refactor(report): Replacing source_location in github report when…
… scanning an image (aquasecurity#5999)

Co-authored-by: DmitriyLewen <[email protected]>
Maxim-Durand and DmitriyLewen authored Feb 22, 2024
1 parent cd3e4bc commit 388f476
Showing 2 changed files with 90 additions and 2 deletions.
25 changes: 23 additions & 2 deletions pkg/report/github/github.go
Expand Up @@ -105,8 +105,25 @@ func (w Writer) Write(ctx context.Context, report types.Report) error {
manifest.Name = string(result.Type)
// show path for language-specific packages only
if result.Class == types.ClassLangPkg {
manifest.File = &File{
SrcLocation: result.Target,
if report.ArtifactType == ftypes.ArtifactContainerImage {
// `RepoDigests` ~= <registry>/<image_name>@sha256:<image_hash>
// `RepoTag` ~= <registry>/<image_name>:<image_tag>
// By concatenating the hash from `RepoDigests` at the end of `RepoTag` we get all the information
imageReference := strings.Join(report.Metadata.RepoTags, ", ")
imageWithHash := strings.Join(report.Metadata.RepoDigests, ", ")
_, imageHash, found := strings.Cut(imageWithHash, "@")
if found {
imageReference += "@" + imageHash
}
// Replacing `source_location` in manifest by the image name, tag and hash
manifest.File = &File{
SrcLocation: imageReference,
}

} else {
manifest.File = &File{
SrcLocation: result.Target,
}
}
}

Expand All @@ -123,6 +140,10 @@ func (w Writer) Write(ctx context.Context, report types.Report) error {
return xerrors.Errorf("unable to build purl for %s: %w", pkg.Name, err)
}

if pkg.FilePath != "" {
githubPkg.Metadata = Metadata{"source_location": pkg.FilePath}
}

resolved[pkg.Name] = githubPkg
}

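Review bot: The reference built at `imageReference := strings.Join(report.Metadata.RepoTags, ", ")` and the `strings.Cut(imageWithHash, "@")` over the joined `RepoDigests` only yield a well-formed `<tag>@sha256:<hash>` when there is exactly one tag and one digest: with several digests `imageHash` runs to the end of the joined string (including the later `<image>@` prefixes), with several tags the hash lands after a comma-separated list, and with neither slice populated (an image loaded from an archive, presumably) `source_location` becomes the empty string where the old `result.Target` was at least informative. Since this value is what GitHub records as the provenance of every package in the manifest, it should stay a single parseable image reference; selecting the first digest and first tag explicitly and falling back to `report.ArtifactName` does that without changing the single-tag/single-digest output the new test expects. `Write` starts and ends outside this hunk.
```go
if report.ArtifactType == ftypes.ArtifactContainerImage {
	// Prefer <tag>@<digest>; fall back to the tag alone, then to the artifact name.
	imageReference := report.ArtifactName
	if len(report.Metadata.RepoTags) > 0 {
		imageReference = report.Metadata.RepoTags[0]
	}
	if len(report.Metadata.RepoDigests) > 0 {
		if _, imageHash, found := strings.Cut(report.Metadata.RepoDigests[0], "@"); found {
			imageReference += "@" + imageHash
		}
	}
	manifest.File = &File{
		SrcLocation: imageReference,
	}
} else {
	// … unchanged: result.Target branch …
}
```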
67 changes: 67 additions & 0 deletions pkg/report/github/github_test.go
Expand Up @@ -164,6 +164,73 @@ func TestWriter_Write(t *testing.T) {
},
},
},
{
name: "pypi from image",
report: types.Report{
SchemaVersion: 2,
ArtifactName: "fake_repo.azurecr.io/image_name",
ArtifactType: "container_image",
Metadata: types.Metadata{
RepoDigests: []string{"fake_repo.azurecr.io/image_name@sha256:a7c92cdcb3d010f6edeb37ddcdbacab14981aa31e7f1140e0097dc1b8e834c49"},
RepoTags: []string{"fake_repo.azurecr.io/image_name:latest"},
},
Results: types.Results{
{
Target: "Python",
Class: "lang-pkgs",
Type: "python-pkg",
Packages: []ftypes.Package{
{
Name: "jwcrypto",
Version: "0.7",
Licenses: []string{
"LGPLv3+",
},
Layer: ftypes.Layer{
Digest: "sha256:ddc612ba4e74ea5633a93e19e7c32f61f5f230073b21a070302a61ef5eec5c50",
DiffID: "sha256:12935ef6ce21a266aef8df75d601cebf7e935edd01e9f19fab16ccb78fbb9a5e",
},
FilePath: "opt/pyenv/versions/3.11.2/lib/python3.11/site-packages/jwcrypto-0.7.dist-info/METADATA",
},
{
Name: "matplotlib",
Version: "3.5.3",
Licenses: []string{
"PSF",
},
Layer: ftypes.Layer{
Digest: "sha256:ddc612ba4e74ea5633a93e19e7c32f61f5f230073b21a070302a61ef5eec5c50",
DiffID: "sha256:12935ef6ce21a266aef8df75d601cebf7e935edd01e9f19fab16ccb78fbb9a5e",
},
FilePath: "opt/pyenv/versions/3.11.2/lib/python3.11/site-packages/matplotlib-3.5.3.dist-info/METADATA",
},
},
},
},
},
want: map[string]github.Manifest{
"Python": {
Name: "python-pkg",
File: &github.File{
SrcLocation: "fake_repo.azurecr.io/image_name:latest@sha256:a7c92cdcb3d010f6edeb37ddcdbacab14981aa31e7f1140e0097dc1b8e834c49",
},
Resolved: map[string]github.Package{
"jwcrypto": {
PackageUrl: "pkg:pypi/[email protected]",
Relationship: "direct",
Scope: "runtime",
Metadata: github.Metadata{"source_location": "opt/pyenv/versions/3.11.2/lib/python3.11/site-packages/jwcrypto-0.7.dist-info/METADATA"},
},
"matplotlib": {
PackageUrl: "pkg:pypi/[email protected]",
Relationship: "direct",
Scope: "runtime",
Metadata: github.Metadata{"source_location": "opt/pyenv/versions/3.11.2/lib/python3.11/site-packages/matplotlib-3.5.3.dist-info/METADATA"},
},
},
},
},
},
}

for _, tt := range tests {
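Review bot: The new `pypi from image` case pins only the happy path of one `RepoTag` and one `RepoDigest`, so nothing exercises the `strings.Join` and `strings.Cut` in `Write` with several tags or digests, or with both `Metadata` slices empty, which is exactly where the resulting `SrcLocation` is least obvious. Adding a case with two `RepoDigests` and one with an empty `types.Metadata{}` would make the intended `source_location` for those shapes explicit instead of leaving it implied by the implementation. `TestWriter_Write` starts and ends outside this hunk.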
