mirror of
https://github.com/project-zot/zot.git
synced 2025-01-20 22:52:51 -05:00
b80deb9927
unified both local and s3 ImageStore logic into a single ImageStore added a new driver interface for common file/dirs manipulations to be implemented by different storage types refactor(gc): drop umoci dependency, implemented internal gc added retentionDelay config option that specifies the garbage collect delay for images without tags this will also clean manifests which are part of an index image (multiarch) that no longer exist. fix(dedupe): skip blobs under .sync/ directory if startup dedupe is running while also syncing is running ignore blobs under sync's temporary storage fix(storage): do not allow image indexes modifications when deleting a manifest verify that it is not part of a multiarch image and throw a MethodNotAllowed error to the client if it is. we don't want to modify multiarch images Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
219 lines
6.5 KiB
Go
219 lines
6.5 KiB
Go
package trivy_test
|
|
|
|
import (
|
|
"path/filepath"
|
|
"testing"
|
|
"time"
|
|
|
|
godigest "github.com/opencontainers/go-digest"
|
|
ispec "github.com/opencontainers/image-spec/specs-go/v1"
|
|
. "github.com/smartystreets/goconvey/convey"
|
|
|
|
zerr "zotregistry.io/zot/errors"
|
|
"zotregistry.io/zot/pkg/api"
|
|
"zotregistry.io/zot/pkg/api/config"
|
|
extconf "zotregistry.io/zot/pkg/extensions/config"
|
|
"zotregistry.io/zot/pkg/extensions/monitoring"
|
|
"zotregistry.io/zot/pkg/extensions/search/cve/trivy"
|
|
"zotregistry.io/zot/pkg/log"
|
|
"zotregistry.io/zot/pkg/meta"
|
|
"zotregistry.io/zot/pkg/meta/boltdb"
|
|
mTypes "zotregistry.io/zot/pkg/meta/types"
|
|
"zotregistry.io/zot/pkg/storage"
|
|
"zotregistry.io/zot/pkg/storage/local"
|
|
"zotregistry.io/zot/pkg/test"
|
|
"zotregistry.io/zot/pkg/test/mocks"
|
|
)
|
|
|
|
func TestScanBigTestFile(t *testing.T) {
|
|
Convey("Scan zot-test", t, func() {
|
|
projRootDir, err := test.GetProjectRootDir()
|
|
So(err, ShouldBeNil)
|
|
|
|
testImage := filepath.Join(projRootDir, "test/data/zot-test")
|
|
|
|
tempDir := t.TempDir()
|
|
port := test.GetFreePort()
|
|
conf := config.New()
|
|
conf.HTTP.Port = port
|
|
defaultVal := true
|
|
conf.Storage.RootDirectory = tempDir
|
|
conf.Extensions = &extconf.ExtensionConfig{
|
|
Search: &extconf.SearchConfig{
|
|
BaseConfig: extconf.BaseConfig{Enable: &defaultVal},
|
|
},
|
|
}
|
|
ctlr := api.NewController(conf)
|
|
So(ctlr, ShouldNotBeNil)
|
|
|
|
err = test.CopyFiles(testImage, filepath.Join(tempDir, "zot-test"))
|
|
So(err, ShouldBeNil)
|
|
|
|
cm := test.NewControllerManager(ctlr)
|
|
cm.StartAndWait(port)
|
|
defer cm.StopServer()
|
|
// scan
|
|
scanner := trivy.NewScanner(ctlr.StoreController, ctlr.MetaDB, "ghcr.io/project-zot/trivy-db", "", ctlr.Log)
|
|
|
|
err = scanner.UpdateDB()
|
|
So(err, ShouldBeNil)
|
|
|
|
cveMap, err := scanner.ScanImage("zot-test:0.0.1")
|
|
So(err, ShouldBeNil)
|
|
So(cveMap, ShouldNotBeNil)
|
|
})
|
|
}
|
|
|
|
func TestScanningByDigest(t *testing.T) {
|
|
Convey("Scan the individual manifests inside an index", t, func() {
|
|
// start server
|
|
tempDir := t.TempDir()
|
|
port := test.GetFreePort()
|
|
baseURL := test.GetBaseURL(port)
|
|
conf := config.New()
|
|
conf.HTTP.Port = port
|
|
defaultVal := true
|
|
conf.Storage.RootDirectory = tempDir
|
|
conf.Extensions = &extconf.ExtensionConfig{
|
|
Search: &extconf.SearchConfig{
|
|
BaseConfig: extconf.BaseConfig{Enable: &defaultVal},
|
|
},
|
|
}
|
|
ctlr := api.NewController(conf)
|
|
So(ctlr, ShouldNotBeNil)
|
|
|
|
cm := test.NewControllerManager(ctlr)
|
|
cm.StartAndWait(port)
|
|
defer cm.StopServer()
|
|
// push index with 2 manifests: one with vulns and one without
|
|
vulnImage := test.CreateDefaultVulnerableImage()
|
|
|
|
simpleImage := test.CreateRandomImage()
|
|
|
|
multiArch := test.GetMultiarchImageForImages([]test.Image{simpleImage, vulnImage}) //nolint:staticcheck
|
|
|
|
err := test.UploadMultiarchImage(multiArch, baseURL, "multi-arch", "multi-arch-tag")
|
|
So(err, ShouldBeNil)
|
|
|
|
// scan
|
|
scanner := trivy.NewScanner(ctlr.StoreController, ctlr.MetaDB, "ghcr.io/project-zot/trivy-db", "", ctlr.Log)
|
|
|
|
err = scanner.UpdateDB()
|
|
So(err, ShouldBeNil)
|
|
|
|
cveMap, err := scanner.ScanImage("multi-arch@" + vulnImage.DigestStr())
|
|
So(err, ShouldBeNil)
|
|
So(cveMap, ShouldContainKey, test.Vulnerability1ID)
|
|
So(cveMap, ShouldContainKey, test.Vulnerability2ID)
|
|
So(cveMap, ShouldContainKey, test.Vulnerability3ID)
|
|
|
|
cveMap, err = scanner.ScanImage("multi-arch@" + simpleImage.DigestStr())
|
|
So(err, ShouldBeNil)
|
|
So(cveMap, ShouldBeEmpty)
|
|
|
|
cveMap, err = scanner.ScanImage("multi-arch@" + multiArch.DigestStr())
|
|
So(err, ShouldBeNil)
|
|
So(cveMap, ShouldContainKey, test.Vulnerability1ID)
|
|
So(cveMap, ShouldContainKey, test.Vulnerability2ID)
|
|
So(cveMap, ShouldContainKey, test.Vulnerability3ID)
|
|
|
|
cveMap, err = scanner.ScanImage("multi-arch:multi-arch-tag")
|
|
So(err, ShouldBeNil)
|
|
So(cveMap, ShouldContainKey, test.Vulnerability1ID)
|
|
So(cveMap, ShouldContainKey, test.Vulnerability2ID)
|
|
So(cveMap, ShouldContainKey, test.Vulnerability3ID)
|
|
})
|
|
}
|
|
|
|
func TestScannerErrors(t *testing.T) {
|
|
digest := godigest.FromString("dig")
|
|
|
|
Convey("Errors", t, func() {
|
|
storeController := storage.StoreController{}
|
|
storeController.DefaultStore = mocks.MockedImageStore{}
|
|
|
|
metaDB := mocks.MetaDBMock{}
|
|
log := log.NewLogger("debug", "")
|
|
|
|
Convey("IsImageFormatSanable", func() {
|
|
metaDB.GetManifestDataFn = func(manifestDigest godigest.Digest) (mTypes.ManifestData, error) {
|
|
return mTypes.ManifestData{}, zerr.ErrManifestDataNotFound
|
|
}
|
|
metaDB.GetIndexDataFn = func(indexDigest godigest.Digest) (mTypes.IndexData, error) {
|
|
return mTypes.IndexData{}, zerr.ErrManifestDataNotFound
|
|
}
|
|
scanner := trivy.NewScanner(storeController, metaDB, "", "", log)
|
|
|
|
_, err := scanner.ScanImage("repo@" + digest.String())
|
|
So(err, ShouldNotBeNil)
|
|
})
|
|
})
|
|
}
|
|
|
|
func TestVulnerableLayer(t *testing.T) {
|
|
Convey("Vulnerable layer", t, func() {
|
|
vulnerableLayer, err := test.GetLayerWithVulnerability()
|
|
So(err, ShouldBeNil)
|
|
|
|
created, err := time.Parse(time.RFC3339, "2023-03-29T18:19:24Z")
|
|
So(err, ShouldBeNil)
|
|
|
|
config := ispec.Image{
|
|
Created: &created,
|
|
Platform: ispec.Platform{
|
|
Architecture: "amd64",
|
|
OS: "linux",
|
|
},
|
|
Config: ispec.ImageConfig{
|
|
Env: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"},
|
|
Cmd: []string{"/bin/sh"},
|
|
},
|
|
RootFS: ispec.RootFS{
|
|
Type: "layers",
|
|
DiffIDs: []godigest.Digest{"sha256:f1417ff83b319fbdae6dd9cd6d8c9c88002dcd75ecf6ec201c8c6894681cf2b5"},
|
|
},
|
|
}
|
|
|
|
img := test.CreateImageWith().
|
|
LayerBlobs([][]byte{vulnerableLayer}).
|
|
ImageConfig(config).
|
|
Build()
|
|
|
|
tempDir := t.TempDir()
|
|
|
|
log := log.NewLogger("debug", "")
|
|
imageStore := local.NewImageStore(tempDir, false, false, 0, 0, false, false,
|
|
log, monitoring.NewMetricsServer(false, log), nil, nil)
|
|
|
|
storeController := storage.StoreController{
|
|
DefaultStore: imageStore,
|
|
}
|
|
|
|
err = test.WriteImageToFileSystem(img, "repo", img.DigestStr(), storeController)
|
|
So(err, ShouldBeNil)
|
|
|
|
params := boltdb.DBParameters{
|
|
RootDir: tempDir,
|
|
}
|
|
boltDriver, err := boltdb.GetBoltDriver(params)
|
|
So(err, ShouldBeNil)
|
|
|
|
metaDB, err := boltdb.New(boltDriver, log)
|
|
So(err, ShouldBeNil)
|
|
|
|
err = meta.ParseStorage(metaDB, storeController, log)
|
|
So(err, ShouldBeNil)
|
|
|
|
scanner := trivy.NewScanner(storeController, metaDB, "ghcr.io/project-zot/trivy-db", "", log)
|
|
|
|
err = scanner.UpdateDB()
|
|
So(err, ShouldBeNil)
|
|
|
|
cveMap, err := scanner.ScanImage("repo@" + img.DigestStr())
|
|
So(err, ShouldBeNil)
|
|
t.Logf("cveMap: %v", cveMap)
|
|
// As of July 15 2023 there are 3 CVEs: CVE-2023-1255, CVE-2023-2650, CVE-2023-2975
|
|
// There may be more discovered in the future
|
|
So(len(cveMap), ShouldBeGreaterThanOrEqualTo, 3)
|
|
})
|
|
}
|