UNPKG

snyk-docker-plugin

Version:

Snyk CLI docker plugin

github.com/snyk/snyk-docker-plugin

snyk/snyk-docker-plugin

252 lines 10 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.pullIfNotLocal = exports.extractImageDetails = exports.getImageArchive = void 0; const Debug = require("debug"); const fs = require("fs"); const mkdirp = require("mkdirp"); const path = require("path"); const docker_1 = require("../docker"); const image_1 = require("../extractor/image"); const debug = Debug("snyk"); async function getInspectResult(docker, targetImage) { const info = await docker.inspectImage(targetImage); return JSON.parse(info.stdout)[0]; } function cleanupCallback(imageFolderPath, imageName) { return () => { const fullImagePath = path.join(imageFolderPath, imageName); if (fs.existsSync(fullImagePath)) { fs.unlinkSync(fullImagePath); } try { fs.rmdirSync(imageFolderPath); } catch (err) { debug(`Can't remove folder ${imageFolderPath}, got error ${err.message}`); } }; } async function pullWithDockerBinary(docker, targetImage, saveLocation, username, password, platform) { let pullAndSaveSuccessful = false; try { if (username || password) { debug("using local docker binary credentials. the credentials you provided will be ignored"); } await docker.pullCli(targetImage, { platform }); await docker.save(targetImage, saveLocation); return (pullAndSaveSuccessful = true); } catch (err) { debug(`couldn't pull ${targetImage} using docker binary: ${err.message}`); handleDockerPullError(err.stderr, platform); return pullAndSaveSuccessful; } } function handleDockerPullError(err, platform) { if (err && err.includes("unknown operating system or architecture")) { throw new Error("Unknown operating system or architecture"); } if (err.includes("operating system is not supported")) { throw new Error(`Operating system is not supported`); } const unknownManifestConditions = [ "no matching manifest for", "manifest unknown", ]; if (unknownManifestConditions.some((value) => err.includes(value))) { if (platform) { throw new Error(`The image does not exist for ${platform}`); } throw new Error(`The image does not exist for the current platform`); } if (err.includes("invalid reference format")) { throw new Error(`invalid image format`); } if (err.includes("unknown flag: --platform")) { throw new Error('"--platform" is only supported on a Docker daemon with version later than 17.09'); } if (err === '"--platform" is only supported on a Docker daemon with experimental features enabled') { throw new Error(err); } } async function pullFromContainerRegistry(docker, targetImage, imageSavePath, username, password, platform) { const { hostname, imageName, tag } = extractImageDetails(targetImage); debug(`Attempting to pull: registry: ${hostname}, image: ${imageName}, tag: ${tag}`); try { return await docker.pull(hostname, imageName, tag, imageSavePath, username, password, platform); } catch (err) { handleDockerPullError(err.message); throw err; } } async function pullImage(docker, targetImage, saveLocation, imageSavePath, username, password, platform) { if (await docker_1.Docker.binaryExists()) { const pullAndSaveSuccessful = await pullWithDockerBinary(docker, targetImage, saveLocation, username, password, platform); if (pullAndSaveSuccessful) { return new image_1.ImageName(targetImage); } } const { indexDigest, manifestDigest } = await pullFromContainerRegistry(docker, targetImage, imageSavePath, username, password, platform); const imageName = new image_1.ImageName(targetImage, { manifest: manifestDigest, index: indexDigest, }); return imageName; } /** * In the case that an `ImageType.Identifier` is detected we need to produce * an image archive, either by saving the image if it's already loaded into * the local docker daemon, or by pulling the image from a remote registry and * saving it to the filesystem directly. * * Users may also provide us with a URL to an image in a Docker compatible * remote registry. * * @param {string} targetImage - The image to test, this could be in one of * the following forms: * * [registry/]<repo>/<image>[:tag] * * <repo>/<image>[:tag] * * <image>[:tag] * In the case that a registry is not provided, the plugin will default * this to Docker Hub. If a tag is not provided this will default to * `latest`. * @param {string} [username] - Optional username for private repo auth. * @param {string} [password] - Optional password for private repo auth. * @param {string} [platform] - Optional platform parameter to pull specific image arch. */ async function getImageArchive(targetImage, imageSavePath, username, password, platform) { const docker = new docker_1.Docker(); mkdirp.sync(imageSavePath); const destination = { name: imageSavePath, removeCallback: cleanupCallback(imageSavePath, "image.tar"), }; const saveLocation = path.join(destination.name, "image.tar"); let inspectResult; try { inspectResult = await getInspectResult(docker, targetImage); } catch (_a) { debug(`${targetImage} does not exist locally, proceeding to pull image.`); } if (inspectResult === undefined) { const imageName = await pullImage(docker, targetImage, saveLocation, imageSavePath, username, password, platform); return { imageName, path: saveLocation, removeArchive: destination.removeCallback, }; } if (platform !== undefined && inspectResult && !isLocalImageSameArchitecture(platform, inspectResult.Architecture)) { const imageName = await pullImage(docker, targetImage, saveLocation, imageSavePath, username, password, platform); return { imageName, path: saveLocation, removeArchive: destination.removeCallback, }; } else { await docker.save(targetImage, saveLocation); const imageName = new image_1.ImageName(targetImage); return { imageName, path: saveLocation, removeArchive: destination.removeCallback, }; } } exports.getImageArchive = getImageArchive; function isImagePartOfURL(targetImage) { // Based on the Docker spec, if the image contains a hostname, then the hostname should contain // a `.` or `:` before the first instance of a `/`. ref: https://stackoverflow.com/a/37867949 if (!targetImage.includes("/")) { return false; } const partBeforeFirstForwardSlash = targetImage.split("/")[0]; return (partBeforeFirstForwardSlash.includes(".") || partBeforeFirstForwardSlash.includes(":") || partBeforeFirstForwardSlash === "localhost"); } function extractHostnameFromTargetImage(targetImage) { // We need to detect if the `targetImage` is part of a URL. If not, the default hostname will be // used (registry-1.docker.io). ref: https://stackoverflow.com/a/37867949 const defaultHostname = "registry-1.docker.io"; if (!isImagePartOfURL(targetImage)) { return { hostname: defaultHostname, remainder: targetImage }; } const dockerFriendlyRegistryHostname = "docker.io/"; if (targetImage.startsWith(dockerFriendlyRegistryHostname)) { return { hostname: defaultHostname, remainder: targetImage.substring(dockerFriendlyRegistryHostname.length), }; } const i = targetImage.indexOf("/"); return { hostname: targetImage.substring(0, i), remainder: targetImage.substring(i + 1), }; } function extractImageNameAndTag(remainder, targetImage) { const defaultTag = "latest"; if (!remainder.includes("@")) { const [imageName, tag] = remainder.split(":"); return { imageName: appendDefaultRepoPrefixIfRequired(imageName, targetImage), tag: tag || defaultTag, }; } const [imageName, tag] = remainder.split("@"); return { imageName: appendDefaultRepoPrefixIfRequired(dropTagIfSHAIsPresent(imageName), targetImage), tag: tag || defaultTag, }; } function appendDefaultRepoPrefixIfRequired(imageName, targetImage) { const defaultRepoPrefix = "library/"; if (isImagePartOfURL(targetImage) || imageName.includes("/")) { return imageName; } return defaultRepoPrefix + imageName; } function dropTagIfSHAIsPresent(imageName) { if (!imageName.includes(":")) { return imageName; } return imageName.split(":")[0]; } function extractImageDetails(targetImage) { const { hostname, remainder } = extractHostnameFromTargetImage(targetImage); const { imageName, tag } = extractImageNameAndTag(remainder, targetImage); return { hostname, imageName, tag }; } exports.extractImageDetails = extractImageDetails; function isLocalImageSameArchitecture(platformOption, inspectResultArchitecture) { let platformArchitecture; try { // Note: this is using the same flag/input pattern as the new Docker buildx: eg. linux/arm64/v8 platformArchitecture = platformOption.split("/")[1]; } catch (error) { debug(`Error parsing platform flag: '${error.message}'`); return false; } return platformArchitecture === inspectResultArchitecture; } async function pullIfNotLocal(targetImage, options) { const docker = new docker_1.Docker(); try { await docker.inspectImage(targetImage); return; } catch (err) { // image doesn't exist locally } await docker.pullCli(targetImage); } exports.pullIfNotLocal = pullIfNotLocal; //# sourceMappingURL=image-inspector.js.map