fix(oci): handling of complex image indexes (aquasecurity#262)

image/oci.go

@@ -49,11 +49,21 @@ func tryOCI(fileName string) (v1.Image, error) {
 func getOCIImage(m *v1.IndexManifest, index v1.ImageIndex, inputTag string) (v1.Image, error) {
 	for _, manifest := range m.Manifests {
 		annotation := manifest.Annotations
-
 		tag := annotation[ispec.AnnotationRefName]
 		if inputTag == "" || // always select the first digest
 			tag == inputTag {
 			h := manifest.Digest
+			if manifest.MediaType.IsIndex() {
+				childIndex, err := index.ImageIndex(h)
+				if err != nil {
+					return nil, xerrors.Errorf("unable to retrieve a child image %q: %w", h.String(), err)
+				}
+				childManifest, err := childIndex.IndexManifest()
+				if err != nil {
+					return nil, xerrors.Errorf("invalid a child manifest for %q: %w", h.String(), err)
+				}
+				return getOCIImage(childManifest, childIndex, "")
+			}
 
 			img, err := index.Image(h)
 			if err != nil {

image/oci_test.go

@@ -0,0 +1,57 @@
+package image
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestTryOCI(t *testing.T) {
+	tests := []struct{
+		name string
+		ociImagePath string
+		wantErr string
+	}{
+		{
+			name: "correct path to index without tag",
+			ociImagePath: "testdata/multi",
+			wantErr: "",
+		},
+		{
+			name: "correct path to index with correct tag",
+			ociImagePath: "testdata/multi:tg11",
+			wantErr: "",
+		},
+		{
+			name: "correct path to index with incorrect tag",
+			ociImagePath: "testdata/multi:tg12",
+			wantErr: "invalid OCI image tag",
+		},
+		{
+			name: "correct path to manifest without tag",
+			ociImagePath: "testdata/single",
+			wantErr: "",
+		},
+		{
+			name: "correct path to manifest with correct tag",
+			ociImagePath: "testdata/single:3.14",
+			wantErr: "",
+		},
+		{
+			name: "correct path to manifest with incorrect tag",
+			ociImagePath: "testdata/single:3.11",
+			wantErr: "invalid OCI image tag",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			_, err := tryOCI(test.ociImagePath)
+			if test.wantErr != "" {
+				assert.NotNil(t, err)
+				assert.Contains(t, err.Error(), test.wantErr, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

image/testdata/multi/blobs/sha256/56f658ee7c94c1a65099c680916c12f6b81ae4c586c662a8146791054fa466ab

@@ -0,0 +1 @@
+{"schemaVersion":2,"manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:56ae38f2f5c54b98311b8b2463d4861368c451ac17098f4227d84946b42ab96d","size":348,"platform":{"architecture":"amd64","os":"linux"}},{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:d4797ba2a3f15e3fe4c13398104f2199cc3fe22da004c9d382a60b74990136ad","size":348,"platform":{"architecture":"arm","os":"linux"}}]}

image/testdata/multi/index.json

@@ -0,0 +1 @@
+{"schemaVersion":2,"manifests":[{"mediaType":"application/vnd.oci.image.index.v1+json","digest":"sha256:56f658ee7c94c1a65099c680916c12f6b81ae4c586c662a8146791054fa466ab","size":435,"annotations":{"org.opencontainers.image.ref.name":"tg11"}}]}

image/testdata/single/index.json

@@ -0,0 +1 @@
+{"schemaVersion":2,"manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:56ae38f2f5c54b98311b8b2463d4861368c451ac17098f4227d84946b42ab96d","size":348,"annotations":{"org.opencontainers.image.ref.name":"3.14"}}]}