2023-02-05 09:21:45 +02:00
|
|
|
//go:build search
|
|
|
|
// +build search
|
|
|
|
|
2022-09-28 21:39:54 +03:00
|
|
|
package trivy
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"encoding/json"
|
|
|
|
"os"
|
|
|
|
"path"
|
|
|
|
"testing"
|
2023-01-20 22:09:40 +02:00
|
|
|
"time"
|
2022-09-28 21:39:54 +03:00
|
|
|
|
|
|
|
godigest "github.com/opencontainers/go-digest"
|
|
|
|
ispec "github.com/opencontainers/image-spec/specs-go/v1"
|
|
|
|
. "github.com/smartystreets/goconvey/convey"
|
2022-10-20 19:39:20 +03:00
|
|
|
|
2023-07-05 19:08:16 +03:00
|
|
|
zerr "zotregistry.io/zot/errors"
|
2023-04-18 21:07:47 +03:00
|
|
|
"zotregistry.io/zot/pkg/common"
|
2022-09-28 21:39:54 +03:00
|
|
|
"zotregistry.io/zot/pkg/extensions/monitoring"
|
2023-07-06 11:36:26 +03:00
|
|
|
"zotregistry.io/zot/pkg/extensions/search/cve/model"
|
2022-09-28 21:39:54 +03:00
|
|
|
"zotregistry.io/zot/pkg/log"
|
2023-07-18 20:27:26 +03:00
|
|
|
"zotregistry.io/zot/pkg/meta"
|
|
|
|
"zotregistry.io/zot/pkg/meta/boltdb"
|
|
|
|
mTypes "zotregistry.io/zot/pkg/meta/types"
|
2022-09-28 21:39:54 +03:00
|
|
|
"zotregistry.io/zot/pkg/storage"
|
2023-05-26 21:08:19 +03:00
|
|
|
storageConstants "zotregistry.io/zot/pkg/storage/constants"
|
2022-09-30 20:35:16 +03:00
|
|
|
"zotregistry.io/zot/pkg/storage/local"
|
2023-05-26 21:08:19 +03:00
|
|
|
storageTypes "zotregistry.io/zot/pkg/storage/types"
|
2022-09-28 21:39:54 +03:00
|
|
|
"zotregistry.io/zot/pkg/test"
|
2023-07-06 11:36:26 +03:00
|
|
|
"zotregistry.io/zot/pkg/test/mocks"
|
2022-09-28 21:39:54 +03:00
|
|
|
)
|
|
|
|
|
|
|
|
func generateTestImage(storeController storage.StoreController, image string) {
|
|
|
|
repoName, tag := common.GetImageDirAndTag(image)
|
|
|
|
|
|
|
|
config, layers, manifest, err := test.GetImageComponents(10)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
|
|
|
store := storeController.GetImageStore(repoName)
|
|
|
|
err = store.InitRepo(repoName)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
|
|
|
for _, layerBlob := range layers {
|
|
|
|
layerReader := bytes.NewReader(layerBlob)
|
|
|
|
layerDigest := godigest.FromBytes(layerBlob)
|
2022-10-22 23:46:13 +03:00
|
|
|
_, _, err = store.FullBlobUpload(repoName, layerReader, layerDigest)
|
2022-09-28 21:39:54 +03:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
}
|
|
|
|
|
|
|
|
configBlob, err := json.Marshal(config)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
configReader := bytes.NewReader(configBlob)
|
|
|
|
configDigest := godigest.FromBytes(configBlob)
|
2022-10-22 23:46:13 +03:00
|
|
|
_, _, err = store.FullBlobUpload(repoName, configReader, configDigest)
|
2022-09-28 21:39:54 +03:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
|
|
|
manifestBlob, err := json.Marshal(manifest)
|
|
|
|
So(err, ShouldBeNil)
|
2023-05-12 19:32:01 +03:00
|
|
|
_, _, err = store.PutImageManifest(repoName, tag, ispec.MediaTypeImageManifest, manifestBlob)
|
2022-09-28 21:39:54 +03:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestMultipleStoragePath(t *testing.T) {
|
|
|
|
Convey("Test multiple storage path", t, func() {
|
|
|
|
// Create temporary directory
|
|
|
|
firstRootDir := t.TempDir()
|
|
|
|
secondRootDir := t.TempDir()
|
|
|
|
thirdRootDir := t.TempDir()
|
|
|
|
|
|
|
|
log := log.NewLogger("debug", "")
|
|
|
|
metrics := monitoring.NewMetricsServer(false, log)
|
|
|
|
|
|
|
|
// Create ImageStore
|
|
|
|
|
2023-05-26 21:08:19 +03:00
|
|
|
firstStore := local.NewImageStore(firstRootDir, false, storageConstants.DefaultGCDelay, false, false, log, metrics,
|
|
|
|
nil, nil)
|
2022-09-28 21:39:54 +03:00
|
|
|
|
2023-05-26 21:08:19 +03:00
|
|
|
secondStore := local.NewImageStore(secondRootDir, false, storageConstants.DefaultGCDelay, false, false, log, metrics,
|
|
|
|
nil, nil)
|
|
|
|
|
|
|
|
thirdStore := local.NewImageStore(thirdRootDir, false, storageConstants.DefaultGCDelay, false, false, log, metrics,
|
|
|
|
nil, nil)
|
2022-09-28 21:39:54 +03:00
|
|
|
|
|
|
|
storeController := storage.StoreController{}
|
|
|
|
|
|
|
|
storeController.DefaultStore = firstStore
|
|
|
|
|
2023-05-26 21:08:19 +03:00
|
|
|
subStore := make(map[string]storageTypes.ImageStore)
|
2022-09-28 21:39:54 +03:00
|
|
|
|
|
|
|
subStore["/a"] = secondStore
|
|
|
|
subStore["/b"] = thirdStore
|
|
|
|
|
|
|
|
storeController.SubStore = subStore
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
params := boltdb.DBParameters{
|
2023-01-09 22:37:44 +02:00
|
|
|
RootDir: firstRootDir,
|
2023-03-28 20:20:09 +03:00
|
|
|
}
|
2023-07-18 20:27:26 +03:00
|
|
|
boltDriver, err := boltdb.GetBoltDriver(params)
|
2023-03-28 20:20:09 +03:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB, err := boltdb.New(boltDriver, log)
|
2023-01-09 22:37:44 +02:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "ghcr.io/project-zot/trivy-db", "", log)
|
2022-09-28 21:39:54 +03:00
|
|
|
|
|
|
|
So(scanner.storeController.DefaultStore, ShouldNotBeNil)
|
|
|
|
So(scanner.storeController.SubStore, ShouldNotBeNil)
|
|
|
|
|
|
|
|
img0 := "test/image0:tag0"
|
|
|
|
img1 := "a/test/image1:tag1"
|
|
|
|
img2 := "b/test/image2:tag2"
|
|
|
|
|
2023-01-18 18:24:44 +02:00
|
|
|
opts := scanner.getTrivyOptions(img0)
|
|
|
|
So(opts.ScanOptions.Target, ShouldEqual, path.Join(firstStore.RootDir(), img0))
|
2022-09-28 21:39:54 +03:00
|
|
|
|
2023-01-18 18:24:44 +02:00
|
|
|
opts = scanner.getTrivyOptions(img1)
|
|
|
|
So(opts.ScanOptions.Target, ShouldEqual, path.Join(secondStore.RootDir(), img1))
|
2022-09-28 21:39:54 +03:00
|
|
|
|
2023-01-18 18:24:44 +02:00
|
|
|
opts = scanner.getTrivyOptions(img2)
|
|
|
|
So(opts.ScanOptions.Target, ShouldEqual, path.Join(thirdStore.RootDir(), img2))
|
2022-09-28 21:39:54 +03:00
|
|
|
|
|
|
|
generateTestImage(storeController, img0)
|
|
|
|
generateTestImage(storeController, img1)
|
|
|
|
generateTestImage(storeController, img2)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
err = meta.ParseStorage(metaDB, storeController, log)
|
2023-07-06 11:36:26 +03:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-07-05 19:08:16 +03:00
|
|
|
// Try to scan without the DB being downloaded
|
|
|
|
_, err = scanner.ScanImage(img0)
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
So(err, ShouldWrap, zerr.ErrCVEDBNotFound)
|
|
|
|
|
2023-01-18 18:24:44 +02:00
|
|
|
// Download DB since DB download on scan is disabled
|
|
|
|
err = scanner.UpdateDB()
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2022-09-28 21:39:54 +03:00
|
|
|
// Scanning image in default store
|
|
|
|
cveMap, err := scanner.ScanImage(img0)
|
2023-02-27 21:23:18 +02:00
|
|
|
|
2022-09-28 21:39:54 +03:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
So(len(cveMap), ShouldEqual, 0)
|
|
|
|
|
|
|
|
// Scanning image in substore
|
|
|
|
cveMap, err = scanner.ScanImage(img1)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
So(len(cveMap), ShouldEqual, 0)
|
|
|
|
|
|
|
|
// Scanning image which does not exist
|
|
|
|
cveMap, err = scanner.ScanImage("a/test/image2:tag100")
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
So(len(cveMap), ShouldEqual, 0)
|
|
|
|
|
|
|
|
// Download the DB to a default store location without permissions
|
|
|
|
err = os.Chmod(firstRootDir, 0o000)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
err = scanner.UpdateDB()
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
|
|
|
|
// Check the download works correctly when permissions allow
|
|
|
|
err = os.Chmod(firstRootDir, 0o777)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
err = scanner.UpdateDB()
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
|
|
|
// Download the DB to a substore location without permissions
|
|
|
|
err = os.Chmod(secondRootDir, 0o000)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
err = scanner.UpdateDB()
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
|
|
|
|
err = os.Chmod(secondRootDir, 0o777)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
})
|
|
|
|
}
|
2023-01-18 18:24:44 +02:00
|
|
|
|
|
|
|
func TestTrivyLibraryErrors(t *testing.T) {
|
|
|
|
Convey("Test trivy API errors", t, func() {
|
|
|
|
// Create temporary directory
|
|
|
|
rootDir := t.TempDir()
|
|
|
|
|
|
|
|
err := test.CopyFiles("../../../../../test/data/zot-test", path.Join(rootDir, "zot-test"))
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
|
|
|
log := log.NewLogger("debug", "")
|
|
|
|
metrics := monitoring.NewMetricsServer(false, log)
|
|
|
|
|
|
|
|
// Create ImageStore
|
2023-05-26 21:08:19 +03:00
|
|
|
store := local.NewImageStore(rootDir, false, storageConstants.DefaultGCDelay, false, false, log, metrics, nil, nil)
|
2023-01-18 18:24:44 +02:00
|
|
|
|
|
|
|
storeController := storage.StoreController{}
|
|
|
|
storeController.DefaultStore = store
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
params := boltdb.DBParameters{
|
2023-01-18 18:24:44 +02:00
|
|
|
RootDir: rootDir,
|
2023-03-28 20:20:09 +03:00
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
boltDriver, err := boltdb.GetBoltDriver(params)
|
2023-03-28 20:20:09 +03:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB, err := boltdb.New(boltDriver, log)
|
2023-01-18 18:24:44 +02:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
err = meta.ParseStorage(metaDB, storeController, log)
|
2023-01-18 18:24:44 +02:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-07-05 19:08:16 +03:00
|
|
|
img := "zot-test:0.0.1" //nolint:goconst
|
|
|
|
|
2023-06-01 00:37:46 +03:00
|
|
|
// Download DB fails for missing DB url
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "", "", log)
|
2023-06-01 00:37:46 +03:00
|
|
|
|
|
|
|
err = scanner.UpdateDB()
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
|
2023-07-05 19:08:16 +03:00
|
|
|
// Try to scan without the DB being downloaded
|
|
|
|
opts := scanner.getTrivyOptions(img)
|
|
|
|
_, err = scanner.runTrivy(opts)
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
So(err, ShouldWrap, zerr.ErrCVEDBNotFound)
|
|
|
|
|
2023-06-01 00:37:46 +03:00
|
|
|
// Download DB fails for invalid Java DB
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner = NewScanner(storeController, metaDB, "ghcr.io/project-zot/trivy-db",
|
2023-06-01 00:37:46 +03:00
|
|
|
"ghcr.io/project-zot/trivy-not-db", log)
|
|
|
|
|
|
|
|
err = scanner.UpdateDB()
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
|
|
|
|
// Download DB passes for valid Trivy DB url, and missing Trivy Java DB url
|
|
|
|
// Download DB is necessary since DB download on scan is disabled
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner = NewScanner(storeController, metaDB, "ghcr.io/project-zot/trivy-db", "", log)
|
2023-01-18 18:24:44 +02:00
|
|
|
|
|
|
|
err = scanner.UpdateDB()
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
|
|
|
// Scanning image with correct options
|
2023-07-05 19:08:16 +03:00
|
|
|
opts = scanner.getTrivyOptions(img)
|
2023-01-18 18:24:44 +02:00
|
|
|
_, err = scanner.runTrivy(opts)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
|
|
|
// Scanning image with incorrect cache options
|
|
|
|
// to trigger runner initialization errors
|
|
|
|
opts.CacheOptions.CacheBackend = "redis://asdf!$%&!*)("
|
|
|
|
_, err = scanner.runTrivy(opts)
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
|
|
|
|
// Scanning image with invalid input to trigger a scanner error
|
2023-02-27 21:23:18 +02:00
|
|
|
opts = scanner.getTrivyOptions("nilnonexisting_image:0.0.1")
|
2023-01-18 18:24:44 +02:00
|
|
|
_, err = scanner.runTrivy(opts)
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
|
|
|
|
// Scanning image with incorrect report options
|
|
|
|
// to trigger report filtering errors
|
|
|
|
opts = scanner.getTrivyOptions(img)
|
|
|
|
opts.ReportOptions.IgnorePolicy = "invalid file path"
|
|
|
|
_, err = scanner.runTrivy(opts)
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
})
|
|
|
|
}
|
2023-01-19 00:18:03 +02:00
|
|
|
|
2023-01-20 22:09:40 +02:00
|
|
|
func TestImageScannable(t *testing.T) {
|
|
|
|
rootDir := t.TempDir()
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
params := boltdb.DBParameters{
|
2023-01-20 22:09:40 +02:00
|
|
|
RootDir: rootDir,
|
2023-03-28 20:20:09 +03:00
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
boltDriver, err := boltdb.GetBoltDriver(params)
|
2023-03-28 20:20:09 +03:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
log := log.NewLogger("debug", "")
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB, err := boltdb.New(boltDriver, log)
|
2023-01-20 22:09:40 +02:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create test data for the following cases
|
|
|
|
// - Error: RepoMeta not found in DB
|
|
|
|
// - Error: Tag not found in DB
|
|
|
|
// - Error: Digest in RepoMeta is invalid
|
2023-07-18 20:27:26 +03:00
|
|
|
// - Error: ManifestData not found in metadb
|
2023-01-20 22:09:40 +02:00
|
|
|
// - Error: ManifestData cannot be unmarshalled
|
|
|
|
// - Error: ManifestData contains unscannable layer type
|
|
|
|
// - Valid Scannable image
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
// Create metadb data for scannable image
|
2023-01-20 22:09:40 +02:00
|
|
|
timeStamp := time.Date(2008, 1, 1, 12, 0, 0, 0, time.UTC)
|
|
|
|
|
|
|
|
validConfigBlob, err := json.Marshal(ispec.Image{
|
|
|
|
Created: &timeStamp,
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
validManifestBlob, err := json.Marshal(ispec.Manifest{
|
|
|
|
Config: ispec.Descriptor{
|
|
|
|
MediaType: ispec.MediaTypeImageConfig,
|
|
|
|
Size: 0,
|
|
|
|
Digest: godigest.FromBytes(validConfigBlob),
|
|
|
|
},
|
|
|
|
Layers: []ispec.Descriptor{
|
|
|
|
{
|
|
|
|
MediaType: ispec.MediaTypeImageLayerGzip,
|
|
|
|
Size: 0,
|
|
|
|
Digest: godigest.NewDigestFromEncoded(godigest.SHA256, "digest"),
|
|
|
|
},
|
|
|
|
},
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
validRepoMeta := mTypes.ManifestData{
|
2023-01-20 22:09:40 +02:00
|
|
|
ManifestBlob: validManifestBlob,
|
|
|
|
ConfigBlob: validConfigBlob,
|
|
|
|
}
|
|
|
|
|
|
|
|
digestValidManifest := godigest.FromBytes(validManifestBlob)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
err = metaDB.SetManifestData(digestValidManifest, validRepoMeta)
|
2023-01-20 22:09:40 +02:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
err = metaDB.SetRepoReference("repo1", "valid", digestValidManifest, ispec.MediaTypeImageManifest)
|
2023-01-20 22:09:40 +02:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
// Create MetaDB data for manifest with unscannable layers
|
2023-01-20 22:09:40 +02:00
|
|
|
manifestBlobUnscannableLayer, err := json.Marshal(ispec.Manifest{
|
|
|
|
Config: ispec.Descriptor{
|
|
|
|
MediaType: ispec.MediaTypeImageConfig,
|
|
|
|
Size: 0,
|
|
|
|
Digest: godigest.FromBytes(validConfigBlob),
|
|
|
|
},
|
|
|
|
Layers: []ispec.Descriptor{
|
|
|
|
{
|
|
|
|
MediaType: "unscannable_media_type",
|
|
|
|
Size: 0,
|
|
|
|
Digest: godigest.NewDigestFromEncoded(godigest.SHA256, "digest"),
|
|
|
|
},
|
|
|
|
},
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
repoMetaUnscannableLayer := mTypes.ManifestData{
|
2023-01-20 22:09:40 +02:00
|
|
|
ManifestBlob: manifestBlobUnscannableLayer,
|
|
|
|
ConfigBlob: validConfigBlob,
|
|
|
|
}
|
|
|
|
|
|
|
|
digestManifestUnscannableLayer := godigest.FromBytes(manifestBlobUnscannableLayer)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
err = metaDB.SetManifestData(digestManifestUnscannableLayer, repoMetaUnscannableLayer)
|
2023-01-20 22:09:40 +02:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
err = metaDB.SetRepoReference("repo1", "unscannable-layer", digestManifestUnscannableLayer,
|
2023-03-09 20:41:48 +02:00
|
|
|
ispec.MediaTypeImageManifest)
|
2023-01-20 22:09:40 +02:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
// Create MetaDB data for unmarshable manifest
|
2023-01-20 22:09:40 +02:00
|
|
|
unmarshableManifestBlob := []byte("Some string")
|
2023-07-18 20:27:26 +03:00
|
|
|
repoMetaUnmarshable := mTypes.ManifestData{
|
2023-01-20 22:09:40 +02:00
|
|
|
ManifestBlob: unmarshableManifestBlob,
|
|
|
|
ConfigBlob: validConfigBlob,
|
|
|
|
}
|
|
|
|
|
|
|
|
digestUnmarshableManifest := godigest.FromBytes(unmarshableManifestBlob)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
err = metaDB.SetManifestData(digestUnmarshableManifest, repoMetaUnmarshable)
|
2023-01-20 22:09:40 +02:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
err = metaDB.SetRepoReference("repo1", "unmarshable", digestUnmarshableManifest, ispec.MediaTypeImageManifest)
|
2023-01-20 22:09:40 +02:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Manifest meta cannot be found
|
|
|
|
digestMissingManifest := godigest.FromBytes([]byte("Some other string"))
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
err = metaDB.SetRepoReference("repo1", "missing", digestMissingManifest, ispec.MediaTypeImageManifest)
|
2023-01-20 22:09:40 +02:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// RepoMeta contains invalid digest
|
2023-07-18 20:27:26 +03:00
|
|
|
err = metaDB.SetRepoReference("repo1", "invalid-digest", "invalid", ispec.MediaTypeImageManifest)
|
2023-01-20 22:09:40 +02:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Continue with initializing the objects the scanner depends on
|
|
|
|
metrics := monitoring.NewMetricsServer(false, log)
|
|
|
|
|
2023-05-26 21:08:19 +03:00
|
|
|
store := local.NewImageStore(rootDir, false, storageConstants.DefaultGCDelay, false, false, log, metrics, nil, nil)
|
2023-01-20 22:09:40 +02:00
|
|
|
|
|
|
|
storeController := storage.StoreController{}
|
|
|
|
storeController.DefaultStore = store
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "ghcr.io/project-zot/trivy-db",
|
2023-06-01 00:37:46 +03:00
|
|
|
"ghcr.io/aquasecurity/trivy-java-db", log)
|
2023-01-20 22:09:40 +02:00
|
|
|
|
|
|
|
Convey("Valid image should be scannable", t, func() {
|
2023-02-27 21:23:18 +02:00
|
|
|
result, err := scanner.IsImageFormatScannable("repo1", "valid")
|
2023-01-20 22:09:40 +02:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
So(result, ShouldBeTrue)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("Image with layers of unsupported types should be unscannable", t, func() {
|
2023-02-27 21:23:18 +02:00
|
|
|
result, err := scanner.IsImageFormatScannable("repo1", "unscannable-layer")
|
2023-01-20 22:09:40 +02:00
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
So(result, ShouldBeFalse)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("Image with unmarshable manifests should be unscannable", t, func() {
|
2023-02-27 21:23:18 +02:00
|
|
|
result, err := scanner.IsImageFormatScannable("repo1", "unmarshable")
|
2023-01-20 22:09:40 +02:00
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
So(result, ShouldBeFalse)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("Image with missing manifest meta should be unscannable", t, func() {
|
2023-02-27 21:23:18 +02:00
|
|
|
result, err := scanner.IsImageFormatScannable("repo1", "missing")
|
2023-01-20 22:09:40 +02:00
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
So(result, ShouldBeFalse)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("Image with invalid manifest digest should be unscannable", t, func() {
|
2023-02-27 21:23:18 +02:00
|
|
|
result, err := scanner.IsImageFormatScannable("repo1", "invalid-digest")
|
2023-01-20 22:09:40 +02:00
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
So(result, ShouldBeFalse)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("Image with unknown tag should be unscannable", t, func() {
|
2023-02-27 21:23:18 +02:00
|
|
|
result, err := scanner.IsImageFormatScannable("repo1", "unknown-tag")
|
2023-01-20 22:09:40 +02:00
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
So(result, ShouldBeFalse)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("Image with unknown repo should be unscannable", t, func() {
|
2023-02-27 21:23:18 +02:00
|
|
|
result, err := scanner.IsImageFormatScannable("unknown-repo", "sometag")
|
2023-01-20 22:09:40 +02:00
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
So(result, ShouldBeFalse)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2023-01-19 00:18:03 +02:00
|
|
|
func TestDefaultTrivyDBUrl(t *testing.T) {
|
|
|
|
Convey("Test trivy DB download from default location", t, func() {
|
|
|
|
// Create temporary directory
|
|
|
|
rootDir := t.TempDir()
|
|
|
|
|
|
|
|
err := test.CopyFiles("../../../../../test/data/zot-test", path.Join(rootDir, "zot-test"))
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-06-01 00:37:46 +03:00
|
|
|
err = test.CopyFiles("../../../../../test/data/zot-cve-java-test", path.Join(rootDir, "zot-cve-java-test"))
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-01-19 00:18:03 +02:00
|
|
|
log := log.NewLogger("debug", "")
|
|
|
|
metrics := monitoring.NewMetricsServer(false, log)
|
|
|
|
|
|
|
|
// Create ImageStore
|
2023-05-26 21:08:19 +03:00
|
|
|
store := local.NewImageStore(rootDir, false, storageConstants.DefaultGCDelay, false, false, log, metrics, nil, nil)
|
2023-01-19 00:18:03 +02:00
|
|
|
|
|
|
|
storeController := storage.StoreController{}
|
|
|
|
storeController.DefaultStore = store
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
params := boltdb.DBParameters{
|
2023-01-19 00:18:03 +02:00
|
|
|
RootDir: rootDir,
|
2023-03-28 20:20:09 +03:00
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
boltDriver, err := boltdb.GetBoltDriver(params)
|
2023-03-28 20:20:09 +03:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB, err := boltdb.New(boltDriver, log)
|
2023-01-19 00:18:03 +02:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
err = meta.ParseStorage(metaDB, storeController, log)
|
2023-01-19 00:18:03 +02:00
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "ghcr.io/aquasecurity/trivy-db",
|
2023-06-01 00:37:46 +03:00
|
|
|
"ghcr.io/aquasecurity/trivy-java-db", log)
|
2023-01-19 00:18:03 +02:00
|
|
|
|
|
|
|
// Download DB since DB download on scan is disabled
|
|
|
|
err = scanner.UpdateDB()
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
|
2023-06-01 00:37:46 +03:00
|
|
|
// Scanning image
|
2023-07-05 19:08:16 +03:00
|
|
|
img := "zot-test:0.0.1" //nolint:goconst
|
2023-01-19 00:18:03 +02:00
|
|
|
|
|
|
|
opts := scanner.getTrivyOptions(img)
|
|
|
|
_, err = scanner.runTrivy(opts)
|
|
|
|
So(err, ShouldBeNil)
|
2023-06-01 00:37:46 +03:00
|
|
|
|
|
|
|
// Scanning image containing a jar file
|
|
|
|
img = "zot-cve-java-test:0.0.1"
|
|
|
|
|
|
|
|
opts = scanner.getTrivyOptions(img)
|
|
|
|
_, err = scanner.runTrivy(opts)
|
|
|
|
So(err, ShouldBeNil)
|
2023-01-19 00:18:03 +02:00
|
|
|
})
|
|
|
|
}
|
2023-07-06 11:36:26 +03:00
|
|
|
|
|
|
|
func TestIsIndexScanable(t *testing.T) {
|
|
|
|
Convey("IsIndexScanable", t, func() {
|
|
|
|
storeController := storage.StoreController{}
|
|
|
|
storeController.DefaultStore = &local.ImageStoreLocal{}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB := &boltdb.BoltDB{}
|
2023-07-06 11:36:26 +03:00
|
|
|
log := log.NewLogger("debug", "")
|
|
|
|
|
|
|
|
Convey("Find index in cache", func() {
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "", "", log)
|
2023-07-06 11:36:26 +03:00
|
|
|
|
|
|
|
scanner.cache.Add("digest", make(map[string]model.CVE))
|
|
|
|
|
|
|
|
found, err := scanner.isIndexScanable("digest")
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
So(found, ShouldBeTrue)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestScanIndexErrors(t *testing.T) {
|
|
|
|
Convey("Errors", t, func() {
|
|
|
|
storeController := storage.StoreController{}
|
|
|
|
storeController.DefaultStore = mocks.MockedImageStore{}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB := mocks.MetaDBMock{}
|
2023-07-06 11:36:26 +03:00
|
|
|
log := log.NewLogger("debug", "")
|
|
|
|
|
|
|
|
Convey("GetIndexData fails", func() {
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB.GetIndexDataFn = func(indexDigest godigest.Digest) (mTypes.IndexData, error) {
|
|
|
|
return mTypes.IndexData{}, godigest.ErrDigestUnsupported
|
2023-07-06 11:36:26 +03:00
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "", "", log)
|
2023-07-06 11:36:26 +03:00
|
|
|
|
|
|
|
_, err := scanner.scanIndex("repo", "digest")
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("Bad Index Blob, Unamrshal fails", func() {
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB.GetIndexDataFn = func(indexDigest godigest.Digest) (mTypes.IndexData, error) {
|
|
|
|
return mTypes.IndexData{
|
2023-07-06 11:36:26 +03:00
|
|
|
IndexBlob: []byte(`bad-blob`),
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "", "", log)
|
2023-07-06 11:36:26 +03:00
|
|
|
|
|
|
|
_, err := scanner.scanIndex("repo", "digest")
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestIsIndexScanableErrors(t *testing.T) {
|
|
|
|
Convey("Errors", t, func() {
|
|
|
|
storeController := storage.StoreController{}
|
|
|
|
storeController.DefaultStore = mocks.MockedImageStore{}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB := mocks.MetaDBMock{}
|
2023-07-06 11:36:26 +03:00
|
|
|
log := log.NewLogger("debug", "")
|
|
|
|
|
|
|
|
Convey("GetIndexData errors", func() {
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB.GetIndexDataFn = func(indexDigest godigest.Digest) (mTypes.IndexData, error) {
|
|
|
|
return mTypes.IndexData{}, zerr.ErrManifestDataNotFound
|
2023-07-06 11:36:26 +03:00
|
|
|
}
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "", "", log)
|
2023-07-06 11:36:26 +03:00
|
|
|
|
|
|
|
_, err := scanner.isIndexScanable("digest")
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("bad index data, can't unmarshal", func() {
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB.GetIndexDataFn = func(indexDigest godigest.Digest) (mTypes.IndexData, error) {
|
|
|
|
return mTypes.IndexData{IndexBlob: []byte(`bad`)}, nil
|
2023-07-06 11:36:26 +03:00
|
|
|
}
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "", "", log)
|
2023-07-06 11:36:26 +03:00
|
|
|
|
|
|
|
ok, err := scanner.isIndexScanable("digest")
|
|
|
|
So(err, ShouldNotBeNil)
|
|
|
|
So(ok, ShouldBeFalse)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("is Manifest Scanable errors", func() {
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB.GetIndexDataFn = func(indexDigest godigest.Digest) (mTypes.IndexData, error) {
|
|
|
|
return mTypes.IndexData{IndexBlob: []byte(`{
|
2023-07-06 11:36:26 +03:00
|
|
|
"manifests": [{
|
|
|
|
"digest": "digest2"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"digest": "digest1"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}`)}, nil
|
|
|
|
}
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB.GetManifestDataFn = func(manifestDigest godigest.Digest) (mTypes.ManifestData, error) {
|
2023-07-06 11:36:26 +03:00
|
|
|
switch manifestDigest {
|
|
|
|
case "digest1":
|
2023-07-18 20:27:26 +03:00
|
|
|
return mTypes.ManifestData{
|
2023-07-06 11:36:26 +03:00
|
|
|
ManifestBlob: []byte("{}"),
|
|
|
|
}, nil
|
|
|
|
case "digest2":
|
2023-07-18 20:27:26 +03:00
|
|
|
return mTypes.ManifestData{}, zerr.ErrBadBlob
|
2023-07-06 11:36:26 +03:00
|
|
|
}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
return mTypes.ManifestData{}, nil
|
2023-07-06 11:36:26 +03:00
|
|
|
}
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "", "", log)
|
2023-07-06 11:36:26 +03:00
|
|
|
|
|
|
|
ok, err := scanner.isIndexScanable("digest")
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
So(ok, ShouldBeTrue)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("is Manifest Scanable returns false because no manifest is scanable", func() {
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB.GetIndexDataFn = func(indexDigest godigest.Digest) (mTypes.IndexData, error) {
|
|
|
|
return mTypes.IndexData{IndexBlob: []byte(`{
|
2023-07-06 11:36:26 +03:00
|
|
|
"manifests": [{
|
|
|
|
"digest": "digest2"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}`)}, nil
|
|
|
|
}
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB.GetManifestDataFn = func(manifestDigest godigest.Digest) (mTypes.ManifestData, error) {
|
|
|
|
return mTypes.ManifestData{}, zerr.ErrBadBlob
|
2023-07-06 11:36:26 +03:00
|
|
|
}
|
2023-07-18 20:27:26 +03:00
|
|
|
scanner := NewScanner(storeController, metaDB, "", "", log)
|
2023-07-06 11:36:26 +03:00
|
|
|
|
|
|
|
ok, err := scanner.isIndexScanable("digest")
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
So(ok, ShouldBeFalse)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|