Custom Image Vulnerability Assessment Report
Overview:
Fidelis designed and implemented a standalone Python script that produces the custom image vulnerability assessment report. The script retrieves the full list of container images known to HALO and, for every image, the details of the CVEs and software packages that belong to it.
Features:
The script provides the following features:
- List details of all container images known to HALO (Image ID, Repository Name, Registry Name, URI, Inspection Status, Running Containers, Last Scan Date, Imported Date, Created Date, OS Distribution, OS Version, Size, and Tags).
- List details of all CVEs for every container image (CVE ID, CVSS Base Score, Criticality, Remotely Exploitable, Packages Impacted, CVE Description, and Suppressed).
- List details of all software packages for every container image (Package Name, Platform, Version, and Vulnerable).
- Generate overall statistics about the retrieved container images:
  - Number and percentage of vulnerable and non-vulnerable images.
  - Number and percentage of critical and non-critical CVEs.
  - Number and percentage of vulnerable and non-vulnerable software packages.
- Generate pie charts representing the above statistics.
- Export the results in CSV file format.
- Retrieve image details with multiple threads to reduce execution time.
Requirements:
To run the script, you need the following:
- A CloudPassage HALO API key (with Auditor privileges).
- Python 3.6 or later, including the packages listed in "requirements.txt".
Installation:
git clone https://github.com/cloudpassage/image_vulnerability_report.git
cd image_vulnerability_report
pip install -r requirements.txt
Configuration:
| Variable | Description | Default Value |
|---|---|---|
| HALO_API_KEY | ID of HALO API Key | |
| HALO_API_SECRET_KEY | Secret of HALO API Key | |
| HALO_API_HOSTNAME | HALO API Host Name | https://api.cloudpassage.com |
| HALO_API_PORT | HALO API Port Number | 443 |
| HALO_API_VERSION | HALO EndPoint Version | v2 |
| OUTPUT_DIRECTORY | Location for generated CSV files | /var/log |
How the script works:
The script performs the following tasks:
- Checks and validates the provided configuration parameters, and fails if any required parameter is missing.
- Uses the HALO API key id/secret to generate the access token used to reach protected HALO resources.
- Retrieves the full list of container images, along with the CVE and software package details of every image.
- Prepares the report statistics (percentage of vulnerable and non-vulnerable images, percentage of critical and non-critical CVEs, and percentage of vulnerable and non-vulnerable software packages).
- Exports the retrieved image vulnerability data to a CSV output file.
- Generates pie charts as a visual representation of the overall statistics.
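The configuration check, the threaded per-image fan-out, the statistics and the CSV export described above, as an added Python example; this is not the project's runner.py. It reads the same variable names and defaults as the configuration table, but replaces the HALO API calls with constructed sample data behind a hypothetical fetch_details() stand-in (the CVE ids are placeholders), and it assumes that an image counts as vulnerable when it has at least one unsuppressed CVE. Pie charts are omitted so the example runs on the standard library alone.

```python
import csv
import io
from concurrent.futures import ThreadPoolExecutor

# Defaults mirror the README configuration table; the key id/secret have no default.
DEFAULTS = {
    "HALO_API_HOSTNAME": "https://api.cloudpassage.com",
    "HALO_API_PORT": "443",
    "HALO_API_VERSION": "v2",
    "OUTPUT_DIRECTORY": "/var/log",
}
REQUIRED = ("HALO_API_KEY", "HALO_API_SECRET_KEY")


def load_config(env):
    """Overlay env on the defaults; fail fast if a required parameter is absent."""
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise ValueError("missing required configuration: " + ", ".join(missing))
    cfg = dict(DEFAULTS)
    for name in list(DEFAULTS) + list(REQUIRED):
        if env.get(name):
            cfg[name] = env[name]
    return cfg


# Constructed sample data standing in for the HALO API responses (CVE ids are placeholders).
SAMPLE_DETAILS = {
    "img-001": {
        "repository": "web/frontend",
        "cves": [{"cve_id": "CVE-0000-0001", "cvss_base_score": 9.8, "critical": True,
                  "suppressed": False, "packages_impacted": ["openssl"]},
                 {"cve_id": "CVE-0000-0002", "cvss_base_score": 5.3, "critical": False,
                  "suppressed": False, "packages_impacted": ["zlib"]}],
        "packages": [{"name": "openssl", "version": "1.0.0", "vulnerable": True},
                     {"name": "zlib", "version": "1.2.8", "vulnerable": True},
                     {"name": "bash", "version": "5.0", "vulnerable": False}],
    },
    "img-002": {
        "repository": "tools/cron",
        "cves": [{"cve_id": "CVE-0000-0003", "cvss_base_score": 7.5, "critical": False,
                  "suppressed": True, "packages_impacted": ["curl"]}],
        "packages": [{"name": "curl", "version": "7.64", "vulnerable": True}],
    },
    "img-003": {
        "repository": "base/alpine",
        "cves": [],
        "packages": [{"name": "musl", "version": "1.2", "vulnerable": False}],
    },
}


def fetch_details(image_id):
    """Hypothetical stand-in for the per-image CVE/package lookup made against HALO."""
    return dict(SAMPLE_DETAILS[image_id], id=image_id)


def collect_images(image_ids, fetch=fetch_details, workers=4):
    """Fetch every image's details concurrently; map() keeps the input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(fetch, image_ids))


def split(count, total):
    """Count/percentage pair; an empty total yields 0% instead of a ZeroDivisionError."""
    percent = round(100.0 * count / total, 1) if total else 0.0
    return {"count": count, "percent": percent}


def compute_stats(images):
    """Image is vulnerable if it carries at least one unsuppressed CVE (assumed definition)."""
    cves = [c for im in images for c in im["cves"]]
    pkgs = [p for im in images for p in im["packages"]]
    vuln_images = sum(1 for im in images if any(not c["suppressed"] for c in im["cves"]))
    critical = sum(1 for c in cves if c["critical"])
    vuln_pkgs = sum(1 for p in pkgs if p["vulnerable"])
    return {
        "images": {"vulnerable": split(vuln_images, len(images)),
                   "non_vulnerable": split(len(images) - vuln_images, len(images))},
        "cves": {"critical": split(critical, len(cves)),
                 "non_critical": split(len(cves) - critical, len(cves))},
        "packages": {"vulnerable": split(vuln_pkgs, len(pkgs)),
                     "non_vulnerable": split(len(pkgs) - vuln_pkgs, len(pkgs))},
    }


CSV_FIELDS = ["image_id", "repository", "cve_id", "cvss_base_score",
              "critical", "suppressed", "packages_impacted"]


def render_csv(images):
    """One row per (image, CVE); an image with no CVEs still gets a row so it stays visible."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    for im in images:
        for cve in im["cves"] or [None]:
            writer.writerow({
                "image_id": im["id"], "repository": im["repository"],
                "cve_id": cve["cve_id"] if cve else "",
                "cvss_base_score": cve["cvss_base_score"] if cve else "",
                "critical": cve["critical"] if cve else "",
                "suppressed": cve["suppressed"] if cve else "",
                "packages_impacted": ";".join(cve["packages_impacted"]) if cve else "",
            })
    return buf.getvalue()


if __name__ == "__main__":
    config = load_config({"HALO_API_KEY": "example-id", "HALO_API_SECRET_KEY": "example-secret"})
    report = collect_images(sorted(SAMPLE_DETAILS))
    print(config["HALO_API_HOSTNAME"], compute_stats(report))
    print(render_csv(report))
```

The split() helper is where an empty tenant (no images, or images with no CVEs) would otherwise crash the statistics step; the CSV writer deliberately emits a row for images without CVEs so that a clean image is distinguishable from one the script never retrieved.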
How to run the script:
Running the script takes two steps:
- Navigate to the app folder that contains the module "runner.py":
cd image_vulnerability_report/app
- Then run the Python module "runner.py".
Sample Results:
- Overall Statistics
- Container Images Detailed Report
- Images Vulnerability Graph
- CVEs Criticality Graph
- Software Packages Vulnerability Graph
Future Work:
- Filter retrieved images by repository name.
- Filter retrieved images by registry name.
- Filter retrieved images by OS distribution.
- Add the capability to split image details across more than one CSV file when the number of images is very large.