Prerequisites:
- oc (>= v4) can be obtained from here: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/
- podman and oscap-scanner packages installed (on Fedora or RHEL variant)
- pull secret (can be obtained from try.openshift.com, save in ~/.docker/config.json)
Translate image to friendly name:
$ oc image info -o json quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:03cd77cc134a7bfcaa14c111b76234749b9b8cb0986ab25e2fb2afeb0ba7fb6b | jq -r .config.config.Labels.url
https://access.redhat.com/containers/#/registry.access.redhat.com/openshift/ose-sdn/images/v4.6.0-202011181111.p0
Normally we could use this URL to compare with the scan results on the container catalog. Unfortunately, container health grades are currently hidden due to an issue related to scanning EUS content. We can compare with a local OpenSCAP scan instead.
Pull image:
$ podman pull registry.redhat.io/openshift4/ose-sdn-rhel8:v4.6
$ # OR
$ podman pull registry.redhat.io/openshift4/ose-sdn-rhel8@sha256:03cd77cc134a7bfcaa14c111b76234749b9b8cb0986ab25e2fb2afeb0ba7fb6b
Prepare container for scanning:
$ container=$(podman create registry.redhat.io/openshift4/ose-sdn-rhel8@sha256:03cd77cc134a7bfcaa14c111b76234749b9b8cb0986ab25e2fb2afeb0ba7fb6b)
$ # Get the mount point
$ mnt=$(podman unshare podman mount $container)
$ # Verify mount point has unpacked filesystem:
$ podman unshare ls $mnt
bin dev home lib64 media opt root sbin sys usr
boot etc lib lost+found mnt proc run srv tmp var
Grab oval and scan:
$ wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2
$ wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.2-eus.oval.xml.bz2
$ podman unshare oscap-chroot $mnt oval eval --report report.html rhel-8.oval.xml.bz2
$ podman unshare oscap-chroot $mnt oval eval --report report-eus.html rhel-8.2-eus.oval.xml.bz2
Open the .html reports in a browser to view. One will notice that the scan with EUS content reports far fewer missing advisories.
To determine which OVAL files are required for the scan, check the container's content manifests:
$ podman unshare cat $mnt/root/buildinfo/content_manifests/ose-node-container-v4.6.0-202011181111.p0.json
{
  "metadata": {
    "icm_version": 1,
    "icm_spec": "https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json",
    "image_layer_index": 4
  },
  "content_sets": [
    "fast-datapath-for-rhel-8-x86_64-rpms",
    "rhel-8-for-x86_64-baseos-eus-rpms",
    "rhel-8-for-x86_64-appstream-eus-rpms",
    "rhocp-4.6-for-rhel-8-x86_64-rpms"
  ],
  "image_contents": []
}
The repositories used to build the container are listed under content_sets. This container was built with EUS repositories, so the EUS OVAL file should be used to scan it.
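The manual steps above (grab the OVAL feeds, run oscap-chroot against the mounted root, then inspect the content manifest to see whether EUS content applies) can be tied together so the manifest decides which feeds get used. The script below is an added example and is not part of the original notes; it assumes that a content set ending in "-eus-rpms" marks an EUS repository (as in the manifest shown above), that the caller knows the EUS minor release (8.2 for the image on this page), and that the feed URLs follow the layout used in the notes. The two manifests it embeds are constructed samples, one modelled on the page's manifest and one for a plain RHEL 8 build.

```shell
#!/bin/sh
# Added example, not part of the original notes: pick the Red Hat OVAL feed(s)
# that match a container's content_sets and run them against a mounted root.
# Assumptions: the "-eus-rpms" suffix marks an EUS content set (as in the
# manifest shown on the page), the caller knows the EUS minor release
# (8.2 for the image on the page), and feed URLs follow the layout the notes use.

OVAL_BASE="https://www.redhat.com/security/data/oval/v2/RHEL8"

# Two constructed manifests: one built from EUS repositories (modelled on the
# page's manifest) and one built from plain RHEL 8 repositories.
MANIFEST_EUS=$(mktemp)
MANIFEST_STD=$(mktemp)
trap 'rm -f "$MANIFEST_EUS" "$MANIFEST_STD"' EXIT
cat > "$MANIFEST_EUS" <<'EOF'
{
  "metadata": { "icm_version": 1, "image_layer_index": 4 },
  "content_sets": [
    "fast-datapath-for-rhel-8-x86_64-rpms",
    "rhel-8-for-x86_64-baseos-eus-rpms",
    "rhel-8-for-x86_64-appstream-eus-rpms",
    "rhocp-4.6-for-rhel-8-x86_64-rpms"
  ],
  "image_contents": []
}
EOF
cat > "$MANIFEST_STD" <<'EOF'
{
  "metadata": { "icm_version": 1, "image_layer_index": 2 },
  "content_sets": [
    "rhel-8-for-x86_64-baseos-rpms",
    "rhel-8-for-x86_64-appstream-rpms"
  ],
  "image_contents": []
}
EOF

# Print the content_sets entries of manifest $1, one per line (no jq required).
content_sets() {
    sed -n '/"content_sets"/,/\]/p' "$1" | grep -o '"[^"]*-rpms"' | tr -d '"'
}

# Succeed if manifest $1 lists at least one EUS content set.
uses_eus() {
    content_sets "$1" | grep -q -- '-eus-rpms$'
}

# Print the OVAL feed URLs to scan with: the base RHEL 8 feed always, plus the
# EUS feed for minor release $2 when manifest $1 was built from EUS repos.
oval_feeds() {
    printf '%s/rhel-8.oval.xml.bz2\n' "$OVAL_BASE"
    if uses_eus "$1"; then
        printf '%s/rhel-8.%s-eus.oval.xml.bz2\n' "$OVAL_BASE" "$2"
    fi
}

# Fetch each chosen feed (once) and evaluate it against the container root
# mounted at $1, writing one HTML report per feed, as the notes do by hand.
scan_mount() {
    mnt=$1; manifest=$2; eus_minor=$3
    for url in $(oval_feeds "$manifest" "$eus_minor"); do
        file=${url##*/}
        [ -f "$file" ] || wget -q "$url"
        podman unshare oscap-chroot "$mnt" oval eval \
            --report "report-${file%.oval.xml.bz2}.html" "$file"
    done
}

# Usage: sh pick-oval.sh "$mnt" "$mnt/root/buildinfo/content_manifests/<name>.json" 2
# With no arguments the script only defines the functions and sample manifests.
if [ -n "$1" ]; then
    scan_mount "$1" "$2" "${3:-2}"
fi
```

Run it with the mount point from `podman unshare podman mount`, the path to the manifest under root/buildinfo/content_manifests, and the EUS minor release; a manifest without EUS content sets yields only the base rhel-8 feed, so the report that gets written matches what the image was actually built from.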