AzureDevOpsPipeline.psm1
|
# Module Constants #Set-Variable XYZ -option Constant -value (@{XYZ = 'abc'}) Function Get-TrivyCommand { <# .SYNOPSIS Get a Command to run trivy .EXAMPLE & (Get-TrivyCommand) fs . #> [CmdletBinding()] [OutputType([PSCustomObject])] param() Process { if(-not (Test-Trivy)) { throw "Install-Trivy must be called prior to this function." } # Retrieve trivy command $trivy = Get-Command "$($env:TrivyPath)" -ErrorAction SilentlyContinue if(-not ($trivy -is [System.Management.Automation.ApplicationInfo])) { throw "Unable to Get Command `$($env:TrivyPath)`." } $trivy | Write-Output } } Function Test-IsAdministrator { <# .SYNOPSIS Test if current user has Administrator privileges .EXAMPLE if(-not (Test-IsAdministrator)) { throw 'Not an admin.' } #> [CmdletBinding()] [OutputType([PSCustomObject])] param() Process { (New-Object Security.Principal.WindowsPrincipal -ArgumentList ([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole( [Security.Principal.WindowsBuiltInRole]::Administrator ) | Write-Output } } Function Get-TrivyOutputDirectory { <# .SYNOPSIS Get the OutputDirectory used by Trivy .EXAMPLE # Get the directory where reports are saved Get-TrivyOutputDirectory | Write-Warning .EXAMPLE # Get the staging directory where other files are saved (this is Azure DevOps' BUILD_ARTIFACTSTAGINGDIRECTORY directory) Get-TrivyOutputDirectory -Staging | Write-Warning #> [CmdletBinding()] [OutputType([PSCustomObject])] param( [Parameter(Mandatory = $false)] [Switch] $Staging ) Process { if(Test-Trivy) { if($Staging) { return $env:BUILD_ARTIFACTSTAGINGDIRECTORY } return $env:TrivyOutPath } } } Function Install-Trivy { <# .SYNOPSIS Download and Install trivy on the CI/CD host .EXAMPLE Install-Trivy #> [CmdletBinding()] [OutputType([PSCustomObject])] param() Begin { if (-Not (Test-IsAdministrator)) { "Insufficient privileges" | Write-Error Exit 1 } $TrivyReleaseInfoUri = 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' $TrivyReleaseInfoContentType = 'application/vnd.github.v3+json' if ($IsWindows) { $Trivy = [pscustomobject]@{ path = 'C:\Program Files\trivy' bin = 'trivy.exe' data = Join-Path $env:LocalAppData 'trivy' outdir = Join-Path $env:LocalAppData 'trivy-out' releaseInfoUri = $TrivyReleaseInfoUri releaseContentType = $TrivyReleaseInfoContentType archiveExpression = '^trivy_([\d\.]+)_Windows-64bit.zip$' downloadUri = $null releaseInfo = $null version = $null } } else { $Trivy = [pscustomobject]@{ path = '/usr/local/bin/trivy' bin = 'trivy' data = '/usr/local/bin/trivy/db' outdir = '/tmp/trivy-out' releaseInfoUri = $TrivyReleaseInfoUri releaseContentType = $TrivyReleaseInfoContentType archiveExpression = '^trivy_([\d\.]+)_Linux-64bit.tar.gz$' downloadUri = $null releaseInfo = $null version = $null } } # Get the Release Information, and Download URI $Trivy.releaseInfo = Invoke-RestMethod -Uri $Trivy.releaseInfoUri -Headers @{Accept = $Trivy.releaseContentType } | Select-Object -ExpandProperty assets | Where-Object { $_.name -match $Trivy.archiveExpression } $Trivy.downloadUri = $Trivy.releaseInfo | Select-Object -ExpandProperty browser_download_url # Capture Trivy's version number from ReleaseInfo $Trivy.releaseInfo.name -match $Trivy.archiveExpression | Out-Null $Trivy.version = $matches[1] # Create Directories if (-Not (Test-Path $Trivy.path)) { New-Item -ItemType Directory -Path $Trivy.path | Out-Null } if (-Not (Test-Path $Trivy.outdir)) { New-Item -ItemType Directory -Path $Trivy.outdir | Out-Null } } Process { try { # Download Trivy "Downloading $($Trivy.releaseInfo.name)" | Write-Output if (-Not $Trivy.downloadUri) { throw 'Unable to retrieve download URI for trivy.' } Invoke-WebRequest -Uri $Trivy.downloadUri -OutFile $Trivy.releaseInfo.name # Inflate downloaded archive, and add to PATH "Inflating $($Trivy.releaseInfo.name) to $($Trivy.path)" | Write-Output if ($IsWindows) { Expand-Archive -LiteralPath $Trivy.releaseInfo.name -DestinationPath $Trivy.path -Force $Path = [System.Environment]::GetEnvironmentVariable("Path", [System.EnvironmentVariableTarget]::Machine) -split ';' $Path += , ($Trivy.Path) [System.Environment]::SetEnvironmentVariable("Path", ($Path | Select-Object -Unique) -join ';', [System.EnvironmentVariableTarget]::Machine) } else { tar -zxvf $Trivy.releaseInfo.name -C $Trivy.path chmod u+x (Join-Path $Trivy.Path $Trivy.bin) "export PATH=`$PATH:""$($Trivy.path)""" | Out-File -Append -Encoding utf8 ~/.bashrc bash -c ". ~/.bashrc" } # Delete downloaded archive Remove-Item -Path $Trivy.releaseInfo.name # Set variables into the pipeline $trivyPath = $(Join-Path $Trivy.Path $Trivy.bin) "##vso[task.setvariable variable=TrivyPath;]$($trivyPath)" | Write-Output "##vso[task.setvariable variable=TrivyDbPath;]$($Trivy.data)" | Write-Output "##vso[task.setvariable variable=TrivyVersion;]$($Trivy.version)" | Write-Output "##vso[task.setvariable variable=TrivyOutPath;]$($Trivy.outdir)" | Write-Output "Variable added: `$(TrivyPath) - Path to trivy's binary" | Write-Output "Variable added: `$(TrivyDbPath) - Path to trivy's database" | Write-Output "Variable added: `$(TrivyVersion) - Version of trivy" | Write-Output "Variable added: `$(TrivyOutPath) - Path where trivy will write its output files" | Write-Output # Download Trivy Database "Downloading DB for trivy $($Trivy.version)" | Write-Output $trivy = Get-Command $trivyPath -ErrorAction SilentlyContinue if (-not ($trivy -is [System.Management.Automation.ApplicationInfo])) { throw "Unable to get Command $trivyPath." } & ($trivy) image --download-db-only --cache-dir "$($Trivy.data)" 2>&1 | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] } | Out-String | Write-Output if ($LASTEXITCODE -ne 0) { Exit $LASTEXITCODE } } catch { $_ | Write-Error Exit 1 } } } Function Invoke-Trivy { <# .SYNOPSIS Download and Install trivy on the CI/CD host .PARAMETER InputDirectory The input directory to scan .PARAMETER Name A nickname for the reports (useful if you generate multiple reports) .EXAMPLE Invoke-Trivy -InputDirectory . #> [CmdletBinding()] [OutputType([PSCustomObject])] param( [Parameter(Mandatory = $false)] [ValidateScript({Test-Path $_ -PathType Container})] $InputDirectory = '.', [Parameter(Mandatory = $false)] $Name = 'report' ) Process { try { # Retrieve the trivy Command $trivy = Get-TrivyCommand # Run trivy on the target directory, capturing all dependencies, store JSON result in the BUILD_ARTIFACTSTAGINGDIRECTORY $DependenciesPath = Join-Path $env:BUILD_ARTIFACTSTAGINGDIRECTORY "dependency-$($Name).json" $SecurityReportPath = Join-Path $env:TrivyOutPath "sast-$($Name).sarif" # Trivy outputs to STDERR (it uses STDOUT to return the actual report); we need to redirect and capture STDERR; and to test the EXITCODE to know if trivy it succeeded or not "Running SAST scan using trivy $($env:TrivyVersion)" | Write-Output & ($trivy) fs "$($InputDirectory)" --skip-db-update --cache-dir "$($env:TrivyDbPath)" --list-all-pkgs --format json --output "$($DependenciesPath)" 2>&1 | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] } | Out-String | Write-Output if($LASTEXITCODE -ne 0) { Exit $LASTEXITCODE } "Storing SAST scan report" | Write-Output & ($trivy) convert --format sarif --output "$($SecurityReportPath)" "$($DependenciesPath)" 2>&1 | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] } | Out-String | Write-Output if($LASTEXITCODE -ne 0) { Exit $LASTEXITCODE } } catch { $_ | Write-Error Exit 1 } } } Function Test-Trivy { <# .SYNOPSIS Test installation of trivy .EXAMPLE if(-not (Test-Trivy)) { throw "Please call Install-Trivy" } #> [CmdletBinding()] [OutputType([PSCustomObject])] param() Process { try { if(-not (Test-Path env:SYSTEM_ISAZUREVM)) { throw "Environment variable SYSTEM_ISAZUREVM is missing. This function is designed to be called from within a Azure DevOps pipeline Did you call Install-Trivy?" } if(-not (Test-Path env:BUILD_ARTIFACTSTAGINGDIRECTORY)) { throw "Environment variable BUILD_ARTIFACTSTAGINGDIRECTORY is missing. This function is designed to be called from within a Azure DevOps pipeline Did you call Install-Trivy?" } if(-not (Test-Path env:TrivyPath)) { throw "Environment variable TrivyPath is missing. Did you call Install-Trivy?" } if(-not (Test-Path env:TrivyDbPath)) { throw "Environment variable TrivyDbPath is missing. Did you call Install-Trivy?" } if(-not (Test-Path env:TrivyOutPath)) { throw "Environment variable TrivyOutPath is missing. Did you call Install-Trivy?" } return $true } catch { $_ | Write-Warning } return $false } } |