Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(dockerfile): add Image Referencer for Dockerfile #3571

Merged
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions checkov/common/images/image_referencer.py
Original file line number Diff line number Diff line change
Expand Up @@ -117,10 +117,10 @@ class ImageReferencerMixin:

def check_container_image_references(
self,
graph_connector: DiGraph | None,
root_path: str | Path | None,
runner_filter: RunnerFilter,
definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None
definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None,
graph_connector: DiGraph | None = None,
) -> Report | None:
"""Tries to find image references in graph based IaC templates"""
from checkov.common.bridgecrew.platform_integration import bc_integration
Expand Down
27 changes: 24 additions & 3 deletions checkov/dockerfile/base_registry.py
Original file line number Diff line number Diff line change
@@ -1,15 +1,36 @@
from __future__ import annotations

from typing import TYPE_CHECKING, Any

from checkov.common.bridgecrew.check_type import CheckType
from checkov.common.checks.base_check_registry import BaseCheckRegistry
from checkov.common.models.enums import CheckResult

if TYPE_CHECKING:
from dockerfile_parse.parser import _Instruction # only in extra_stubs
from checkov.common.checks.base_check import BaseCheck
from checkov.common.typing import _SkippedCheck, _CheckResult
from checkov.runner_filter import RunnerFilter


class Registry(BaseCheckRegistry):
def __init__(self):
def __init__(self) -> None:
super().__init__(CheckType.DOCKERFILE)

def scan(self, scanned_file, entity, skipped_checks, runner_filter):
def extract_entity_details(self, entity: dict[str, Any]) -> tuple[str, str, dict[str, Any]]:
# not needed
pass

def scan(
self,
scanned_file: str,
entity: dict[str, list[_Instruction]],
skipped_checks: list[_SkippedCheck],
runner_filter: RunnerFilter,
report_type: str | None = None,
) -> dict[BaseCheck, _CheckResult]:

results = {}
results: "dict[BaseCheck, _CheckResult]" = {}
if not entity:
return results
for instruction, checks in self.checks.items():
Expand Down
Empty file.
22 changes: 22 additions & 0 deletions checkov/dockerfile/image_referencer/manager.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
from __future__ import annotations

from typing import TYPE_CHECKING, Any

from checkov.dockerfile.image_referencer.provider import DockerfileProvider

if TYPE_CHECKING:
from checkov.common.images.image_referencer import Image


class DockerfileImageReferencerManager:
__slots__ = ("definitions",)

def __init__(self, definitions: dict[str, Any]) -> None:
self.definitions = definitions

def extract_images_from_resources(self) -> list[Image]:
provider = DockerfileProvider(definitions=self.definitions)

images = provider.extract_images_from_resources()

return images
59 changes: 59 additions & 0 deletions checkov/dockerfile/image_referencer/provider.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
from __future__ import annotations

import logging
import os
from typing import TYPE_CHECKING, Callable, Any

from checkov.common.images.image_referencer import Image
from checkov.common.util.str_utils import removeprefix
from checkov.dockerfile.utils import DOCKERFILE_STARTLINE, DOCKERFILE_ENDLINE

if TYPE_CHECKING:
from typing_extensions import TypeAlias

_ExtractImagesCallableAlias: TypeAlias = Callable[["dict[str, Any]"], "list[str]"]


class DockerfileProvider:
__slots__ = ("definitions", "supported_resource_types")
gruebel marked this conversation as resolved.
Show resolved Hide resolved

def __init__(self, definitions: dict[str, Any]) -> None:
self.definitions = definitions

def extract_images_from_resources(self) -> list[Image]:
images = []

for file_path, config in self.definitions.items():
instructions = config.get("FROM")
if not isinstance(instructions, list):
continue

for instruction in instructions:
name = instruction["value"]

if " AS " in name:
# indicates a multi-stage build, therefore remove everything starting from AS
# ex. FROM maven:3.8-openjdk-17-slim AS build
name = name.split(" AS ")[0]

if name.startswith("--platform"):
# indicates a multi-platform build, therefore remove the platform flag and its value
# ex. FROM --platform=$BUILDPLATFORM golang:alpine AS build
multi_platform = name.split(" ", maxsplit=1)
if len(multi_platform) != 2:
logging.info(f"Invalid FROM statement {instruction['value']}")
continue

name = multi_platform[1]

images.append(
gruebel marked this conversation as resolved.
Show resolved Hide resolved
Image(
file_path=file_path,
name=name,
start_line=instruction[DOCKERFILE_STARTLINE] + 1, # starts with 0
end_line=instruction[DOCKERFILE_ENDLINE] + 1,
related_resource_id=f'{removeprefix(file_path, os.getenv("BC_ROOT_DIR", ""))}.FROM'
)
)

return images
12 changes: 8 additions & 4 deletions checkov/dockerfile/parser.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,22 +2,26 @@

from collections import OrderedDict
from pathlib import Path
from typing import TYPE_CHECKING

from dockerfile_parse import DockerfileParser
from dockerfile_parse.constants import COMMENT_INSTRUCTION

from checkov.common.typing import _SkippedCheck
from checkov.common.util.suppression import collect_suppressions_for_context

if TYPE_CHECKING:
from dockerfile_parse.parser import _Instruction # only in extra_stubs

def parse(filename: str | Path) -> tuple[dict[str, list[dict[str, int | str]]], list[str]]:

def parse(filename: str | Path) -> tuple[dict[str, list[_Instruction]], list[str]]:
with open(filename) as dockerfile:
dfp = DockerfileParser(fileobj=dockerfile)
return dfp_group_by_instructions(dfp)


def dfp_group_by_instructions(dfp: DockerfileParser) -> tuple[dict[str, list[dict[str, int | str]]], list[str]]:
result: dict[str, list[dict[str, int | str]]] = OrderedDict()
def dfp_group_by_instructions(dfp: DockerfileParser) -> tuple[dict[str, list[_Instruction]], list[str]]:
result: dict[str, list[_Instruction]] = OrderedDict()
for instruction in dfp.structure:
instruction_literal = instruction["instruction"]
if instruction_literal not in result:
Expand All @@ -26,7 +30,7 @@ def dfp_group_by_instructions(dfp: DockerfileParser) -> tuple[dict[str, list[dic
return result, dfp.lines


def collect_skipped_checks(parse_result: dict[str, list[dict[str, int | str]]]) -> list[_SkippedCheck]:
def collect_skipped_checks(parse_result: dict[str, list[_Instruction]]) -> list[_SkippedCheck]:
skipped_checks = []

if COMMENT_INSTRUCTION in parse_result:
Expand Down
57 changes: 45 additions & 12 deletions checkov/dockerfile/runner.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,25 +2,30 @@

import logging
import os
from typing import TYPE_CHECKING, Callable
from typing import TYPE_CHECKING, Callable, Any

from checkov.common.images.image_referencer import ImageReferencerMixin
from checkov.common.output.record import Record
from checkov.common.output.report import Report
from checkov.common.bridgecrew.check_type import CheckType
from checkov.common.parallelizer.parallel_runner import parallel_runner
from checkov.common.runners.base_runner import BaseRunner, filter_ignored_paths
from checkov.common.util.dockerfile import is_docker_file
from checkov.common.typing import _CheckResult
from checkov.dockerfile.image_referencer.manager import DockerfileImageReferencerManager
from checkov.dockerfile.parser import parse, collect_skipped_checks
from checkov.dockerfile.registry import registry
from checkov.dockerfile.utils import DOCKERFILE_STARTLINE, DOCKERFILE_ENDLINE
from checkov.runner_filter import RunnerFilter

if TYPE_CHECKING:
from checkov.common.parsers.node import DictNode
from checkov.dockerfile.base_dockerfile_check import BaseDockerfileCheck
from dockerfile_parse.parser import _Instruction # only in extra_stubs
from networkx import DiGraph
from checkov.common.checks.base_check import BaseCheck
from checkov.common.images.image_referencer import Image


class Runner(BaseRunner):
class Runner(ImageReferencerMixin, BaseRunner[None]):
check_type = CheckType.DOCKERFILE # noqa: CCE003 # a static attribute

def should_scan_file(self, filename: str) -> bool:
Expand All @@ -33,7 +38,7 @@ def run(
files: list[str] | None = None,
runner_filter: RunnerFilter | None = None,
collect_skip_comments: bool = True,
) -> Report:
) -> Report | list[Report]:
runner_filter = runner_filter or RunnerFilter()
if not runner_filter.show_progress_bar:
self.pbar.turn_off_progress_bar()
Expand Down Expand Up @@ -86,8 +91,8 @@ def run(
if result_configuration:
if isinstance(result_configuration, list):
for res in result_configuration:
startline = res['startline']
endline = res['endline']
startline = res[DOCKERFILE_STARTLINE]
endline = res[DOCKERFILE_ENDLINE]
result_instruction = res["instruction"]
self.build_record(report,
definitions_raw,
Expand All @@ -99,8 +104,8 @@ def run(
endline,
result_instruction)
else:
startline = result_configuration['startline']
endline = result_configuration['endline']
startline = result_configuration[DOCKERFILE_STARTLINE]
endline = result_configuration[DOCKERFILE_ENDLINE]
result_instruction = result_configuration["instruction"]
self.build_record(report,
definitions_raw,
Expand All @@ -123,6 +128,22 @@ def run(
result_instruction)
self.pbar.update()
self.pbar.close()

if runner_filter.run_image_referencer:
if files:
# 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form
root_folder = os.path.split(os.path.commonprefix(files))[0]

image_report = self.check_container_image_references(
root_path=root_folder,
runner_filter=runner_filter,
definitions=definitions,
)

if image_report:
# due too many tests failing only return a list, if there is an image report
return [report, image_report]

return report

def calc_record_codeblock(
Expand All @@ -142,7 +163,7 @@ def build_record(
definitions_raw: dict[str, list[str]],
docker_file_path: str,
file_abs_path: str,
check: BaseDockerfileCheck,
check: BaseCheck,
check_result: _CheckResult,
startline: int,
endline: int,
Expand All @@ -168,11 +189,23 @@ def build_record(
record.set_guideline(check.guideline)
report.add_record(record=record)

def extract_images(
self, graph_connector: DiGraph | None = None, definitions: dict[str, Any] | None = None
gruebel marked this conversation as resolved.
Show resolved Hide resolved
) -> list[Image]:
if not definitions:
# should not happen
return []

manager = DockerfileImageReferencerManager(definitions=definitions)
images = manager.extract_images_from_resources()

return images


def get_files_definitions(
files: list[str], filepath_fn: Callable[[str], str] | None = None
) -> tuple[dict[str, DictNode], dict[str, list[str]]]:
def _parse_file(file: str) -> tuple[str, tuple[dict[str, list[dict[str, int | str]]], list[str]] | None]:
) -> tuple[dict[str, dict[str, list[_Instruction]]], dict[str, list[str]]]:
def _parse_file(file: str) -> tuple[str, tuple[dict[str, list[_Instruction]], list[str]] | None]:
try:
return file, parse(file)
except TypeError:
Expand Down
9 changes: 9 additions & 0 deletions checkov/dockerfile/utils.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
from __future__ import annotations

from typing import TYPE_CHECKING

if TYPE_CHECKING:
from typing_extensions import Literal

DOCKERFILE_STARTLINE: Literal["startline"] = "startline"
DOCKERFILE_ENDLINE: Literal["endline"] = "endline"
5 changes: 5 additions & 0 deletions extra_stubs/dockerfile_parse/__init__.pyi
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
from .parser import DockerfileParser

__all__ = [
"DockerfileParser",
]
3 changes: 3 additions & 0 deletions extra_stubs/dockerfile_parse/constants.pyi
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
from typing_extensions import Literal

COMMENT_INSTRUCTION: Literal["COMMENT"]
29 changes: 29 additions & 0 deletions extra_stubs/dockerfile_parse/parser.pyi
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
from typing import TextIO

from typing_extensions import TypedDict


class _Instruction(TypedDict):
instruction: str
startline: int
endline: int
content: str
value: str


class DockerfileParser:
def __init__(
self,
path: str | None = ...,
cache_content: bool = ...,
env_replace: bool = ...,
parent_env: dict[str, str] | None = None,
fileobj: TextIO | None = None,
build_args: dict[str, str] | None = None,
) -> None: ...

@property
def lines(self) -> list[str]: ...

@property
def structure(self) -> list[_Instruction]: ...
2 changes: 2 additions & 0 deletions mypy.ini
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
[mypy]
mypy_path = extra_stubs

files = checkov
exclude = checkov/(arm|cloudformation|dockerfile|gitlab_ci|github_actions|bitbucket|helm|kubernetes|kustomize|sca_package|serverless|terraform)
strict = True
Expand Down
Empty file.
Loading