Add query for image details

Author: cdupuis

query/async.go

@@ -24,12 +24,13 @@ import (
 
 type queryResult struct {
 	Cves       []types.Cve
-	BaseImages []types.BaseImage
+	BaseImages []types.BaseImageMatch
+	Image      *types.BaseImage
 	Error      error
 }
 
 func ForCvesAndBaseImagesAsync(sb *types.Sbom, includeCves bool, includeBaseImages bool, workspace string, apiKey string) *types.Sbom {
-	resultChan := make(chan queryResult, 2)
+	resultChan := make(chan queryResult, 3)
 	var wg sync.WaitGroup
 	if includeCves {
 		wg.Add(1)
@@ -49,7 +50,7 @@ func ForCvesAndBaseImagesAsync(sb *types.Sbom, includeCves bool, includeBaseImag
 		}()
 	}
 	if includeBaseImages {
-		wg.Add(1)
+		wg.Add(2)
 		go func() {
 			defer wg.Done()
 			bi, err := ForBaseImageInGraphQL(sb.Source.Image.Config, true)
@@ -64,6 +65,20 @@ func ForCvesAndBaseImagesAsync(sb *types.Sbom, includeCves bool, includeBaseImag
 				}
 			}
 		}()
+		go func() {
+			defer wg.Done()
+			bi, err := ForImageInGraphQL(sb)
+			if err != nil {
+				resultChan <- queryResult{
+					Error: err,
+				}
+			}
+			if bi != nil && bi.ImageDetailsByDigest.Digest != "" {
+				resultChan <- queryResult{
+					Image: &bi.ImageDetailsByDigest,
+				}
+			}
+		}()
 	}
 	wg.Wait()
 	close(resultChan)
@@ -75,6 +90,9 @@ func ForCvesAndBaseImagesAsync(sb *types.Sbom, includeCves bool, includeBaseImag
 		if result.Cves != nil {
 			sb.Vulnerabilities = result.Cves
 		}
+		if result.Image != nil {
+			sb.Source.Image.Details = result.Image
+		}
 	}
 
 	return sb

query/base.go

@@ -246,12 +246,7 @@ func ForBaseImageInGraphQL(cfg *v1.ConfigFile, excludeSelf bool) (*types.BaseIma
 	for ii, _ := range q.ImagesByDiffIds {
 		for bi, _ := range q.ImagesByDiffIds[ii].Images {
 			count++
-			if q.ImagesByDiffIds[ii].Images[bi].Repository.Host == "hub.docker.com" && strings.Index(q.ImagesByDiffIds[ii].Images[bi].Repository.Repo, "/") < 0 {
-				q.ImagesByDiffIds[ii].Images[bi].Repository.Badge = "OFFICIAL"
-			}
-			if q.ImagesByDiffIds[ii].Images[bi].Repository.Badge != "" {
-				q.ImagesByDiffIds[ii].Images[bi].Repository.Badge = strings.ToLower(q.ImagesByDiffIds[ii].Images[bi].Repository.Badge)
-			}
+			q.ImagesByDiffIds[ii].Images[bi].Repository = normalizeRepository(&q.ImagesByDiffIds[ii].Images[bi]).Repository
 		}
 	}
 	if count == 1 {
@@ -261,3 +256,35 @@ func ForBaseImageInGraphQL(cfg *v1.ConfigFile, excludeSelf bool) (*types.BaseIma
 	}
 	return &q, nil
 }
+
+func ForImageInGraphQL(sb *types.Sbom) (*types.ImageByDigestQuery, error) {
+	url := "https://api.dso.docker.com/v1/graphql"
+	client := graphql.NewClient(url, nil)
+	variables := map[string]interface{}{
+		"digest":       sb.Source.Image.Digest,
+		"os":           sb.Source.Image.Platform.Os,
+		"architecture": sb.Source.Image.Platform.Architecture,
+		"variant":      sb.Source.Image.Platform.Variant,
+	}
+
+	var q types.ImageByDigestQuery
+	err := client.Query(context.Background(), &q, variables)
+	if err != nil {
+		fmt.Sprintf("error %v", err)
+		return nil, errors.Wrapf(err, "failed to run query")
+	}
+	if q.ImageDetailsByDigest.Digest != "" {
+		q.ImageDetailsByDigest.Repository = normalizeRepository(&q.ImageDetailsByDigest).Repository
+	}
+	return &q, nil
+}
+
+func normalizeRepository(image *types.BaseImage) *types.BaseImage {
+	if image.Repository.Host == "hub.docker.com" && strings.Index(image.Repository.Repo, "/") < 0 {
+		image.Repository.Badge = "OFFICIAL"
+	}
+	if image.Repository.Badge != "" {
+		image.Repository.Badge = strings.ToLower(image.Repository.Badge)
+	}
+	return image
+}

registry/save.go

@@ -64,8 +64,11 @@ func (i ImageId) String() string {
 }
 
 type ImageCache struct {
-	Digest    string
-	Name      string
+	Id     string
+	Digest string
+	Name   string
+	Tags   []string
+
 	Image     *v1.Image
 	ImagePath string
 	Ref       *name.Reference
@@ -180,57 +183,75 @@ func SaveImage(image string, cli command.Cli) (*ImageCache, error) {
 		return tarFileName, nil
 	}
 
-	desc, err := remote.Get(ref, withAuth())
-	if err != nil {
+	// check local first because it is the fastest
+	im, _, err := cli.Client().ImageInspectWithRaw(context.Background(), image)
+	if err == nil {
 		img, err := daemon.Image(ImageId{name: image}, daemon.WithClient(cli.Client()))
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to pull image: %s", image)
-		} else {
-			im, _, err := cli.Client().ImageInspectWithRaw(context.Background(), image)
-			if err != nil {
-				return nil, errors.Wrapf(err, "failed to get local image: %s", image)
-			}
-			imagePath, err := createPaths(im.ID)
-			if err != nil {
-				return nil, errors.Wrapf(err, "failed to create cache paths")
-			}
-			return &ImageCache{
-				Digest:    im.ID,
-				Name:      image,
-				Image:     &img,
-				Ref:       &ref,
-				ImagePath: imagePath,
-				copy:      true,
-				cli:       cli,
-			}, nil
 		}
-	} else {
-		img, err := desc.Image()
+		imagePath, err := createPaths(im.ID)
 		if err != nil {
-			return nil, errors.Wrapf(err, "failed to pull image: %s", image)
+			return nil, errors.Wrapf(err, "failed to create cache paths")
 		}
-		var digest string
-		identifier := ref.Identifier()
-		if strings.HasPrefix(identifier, "sha256:") {
-			digest = identifier
-		} else {
-			digestHash, _ := img.Digest()
-			digest = digestHash.String()
+		var name, digest string
+		tags := make([]string, 0)
+		for _, d := range im.RepoDigests {
+			name = strings.Split(d, "@")[0]
+			digest = strings.Split(d, "@")[1]
 		}
-		imagePath, err := createPaths(digest)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to create cache paths")
+		for _, t := range im.RepoTags {
+			name = strings.Split(t, ":")[0]
+			tags = append(tags, strings.Split(t, ":")[1])
 		}
 		return &ImageCache{
-			Digest:    digest,
-			Name:      image,
+			Id:     im.ID,
+			Digest: digest,
+			Name:   name,
+			Tags:   tags,
+
 			Image:     &img,
 			Ref:       &ref,
 			ImagePath: imagePath,
 			copy:      true,
 			cli:       cli,
 		}, nil
 	}
+	// try remote image next
+	desc, err := remote.Get(ref, withAuth())
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to pull image: %s", image)
+	}
+	img, err := desc.Image()
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to pull image: %s", image)
+	}
+	var digest string
+	tags := make([]string, 0)
+	identifier := ref.Identifier()
+	if strings.HasPrefix(identifier, "sha256:") {
+		digest = identifier
+	} else {
+		digestHash, _ := img.Digest()
+		digest = digestHash.String()
+		tags = append(tags, identifier)
+	}
+	imagePath, err := createPaths(digest)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to create cache paths")
+	}
+	return &ImageCache{
+		Id:     digest,
+		Digest: digest,
+		Name:   image,
+		Image:  &img,
+		Tags:   tags,
+
+		Ref:       &ref,
+		ImagePath: imagePath,
+		copy:      true,
+		cli:       cli,
+	}, nil
 }
 
 func withAuth() remote.Option {

sbom/index.go

@@ -30,7 +30,6 @@ import (
 	"github.com/docker/index-cli-plugin/query"
 	"github.com/docker/index-cli-plugin/registry"
 	"github.com/docker/index-cli-plugin/types"
-	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/pkg/errors"
 )
@@ -80,7 +79,7 @@ func IndexImage(image string, cli command.Cli) (*types.Sbom, error) {
 
 func indexImage(cache *registry.ImageCache, cli command.Cli) (*types.Sbom, error) {
 	configFilePath := cli.ConfigFile().Filename
-	sbomFilePath := filepath.Join(filepath.Dir(configFilePath), "sbom", "sha256", cache.Digest[7:], "sbom.json")
+	sbomFilePath := filepath.Join(filepath.Dir(configFilePath), "sbom", "sha256", cache.Id[7:], "sbom.json")
 	if sbom := cachedSbom(sbomFilePath); sbom != nil {
 		return sbom, nil
 	}
@@ -118,27 +117,14 @@ func indexImage(cache *registry.ImageCache, cli command.Cli) (*types.Sbom, error
 	config, _ := (*cache.Image).RawConfigFile()
 	c, _ := (*cache.Image).ConfigFile()
 	m, _ := (*cache.Image).Manifest()
-	d, _ := (*cache.Image).Digest()
-
-	var tag []string
-	if cache.Name != "" {
-		ref, err := name.ParseReference(cache.Name)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to parse reference: %s", cache.Name)
-		}
-		cache.Name = ref.Context().String()
-		if !strings.HasPrefix(ref.Identifier(), "sha256:") {
-			tag = []string{ref.Identifier()}
-		}
-	}
 
 	sbom := types.Sbom{
 		Artifacts: packages,
 		Source: types.Source{
 			Type: "image",
 			Image: types.ImageSource{
 				Name:        cache.Name,
-				Digest:      d.String(),
+				Digest:      cache.Digest,
 				Manifest:    m,
 				Config:      c,
 				RawManifest: base64.StdEncoding.EncodeToString(manifest),
@@ -159,8 +145,8 @@ func indexImage(cache *registry.ImageCache, cli command.Cli) (*types.Sbom, error
 		},
 	}
 
-	if len(tag) > 0 {
-		sbom.Source.Image.Tags = &tag
+	if len(cache.Tags) > 0 {
+		sbom.Source.Image.Tags = &cache.Tags
 	}
 
 	js, err := json.MarshalIndent(sbom, "", "  ")

types/graphql_types.go

@@ -1,44 +1,50 @@
 package types
 
 type BaseImage struct {
-	DiffIds []string `graphql:"matches" json:"diff_ids,omitempty"`
-	Images  []struct {
-		CreatedAt  string `graphql:"createdAt" json:"created_at,omitempty"`
-		Digest     string `graphql:"digest" json:"digest,omitempty"`
-		Repository struct {
-			Badge         string   `graphql:"badge" json:"badge,omitempty"`
-			Host          string   `graphql:"hostName" json:"host,omitempty"`
-			Repo          string   `graphql:"repoName" json:"repo,omitempty"`
-			SupportedTags []string `graphql:"supportedTags" json:"supported_tags,omitempty"`
-			PreferredTags []string `graphql:"preferredTags" json:"preferred_tags,omitempty"`
-		} `graphql:"repository" json:"repository"`
-		Tags []struct {
-			Current   bool   `graphql:"current" json:"current"`
-			Name      string `graphql:"name" json:"name,omitempty"`
-			Supported bool   `graphql:"supported" json:"supported"`
-		} `graphql:"tags" json:"tags,omitempty"`
-		DockerFile struct {
-			Commit struct {
-				Repository struct {
-					Org  string `graphql:"orgName" json:"org,omitempty"`
-					Repo string `graphql:"repoName" json:"repo,omitempty"`
-				} `graphql:"repository" json:"repository,omitempty"`
-				Sha string `graphql:"sha" json:"sha,omitempty"`
-			} `json:"commit,omitempty"`
-			Path string `graphql:"path" json:"path,omitempty"`
-		} `graphql:"dockerFile" json:"docker_file,omitempty"`
-		PackageCount        int `graphql:"packageCount" json:"package_count,omitempty"`
-		VulnerabilityReport struct {
-			Critical    int `graphql:"critical" json:"critical,omitempty"`
-			High        int `graphql:"high" json:"high,omitempty"`
-			Medium      int `graphql:"medium" json:"medium,omitempty"`
-			Low         int `graphql:"low" json:"low,omitempty"`
-			Unspecified int `graphql:"unspecified" json:"unspecified,omitempty"`
-			Total       int `graphql:"total" json:"total,omitempty"`
-		} `graphql:"vulnerabilityReport" json:"vulnerability_report"`
-	} `graphql:"images" json:"images,omitempty"`
+	CreatedAt  string `graphql:"createdAt" json:"created_at,omitempty"`
+	Digest     string `graphql:"digest" json:"digest,omitempty"`
+	Repository struct {
+		Badge         string   `graphql:"badge" json:"badge,omitempty"`
+		Host          string   `graphql:"hostName" json:"host,omitempty"`
+		Repo          string   `graphql:"repoName" json:"repo,omitempty"`
+		SupportedTags []string `graphql:"supportedTags" json:"supported_tags,omitempty"`
+		PreferredTags []string `graphql:"preferredTags" json:"preferred_tags,omitempty"`
+	} `graphql:"repository" json:"repository"`
+	Tags []struct {
+		Current   bool   `graphql:"current" json:"current"`
+		Name      string `graphql:"name" json:"name,omitempty"`
+		Supported bool   `graphql:"supported" json:"supported"`
+	} `graphql:"tags" json:"tags,omitempty"`
+	DockerFile struct {
+		Commit struct {
+			Repository struct {
+				Org  string `graphql:"orgName" json:"org,omitempty"`
+				Repo string `graphql:"repoName" json:"repo,omitempty"`
+			} `graphql:"repository" json:"repository,omitempty"`
+			Sha string `graphql:"sha" json:"sha,omitempty"`
+		} `json:"commit,omitempty"`
+		Path string `graphql:"path" json:"path,omitempty"`
+	} `graphql:"dockerFile" json:"docker_file,omitempty"`
+	PackageCount        int `graphql:"packageCount" json:"package_count,omitempty"`
+	VulnerabilityReport struct {
+		Critical    int `graphql:"critical" json:"critical,omitempty"`
+		High        int `graphql:"high" json:"high,omitempty"`
+		Medium      int `graphql:"medium" json:"medium,omitempty"`
+		Low         int `graphql:"low" json:"low,omitempty"`
+		Unspecified int `graphql:"unspecified" json:"unspecified,omitempty"`
+		Total       int `graphql:"total" json:"total,omitempty"`
+	} `graphql:"vulnerabilityReport" json:"vulnerability_report"`
+}
+
+type BaseImageMatch struct {
+	DiffIds []string    `graphql:"matches" json:"diff_ids,omitempty"`
+	Images  []BaseImage `graphql:"images" json:"images,omitempty"`
 }
 
 type BaseImagesByDiffIdsQuery struct {
-	ImagesByDiffIds []BaseImage `graphql:"imagesByDiffIds(context: {}, diffIds: $diffIds)"`
+	ImagesByDiffIds []BaseImageMatch `graphql:"imagesByDiffIds(context: {}, diffIds: $diffIds)"`
+}
+
+type ImageByDigestQuery struct {
+	ImageDetailsByDigest BaseImage `graphql:"imageDetailsByDigest(context: {}, digest: $digest, platform: {os: $os, architecture: $architecture, variant: $variant})"`
 }

types/types.go

@@ -114,6 +114,7 @@ type ImageSource struct {
 	Distro      Distro         `json:"distro"`
 	Platform    Platform       `json:"platform"`
 	Size        int64          `json:"size"`
+	Details     *BaseImage     `json:"details,omitempty""`
 }
 
 type Descriptor struct {
@@ -123,9 +124,9 @@ type Descriptor struct {
 }
 
 type Source struct {
-	Type       string      `json:"type"`
-	Image      ImageSource `json:"image"`
-	BaseImages []BaseImage `json:"base_images,omitempty"`
+	Type       string           `json:"type"`
+	Image      ImageSource      `json:"image"`
+	BaseImages []BaseImageMatch `json:"base_images,omitempty"`
 }
 
 type Sbom struct {