
I'm not getting the expected response from client.describe_image_scan_findings() using Boto3


I'm trying to use Boto3 to get the number of vulnerabilities from my images in my repositories. I have a list of repository names and image IDs that are getting passed into this function. Based on their documentation,

I'm expecting a response like this when I filter for ['imageScanFindings']

'imageScanFindings': {
        'imageScanCompletedAt': datetime(2015, 1, 1),
        'vulnerabilitySourceUpdatedAt': datetime(2015, 1, 1),
        'findingSeverityCounts': {
            'string': 123
        },
        'findings': [
            {
                'name': 'string',
                'description': 'string',
                'uri': 'string',
                'severity': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'|'UNDEFINED',
                'attributes': [
                    {
                        'key': 'string',
                        'value': 'string'
                    },
                ]
            },
        ],

What I really need is the 'findingSeverityCounts' number, however, it's not showing up in my response. Here's my code and the response I get:

main.py

import boto3

repo_names = ['cftest/repo1', 'your-repo-name', 'cftest/repo2']
image_ids = ['1.1.1', 'latest', '2.2.2']

def get_vuln_count(repo_names, image_ids):
    container_inventory = []

    client = boto3.client('ecr')
    # Each repository name is paired with the tag of the image to look up
    for n, i in zip(repo_names, image_ids):
        response = client.describe_image_scan_findings(
            repositoryName=n,
            imageId={'imageTag': i}
        )
        findings = response['imageScanFindings']
        print(findings)
        container_inventory.append(findings)
    return container_inventory

Output

{'findings': []}

The only thing that shows up is findings and I was expecting findingSeverityCounts in the response along with the others, but nothing else is showing up.

THEORY

I have 3 repositories and an image in each repository that I uploaded. One of my theories is that I'm not getting the other responses, such as findingSeverityCounts, because my images don't have vulnerabilities? I have Inspector set up to scan on push, but they don't have vulnerabilities so nothing shows up in the Inspector dashboard. Could that be causing the issue? If so, how would I be able to generate a vulnerability in one of my images to test this out?


Solution

  • My theory was correct and when there are no vulnerabilities, the response completely omits certain values, including the 'findingSeverityCounts' value that I needed.

    I created a Docker image using Python 2.7 to generate vulnerabilities in my scan to test out my script properly. My workaround was to implement this if statement: if there are vulnerabilities it will return them; if there aren't any vulnerabilities, that means 'findingSeverityCounts' is omitted from the response, so I'll have it return 0 instead of giving me a key error.

    Example Solution:

    import boto3

    # repo_names and image_ids are the lists from the question
    client = boto3.client('ecr')
    for n, i in zip(repo_names, image_ids):
        response = client.describe_image_scan_findings(
            repositoryName=n,
            imageId={'imageTag': i}
        )

        # ECR leaves 'findingSeverityCounts' out entirely when the scan found
        # nothing, so test for the key instead of indexing it directly
        if 'findingSeverityCounts' in response['imageScanFindings']:
            print(response['imageScanFindings']['findingSeverityCounts'])
        else:
            print(0)
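Going one step beyond the answer's if statement, as an added example that is not code from the question or the answer: it maps every severity level to a count (0 when ECR omits the key), reports a scan whose status is not yet COMPLETE as unknown rather than as a clean image, and runs offline against a constructed stand-in client. The sample responses, the FakeEcrClient class and the repository names it serves are assumptions for the demo.

```python
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED")

def severity_counts(response):
    """Map every severity to a count, defaulting to 0.

    ECR omits 'findingSeverityCounts' entirely when a completed scan found
    nothing, so the nested dicts are read with .get() rather than indexed.
    """
    counts = response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}

def summarize_scan(repo_name, image_tag, response):
    """One inventory row per image. A scan whose status is not COMPLETE also
    lacks counts, so its total is None rather than a misleading 0."""
    status = response.get("imageScanStatus", {}).get("status")
    counts = severity_counts(response)
    row = {"repository": repo_name, "imageTag": image_tag, "scanStatus": status}
    row.update(counts)
    row["total"] = sum(counts.values()) if status == "COMPLETE" else None
    return row

def build_inventory(client, repo_names, image_ids):
    """client is boto3.client('ecr') or any object exposing the same
    describe_image_scan_findings(repositoryName=..., imageId=...) call."""
    rows = []
    for n, i in zip(repo_names, image_ids):
        resp = client.describe_image_scan_findings(repositoryName=n, imageId={"imageTag": i})
        rows.append(summarize_scan(n, i, resp))
    return rows

# Constructed sample responses, shaped like the documented API output.
CLEAN = {"imageScanStatus": {"status": "COMPLETE"}, "imageScanFindings": {"findings": []}}
VULNERABLE = {"imageScanStatus": {"status": "COMPLETE"},
              "imageScanFindings": {"findingSeverityCounts": {"HIGH": 2, "LOW": 5},
                                    "findings": [{"name": "PLACEHOLDER-CVE", "severity": "HIGH"}]}}
PENDING = {"imageScanStatus": {"status": "IN_PROGRESS"}, "imageScanFindings": {"findings": []}}

class FakeEcrClient:
    """Offline stand-in for the boto3 client, serving the constructed samples."""
    _by_repo = {"cftest/repo1": CLEAN, "cftest/repo2": VULNERABLE, "pending/repo": PENDING}

    def describe_image_scan_findings(self, repositoryName, imageId):
        return self._by_repo[repositoryName]

if __name__ == "__main__":
    repos, tags = ["cftest/repo1", "cftest/repo2", "pending/repo"], ["1.1.1", "2.2.2", "latest"]
    for row in build_inventory(FakeEcrClient(), repos, tags):
        print(row)
```

Swapping FakeEcrClient() for boto3.client('ecr') runs the same inventory against real repositories.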