
snyk-docker-plugin

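"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.analyze = void 0;
const Debug = require("debug");
const archiveExtractor = require("../extractor");
const go_parser_1 = require("../go-parser");
const inputs_1 = require("../inputs");
const static_1 = require("../inputs/apk/static");
const static_2 = require("../inputs/apt/static");
const static_3 = require("../inputs/binaries/static");
const static_4 = require("../inputs/distroless/static");
const filePatternStatic = require("../inputs/file-pattern/static");
const static_5 = require("../inputs/java/static");
const static_6 = require("../inputs/node/static");
const static_7 = require("../inputs/os-release/static");
const static_8 = require("../inputs/php/static");
const static_9 = require("../inputs/python/static");
const static_10 = require("../inputs/redHat/static");
const static_11 = require("../inputs/rpm/static");
const option_utils_1 = require("../option-utils");
const applications_1 = require("./applications");
const java_1 = require("./applications/java");
const python_1 = require("./applications/python");
const runtime_common_1 = require("./applications/runtime-common");
const osReleaseDetector = require("./os-release");
const apk_1 = require("./package-managers/apk");
const apt_1 = require("./package-managers/apt");
const rpm_1 = require("./package-managers/rpm");
// Underlying error details are only emitted through this "snyk" debug logger.
const debug = Debug("snyk");

/**
 * Statically analyzes a container image archive: extracts the files selected
 * by a list of extract actions, detects the OS release, lists installed OS
 * packages and, unless disabled, scans application dependencies.
 *
 * Option keys read here: "exclude-app-vulns", "exclude-node-modules",
 * "collect-application-files", "nested-jars-depth" and "shaded-jars-depth".
 * The whole `options` object is also forwarded to the archive extractor.
 *
 * @param targetImage - forwarded to the package-manager analyzers and the JAR scan.
 * @param dockerfileAnalysis - forwarded to the static OS release detection.
 * @param imageType - forwarded to `archiveExtractor.extractImageContent`.
 * @param imagePath - forwarded to `archiveExtractor.extractImageContent`.
 * @param globsToFind - object with `include` and `exclude` lists; manifest
 *   files are collected only when `include` is non-empty.
 * @param options - plugin options (see keys above).
 * @returns an object with imageId, osRelease, platform, results, binaries,
 *   imageLayers, rootFsLayers, applicationDependenciesScanResults,
 *   manifestFiles, autoDetectedUserInstructions, imageLabels and
 *   imageCreationTime.
 * @throws {Error} "Failed to detect OS release" or
 *   "Failed to detect installed OS packages"; the original error message is
 *   written to the debug log only, not attached to the thrown error.
 */
async function analyze(targetImage, dockerfileAnalysis, imageType, imagePath, globsToFind, options) {
    // Extract actions that always run: package databases, OS release files,
    // runtime binaries and Red Hat repository metadata.
    const staticAnalysisActions = [
        static_1.getApkDbFileContentAction,
        static_2.getDpkgFileContentAction,
        static_2.getExtFileContentAction,
        static_11.getRpmDbFileContentAction,
        static_11.getRpmSqliteDbFileContentAction,
        static_11.getRpmNdbFileContentAction,
        ...static_7.getOsReleaseActions,
        static_3.getNodeBinariesFileContentAction,
        static_3.getOpenJDKBinariesFileContentAction,
        static_4.getDpkgPackageFileContentAction,
        static_10.getRedHatRepositoriesContentAction,
    ];

    const checkForGlobs = shouldCheckForGlobs(globsToFind);
    if (checkForGlobs) {
        staticAnalysisActions.push(filePatternStatic.generateExtractAction(globsToFind.include, globsToFind.exclude));
    }

    // The `(0, fn)(...)` form is kept from the compiled output: it calls the
    // imported function without binding `this` to the module object.
    const appScan = !(0, option_utils_1.isTrue)(options["exclude-app-vulns"]);
    const nodeModulesScan = !(0, option_utils_1.isTrue)(options["exclude-node-modules"]);
    // A runtime logic enabler flag. Is off by default.
    const collectApplicationFiles = (0, option_utils_1.isTrue)(options["collect-application-files"]);

    if (appScan) {
        staticAnalysisActions.push(
            static_6.getNodeAppFileContentAction,
            static_8.getPhpAppFileContentAction,
            static_9.getPoetryAppFileContentAction,
            static_9.getPipAppFileContentAction,
            static_5.getJarFileContentAction,
            go_parser_1.getGoModulesContentAction
        );
        if (collectApplicationFiles) {
            staticAnalysisActions.push(static_6.getNodeJsTsAppFileContentAction, static_9.getPythonAppFileContentAction);
        }
    }

    // Single pass over the image archive; everything below reads from
    // `extractedLayers` rather than touching the archive again.
    const {
        imageId,
        manifestLayers,
        extractedLayers,
        rootFsLayers,
        autoDetectedUserInstructions,
        platform,
        imageLabels,
        imageCreationTime,
    } = await archiveExtractor.extractImageContent(imageType, imagePath, staticAnalysisActions, options);

    const [
        apkDbFileContent,
        aptDbFileContent,
        rpmDbFileContent,
        rpmSqliteDbFileContent,
        rpmNdbFileContent,
    ] = await Promise.all([
        (0, static_1.getApkDbFileContent)(extractedLayers),
        (0, static_2.getAptDbFileContent)(extractedLayers),
        (0, static_11.getRpmDbFileContent)(extractedLayers),
        (0, static_11.getRpmSqliteDbFileContent)(extractedLayers),
        (0, static_11.getRpmNdbFileContent)(extractedLayers),
    ]);
    const distrolessAptFiles = (0, static_4.getAptFiles)(extractedLayers);

    const manifestFiles = [];
    if (checkForGlobs) {
        const matchingFiles = filePatternStatic.getMatchingFiles(extractedLayers);
        manifestFiles.push(...matchingFiles);
    }

    let osRelease;
    try {
        osRelease = await osReleaseDetector.detectStatically(extractedLayers, dockerfileAnalysis);
    }
    catch (err) {
        // The caller sees only the generic message; the cause goes to the debug log.
        debug(`Could not detect OS release: ${err.message}`);
        throw new Error("Failed to detect OS release");
    }

    const redHatRepositories = (0, static_10.getRedHatRepositoriesFromExtractedLayers)(extractedLayers);

    let results;
    try {
        // Every package-manager analyzer runs regardless of the detected
        // distribution; the RPM Berkeley DB and NDB contents are merged
        // into one call, the SQLite DB is mapped separately.
        results = await Promise.all([
            (0, apk_1.analyze)(targetImage, apkDbFileContent),
            (0, apt_1.analyze)(targetImage, aptDbFileContent, osRelease),
            (0, rpm_1.analyze)(targetImage, [...rpmDbFileContent, ...rpmNdbFileContent], redHatRepositories, osRelease),
            (0, rpm_1.mapRpmSqlitePackages)(targetImage, rpmSqliteDbFileContent, redHatRepositories, osRelease),
            (0, apt_1.analyzeDistroless)(targetImage, distrolessAptFiles, osRelease),
        ]);
    }
    catch (err) {
        debug(`Could not detect installed OS packages: ${err.message}`);
        throw new Error("Failed to detect installed OS packages");
    }

    const binaries = (0, static_3.getBinariesHashes)(extractedLayers);

    const applicationDependenciesScanResults = [];
    if (appScan) {
        const nodeDependenciesScanResults = await (0, applications_1.nodeFilesToScannedProjects)((0, inputs_1.getFileContent)(extractedLayers, static_6.getNodeAppFileContentAction.actionName), nodeModulesScan);
        let nodeApplicationFilesScanResults = [];
        if (collectApplicationFiles) {
            nodeApplicationFilesScanResults = (0, runtime_common_1.getApplicationFiles)((0, inputs_1.getFileContent)(extractedLayers, static_6.getNodeJsTsAppFileContentAction.actionName), "node", "npm");
        }
        const phpDependenciesScanResults = await (0, applications_1.phpFilesToScannedProjects)((0, inputs_1.getFileContent)(extractedLayers, static_8.getPhpAppFileContentAction.actionName));
        const poetryDependenciesScanResults = await (0, applications_1.poetryFilesToScannedProjects)((0, inputs_1.getFileContent)(extractedLayers, static_9.getPoetryAppFileContentAction.actionName));
        const pipDependenciesScanResults = await (0, python_1.pipFilesToScannedProjects)((0, inputs_1.getFileContent)(extractedLayers, static_9.getPipAppFileContentAction.actionName));
        let pythonApplicationFilesScanResults = [];
        if (collectApplicationFiles) {
            pythonApplicationFilesScanResults = (0, runtime_common_1.getApplicationFiles)((0, inputs_1.getFileContent)(extractedLayers, static_9.getPythonAppFileContentAction.actionName), "python", "python");
        }
        // The depth bounds how far nested JARs are unpacked; the JAR content
        // comes from the scanned image.
        const desiredLevelsOfUnpacking = getNestedJarsDesiredDepth(options);
        const jarFingerprintScanResults = await (0, java_1.jarFilesToScannedResults)((0, inputs_1.getBufferContent)(extractedLayers, static_5.getJarFileContentAction.actionName), targetImage, desiredLevelsOfUnpacking);
        const goModulesScanResult = await (0, go_parser_1.goModulesToScannedProjects)((0, inputs_1.getElfFileContent)(extractedLayers, go_parser_1.getGoModulesContentAction.actionName));
        applicationDependenciesScanResults.push(
            ...nodeDependenciesScanResults,
            ...nodeApplicationFilesScanResults,
            ...phpDependenciesScanResults,
            ...poetryDependenciesScanResults,
            ...pipDependenciesScanResults,
            ...pythonApplicationFilesScanResults,
            ...jarFingerprintScanResults,
            ...goModulesScanResult
        );
    }

    return {
        imageId,
        osRelease,
        platform,
        results,
        binaries,
        imageLayers: manifestLayers,
        rootFsLayers,
        applicationDependenciesScanResults,
        manifestFiles,
        autoDetectedUserInstructions,
        imageLabels,
        imageCreationTime,
    };
}
exports.analyze = analyze;

/**
 * Resolves how many levels of nested JARs should be unpacked.
 *
 * Reads "nested-jars-depth" first and falls back to "shaded-jars-depth".
 * Any value that does not convert to a number >= 0 yields the default of 1.
 *
 * @param options - plugin options object.
 * @returns {number} the requested depth, or 1 when none is usable.
 */
function getNestedJarsDesiredDepth(options) {
    const primaryOption = options["nested-jars-depth"];
    // A numeric 0 is an accepted depth (see the `>= 0` check) but is falsy,
    // so a plain `||` would discard it and fall through to the other option.
    const nestedJarsOption = primaryOption === 0
        ? primaryOption
        : primaryOption || options["shaded-jars-depth"];
    const depthNumber = Number(nestedJarsOption);
    // NOTE(review): Infinity and fractional values also pass this check.
    // Whether the JAR unpacker bounds the depth itself is not visible from
    // this file; confirm before accepting this option from untrusted callers.
    if (!Number.isNaN(depthNumber) && depthNumber >= 0) {
        return depthNumber;
    }
    return 1;
}

/**
 * Reports whether any include globs were requested.
 *
 * @param globsToFind - object with an `include` array.
 * @returns {boolean} true when `include` has at least one entry.
 */
function shouldCheckForGlobs(globsToFind) {
    return globsToFind.include.length > 0;
}
//# sourceMappingURL=static-analyzer.js.map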