mirror of
https://github.com/project-zot/zot.git
synced 2025-01-06 22:40:28 -05:00
Added image format validation to validate media type because squashfs image media type not supported for vulnerability scanning
This commit is contained in:
parent
2cf2c16137
commit
72ae02ca4b
6 changed files with 134 additions and 0 deletions
|
@ -34,4 +34,5 @@ var (
|
||||||
ErrConfigNotFound = errors.New("cli: config with the given name does not exist")
|
ErrConfigNotFound = errors.New("cli: config with the given name does not exist")
|
||||||
ErrNoURLProvided = errors.New("cli: no URL provided in argument or via config. see 'zot config -h'")
|
ErrNoURLProvided = errors.New("cli: no URL provided in argument or via config. see 'zot config -h'")
|
||||||
ErrIllegalConfigKey = errors.New("cli: given config key is not allowed")
|
ErrIllegalConfigKey = errors.New("cli: given config key is not allowed")
|
||||||
|
ErrScanNotSupported = errors.New("search: scanning of image media type not supported")
|
||||||
)
|
)
|
||||||
|
|
1
go.mod
1
go.mod
|
@ -14,6 +14,7 @@ require (
|
||||||
github.com/go-chi/chi v4.0.2+incompatible // indirect
|
github.com/go-chi/chi v4.0.2+incompatible // indirect
|
||||||
github.com/go-ldap/ldap/v3 v3.1.3
|
github.com/go-ldap/ldap/v3 v3.1.3
|
||||||
github.com/gofrs/uuid v3.2.0+incompatible
|
github.com/gofrs/uuid v3.2.0+incompatible
|
||||||
|
github.com/google/go-containerregistry v0.0.0-20200331213917-3d03ed9b1ca2
|
||||||
github.com/gorilla/handlers v1.4.2
|
github.com/gorilla/handlers v1.4.2
|
||||||
github.com/gorilla/mux v1.7.4
|
github.com/gorilla/mux v1.7.4
|
||||||
github.com/json-iterator/go v1.1.9
|
github.com/json-iterator/go v1.1.9
|
||||||
|
|
|
@ -10,6 +10,7 @@ go_library(
|
||||||
importpath = "github.com/anuvu/zot/pkg/extensions/search",
|
importpath = "github.com/anuvu/zot/pkg/extensions/search",
|
||||||
visibility = ["//visibility:public"],
|
visibility = ["//visibility:public"],
|
||||||
deps = [
|
deps = [
|
||||||
|
"//errors:go_default_library",
|
||||||
"//pkg/extensions/search/cve:go_default_library",
|
"//pkg/extensions/search/cve:go_default_library",
|
||||||
"//pkg/log:go_default_library",
|
"//pkg/log:go_default_library",
|
||||||
"//pkg/storage:go_default_library",
|
"//pkg/storage:go_default_library",
|
||||||
|
|
|
@ -9,10 +9,15 @@ go_library(
|
||||||
importpath = "github.com/anuvu/zot/pkg/extensions/search/cve",
|
importpath = "github.com/anuvu/zot/pkg/extensions/search/cve",
|
||||||
visibility = ["//visibility:public"],
|
visibility = ["//visibility:public"],
|
||||||
deps = [
|
deps = [
|
||||||
|
"//errors:go_default_library",
|
||||||
"//pkg/log:go_default_library",
|
"//pkg/log:go_default_library",
|
||||||
"@com_github_aquasecurity_trivy//integration:go_default_library",
|
"@com_github_aquasecurity_trivy//integration:go_default_library",
|
||||||
"@com_github_aquasecurity_trivy//integration/config:go_default_library",
|
"@com_github_aquasecurity_trivy//integration/config:go_default_library",
|
||||||
"@com_github_aquasecurity_trivy//pkg/report:go_default_library",
|
"@com_github_aquasecurity_trivy//pkg/report:go_default_library",
|
||||||
|
"@com_github_google_go_containerregistry//pkg/v1:go_default_library",
|
||||||
|
"@com_github_google_go_containerregistry//pkg/v1/types:go_default_library",
|
||||||
|
"@com_github_opencontainers_go_digest//:go_default_library",
|
||||||
|
"@com_github_opencontainers_image_spec//specs-go/v1:go_default_library",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -1,10 +1,21 @@
|
||||||
package cveinfo
|
package cveinfo
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
|
"path"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/anuvu/zot/errors"
|
||||||
"github.com/anuvu/zot/pkg/log"
|
"github.com/anuvu/zot/pkg/log"
|
||||||
integration "github.com/aquasecurity/trivy/integration"
|
integration "github.com/aquasecurity/trivy/integration"
|
||||||
config "github.com/aquasecurity/trivy/integration/config"
|
config "github.com/aquasecurity/trivy/integration/config"
|
||||||
"github.com/aquasecurity/trivy/pkg/report"
|
"github.com/aquasecurity/trivy/pkg/report"
|
||||||
|
v1 "github.com/google/go-containerregistry/pkg/v1"
|
||||||
|
"github.com/google/go-containerregistry/pkg/v1/types"
|
||||||
|
godigest "github.com/opencontainers/go-digest"
|
||||||
|
ispec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
// UpdateCVEDb ...
|
// UpdateCVEDb ...
|
||||||
|
@ -31,3 +42,91 @@ func NewTrivyConfig(dir string) (*config.Config, error) {
|
||||||
func ScanImage(config *config.Config) (report.Results, error) {
|
func ScanImage(config *config.Config) (report.Results, error) {
|
||||||
return integration.ScanTrivyImage(config.TrivyConfig)
|
return integration.ScanTrivyImage(config.TrivyConfig)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (cveinfo CveInfo) IsValidImageFormat(imagePath string) (bool, error) {
|
||||||
|
imageDir := getImageDir(imagePath)
|
||||||
|
|
||||||
|
if !dirExists(imageDir) {
|
||||||
|
cveinfo.Log.Error().Msg("Image Directory not exists")
|
||||||
|
|
||||||
|
return false, errors.ErrRepoNotFound
|
||||||
|
}
|
||||||
|
|
||||||
|
buf, err := ioutil.ReadFile(path.Join(imageDir, "index.json"))
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
if os.IsNotExist(err) {
|
||||||
|
cveinfo.Log.Error().Err(err).Msg("Index.json does not exist")
|
||||||
|
|
||||||
|
return false, errors.ErrRepoNotFound
|
||||||
|
}
|
||||||
|
|
||||||
|
cveinfo.Log.Error().Err(err).Msg("Unable to open index.json")
|
||||||
|
|
||||||
|
return false, errors.ErrRepoNotFound
|
||||||
|
}
|
||||||
|
|
||||||
|
var index ispec.Index
|
||||||
|
|
||||||
|
var blobManifest v1.Manifest
|
||||||
|
|
||||||
|
var digest godigest.Digest
|
||||||
|
|
||||||
|
if err := json.Unmarshal(buf, &index); err != nil {
|
||||||
|
cveinfo.Log.Error().Err(err).Msg("Unable to marshal index.json file")
|
||||||
|
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, m := range index.Manifests {
|
||||||
|
digest = m.Digest
|
||||||
|
|
||||||
|
blobBuf, err := ioutil.ReadFile(path.Join(imageDir, "blobs", digest.Algorithm().String(), digest.Encoded()))
|
||||||
|
if err != nil {
|
||||||
|
cveinfo.Log.Error().Err(err).Msg("Failed to read manifest file")
|
||||||
|
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := json.Unmarshal(blobBuf, &blobManifest); err != nil {
|
||||||
|
cveinfo.Log.Error().Err(err).Msg("Invalid manifest json")
|
||||||
|
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
imageLayers := blobManifest.Layers
|
||||||
|
|
||||||
|
for _, imageLayer := range imageLayers {
|
||||||
|
switch imageLayer.MediaType {
|
||||||
|
case types.OCILayer, types.DockerLayer:
|
||||||
|
return true, nil
|
||||||
|
|
||||||
|
default:
|
||||||
|
cveinfo.Log.Debug().Msg("Image media type not supported for scanning")
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func dirExists(d string) bool {
|
||||||
|
fi, err := os.Stat(d)
|
||||||
|
if err != nil && os.IsNotExist(err) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
return fi.IsDir()
|
||||||
|
}
|
||||||
|
|
||||||
|
func getImageDir(imageName string) string {
|
||||||
|
var imageDir string
|
||||||
|
if strings.Contains(imageName, ":") {
|
||||||
|
imageDir = strings.Split(imageName, ":")[0]
|
||||||
|
} else {
|
||||||
|
imageDir = imageName
|
||||||
|
}
|
||||||
|
|
||||||
|
return imageDir
|
||||||
|
}
|
||||||
|
|
|
@ -7,6 +7,7 @@ import (
|
||||||
"path"
|
"path"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"github.com/anuvu/zot/errors"
|
||||||
"github.com/anuvu/zot/pkg/log"
|
"github.com/anuvu/zot/pkg/log"
|
||||||
|
|
||||||
cveinfo "github.com/anuvu/zot/pkg/extensions/search/cve"
|
cveinfo "github.com/anuvu/zot/pkg/extensions/search/cve"
|
||||||
|
@ -54,6 +55,19 @@ func (r *queryResolver) CVEListForImage(ctx context.Context, image string) (*CVE
|
||||||
|
|
||||||
r.cveInfo.Log.Info().Str("Scanning Image", image).Msg("")
|
r.cveInfo.Log.Info().Str("Scanning Image", image).Msg("")
|
||||||
|
|
||||||
|
isValidImage, err := r.cveInfo.IsValidImageFormat(r.cveInfo.CveTrivyConfig.TrivyConfig.Input)
|
||||||
|
if !isValidImage {
|
||||||
|
r.cveInfo.Log.Debug().Msg("Image media type not supported for scanning")
|
||||||
|
|
||||||
|
return &CVEResultForImage{}, errors.ErrScanNotSupported
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
r.cveInfo.Log.Error().Err(err).Msg("Error scanning image repository")
|
||||||
|
|
||||||
|
return &CVEResultForImage{}, err
|
||||||
|
}
|
||||||
|
|
||||||
cveResults, err := cveinfo.ScanImage(r.cveInfo.CveTrivyConfig)
|
cveResults, err := cveinfo.ScanImage(r.cveInfo.CveTrivyConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
r.cveInfo.Log.Error().Err(err).Msg("Error scanning image repository")
|
r.cveInfo.Log.Error().Err(err).Msg("Error scanning image repository")
|
||||||
|
@ -143,6 +157,19 @@ func (r *queryResolver) ImageListForCve(ctx context.Context, id string) ([]*ImgR
|
||||||
for _, repo := range repoList {
|
for _, repo := range repoList {
|
||||||
r.cveInfo.Log.Info().Str("Extracting list of tags available in image", repo).Msg("")
|
r.cveInfo.Log.Info().Str("Extracting list of tags available in image", repo).Msg("")
|
||||||
|
|
||||||
|
isValidImage, err := r.cveInfo.IsValidImageFormat(path.Join(r.dir, repo))
|
||||||
|
if !isValidImage {
|
||||||
|
r.cveInfo.Log.Debug().Str("Image media type not supported for scanning", repo)
|
||||||
|
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
r.cveInfo.Log.Error().Err(err).Str("Error reading image media type", repo)
|
||||||
|
|
||||||
|
return cveResult, err
|
||||||
|
}
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
r.cveInfo.Log.Error().Err(err).Str("Error reading image media type", repo)
|
r.cveInfo.Log.Error().Err(err).Str("Error reading image media type", repo)
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue