[amazon-inspector-image-scanner] Extract inline script block in index.html



      Problem

      == Inline Script Block
      Line: 370
      ----
      <script type="text/javascript">
        // txt holds the scan result as JSON text; it is injected after the script opening tag.
        // NOTE(review): how txt is escaped at injection time is not visible here. Confirm that
        // scan data containing a script closing tag cannot end this block early.
        const result = JSON.parse(txt);

        // Running tally of findings per severity bucket; "other" is the catch-all bucket.
        const counts = { critical: 0, high: 0, medium: 0, low: 0, other: 0 };
      
        /**
         * Write a value into the element that has the given id.
         *
         * The value is assigned through innerText, so it is displayed as plain text
         * and is never parsed as HTML.
         *
         * @param {string} id - id of the target element.
         * @param {*} text - value to display.
         * @throws {TypeError} when no element with that id exists.
         */
        let set_text = function (id, text) {
          const target = document.getElementById(id);
          target.innerText = text;
        };
      
        /**
         * Append one table cell to a row: a <td> wrapping a <span> that carries the text.
         *
         * The text is assigned through innerText, so scanner-supplied strings are shown
         * as plain text and are never parsed as HTML.
         *
         * @param {HTMLElement} row - table row that receives the new cell.
         * @param {*} text - value displayed in the cell.
         * @param {string} [css] - optional class name; lower-cased before it is applied.
         */
        let create_column = function (row, text, css) {
          const cell = document.createElement("td");
          const label = document.createElement("span");

          // The class is only set when the caller supplied one.
          if (css) {
            label.className = css.toLowerCase();
          }

          label.innerText = text;
          cell.appendChild(label);
          row.appendChild(cell);
        };
      
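        /**
         * Tally one finding and return the name of the bucket it was counted in.
         *
         * The return value is also used by callers as a CSS class, so it is always
         * one of the keys of `counts`.
         *
         * @param {*} severity - severity label from the scan result; matched case-insensitively.
         * @returns {string} the lower-cased severity when it is a known bucket, else "other".
         */
        let update_counts = function (severity) {
          // A missing or non-string severity is counted as "other" instead of throwing,
          // which would stop the remaining findings from being rendered.
          const sev = typeof severity === "string" ? severity.toLowerCase() : "";

          // Own-property test: `in` also matches inherited names such as "constructor",
          // which would corrupt the tally and return a value that is not a bucket name.
          if (Object.prototype.hasOwnProperty.call(counts, sev)) {
            counts[sev] += 1;
            return sev;
          }

          counts.other += 1;
          return "other";
        };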
      
        // Header values, each with a fallback for fields the scan result leaves out.
        const updated_at = result.updatedAt || new Date().toLocaleString();
        const vuln_total = (result.vulnerabilities || []).length;
        const docker_total = (result.docker || []).length;
        const metadata = result.imageMetadata || {};

        let image_sha = metadata.sha || "N/A";
        let image_name = metadata.id || "N/A";
        // Tags, when present, are appended to the name after a colon.
        if (metadata.tags) {
          image_name = `${image_name}:${metadata.tags}`;
        }

        // All header fields go through set_text, i.e. they are written as plain text.
        set_text("updated-at", `Updated at ${updated_at}`);
        set_text("success-alert", `Image parsed successfully, ${vuln_total + docker_total} findings.`);
        set_text("image-name", image_name);
        set_text("image-sha", image_sha);
      
        // Reveal the download link only when the scan result names an artifacts location.
        // NOTE(review): artifactsPath is placed in href as-is and its origin is not visible
        // here. Confirm it is always a plugin-generated path and never a script URL.
        if (result.artifactsPath) {
          const download_link = document.getElementById("download-artifacts");
          download_link.setAttribute("href", result.artifactsPath);
          download_link.style.display = "block";
        }
      
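        // Render one table row per vulnerability finding, then reveal the section.
        if (vuln_total) {
          const vuln_body = document.getElementById("vulnerabilityfindings");

          // decodeURI throws URIError on a malformed percent sequence. Without this guard a
          // single such component would abort the loop and leave the section hidden, so the
          // undecoded text is shown instead.
          const decode_component = function (value) {
            try {
              return decodeURI(value);
            } catch (err) {
              if (err instanceof URIError) {
                return String(value);
              }
              throw err;
            }
          };

          result.vulnerabilities.forEach((finding) => {
            const row = document.createElement("tr");
            create_column(row, finding.title);
            // update_counts tallies the finding and returns the CSS class for the severity cell.
            create_column(row, finding.severity, update_counts(finding.severity));
            create_column(row, decode_component(finding.component));
            vuln_body.appendChild(row);
          });

          set_text("vuln-total", `(${vuln_total})`);
          document.getElementById("vulnerabilities").style.display = "block";
        }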
      
        // Render one table row per Dockerfile finding; the section is revealed first.
        if (docker_total) {
          document.getElementById("docker").style.display = "block";
          const docker_body = document.getElementById("dockerfindings");

          result.docker.forEach((finding) => {
            const row = document.createElement("tr");
            create_column(row, finding.id);

            // Tally the finding; the returned bucket name is the CSS class of the severity cell.
            const severity_class = update_counts(finding.severity);
            create_column(row, finding.severity, severity_class);

            // Remaining columns are plain text cells, in display order.
            for (const field of ["description", "file", "lines"]) {
              create_column(row, finding[field]);
            }

            docker_body.appendChild(row);
          });

          set_text("docker-total", `(${docker_total})`);
        }
      
        // Publish the final tallies; each summary element id matches its key in counts.
        for (const level of ["critical", "high", "medium", "low", "other"]) {
          set_text(level, counts[level]);
        }
      </script>
      ----
      

      Solution

      https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks

            Assignee:
            Unassigned
            Reporter:
            Basil Crow
            Archiver:
            Jenkins Service Account

              Created:
              Updated:
              Archived: