
Deployment Analytic results separation into independent goals #205

Open
wants to merge 3 commits into base: master

Conversation

nadgowdas
Contributor

Changes:

  1. Separate the evidence format, wherein every check is reported independently as "pass|fail".
  2. The status of the task is "success|failure", with "failure" if at least one of the checks fails.
  3. Reports the evidence report in the task log.

Test:

Pipeline Definitions:

(screenshot of the pipeline definitions, taken 2021-03-08)

Task Results:

2021-03-08T22:18:17.536Z	INFO	deploy-analytic/main.go:21	Ecosystem initialized successfully.
2021-03-08T22:18:17.536Z	INFO	controller/engine.go:48	Starting deployment analytics.
2021-03-08T22:18:17.536Z	INFO	risk/parser.go:102	Initializing KCCSS risks
2021-03-08T22:18:17.566Z	INFO	controller/engine.go:108	manifest filepath deploy/app-deployment.yaml: #objects: 1
2021-03-08T22:18:17.572Z	INFO	controller/engine.go:120	Resource Name: hello-app
2021-03-08T22:18:17.572Z	INFO	controller/engine.go:121	Namespace: default 
2021-03-08T22:18:17.572Z	INFO	controller/engine.go:126	Found Container Risk: Ensure CPU priority is set appropriately on the container
2021-03-08T22:18:17.572Z	INFO	controller/engine.go:127	- Container Name: [hello-app] Risk Severity: [{ 5.11  If you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrainted, CPU shares do not place any restrictions on individual resources. medium 5.000000 AV:N/AC:L/Au:N/C:N/I:N/A:P}] 
2021-03-08T22:18:17.572Z	INFO	controller/engine.go:126	Found Container Risk: Ensure the host's network namespace is not shared
2021-03-08T22:18:17.572Z	INFO	controller/engine.go:127	- Container Name: [hello-app] Risk Severity: [{ 5.9  None. medium 4.600000 AV:L/AC:L/Au:N/C:P/I:P/A:P}] 
2021-03-08T22:18:17.572Z	INFO	controller/engine.go:126	Found Container Risk: Ensure memory usage for container is limited
2021-03-08T22:18:17.572Z	INFO	controller/engine.go:127	- Container Name: [hello-app] Risk Severity: [{ 5.10  If correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources. medium 5.000000 AV:N/AC:L/Au:N/C:N/I:N/A:P}] 
2021-03-08T22:18:17.572Z	INFO	controller/engine.go:108	manifest filepath deploy/app-service.yaml: #objects: 1
2021-03-08T22:18:17.573Z	INFO	controller/engine.go:120	Resource Name: hello-app-svc
2021-03-08T22:18:17.573Z	INFO	controller/engine.go:121	Namespace:  
2021-03-08T22:18:17.576Z	DEBUG	httpclient/apiclient.go:46	making api call: `https://gitsecure.us-south.devopsinsights.cloud.ibm.com/v2/compliance/cis/toolchainids/a5275d1e-f0c8-414f-b5f4-85e8b376a060`
2021-03-08T22:18:18.117Z	INFO	httpclient/apiclient.go:57	api call completed with status: 201: message: 
*************************
Deployment Analytic Results:
{
    "giturl": "https://github.ibm.com/test-rig/hello-flask",
    "gitbranch": "master",
    "commitid": "7e6dea4f778bdfb7454913181fadb357861352e7",
    "evidence_report": [
        {
            "ManifestFilepath": "deploy/app-deployment.yaml",
            "ManifestFilehash": "a260fe14b3966f180d9b64adea81436e26d26d81a9e4f1e788cc344baa9e7f32",
            "Resource": [
                {
                    "Name": "hello-app",
                    "Kind": "Deployment",
                    "Namespace": "default",
                    "Labels": {
                        "app": "hello-app"
                    },
                    "Containers": [
                        {
                            "ContainerName": "hello-app",
                            "Result": [
                                {
                                    "RuleID": "GS-4",
                                    "CISRuleID": "",
                                    "Description": "Ensure containers does not allow privilege escalation",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-16",
                                    "CISRuleID": "",
                                    "Description": "Ensure containers does not allow unsafe allocation of CPU resources",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-3",
                                    "CISRuleID": "5.4",
                                    "Description": "Ensure privileged containers are not used",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-2",
                                    "CISRuleID": "5.3",
                                    "Description": "Ensure containers do not have CAP_NET_RAW capability",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-5",
                                    "CISRuleID": "5.5",
                                    "Description": "Ensure sensitive host system directories are not mounted on containers",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-9",
                                    "CISRuleID": "5.11",
                                    "Description": "Ensure CPU priority is set appropriately on the container",
                                    "Risk": {
                                        "recommendation_id": "5.11",
                                        "impact": "If you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrainted, CPU shares do not place any restrictions on individual resources.",
                                        "category": "medium",
                                        "score": "5.000000",
                                        "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
                                    },
                                    "Status": "fail"
                                },
                                {
                                    "RuleID": "GS-10",
                                    "CISRuleID": "5.15",
                                    "Description": "Ensure the host's process namespace is not shared",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-11",
                                    "CISRuleID": "5.16",
                                    "Description": "Ensure the host's IPC namespace is not shared",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-12",
                                    "CISRuleID": "5.31",
                                    "Description": "Ensure the Docker socket is not mounted inside any containers",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-18",
                                    "CISRuleID": "5.12",
                                    "Description": "Ensure the container's root filesystem is mounted as read only",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-1",
                                    "CISRuleID": "5.3",
                                    "Description": "Ensure containers do not have CAP_SYS_ADMIN capability",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-19",
                                    "CISRuleID": "",
                                    "Description": "Ensure containers are not exposed through a shared host port",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-7",
                                    "CISRuleID": "5.9",
                                    "Description": "Ensure the host's network namespace is not shared",
                                    "Risk": {
                                        "recommendation_id": "5.9",
                                        "impact": "None.",
                                        "category": "medium",
                                        "score": "4.600000",
                                        "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"
                                    },
                                    "Status": "fail"
                                },
                                {
                                    "RuleID": "GS-17",
                                    "CISRuleID": "",
                                    "Description": "Ensure container does not exposes unsafe parts of /proc",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-6",
                                    "CISRuleID": "5.7",
                                    "Description": "Ensure privileged ports are not mapped within containers",
                                    "Risk": {},
                                    "Status": "pass"
                                },
                                {
                                    "RuleID": "GS-8",
                                    "CISRuleID": "5.10",
                                    "Description": "Ensure memory usage for container is limited",
                                    "Risk": {
                                        "recommendation_id": "5.10",
                                        "impact": "If correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.",
                                        "category": "medium",
                                        "score": "5.000000",
                                        "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
                                    },
                                    "Status": "fail"
                                }
                            ]
                        }
                    ]
                }
            ]
        },
        {
            "ManifestFilepath": "deploy/app-service.yaml",
            "ManifestFilehash": "f51dd341db77384dc69c3773c6c36f1abd13f653ab03f3c4f3854c3a6a18dbe0",
            "Resource": [
                {
                    "Name": "hello-app-svc",
                    "Kind": "Service",
                    "Namespace": "",
                    "Labels": null,
                    "Containers": null
                }
            ]
        }
    ]
}*************************
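As an added example of consuming the evidence report in the format described above (this is not the project's code): it parses the per-check "pass|fail" results, derives the task status as "failure" when at least one check fails, and lists the failed rules with enough context to locate them. Struct and field names are assumptions taken from the JSON in the task log, and the embedded sample report is a constructed, trimmed version of that output. A status other than "pass" or "fail" is treated as an error rather than counted as a pass, so a malformed report cannot make the task look clean.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Types mirroring the evidence_report JSON in the task log above.
// Names and JSON tags are assumptions derived from that output, not the project's own types.
type CheckResult struct {
	RuleID      string            `json:"RuleID"`
	CISRuleID   string            `json:"CISRuleID"`
	Description string            `json:"Description"`
	Risk        map[string]string `json:"Risk"` // empty object on "pass"
	Status      string            `json:"Status"` // "pass" or "fail"
}

type Container struct {
	ContainerName string        `json:"ContainerName"`
	Result        []CheckResult `json:"Result"`
}

type Resource struct {
	Name       string      `json:"Name"`
	Kind       string      `json:"Kind"`
	Containers []Container `json:"Containers"` // null for non-workload kinds such as Service
}

type ManifestReport struct {
	ManifestFilepath string     `json:"ManifestFilepath"`
	Resource         []Resource `json:"Resource"`
}

type EvidenceReport struct {
	CommitID       string           `json:"commitid"`
	EvidenceReport []ManifestReport `json:"evidence_report"`
}

// Failure locates one failed check within the report.
type Failure struct {
	Manifest, Resource, Container, RuleID, CISRuleID string
}

// Evaluate applies the task-status rule from the PR description: each check is
// reported independently, and the task is "failure" if at least one check is
// "fail", otherwise "success". An unknown status is an error, never a pass.
func Evaluate(raw []byte) (string, []Failure, error) {
	var rep EvidenceReport
	if err := json.Unmarshal(raw, &rep); err != nil {
		return "", nil, err
	}
	var failed []Failure
	for _, m := range rep.EvidenceReport {
		for _, r := range m.Resource {
			for _, c := range r.Containers { // nil Containers: nothing to check
				for _, res := range c.Result {
					switch res.Status {
					case "pass":
					case "fail":
						failed = append(failed, Failure{m.ManifestFilepath, r.Name, c.ContainerName, res.RuleID, res.CISRuleID})
					default:
						return "", nil, fmt.Errorf("%s: rule %s has unexpected status %q", m.ManifestFilepath, res.RuleID, res.Status)
					}
				}
			}
		}
	}
	if len(failed) > 0 {
		return "failure", failed, nil
	}
	return "success", nil, nil
}

// SampleReport is a constructed, trimmed version of the report printed in the task log.
const SampleReport = `{
 "commitid": "7e6dea4f778bdfb7454913181fadb357861352e7",
 "evidence_report": [
  {"ManifestFilepath": "deploy/app-deployment.yaml",
   "Resource": [{"Name": "hello-app", "Kind": "Deployment", "Containers": [{"ContainerName": "hello-app", "Result": [
    {"RuleID": "GS-4", "CISRuleID": "", "Description": "Ensure containers does not allow privilege escalation", "Risk": {}, "Status": "pass"},
    {"RuleID": "GS-9", "CISRuleID": "5.11", "Description": "Ensure CPU priority is set appropriately on the container",
     "Risk": {"recommendation_id": "5.11", "category": "medium", "score": "5.000000", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "Status": "fail"},
    {"RuleID": "GS-7", "CISRuleID": "5.9", "Description": "Ensure the host's network namespace is not shared",
     "Risk": {"recommendation_id": "5.9", "category": "medium", "score": "4.600000", "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "Status": "fail"}
   ]}]}]},
  {"ManifestFilepath": "deploy/app-service.yaml",
   "Resource": [{"Name": "hello-app-svc", "Kind": "Service", "Containers": null}]}
 ]
}`

func main() {
	status, failed, err := Evaluate([]byte(SampleReport))
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid evidence report:", err)
		os.Exit(2)
	}
	fmt.Println("task status:", status)
	for _, f := range failed {
		fmt.Printf("  FAIL %s (CIS %s) in %s/%s container %s\n", f.RuleID, f.CISRuleID, f.Manifest, f.Resource, f.Container)
	}
	if status == "failure" {
		os.Exit(1) // a non-zero exit is what lets a pipeline step fail on the task status
	}
}
```

Run against the sample, it reports "failure" with GS-9 and GS-7 listed and exits 1; a report whose only resources have null Containers evaluates to "success", and a report carrying a status the format does not define is rejected instead of being treated as passing.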

Shripad Nadgowda added 3 commits March 8, 2021 16:58
Signed-off-by: Shripad Nadgowda <[email protected]>
Signed-off-by: Shripad Nadgowda <[email protected]>
Signed-off-by: Shripad Nadgowda <[email protected]>
@nadgowdas
Contributor Author

@padraic-edwards can you please review this ?
