From 8063fc9b2d4f1393e7932ef4c03b20094da3cb02 Mon Sep 17 00:00:00 2001
From: Magnus Kulke <magnus.kulke@moovel.com>
Date: Tue, 24 May 2016 17:34:28 +0200
Subject: [PATCH] Added json output option.

---
 contrib/analyze-local-images/README.md |  12 +++
 contrib/analyze-local-images/main.go   | 135 +++++++++++++++++--------
 2 files changed, 107 insertions(+), 40 deletions(-)

diff --git a/contrib/analyze-local-images/README.md b/contrib/analyze-local-images/README.md
index d76b012f..4cc28043 100644
--- a/contrib/analyze-local-images/README.md
+++ b/contrib/analyze-local-images/README.md
@@ -28,4 +28,16 @@ analyze-local-images -endpoint "http://<CLAIR-IP-ADDRESS>:6060" -my-address "<MY
 
 Clair needs access to the image files. If you run Clair locally, this tool will store the files in the system's temporary folder and Clair will find them there. It means if Clair is running in Docker, the host's temporary folder must be mounted in the Clair's container. If you run Clair remotely, this tool will run a small HTTP server to let Clair downloading them. It listens on the port 9279 and allows a single host: Clair's IP address, extracted from the `-endpoint` parameter. The `my-address` parameters defines the IP address of the HTTP server that Clair will use to download the images. With boot2docker, these parameters would be `-endpoint "http://192.168.99.100:6060" -my-address "192.168.99.1"`.
 
+By default the output is human readable text, you can toggle the `-json` flag to receive a json report which you can process further:
+
+```
+#!/bin/bash
+set -e
+set -u
+set -o pipefail
+
+OUTPUT=$(./analyze-local-images -endpoint "http://192.168.99.100:6060" -my-address "192.168.99.1" -json ${IMAGE})
+echo "$OUTPUT" | jq '.vulnerabilities | map(select(.severity == "High" or .severity == "Critical" or .severity == "Defcon1"))'
+```
+
 As it runs an HTTP server and not an HTTP**S** one, be sure to **not** expose sensitive data and container images.
diff --git a/contrib/analyze-local-images/main.go b/contrib/analyze-local-images/main.go
index f36526e2..42af4de1 100644
--- a/contrib/analyze-local-images/main.go
+++ b/contrib/analyze-local-images/main.go
@@ -1,7 +1,3 @@
-// Copyright 2015 clair authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
@@ -50,6 +46,7 @@ var (
 	flagMyAddress       = flag.String("my-address", "127.0.0.1", "Address from the point of view of Clair")
 	flagMinimumSeverity = flag.String("minimum-severity", "Negligible", "Minimum severity of vulnerabilities to show (Unknown, Negligible, Low, Medium, High, Critical, Defcon1)")
 	flagColorMode       = flag.String("color", "auto", "Colorize the output (always, auto, never)")
+	flagJsonOutput      = flag.Bool("json", false, "Machine parsable json output (true, false)")
 )
 
 type vulnerabilityInfo struct {
@@ -129,7 +126,7 @@ func intMain() int {
 	// Analyze the image.
 	analyzeCh := make(chan error, 1)
 	go func() {
-		analyzeCh <- AnalyzeLocalImage(imageName, minSeverity, *flagEndpoint, *flagMyAddress, tmpPath)
+		analyzeCh <- AnalyzeLocalImage(imageName, minSeverity, *flagEndpoint, *flagMyAddress, tmpPath, *flagJsonOutput)
 	}()
 
 	select {
@@ -144,16 +141,81 @@ func intMain() int {
 	return 0
 }
 
-func AnalyzeLocalImage(imageName string, minSeverity types.Priority, endpoint, myAddress, tmpPath string) error {
+func displayText(vulnerabilities []vulnerabilityInfo) {
+	for _, vulnerabilityInfo := range vulnerabilities {
+		vulnerability := vulnerabilityInfo.vulnerability
+		feature := vulnerabilityInfo.feature
+		severity := vulnerabilityInfo.severity
+
+		fmt.Printf("%s (%s)\n", vulnerability.Name, coloredSeverity(severity))
+
+		if vulnerability.Description != "" {
+			fmt.Printf("%s\n\n", text.Indent(text.Wrap(vulnerability.Description, 80), "\t"))
+		}
+
+		fmt.Printf("\tPackage:       %s @ %s\n", feature.Name, feature.Version)
+
+		if vulnerability.FixedBy != "" {
+			fmt.Printf("\tFixed version: %s\n", vulnerability.FixedBy)
+		}
+
+		if vulnerability.Link != "" {
+			fmt.Printf("\tLink:          %s\n", vulnerability.Link)
+		}
+
+		fmt.Printf("\tLayer:         %s\n", feature.AddedBy)
+		fmt.Println("")
+	}
+}
+
+type jsonOutput struct {
+	Vulnerabilities []vulnerabilityOutput `json:"vulnerabilities"`
+}
+
+type vulnerabilityOutput struct {
+	Package  string `json:"package"`
+	Severity string `json:"severity"`
+	Name     string `json:"name"`
+	FixedBy  string `json:"fixedBy"`
+	Link     string `json:"link"`
+}
+
+func displayJson(vulnerabilities []vulnerabilityInfo) {
+	outputs := []vulnerabilityOutput{}
+	for _, info := range vulnerabilities {
+		vulnerability := info.vulnerability
+		feature := info.feature
+		output := vulnerabilityOutput{
+			fmt.Sprintf("%s@%s", feature.Name, feature.Version),
+			vulnerability.Severity,
+			vulnerability.Name,
+			vulnerability.FixedBy,
+			vulnerability.Link,
+		}
+		outputs = append(outputs, output)
+	}
+	output := jsonOutput{outputs}
+	bytes, err := json.Marshal(output)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf(string(bytes))
+}
+
+func AnalyzeLocalImage(imageName string, minSeverity types.Priority, endpoint, myAddress, tmpPath string, jsonOutput bool) error {
 	// Save image.
-	log.Printf("Saving %s to local disk (this may take some time)", imageName)
+	if !jsonOutput {
+		log.Printf("Saving %s to local disk (this may take some time)", imageName)
+	}
 	err := save(imageName, tmpPath)
 	if err != nil {
 		return fmt.Errorf("Could not save image: %s", err)
 	}
 
 	// Retrieve history.
-	log.Println("Retrieving image history")
+	if !jsonOutput {
+		log.Println("Retrieving image history")
+	}
 	layerIDs, err := historyFromManifest(tmpPath)
 	if err != nil {
 		layerIDs, err = historyFromCommand(imageName)
@@ -170,7 +232,9 @@ func AnalyzeLocalImage(imageName string, minSeverity types.Priority, endpoint, m
 			allowedHost = allowedHost[:portIndex]
 		}
 
-		log.Printf("Setting up HTTP server (allowing: %s)\n", allowedHost)
+		if !jsonOutput {
+			log.Printf("Setting up HTTP server (allowing: %s)\n", allowedHost)
+		}
 
 		ch := make(chan error)
 		go listenHTTP(tmpPath, allowedHost, ch)
@@ -185,9 +249,13 @@ func AnalyzeLocalImage(imageName string, minSeverity types.Priority, endpoint, m
 	}
 
 	// Analyze layers.
-	log.Printf("Analyzing %d layers... \n", len(layerIDs))
+	if !jsonOutput {
+		log.Printf("Analyzing %d layers... \n", len(layerIDs))
+	}
 	for i := 0; i < len(layerIDs); i++ {
-		log.Printf("Analyzing %s\n", layerIDs[i])
+		if !jsonOutput {
+			log.Printf("Analyzing %s\n", layerIDs[i])
+		}
 
 		if i > 0 {
 			err = analyzeLayer(endpoint, tmpPath+"/"+layerIDs[i]+"/layer.tar", layerIDs[i], layerIDs[i-1])
@@ -200,14 +268,18 @@ func AnalyzeLocalImage(imageName string, minSeverity types.Priority, endpoint, m
 	}
 
 	// Get vulnerabilities.
-	log.Println("Retrieving image's vulnerabilities")
+	if !jsonOutput {
+		log.Println("Retrieving image's vulnerabilities")
+	}
 	layer, err := getLayer(endpoint, layerIDs[len(layerIDs)-1])
 	if err != nil {
 		return fmt.Errorf("Could not get layer information: %s", err)
 	}
 
 	// Print report.
-	fmt.Printf("Clair report for image %s (%s)\n", imageName, time.Now().UTC())
+	if !jsonOutput {
+		fmt.Printf("Clair report for image %s (%s)\n", imageName, time.Now().UTC())
+	}
 
 	if len(layer.Features) == 0 {
 		fmt.Printf("%s No features have been detected in the image. This usually means that the image isn't supported by Clair.\n", color.YellowString("NOTE:"))
@@ -241,35 +313,18 @@ func AnalyzeLocalImage(imageName string, minSeverity types.Priority, endpoint, m
 
 	By(priority).Sort(vulnerabilities)
 
-	for _, vulnerabilityInfo := range vulnerabilities {
-		vulnerability := vulnerabilityInfo.vulnerability
-		feature := vulnerabilityInfo.feature
-		severity := vulnerabilityInfo.severity
-
-		fmt.Printf("%s (%s)\n", vulnerability.Name, coloredSeverity(severity))
-
-		if vulnerability.Description != "" {
-			fmt.Printf("%s\n\n", text.Indent(text.Wrap(vulnerability.Description, 80), "\t"))
-		}
-
-		fmt.Printf("\tPackage:       %s @ %s\n", feature.Name, feature.Version)
-
-		if vulnerability.FixedBy != "" {
-			fmt.Printf("\tFixed version: %s\n", vulnerability.FixedBy)
-		}
-
-		if vulnerability.Link != "" {
-			fmt.Printf("\tLink:          %s\n", vulnerability.Link)
-		}
-
-		fmt.Printf("\tLayer:         %s\n", feature.AddedBy)
-		fmt.Println("")
+	if jsonOutput == true {
+		displayJson(vulnerabilities)
+	} else {
+		displayText(vulnerabilities)
 	}
 
-	if isSafe {
-		fmt.Printf("%s No vulnerabilities were detected in your image\n", color.GreenString("Success!"))
-	} else if !hasVisibleVulnerabilities {
-		fmt.Printf("%s No vulnerabilities matching the minimum severity level were detected in your image\n", color.YellowString("NOTE:"))
+	if !jsonOutput {
+		if isSafe {
+			fmt.Printf("%s No vulnerabilities were detected in your image\n", color.GreenString("Success!"))
+		} else if !hasVisibleVulnerabilities {
+			fmt.Printf("%s No vulnerabilities matching the minimum severity level were detected in your image\n", color.YellowString("NOTE:"))
+		}
 	}
 
 	return nil