wip: add trivy command

components/producers/cloudpi/neo4j-client/.dockerignore

@@ -0,0 +1,5 @@
+__pycache__/
+*.pyc
+*.pyo
+.git
+.env

components/producers/cloudpi/neo4j-client/Dockerfile

@@ -0,0 +1,44 @@
+FROM python:3.12.2-slim as builder
+
+# Set environment variables for Python
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+# Install system dependencies required for building Python packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc \
+    libpq-dev \
+    curl \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+# Create a working directory for the app
+WORKDIR /usr/src/app
+
+
+# Install Trivy
+RUN TRIVY_VERSION=0.40.0 && \
+    curl -L "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -o trivy.tar.gz && \
+    tar zxvf trivy.tar.gz && \
+    mv trivy /usr/local/bin/ && \
+    rm trivy.tar.gz 
+
+# Install pip and wheel, which are required to build many Python packages
+RUN pip install --upgrade pip setuptools wheel
+
+# Copy only the requirements file to install dependencies (this helps with caching)
+COPY requirements.txt .
+
+# Install Python dependencies without cache to keep the image smaller
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Create a non-root user and switch to it (security best practice)
+RUN useradd -ms /bin/bash appuser
+USER appuser
+
+# Copy the rest of the application code
+COPY --chown=appuser:appuser . .
+
+# Run the application (customize this command based on how your app is run)
+CMD ["python", "main.py"]
+

components/producers/cloudpi/neo4j-client/main.py

@@ -0,0 +1,15 @@
+from reachability import assessor
+from trivy import run
+import os
+
+
+def main():
+    snaps = assessor.get_snapshosts_exposed()
+    print(snaps)
+    for snap in snaps:
+        print(f"running scan on snap {snap}")
+        vuln = run.scan_ebs(snap["snapshot_id"])
+        print(vuln)
+
+if __name__ == '__main__':
+    main()

components/producers/cloudpi/neo4j-client/reachability/assessor.py

@@ -0,0 +1,24 @@
+from neo4j import GraphDatabase
+
+uri = "bolt://localhost:7687"
+
+# Create a Neo4j driver instance
+driver = GraphDatabase.driver(uri)
+
+def get_snapshosts_exposed():
+    query = """
+    MATCH (s:EBSSnapshot)-[:CREATED_FROM]->(v:EBSVolume),
+    (v)-[:ATTACHED_TO]->(i:EC2Instance{exposed_internet:true})
+    RETURN i.id AS instance_id, v.id AS volume_id, s.id AS snapshot_id, s.lastupdated AS last_updated  LIMIT 25
+    """
+    with driver.session() as session:
+        result = session.run(query)
+        snapshots = [
+            {
+                "instance_id": record["instance_id"], 
+                "volume_id": record["volume_id"],
+                "snapshot_id": record["snapshot_id"], 
+                "last_updated": record["last_updated"],
+            } 
+        for record in result]
+        return snapshots

components/producers/cloudpi/neo4j-client/requirements.txt

@@ -0,0 +1,2 @@
+neo4j==5.25.0
+pytz==2024.2

components/producers/cloudpi/neo4j-client/trivy/run.py

@@ -0,0 +1,21 @@
+import json
+import subprocess
+
+def scan_ebs(snap_name):
+    try:
+        # Run Trivy scan command for the specified ebs
+        # trivy vm --scanners vuln ebs:snap-02f3d4e008898f8d0 --aws-region eu-west-1
+        result = subprocess.run(
+            ['trivy', 'vm', '--scanners', 'vuln', '--format', 'json', f"ebs:{snap_name}"],
+            capture_output=True,
+            text=True,
+            check=True
+        )
+
+        # Parse the JSON output
+        vulnerabilities = json.loads(result.stdout)
+        return vulnerabilities
+
+    except subprocess.CalledProcessError as e:
+        print(f"Error scanning ebs {snap_name}: {e.stderr}")
+        return None

components/producers/cloudpi/task.yaml

@@ -20,19 +20,23 @@ spec:
   volumes:
     - name: scratch
       emptyDir: {}
-  # workspaces:
-  #   - name: output
-  #     description: The workspace containing the source-code to scan.
+  workspaces:
+    - name: output
+      description: The workspace containing the source-code to scan.
   steps:
   - name: run-cartography
-    image: '{{ default "ghcr.io/ocurity/dracon" .Values.image.registry }}/components/producers/docker-cloudpi:{{ .Chart.AppVersion }}'
+    image: '{{ default "ghcr.io/ocurity/dracon" .Values.image.registry }}/components/producers/cloudpi-cartography:{{ .Chart.AppVersion }}'
     env:
       - name: AWS_ACCESS_KEY_ID
         value: $(params.AWS_ACCESS_KEY_ID)
       - name: AWS_SECRET_ACCESS_KEY
         value: $(params.AWS_SECRET_ACCESS_KEY)
       - name: AWS_REGION
         value: $(params.AWS_REGION)
+      - name: READ_PATH
+        value: $(workspaces.output.path)/.dracon/producers
+      - name: WRITE_PATH
+        value: "$(workspaces.output.path)/.dracon/producers"
     command: 
       - cartography
     args:
@@ -41,3 +45,13 @@ spec:
     volumeMounts:
     - mountPath: /scratch
       name: scratch
+  - name: run-trivy
+    image: '{{ default "ghcr.io/ocurity/dracon" .Values.image.registry }}/components/producers/cloudpi-trivy:{{ .Chart.AppVersion }}'
+    env:
+      - name: READ_PATH
+        value: $(workspaces.output.path)/.dracon/producers
+      - name: WRITE_PATH
+        value: "$(workspaces.output.path)/.dracon/producers"
+    volumeMounts:
+    - mountPath: /scratch
+      name: scratch