feat: normalize all paths used to support scanning on Windows

The plugin currently works only with Unix/POSIX-style paths and cannot scan container images while running on Windows.

Author: ivanstanev

lib/analyzer/docker-analyzer.ts

@@ -1,4 +1,5 @@
 import * as Debug from "debug";
+import { normalize as normalizePath } from "path";
 import { DockerOptions } from "../docker";
 import * as dockerFile from "../docker-file";
 import * as binariesAnalyzer from "../inputs/binaries/docker";
@@ -83,7 +84,9 @@ export async function analyze(
     osRelease,
     results: pkgManagerAnalysis,
     binaries: binariesAnalysis,
-    imageLayers: imageInspection.RootFS && imageInspection.RootFS.Layers,
+    imageLayers:
+      imageInspection.RootFS &&
+      imageInspection.RootFS.Layers.map((layer) => normalizePath(layer)),
   };
 }
 

lib/docker-file.ts

@@ -1,5 +1,6 @@
 import { DockerfileParser } from "dockerfile-ast";
 import * as fs from "fs";
+import { normalize as normalizePath } from "path";
 import {
   DockerFileLayers,
   DockerFilePackages,
@@ -23,7 +24,7 @@ async function readDockerfileAndAnalyse(
     return undefined;
   }
 
-  const contents = await readFile(targetFilePath);
+  const contents = await readFile(normalizePath(targetFilePath));
   return analyseDockerfile(contents);
 }
 

lib/experimental.ts

@@ -115,7 +115,7 @@ async function getStaticAnalysisResult(
 export function fullImageSavePath(imageSavePath: string | undefined): string {
   let imagePath = tmp.dirSync().name;
   if (imageSavePath) {
-    imagePath = imageSavePath;
+    imagePath = path.normalize(imageSavePath);
   }
 
   return path.join(imagePath, uuidv4());

lib/extractor/docker-archive/index.ts

@@ -1,9 +1,10 @@
+import { normalize as normalizePath } from "path";
 import { DockerArchiveManifest } from "../types";
 
 export { extractArchive } from "./layer";
 
 export function getManifestLayers(manifest: DockerArchiveManifest) {
-  return manifest.Layers;
+  return manifest.Layers.map((layer) => normalizePath(layer));
 }
 
 export function getImageIdFromManifest(

lib/extractor/docker-archive/layer.ts

@@ -1,7 +1,7 @@
 import * as Debug from "debug";
 import { createReadStream } from "fs";
 import * as gunzip from "gunzip-maybe";
-import { basename } from "path";
+import { basename, normalize as normalizePath } from "path";
 import { Readable } from "stream";
 import { extract, Extract } from "tar-stream";
 import { streamToJson } from "../../stream-utils";
@@ -32,17 +32,18 @@ export async function extractArchive(
 
     tarExtractor.on("entry", async (header, stream, next) => {
       if (header.type === "file") {
-        if (isTarFile(header.name)) {
+        const normalizedName = normalizePath(header.name);
+        if (isTarFile(normalizedName)) {
           try {
-            layers[header.name] = await extractImageLayer(
+            layers[normalizedName] = await extractImageLayer(
               stream,
               extractActions,
             );
           } catch (error) {
             debug(`Error extracting layer content from: '${error}'`);
             reject(new Error("Error reading tar archive"));
           }
-        } else if (isManifestFile(header.name)) {
+        } else if (isManifestFile(normalizedName)) {
           manifest = await getManifestFile(stream);
         }
       }
@@ -77,9 +78,11 @@ function getLayersContentAndArchiveManifest(
   // skip (ignore) non-existent layers
   // get the layers content without the name
   // reverse layers order from last to first
-  const filteredLayers = manifest.Layers.filter(
-    (layersName) => layers[layersName],
-  )
+  const layersWithNormalizedNames = manifest.Layers.map((layersName) =>
+    normalizePath(layersName),
+  );
+  const filteredLayers = layersWithNormalizedNames
+    .filter((layersName) => layers[layersName])
     .map((layerName) => layers[layerName])
     .reverse();
 

lib/extractor/layer.ts

@@ -1,5 +1,5 @@
 import * as gunzip from "gunzip-maybe";
-import { resolve as resolvePath } from "path";
+import * as path from "path";
 import { Readable } from "stream";
 import { extract, Extract } from "tar-stream";
 import { applyCallbacks } from "./callbacks";
@@ -21,7 +21,7 @@ export async function extractImageLayer(
 
     tarExtractor.on("entry", async (headers, stream, next) => {
       if (headers.type === "file") {
-        const absoluteFileName = resolvePath("/", headers.name);
+        const absoluteFileName = path.join(path.sep, headers.name);
         // TODO wouldn't it be simpler to first check
         // if the filename matches any patterns?
         const processedResult = await extractFileAndProcess(

lib/extractor/oci-archive/layer.ts

@@ -1,6 +1,7 @@
 import * as Debug from "debug";
 import { createReadStream } from "fs";
 import * as gunzip from "gunzip-maybe";
+import { normalize as normalizePath, sep as pathSeparator } from "path";
 import { PassThrough } from "stream";
 import { extract, Extract } from "tar-stream";
 import { streamToJson } from "../../stream-utils";
@@ -37,7 +38,8 @@ export async function extractArchive(
 
     tarExtractor.on("entry", async (header, stream, next) => {
       if (header.type === "file") {
-        if (isImageIndexFile(header.name)) {
+        const normalizedHeaderName = normalizePath(header.name);
+        if (isImageIndexFile(normalizedHeaderName)) {
           imageIndex = await streamToJson<OciImageIndex>(stream);
         } else {
           const jsonStream = new PassThrough();
@@ -55,7 +57,7 @@ export async function extractArchive(
 
           // header format is /blobs/hash_name/hash_value
           // we're extracting hash_name:hash_value format to match manifest digest
-          const headerParts = header.name.split("/");
+          const headerParts = normalizedHeaderName.split(pathSeparator);
           const hashName = headerParts[1];
           const hashValue = headerParts[headerParts.length - 1];
           const digest = `${hashName}:${hashValue}`;

lib/image-type.ts

@@ -1,3 +1,4 @@
+import { normalize as normalizePath } from "path";
 import { ImageType } from "./types";
 
 export function getImageType(targetImage: string): ImageType {
@@ -15,14 +16,16 @@ export function getImageType(targetImage: string): ImageType {
 }
 
 export function getArchivePath(targetImage: string): string {
-  // strip the "docker-archive:" or "oci-archive:" prefix
-
-  const path = targetImage.split(":")[1];
-  if (!path) {
+  if (
+    !targetImage.startsWith("docker-archive:") &&
+    !targetImage.startsWith("oci-archive:")
+  ) {
     throw new Error(
       'The provided archive path is missing image specific prefix, eg."docker-archive:" or "oci-archive:"',
     );
   }
 
-  return path;
+  return targetImage.indexOf("docker-archive:") !== -1
+    ? normalizePath(targetImage.substring("docker-archive:".length))
+    : normalizePath(targetImage.substring("oci-archive:".length));
 }

lib/inputs/apk/static.ts

@@ -1,10 +1,12 @@
+import { normalize as normalizePath } from "path";
 import { getContentAsString } from "../../extractor";
 import { ExtractAction, ExtractedLayers } from "../../extractor/types";
 import { streamToString } from "../../stream-utils";
 
 export const getApkDbFileContentAction: ExtractAction = {
   actionName: "apk-db",
-  filePathMatches: (filePath) => filePath === "/lib/apk/db/installed",
+  filePathMatches: (filePath) =>
+    filePath === normalizePath("/lib/apk/db/installed"),
   callback: streamToString,
 };
 

lib/inputs/apt/static.ts

@@ -1,17 +1,20 @@
+import { normalize as normalizePath } from "path";
 import { IAptFiles } from "../../analyzer/types";
 import { getContentAsString } from "../../extractor";
 import { ExtractAction, ExtractedLayers } from "../../extractor/types";
 import { streamToString } from "../../stream-utils";
 
 export const getDpkgFileContentAction: ExtractAction = {
   actionName: "dpkg",
-  filePathMatches: (filePath) => filePath === "/var/lib/dpkg/status",
+  filePathMatches: (filePath) =>
+    filePath === normalizePath("/var/lib/dpkg/status"),
   callback: streamToString,
 };
 
 export const getExtFileContentAction: ExtractAction = {
   actionName: "ext",
-  filePathMatches: (filePath) => filePath === "/var/lib/apt/extended_states",
+  filePathMatches: (filePath) =>
+    filePath === normalizePath("/var/lib/apt/extended_states"),
   callback: streamToString,
 };
 

lib/inputs/distroless/static.ts

@@ -1,9 +1,11 @@
+import { normalize as normalizePath } from "path";
 import { ExtractAction, ExtractedLayers } from "../../extractor/types";
 import { streamToString } from "../../stream-utils";
 
 export const getDpkgPackageFileContentAction: ExtractAction = {
   actionName: "dpkg",
-  filePathMatches: (filePath) => filePath.startsWith("/var/lib/dpkg/status.d/"),
+  filePathMatches: (filePath) =>
+    filePath.startsWith(normalizePath("/var/lib/dpkg/status.d/")),
   callback: streamToString, // TODO replace with a parser for apt data extractor
 };
 

lib/inputs/os-release/static.ts

@@ -1,53 +1,62 @@
+import { normalize as normalizePath } from "path";
 import { getContentAsString } from "../../extractor";
 import { ExtractAction, ExtractedLayers } from "../../extractor/types";
 import { streamToString } from "../../stream-utils";
 import { OsReleaseFilePath } from "../../types";
 
 const getOsReleaseAction: ExtractAction = {
   actionName: "os-release",
-  filePathMatches: (filePath) => filePath === OsReleaseFilePath.Linux,
+  filePathMatches: (filePath) =>
+    filePath === normalizePath(OsReleaseFilePath.Linux),
   callback: streamToString,
 };
 
 const getFallbackOsReleaseAction: ExtractAction = {
   actionName: "os-release-fallback",
-  filePathMatches: (filePath) => filePath === OsReleaseFilePath.LinuxFallback,
+  filePathMatches: (filePath) =>
+    filePath === normalizePath(OsReleaseFilePath.LinuxFallback),
   callback: streamToString,
 };
 
 const getLsbReleaseAction: ExtractAction = {
   actionName: "lsb-release",
-  filePathMatches: (filePath) => filePath === OsReleaseFilePath.Lsb,
+  filePathMatches: (filePath) =>
+    filePath === normalizePath(OsReleaseFilePath.Lsb),
   callback: streamToString,
 };
 
 const getDebianVersionAction: ExtractAction = {
   actionName: "debian-version",
-  filePathMatches: (filePath) => filePath === OsReleaseFilePath.Debian,
+  filePathMatches: (filePath) =>
+    filePath === normalizePath(OsReleaseFilePath.Debian),
   callback: streamToString,
 };
 
 const getAlpineReleaseAction: ExtractAction = {
   actionName: "alpine-release",
-  filePathMatches: (filePath) => filePath === OsReleaseFilePath.Alpine,
+  filePathMatches: (filePath) =>
+    filePath === normalizePath(OsReleaseFilePath.Alpine),
   callback: streamToString,
 };
 
 const getRedHatReleaseAction: ExtractAction = {
   actionName: "redhat-release",
-  filePathMatches: (filePath) => filePath === OsReleaseFilePath.RedHat,
+  filePathMatches: (filePath) =>
+    filePath === normalizePath(OsReleaseFilePath.RedHat),
   callback: streamToString,
 };
 
 const getCentosReleaseAction: ExtractAction = {
   actionName: "centos-release",
-  filePathMatches: (filePath) => filePath === OsReleaseFilePath.Centos,
+  filePathMatches: (filePath) =>
+    filePath === normalizePath(OsReleaseFilePath.Centos),
   callback: streamToString,
 };
 
 const getOracleReleaseAction: ExtractAction = {
   actionName: "oracle-release",
-  filePathMatches: (filePath) => filePath === OsReleaseFilePath.Oracle,
+  filePathMatches: (filePath) =>
+    filePath === normalizePath(OsReleaseFilePath.Oracle),
   callback: streamToString,
 };
 

lib/inputs/rpm/static.ts

@@ -1,5 +1,6 @@
 import { getPackages } from "@snyk/rpm-parser";
 import * as Debug from "debug";
+import { normalize as normalizePath } from "path";
 import { getContentAsBuffer } from "../../extractor";
 import { ExtractAction, ExtractedLayers } from "../../extractor/types";
 import { streamToBuffer } from "../../stream-utils";
@@ -8,7 +9,8 @@ const debug = Debug("snyk");
 
 export const getRpmDbFileContentAction: ExtractAction = {
   actionName: "rpm-db",
-  filePathMatches: (filePath) => filePath === "/var/lib/rpm/Packages",
+  filePathMatches: (filePath) =>
+    filePath === normalizePath("/var/lib/rpm/Packages"),
   callback: streamToBuffer,
 };