Note: ahab will soon be sailing into the sunset. See: OSS Index Updates for details.
ahab is a tool to check for vulnerabilities in your apt, apk, yum or dnf powered operating systems, powered by Sonatype OSS Index.
ahab currently works for images that use apt, apk, yum or dnf for package management and will do its best to auto detect which package manager is being used by your OS.
Well, we'd hope it is easy enough to see why, but what you can do with ahab is inject a command similar to the following into your Dockerfile:
RUN dpkg-query --show --showformat='${Package} ${Version}\n' | ./ahab chase
Since ahab will exit with a non-zero code if vulnerabilities are found, you can use ahab to prevent images with vulnerabilities from being built, serving as a gate in your CI/CD process. ahab does not replace checking your own applications for vulnerable dependencies, but as the container has become more and more important to how an application eventually ends up in production, checking the base image itself is critical as well.
A suggested setup would be to have a base image similar to:
FROM ubuntu:latest
RUN apt-get update && apt-get install pip
RUN ./script_to_install_ahab.sh
RUN dpkg-query --show --showformat='${Package} ${Version}\n' | ./ahab chase
Using this base image, you'd install all the packages necessary to run your application, and check it as a last step with ahab to ensure you aren't using anything vulnerable. From here, you'd use this base image to import your application, build it, etc. as you normally would, knowing you started from a clean base.
In this repo we have a Dockerfile that will copy in ahab and run it on Ubuntu, to illustrate a failing Docker build.
To run this test:
Ubuntu
$ GOOS=linux GOARCH=amd64 go build
$ docker build -f docker/dpkg-query-autodetect/Dockerfile . -t test
Fedora older (yum based)
$ GOOS=linux GOARCH=amd64 go build
$ docker build -f docker/yum-autodetect/Dockerfile . -t test
Fedora latest (dnf based)
$ GOOS=linux GOARCH=amd64 go build
$ docker build -f docker/dnf-autodetect/Dockerfile . -t test
Alpine
$ GOOS=linux GOARCH=amd64 go build
$ docker build -f docker/apk-autodetect/Dockerfile . -t test
Depending on the OS, you'll see Ahab run and fail (Ubuntu and Fedora) or succeed (Alpine).
$ ahab
Ahab version: development
Usage:
ahab [flags]
ahab [command]
Available Commands:
chase chase is used for auditing projects with OSS Index
config Setup credentials to use when connecting to services
help Help about any command
iq iq is used for auditing your projects with Nexus IQ Server
Flags:
-h, --help help for ahab
-t, --token string Specify your OSS Index API Token
-u, --username string Specify your OSS Index Username
Use "ahab [command] --help" for more information about a command.
$ ahab chase -h
chase is used for auditing projects with OSS Index
Usage:
ahab chase [flags]
Examples:
dpkg-query --show --showformat='${Package} ${Version}\n' | ./ahab chase
yum list installed | ./ahab chase
dnf list installed | ./ahab chase
apk info -vv | sort | ./ahab chase
Flags:
-v, -- count Set log level, higher is more verbose
--clean-cache Flag to clean the database cache for OSS Index
-e, --exclude-vulnerability CveListFlag Comma separated list of CVEs to exclude (default [])
-x, --exclude-vulnerability-file string Path to a file containing newline separated CVEs to be excluded (default "./.ahab-ignore")
-h, --help help for chase
--loud Specify if you want non vulnerable packages included in your output
--no-color Specify if you want no color in your results
--os string Specify a value for the operating system type you want to scan (alpine, debian, fedora). Useful if autodetection fails and/or you want to explicitly set it. (DEPRECATED: use package-manager)
--output string Specify the output type you want (json, text, csv) (default "text")
--package-manager string Specify package manager type you want to scan (apk, dnf, dpkg or yum). Useful if autodetection fails and/or you want to explicitly set it.
--quiet Quiet removes the header from being printed (default true)
Global Flags:
-t, --token string Specify your OSS Index API Token
-u, --username string Specify your OSS Index Username
Sometimes you'll run into a dependency that, after taking a look at it, you either aren't affected by or cannot resolve for some reason. Ahab understands, and will let you exclude these vulnerabilities so you can get back to a passing build. Excluded vulnerabilities will be silenced: they will not show up in the output or fail your build.
We support exclusion of a vulnerability either by CVE-ID (e.g. CVE-2018-20303) or by OSS Index ID (e.g. a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14), as not all vulnerabilities have a CVE-ID.
./ahab --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2
By default, if a file named .ahab-ignore exists in the directory that ahab is run from, it will be used, with no other options needing to be passed.
If you would like to define the path to the file, you can use the following:
./ahab --exclude-vulnerability-file=/path/to/your/exclude-file
The file format requires each vulnerability that you want to exclude to be on a separate line. Comments are allowed in the file as well to help provide context when needed. See an example file below.
# This vulnerability is coming from package xyz, we are ok with this for now
CVN-111
CVN-123 # Mitigated the risk of this since we only use one method in this package and the affected code doesn't matter
CVN-543
It's also possible to define expiring ignores: if you add a date to a vulnerability ignore, the vulnerability is ignored until that date, and once that date has passed it will be reported by ahab again if it's still an issue. The format for an expiring ignore looks as follows. Entries can also be followed by comments to provide context as to why the vulnerability has been ignored until that date.
CVN-111 until=2021-01-01
CVN-543 until=2018-02-12 #Waiting on release from third party. Should be out before this date but gives us a little time to fix it.
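As an added example (not the project's own code), the following Go snippet re-implements the exclusion rules described above: it parses the ignore-file format (one ID per line, '#' comments, optional until=YYYY-MM-DD) into a lookup table and decides whether a given vulnerability is currently silenced. The function names are assumptions made for this illustration.

```go
package main

import (
	"bufio"
	"errors"
	"strings"
	"time"
)

// ParseIgnoreFile reads the format described above (added example, not the
// project's own parser): one vulnerability ID per line, '#' comments, and an
// optional "until=YYYY-MM-DD". The result maps ID to its expiry; a zero time
// means the exclusion never expires.
func ParseIgnoreFile(content string) (map[string]time.Time, error) {
	ignores := map[string]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i] // strip trailing comment
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue // blank or comment-only line
		}
		id, until := fields[0], time.Time{}
		for _, f := range fields[1:] {
			if !strings.HasPrefix(f, "until=") {
				return nil, errors.New("unexpected token " + f + " after " + id)
			}
			t, err := time.Parse("2006-01-02", strings.TrimPrefix(f, "until="))
			if err != nil {
				return nil, err
			}
			until = t
		}
		ignores[id] = until
	}
	return ignores, sc.Err()
}

// IsExcluded reports whether id is silenced at time now: an undated entry
// always matches, a dated one only while now is before its until date.
func IsExcluded(ignores map[string]time.Time, id string, now time.Time) bool {
	until, ok := ignores[id]
	return ok && (until.IsZero() || now.Before(until))
}
```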
$ ahab iq -h
iq is used for auditing your projects with Nexus IQ Server
Usage:
ahab iq [flags]
Examples:
dpkg-query --show --showformat='${Package} ${Version}\n' | ./ahab iq --iq-application testapp
yum list installed | ./ahab iq --iq-application testapp
dnf list installed | ./ahab iq --iq-application testapp
apk info -vv | sort | ./ahab iq --iq-application testapp
Flags:
-v, -- count Set log level, higher is more verbose
-h, --help help for iq
-a, --iq-application string Specify public application ID for request (required)
-x, --iq-server-url string Specify Nexus IQ Server URL (default "http://host.docker.internal:8070")
-s, --iq-stage string Specify stage for application (default "develop")
-k, --iq-token string Specify Nexus IQ Token/Password for request (default "admin123")
-l, --iq-username string Specify Nexus IQ Username for request (default "admin")
--max-retries int Specify maximum number of tries to poll Nexus IQ Server (default 300)
--os string Specify a value for the operating system type you want to scan (alpine, debian, fedora). Useful if autodetection fails and/or you want to explicitly set it. (DEPRECATED: use package-manager)
--package-manager string Specify package manager type you want to scan (apk, dnf, dpkg or yum). Useful if autodetection fails and/or you want to explicitly set it.
--quiet Quiet removes the header from being printed (default true)
Global Flags:
-t, --token string Specify your OSS Index API Token
-u, --username string Specify your OSS Index Username
Captain Ahab was a person hell-bent on killing a white whale. This project is called ahab because, like the wild captain, it will kill the creation of a Docker image if any vulnerabilities are found in your installed packages.
At current time you have a few options:
TBD
$ export GO111MODULE=on
$ make deps
$ make test
$ make build
ahab is written using Golang 1.14, so it is best you start there. Tests can be run with make test.
Follow the steps below to release a new version of Ahab. You need to be part of the deploy from circle ci group for this to work.
- Checkout/pull the latest main branch, and create a new tag with the desired semantic version and a helpful note:
git tag -a v0.2.x -m "Helpful message in tag."
- Push the tag up:
git push origin v0.2.x
- There is no step 3.
We care a lot about making the world a safer place, and that's why we created ahab. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!
It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)
Remember:
- Use this contribution at the risk tolerance that you have
- Do NOT file Sonatype support tickets related to ahab support in regard to this project - DO file issues here on GitHub, so that the community can pitch in
Phew, that was easier than I thought. Last but not least of all: have fun creating and using ahab and the Sonatype OSS Index, we are glad to have you here!
Looking to contribute to our code but need some help? There are a few ways to get information:
- Chat with us on Gitter