Monday, 1 July 2019

IBM Cloud Vulnerability Advisor - Poking the Endpoint

I've been using the Vulnerability Advisor (VA) tool to automate the testing of my built Docker images, looking for code vulnerabilities, scanning against the IBM X-Force database and known Common Vulnerabilities and Exposures (CVE) issues.

This is a nifty feature of the IBM Cloud Container Registry and provides both web UI *AND* command-line interface (CLI) options, which is super-good.

However, I'd not really looked at the REST APIs that VA provides, as documented here: -

Vulnerability Advisor for IBM Cloud Container Registry

Talking with a colleague, I realised that one can leverage API calls such as Report, which returns a JSON payload comprising ALL of the images "owned" by that IBM Cloud account, with an indication of status e.g. OK, UNSUPPORTED, FAIL, plus details of vulnerabilities, configuration issues etc.

So it's the same information that's available via the web UI and the CLI, but available for programmatic consumption ....

To consume this, one needs to pass in HTTP headers such as Account ( which IBM account is being targeted ) and Authorization ( a Bearer token ).

The first is retrieved via the command: -

bx iam accounts

which returns a list of Account GUIDs, plus the Name, Status and Owner.

The second is retrieved by the command: -

bx iam oauth-tokens

which returns a nice long string of apparent gibberish which is actually one's auth token.

Armed with the account ( which should be 32 hex characters ) and the auth token ( which should be 1074 characters ), one can hit the API endpoint.

This is the cURL command - other REST clients are available: -

curl -X GET \
  https://us.icr.io/va/api/v3/report/account \
  -H 'Accept: */*' \
  -H 'Account: db52f980f8c07a05b50cb223fae0d849' \
  -H 'Authorization: Bearer <your-bearer-token>'

and wait for a nice long list of images and their vulnerabilities ....
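The same call done programmatically, as an added example that is not part of the original post: it builds the two headers described above (rejecting a malformed account GUID or empty token before any network traffic), fetches the report with the standard library, and tallies images by status. The endpoint and header names come from the post; the response field names (`images`, `name`, `status`, `vulnerabilities`) and the sample payload are assumptions constructed for an offline run, not real VA output.

```python
import json
import re
import urllib.request

VA_REPORT_URL = "https://us.icr.io/va/api/v3/report/account"  # from the post
ACCOUNT_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # post: account GUID is 32 hex chars


def build_headers(account, token):
    """Headers for the VA report call; fail fast on obviously bad input."""
    if not ACCOUNT_RE.match(account):
        raise ValueError("Account must be a 32-character hex GUID (bx iam accounts)")
    token = token.strip()
    if not token:
        raise ValueError("empty token (bx iam oauth-tokens)")
    if token.lower().startswith("bearer "):
        token = token[7:]  # avoid 'Bearer Bearer ...' if the prefix was pasted too
    return {"Accept": "*/*", "Account": account, "Authorization": "Bearer " + token}


def fetch_report(account, token, url=VA_REPORT_URL, timeout=60):
    """GET the account-wide report (network call; not used by the offline sample)."""
    req = urllib.request.Request(url, headers=build_headers(account, token))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarise_report(report):
    """Count images per status and list FAIL images with their vulnerability count.
    ASSUMED shape: {"images": [{"name", "status", "vulnerabilities": [...]}, ...]}"""
    counts, failing = {}, []
    for image in report.get("images", []):
        status = image.get("status", "UNKNOWN")
        counts[status] = counts.get(status, 0) + 1
        if status == "FAIL":
            failing.append((image.get("name", "?"), len(image.get("vulnerabilities", []))))
    return counts, sorted(failing, key=lambda item: item[1], reverse=True)


# Constructed sample payload (assumed field names, placeholder CVE ids), not real VA output.
SAMPLE_REPORT = {"images": [
    {"name": "us.icr.io/ns/app:1.0", "status": "FAIL",
     "vulnerabilities": [{"id": "CVE-PLACEHOLDER-1"}, {"id": "CVE-PLACEHOLDER-2"}]},
    {"name": "us.icr.io/ns/app:1.1", "status": "OK", "vulnerabilities": []},
    {"name": "us.icr.io/ns/scratch:latest", "status": "UNSUPPORTED"},
]}

if __name__ == "__main__":
    print(summarise_report(SAMPLE_REPORT))
```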
