oscap-docker: don't start images to scan them

Starting images to scan them has downsides, including that the image must be able to be started and stay running, which isn't always easy. For example, not all images contain `bash` or a shell at all.

By instead using the approach taken by `oscap-podman` and extracting the image then scanning it (instead of starting the container and scanning the resulting mount), the container never needs to be run.

This approach allows `oscap-docker` to scan any image (including those without `bash`).

Author: candrews

utils/oscap_docker_python/oscap_docker_util.py

@@ -19,6 +19,10 @@
 from __future__ import print_function
 
 import os
+import io
+from pathlib import Path
+from itertools import chain
+import tarfile
 import tempfile
 import shutil
 from oscap_docker_python.get_cve_input import getInputCVE
@@ -45,63 +49,51 @@ def __init__(self, target, is_image=False, oscap_binary='oscap'):
         # init docker high level API (to deal with start/stop/run containers/image)
         self.client_api = docker.from_env()
         self.is_image = is_image
-        self.stop_at_end = False  # stop the container after scan if True
         self.oscap_binary = oscap_binary or 'oscap'
         self.container_name = None
         self.image_name = None
+        self.extracted_container = False
 
         # init docker low level api (useful for deep details like container pid)
         self.client = self.client_api.api
 
         if self.is_image:
             self.image_name, self.config = self._get_image_name_and_config(target)
             if self.image_name:
-                print("Running given image in a temporary container ...")
+                print("Creating a temporary container for the image...")
                 self.container_name = "tmp_oscap_" + str(uuid.uuid1())
 
                 try:
                     tmp_cont = self.client.create_container(
-                        self.image_name, 'bash', name=self.container_name, tty=True)
-                    # tty=True is required in order to keep the container running
-                    self.client.start(container=tmp_cont.get('Id'))
+                        self.image_name, name=self.container_name)
 
                     self.config = self.client.inspect_container(self.container_name)
-                    if int(self.config["State"]["Pid"]) == 0:
-                        sys.stderr.write("Cannot run image {0}.\n".format(self.image_name))
-                    else:
-                        self.pid = int(self.config["State"]["Pid"])
                 except Exception as e:
-                    sys.stderr.write("Cannot run image {0}.\n".format(self.image_name))
+                    sys.stderr.write("Cannot create container for image {0}.\n".format(self.image_name))
                     raise e
+                
+                self._extract_container()
             else:
                 raise ValueError("Image {0} not found.\n".format(target))
 
         else:
             self.container_name, self.config = \
                 self._get_container_name_and_config(target)
+            if not self.container_name:
+                raise ValueError("Container {0} not found.\n".format(target))
 
             # is the container running ?
             if int(self.config["State"]["Pid"]) == 0:
-                print("Container {0} is stopped, running it temporarily ..."
+                print("Container {0} is stopped"
                       .format(self.container_name))
 
-                self.client_api.containers.get(self.container_name).start()
-                self.container_name, self.config = \
-                    self._get_container_name_and_config(target)
-
-                if int(self.config["State"]["Pid"]) == 0:
-                    sys.stderr.write(
-                        "Cannot keep running container {0}, skip it.\n \
-                        Please start this container before scan it.\n"
-                        .format(self.container_name))
-                else:
-                    self.stop_at_end = True
-
-            # now we are sure that the container is running, get its PID
-            self.pid = int(self.config["State"]["Pid"])
+                self._extract_container()
+            else:
+                print("Container {0} is running, using its existing mount..."
+                      .format(self.container_name))
+                self.mountpoint = "/proc/{0}/root".format(self.config["State"]["Pid"])
 
         if self._check_container_mountpoint():
-            self.mountpoint = "/proc/{0}/root".format(self.pid)
             print("Docker container {0} ready to be scanned."
                   .format(self.container_name))
         else:
@@ -113,14 +105,27 @@ def __init__(self, target, is_image=False, oscap_binary='oscap'):
 
     def _end(self):
         if self.is_image:
-            # stop and remove the temporary container
-            self.client.stop(self.container_name)
+            # remove the temporary container
             self.client.remove_container(self.container_name)
             print("Temporary container {0} cleaned".format(self.container_name))
-        else:
-            if self.stop_at_end:
-                # just stop the container if the tool have started it.
-                self.client.stop(self.container_name)
+        if self.extracted_container:
+            print("Cleaning temporary extracted container...")
+            shutil.rmtree(self.mountpoint)
+
+    def _extract_container(self):
+        '''
+        Extracts the container and sets mountpoint to the extracted directory
+        '''
+        with tempfile.TemporaryFile() as tar:
+            for chunk in self.client.export(self.container_name):
+                tar.write(chunk)
+            tar.seek(0)
+            self.mountpoint = tempfile.mkdtemp()
+            self.extracted_container = True
+            with tarfile.open(fileobj=tar) as tf:
+                tf.extractall(path=self.mountpoint)
+            Path(os.path.join(self.mountpoint, '.dockerenv')).touch()
+
 
     def _get_image_name_and_config(self, target):
         '''
@@ -159,7 +164,7 @@ def _check_container_mountpoint(self):
         '''
         Ensure that the container fs is well mounted and return its path
         '''
-        return os.access("/proc/{0}/root".format(self.pid), os.R_OK)
+        return os.access(self.mountpoint, os.R_OK)
 
     def scan_cve(self, scan_args):
         '''
@@ -210,7 +215,7 @@ def scan(self, scan_args):
         Wrapper function forwarding oscap args for an offline scan
         '''
         scan_result = oscap_chroot(
-            "/proc/{0}/root".format(self.pid),
+            self.mountpoint,
             self.oscap_binary, scan_args,
             self.image_name or self.container_name,
             self.config["Config"].get("Env", []) or []  # because Env can exists but be None