UNPKG

snyk-docker-plugin

Version:

Snyk CLI docker plugin

github.com/snyk/snyk-docker-plugin

snyk/snyk-docker-plugin

171 lines (150 loc) 4.73 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
import * as fs from "fs"; import * as path from "path"; import { getImageArchive } from "./analyzer/image-inspector"; import { readDockerfileAndAnalyse } from "./dockerfile"; import { DockerFileAnalysis } from "./dockerfile/types"; import { fullImageSavePath } from "./image-save-path"; import { getArchivePath, getImageType } from "./image-type"; import { isNumber, isTrue } from "./option-utils"; import * as staticModule from "./static"; import { ImageType, PluginOptions, PluginResponse } from "./types"; // Registry credentials may also be provided by env vars. When both are set, flags take precedence. export function mergeEnvVarsIntoCredentials( options: Partial<PluginOptions>, ): void { options.username = options.username || process.env.SNYK_REGISTRY_USERNAME; options.password = options.password || process.env.SNYK_REGISTRY_PASSWORD; } export async function scan( options?: Partial<PluginOptions>, ): Promise<PluginResponse> { if (!options) { throw new Error("No plugin options provided"); } mergeEnvVarsIntoCredentials(options); if (!options.path) { throw new Error("No image identifier or path provided"); } const nestedJarsDepth = options["nested-jars-depth"] || options["shaded-jars-depth"]; if ( (isTrue(nestedJarsDepth) || isNumber(nestedJarsDepth)) && isTrue(options["exclude-app-vulns"]) ) { throw new Error( "To use --nested-jars-depth, you must not use --exclude-app-vulns", ); } if ( (!isNumber(nestedJarsDepth) && !isTrue(nestedJarsDepth) && typeof nestedJarsDepth !== "undefined") || Number(nestedJarsDepth) < 0 ) { throw new Error( "--nested-jars-depth accepts only numbers bigger than or equal to 0", ); } // TODO temporary solution to avoid double results for PHP if exists in `globsToFind` if (options.globsToFind) { options.globsToFind.include = options.globsToFind.include.filter( (glob) => !glob.includes("composer"), ); } const targetImage = appendLatestTagIfMissing(options.path); const dockerfilePath = options.file; const dockerfileAnalysis = await readDockerfileAndAnalyse(dockerfilePath); const imageType = getImageType(targetImage); switch (imageType) { case ImageType.DockerArchive: case ImageType.OciArchive: return localArchiveAnalysis( targetImage, imageType, dockerfileAnalysis, options, ); case ImageType.Identifier: return imageIdentifierAnalysis( targetImage, imageType, dockerfileAnalysis, options, ); default: throw new Error("Unhandled image type for image " + targetImage); } } async function localArchiveAnalysis( targetImage: string, imageType: ImageType, dockerfileAnalysis: DockerFileAnalysis | undefined, options: Partial<PluginOptions>, ): Promise<PluginResponse> { const globToFind = { include: options.globsToFind?.include || [], exclude: options.globsToFind?.exclude || [], }; const archivePath = getArchivePath(targetImage); if (!fs.existsSync(archivePath)) { throw new Error( "The provided archive path does not exist on the filesystem", ); } if (!fs.lstatSync(archivePath).isFile()) { throw new Error("The provided archive path is not a file"); } const imageIdentifier = options.imageNameAndTag || // The target image becomes the base of the path, e.g. "archive.tar" for "/var/tmp/archive.tar" path.basename(archivePath); return await staticModule.analyzeStatically( imageIdentifier, dockerfileAnalysis, imageType, archivePath, globToFind, options, ); } async function imageIdentifierAnalysis( targetImage: string, imageType: ImageType, dockerfileAnalysis: DockerFileAnalysis | undefined, options: Partial<PluginOptions>, ): Promise<PluginResponse> { const globToFind = { include: options.globsToFind?.include || [], exclude: options.globsToFind?.exclude || [], }; const imageSavePath = fullImageSavePath(options.imageSavePath); const archiveResult = await getImageArchive( targetImage, imageSavePath, options.username, options.password, options.platform, ); const imagePath = archiveResult.path; try { return await staticModule.analyzeStatically( targetImage, dockerfileAnalysis, imageType, imagePath, globToFind, options, ); } finally { archiveResult.removeArchive(); } } export function appendLatestTagIfMissing(targetImage: string): string { if ( getImageType(targetImage) === ImageType.Identifier && !targetImage.includes(":") ) { return `${targetImage}:latest`; } return targetImage; }