Closed
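--- a/internal/commands/result.go
+++ b/internal/commands/result.go
@@ -1047,10 +1047,8 @@ func setIsSCSEnabled(featureFlagsWrapper wrappers.FeatureFlagsWrapper) {
 wrappers.IsSCSEnabled = scsEngineCLIEnabled.Status
 }
 
-func setIsContainersEnabled(agent string, featureFlagsWrapper wrappers.FeatureFlagsWrapper) {
-agentSupported := !containsIgnoreCase(containerEngineUnsupportedAgents, agent)
-containerEngineCLIEnabled, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, wrappers.ContainerEngineCLIEnabled)
-wrappers.IsContainersEnabled = containerEngineCLIEnabled.Status && agentSupported
+func setIsContainersEnabled(agent string) {
+wrappers.IsContainersEnabled = !containsIgnoreCase(containerEngineUnsupportedAgents, agent)
 }
 
 func filterResultsByType(results *wrappers.ScanResultsCollection, excludedTypes map[string]struct{}) *wrappers.ScanResultsCollection {
@@ -1109,7 +1107,7 @@ func CreateScanReport(
 reportList := strings.Split(reportTypes, ",")
 results := &wrappers.ScanResultsCollection{}
 setIsSCSEnabled(featureFlagsWrapper)
-setIsContainersEnabled(agent, featureFlagsWrapper)
+setIsContainersEnabled(agent)
 summary, err := convertScanToResultsSummary(scan, resultsWrapper)
 if err != nil {
 return nil, err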
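Review bot: The new `setIsContainersEnabled(agent string)` has no doc comment, and its only remaining gate is a deny-list match on the caller-supplied agent string, so any value not found in `containerEngineUnsupportedAgents` (an unknown or misspelled agent included) enables container results. The function also works by writing the package-level `wrappers.IsContainersEnabled`, which is easy to miss from the call in CreateScanReport. I would add `// setIsContainersEnabled turns container results on for every agent except those in containerEngineUnsupportedAgents (case-insensitive match); it sets the package-level wrappers.IsContainersEnabled.` above it. The contents of `containerEngineUnsupportedAgents` are outside the visible hunks, so whether a deny-list is the right default for new agents should be confirmed there.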
32 changes: 3 additions & 29 deletions internal/commands/result_test.go
Expand Up @@ -312,7 +312,6 @@ func TestRunGetResultsByScanIdSarifFormat(t *testing.T) {
}
func TestRunGetResultsByScanIdSarifFormatWithContainers(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "sarif")
// Remove generated sarif file
removeFileBySuffix(t, printer.FormatSarif)
Expand All @@ -334,7 +333,6 @@ func TestRunGetResultsByScanIdSonarFormat(t *testing.T) {

func TestRunGetResultsByScanIdSonarFormatWithContainers(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "sonar")
// Remove generated sonar file
removeFile(t, fileName+"_"+printer.FormatSonar, printer.FormatJSON)
Expand Down Expand Up @@ -367,7 +365,6 @@ func TestDecodeHTMLEntitiesInResults(t *testing.T) {

func TestRunGetResultsByScanIdJsonFormatWithContainers(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "json")

// Remove generated json file
Expand All @@ -390,7 +387,6 @@ func TestRunGetResultsByScanIdSummaryJsonFormat(t *testing.T) {

func TestRunGetResultsByScanIdSummaryJsonFormatWithContainers(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "summaryJSON")

// Remove generated json file
Expand All @@ -406,7 +402,6 @@ func TestRunGetResultsByScanIdSummaryHtmlFormat(t *testing.T) {

func TestRunGetResultsByScanIdSummaryHtmlFormatWithContainers(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "summaryHTML")

// Remove generated html file
Expand All @@ -425,13 +420,11 @@ func TestRunGetResultsByScanIdSummaryMarkdownFormatWithContainers(t *testing.T)

func TestRunGetResultsByScanIdSummaryConsoleFormatWithContainers(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "summaryConsole")
}

func TestRunGetResultsByScanIdSummaryMarkdownFormat(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "markdown")
// Remove generated md file
removeFileBySuffix(t, "md")
Expand Down Expand Up @@ -480,7 +473,6 @@ func TestRunGetResultsByScanIdPDFFormat(t *testing.T) {

func TestRunGetResultsByScanIdPDFFormatWithContainers(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "pdf")
_, err := os.Stat(fmt.Sprintf("%s.%s", fileName, printer.FormatPDF))
assert.NilError(t, err, "Report file should exist for extension "+printer.FormatPDF)
Expand Down Expand Up @@ -759,7 +751,6 @@ func TestSBOMReportXML(t *testing.T) {

func TestSBOMReportJsonWithContainers(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "sbom")
_, err := os.Stat(fmt.Sprintf("%s.%s", fileName+"_"+printer.FormatSbom, printer.FormatJSON))
assert.NilError(t, err, "Report file should exist for extension "+printer.FormatJSON)
Expand All @@ -769,7 +760,6 @@ func TestSBOMReportJsonWithContainers(t *testing.T) {

func TestSBOMReportXMLWithContainers(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "sbom", "--report-sbom-format", "CycloneDxXml")
_, err := os.Stat(fmt.Sprintf("%s.%s", fileName+"_"+printer.FormatSbom, printer.FormatXML))
assert.NilError(t, err, "Report file should exist for extension "+printer.FormatXML)
Expand All @@ -782,26 +772,17 @@ func TestRunGetResultsByScanIdGLFormat(t *testing.T) {
// Run test for gl-sast report type
os.Remove(fmt.Sprintf("%s.%s", fileName, printer.FormatGLSast))
}

func TestRunResultsShow_ContainersFFIsOn_includeContainersResult(t *testing.T) {
clearFlags()
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "json")

Consider validating the --scan-id flag to ensure that it is not empty and has a proper format before executing the command.

assertTypePresentJSON(t, params.ContainersType, 1)

It's unclear what assertTypePresentJSON does. Ensure that the function checks for the presence of container scan results in the output as expected by the PR title.

// Remove generated json file
removeFileBySuffix(t, printer.FormatJSON)

The removal of the generated file should be done in a defer statement immediately after the file creation to ensure it's cleaned up even if the test fails or panics.

}
func TestRunResultsShow_ContainersFFIsOff_excludeContainersResult(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: false}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "json")
assertTypePresentJSON(t, params.ContainersType, 0)
// Remove generated json file
removeFileBySuffix(t, printer.FormatJSON)
}

func TestRunResultsShow_jetbrainsIsNotSupported_excludeContainersResult(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "json", "--agent", "jetbrains")
assertTypePresentJSON(t, params.ContainersType, 0)
// Remove generated json file
Expand All @@ -810,7 +791,6 @@ func TestRunResultsShow_jetbrainsIsNotSupported_excludeContainersResult(t *testi

func TestRunResultsShow_EclipseIsNotSupported_excludeContainersResult(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "json", "--agent", "Eclipse")
assertTypePresentJSON(t, params.ContainersType, 0)
// Remove generated json file
Expand All @@ -819,7 +799,6 @@ func TestRunResultsShow_EclipseIsNotSupported_excludeContainersResult(t *testing

func TestRunResultsShow_VsCodeIsNotSupported_excludeContainersResult(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "json", "--agent", "vs code")
assertTypePresentJSON(t, params.ContainersType, 0)
// Remove generated json file
Expand All @@ -828,7 +807,6 @@ func TestRunResultsShow_VsCodeIsNotSupported_excludeContainersResult(t *testing.

func TestRunResultsShow_VisualStudioIsNotSupported_excludeContainersResult(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "json", "--agent", "Visual Studio")
assertTypePresentJSON(t, params.ContainersType, 0)
// Remove generated json file
Expand Down Expand Up @@ -952,11 +930,7 @@ func assertResultsPresentSummaryJSON(t *testing.T, isResultsEnabled bool, scanTy
assert.Assert(t, false, "%s result summary should be present", scanType)
}
}
func TestRunGetResultsShow_ContainersFFOffAndResultsHasContainersResultsOnly_NilAssertion(t *testing.T) {
clearFlags()
mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: false}
execCmdNilAssertion(t, "results", "show", "--scan-id", "CONTAINERS_ONLY", "--report-format", "summaryConsole")
}

func TestRunGetResultsByScanIdGLSastAndAScaFormat(t *testing.T) {
execCmdNilAssertion(t, "results", "show", "--scan-id", "MOCK", "--report-format", "gl-sast,gl-sca")
// Run test for gl-sast report type
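Review bot: Deleting `TestRunGetResultsShow_ContainersFFOffAndResultsHasContainersResultsOnly_NilAssertion` drops the only visible test that uses the `CONTAINERS_ONLY` scan id, so a result set holding nothing but container findings is no longer exercised now that containers are always reported. Rather than removing it, I would keep the case without the flag line, e.g. `func TestRunGetResultsShow_ResultsHasContainersResultsOnly_NilAssertion(t *testing.T)` with `clearFlags()` followed by `execCmdNilAssertion(t, "results", "show", "--scan-id", "CONTAINERS_ONLY", "--report-format", "summaryConsole")`. If `TestRunResultsShow_ContainersFFIsOn_includeContainersResult` keeps its name after this change, the `FFIsOn` part is stale because the test no longer sets a feature flag; the rendered page does not show clearly which lines of that hunk remain.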
88 changes: 43 additions & 45 deletions internal/commands/scan.go
Expand Up @@ -560,7 +560,8 @@ func scanCreateSubCommand(
"",
fmt.Sprintf("Parameters to use in SCA resolver (requires --%s).", commonParams.ScaResolverFlag),
)
createScanCmd.PersistentFlags().String(commonParams.ContainerImagesFlag, "", "List of container images to scan, ex: manuelbcd/vulnapp:latest,debian:10. (Not supported yet)")
createScanCmd.PersistentFlags().String(commonParams.ContainerResolveLocallyFlag, "", "Execute container resolver locally.")

The flag commonParams.ContainerResolveLocallyFlag should have a more descriptive help message explaining what it means to execute the container resolver locally and the implications of using this flag.

createScanCmd.PersistentFlags().String(commonParams.ContainerImagesFlag, "", "List of container images to scan, ex: manuelbcd/vulnapp:latest,debian:10.")

The help message for commonParams.ContainerImagesFlag should mention the new default behavior of scanning containers in the cloud if not specified otherwise.

createScanCmd.PersistentFlags().String(commonParams.ScanTypes, "", "Scan types, ex: (sast,iac-security,sca,api-security)")

createScanCmd.PersistentFlags().String(commonParams.TagList, "", "List of tags, ex: (tagA,tagB:val,etc)")
Expand Down Expand Up @@ -746,7 +747,6 @@ func setupScanTypeProjectAndConfig(
return err
}
}

The removal of the containerEngineCLIEnabled check might cause unintended behavior if the feature flag is still relevant for other parts of the code. Ensure that the removal of this feature flag check does not affect other functionalities that depend on it.

containerEngineCLIEnabled, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, wrappers.ContainerEngineCLIEnabled)

sastConfig := addSastScan(cmd, resubmitConfig)
if sastConfig != nil {
Expand All @@ -764,7 +764,7 @@ func setupScanTypeProjectAndConfig(
if apiSecConfig != nil {
configArr = append(configArr, apiSecConfig)
}
var containersConfig = addContainersScan(containerEngineCLIEnabled.Status)
var containersConfig = addContainersScan()

The removal of the containerEngineCLIEnabled.Status parameter from addContainersScan() call might lead to unintended behavior if the function relies on this status check to determine whether to perform a containers scan. Ensure that the addContainersScan function is updated to handle the default behavior correctly without requiring this parameter.

if containersConfig != nil {
configArr = append(configArr, containersConfig)
}
Expand Down Expand Up @@ -935,8 +935,8 @@ func addScaScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, hasContain
return nil
}

func addContainersScan(containerEngineCLIEnabled bool) map[string]interface{} {
if !scanTypeEnabled(commonParams.ContainersType) || !containerEngineCLIEnabled {
func addContainersScan() map[string]interface{} {

The removal of the containerEngineCLIEnabled parameter could lead to unintended behavior if the function relies on this flag to determine whether to add container scanning. Ensure that the removal of this parameter aligns with the intended logic and that any necessary checks are still performed elsewhere.

if !scanTypeEnabled(commonParams.ContainersType) {
return nil
}
containerMapConfig := make(map[string]interface{})
Expand Down Expand Up @@ -1071,7 +1071,6 @@ func validateScanTypes(cmd *cobra.Command, jwtWrapper wrappers.JWTWrapper, featu
var scanTypes []string
var SCSScanTypes []string

containerEngineCLIEnabled, _ := featureFlagsWrapper.GetSpecificFlag(wrappers.ContainerEngineCLIEnabled)
allowedEngines, err := jwtWrapper.GetAllowedEngines(featureFlagsWrapper)

The removal of containerEngineCLIEnabled variable might cause issues if it's used elsewhere in the code. Ensure that this variable is not used in other places or consider deprecating it properly if it's no longer needed.

if err != nil {
err = errors.Errorf("Error validating scan types: %v", err)
Expand All @@ -1088,7 +1087,7 @@ func validateScanTypes(cmd *cobra.Command, jwtWrapper wrappers.JWTWrapper, featu

scanTypes = strings.Split(userScanTypes, ",")
for _, scanType := range scanTypes {
if !allowedEngines[scanType] || (scanType == commonParams.ContainersType && !(containerEngineCLIEnabled.Status)) {
if !allowedEngines[scanType] {

The removal of the condition scanType == commonParams.ContainersType && !(containerEngineCLIEnabled.Status) might introduce a regression if the intent is to ensure that container scanning is only allowed when the containerEngineCLIEnabled.Status is true. Ensure that the new logic correctly reflects the intended behavior for container scan support.

keys := reflect.ValueOf(allowedEngines).MapKeys()
err = errors.Errorf(engineNotAllowed, scanType, scanType, keys)
return err
Expand All @@ -1104,9 +1103,6 @@ func validateScanTypes(cmd *cobra.Command, jwtWrapper wrappers.JWTWrapper, featu

} else {
for k := range allowedEngines {
if k == commonParams.ContainersType && !(containerEngineCLIEnabled.Status) {
continue
}
scanTypes = append(scanTypes, k)
}

The removal of the condition checking containerEngineCLIEnabled.Status might introduce a change in behavior where container scans are allowed even if the feature is not enabled. Ensure that the new default behavior to support container scans in the cloud is intentional and does not conflict with existing feature flags or settings.

}
Expand Down Expand Up @@ -1303,7 +1299,6 @@ func isDirFiltered(filename string, filters []string) (bool, error) {
}
}
}

return false, nil
}

Expand Down Expand Up @@ -1398,17 +1393,16 @@ func addScaResults(zipWriter *zip.Writer) error {
}

func getUploadURLFromSource(cmd *cobra.Command, uploadsWrapper wrappers.UploadsWrapper, featureFlagsWrapper wrappers.FeatureFlagsWrapper) (
url, zipFilePath string,
err error,
) {
url, zipFilePath string, err error) {

var preSignedURL string

sourceDirFilter, _ := cmd.Flags().GetString(commonParams.SourceDirFilterFlag)
userIncludeFilter, _ := cmd.Flags().GetString(commonParams.IncludeFilterFlag)
projectName, _ := cmd.Flags().GetString(commonParams.ProjectName)
containerEngineCLIEnabled, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, wrappers.ContainerEngineCLIEnabled)

containerScanTriggered := strings.Contains(actualScanTypes, commonParams.ContainersType) && containerEngineCLIEnabled.Status
containerScanTriggered := strings.Contains(actualScanTypes, commonParams.ContainersType)

The removal of the containerEngineCLIEnabled check may lead to unintended behavior if the feature flag is still relevant for other parts of the system. Ensure that removing this check does not bypass any intended feature flag controls.

containerResolveLocallyFlag, _ := cmd.Flags().GetString(commonParams.ContainerResolveLocallyFlag)
containerResolveLocally := strings.EqualFold(containerResolveLocallyFlag, "true")

The containerResolveLocallyFlag is retrieved as a string and then compared using strings.EqualFold. Consider using a boolean flag directly with cmd.Flags().GetBool for clarity and to avoid string comparisons for boolean logic.

scaResolverParams, scaResolver := getScaResolverFlags(cmd)

The variables scaResolverParams and scaResolver are assigned but not used in the provided diff context. If these variables are not used within the scope of the changes, consider removing them to avoid unused variable assignments.


zipFilePath, directoryPath, err := definePathForZipFileOrDirectory(cmd)
Expand All @@ -1419,7 +1413,7 @@ func getUploadURLFromSource(cmd *cobra.Command, uploadsWrapper wrappers.UploadsW
var errorUnzippingFile error
userProvidedZip := len(zipFilePath) > 0

unzip := ((len(sourceDirFilter) > 0 || len(userIncludeFilter) > 0) || containerScanTriggered) && userProvidedZip
unzip := ((len(sourceDirFilter) > 0 || len(userIncludeFilter) > 0) || containerResolveLocally) && userProvidedZip

The variable containerResolveLocally is used without being defined or passed as an argument to the function. Ensure that the variable is properly defined and passed to the function if it's intended to be used here.

if unzip {
directoryPath, errorUnzippingFile = UnzipFile(zipFilePath)
if errorUnzippingFile != nil {
Expand All @@ -1429,14 +1423,29 @@ func getUploadURLFromSource(cmd *cobra.Command, uploadsWrapper wrappers.UploadsW

if directoryPath != "" {
var dirPathErr error
resolversErr := runScannerResolvers(cmd, directoryPath, projectName, containerScanTriggered, scaResolver, scaResolverParams)
if resolversErr != nil {
if unzip {
_ = cleanTempUnzipDirectory(directoryPath)

// execute scaResolver only in sca type of scans
if strings.Contains(actualScanTypes, commonParams.ScaType) {
scaErr := runScaResolver(directoryPath, scaResolver, scaResolverParams, projectName)
if scaErr != nil {
if unzip {
_ = cleanTempUnzipDirectory(directoryPath)
}
return "", "", errors.Wrapf(scaErr, "ScaResolver error")
}
}

if containerScanTriggered {

Consider handling the error from runContainerResolver in a separate function to avoid code duplication, as the cleanup logic is repeated.

containerResolverError := runContainerResolver(cmd, directoryPath, containerResolveLocally)
if containerResolverError != nil {
if unzip {
_ = cleanTempUnzipDirectory(directoryPath)
}
return "", "", containerResolverError
}
return "", "", resolversErr
}
if isSingleContainerScanTriggered() {

if isSingleContainerScanTriggered() && containerResolveLocally {

The condition isSingleContainerScanTriggered() && containerResolveLocally may not be sufficient to determine if only the container resolution file should be compressed. Ensure that this logic aligns with the intended behavior for container scans.

logger.PrintIfVerbose("Single container scan triggered: compressing only the container resolution file")
containerResolutionFilePath := filepath.Join(directoryPath, containerResolutionFileName)

The variable containerResolutionFileName is used but not defined in the diff. Ensure that it is properly declared and initialized before use.

zipFilePath, dirPathErr = util.CompressFile(containerResolutionFilePath, containerResolutionFileName, directoryCreationPrefix)

The error handling for util.CompressFile is missing. Ensure that any errors returned by this function are properly handled.

Expand All @@ -1462,7 +1471,7 @@ func getUploadURLFromSource(cmd *cobra.Command, uploadsWrapper wrappers.UploadsW
return preSignedURL, zipFilePath, nil
}

func runContainerResolver(cmd *cobra.Command, directoryPath string) error {
func runContainerResolver(cmd *cobra.Command, directoryPath string, containerResolveLocally bool) error {

The new parameter containerResolveLocally is added to the function signature but not used within the function body. Ensure that the parameter is utilized as intended or remove it if it's unnecessary.

containerImages, _ := cmd.Flags().GetString(commonParams.ContainerImagesFlag)
debug, _ := cmd.Flags().GetBool(commonParams.DebugFlag)
var containerImagesList []string
Expand All @@ -1476,26 +1485,11 @@ func runContainerResolver(cmd *cobra.Command, directoryPath string) error {
}
logger.PrintIfVerbose(fmt.Sprintf("User input container images identified: %v", strings.Join(containerImagesList, ", ")))
}
containerResolverERR := containerResolver.Resolve(directoryPath, directoryPath, containerImagesList, debug)
if containerResolverERR != nil {
return containerResolverERR
}
return nil
}

func runScannerResolvers(cmd *cobra.Command, directoryPath, projectName string, containerScanTriggered bool, scaResolver, scaResolverParams string) error {
// Make sure scaResolver only runs in sca type of scans
if strings.Contains(actualScanTypes, commonParams.ScaType) {
dirPathErr := runScaResolver(directoryPath, scaResolver, scaResolverParams, projectName)
if dirPathErr != nil {
return errors.Wrapf(dirPathErr, "ScaResolver error")
}
}

if containerScanTriggered {
containerResolverError := runContainerResolver(cmd, directoryPath)
if containerResolverError != nil {
return containerResolverError
if containerResolveLocally || len(containerImagesList) > 0 {

The variable containerResolveLocally is not defined in the provided diff. Ensure that it is properly declared and initialized before use.

containerResolverERR := containerResolver.Resolve(directoryPath, directoryPath, containerImagesList, debug)
if containerResolverERR != nil {
return containerResolverERR
}
}
return nil
Expand Down Expand Up @@ -2743,9 +2737,13 @@ func validateCreateScanFlags(cmd *cobra.Command) error {
}

func validateContainerImageFormat(containerImage string) error {
if strings.HasSuffix(containerImage, ".tar") {
return nil
}

imageParts := strings.Split(containerImage, ":")
if len(imageParts) != 2 || imageParts[0] == "" || imageParts[1] == "" {

The validation logic for the container image format only checks for the presence of a colon and non-empty parts before and after the colon. However, it does not validate the actual format of the image name and tag. Consider adding more robust validation to ensure the image name and tag conform to the expected patterns.

return errors.Errorf("Invalid value for --container-images flag. The value must be in the format <image-name>:<image-tag>")
return errors.Errorf("Invalid value for --container-images flag. The value must be in the format <image-name>:<image-tag> or <image-name>.tar")
}
return nil
}
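Review bot: In getUploadURLFromSource the new `unzip` condition keys on `containerResolveLocally`, but runContainerResolver also runs the resolver when `len(containerImagesList) > 0`. For a user-provided zip with `--container-images` set and neither local resolution nor a filter, `unzip` is false and `directoryPath` presumably stays empty, so the `if directoryPath != ""` block is skipped and the requested images are never resolved, with no error reported. The previous condition unzipped whenever a containers scan was triggered. If images named on the command line are meant to be resolved for zip sources too, read the flag here with `containerImages, _ := cmd.Flags().GetString(commonParams.ContainerImagesFlag)` and use `unzip := (len(sourceDirFilter) > 0 || len(userIncludeFilter) > 0 || containerResolveLocally || containerImages != "") && userProvidedZip`; otherwise reject the combination in validateCreateScanFlags so the scan does not silently cover less than was asked for. definePathForZipFileOrDirectory is outside the visible hunks, so the empty-path behaviour should be confirmed first.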