From a903c70ee857275fd89baafbe5623f29b82a8839 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?= <65334626+nilsgstrabo@users.noreply.github.com>
Date: Thu, 18 Apr 2024 16:26:58 +0200
Subject: [PATCH] Log snyk stdout on error (#63)
* log snyk stdout as warning
* set ctx with logger
* bump chart version
---
 charts/radix-vulnerability-scanner/Chart.yaml | 4 ++--
 pkg/scan/snyk.go | 19 +++++++++++--------
 2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/charts/radix-vulnerability-scanner/Chart.yaml b/charts/radix-vulnerability-scanner/Chart.yaml
index aa25dcf..036a659 100644
--- a/charts/radix-vulnerability-scanner/Chart.yaml
+++ b/charts/radix-vulnerability-scanner/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.1.2
-version: 1.1.2
+appVersion: 1.1.3
+version: 1.1.3
 description: Scan images in RadixDeployments for vulnerabilities
 name: radix-vulnerability-scanner
diff --git a/pkg/scan/snyk.go b/pkg/scan/snyk.go
index ab93847..8cfdf78 100644
--- a/pkg/scan/snyk.go
+++ b/pkg/scan/snyk.go
@@ -41,12 +41,13 @@ func NewSnykScanner(executor executor.Executor, opts ...SnykOption) *SnykScanner
 }
 func (s *SnykScanner) Scan(ctx context.Context, image string, dockerConfig dockercfg.Config) (*ScanResult, error) {
-
+ logger := log.Ctx(ctx).With().Str("pkg", "scan").Str("image", image).Logger()
+ ctx = logger.WithContext(ctx)
 auths := append(s.commonDockerAuths, &dockerConfig)
 var credArgs []string
 // Try to get docker creds for image from common auths
 for _, auth := range auths {
- tmpCreds, err := s.getCredentialArgs(image, auth)
+ tmpCreds, err := s.getCredentialArgs(ctx, image, auth)
 if err != nil {
 return nil, err
 }
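Review bot: `auths := append(s.commonDockerAuths, &dockerConfig)` in the context lines of this hunk appends to a slice held on the scanner, and if that slice has spare capacity the per-call `&dockerConfig` is written into its shared backing array. Should Scan run concurrently (not visible here), one call could race on that slot or end up trying another call's registry credentials. Clipping the capacity forces a private copy: `auths := append(s.commonDockerAuths[:len(s.commonDockerAuths):len(s.commonDockerAuths)], &dockerConfig)`. Scan's body continues past the end of this hunk.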
@@ -64,17 +65,18 @@ func (s *SnykScanner) Scan(ctx context.Context, image string, dockerConfig docke
 return nil
 }
- log.Ctx(ctx).Debug().Str("pkg", "scan").Str("image", image).Msg("scanning image")
+ logger.Debug().Msg("scanning image")
 testArgs := []string{"container", "test", "--json", image}
 var testArgsWithCreds []string
 testArgsWithCreds = append(testArgsWithCreds, testArgs...)
 testArgsWithCreds = append(testArgsWithCreds, credArgs...)
 buf := &bytes.Buffer{}
 err := scanFn(ctx, testArgsWithCreds, buf)
- log.Trace().Str("pkg", "scan").Stringer("result", buf).Strs("args", testArgsWithCreds).Err(err).Msg("scan completed")
+ logger.Trace().Stringer("result", buf).Strs("args", testArgsWithCreds).Err(err).Msg("scan completed")
 if err != nil {
 if len(credArgs) == 0 {
+ logger.Warn().Stringer("stdout", buf).Msg("scan failed")
 return nil, err
 }
@@ -85,11 +87,12 @@ func (s *SnykScanner) Scan(ctx context.Context, image string, dockerConfig docke
 // parameter contains invalid credentials for docker.io. Even if redis:latest is public, the invalid credentials
 // from the `auths` parameter causes the scan to fail. We'll therefore try to do a second scan
 // without supplying credential arguments
- log.Ctx(ctx).Debug().Str("pkg", "scan").Str("image", image).Msg("scanning image again without creds")
+ logger.Debug().Msg("scanning image again without creds")
 buf = &bytes.Buffer{}
 err = scanFn(ctx, testArgs, buf)
- log.Trace().Str("pkg", "scan").Stringer("result", buf).Strs("args", testArgsWithCreds).Err(err).Msg("retry scan completed")
+ logger.Trace().Stringer("result", buf).Strs("args", testArgsWithCreds).Err(err).Msg("retry scan completed")
 if err != nil {
+ logger.Warn().Stringer("stdout", buf).Msg("scan failed")
 return nil, err
 }
 }
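Review bot: The rewritten trace event still records `testArgsWithCreds` under `args`, and that slice ends with `credArgs`, which presumably hold the registry username and password passed to the snyk CLI, so turning on trace logging would write those secrets to the log stream. Logging the credential-free slice instead, `Strs("args", testArgs)`, with a marker such as `Bool("with_creds", len(credArgs) > 0)`, keeps the diagnostic value without the secrets; the retry hunk below logs the same slice. The added `Warn` also emits the whole snyk stdout buffer with no size limit, so capping it before logging is worth considering. Scan starts and ends outside this hunk.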
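Review bot: The retry calls `scanFn(ctx, testArgs, buf)`, yet the trace line after it reports `testArgsWithCreds`, so the event names arguments that were not used for this attempt; it should read `Strs("args", testArgs)`. Separately, as far as the visible lines show, when `credArgs` is non-empty the first attempt's output is dropped by `buf = &bytes.Buffer{}` before any `Warn` is written, so if both attempts fail only the retry's stdout reaches the warning log and the credentialed attempt's error is visible at trace level only. Logging the first buffer at `Warn` or `Debug` before resetting it would cover that case. The enclosing `if err != nil` block begins above this hunk.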
@@ -102,8 +105,8 @@ func (s *SnykScanner) Scan(ctx context.Context, image string, dockerConfig docke
 return &result, nil
 }
-func (s *SnykScanner) getCredentialArgs(image string, authProvider registry.AuthProvider) ([]string, error) {
- auth, err := authProvider.GetAuth(context.Background(), image)
+func (s *SnykScanner) getCredentialArgs(ctx context.Context, image string, authProvider registry.AuthProvider) ([]string, error) {
+ auth, err := authProvider.GetAuth(ctx, image)
 if err != nil {
 return nil, err
 }