = "grype"
+
+$pkg_dst_cmd = "$Env:USERPROFILE\.local\bin\grype.exe"
+$pkg_dst_bin = "$Env:USERPROFILE\.local\bin"
+$pkg_dst = "$pkg_dst_cmd"
+
+$pkg_src_cmd = "$Env:USERPROFILE\.local\opt\grype-v$Env:WEBI_VERSION\bin\grype.exe"
+$pkg_src_bin = "$Env:USERPROFILE\.local\opt\grype-v$Env:WEBI_VERSION\bin"
+$pkg_src_dir = "$Env:USERPROFILE\.local\opt\grype-v$Env:WEBI_VERSION"
+$pkg_src = "$pkg_src_cmd"
+
+New-Item "$Env:USERPROFILE\Downloads\webi" -ItemType Directory -Force | out-null
+$pkg_download = "$Env:USERPROFILE\Downloads\webi\$Env:WEBI_PKG_FILE"
+
+# Fetch archive
+IF (!(Test-Path -Path "$Env:USERPROFILE\Downloads\webi\$Env:WEBI_PKG_FILE"))
+{
+ echo "Downloading grype from $Env:WEBI_PKG_URL to $pkg_download"
+ & curl.exe -A "$Env:WEBI_UA" -fsSL "$Env:WEBI_PKG_URL" -o "$pkg_download.part"
+ & move "$pkg_download.part" "$pkg_download"
+}
+
+IF (!(Test-Path -Path "$pkg_src_cmd"))
+{
+ echo "Installing grype"
+
+ # TODO: create package-specific temp directory
+ # Enter tmp
+ pushd .local\tmp
+
+ # Remove any leftover tmp cruft
+ Remove-Item -Path ".\grype-v*" -Recurse -ErrorAction Ignore
+ Remove-Item -Path ".\grype.exe" -Recurse -ErrorAction Ignore
+
+ # Unpack archive file into this temporary directory
+ # Windows BSD-tar handles zip. Imagine that.
+ echo "Unpacking $pkg_download"
+ & tar xf "$pkg_download"
+
+ # Settle unpacked archive into place
+ echo "Install Location: $pkg_src_cmd"
+ New-Item "$pkg_src_bin" -ItemType Directory -Force | out-null
+ Move-Item -Path ".\grype.exe" -Destination "$pkg_src_bin"
+
+ # Exit tmp
+ popd
+}
+
+echo "Copying into '$pkg_dst_cmd' from '$pkg_src_cmd'"
+Remove-Item -Path "$pkg_dst_cmd" -Recurse -ErrorAction Ignore | out-null
+New-Item "$pkg_dst_bin" -ItemType Directory -Force | out-null
+Copy-Item -Path "$pkg_src" -Destination "$pkg_dst" -Recurse
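Review bot: `pushd .local\tmp` is the one relative path in the script; every other location is rooted at `$Env:USERPROFILE`, and if the working directory is not the profile or the tmp directory does not exist, Push-Location reports an error that by default does not stop the script, so the following `Remove-Item -Path ".\grype-v*" -Recurse` and `tar xf` run in whatever directory the caller started from. Rooting the path and making the failure fatal, `pushd "$Env:USERPROFILE\.local\tmp" -ErrorAction Stop`, keeps the cleanup and the unpack scoped to the intended directory. Nothing verifies the fetched archive before it is unpacked, so integrity rests entirely on the TLS fetch of `$Env:WEBI_PKG_URL`; if upstream publishes release checksums, comparing one against `$pkg_download` before `tar xf` would close that gap. `$pkg_src_dir` is assigned but never read in this file.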
diff --git a/grype/install.sh b/grype/install.sh
new file mode 100644
index 000000000..6964fe750
--- /dev/null
+++ b/grype/install.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+set -e
+set -u
+
+__init_grype() {
+
+ ##################
+ # Install Grype #
+ ##################
+
+ # Every package should define these 6 variables
+ pkg_cmd_name="grype"
+
+ pkg_dst_cmd="$HOME/.local/bin/grype"
+ pkg_dst="$pkg_dst_cmd"
+
+ pkg_src_cmd="$HOME/.local/opt/grype-v$WEBI_VERSION/bin/grype"
+ pkg_src_dir="$HOME/.local/opt/grype-v$WEBI_VERSION"
+ pkg_src="$pkg_src_cmd"
+
+ # pkg_install must be defined by every package
+ pkg_install() {
+ # ~/.local/opt/grype-v0.99.9/bin
+ mkdir -p "$(dirname "${pkg_src_cmd}")"
+
+ # mv ./grype ~/.local/opt/grype-v0.99.9/bin/grype
+ mv ./"$pkg_cmd_name"* "$pkg_src"
+ }
+
+ # pkg_get_current_version is recommended, but not required
+ pkg_get_current_version() {
+ # 'grype --version' has output in this format:
+ # grype 0.99.9 (rev abcdef0123)
+ # This trims it down to just the version number:
+ # 0.99.9
+ grype --version 2> /dev/null |
+ head -n 1 |
+ cut -d ' ' -f 2
+ }
+
+}
+
+__init_grype
diff --git a/grype/releases.js b/grype/releases.js
new file mode 100644
index 000000000..861729b72
--- /dev/null
+++ b/grype/releases.js
@@ -0,0 +1,20 @@
+'use strict';
+
+var github = require('../_common/github.js');
+var owner = 'anchore';
+var repo = 'grype';
+
+module.exports = function (request) {
+ return github(request, owner, repo).then(function (all) {
+ return all;
+ });
+};
+
+if (module === require.main) {
+ module.exports(require('@root/request')).then(function (all) {
+ all = require('../_webi/normalize.js')(all);
+ // just select the first 5 for demonstration
+ all.releases = all.releases.slice(0, 5);
+ console.info(JSON.stringify(all, null, 2));
+ });
+}
From a2cf9f39bb8f604e331c7e2f39e5bc4b8769ca2c Mon Sep 17 00:00:00 2001
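Review bot: `mv ./"$pkg_cmd_name"* "$pkg_src"` in pkg_install depends on the glob matching exactly one entry; should the unpacked archive ever contain a second file or directory whose name starts with `grype`, mv receives several sources and a non-directory destination and aborts under `set -e`, after `mkdir -p` has already created the versioned directory, leaving a partial `$pkg_src_dir` behind. If the binary is known to be named `grype` inside the archive, `mv ./"$pkg_cmd_name" "$pkg_src"` is exact and fails loudly when the layout changes; otherwise a comment recording the assumption, e.g. `# assumes the binary is the only entry matching ./grype* in the unpacked archive`, would make the glob's intent visible. pkg_get_current_version silently yields an empty string when `grype` is not on PATH, which is presumably the framework's expected "not installed" signal; a one-line comment saying so would spare the next reader from guessing.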
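Review bot: The `.then(function (all) { return all; })` on the exported function is an identity continuation; `return github(request, owner, repo);` yields the same promise with one less frame. In the `require.main` block the chain has no rejection handler, so a failed GitHub request (network or API error) becomes an unhandled rejection — on current Node a crash with a raw stack, on older versions a warning with exit status 0 — instead of a non-zero exit with a message. Ending the chain with `.catch(function (err) { console.error(err); process.exit(1); })` makes the demo's failure mode explicit.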
From: AJ ONeal
Date: Thu, 12 Oct 2023 05:09:47 +0000
Subject: [PATCH 2/2] doc(grype): fmt + minor cleanup

---
 grype/README.md | 33 +++++++++++++++++++++------------
 grype/install.sh | 8 ++++----
 2 files changed, 25 insertions(+), 16 deletions(-)

diff --git a/grype/README.md b/grype/README.md
index eeb1731ea..b0fb9bc36 100644
--- a/grype/README.md
+++ b/grype/README.md
@@ -2,35 +2,44 @@ title: Grype homepage: https://github.com/anchore/grype/ tagline: | - Grype is a vulnerability scanner for container images and filesystems. + Grype is a vulnerability scanner for container images and filesystems. --- -To update or switch versions, run `webi grype@stable` (or `@v0.6`, `@beta`, -etc) +To update or switch versions, run `webi grype@stable` (or `@v0.6`, `@beta`, etc) + +### Files + +```text +~/.config/envman/PATH.env +~/.grype.yaml +~/.local/bin/grype +``` ## Cheat Sheet -> It also helps find vulnerabilites for major operating system and language-specific packages. -> Supports Docker, OCI and Singularity image formats, OpenVEX support for filtering and augmenting scanning results. -> Works with `syft`, a powerful `SBOM` (software bill of materials) tool for container images and filesystems +> It also helps find vulnerabilities for major operating system and +> language-specific packages. Supports Docker, OCI and Singularity image +> formats, OpenVEX support for filtering and augmenting scanning results. Works +> with `syft`, a powerful `SBOM` (software bill of materials) tool for container +> images and file systems -### To scan for vulnerabilities in an image: +### How to for vulnerabilities in an image ```sh grype ``` -### To scan all image layers +### How to scan all image layers ```sh grype --scope all-layers ``` -### To run grype from a Docker container so it can scan a running container +### How to scan a running container ```sh docker run --rm \ ---volume /var/run/docker.sock:/var/run/docker.sock \ ---name Grype anchore/grype:latest \ -$(ImageName):$(ImageTag) + --volume /var/run/docker.sock:/var/run/docker.sock \ + --name Grype anchore/grype:latest \ + my_image_name:my_image_tag ``` diff --git a/grype/install.sh b/grype/install.sh index 6964fe750..3de331765 100644 --- a/grype/install.sh +++ b/grype/install.sh @@ -3,7 +3,7 @@ set -e set -u __init_grype() { - + ################## # Install Grype # ################## 
@@ -24,15 +24,15 @@ __init_grype() { mkdir -p "$(dirname "${pkg_src_cmd}")" # mv ./grype ~/.local/opt/grype-v0.99.9/bin/grype - mv ./"$pkg_cmd_name"* "$pkg_src" + mv ./"$pkg_cmd_name"* "$pkg_src" } # pkg_get_current_version is recommended, but not required pkg_get_current_version() { # 'grype --version' has output in this format: - # grype 0.99.9 (rev abcdef0123) + # grype 0.70.0 # This trims it down to just the version number: - # 0.99.9 + # 0.70.0 grype --version 2> /dev/null | head -n 1 | cut -d ' ' -f 2