#1894 Improve docker reference handling

Lukas Fischer · Lukas Fischer · commit ca73a550f7aa · 2023-10-19T19:18:33.000+02:00
Move docker reference normalization to the kubernetes side, it fits
better there. Several places of the code need different parts of the
docker reference of the running containers. This simplifies the access
to those properties and uses them in a more consistent way. The scans
now only use the actual image name for their name, so that there is
space for information other than docker-io-. The hashmap of running
containers now uses a normalized reference string instead of the
ImageInfo objects, which makes it less error prone with the included
reference information.

Signed-off-by: Lukas Fischer &lt;lukas.fischer@iteratec.com&gt;
diff --git a/auto-discovery/cloud-aws/cmd/service/main_test.go b/auto-discovery/cloud-aws/cmd/service/main_test.go
@@ -34,9 +34,9 @@ var _ = Describe("Integration tests", func() {
 	)
 
 	// Templates to check the actual state against
-	juiceShopScanName1 := "docker-io-bkimminich-test-scan-at-163482fed1f8e7c8558cc476a512b13768a8d2f7a04b8aab407ab02987c42382"
+	juiceShopScanName1 := "bkimminich-juice-sho-test-scan-at-163482fed1f8e7c8558cc476a512b13768a8d2f7a04b8aab407ab02987c42382"
 	juiceShopScanName1 = juiceShopScanName1[:62]
-	juiceShopScanName2 := "docker-io-bkimminich-test-scan-two-at-163482fed1f8e7c8558cc476a512b13768a8d2f7a04b8aab407ab02987c42382"
+	juiceShopScanName2 := "bkimminich-juice-sho-test-scan-two-at-163482fed1f8e7c8558cc476a512b13768a8d2f7a04b8aab407ab02987c42382"
 	juiceShopScanName2 = juiceShopScanName2[:62]
 
 	juiceShopScanGoTemplate := scanGoTemplate{
@@ -51,9 +51,9 @@ var _ = Describe("Integration tests", func() {
 		nil,
 	}
 
-	helloWorldScanName1 := "docker-io-library-he-test-scan-at-7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"
+	helloWorldScanName1 := "library-hello-world-test-scan-at-7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"
 	helloWorldScanName1 = helloWorldScanName1[:62]
-	helloWorldScanName2 := "docker-io-library-he-test-scan-two-at-7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"
+	helloWorldScanName2 := "library-hello-world-test-scan-two-at-7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3"
 	helloWorldScanName2 = helloWorldScanName2[:62]
 
 	helloWorldScanGoTemplate := scanGoTemplate{
diff --git a/auto-discovery/cloud-aws/pkg/aws/ecs_events.go b/auto-discovery/cloud-aws/pkg/aws/ecs_events.go
@@ -9,7 +9,6 @@ import (
 
 	awssdk "github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ecs"
-	dockerparser "github.com/novln/docker-parser"
 	"github.com/secureCodeBox/secureCodeBox/auto-discovery/cloud-aws/pkg/kubernetes"
 )
 
@@ -29,21 +28,7 @@ func handleEcsEvent(rawMessage string) ([]kubernetes.Request, error) {
 
 	requests := make([]kubernetes.Request, len(stateChange.Detail.Containers))
 	for idx, container := range stateChange.Detail.Containers {
-		name := *container.Image
-
-		// To prevent misdetection of containers using the same digest but different tags (i.e. none
-		// and latest or 22.04 and jammy), remove the tag from the image if we have a digest so that
-		// these images will occupy the same spot in the "set"
-		// Technically we could also take a tag from the image reference if it includes one, but all
-		// the libraries to work with image references don't allow accessing that properly
-		if container.ImageDigest != nil && *container.ImageDigest != "" {
-			reference, err := dockerparser.Parse(*container.Image)
-			if err != nil {
-				return nil, err
-			}
-
-			name = reference.Repository()
-		} else {
+		if container.ImageDigest == nil {
 			container.ImageDigest = awssdk.String("")
 		}
 
@@ -52,7 +37,7 @@ func handleEcsEvent(rawMessage string) ([]kubernetes.Request, error) {
 			Container: kubernetes.ContainerInfo{
 				Id: *container.ContainerArn,
 				Image: kubernetes.ImageInfo{
-					Name:   name,
+					Name:   *container.Image,
 					Digest: *container.ImageDigest,
 				},
 			},
diff --git a/auto-discovery/cloud-aws/pkg/aws/events_test.go b/auto-discovery/cloud-aws/pkg/aws/events_test.go
@@ -42,7 +42,7 @@ var _ = Describe("AWS Events unit tests", func() {
 			Container: kubernetes.ContainerInfo{
 				Id: "VeryUniqueId",
 				Image: kubernetes.ImageInfo{
-					Name:   "docker.io/bkimminich/juice-shop",
+					Name:   "bkimminich/juice-shop:v15.0.0",
 					Digest: "sha256:163482fed1f8e7c8558cc476a512b13768a8d2f7a04b8aab407ab02987c42382",
 				},
 			},
diff --git a/auto-discovery/cloud-aws/pkg/kubernetes/docker_reference.go b/auto-discovery/cloud-aws/pkg/kubernetes/docker_reference.go
@@ -0,0 +1,121 @@
+// SPDX-FileCopyrightText: the secureCodeBox authors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package kubernetes
+
+import (
+	"strings"
+
+	dockerparser "github.com/novln/docker-parser"
+)
+
+type ImageInfo struct {
+	Name   string
+	Digest string
+	parsed *dockerparser.Reference
+}
+
+func (image *ImageInfo) normalize() error {
+	// To prevent misdetection of containers using the same digest but different tags (i.e. none
+	// and latest or 22.04 and jammy), remove the tag from the image if we have a digest so that
+	// these images will occupy the same spot in the "set"
+	parsed, err := dockerparser.Parse(image.Name)
+	if err != nil {
+		return err
+	}
+
+	// Store the result for later
+	image.parsed = parsed
+
+	return nil
+}
+
+// Get a short, representative name for the image
+func (image *ImageInfo) appName() string {
+	// If the image is parsed or parsing works use library function
+	if image.parsed != nil || image.normalize() == nil {
+		return image.parsed.ShortName()
+	}
+
+	// Parsing failed, try to salvage this somehow by returning what we have
+	name := image.Name
+
+	// If name contains a port, domain or localhost remove that
+	split := strings.Split(name, "/")
+	if strings.Contains(split[0], ":") || strings.Contains(split[0], ".") || split[0] == "localhost" {
+		name = strings.Join(split[1:], "")
+	}
+
+	// Remove tag or digest
+	if strings.Contains(name, ":") {
+		return strings.Split(name, ":")[0]
+	} else if strings.Contains(name, "@") {
+		return strings.Split(name, "@")[0]
+	} else {
+		return name
+	}
+}
+
+// Get an identifier for the version of the app, either a tag if available or the digest
+func (image *ImageInfo) version() string {
+	// If the image is parsed or parsing works use library function
+	if image.parsed != nil || image.normalize() == nil {
+		return image.parsed.Tag()
+	}
+
+	// Parsing failed, try to salvage this somehow by returning what we have
+	// Check if we have a tag by getting the last component of the reference and checking for :
+	split := strings.Split(image.Name, "/")
+	last := split[len(split)-1]
+	if strings.Contains(last, ":") {
+		split = strings.Split(last, ":")
+		return split[len(split)-1]
+	} else if strings.Contains(last, "@") {
+		split = strings.Split(last, "@")
+		return split[len(split)-1]
+	} else {
+		return "latest"
+	}
+}
+
+// Get the digest without prefix
+func (image *ImageInfo) hash() string {
+	digest := image.Digest
+	// Try to use a digest from the reference if there is one and the separate one is empty
+	if image.Digest == "" {
+		// If the image is parsed or parsing works use library function
+		if image.parsed != nil || image.normalize() == nil {
+			// The library stores digest and tag in the same way, wonderfully convenient
+			maybeDigest := image.parsed.Tag()
+			if strings.Contains(maybeDigest, ":") {
+				digest = maybeDigest
+			}
+		} else {
+			split := strings.Split(image.Name, "@")
+			digest = split[len(split)-1]
+		}
+	}
+
+	split := strings.Split(digest, ":")
+	return split[len(split)-1]
+}
+
+// Get a complete and unique reference to this docker image
+func (image *ImageInfo) reference() string {
+	// If the image is parsed or parsing works use library function
+	if image.parsed != nil || image.normalize() == nil {
+		if image.Digest == "" {
+			return image.parsed.Remote()
+		} else {
+			return image.parsed.Repository() + "@" + image.Digest
+		}
+	}
+
+	// Parsing failed, try to salvage this somehow by returning what we have
+	if image.Digest == "" {
+		return image.Name
+	} else {
+		return image.Name + "@" + image.Digest
+	}
+}
diff --git a/auto-discovery/cloud-aws/pkg/kubernetes/kubernetes.go b/auto-discovery/cloud-aws/pkg/kubernetes/kubernetes.go
@@ -39,28 +39,6 @@ type ContainerInfo struct {
 	Image ImageInfo
 }
 
-type ImageInfo struct {
-	Name   string
-	Digest string
-}
-
-func (image *ImageInfo) getImageName() string {
-	return strings.Split(image.Name, ":")[0]
-}
-
-func (image *ImageInfo) getImageHash() string {
-	split := strings.Split(image.Digest, ":")
-	return split[len(split)-1]
-}
-
-func (image *ImageInfo) getReference() string {
-	if image.Digest == "" {
-		return image.Name
-	} else {
-		return image.Name + "@" + image.Digest
-	}
-}
-
 type AWSReconciler interface {
 	Reconcile(ctx context.Context, req Request) error
 }
@@ -72,7 +50,7 @@ type AWSContainerScanReconciler struct {
 
 	// Track which images are actually running and which instances use them
 	// Technically a HashMap to a HashSet but Go doesn't have sets
-	RunningContainers map[ImageInfo]map[string]struct{}
+	RunningContainers map[string]map[string]struct{}
 }
 
 type ContainerAutoDiscoveryTemplateArgs struct {
@@ -83,7 +61,7 @@ type ContainerAutoDiscoveryTemplateArgs struct {
 }
 
 func (r *AWSContainerScanReconciler) Reconcile(ctx context.Context, req Request) error {
-	r.Log.V(1).Info("Received reconcile request", "State", req.State, "Image", req.Container.Image.getReference())
+	r.Log.V(1).Info("Received reconcile request", "State", req.State, "Image", req.Container.Image.reference())
 
 	// Decide what to do based on the current state we are notified about and the information we
 	// saved about this container
@@ -117,18 +95,18 @@ func NewAWSReconcilerWith(client client.Client, cfg *config.AutoDiscoveryConfig,
 		Client:            client,
 		Config:            cfg,
 		Log:               log,
-		RunningContainers: make(map[ImageInfo]map[string]struct{}),
+		RunningContainers: make(map[string]map[string]struct{}),
 	}
 }
 
 func (r *AWSContainerScanReconciler) handleCreateRequest(ctx context.Context, req Request) error {
 	// Make sure there is at least an empty "set"
-	if r.RunningContainers[req.Container.Image] == nil {
-		r.RunningContainers[req.Container.Image] = make(map[string]struct{})
+	if r.RunningContainers[req.Container.Image.reference()] == nil {
+		r.RunningContainers[req.Container.Image.reference()] = make(map[string]struct{})
 	}
 
 	// Add this container to the "set" for this image
-	r.RunningContainers[req.Container.Image][req.Container.Id] = struct{}{}
+	r.RunningContainers[req.Container.Image.reference()][req.Container.Id] = struct{}{}
 
 	// Create all configured scans
 	var err error = nil
@@ -156,14 +134,14 @@ func (r *AWSContainerScanReconciler) handleCreateRequest(ctx context.Context, re
 }
 
 func (r *AWSContainerScanReconciler) handleDeleteRequest(ctx context.Context, req Request) error {
-	if r.RunningContainers[req.Container.Image] == nil {
+	if r.RunningContainers[req.Container.Image.reference()] == nil {
 		// We received a PENDING/STOPPED event but this container wasn't running before either
 		r.Log.V(1).Info("Container was not running before, nothing to do")
 		return nil
 	}
 
-	delete(r.RunningContainers[req.Container.Image], req.Container.Id)
-	if len(r.RunningContainers[req.Container.Image]) > 0 {
+	delete(r.RunningContainers[req.Container.Image.reference()], req.Container.Id)
+	if len(r.RunningContainers[req.Container.Image.reference()]) > 0 {
 		// More containers using this image are running, keep the ScheduledScan
 		r.Log.V(1).Info("There are still instances of this image running, keeping the ScheduledScan")
 		return nil
@@ -226,7 +204,7 @@ func getScheduledScanForRequest(req Request, cfg *config.AutoDiscoveryConfig, sc
 		Config:     *cfg,
 		ScanConfig: scanConfig,
 		Target:     req.Container,
-		ImageID:    req.Container.Image.getReference(),
+		ImageID:    req.Container.Image.reference(),
 	}
 	scanSpec := util.GenerateScanSpec(scanConfig, templateArgs)
 
@@ -246,10 +224,9 @@ func getScanName(req Request, name string) string {
 	// adapted from the kubernetes container autodiscovery
 	// function builds string like: _appName_-_customScanName_-at-_imageID_HASH_ eg: nginx-myTrivyScan-at-0123456789
 
-	appName := req.Container.Image.getImageName()
-	hash := req.Container.Image.getImageHash()
+	appName := req.Container.Image.appName()
+	hash := req.Container.Image.hash()
 
-	// TODO if image name contains a namespace the actual name will mostly get cut off
 	// cutoff appname if it is longer than 20 chars
 	maxAppLength := 20
 	if len(appName) > maxAppLength {
diff --git a/auto-discovery/cloud-aws/pkg/kubernetes/kubernetes_test.go b/auto-discovery/cloud-aws/pkg/kubernetes/kubernetes_test.go
@@ -10,15 +10,15 @@ import (
 )
 
 var _ = Describe("Kubernetes unit tests", func() {
-	scanName := "docker-io-bkimminich-aws-trivy-sbom-at-163482fed1f8e7c8558cc476a512b13768a8d2f7a04b8aab407ab02987c42382"
+	scanName := "bkimminich-juice-sho-aws-trivy-sbom-at-163482fed1f8e7c8558cc476a512b13768a8d2f7a04b8aab407ab02987c42382"
 	scanName = scanName[:62]
 
 	req := Request{
 		State: "RUNNING",
 		Container: ContainerInfo{
 			Id: "VeryUniqueId",
 			Image: ImageInfo{
-				Name:   "docker.io/bkimminich/juice-shop",
+				Name:   "docker.io/bkimminich/juice-shop:v15.0.0",
 				Digest: "sha256:163482fed1f8e7c8558cc476a512b13768a8d2f7a04b8aab407ab02987c42382",
 			},
 		},
