more scan logic improvements

pluralsh · Nov 11, 2022 · aa4327e · aa4327e
1 parent 41f648e
commit aa4327e
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 4 deletions.
diff --git a/apps/core/lib/core/schema/docker_image.ex b/apps/core/lib/core/schema/docker_image.ex
@@ -32,7 +32,8 @@ defmodule Core.Schema.DockerImage do
 
   def scanned_before(query \\ __MODULE__, days) do
     prior = Timex.now() |> Timex.shift(days: -days)
-    from(di in query, where: di.scanned_at < ^prior or is_nil(di.scanned_at) or di.scan_completed_at < ^prior or is_nil(di.scan_completed_at))
+    scanning = Timex.now() |> Timex.shift(minutes: -10)
+    from(di in query, where: di.scanned_at < ^prior or is_nil(di.scanned_at) or ((di.scan_completed_at < ^prior or is_nil(di.scan_completed_at)) and di.scanned_at < ^scanning))
   end
 
   def for_repository(query \\ __MODULE__, repo_id),

diff --git a/apps/core/lib/core/services/scan.ex b/apps/core/lib/core/services/scan.ex
@@ -14,7 +14,7 @@ defmodule Core.Services.Scan do
 
     image = "#{registry_name}:#{image.tag}"
     Logger.info "Scanning image #{image}"
-    case System.cmd("trivy", ["--quiet", "image", "--format", "json", image, "--timeout", "10m0s"], env: env) do
+    case System.cmd("trivy", ["--quiet", "image", "--format", "json", image, "--timeout", "5m0s"], env: env) do
       {output, 0} ->
         case Jason.decode(output) do
           {:ok, [%{"Vulnerabilities" => vulns} | _]} -> insert_vulns(vulns, img)
@@ -49,7 +49,9 @@ defmodule Core.Services.Scan do
   defp handle_trivy_error(output, %DockerImage{} = img) do
     case String.contains?(output, "timeout") do
       true -> Ecto.Changeset.change(img, %{scan_completed_at: Timex.now()}) |> Core.Repo.update()
-      _ -> :error
+      _ ->
+        Logger.error "unrecognized trivy output, retrying immediately"
+        :error
     end
   end
 

diff --git a/apps/core/test/services/scan_test.exs b/apps/core/test/services/scan_test.exs
@@ -10,7 +10,7 @@ defmodule Core.Services.ScanTest do
       image_name = "dkr.plural.sh/#{image.docker_repository.repository.name}/#{image.docker_repository.name}:#{image.tag}"
       vuln = Application.get_env(:core, :vulnerability)
       expect(System, :cmd, fn
-        "trivy", ["--quiet", "image", "--format", "json", ^image_name, "--timeout", "10m0s"], [env: [{"TRIVY_REGISTRY_TOKEN", _}]] ->
+        "trivy", ["--quiet", "image", "--format", "json", ^image_name, "--timeout", "5m0s"], [env: [{"TRIVY_REGISTRY_TOKEN", _}]] ->
           {~s([{"Vulnerabilities": [#{vuln}]}]), 0}
       end)
 
@@ -23,6 +23,19 @@ defmodule Core.Services.ScanTest do
       [vuln] = scanned.vulnerabilities
       assert vuln.image_id == scanned.id
     end
+
+    test "it will mark on timeouts" do
+      image = insert(:docker_image)
+      expect(System, :cmd, fn
+        "trivy", ["--quiet", "image", "--format", "json", _, "--timeout", "5m0s"], [env: [{"TRIVY_REGISTRY_TOKEN", _}]] ->
+          {~s(image scan error: scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded), 1}
+      end)
+
+      {:ok, errored} = Scan.scan_image(image)
+
+      assert errored.id == image.id
+      assert errored.scan_completed_at
+    end
   end
 
   describe "terrascan/2" do