//go:build search
package trivy_test
import (
godigest "github.com/opencontainers/go-digest"
ispec "github.com/opencontainers/image-spec/specs-go/v1"
. "github.com/smartystreets/goconvey/convey"
extconf "zotregistry.io/zot/pkg/extensions/config"
. "zotregistry.io/zot/pkg/test/common"
. "zotregistry.io/zot/pkg/test/image-utils"
// TestScanBigTestFile scans the pre-built zot-test fixture (test/data/zot-test)
// after copying it into a fresh temporary storage root owned by a controller
// with the search extension enabled. It only checks that a scan of the
// fixture's tag succeeds and yields a non-nil result.
//
// NOTE(review): this listing appears truncated (closing braces and any server
// start-up between NewControllerManager and StopServer are not visible) —
// confirm against the repository before relying on it.
func TestScanBigTestFile(t *testing.T) {
Convey("Scan zot-test", t, func() {
2023-09-27 21:34:48 +03:00
projRootDir, err := GetProjectRootDir()
2023-08-18 11:46:11 +03:00
So(err, ShouldBeNil)
// Resolve the fixture relative to the project root rather than the CWD, so the
// test does not depend on where `go test` is invoked from.
testImage := filepath.Join(projRootDir, "test/data/zot-test")
// Per-test storage root; the testing package removes it on completion.
tempDir := t.TempDir()
2023-09-27 21:34:48 +03:00
port := GetFreePort()
2023-08-18 11:46:11 +03:00
conf := config.New()
conf.HTTP.Port = port
defaultVal := true
conf.Storage.RootDirectory = tempDir
// Enable the search extension explicitly for this controller.
conf.Extensions = &extconf.ExtensionConfig{
Search: &extconf.SearchConfig{
BaseConfig: extconf.BaseConfig{Enable: &defaultVal},
ctlr := api.NewController(conf)
So(ctlr, ShouldNotBeNil)
2023-09-27 21:34:48 +03:00
// Seed the storage root directly from the on-disk fixture instead of pushing
// the image over HTTP.
err = CopyFiles(testImage, filepath.Join(tempDir, "zot-test"))
2023-08-18 11:46:11 +03:00
So(err, ShouldBeNil)
2023-09-27 21:34:48 +03:00
cm := NewControllerManager(ctlr)
2023-08-18 11:46:11 +03:00
defer cm.StopServer()
// scan
// The scanner is pointed at the upstream Trivy DB image on ghcr.io and
// UpdateDB presumably fetches it, so this test needs network access and trusts
// whatever that registry serves — no version or digest pin is visible here.
// The meaning of the empty second argument is not visible in this listing;
// check NewScanner's signature before changing it.
scanner := trivy.NewScanner(ctlr.StoreController, ctlr.MetaDB, "ghcr.io/project-zot/trivy-db", "", ctlr.Log)
err = scanner.UpdateDB()
So(err, ShouldBeNil)
cveMap, err := scanner.ScanImage("zot-test:0.0.1")
So(err, ShouldBeNil)
// Only non-nil is asserted — presumably because the fixture's CVE set drifts as
// the live DB changes, so no specific IDs are pinned for this image.
So(cveMap, ShouldNotBeNil)
// TestScanningByDigest pushes a multi-arch index holding one image with known
// vulnerabilities and one clean random image, then scans each child manifest
// by digest, the index by digest, and the index by tag.
//
// The security-relevant property under test is reference scoping: a scan of
// `repo@<manifest digest>` must report findings for exactly that manifest
// (the clean child must come back empty), while scanning the index itself —
// by digest or by tag — must still surface the vulnerable child's findings.
//
// NOTE(review): this listing appears truncated (closing braces, the tail of
// the GetMultiarchImageForImages call and any server start-up are not
// visible) — confirm against the repository.
func TestScanningByDigest(t *testing.T) {
Convey("Scan the individual manifests inside an index", t, func() {
// start server
tempDir := t.TempDir()
2023-09-27 21:34:48 +03:00
port := GetFreePort()
baseURL := GetBaseURL(port)
2023-07-06 11:36:26 +03:00
conf := config.New()
conf.HTTP.Port = port
defaultVal := true
conf.Storage.RootDirectory = tempDir
// Enable the search extension explicitly for this controller.
conf.Extensions = &extconf.ExtensionConfig{
Search: &extconf.SearchConfig{
BaseConfig: extconf.BaseConfig{Enable: &defaultVal},
ctlr := api.NewController(conf)
So(ctlr, ShouldNotBeNil)
2023-09-27 21:34:48 +03:00
cm := NewControllerManager(ctlr)
2023-07-06 11:36:26 +03:00
defer cm.StopServer()
// push index with 2 manifests: one with vulns and one without
2023-09-15 19:53:15 +03:00
vulnImage := CreateDefaultVulnerableImage()
2023-07-06 11:36:26 +03:00
2023-09-15 19:53:15 +03:00
simpleImage := CreateRandomImage()
2023-07-06 11:36:26 +03:00
2023-09-27 21:34:48 +03:00
// Uses a helper marked deprecated upstream (hence the nolint). The call is cut
// off in this listing; the second element is presumably vulnImage — confirm.
multiArch := deprecated.GetMultiarchImageForImages([]Image{simpleImage, //nolint:staticcheck
2023-07-06 11:36:26 +03:00
2023-09-15 19:53:15 +03:00
// Push over HTTP so the index and both children go through the normal upload
// path rather than being written to disk directly.
err := UploadMultiarchImage(multiArch, baseURL, "multi-arch", "multi-arch-tag")
2023-07-06 11:36:26 +03:00
So(err, ShouldBeNil)
// scan
2023-07-18 20:27:26 +03:00
// Trivy DB is fetched from the upstream ghcr.io image; requires network and
// trusts that registry (no pin is visible here). The empty second argument's
// meaning is not visible in this listing.
scanner := trivy.NewScanner(ctlr.StoreController, ctlr.MetaDB, "ghcr.io/project-zot/trivy-db", "", ctlr.Log)
2023-07-06 11:36:26 +03:00
err = scanner.UpdateDB()
So(err, ShouldBeNil)
2023-07-26 13:08:04 +03:00
// Vulnerable child, addressed by its own manifest digest.
cveMap, err := scanner.ScanImage("multi-arch@" + vulnImage.DigestStr())
2023-07-06 11:36:26 +03:00
So(err, ShouldBeNil)
2023-09-15 19:53:15 +03:00
So(cveMap, ShouldContainKey, Vulnerability1ID)
So(cveMap, ShouldContainKey, Vulnerability2ID)
So(cveMap, ShouldContainKey, Vulnerability3ID)
2023-07-06 11:36:26 +03:00
2023-07-26 13:08:04 +03:00
// Clean child, addressed by digest: must be empty. This is the check that
// findings from the sibling manifest do not leak into a digest-scoped scan.
cveMap, err = scanner.ScanImage("multi-arch@" + simpleImage.DigestStr())
2023-07-06 11:36:26 +03:00
So(err, ShouldBeNil)
So(cveMap, ShouldBeEmpty)
2023-07-26 13:08:04 +03:00
// The index itself, by digest: the vulnerable child's findings must show up.
cveMap, err = scanner.ScanImage("multi-arch@" + multiArch.DigestStr())
2023-07-06 11:36:26 +03:00
So(err, ShouldBeNil)
2023-09-15 19:53:15 +03:00
So(cveMap, ShouldContainKey, Vulnerability1ID)
So(cveMap, ShouldContainKey, Vulnerability2ID)
So(cveMap, ShouldContainKey, Vulnerability3ID)
2023-07-06 11:36:26 +03:00
// The index by tag: same expectation as the index-by-digest scan above.
cveMap, err = scanner.ScanImage("multi-arch:multi-arch-tag")
So(err, ShouldBeNil)
2023-09-15 19:53:15 +03:00
So(cveMap, ShouldContainKey, Vulnerability1ID)
So(cveMap, ShouldContainKey, Vulnerability2ID)
So(cveMap, ShouldContainKey, Vulnerability3ID)
2023-07-06 11:36:26 +03:00
// TestVulnerableLayer builds a single-layer image around a layer with known
// vulnerabilities, writes it straight into a local image store (no HTTP
// server), indexes that store into a BoltDB-backed MetaDB, and asserts that a
// digest-addressed scan reports a fixed set of CVE IDs.
//
// Unlike the controller-based tests in this file, this exercises the scanner
// against storage and MetaDB wired up by hand.
//
// NOTE(review): this listing appears truncated (closing braces and the
// CreateImageWith() builder chain are not visible) — confirm against the
// repository.
func TestVulnerableLayer(t *testing.T) {
Convey("Vulnerable layer", t, func() {
2023-09-15 19:53:15 +03:00
vulnerableLayer, err := GetLayerWithVulnerability()
2023-07-06 11:36:26 +03:00
So(err, ShouldBeNil)
// Fixed creation timestamp so the image config (and hence its digest) is
// deterministic across runs.
created, err := time.Parse(time.RFC3339, "2023-03-29T18:19:24Z")
So(err, ShouldBeNil)
config := ispec.Image{
Created: &created,
Platform: ispec.Platform{
Architecture: "amd64",
OS: "linux",
Config: ispec.ImageConfig{
Env: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"},
Cmd: []string{"/bin/sh"},
RootFS: ispec.RootFS{
Type: "layers",
// Pinned DiffID for the vulnerable layer; presumably the uncompressed digest of
// vulnerableLayer, so changing the fixture layer means updating this value too.
DiffIDs: []godigest.Digest{"sha256:f1417ff83b319fbdae6dd9cd6d8c9c88002dcd75ecf6ec201c8c6894681cf2b5"},
2023-09-15 19:53:15 +03:00
// Builder chain is cut off in this listing — see NOTE(review) above.
img := CreateImageWith().
2023-07-26 13:08:04 +03:00
2023-07-06 11:36:26 +03:00
tempDir := t.TempDir()
// Shadows the imported `log` package with a logger instance for the rest of
// this closure.
log := log.NewLogger("debug", "")
2023-09-22 21:51:20 +03:00
// The two boolean arguments' meanings are not visible here; see
// local.NewImageStore. Metrics server is constructed with `false` — presumably
// disabled.
imageStore := local.NewImageStore(tempDir, false, false,
2023-07-06 11:36:26 +03:00
log, monitoring.NewMetricsServer(false, log), nil, nil)
storeController := storage.StoreController{
DefaultStore: imageStore,
2023-09-27 21:34:48 +03:00
// Write the image directly to disk under "repo", keyed by its digest, rather
// than pushing it through the API.
err = WriteImageToFileSystem(img, "repo", img.DigestStr(), storeController)
2023-07-06 11:36:26 +03:00
So(err, ShouldBeNil)
2023-07-18 20:27:26 +03:00
// BoltDB lives alongside the image store in the same temp dir.
params := boltdb.DBParameters{
2023-07-06 11:36:26 +03:00
RootDir: tempDir,
2023-07-18 20:27:26 +03:00
boltDriver, err := boltdb.GetBoltDriver(params)
2023-07-06 11:36:26 +03:00
So(err, ShouldBeNil)
2023-07-18 20:27:26 +03:00
metaDB, err := boltdb.New(boltDriver, log)
2023-07-06 11:36:26 +03:00
So(err, ShouldBeNil)
2023-07-18 20:27:26 +03:00
// Presumably indexes what is already on disk into metaDB so the scanner can
// resolve "repo@<digest>" — confirm against meta.ParseStorage.
err = meta.ParseStorage(metaDB, storeController, log)
2023-07-06 11:36:26 +03:00
So(err, ShouldBeNil)
2023-07-18 20:27:26 +03:00
// Trivy DB is fetched from the upstream ghcr.io image; requires network and
// trusts that registry (no pin is visible here). The empty second argument's
// meaning is not visible in this listing.
scanner := trivy.NewScanner(storeController, metaDB, "ghcr.io/project-zot/trivy-db", "", log)
2023-07-06 11:36:26 +03:00
err = scanner.UpdateDB()
So(err, ShouldBeNil)
2023-07-26 13:08:04 +03:00
cveMap, err := scanner.ScanImage("repo@" + img.DigestStr())
2023-07-06 11:36:26 +03:00
So(err, ShouldBeNil)
2023-07-16 18:27:59 +03:00
// Logged in full so a mismatch against the live DB can be diagnosed from the
// test output.
t.Logf("cveMap: %v", cveMap)
2023-09-22 21:49:17 +03:00
// Expected set as observed against the live Trivy DB on 17 September 2023:
// CVE-2023-1255, CVE-2023-2650, CVE-2023-2975, CVE-2023-3817, CVE-2023-3446.
2023-07-16 18:27:59 +03:00
// A lower bound is used because new CVEs may be added to the DB over time.
// Note that the per-ID assertions below still break if any of these five is
// withdrawn or re-scoped in the DB — this test's pass/fail depends on
// external, unpinned data.
2023-09-22 21:49:17 +03:00
So(len(cveMap), ShouldBeGreaterThanOrEqualTo, 5)
So(cveMap, ShouldContainKey, "CVE-2023-1255")
So(cveMap, ShouldContainKey, "CVE-2023-2650")
So(cveMap, ShouldContainKey, "CVE-2023-2975")
So(cveMap, ShouldContainKey, "CVE-2023-3817")
So(cveMap, ShouldContainKey, "CVE-2023-3446")