
Commit 65e5669

authored
Vulnerability notification example (GoogleCloudPlatform#3931)
* added vulnerability notification example * fixed issues * updated * lint * upgraded libraries bom version * license * removed mvnw and license file * Updated README
1 parent f4ca1dd commit 65e5669

10 files changed

+483
-0
lines changed

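--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,18 @@
+# This file specifies files that are *not* uploaded to Google Cloud Platform
+# using gcloud. It follows the same syntax as .gitignore, with the addition of
+# "#!include" directives (which insert the entries of the given .gitignore-style
+# file at that point).
+#
+# For more information, run:
+# $ gcloud topic gcloudignore
+#
+.gcloudignore
+# If you would like to upload your .git directory, .gitignore file or files
+# from your .gitignore file, remove the corresponding line
+# below:
+.git
+.gitignore
+target/
+
+node_modules
+#!include:.gitignore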
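--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,33 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/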
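--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -0,0 +1,59 @@
+## Introduction
+This is an example Google Cloud Function that can listen to Pub/Sub events from
+[Container Analysis](https://cloud.google.com/container-registry/docs/container-analysis)'
+[Vulnerability Scanning](https://cloud.google.com/container-registry/docs/vulnerability-scanning) feature,
+and create an log entry so that you can use Log-based Metrics to create a Cloud Ops Alert, and
+send a notification when new container image vulnerability is detected.
+
+In general, this is how it works:
+1. [Enable Container Analysis API](https://cloud.google.com/container-registry/docs/enabling-disabling-container-analysis)
+1. This will also automatically create Pub/Sub topics to publish scanning results
+1. [Occurrences](https://cloud.google.com/container-registry/docs/metadata-storage#occurrence) (vulnerabilities on an image) is published to the `container-analysis-occurrences-v1` topic
+1. Deploy a Function that analyzes the notification, and print the result to log
+1. Create a Log-based metrics, and extract the `Image` name, `CVE`, and `Severity`
+1. Create an alert policy on this metrics, and count the vulnerabilities grouped by the image name
+1. FInally, you can configure a [notification channel](https://cloud.google.com/monitoring/support/notification-options) to get notified
+
+## Detailed Steps
+Enable Container Analysis:
+```
+gcloud services enable containeranalysis.googleapis.com
+```
+
+Build and Deploy this function:
+```
+mvn package
+
+gcloud functions deploy vulnerability-function \
+--entry-point com.example.containeranalysis.VulnerabilityFunction \
+--runtime java11 \
+--trigger-topic container-analysis-occurrences-v1 \
+--memory 512MB
+```
+
+Deploy the Log-based Metrics configuration:
+```
+gcloud beta logging metrics create container-vulnerability \
+--config-from-file=cloudops/container-analysis-metrics.yaml
+```
+
+Deploy the Alert Policy configuration:
+```
+gcloud alpha monitoring policies create \
+--policy-from-file=cloudops/vulnerability-policy.yaml
+```
+
+This configuration doesn't configure any notification channels. To get notified via e-mail, or Slack
+see [Manging notification channels documentation](https://cloud.google.com/monitoring/support/notification-options).
+
+## Development
+Run Locally:
+```
+mvn function:run
+```
+
+Build:
+```
+mvn clean package
+```
+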
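--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-4
@@ -0,0 +1,19 @@
+name: container-vulnerability
+description: Container Analysis Vulnerability
+filter: 'resource.type="cloud_function" resource.labels.function_name="occurrences-consumer" textPayload: "Image: "'
+labelExtractors:
+cve: 'REGEXP_EXTRACT(textPayload, "CVE: (.*), Severity")'
+image: 'REGEXP_EXTRACT(textPayload, "Image: (.*), CVE:")'
+severity: 'REGEXP_EXTRACT(textPayload, "Severity: (.*)")'
+metricDescriptor:
+description: Container Analysis Vulnerability
+labels:
+- description: CVE
+key: cve
+- description: Severity
+key: severity
+- description: Image Name
+key: image
+metricKind: DELTA
+unit: '1'
+valueType: INT64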
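Review bot: The metric filter on line 3 only matches logs from a function named `occurrences-consumer`, while the README in this same commit deploys it as `vulnerability-function`, so the metric never receives data and the alert policy built on it stays silent. Change the filter to `resource.labels.function_name="vulnerability-function"` (or document that the two names must be kept in sync). The three REGEXP_EXTRACT label extractors also hard-code a `Image: ..., CVE: ..., Severity: ...` line format that the function class producing it is not part of this view, so a comment above `labelExtractors:` stating which log line they parse would let the next maintainer change both sides together.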
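--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-5
@@ -0,0 +1,20 @@
+displayName: Container Vulnerability Detected
+combiner: OR
+conditions:
+- conditionThreshold:
+aggregations:
+- alignmentPeriod: 60s
+crossSeriesReducer: REDUCE_COUNT
+groupByFields:
+- metric.label.image
+perSeriesAligner: ALIGN_COUNT
+comparison: COMPARISON_GT
+duration: 60s
+filter: metric.type="logging.googleapis.com/user/container-vulnerability" resource.type="cloud_function"
+trigger:
+count: 1
+displayName: Container Vulnerability by Image [COUNT]
+documentation:
+content: Container Image ${metric.label.image} has N vulnerabilities!
+mimeType: text/markdown
+enabled: true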
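Review bot: The condition filter on line 13 does not constrain the `severity` label that the metric definition extracts, so a single LOW or MINIMAL finding opens an incident with the same urgency as a CRITICAL one, which trains responders to ignore the channel. Consider narrowing the filter, e.g. `filter: metric.type="logging.googleapis.com/user/container-vulnerability" resource.type="cloud_function" metric.label.severity="CRITICAL"`, or splitting into one condition per severity tier with different notification channels. The documentation `content:` on line 18 also emits the literal text `N vulnerabilities` because the count is not a templated variable here; either drop the number or reword it to something the notification can actually substitute, such as `${metric.label.image} has new vulnerabilities`.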
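--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-6
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright 2019 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<parent>
+<groupId>com.google.cloud.samples</groupId>
+<artifactId>shared-configuration</artifactId>
+<version>1.0.21</version>
+</parent>
+
+<groupId>com.google.containerregistry</groupId>
+<artifactId>containeranalysis-function</artifactId>
+<version>1.0</version>
+<name>container-analysis-function</name>
+<description>Container Analysis Function</description>
+
+<properties>
+<maven.compiler.target>11</maven.compiler.target>
+<maven.compiler.source>11</maven.compiler.source>
+</properties>
+
+<dependencies>
+<dependency>
+<groupId>com.google.cloud.functions</groupId>
+<artifactId>functions-framework-api</artifactId>
+<version>1.0.1</version>
+<scope>provided</scope>
+</dependency>
+
+<dependency>
+<groupId>com.google.cloud</groupId>
+<artifactId>google-cloud-containeranalysis</artifactId>
+</dependency>
+
+<dependency>
+<groupId>com.google.code.gson</groupId>
+<artifactId>gson</artifactId>
+<version>2.8.6</version>
+</dependency>
+
+<dependency>
+<groupId>org.projectlombok</groupId>
+<artifactId>lombok</artifactId>
+<version>1.18.12</version>
+</dependency>
+
+<dependency>
+<groupId>junit</groupId>
+<artifactId>junit</artifactId>
+<version>4.13</version>
+<scope>test</scope>
+</dependency>
+
+<dependency>
+<groupId>org.mockito</groupId>
+<artifactId>mockito-core</artifactId>
+<version>3.4.0</version>
+<scope>test</scope>
+</dependency>
+</dependencies>
+
+<dependencyManagement>
+<dependencies>
+<dependency>
+<groupId>com.google.cloud</groupId>
+<artifactId>libraries-bom</artifactId>
+<version>12.0.0</version>
+<type>pom</type>
+<scope>import</scope>
+</dependency>
+</dependencies>
+</dependencyManagement>
+
+<build>
+<plugins>
+<plugin>
+<groupId>com.google.cloud.functions</groupId>
+<artifactId>function-maven-plugin</artifactId>
+<version>0.9.5</version>
+<configuration>
+<functionTarget>com.example.containeranalysis.VulnerabilityFunction</functionTarget>
+<port>8080</port>
+</configuration>
+</plugin>
+</plugins>
+</build>
+
+</project>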
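Review bot: The lombok dependency on lines 55-59 has no scope, so an annotation processor that is only needed at compile time ends up on the runtime classpath and inside the deployed function artifact, enlarging the attack surface and the software bill of materials for no benefit. Add `<scope>provided</scope>` to that dependency, mirroring the `provided` scope already used for functions-framework-api on line 41. It would also help readers if the `gson` entry carried a short comment explaining why its version is pinned here rather than left to the libraries-bom import below.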
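--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-7
@@ -0,0 +1,26 @@
+/*
+* Copyright 2020 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package com.example.containeranalysis;
+
+import lombok.Data;
+
+@Data
+class OccurrenceNotification {
+private String name;
+private String kind;
+private String notificationTime;
+}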
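Review bot: Neither `OccurrenceNotification` here nor `PubSubMessage` in the next file carries a class-level Javadoc, and since Gson maps JSON keys to these field names by reflection, a reader has no way to tell which wire format the names must match. Add a Javadoc such as `/** JSON payload carried in a Container Analysis Pub/Sub notification; field names must match the JSON keys exactly (Gson binds by name). */` above `@Data` here, and an equivalent one on `PubSubMessage` that also says how `data` is encoded (presumably base64, as Cloud Functions Pub/Sub payloads usually are, but confirm against the consuming function, which is outside this view). Because `@Data` generates a `toString()`, a one-line note that the generated string may end up in logs would also tell maintainers not to add sensitive fields to these classes without revisiting that.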
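--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-8
@@ -0,0 +1,28 @@
+/*
+* Copyright 2020 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package com.example.containeranalysis;
+
+import java.util.Map;
+import lombok.Data;
+
+@Data
+class PubSubMessage {
+private String data;
+private Map<String, String> attributes;
+private String messageId;
+private String publishTime;
+}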
