UNPKG

snyk-docker-plugin

Version:

Snyk CLI docker plugin

github.com/snyk/snyk-docker-plugin

snyk/snyk-docker-plugin

202 lines 8.17 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.pullIfNotLocal = exports.extractImageDetails = exports.getImageArchive = void 0; const Debug = require("debug"); const fs = require("fs"); const mkdirp = require("mkdirp"); const path = require("path"); const docker_1 = require("../docker"); const debug = Debug("snyk"); async function getInspectResult(docker, targetImage) { const info = await docker.inspectImage(targetImage); return JSON.parse(info.stdout)[0]; } function cleanupCallback(imageFolderPath, imageName) { return () => { const fullImagePath = path.join(imageFolderPath, imageName); if (fs.existsSync(fullImagePath)) { fs.unlinkSync(fullImagePath); } fs.rmdir(imageFolderPath, (err) => { if (err !== null) { debug(`Can't remove folder ${imageFolderPath}, got error ${err}`); } }); }; } async function pullWithDockerBinary(docker, targetImage, saveLocation, username, password, platform) { let pullAndSaveSuccessful = false; try { if (username || password) { debug("using local docker binary credentials. the credentials you provided will be ignored"); } await docker.pullCli(targetImage, { platform }); await docker.save(targetImage, saveLocation); return (pullAndSaveSuccessful = true); } catch (err) { debug(`couldn't pull ${targetImage} using docker binary: ${JSON.stringify(err)}`); if (err.stderr && err.stderr.includes("unknown operating system or architecture")) { throw new Error("Unknown operating system or architecture"); } if (err.stderr && err.stderr.includes("operating system is not supported")) { throw new Error(`Operating system is not supported`); } if (err.stderr && err.stderr.includes("no matching manifest for")) { if (platform) { throw new Error(`The image does not exist for ${platform}`); } throw new Error(`The image does not exist for the current platform`); } if (err.stderr && err.stderr.includes("invalid reference format")) { throw new Error(`invalid image format`); } if (err.stderr.includes("unknown flag: --platform")) { throw new Error('"--platform" is only supported on a Docker daemon with version later than 17.09'); } if (err.stderr && err.stderr === '"--platform" is only supported on a Docker daemon with experimental features enabled') { throw new Error(err.stderr); } return pullAndSaveSuccessful; } } async function pullFromContainerRegistry(docker, targetImage, imageSavePath, username, password) { const { hostname, imageName, tag } = extractImageDetails(targetImage); debug(`Attempting to pull: registry: ${hostname}, image: ${imageName}, tag: ${tag}`); await docker.pull(hostname, imageName, tag, imageSavePath, username, password); } async function pullImage(docker, targetImage, saveLocation, imageSavePath, username, password, platform) { if (await docker_1.Docker.binaryExists()) { const pullAndSaveSuccessful = await pullWithDockerBinary(docker, targetImage, saveLocation, username, password, platform); if (pullAndSaveSuccessful) { return; } } await pullFromContainerRegistry(docker, targetImage, imageSavePath, username, password); } /** * In the case that an `ImageType.Identifier` is detected we need to produce * an image archive, either by saving the image if it's already loaded into * the local docker daemon, or by pulling the image from a remote registry and * saving it to the filesystem directly. * * Users may also provide us with a URL to an image in a Docker compatible * remote registry. * * @param {string} targetImage - The image to test, this could be in one of * the following forms: * * [registry/]<repo>/<image>[:tag] * * <repo>/<image>[:tag] * * <image>[:tag] * In the case that a registry is not provided, the plugin will default * this to Docker Hub. If a tag is not provided this will default to * `latest`. * @param {string} [username] - Optional username for private repo auth. * @param {string} [password] - Optional password for private repo auth. * @param {string} [platform] - Optional platform parameter to pull specific image arch. */ async function getImageArchive(targetImage, imageSavePath, username, password, platform) { const docker = new docker_1.Docker(); mkdirp.sync(imageSavePath); const destination = { name: imageSavePath, removeCallback: cleanupCallback(imageSavePath, "image.tar"), }; const saveLocation = path.join(destination.name, "image.tar"); let inspectResult; try { inspectResult = await getInspectResult(docker, targetImage); } catch (_a) { debug(`${targetImage} does not exist locally, proceeding to pull image.`); } if (inspectResult === undefined) { await pullImage(docker, targetImage, saveLocation, imageSavePath, username, password, platform); return { path: saveLocation, removeArchive: destination.removeCallback, }; } if (platform !== undefined && inspectResult && !isLocalImageSameArchitecture(platform, inspectResult.Architecture)) { await pullImage(docker, targetImage, saveLocation, imageSavePath, username, password, platform); } else { await docker.save(targetImage, saveLocation); } return { path: saveLocation, removeArchive: destination.removeCallback, }; } exports.getImageArchive = getImageArchive; function extractImageDetails(targetImage) { let remainder; let hostname; let imageName; let tag; // We need to detect if the `targetImage` is part of a URL. Based on the Docker specification, // the hostname should contain a `.` or `:` before the first instance of a `/` otherwise the // default hostname will be used (registry-1.docker.io). ref: https://stackoverflow.com/a/37867949 const i = targetImage.indexOf("/"); if (i === -1 || (!targetImage.substring(0, i).includes(".") && !targetImage.substring(0, i).includes(":") && targetImage.substring(0, i) !== "localhost")) { hostname = "registry-1.docker.io"; remainder = targetImage; // First assume the remainder is image@sha [imageName, tag] = remainder.split("@"); if (tag === undefined) { [imageName, tag] = remainder.split(":"); } imageName = imageName.indexOf("/") === -1 ? "library/" + imageName : imageName; } else { hostname = targetImage.substring(0, i); remainder = targetImage.substring(i + 1); [imageName, tag] = remainder.split("@"); if (tag === undefined) { [imageName, tag] = remainder.split(":"); } } // Assume the latest tag if no tag was found. tag = tag || "latest"; return { hostname, imageName, tag, }; } exports.extractImageDetails = extractImageDetails; function isLocalImageSameArchitecture(platformOption, inspectResultArchitecture) { let platformArchitecture; try { // Note: this is using the same flag/input pattern as the new Docker buildx: eg. linux/arm64/v8 platformArchitecture = platformOption.split("/")[1]; } catch (error) { debug(`Error parsing platform flag: '${JSON.stringify(error)}'`); return false; } return platformArchitecture === inspectResultArchitecture; } async function pullIfNotLocal(targetImage, options) { const docker = new docker_1.Docker(); try { await docker.inspectImage(targetImage); return; } catch (err) { // image doesn't exist locally } await docker.pullCli(targetImage); } exports.pullIfNotLocal = pullIfNotLocal; //# sourceMappingURL=image-inspector.js.map