feat(image): add logic to guess base layer for docker-cis scan #4344

DmitriyLewen · 2023-05-12T07:36:22Z

Description

Add logic to guess base layer for docker-cis scan.
See more in #3834.

Related issues

Close Add base image layer detection to compliance scanning #3834

Checklist

I've read the guidelines for contributing to this repository.
I've followed the conventions in the PR title.
I've added tests that prove my fix is effective or that my feature works.
I've updated the documentation with the relevant information (if needed).
I've added usage information (if the PR introduces new options)
I've included a "before" and "after" example to the description (if the PR is a user interface change).

knqyf263 · 2023-05-22T13:54:24Z

pkg/fanal/artifact/image/image.go

@@ -550,3 +527,31 @@ func (a Artifact) guessBaseLayers(diffIDs []string, configFile *v1.ConfigFile) [
 	}
 	return baseDiffIDs
 }
+
+func GuessBaseImageIndex(histories []v1.History) int {


Can we move it under fanal/image/? The existing file image.go or a new file, history.go

I don't think that we need to create new file for 1 function.
I moved function to fanal/image/image.go in b2cce5f

knqyf263 · 2023-05-23T06:23:10Z

pkg/fanal/image/image.go

@@ -128,3 +129,31 @@ func LayerIDs(img v1.Image) ([]string, error) {
 	}
 	return layerIDs, nil
 }
+
+func GuessBaseImageIndex(histories []v1.History) int {


I think this comment should be moved to this function as the main logic exists here.

trivy/pkg/fanal/artifact/image/image.go

Lines 473 to 501 in 87844ca

// Guess layers in base image (call base layers).

//

// e.g. In the following example, we should detect layers in debian:8.

//

// FROM debian:8

// RUN apt-get update

// COPY mysecret /

// ENTRYPOINT ["entrypoint.sh"]

// CMD ["somecmd"]

//

// debian:8 may be like

//

// ADD file:5d673d25da3a14ce1f6cf66e4c7fd4f4b85a3759a9d93efb3fd9ff852b5b56e4 in /

// CMD ["/bin/sh"]

//

// In total, it would be like:

//

// ADD file:5d673d25da3a14ce1f6cf66e4c7fd4f4b85a3759a9d93efb3fd9ff852b5b56e4 in /

// CMD ["/bin/sh"] # empty layer (detected)

// RUN apt-get update

// COPY mysecret /

// ENTRYPOINT ["entrypoint.sh"] # empty layer (skipped)

// CMD ["somecmd"] # empty layer (skipped)

//

// This method tries to detect CMD in the second line and assume the first line is a base layer.

// 1. Iterate histories from the bottom.

// 2. Skip all the empty layers at the bottom. In the above example, "entrypoint.sh" and "somecmd" will be skipped

// 3. If it finds CMD, it assumes that it is the end of base layers.

// 4. It gets all the layers as base layers above the CMD found in #3.

Maybe keep the first line only in Artifact.guessBaseLayers().

You are right. Made this in d8c4002

…ecurity#4344)

add logic to guess base layer for imgconf

39ae2d3

DmitriyLewen marked this pull request as ready for review May 12, 2023 10:30

DmitriyLewen requested a review from knqyf263 as a code owner May 12, 2023 10:30

knqyf263 assigned DmitriyLewen May 15, 2023

knqyf263 reviewed May 22, 2023

View reviewed changes

DmitriyLewen added 2 commits May 23, 2023 10:10

move GuessBaseImageIndex to pkg/fanal/image.go

b2cce5f

fix linter error

87844ca

knqyf263 reviewed May 23, 2023

View reviewed changes

move comments

d8c4002

knqyf263 approved these changes May 24, 2023

View reviewed changes

knqyf263 merged commit 09db1d4 into aquasecurity:main May 24, 2023

AnaisUrlichs pushed a commit to AnaisUrlichs/trivy that referenced this pull request Aug 10, 2023

feat(image): add logic to guess base layer for docker-cis scan (aquas…

d0ff2ca

…ecurity#4344)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(image): add logic to guess base layer for docker-cis scan #4344

feat(image): add logic to guess base layer for docker-cis scan #4344

DmitriyLewen commented May 12, 2023

knqyf263 May 22, 2023

DmitriyLewen May 23, 2023

knqyf263 May 23, 2023

knqyf263 May 23, 2023

DmitriyLewen May 24, 2023

	// Guess layers in base image (call base layers).
	//
	// e.g. In the following example, we should detect layers in debian:8.
	//
	// FROM debian:8
	// RUN apt-get update
	// COPY mysecret /
	// ENTRYPOINT ["entrypoint.sh"]
	// CMD ["somecmd"]
	//
	// debian:8 may be like
	//
	// ADD file:5d673d25da3a14ce1f6cf66e4c7fd4f4b85a3759a9d93efb3fd9ff852b5b56e4 in /
	// CMD ["/bin/sh"]
	//
	// In total, it would be like:
	//
	// ADD file:5d673d25da3a14ce1f6cf66e4c7fd4f4b85a3759a9d93efb3fd9ff852b5b56e4 in /
	// CMD ["/bin/sh"] # empty layer (detected)
	// RUN apt-get update
	// COPY mysecret /
	// ENTRYPOINT ["entrypoint.sh"] # empty layer (skipped)
	// CMD ["somecmd"] # empty layer (skipped)
	//
	// This method tries to detect CMD in the second line and assume the first line is a base layer.
	// 1. Iterate histories from the bottom.
	// 2. Skip all the empty layers at the bottom. In the above example, "entrypoint.sh" and "somecmd" will be skipped
	// 3. If it finds CMD, it assumes that it is the end of base layers.
	// 4. It gets all the layers as base layers above the CMD found in #3.

feat(image): add logic to guess base layer for docker-cis scan #4344

feat(image): add logic to guess base layer for docker-cis scan #4344

Conversation

DmitriyLewen commented May 12, 2023

Description

Related issues

Checklist

knqyf263 May 22, 2023

Choose a reason for hiding this comment

DmitriyLewen May 23, 2023

Choose a reason for hiding this comment

knqyf263 May 23, 2023

Choose a reason for hiding this comment

knqyf263 May 23, 2023

Choose a reason for hiding this comment

DmitriyLewen May 24, 2023

Choose a reason for hiding this comment