
File neuvector-scanner-database-refresh.sh of Package scanner-databases.42604

#!/bin/bash

# Strict mode
set -euo pipefail

# Base name of the tarball this script produces; the database version and
# ".tar.xz" are appended when it is written.
readonly DATABASE_FILE="neuvector-scanner-database"
# Comma-separated list of image repositories, tried in order until a pull
# succeeds.
readonly NEUVECTOR_SCANNER_IMAGE_REPOSITORIES="registry.rancher.com/rancher/neuvector-scanner,neuvector/scanner"

# Helper functions
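#######################################
# Print a diagnostic message on stderr so it never mixes with data on stdout.
# Arguments: the message words, joined by single spaces
#######################################
log() {
    # printf instead of echo: a message starting with "-n"/"-e" would
    # otherwise be swallowed as an echo option.
    printf '%s\n' "$*" >&2
}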
#######################################
# Run tar with options that make the archive reproducible: fixed member
# order, neutral ownership, a zero mtime and the GNU format.
# Arguments: passed through to tar verbatim (mode, archive name, paths, ...)
#######################################
idempotent_tar() {
    local -a reproducible_opts=(
        --sort=name
        --owner=root:0
        --group=root:0
        --mtime="0"
        --format=gnu
    )
    tar "$@" "${reproducible_opts[@]}"
}

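# podman is needed to pull, run and export the scanner image. "podman version"
# checks that the runtime actually works, not just that a binary is on PATH.
if ! command -v podman >/dev/null 2>&1 || ! podman version >/dev/null 2>&1; then
    # Run it again without silencing so the underlying error lands in the log.
    podman version || true
    log "Could not find a working podman installation"
    exit 1
fi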

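# TODO: Move to recipes image
# Tag discovery below needs both skopeo (registry listing) and jq (parsing its
# JSON output); install whichever one is missing or not runnable.
for TOOL in skopeo jq; do
    if ! command -v "$TOOL" >/dev/null 2>&1 || ! "$TOOL" --version >/dev/null 2>&1; then
        zypper install -y "$TOOL"
    fi
done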

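# Try to pull NeuVector Scanner from various repositories
# Only tags shaped like "<digit>.<number>" are candidates. The same pattern
# filters the registry listing and re-validates the chosen tag before it is
# interpolated into the image reference handed to podman.
NEUVECTOR_SCANNER_TAG_PATTERN='^[0-9]\.[0-9]+$'
IFS=',' read -r -a NEUVECTOR_SCANNER_IMAGE_REPOSITORIES_ARRAY <<<"$NEUVECTOR_SCANNER_IMAGE_REPOSITORIES"
NEUVECTOR_SCANNER_PULLED=false
for NEUVECTOR_SCANNER_IMAGE_REPOSITORY in "${NEUVECTOR_SCANNER_IMAGE_REPOSITORIES_ARRAY[@]}"; do
    # Registries do not guarantee the order of the tag list, so the newest
    # tag is chosen by version sort rather than by list position. Under
    # pipefail, a repository with no matching tag makes grep fail, which
    # simply skips that repository.
    if NEUVECTOR_SCANNER_IMAGE_TAG="$(skopeo list-tags "docker://$NEUVECTOR_SCANNER_IMAGE_REPOSITORY" |
        jq -r '.Tags | .[]' |
        grep -E "$NEUVECTOR_SCANNER_TAG_PATTERN" |
        sort -V |
        tail -n 1)" && [[ "$NEUVECTOR_SCANNER_IMAGE_TAG" =~ $NEUVECTOR_SCANNER_TAG_PATTERN ]]; then
        log "Pulling $NEUVECTOR_SCANNER_IMAGE_REPOSITORY:$NEUVECTOR_SCANNER_IMAGE_TAG"
        if podman pull "$NEUVECTOR_SCANNER_IMAGE_REPOSITORY:$NEUVECTOR_SCANNER_IMAGE_TAG"; then
            NEUVECTOR_SCANNER_PULLED=true
            # Later steps refer to the image by this local name only.
            podman tag "$NEUVECTOR_SCANNER_IMAGE_REPOSITORY:$NEUVECTOR_SCANNER_IMAGE_TAG" neuvector-scanner
            break
        fi
    fi
done
if [[ "$NEUVECTOR_SCANNER_PULLED" != true ]]; then
    log "Could not pull any NeuVector Scanner image of: ${NEUVECTOR_SCANNER_IMAGE_REPOSITORIES_ARRAY[*]}"
    exit 1
fi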

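log "Obtaining vulnerability database version"
# "scanner -v" is assumed to print exactly one dotted version number for the
# bundled database; only the numeric part is kept.
DATABASE_VERSION="$(
    podman run --rm --entrypoint=scanner neuvector-scanner \
        -d /etc/neuvector/db/ -v | grep -Eo '[0-9.]+'
)"
# The version ends up in a file name and in the spec file, so anything that is
# not a single plain dotted number (including multi-line output) is rejected
# here instead of producing a broken artifact.
if [[ ! "$DATABASE_VERSION" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
    log "Unexpected database version string: '$DATABASE_VERSION'"
    exit 1
fi
log "Found database version: $DATABASE_VERSION"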

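SPEC_FILE=scanner-databases.spec

# Rewrite the spec so that "%define neuvectordbversion" carries the version
# found in the image. The copy is built in "newspec" and only moved over the
# original after the whole file has been processed.
#
# The loop reads from a redirection instead of "cat |", so it runs in the
# current shell: the "exit" taken when the spec is already current terminates
# the script rather than a pipeline subshell. "IFS= read -r" keeps leading
# whitespace and backslashes (spec line continuations) intact, and the
# "|| [[ -n ... ]]" clause keeps a final line without a trailing newline.
rm -f newspec
while IFS= read -r xline || [[ -n "$xline" ]]; do
    if [[ "$xline" =~ %define[[:space:]]+neuvectordbversion ]]; then
        # Quoted parts of a [[ =~ ]] pattern match literally, so the dots in
        # $DATABASE_VERSION cannot act as regex wildcards.
        if [[ "$xline" =~ neuvectordbversion[[:space:]]*"$DATABASE_VERSION"$ ]]; then
            log "The database is up-to-date"
            rm -f newspec
            exit 0
        fi
        printf '%%define neuvectordbversion    %s\n' "$DATABASE_VERSION" >> newspec
    else
        printf '%s\n' "$xline" >> newspec
    fi
done < "$SPEC_FILE"

# An empty spec produces no newspec; nothing to update in that case.
if [[ ! -f newspec ]]; then
    exit 0
fi
diff -u "$SPEC_FILE" newspec || true
mv newspec "$SPEC_FILE"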

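log "Extracting the contents of neuvector-scanner image"
TEMP_DIR="$(mktemp -d)"
CONTAINER_ID=""
# Remove the scratch container and directory on every exit path, including a
# failed export or extraction, so an aborted run leaves nothing behind.
cleanup() {
    if [[ -n "$CONTAINER_ID" ]]; then
        podman rm "$CONTAINER_ID" >/dev/null 2>&1 || true
    fi
    # Files extracted from the image may be read-only; make them deletable
    # before removing the tree. ":?" refuses to run on an empty path.
    chmod -R u+w -- "${TEMP_DIR:?}" 2>/dev/null || true
    rm -rf -- "${TEMP_DIR:?}"
}
trap cleanup EXIT
EXTRACT_DIR="$TEMP_DIR/neuvector-scanner-database-$DATABASE_VERSION"
mkdir -p "$EXTRACT_DIR"
CONTAINER_ID="$(podman create neuvector-scanner)"
# Under pipefail a failing export or extraction aborts the script (set -e),
# and the EXIT trap then cleans up.
podman export "$CONTAINER_ID" | tar xf - -C "$EXTRACT_DIR"

# Compress database and related files (such as certs)
log "Compressing database"
idempotent_tar -Jcf "$DATABASE_FILE-$DATABASE_VERSION.tar.xz" -C "$TEMP_DIR" \
    "neuvector-scanner-database-$DATABASE_VERSION/etc/neuvector"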