
I'm trying to use Boto3 to get the number of vulnerabilities from my images in my repositories. I have a list of repository names and image IDs that are getting passed into this function. Based off their documentation

I'm expecting a response like this when I filter for ['imageScanFindings']

'imageScanFindings': {
        'imageScanCompletedAt': datetime(2015, 1, 1),
        'vulnerabilitySourceUpdatedAt': datetime(2015, 1, 1),
        'findingSeverityCounts': {
            'string': 123
        },
        'findings': [
            {
                'name': 'string',
                'description': 'string',
                'uri': 'string',
                'severity': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'|'UNDEFINED',
                'attributes': [
                    {
                        'key': 'string',
                        'value': 'string'
                    },
                ]
            },
        ],

What I really need is the 'findingSeverityCounts' number, however, it's not showing up in my response. Here's my code and the response I get:

main.py

import boto3

repo_names = ['cftest/repo1', 'your-repo-name', 'cftest/repo2']
image_ids = ['1.1.1', 'latest', '2.2.2']

def get_vuln_count(repo_names, image_ids):
    container_inventory = []

    client = boto3.client('ecr')
    # Pair each repository with the tag of the image pushed to it
    for n, i in zip(repo_names, image_ids):
        response = client.describe_image_scan_findings(
            repositoryName=n,
            imageId={'imageTag': i}
        )
        findings = response['imageScanFindings']
        print(findings)

Output

{'findings': []}

The only thing that shows up is findings and I was expecting findingSeverityCounts in the response along with the others, but nothing else is showing up.

THEORY

I have 3 repositories and an image in each repository that I uploaded. One of my theories is that I'm not getting the other responses, such as findingSeverityCounts because my images don't have vulnerabilities? I have inspector set-up to scan on push, but they don't have vulnerabilities so nothing shows up in the inspector dashboard. Could that be causing the issue? If so, how would I be able to generate a vulnerability in one of my images to test this out?

  • did you check if your image scan is completed? – omuthu Sep 21 '22 at 16:53
  • @omuthu So if I go to my repositories in the console and click "see findings" under "vulnerabilities" it says "Initial scan has been completed and image is continuously being scanned for new vulnerabilities. No vulnerabilities are currently found." – Mitchell Privett Sep 21 '22 at 16:55
  • yes, so there are no findings and you would be getting the response you expected only when there are vulnerabilities, and each of the vulnerabilities will have a severity – omuthu Sep 21 '22 at 17:05
  • you have a better example output in CLI but the same is what you get in boto3 as well https://docs.aws.amazon.com/cli/latest/reference/ecr/describe-image-scan-findings.html – omuthu Sep 21 '22 at 17:08
  • @omuthu The goal was to have this script create a list with the number of vulnerabilities, if there aren't any, do you know how I could make my code add a value of 0? – Mitchell Privett Sep 21 '22 at 17:18
  • just initialize a variable count=0 before your for loop and increment the count when you iterate the findings list variable – omuthu Sep 21 '22 at 17:58

1 Answer

My theory was correct and when there are no vulnerabilities, the response completely omits certain values, including the 'findingSeverityCounts' value that I needed.

I created a docker image using python 2.7 to generate vulnerabilities in my scan to test out my script properly. My workaround was to implement this if statement: if there are vulnerabilities it will return them; if there aren't any vulnerabilities, that means 'findingSeverityCounts' is omitted from the response, so I'll have it return 0 instead of giving me a key error.

Example Solution:

import boto3

client = boto3.client('ecr')
for n, i in zip(repo_names, image_ids):
    response = client.describe_image_scan_findings(
        repositoryName=n,
        imageId={'imageTag': i}
    )

    # ECR leaves 'findingSeverityCounts' out entirely when the scan found
    # nothing, so test for the key instead of indexing it directly.
    if 'findingSeverityCounts' in response['imageScanFindings']:
        print(response['imageScanFindings']['findingSeverityCounts'])
    else:
        print(0)
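The answer above guards one key; the comment thread also asks for a per-image count list that defaults to 0. The following is an added example, not code from the question or the answer, that does both without calling AWS: it takes the dict that boto3's describe_image_scan_findings returns, handles the omitted 'findingSeverityCounts' key, falls back to tallying the 'findings' / 'enhancedFindings' lists when the counts are absent, and checks 'imageScanStatus' so a still-running scan is not mistaken for a clean image. The three responses at the bottom are constructed samples (the first mirrors the `{'findings': []}` output from the question); the severity and status strings are the ones listed in the boto3 documentation for this call.

```python
"""Summarise ECR image scan findings, tolerating the omitted-key case.

Added example (not from the question or answer). Works on the dict returned
by boto3's ecr.describe_image_scan_findings; no AWS call is made here.
"""
from collections import Counter

SEVERITIES = ('INFORMATIONAL', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL', 'UNDEFINED')


def severity_counts(response):
    """Return a dict with every severity (0 when absent) plus a 'TOTAL'.

    ECR omits 'findingSeverityCounts' entirely when a completed scan found
    nothing, so the key is read with .get() rather than indexed. When the
    counts are present they are used as-is; otherwise the finding lists are
    tallied by their 'severity' field as a fallback.
    """
    scan = response.get('imageScanFindings', {})
    counts = scan.get('findingSeverityCounts')
    if counts is None:
        # Basic scanning reports 'findings'; enhanced (Inspector) scanning
        # reports 'enhancedFindings'. Both carry a 'severity' string.
        counts = Counter(
            finding.get('severity', 'UNDEFINED')
            for key in ('findings', 'enhancedFindings')
            for finding in scan.get(key, [])
        )
    result = {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}
    result['TOTAL'] = sum(result[sev] for sev in SEVERITIES)
    return result


def scan_is_complete(response):
    """True once ECR reports the scan as finished.

    A zero count from an IN_PROGRESS or PENDING scan is not evidence that the
    image is clean, so callers should check this before trusting the counts.
    COMPLETE is the basic-scanning terminal state; ACTIVE is the continuous
    enhanced-scanning state.
    """
    status = response.get('imageScanStatus', {}).get('status')
    return status in ('COMPLETE', 'ACTIVE')


def vulnerability_inventory(scan_results):
    """Build the per-image list the question wants from
    (repositoryName, imageTag, response) triples."""
    inventory = []
    for repo, tag, response in scan_results:
        counts = severity_counts(response)
        inventory.append({
            'repository': repo,
            'tag': tag,
            'scan_complete': scan_is_complete(response),
            'vulnerabilities': counts['TOTAL'],
            'critical_or_high': counts['CRITICAL'] + counts['HIGH'],
        })
    return inventory


# Constructed sample responses (not real scan output).
CLEAN_RESPONSE = {
    'imageScanStatus': {'status': 'COMPLETE', 'description': 'constructed'},
    'imageScanFindings': {'findings': []},  # the shape seen in the question
}
VULNERABLE_RESPONSE = {
    'imageScanStatus': {'status': 'COMPLETE', 'description': 'constructed'},
    'imageScanFindings': {
        'findingSeverityCounts': {'HIGH': 2, 'MEDIUM': 5, 'LOW': 1},
        'findings': [],  # trimmed; counts are what we need
    },
}
PENDING_RESPONSE = {
    'imageScanStatus': {'status': 'IN_PROGRESS', 'description': 'constructed'},
    'imageScanFindings': {'findings': []},
}
# Counts key absent but findings present: exercises the fallback tally.
COUNTLESS_RESPONSE = {
    'imageScanStatus': {'status': 'COMPLETE', 'description': 'constructed'},
    'imageScanFindings': {
        'findings': [{'name': 'CVE-PLACEHOLDER-1', 'severity': 'LOW'},
                     {'name': 'CVE-PLACEHOLDER-2', 'severity': 'HIGH'}],
    },
}

if __name__ == '__main__':
    sample = [('cftest/repo1', '1.1.1', CLEAN_RESPONSE),
              ('your-repo-name', 'latest', PENDING_RESPONSE),
              ('cftest/repo2', '2.2.2', VULNERABLE_RESPONSE)]
    for row in vulnerability_inventory(sample):
        print(row)
```

To use it against real repositories, feed `vulnerability_inventory` the triples produced by calling `client.describe_image_scan_findings(...)` in the loop from the question; the summariser itself never touches the network, which is what makes the edge cases (omitted key, in-progress scan) easy to unit-test.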