fix(detectExecuteScan): sanitize container image name before saving (#4834)

* fix(detectExecuteScan): sanitize container image name before saving Co-authored-by: Philipp Stehle <philipp.stehle@sap.com> * mock docker client during unit tests Co-authored-by: Pavel Busko <pavel.busko@sap.com> Co-authored-by: Philipp Stehle <philipp.stehle@sap.com> --------- Co-authored-by: Philipp Stehle <philipp.stehle@sap.com>
2025-03-03 15:02:35 +02:00 · 2024-02-20 12:56:37 +01:00 · 2024-02-20 12:56:37 +01:00 · 38fa25795a
commit 38fa25795a
parent b644bf7e15
2 changed files with 48 additions and 5 deletions
--- a/cmd/detectExecuteScan.go
+++ b/cmd/detectExecuteScan.go
@ -14,6 +14,7 @@ import (

 	bd "github.com/SAP/jenkins-library/pkg/blackduck"
 	"github.com/SAP/jenkins-library/pkg/command"
+	piperDocker "github.com/SAP/jenkins-library/pkg/docker"
 	piperGithub "github.com/SAP/jenkins-library/pkg/github"
 	"github.com/SAP/jenkins-library/pkg/golang"
 	piperhttp "github.com/SAP/jenkins-library/pkg/http"
@ -49,6 +50,7 @@ type detectUtils interface {
 	GetIssueService() *github.IssuesService
 	GetSearchService() *github.SearchService
 	GetProvider() orchestrator.ConfigProvider
+	GetDockerClient(options piperDocker.ClientOptions) piperDocker.Download
 }

 type detectUtilsBundle struct {
@ -72,6 +74,13 @@ func (d *detectUtilsBundle) GetProvider() orchestrator.ConfigProvider {
 	return d.provider
 }

+func (d *detectUtilsBundle) GetDockerClient(options piperDocker.ClientOptions) piperDocker.Download {
+	client := &piperDocker.Client{}
+	client.SetOptions(options)
+
+	return client
+}
+
 type blackduckSystem struct {
 	Client bd.Client
 }
@ -266,22 +275,26 @@ func mapDetectError(err error, config detectExecuteScanOptions, utils detectUtil
 }

 func runDetectImages(ctx context.Context, config detectExecuteScanOptions, utils detectUtils, sys *blackduckSystem, influx *detectExecuteScanInflux, blackduckSystem *blackduckSystem) error {
-	var err error
 	log.Entry().Infof("Scanning %d images", len(config.ImageNameTags))
 	for _, image := range config.ImageNameTags {
 		// Download image to be scanned
 		log.Entry().Debugf("Scanning image: %q", image)
-		tarName := fmt.Sprintf("%s.tar", strings.Split(image, ":")[0])

-		options := containerSaveImageOptions{
+		options := &containerSaveImageOptions{
 			ContainerRegistryURL:      config.RegistryURL,
 			ContainerImage:            image,
 			ContainerRegistryPassword: config.RepositoryPassword,
 			ContainerRegistryUser:     config.RepositoryUsername,
-			FilePath:                  tarName,
 			ImageFormat:               "legacy",
 		}
-		containerSaveImage(options, &telemetry.CustomData{})
+
+		dClientOptions := piperDocker.ClientOptions{ImageName: options.ContainerImage, RegistryURL: options.ContainerRegistryURL, ImageFormat: options.ImageFormat}
+		dClient := utils.GetDockerClient(dClientOptions)
+
+		tarName, err := runContainerSaveImage(options, &telemetry.CustomData{}, "./cache", "", dClient, utils)
+		if err != nil {
+			return err
+		}

 		args := []string{"./detect.sh"}
 		args, err = addDetectArgsImages(args, config, utils, sys, tarName)
--- a/cmd/detectExecuteScan_test.go
+++ b/cmd/detectExecuteScan_test.go
@ -15,6 +15,7 @@ import (
 	"testing"

 	bd "github.com/SAP/jenkins-library/pkg/blackduck"
+	piperDocker "github.com/SAP/jenkins-library/pkg/docker"
 	piperGithub "github.com/SAP/jenkins-library/pkg/github"
 	piperhttp "github.com/SAP/jenkins-library/pkg/http"
 	"github.com/SAP/jenkins-library/pkg/mock"
@ -22,6 +23,7 @@ import (

 	"github.com/google/go-github/v45/github"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 type detectTestUtilsBundle struct {
@ -31,6 +33,7 @@ type detectTestUtilsBundle struct {
 	*mock.FilesMock
 	customEnv    []string
 	orchestrator *orchestratorConfigProviderMock
+	dClient      *mock.DownloadMock
 }

 func (d *detectTestUtilsBundle) GetProvider() orchestrator.ConfigProvider {
@ -45,6 +48,10 @@ func (d *detectTestUtilsBundle) GetSearchService() *github.SearchService {
 	return nil
 }

+func (d *detectTestUtilsBundle) GetDockerClient(options piperDocker.ClientOptions) piperDocker.Download {
+	return d.dClient
+}
+
 type orchestratorConfigProviderMock struct {
 	orchestrator.UnknownOrchestratorConfigProvider
 	isPullRequest bool
@ -289,6 +296,7 @@ func newDetectTestUtilsBundle(isPullRequest bool) *detectTestUtilsBundle {
 		ShellMockRunner: &mock.ShellMockRunner{},
 		FilesMock:       &mock.FilesMock{},
 		orchestrator:    &orchestratorConfigProviderMock{isPullRequest: isPullRequest},
+		dClient:         &mock.DownloadMock{},
 	}
 	return &utilsBundle
 }
@ -344,6 +352,28 @@ func TestRunDetect(t *testing.T) {
 		expectedParam := "\"--detect.maven.build.command=--global-settings global-settings.xml --settings project-settings.xml -Dmaven.repo.local=" + absoluteLocalPath + "\""
 		assert.Contains(t, utilsMock.Calls[0], expectedParam)
 	})
+
+	t.Run("images scan", func(t *testing.T) {
+		t.Parallel()
+		ctx := context.Background()
+		utilsMock := newDetectTestUtilsBundle(false)
+		utilsMock.CurrentDir = "root_folder"
+		utilsMock.AddFile("detect.sh", []byte(""))
+		err := runDetect(ctx, detectExecuteScanOptions{
+			ScanContainerDistro: "ubuntu",
+			ImageNameTags:       []string{"foo/bar:latest", "bar/bazz:latest"},
+		}, utilsMock, &detectExecuteScanInflux{})
+
+		assert.NoError(t, err)
+		assert.Equal(t, ".", utilsMock.Dir, "Wrong execution directory used")
+		require.Equal(t, 3, len(utilsMock.Calls))
+
+		expectedParam1 := "--detect.docker.tar=./foo_bar_latest.tar --detect.target.type=IMAGE --detect.tools.excluded=DETECTOR --detect.docker.passthrough.shared.dir.path.local=/opt/blackduck/blackduck-imageinspector/shared/ --detect.docker.passthrough.shared.dir.path.imageinspector=/opt/blackduck/blackduck-imageinspector/shared --detect.docker.passthrough.imageinspector.service.distro.default=ubuntu --detect.docker.passthrough.imageinspector.service.start=false --detect.docker.passthrough.output.include.squashedimage=false --detect.docker.passthrough.imageinspector.service.url=http://localhost:8082"
+		assert.Contains(t, utilsMock.Calls[1], expectedParam1)
+
+		expectedParam2 := "--detect.docker.tar=./bar_bazz_latest.tar --detect.target.type=IMAGE --detect.tools.excluded=DETECTOR --detect.docker.passthrough.shared.dir.path.local=/opt/blackduck/blackduck-imageinspector/shared/ --detect.docker.passthrough.shared.dir.path.imageinspector=/opt/blackduck/blackduck-imageinspector/shared --detect.docker.passthrough.imageinspector.service.distro.default=ubuntu --detect.docker.passthrough.imageinspector.service.start=false --detect.docker.passthrough.output.include.squashedimage=false --detect.docker.passthrough.imageinspector.service.url=http://localhost:8082"
+		assert.Contains(t, utilsMock.Calls[2], expectedParam2)
+	})
 }

 func TestAddDetectArgs(t *testing.T) {