Fix container-images flag to support prefix syntax advanced parsing (AST-108903) #1318
Conversation
Great job! No new security vulnerabilities introduced in this pull request
cx-anurag-dalke left a comment
ok
🔄 Update: Automatic Local Resolution for Tar Files
Added automatic enforcement of
New Behavior
When using
Implementation Details
New Functions:
Warning Message:
Examples
```shell
# Tar file without --containers-local-resolution
# → Warning printed, flag auto-enabled
cx scan create --container-images "alpine.tar" -s . --project-name test

# Tar file with --containers-local-resolution already set
# → No warning, proceeds normally
cx scan create --container-images "alpine.tar" --containers-local-resolution -s . --project-name test

# Mixed tar + regular images
# → Warning printed, flag auto-enabled for all
cx scan create --container-images "nginx:latest,alpine.tar,ubuntu:20.04" -s . --project-name test
```
Test Coverage
Added comprehensive test coverage:
All tests passing ✅
🚀 Latest Updates - Complete OCI Directory Support & Advanced Image Processing
✨ Major New Features
1. Full OCI Directory Support (Skopeo Integration)
Example Usage:
```shell
# Create OCI directory with Skopeo
skopeo copy --override-arch amd64 docker://alpine:latest oci:docker.io/library/alpine:latest

# Scan with CxOne CLI (no tag in CLI command)
cx scan create --container-images "oci-dir:docker.io/library/alpine" --containers-local-resolution
```
2. Zero-Package Image Filtering
3. Enhanced Tar File Handling
4. Automatic Local Resolution for Tar Files
🏗️ Architecture Improvements
Cross-Project Changes
ast-cli (
containers-resolver (
containers-syft-packages-extractor (
🧪 Comprehensive Test Coverage
New Tests Added
containers-syft-packages-extractor:
ast-cli:
All tests passing: ✅ 100% pass rate
📊 Processing Flow
📝 Documentation Updates
📖 Documentation: Container Images Flag Validation Logic
🔧 Bug Fixes
✅ Validation Examples
Valid Inputs:
```shell
# Standard images
--container-images "nginx:latest,alpine:3.18"

# OCI directories (tag from index.json)
--container-images "oci-dir:docker.io/library/alpine"
--container-images "oci-dir:./my-alpine-image"

# Tar files (with auto local-resolution)
--container-images "alpine.tar"
--container-images "file:./images/nginx.tar"
--container-images "docker-archive:saved-image.tar"

# Daemon sources
--container-images "docker:nginx:latest,podman:alpine:3.18"

# Mixed formats
--container-images "nginx:latest,oci-dir:./alpine,file:ubuntu.tar"
```
Invalid Inputs (with helpful errors):
```shell
# Missing tag
--container-images "nginx"
# ❌ Error: image does not have a tag

# OCI dir without tag annotation
--container-images "oci-dir:path/to/oci-dir"
# ⚠️ Warning: no image tag found in OCI index.json annotations (image skipped)

# Compressed tar
--container-images "image.tar.gz"
# ❌ Error: file is compressed, use non-compressed format (tar)

# OCI dir with explicit tag (NOT SUPPORTED)
--container-images "oci-dir:./my-image:latest"
# ❌ Will fail - tags must be in index.json, not CLI command
```
📈 Stats
🔗 Related Links
Ready for review! ✅ All tests passing, documentation complete, zero linting issues.
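The validation rules listed in the two comments above (a tag is required on plain and daemon-prefixed images, an oci-dir takes its tag only from index.json, compressed tars and tagged tar paths are rejected, and a tar archive makes the CLI auto-enable local resolution), as an added Go illustration that is not ast-cli's own code; the function names are hypothetical, and the file-existence checks and comma splitting the PR also performs are left to the caller.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical validator for the rules in this PR's comments (illustration, not ast-cli code).
var schemes = map[string]string{
	"file": "archive", "docker-archive": "archive", "oci-archive": "archive",
	"docker": "daemon", "podman": "daemon", "containerd": "daemon",
	"registry": "daemon", "oci-dir": "ocidir", "dir": "dir",
}

// splitScheme returns the kind of a known leading scheme (or "") and the remainder.
func splitScheme(ref string) (kind, rest string) {
	if i := strings.Index(ref, ":"); i > 0 {
		if k, ok := schemes[ref[:i]]; ok {
			return k, ref[i+1:]
		}
	}
	return "", ref
}

// hasTag reports a non-empty tag after a colon that follows the last slash.
func hasTag(ref string) bool {
	i := strings.LastIndex(ref, ":")
	return i > strings.LastIndex(ref, "/") && i < len(ref)-1
}

// ValidateImageRef checks one --container-images entry; isTar marks a local tar
// archive, which is what makes the CLI auto-enable --containers-local-resolution.
func ValidateImageRef(ref string) (isTar bool, err error) {
	kind, rest := splitScheme(ref)
	switch {
	case kind == "dir":
		return false, fmt.Errorf("%s: dir: prefix is rejected (bulk directory scanning is not supported)", ref)
	case strings.HasSuffix(rest, ".tgz"), strings.Contains(rest, ".tar."):
		return false, fmt.Errorf("%s: file is compressed, use non-compressed format (tar)", ref)
	case kind == "ocidir" && hasTag(rest):
		return false, fmt.Errorf("%s: tags must be in index.json, not the CLI command", ref)
	case strings.Contains(rest, ".tar:"):
		return false, fmt.Errorf("%s: tar files cannot have tags", ref)
	case strings.HasSuffix(rest, ".tar"):
		return true, nil
	case kind != "ocidir" && !hasTag(rest): // oci-dir tags come from index.json
		return false, fmt.Errorf("%s: image does not have a tag", ref)
	}
	return false, nil
}
```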
cx-anurag-dalke left a comment
ok
…ngle images
- Add support for Syft-compatible prefix syntax (docker:, podman:, containerd:, registry:, docker-archive:, oci-archive:, oci-dir:, file:)
- Restrict scanning to single images only (prevent bulk directory/registry scanning)
- Remove singularity support
- Add comprehensive validation for all supported formats
- Maintain backward compatibility with traditional image:tag format
Fixes AST-108903

- Add helpful error message for .tar files with paths suggesting file: prefix
- Add specific filenames to file existence error messages
- Detect when users input file paths without proper prefix format
- Prevent customer confusion about format requirements
Examples:
- 'empty/alpine.tar' → suggests 'file:empty/alpine.tar'
- 'file:missing.tar' → shows 'file missing.tar does not exist' (not just 'file does not exist')
This addresses customer usability issues and makes error messages more actionable.

- Add transformContainerImagesForSyft function to strip file: prefix before passing to syft extractor
- Syft expects just the file path, not the file: prefix for local file sources
- Other prefixes (docker:, podman:, etc.) are passed through unchanged
- Fixes customer issue where file:empty/alpine.tar caused syft provider errors
This resolves the original panic and syft parsing issues reported in AST-108903.

- Replace simple prefix stripping with proper scheme extraction logic
- Mimic stereoscope.ExtractSchemeSource behavior exactly like syft CLI does
- Extract valid schemes (file:, docker:, registry:, etc.) and pass stripped input to syft
- Leave invalid or missing schemes unchanged (e.g., nginx:latest stays as-is)
- Supports all syft source provider schemes: file, dir, docker, podman, containerd, registry, docker-archive, oci-archive, oci-dir, singularity
This matches syft's exact behavior where both 'file:path' and 'path' work identically. Resolves AST-108903 syft compatibility issues.

- Add isFilePath() function to detect file paths vs image references
- Automatically append ':latest' tag to file paths without tags
- Prevents 'index out of range' panic in containers-syft-packages-extractor
- Handles file extensions: .tar, .tar.gz, .tgz and paths with / or
- Preserves existing tags when present (e.g., 'file.tar:v1.0' unchanged)
WORKAROUND for vendor library bug where it expects image:tag format but file paths don't naturally have tags. Resolves AST-108903 panic issue.

The approach of adding ':latest' tags to file paths causes syft to look for files with colons in the filename (e.g., 'empty/alpine.tar:latest' instead of 'empty/alpine.tar').
Current status:
- ✅ Scheme extraction works correctly (file: prefix handling)
- ✅ Validation accepts file paths with and without schemes
- ❌ Vendor library panic still occurs for untagged file paths
WORKAROUND: Customers should add explicit tags to file paths: --container-images 'file:empty/alpine.tar:latest,file:empty/alpine.tar.gz:latest'
TODO: Fix vendor library panic at the appropriate layer (not in CLI processing)
… (AST-112118)
- Implement unified validation logic for all container image formats
* Support for image:tag format with proper tag validation
* Support for .tar files with existence checks
* Detection and rejection of compressed tar files (.tar.gz, .tar.bz2, .tar.xz, .tgz)
* Support for all syft/stereoscope prefixes (docker:, podman:, containerd:, registry:,
docker-archive:, oci-archive:, oci-dir:, file:)
* Explicit rejection of 'dir:' prefix to prevent directory scanning
- Consolidate validation error messages
* Collect all validation errors before returning
* Present errors in a single, user-friendly message with header and bullet points
* Show both input and specific error for each failed validation
- Add helpful hints for common user mistakes
* Detect compressed tar files and suggest using .tar format
* Detect incorrect tar file extensions (e.g., .tar.bz) and ask if user meant to scan tar
* Detect archive prefixes used with image names and suggest correct usage
* Clear guidance on expected formats in error messages
- Improve input normalization
* Trim spaces from comma-separated inputs
* Strip single and double quotes from inputs
* Handle quotes after prefixes (e.g., file:'/path/to/file')
* Skip empty entries in comma-separated lists
- Add comprehensive test coverage
* 40+ test cases covering all validation scenarios
* Tests for all prefix types (daemon, archive, registry, oci-dir)
* Tests for error cases with helpful hints
* Tests for input normalization edge cases
* Tests for quote handling and special characters
- Code cleanup
* Remove obsolete validateTraditionalContainerImage function
* Remove unused isFilePathForVendorLibrary helper
* Improve code comments for clarity
* Remove outdated TODO comments
- Update dependencies
* Remove unused containers-resolver dependency from go.sum
…ata, while retaining build artifacts and manifest directories.
…n and helper functions
- Introduce comprehensive validation for container image formats, including image:tag, tar files, and various prefixes (docker:, podman:, etc.).
- Add detailed comments to clarify the purpose and functionality of key functions related to container image processing.
- Implement helper functions for prefix extraction and validation, improving code readability and maintainability.
- Ensure all new functions are aligned with container-security scan-type requirements.

…d maintainability
- Introduce dedicated validation functions for different container image prefixes: archive, oci-dir, registry, and daemon.
- Consolidate error handling and validation checks into specific functions to streamline the validation process.
- Enhance code clarity with detailed comments explaining the purpose of each validation function.
- Ensure all changes align with container-security scan-type requirements and improve overall code structure.

… validation
- Update error messages for clarity and consistency in the validateCreateScanFlags and validateRegistryPrefix functions.
- Replace hardcoded indices with named constants for better readability in the validateRegistryPrefix and validateDaemonPrefix functions.
- Enhance overall code maintainability by improving variable naming conventions.

- Update test assertions to check for consolidated error messages in the container image validation logic.
- Ensure error messages provide clearer feedback on user input errors, including specific issues with image tags and unsupported prefixes.
- Enhance test coverage for various error scenarios to improve robustness of validation checks.

- Introduce `isTarFileReference` function to identify tar file references in container images.
- Implement `enforceLocalResolutionForTarFiles` function to automatically enable local resolution when tar files are detected in the `--container-images` flag.
- Enhance test coverage with new test cases for tar file detection and local resolution enforcement.
- Ensure integration with the scan create command to validate behavior with tar files.

- Replace magic number 2 with named constant minPartsForTaggedImage
- Fix tar file detection to reject invalid formats (e.g., file.tar:tag)
- Update test cases to reflect correct behavior (tar files cannot have tags)
- Add comprehensive test coverage for tar file detection and local resolution enforcement

- Allow oci-dir: prefix to reference directories without requiring tags
- Allow file:, docker-archive:, oci-archive: prefixes without tags
- Add comprehensive test coverage for oci-dir validation
- Fixes issue where skopeo-generated OCI directories were incorrectly rejected
- Test cases cover: oci-dir without tag, with tag, with tar files, missing directories
The OCI directory layout stores tag information internally, so requiring a tag in the CLI input is incorrect. This fix allows commands like: cx scan create --container-images "oci-dir:my-alpine-image" ... to work correctly with skopeo-generated OCI directories.

- Upgrade containers-resolver to v1.0.23 and containers-syft-packages-extractor to v1.0.19 in go.mod and go.sum.
- Refactor container image processing logic to pass images as-is to syft, removing the previous prefix-stripping functionality.
- Consolidate container image prefix constants for improved readability and maintainability.
- Enhance validation logic for container image formats by utilizing defined constants instead of hardcoded strings.

- Upgrade containers-resolver to v1.0.24 and containers-syft-packages-extractor to v1.0.20 in go.mod and go.sum for improved functionality and security.
cx-anurag-dalke left a comment
ok
cx-anurag-dalke left a comment
ok

Summary
This PR fixes the container-images flag to support Syft-compatible prefix syntax while restricting scanning to single images only.
Changes Made
✅ Added Prefix Syntax Support
🚫 Added Restrictions
🗑️ Removed Features
🧪 Testing
Backward Compatibility
Example Usage
Fixes: https://checkmarx.atlassian.net/browse/AST-108903