UNPKG

snyk-docker-plugin

Version:

Snyk CLI docker plugin

github.com/snyk/snyk-docker-plugin

snyk/snyk-docker-plugin

145 lines 7.28 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.extractContent = exports.appendLatestTagIfMissing = exports.scan = exports.mergeEnvVarsIntoCredentials = void 0; const fs = require("fs"); const path = require("path"); const image_inspector_1 = require("./analyzer/image-inspector"); const dockerfile_1 = require("./dockerfile"); const extractor_1 = require("./extractor"); const image_1 = require("./extractor/image"); const image_save_path_1 = require("./image-save-path"); const image_type_1 = require("./image-type"); const option_utils_1 = require("./option-utils"); const staticModule = require("./static"); const types_1 = require("./types"); // Registry credentials may also be provided by env vars. When both are set, flags take precedence. function mergeEnvVarsIntoCredentials(options) { options.username = options.username || process.env.SNYK_REGISTRY_USERNAME; options.password = options.password || process.env.SNYK_REGISTRY_PASSWORD; } exports.mergeEnvVarsIntoCredentials = mergeEnvVarsIntoCredentials; async function getAnalysisParameters(options) { if (!options) { throw new Error("No plugin options provided"); } mergeEnvVarsIntoCredentials(options); if (!options.path) { throw new Error("No image identifier or path provided"); } const nestedJarsDepth = options["nested-jars-depth"] || options["shaded-jars-depth"]; if (((0, option_utils_1.isTrue)(nestedJarsDepth) || (0, option_utils_1.isNumber)(nestedJarsDepth)) && (0, option_utils_1.isTrue)(options["exclude-app-vulns"])) { throw new Error("To use --nested-jars-depth, you must not use --exclude-app-vulns"); } if ((!(0, option_utils_1.isNumber)(nestedJarsDepth) && !(0, option_utils_1.isTrue)(nestedJarsDepth) && typeof nestedJarsDepth !== "undefined") || Number(nestedJarsDepth) < 0) { throw new Error("--nested-jars-depth accepts only numbers bigger than or equal to 0"); } // TODO temporary solution to avoid double results for PHP if exists in `globsToFind` if (options.globsToFind) { options.globsToFind.include = options.globsToFind.include.filter((glob) => !glob.includes("composer")); } const targetImage = appendLatestTagIfMissing(options.path); const dockerfilePath = options.file; const dockerfileAnalysis = await (0, dockerfile_1.readDockerfileAndAnalyse)(dockerfilePath); const imageType = (0, image_type_1.getImageType)(targetImage); return { targetImage, imageType, dockerfileAnalysis, options, }; } async function scan(options) { const { targetImage, imageType, dockerfileAnalysis, options: updatedOptions, } = await getAnalysisParameters(options); switch (imageType) { case types_1.ImageType.DockerArchive: case types_1.ImageType.OciArchive: case types_1.ImageType.KanikoArchive: case types_1.ImageType.UnspecifiedArchiveType: return localArchiveAnalysis(targetImage, imageType, dockerfileAnalysis, updatedOptions); case types_1.ImageType.Identifier: return imageIdentifierAnalysis(targetImage, imageType, dockerfileAnalysis, updatedOptions); default: throw new Error("Unhandled image type for image " + targetImage); } } exports.scan = scan; function getAndValidateArchivePath(targetImage) { const archivePath = (0, image_type_1.getArchivePath)(targetImage); if (!fs.existsSync(archivePath)) { throw new Error("The provided archive path does not exist on the filesystem"); } if (!fs.lstatSync(archivePath).isFile()) { throw new Error("The provided archive path is not a file"); } return archivePath; } async function localArchiveAnalysis(targetImage, imageType, dockerfileAnalysis, options) { var _a, _b, _c, _d, _e, _f; const globToFind = { include: ((_a = options.globsToFind) === null || _a === void 0 ? void 0 : _a.include) || [], exclude: ((_b = options.globsToFind) === null || _b === void 0 ? void 0 : _b.exclude) || [], }; const archivePath = getAndValidateArchivePath(targetImage); const imageIdentifier = options.imageNameAndTag || // The target image becomes the base of the path, e.g. "archive.tar" for "/var/tmp/archive.tar" path.basename(archivePath); let imageName; if ((((_c = options.digests) === null || _c === void 0 ? void 0 : _c.manifest) || ((_d = options.digests) === null || _d === void 0 ? void 0 : _d.index)) && options.imageNameAndTag) { imageName = new image_1.ImageName(options.imageNameAndTag, { manifest: (_e = options.digests) === null || _e === void 0 ? void 0 : _e.manifest, index: (_f = options.digests) === null || _f === void 0 ? void 0 : _f.index, }); } return await staticModule.analyzeStatically(imageIdentifier, dockerfileAnalysis, imageType, archivePath, globToFind, options, imageName); } async function imageIdentifierAnalysis(targetImage, imageType, dockerfileAnalysis, options) { var _a, _b; const globToFind = { include: ((_a = options.globsToFind) === null || _a === void 0 ? void 0 : _a.include) || [], exclude: ((_b = options.globsToFind) === null || _b === void 0 ? void 0 : _b.exclude) || [], }; const imageSavePath = (0, image_save_path_1.fullImageSavePath)(options.imageSavePath); const archiveResult = await (0, image_inspector_1.getImageArchive)(targetImage, imageSavePath, options.username, options.password, options.platform); const imagePath = archiveResult.path; const imageName = archiveResult.imageName; try { return await staticModule.analyzeStatically(targetImage, dockerfileAnalysis, imageType, imagePath, globToFind, options, imageName); } finally { archiveResult.removeArchive(); } } function appendLatestTagIfMissing(targetImage) { if ((0, image_type_1.getImageType)(targetImage) === types_1.ImageType.Identifier && !targetImage.includes(":")) { return `${targetImage}:latest`; } return targetImage; } exports.appendLatestTagIfMissing = appendLatestTagIfMissing; async function extractContent(extractActions, options) { const { targetImage, imageType, options: updatedOptions, } = await getAnalysisParameters(options); const { username, password, platform, imageSavePath } = updatedOptions; let imagePath; switch (imageType) { case types_1.ImageType.DockerArchive: case types_1.ImageType.OciArchive: imagePath = getAndValidateArchivePath(targetImage); break; case types_1.ImageType.Identifier: const imageSavePathFull = (0, image_save_path_1.fullImageSavePath)(imageSavePath); const archiveResult = await (0, image_inspector_1.getImageArchive)(targetImage, imageSavePathFull, username, password, platform); imagePath = archiveResult.path; break; default: throw new Error("Unhandled image type for image " + targetImage); } return (0, extractor_1.extractImageContent)(imageType, imagePath, extractActions, updatedOptions); } exports.extractContent = extractContent; //# sourceMappingURL=scan.js.map