mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-01-18 16:22:33 +01:00
4cfb58f675
In some evironments, there may be a very large number of images,
containers, etc not satisfying a given test. For example, in one
environment, we saw *378k* images not satisfying 4.6, mostly because
the customer was never cleaning up old images.
To avoid overly long lists of items, add a new option "-n LIMIT" that
limits the number of items included in JSON output. When the limit is
reached, the list will be truncated and a trailing (truncated) will be
added. Here's an example:
```
{"id": "5.9", "desc": "Ensure the host's network namespace is not
shared", "result": "WARN", "details": "Containers running with
networking mode 'host': k8s_POD_storage-provisioner_kube-system_ef960ef5-62c5-11e9-802f-08002719228f_0
k8s_POD_kube-proxy-xfln8_kube-system_ee70c4c3-62c5-11e9-802f-08002719228f_0 (truncated)",
"items":
["k8s_POD_storage-provisioner_kube-system_ef960ef5-62c5-11e9-802f-08002719228f_0","k8s_POD_kube-proxy-xfln8_kube-system_ee70c4c3-62c5-11e9-802f-08002719228f_0","(truncated)"]},
```
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
96 lines
2.6 KiB
Bash
96 lines
2.6 KiB
Bash
#!/bin/sh
|
|
|
|
if [ -n "$nocolor" ] && [ "$nocolor" = "nocolor" ]; then
|
|
bldred=''
|
|
bldgrn=''
|
|
bldblu=''
|
|
bldylw=''
|
|
txtrst=''
|
|
else
|
|
bldred='\033[1;31m'
|
|
bldgrn='\033[1;32m'
|
|
bldblu='\033[1;34m'
|
|
bldylw='\033[1;33m' # Yellow
|
|
txtrst='\033[0m'
|
|
fi
|
|
|
|
logit () {
|
|
printf "%b\n" "$1" | tee -a "$logger"
|
|
}
|
|
|
|
info () {
|
|
printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger"
|
|
}
|
|
|
|
pass () {
|
|
printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger"
|
|
}
|
|
|
|
warn () {
|
|
printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger"
|
|
}
|
|
|
|
note () {
|
|
printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger"
|
|
}
|
|
|
|
yell () {
|
|
printf "%b\n" "${bldylw}$1${txtrst}\n"
|
|
}
|
|
|
|
beginjson () {
|
|
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s,\n \"tests\": [" "$1" "$2" | tee "$logger.json" 2>/dev/null 1>&2
|
|
}
|
|
|
|
endjson (){
|
|
printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s \n}\n" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2
|
|
}
|
|
|
|
logjson (){
|
|
printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
|
|
}
|
|
|
|
SSEP=
|
|
SEP=
|
|
startsectionjson() {
|
|
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", \"results\": [" "$SSEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
|
|
SEP=
|
|
SSEP=","
|
|
}
|
|
|
|
endsectionjson() {
|
|
printf "\n ]}" | tee -a "$logger.json" 2>/dev/null 1>&2
|
|
}
|
|
|
|
starttestjson() {
|
|
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", " "$SEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
|
|
SEP=","
|
|
}
|
|
|
|
resulttestjson() {
|
|
if [ $# -eq 1 ]; then
|
|
printf "\"result\": \"%s\"}" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
|
|
elif [ $# -eq 2 ]; then
|
|
# Result also contains details
|
|
printf "\"result\": \"%s\", \"details\": \"%s\"}" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
|
|
else
|
|
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
|
|
# Also limit the number of items to $limit, if $limit is non-zero
|
|
if [ $limit != 0 ]; then
|
|
truncItems=""
|
|
ITEM_COUNT=0
|
|
for item in $3; do
|
|
truncItems="$truncItems $item"
|
|
ITEM_COUNT=$((ITEM_COUNT + 1));
|
|
if [ "$ITEM_COUNT" == "$limit" ]; then
|
|
truncItems="$truncItems (truncated)"
|
|
break;
|
|
fi
|
|
done
|
|
else
|
|
truncItems=$3
|
|
fi
|
|
itemsJson=$(printf "["; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "]")
|
|
printf "\"result\": \"%s\", \"details\": \"%s: %s\", \"items\": %s}" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
|
|
fi
|
|
}
|