snyk-docker-plugin
Version:
Snyk CLI docker plugin
160 lines • 8.92 kB
JavaScript
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.analyze = void 0;
const Debug = require("debug");
const archiveExtractor = require("../extractor");
const go_parser_1 = require("../go-parser");
const inputs_1 = require("../inputs");
const static_1 = require("../inputs/apk/static");
const static_2 = require("../inputs/apt/static");
const static_3 = require("../inputs/binaries/static");
const static_4 = require("../inputs/chisel/static");
const static_5 = require("../inputs/distroless/static");
const filePatternStatic = require("../inputs/file-pattern/static");
const static_6 = require("../inputs/java/static");
const static_7 = require("../inputs/node/static");
const static_8 = require("../inputs/os-release/static");
const static_9 = require("../inputs/php/static");
const static_10 = require("../inputs/python/static");
const static_11 = require("../inputs/redHat/static");
const static_12 = require("../inputs/rpm/static");
const option_utils_1 = require("../option-utils");
const applications_1 = require("./applications");
const java_1 = require("./applications/java");
const python_1 = require("./applications/python");
const runtime_common_1 = require("./applications/runtime-common");
const osReleaseDetector = require("./os-release");
const apk_1 = require("./package-managers/apk");
const apt_1 = require("./package-managers/apt");
const chisel_1 = require("./package-managers/chisel");
const rpm_1 = require("./package-managers/rpm");
const debug = Debug("snyk");
async function analyze(targetImage, dockerfileAnalysis, imageType, imagePath, globsToFind, options) {
const staticAnalysisActions = [
static_1.getApkDbFileContentAction,
static_2.getDpkgFileContentAction,
static_2.getExtFileContentAction,
static_12.getRpmDbFileContentAction,
static_12.getRpmSqliteDbFileContentAction,
static_12.getRpmNdbFileContentAction,
static_4.getChiselManifestAction,
...static_8.getOsReleaseActions,
static_3.getNodeBinariesFileContentAction,
static_3.getOpenJDKBinariesFileContentAction,
static_5.getDpkgPackageFileContentAction,
static_11.getRedHatRepositoriesContentAction,
];
const checkForGlobs = shouldCheckForGlobs(globsToFind);
if (checkForGlobs) {
staticAnalysisActions.push(filePatternStatic.generateExtractAction(globsToFind.include, globsToFind.exclude));
}
const appScan = !(0, option_utils_1.isTrue)(options["exclude-app-vulns"]);
const nodeModulesScan = !(0, option_utils_1.isTrue)(options["exclude-node-modules"]);
// A runtime logic enabler flag. Is off by default.
const collectApplicationFiles = (0, option_utils_1.isTrue)(options["collect-application-files"]);
if (appScan) {
const jarActions = [static_6.getJarFileContentAction];
// Include system JARs from /usr/lib if flag is enabled
if ((0, option_utils_1.isTrue)(options["include-system-jars"])) {
jarActions.push(static_6.getUsrLibJarFileContentAction);
}
staticAnalysisActions.push(...[
static_7.getNodeAppFileContentAction,
static_9.getPhpAppFileContentAction,
static_10.getPoetryAppFileContentAction,
static_10.getPipAppFileContentAction,
...jarActions,
go_parser_1.getGoModulesContentAction,
]);
if (collectApplicationFiles) {
staticAnalysisActions.push(static_7.getNodeJsTsAppFileContentAction, static_10.getPythonAppFileContentAction);
}
}
const { imageId, manifestLayers, extractedLayers, rootFsLayers, autoDetectedUserInstructions, platform, imageLabels, imageCreationTime, } = await archiveExtractor.extractImageContent(imageType, imagePath, staticAnalysisActions, options);
const [apkDbFileContent, aptDbFileContent, rpmDbFileContent, rpmSqliteDbFileContent, rpmNdbFileContent, chiselPackages,] = await Promise.all([
(0, static_1.getApkDbFileContent)(extractedLayers),
(0, static_2.getAptDbFileContent)(extractedLayers),
(0, static_12.getRpmDbFileContent)(extractedLayers),
(0, static_12.getRpmSqliteDbFileContent)(extractedLayers),
(0, static_12.getRpmNdbFileContent)(extractedLayers),
(0, static_4.getChiselManifestContent)(extractedLayers),
]);
const distrolessAptFiles = (0, static_5.getAptFiles)(extractedLayers);
const manifestFiles = [];
if (checkForGlobs) {
const matchingFiles = filePatternStatic.getMatchingFiles(extractedLayers);
manifestFiles.push(...matchingFiles);
}
let osRelease;
try {
osRelease = await osReleaseDetector.detectStatically(extractedLayers, dockerfileAnalysis);
}
catch (err) {
debug(`Could not detect OS release: ${err.message}`);
throw new Error("Failed to detect OS release");
}
const redHatRepositories = (0, static_11.getRedHatRepositoriesFromExtractedLayers)(extractedLayers);
let results;
try {
results = await Promise.all([
(0, apk_1.analyze)(targetImage, apkDbFileContent),
(0, apt_1.analyze)(targetImage, aptDbFileContent, osRelease),
(0, rpm_1.analyze)(targetImage, [...rpmDbFileContent, ...rpmNdbFileContent], redHatRepositories, osRelease),
(0, rpm_1.mapRpmSqlitePackages)(targetImage, rpmSqliteDbFileContent, redHatRepositories, osRelease),
(0, apt_1.analyzeDistroless)(targetImage, distrolessAptFiles, osRelease),
(0, chisel_1.analyze)(targetImage, chiselPackages),
]);
}
catch (err) {
debug(`Could not detect installed OS packages: ${err.message}`);
throw new Error("Failed to detect installed OS packages");
}
const binaries = (0, static_3.getBinariesHashes)(extractedLayers);
const applicationDependenciesScanResults = [];
if (appScan) {
const nodeDependenciesScanResults = await (0, applications_1.nodeFilesToScannedProjects)((0, inputs_1.getFileContent)(extractedLayers, static_7.getNodeAppFileContentAction.actionName), nodeModulesScan);
let nodeApplicationFilesScanResults = [];
if (collectApplicationFiles) {
nodeApplicationFilesScanResults = (0, runtime_common_1.getApplicationFiles)((0, inputs_1.getFileContent)(extractedLayers, static_7.getNodeJsTsAppFileContentAction.actionName), "node", "npm");
}
const phpDependenciesScanResults = await (0, applications_1.phpFilesToScannedProjects)((0, inputs_1.getFileContent)(extractedLayers, static_9.getPhpAppFileContentAction.actionName));
const poetryDependenciesScanResults = await (0, applications_1.poetryFilesToScannedProjects)((0, inputs_1.getFileContent)(extractedLayers, static_10.getPoetryAppFileContentAction.actionName));
const pipDependenciesScanResults = await (0, python_1.pipFilesToScannedProjects)((0, inputs_1.getFileContent)(extractedLayers, static_10.getPipAppFileContentAction.actionName));
let pythonApplicationFilesScanResults = [];
if (collectApplicationFiles) {
pythonApplicationFilesScanResults = (0, runtime_common_1.getApplicationFiles)((0, inputs_1.getFileContent)(extractedLayers, static_10.getPythonAppFileContentAction.actionName), "python", "python");
}
const desiredLevelsOfUnpacking = getNestedJarsDesiredDepth(options);
const jarFingerprintScanResults = await (0, java_1.jarFilesToScannedResults)((0, inputs_1.getBufferContent)(extractedLayers, static_6.getJarFileContentAction.actionName), targetImage, desiredLevelsOfUnpacking);
const goModulesScanResult = await (0, go_parser_1.goModulesToScannedProjects)((0, inputs_1.getElfFileContent)(extractedLayers, go_parser_1.getGoModulesContentAction.actionName));
applicationDependenciesScanResults.push(...nodeDependenciesScanResults, ...nodeApplicationFilesScanResults, ...phpDependenciesScanResults, ...poetryDependenciesScanResults, ...pipDependenciesScanResults, ...pythonApplicationFilesScanResults, ...jarFingerprintScanResults, ...goModulesScanResult);
}
return {
imageId,
osRelease,
platform,
results,
binaries,
imageLayers: manifestLayers,
rootFsLayers,
applicationDependenciesScanResults,
manifestFiles,
autoDetectedUserInstructions,
imageLabels,
imageCreationTime,
};
}
exports.analyze = analyze;
function getNestedJarsDesiredDepth(options) {
const nestedJarsOption = options["nested-jars-depth"] || options["shaded-jars-depth"];
let nestedJarsDepth = 1;
const depthNumber = Number(nestedJarsOption);
if (!isNaN(depthNumber) && depthNumber >= 0) {
nestedJarsDepth = depthNumber;
}
return nestedJarsDepth;
}
function shouldCheckForGlobs(globsToFind) {
return globsToFind.include.length > 0;
}
//# sourceMappingURL=static-analyzer.js.map