Puppet Class: vulnerability::update
Defined in: manifests/update.pp
Summary
Update the `grype` vulnerability database from the URL specified as `vulnerability::setup::update_url`.

Overview
vulnerability::update
When a newer database version is detected, it is downloaded and installed. The update is guarded by `grype db status`, so the download only runs when that command exits non-zero (for example, when the database is missing or fails validation). On an update, the `cve_list` fact cache is also invalidated, so a fresh vulnerability scan is executed on the next Puppet run.
See the file “LICENSE” for the full license governing this code.
# File 'manifests/update.pp', line 10

    class vulnerability::update () {
      # Declares the Fact_cache['cve_list'] resource notified below.
      include vulnerability::clear_facter_cache

      # Pick the grype binary and config file for this platform.
      case $facts['kernel'] {
        'Linux': {
          $update_command = '/usr/local/bin/grype db update -c /usr/local/etc/grype.yaml'
          $unless_command = '/usr/local/bin/grype db status -c /usr/local/etc/grype.yaml'
        }
        'windows': {
          $update_command = 'C:\Vulnerability\bin\grype.exe db update -c C:\Vulnerability\etc\grype.yaml'
          $unless_command = 'C:\Vulnerability\bin\grype.exe db status -c C:\Vulnerability\etc\grype.yaml'
        }
        default: {
          fail "vulnerability scanning not (yet) supported on ${facts['kernel']}"
        }
      }

      # Run the update only when `grype db status` exits non-zero; a successful
      # update invalidates the cached cve_list fact so the next run rescans.
      exec { 'Update vulnerability database':
        command => $update_command,
        unless  => $unless_command,
        notify  => Fact_cache['cve_list'],
      }
    }