Shuffle things around

Signed-off-by: Christian Dupuis <[email protected]>

Author: cdupuis

commands/cmd.go

@@ -28,7 +28,7 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli-plugins/plugin"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/index-cli-plugin/internal"
+	"github.com/docker/index-cli-plugin/format"
 	"github.com/docker/index-cli-plugin/query"
 	"github.com/docker/index-cli-plugin/sbom"
 	"github.com/docker/index-cli-plugin/types"
@@ -225,67 +225,10 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 				return err
 			}
 
-			if len(*cves) > 0 {
-				for _, c := range *cves {
-					types.FormatCve(sb, &c)
-
-					if !remediate {
-						continue
-					}
-
-					var remediation = make([]string, 0)
-					layerIndex := -1
-					for _, p := range sb.Artifacts {
-						if p.Purl == c.Purl {
-							loc := p.Locations[0]
-							for i, l := range sb.Source.Image.Config.RootFS.DiffIDs {
-								if l.String() == loc.DiffId && layerIndex < i {
-									layerIndex = i
-								}
-							}
-
-							if rem := types.FormatPackageRemediation(p, c); rem != "" {
-								remediation = append(remediation, rem)
-							}
-						}
-					}
-
-					// see if the package comes in via the base image
-					s := internal.StartInfoSpinner("Detecting base image", dockerCli.Out().IsTerminal())
-					defer s.Stop()
-					baseImages, index, _ := query.Detect(img, true, workspace, apiKey)
-					s.Stop()
-					var baseImage *types.Image
-					if layerIndex <= index && baseImages != nil && len(*baseImages) > 0 {
-						baseImage = &(*baseImages)[0]
-
-						fmt.Println("")
-						fmt.Println("installed in base image")
-						fmt.Println("")
-						fmt.Println(types.FormatImage(baseImage))
-					}
-
-					if baseImage != nil {
-						s := internal.StartInfoSpinner("Finding alternative base images", dockerCli.Out().IsTerminal())
-						defer s.Stop()
-						aBaseImage, _ := query.ForBaseImageWithoutCve(c.SourceId, baseImage.Repository.Name, img, workspace, apiKey)
-						s.Stop()
-						if aBaseImage != nil && len(*aBaseImage) > 0 {
-							e := []string{fmt.Sprintf("Update base image\n\nAlternative base images not vulnerable to %s", c.SourceId)}
-							for _, a := range *aBaseImage {
-								e = append(e, types.FormatImage(&a))
-							}
-							remediation = append(remediation, strings.Join(e, "\n\n"))
-						}
-					}
-
-					types.FormatRemediation(remediation)
-				}
+			format.Cves(cve, cves, img, sb, remediate, dockerCli, workspace, apiKey)
 
+			if len(*cves) > 0 {
 				os.Exit(1)
-			} else {
-				fmt.Println(fmt.Sprintf("%s not detected", cve))
-				os.Exit(0)
 			}
 			return nil
 		},
@@ -303,7 +246,15 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		},
 	}
 
-	cmd.AddCommand(loginCommand, logoutCommand, sbomCommand, cveCommand, uploadCommand, diffCommand)
+	watchCommand := &cobra.Command{
+		Use:   "watch",
+		Short: "Watch for new images and trigger indexing",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return sbom.WatchImages(dockerCli)
+		},
+	}
+
+	cmd.AddCommand(loginCommand, logoutCommand, sbomCommand, cveCommand, uploadCommand, diffCommand, watchCommand)
 	return cmd
 }
 

format/cve.go

@@ -0,0 +1,108 @@
+/*
+ * Copyright © 2022 Docker, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package format
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/index-cli-plugin/internal"
+	"github.com/docker/index-cli-plugin/query"
+	"github.com/docker/index-cli-plugin/types"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
+
+func Cves(cve string, cves *[]types.Cve, img *v1.Image, sb *types.Sbom, remediate bool, dockerCli command.Cli, workspace string, apiKey string) {
+	if len(*cves) > 0 {
+		for _, c := range *cves {
+			Cve(sb, &c)
+
+			if !remediate {
+				continue
+			}
+
+			var remediation = make([]string, 0)
+			layerIndex := -1
+			for _, p := range sb.Artifacts {
+				if p.Purl == c.Purl {
+					loc := p.Locations[0]
+					for i, l := range sb.Source.Image.Config.RootFS.DiffIDs {
+						if l.String() == loc.DiffId && layerIndex < i {
+							layerIndex = i
+						}
+					}
+
+					if rem := PackageRemediation(p, c); rem != "" {
+						remediation = append(remediation, rem)
+					}
+				}
+			}
+
+			// see if the package comes in via the base image
+			s := internal.StartInfoSpinner("Detecting base image", dockerCli.Out().IsTerminal())
+			defer s.Stop()
+			baseImages, index, _ := query.Detect(img, true, workspace, apiKey)
+			s.Stop()
+			var baseImage *types.Image
+			if layerIndex <= index && baseImages != nil && len(*baseImages) > 0 {
+				baseImage = &(*baseImages)[0]
+
+				fmt.Println("")
+				fmt.Println("installed in base image")
+				fmt.Println("")
+				fmt.Println(Image(baseImage, true))
+			}
+
+			if baseImage != nil {
+				s := internal.StartInfoSpinner("Finding alternative base images", dockerCli.Out().IsTerminal())
+				defer s.Stop()
+				aBaseImage, _ := query.ForBaseImageWithoutCve(c.SourceId, baseImage.Repository.Name, img, workspace, apiKey)
+				s.Stop()
+
+				if aBaseImage != nil && len(*aBaseImage) > 0 {
+					// attempt to filter the list to only include tags we know about
+					mBaseImages := make([]types.Image, 0)
+					for _, bi := range *aBaseImage {
+						bTags := types.Tags(&bi)
+						for _, t := range baseImage.Tags {
+							if internal.Contains(bTags, t) {
+								mBaseImages = append(mBaseImages, bi)
+								break
+							}
+						}
+					}
+
+					e := []string{fmt.Sprintf("Update base image\n\nAlternative base images not vulnerable to %s", c.SourceId)}
+					if len(mBaseImages) > 0 {
+						for _, a := range mBaseImages {
+							e = append(e, Image(&a, false))
+						}
+					} else {
+						for _, a := range *aBaseImage {
+							e = append(e, Image(&a, false))
+						}
+					}
+					remediation = append(remediation, strings.Join(e, "\n\n"))
+				}
+			}
+			Remediation(remediation)
+		}
+	} else {
+		fmt.Println(fmt.Sprintf("%s not detected", cve))
+	}
+}

types/format.go renamed to format/format.go

@@ -14,14 +14,15 @@
  * limitations under the License.
  */
 
-package types
+package format
 
 import (
 	"fmt"
-	"sort"
 	"strconv"
 	"strings"
 
+	"github.com/docker/index-cli-plugin/internal"
+	"github.com/docker/index-cli-plugin/types"
 	"github.com/gookit/color"
 	"github.com/xeonx/timeago"
 )
@@ -64,22 +65,26 @@ func init() {
 	}
 }
 
-func FormatImage(image *Image) string {
+func Image(image *types.Image, imageTags bool) string {
 	e := ""
 	if image.Repository.Host != "hub.docker.com" {
 		e += image.Repository.Host + "/"
 	}
 	e += image.Repository.Name
 	e = defaultColors.green.Sprintf(e)
-	if tags := Tags(image); len(tags) > 0 {
+	tags := types.Tags(image)
+	if imageTags {
+		tags = types.ImageTags(image)
+	}
+	if len(tags) > 0 {
 		for i, t := range tags {
 			tags[i] = defaultColors.cyan.Sprintf(t)
 		}
 		e += ":" + strings.Join(tags, ", ")
 	}
 	if oc := officialContent(image); oc != "" {
 		e += " " + defaultColors.blue.Sprintf(oc)
-		if st := SupportedTag(image); st != "" {
+		if st := types.SupportedTag(image); st != "" {
 			e += " " + defaultColors.red.Sprintf(st)
 		}
 	}
@@ -97,7 +102,7 @@ func FormatImage(image *Image) string {
 	return e
 }
 
-func officialContent(image *Image) string {
+func officialContent(image *types.Image) string {
 	switch image.Repository.Badge {
 	case "open_source":
 		return " Sponsored OSS "
@@ -111,60 +116,19 @@ func officialContent(image *Image) string {
 	return ""
 }
 
-func Tags(image *Image) []string {
-	currentTags := make([]string, 0)
-	for _, tag := range image.Tag {
-		currentTags = append(currentTags, tag.Name)
-	}
-	for _, manifestList := range image.ManifestList {
-		for _, tag := range manifestList.Tags {
-			currentTags = append(currentTags, tag.Name)
-		}
-	}
-	sort.Slice(currentTags, func(i, j int) bool {
-		return len(currentTags[i]) < len(currentTags[j])
-	})
-	return currentTags
-}
-
-func SupportedTag(image *Image) string {
-	if tagCount := len(image.Repository.SupportedTags); tagCount > 0 {
-		unsupportedTags := make([]string, 0)
-		for _, tag := range image.Tags {
-			if !contains(image.Repository.SupportedTags, tag) {
-				unsupportedTags = append(unsupportedTags, tag)
-			}
-		}
-		if len(unsupportedTags) == len(image.Tags) {
-			return " unsupported tag "
-		}
-	}
-	return ""
-}
-
-func CurrentTag(image *Image) string {
-	currentTags := Tags(image)
+func CurrentTag(image *types.Image) string {
+	currentTags := types.Tags(image)
 	if len(currentTags) > 0 {
 		for _, tag := range image.Tags {
-			if contains(currentTags, tag) {
+			if internal.Contains(currentTags, tag) {
 				return ""
 			}
 		}
 	}
 	return " tag moved "
 }
 
-func contains(s []string, str string) bool {
-	for _, v := range s {
-		if v == str {
-			return true
-		}
-	}
-
-	return false
-}
-
-func RenderCommit(image *Image) string {
+func RenderCommit(image *types.Image) string {
 	if image.TeamId == "A11PU8L1C" {
 		return fmt.Sprintf("https://dso.docker.com/images/%s/digests/%s", image.Repository.Name, image.Digest)
 	} else if image.Commit.Sha != "" {
@@ -177,7 +141,7 @@ func RenderCommit(image *Image) string {
 	return ""
 }
 
-func RenderVulnerabilities(image *Image) string {
+func RenderVulnerabilities(image *types.Image) string {
 	if len(image.Report) > 0 {
 		report := image.Report[0]
 		if report.Total == -1 {
@@ -203,7 +167,7 @@ func RenderVulnerabilities(image *Image) string {
 	return ""
 }
 
-func FormatCve(sb *Sbom, c *Cve) {
+func Cve(sb *types.Sbom, c *types.Cve) {
 	sourceId := c.SourceId
 	if c.Cve != nil {
 		sourceId = c.Cve.SourceId
@@ -228,7 +192,7 @@ func FormatCve(sb *Sbom, c *Cve) {
 	}
 }
 
-func FormatRemediation(remediation []string) {
+func Remediation(remediation []string) {
 	if len(remediation) > 0 {
 		fmt.Println("")
 		fmt.Println(defaultColors.underline.Sprintf("Suggested remediation"))
@@ -238,8 +202,8 @@ func FormatRemediation(remediation []string) {
 	}
 }
 
-func FormatPackageRemediation(p Package, c Cve) string {
-	purl, _ := ToPackageUrl(p.Purl)
+func PackageRemediation(p types.Package, c types.Cve) string {
+	purl, _ := types.ToPackageUrl(p.Purl)
 	if c.FixedBy != "not fixed" {
 		switch purl.Type {
 		case "alpine":
@@ -298,8 +262,8 @@ func ColorizeSeverity(severity string) string {
 	}
 }
 
-func ToSeverity(cve Cve) string {
-	findSeverity := func(adv *Advisory) (string, bool) {
+func ToSeverity(cve types.Cve) string {
+	findSeverity := func(adv *types.Advisory) (string, bool) {
 		if adv == nil {
 			return "", false
 		}
@@ -328,7 +292,7 @@ func ToSeverity(cve Cve) string {
 	return "IN TRIAGE"
 }
 
-func ToSeverityInt(cve Cve) int {
+func ToSeverityInt(cve types.Cve) int {
 	severity := ToSeverity(cve)
 	switch severity {
 	case "CRITICAL":