improved the code

Author: basel1322

cli/scancommands.go

@@ -648,8 +648,8 @@ func getCurationCommand(c *components.Context) (*curation.CurationAuditCommand,
 		SetInsecureTls(c.GetBoolFlagValue(flags.InsecureTls)).
 		SetNpmScope(c.GetStringFlagValue(flags.DepType)).
 		SetPipRequirementsFile(c.GetStringFlagValue(flags.RequirementsFile)).
-		SetDockerImageName(c.GetStringFlagValue(flags.DockerImageName)).
 		SetSolutionFilePath(c.GetStringFlagValue(flags.SolutionPath))
+	curationAuditCommand.SetDockerImageName(c.GetStringFlagValue(flags.DockerImageName))
 	return curationAuditCommand, nil
 }
 

commands/audit/auditbasicparams.go

@@ -49,8 +49,6 @@ type AuditParamsInterface interface {
 	AllowPartialResults() bool
 	GetXrayVersion() string
 	GetConfigProfile() *xscservices.ConfigProfile
-	DockerImageName() string
-	SetDockerImageName(dockerImageName string) *AuditBasicParams
 	SolutionFilePath() string
 	SetSolutionFilePath(solutionFilePath string) *AuditBasicParams
 }
@@ -83,7 +81,6 @@ type AuditBasicParams struct {
 	xrayVersion                      string
 	xscVersion                       string
 	configProfile                    *xscservices.ConfigProfile
-	dockerImageName                  string
 	solutionFilePath                 string
 }
 
@@ -337,15 +334,6 @@ func (abp *AuditBasicParams) GetConfigProfile() *xscservices.ConfigProfile {
 	return abp.configProfile
 }
 
-func (abp *AuditBasicParams) DockerImageName() string {
-	return abp.dockerImageName
-}
-
-func (abp *AuditBasicParams) SetDockerImageName(dockerImageName string) *AuditBasicParams {
-	abp.dockerImageName = dockerImageName
-	return abp
-}
-
 func (abp *AuditBasicParams) SolutionFilePath() string {
 	return abp.solutionFilePath
 }

commands/audit/auditparams.go

@@ -232,8 +232,6 @@ func (params *AuditParams) ToBuildInfoBomGenParams() (bomParams technologies.Bui
 		PipRequirementsFile: params.PipRequirementsFile(),
 		// Pnpm params
 		MaxTreeDepth: params.MaxTreeDepth(),
-		// Docker params
-		DockerImageName: params.DockerImageName(),
 	}
 	return
 }

commands/curation/curationaudit.go

@@ -219,6 +219,7 @@ type CurationAuditCommand struct {
 	workingDirs          []string
 	OriginPath           string
 	parallelRequests     int
+	dockerImageName      string
 	audit.AuditParamsInterface
 }
 
@@ -255,6 +256,15 @@ func (ca *CurationAuditCommand) SetParallelRequests(threads int) *CurationAuditC
 	return ca
 }
 
+func (ca *CurationAuditCommand) DockerImageName() string {
+	return ca.dockerImageName
+}
+
+func (ca *CurationAuditCommand) SetDockerImageName(dockerImageName string) *CurationAuditCommand {
+	ca.dockerImageName = dockerImageName
+	return ca
+}
+
 func (ca *CurationAuditCommand) Run() (err error) {
 	rootDir, err := os.Getwd()
 	if err != nil {
@@ -353,6 +363,7 @@ func getPolicyAndConditionId(policy, condition string) string {
 func (ca *CurationAuditCommand) doCurateAudit(results map[string]*CurationReport) error {
 	techs := techutils.DetectedTechnologiesList()
 	if ca.DockerImageName() != "" {
+		log.Debug(fmt.Sprintf("Docker image name '%s' was provided, running Docker curation audit.", ca.DockerImageName()))
 		techs = []string{techutils.Docker.String()}
 	}
 	for _, tech := range techs {
@@ -968,7 +979,8 @@ func getUrlNameAndVersionByTech(tech techutils.Technology, node *xrayUtils.Graph
 		downloadUrls, name, version = getNugetNameScopeAndVersion(node.Id, artiUrl, repo)
 		return
 	case techutils.Docker:
-		return getDockerNameScopeAndVersion(node.Id, artiUrl, repo)
+		downloadUrls, name, version = getDockerNameAndVersion(node.Id, artiUrl, repo)
+		return
 	}
 	return
 }
@@ -1153,20 +1165,27 @@ func buildNpmDownloadUrl(url, repo, name, scope, version string) []string {
 	return []string{packageUrl}
 }
 
-func getDockerNameScopeAndVersion(id, artiUrl, repo string) (downloadUrls []string, name, scope, version string) {
+func getDockerNameAndVersion(id, artiUrl, repo string) (downloadUrls []string, name, version string) {
 	if id == "" {
 		return
 	}
 
 	id = strings.TrimPrefix(id, "docker://")
 
-	if idx := strings.Index(id, ":sha256:"); idx > 0 {
-		name = id[:idx]
-		version = id[idx+1:]
-	} else if idx := strings.LastIndex(id, ":"); idx > 0 {
-		name = id[:idx]
-		version = id[idx+1:]
-	} else {
+	sha256Idx := strings.Index(id, ":sha256:")
+	tagIdx := strings.LastIndex(id, ":")
+
+	switch {
+	// Example: docker://nginx:sha256:abc123def456
+	case sha256Idx > 0:
+		name = id[:sha256Idx]
+		version = id[sha256Idx+1:]
+	// Example: docker://nginx:1.21
+	case tagIdx > 0:
+		name = id[:tagIdx]
+		version = id[tagIdx+1:]
+	// Example: docker://nginx (no tag specified, defaults to "latest")
+	default:
 		name = id
 		version = "latest"
 	}
@@ -1176,7 +1195,7 @@ func getDockerNameScopeAndVersion(id, artiUrl, repo string) (downloadUrls []stri
 			strings.TrimSuffix(artiUrl, "/"), repo, name, version)}
 	}
 
-	return downloadUrls, name, scope, version
+	return
 }
 
 func GetCurationOutputFormat(formatFlagVal string) (format outFormat.OutputFormat, err error) {

commands/curation/curationaudit_test.go

@@ -1187,15 +1187,14 @@ func Test_getGemNameScopeAndVersion(t *testing.T) {
 	}
 }
 
-func Test_getDockerNameScopeAndVersion(t *testing.T) {
+func Test_getDockerNameAndVersion(t *testing.T) {
 	tests := []struct {
 		name             string
 		id               string
 		artiUrl          string
 		repo             string
 		wantDownloadUrls []string
 		wantName         string
-		wantScope        string
 		wantVersion      string
 	}{
 		{
@@ -1205,7 +1204,6 @@ func Test_getDockerNameScopeAndVersion(t *testing.T) {
 			repo:             "docker-remote",
 			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/nginx/manifests/1.21.0"},
 			wantName:         "nginx",
-			wantScope:        "",
 			wantVersion:      "1.21.0",
 		},
 		{
@@ -1215,7 +1213,6 @@ func Test_getDockerNameScopeAndVersion(t *testing.T) {
 			repo:             "docker-remote",
 			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/registry.example.com/nginx/manifests/1.21.0"},
 			wantName:         "registry.example.com/nginx",
-			wantScope:        "",
 			wantVersion:      "1.21.0",
 		},
 		{
@@ -1225,7 +1222,6 @@ func Test_getDockerNameScopeAndVersion(t *testing.T) {
 			repo:             "docker-remote",
 			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/nginx/manifests/sha256:abc123def456"},
 			wantName:         "nginx",
-			wantScope:        "",
 			wantVersion:      "sha256:abc123def456",
 		},
 		{
@@ -1235,16 +1231,14 @@ func Test_getDockerNameScopeAndVersion(t *testing.T) {
 			repo:             "docker-remote",
 			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/nginx/manifests/latest"},
 			wantName:         "nginx",
-			wantScope:        "",
 			wantVersion:      "latest",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			gotDownloadUrls, gotName, gotScope, gotVersion := getDockerNameScopeAndVersion(tt.id, tt.artiUrl, tt.repo)
+			gotDownloadUrls, gotName, gotVersion := getDockerNameAndVersion(tt.id, tt.artiUrl, tt.repo)
 			assert.Equal(t, tt.wantDownloadUrls, gotDownloadUrls, "downloadUrls mismatch")
 			assert.Equal(t, tt.wantName, gotName, "name mismatch")
-			assert.Equal(t, tt.wantScope, gotScope, "scope mismatch")
 			assert.Equal(t, tt.wantVersion, gotVersion, "version mismatch")
 		})
 	}

curation_test.go

@@ -14,7 +14,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/jfrog/jfrog-cli-security/cli"
 	"github.com/jfrog/jfrog-cli-security/commands/curation"
 	securityTests "github.com/jfrog/jfrog-cli-security/tests"
 	securityTestUtils "github.com/jfrog/jfrog-cli-security/tests/utils"
@@ -114,16 +113,12 @@ func TestDockerCurationAudit(t *testing.T) {
 	}
 	cleanUp := integration.UseTestHomeWithDefaultXrayConfig(t)
 	defer cleanUp()
-	integration.CreateJfrogHomeConfig(t, "", securityTests.XrDetails, true)
-
-	testCli := integration.GetXrayTestCli(cli.GetJfrogCliSecurityApp(), false)
 
 	testImage := fmt.Sprintf("%s/%s/%s", *securityTests.ContainerRegistry, "docker-curation", "ganodndentcom/drupal")
 
-	output := testCli.WithoutCredentials().RunCliCmdWithOutput(t, "curation-audit",
+	output := securityTests.PlatformCli.WithoutCredentials().RunCliCmdWithOutput(t, "curation-audit",
 		"--image="+testImage,
 		"--format="+string(format.Json))
-
 	bracketIndex := strings.Index(output, "[")
 	require.GreaterOrEqual(t, bracketIndex, 0, "Expected JSON array in output, got: %s", output)
 

sca/bom/buildinfo/technologies/docker/docker.go

@@ -56,9 +56,7 @@ func ParseDockerImage(imageName string) (*DockerImageInfo, error) {
 	}
 
 	info.Registry = parts[0]
-	repo, image := parseRegistryAndExtract(info.Registry, parts[1])
-	info.Repo = repo
-	info.Image = image
+	info.Repo, info.Image = parseRegistryAndExtract(info.Registry, parts[1])
 
 	log.Debug(fmt.Sprintf("Parsed Docker image - Registry: %s, Repo: %s, Image: %s, Tag: %s",
 		info.Registry, info.Repo, info.Image, info.Tag))
@@ -121,6 +119,8 @@ func BuildDependencyTree(params technologies.BuildInfoBomGeneratorParams) ([]*xr
 
 	log.Debug(fmt.Sprintf("Docker image reference: %s", imageRef))
 
+	// Note: It does NOT extract the actual dependencies/packages inside the Docker image layers.
+	// The graph contains just the image reference to verify if it's blocked by curation policies.
 	rootId := imageInfo.Image + ":" + imageInfo.Tag
 	return []*xrayUtils.GraphNode{{Id: rootId, Nodes: []*xrayUtils.GraphNode{{Id: imageRef}}}},
 		[]string{imageRef}, nil
@@ -150,6 +150,7 @@ func getArchDigestUsingDocker(fullImageName string) (string, error) {
 	localArch := parts[1]
 
 	log.Debug(fmt.Sprintf("Local platform: %s/%s", localOS, localArch))
+	// In case the image is found locally, we need to get the digest of the image using the buildx.
 
 	buildxCmd := exec.Command("docker", "buildx", "imagetools", "inspect", fullImageName, "--raw")
 	buildxOutput, buildxErr := buildxCmd.CombinedOutput()

sca/bom/buildinfo/technologies/docker/docker_test.go

@@ -138,9 +138,32 @@ func TestBuildDependencyTree(t *testing.T) {
 		name            string
 		dockerImageName string
 		expectError     bool
+		errorContains   string
 	}{
-		{name: "Empty image name", dockerImageName: "", expectError: true},
-		{name: "No registry", dockerImageName: "image:tag", expectError: true},
+		{
+			name:            "Empty image name",
+			dockerImageName: "",
+			expectError:     true,
+			errorContains:   "docker image name is required",
+		},
+		{
+			name:            "No registry - single part image",
+			dockerImageName: "nginx",
+			expectError:     true,
+			errorContains:   "invalid docker image format",
+		},
+		{
+			name:            "No registry - image with tag only",
+			dockerImageName: "nginx:1.21",
+			expectError:     true,
+			errorContains:   "invalid docker image format",
+		},
+		{
+			name:            "Whitespace only",
+			dockerImageName: "   ",
+			expectError:     true,
+			errorContains:   "invalid docker image format",
+		},
 	}
 
 	for _, tt := range tests {
@@ -149,6 +172,11 @@ func TestBuildDependencyTree(t *testing.T) {
 			_, _, err := BuildDependencyTree(params)
 			if tt.expectError {
 				assert.Error(t, err)
+				if tt.errorContains != "" {
+					assert.Contains(t, err.Error(), tt.errorContains)
+				}
+			} else {
+				assert.NoError(t, err)
 			}
 		})
 	}