Docker curation supprot (#608)

Author: basel1322

cli/docs/flags.go

@@ -151,8 +151,9 @@ const (
 	AnalyzerManagerCustomPath     = "analyzer-manager-path"
 
 	// Unique curation flags
-	CurationOutput = "curation-format"
-	SolutionPath   = "solution-path"
+	CurationOutput  = "curation-format"
+	DockerImageName = "image"
+	SolutionPath    = "solution-path"
 
 	// Unique git flags
 	InputFile       = "input-file"
@@ -211,7 +212,7 @@ var commandFlags = map[string][]string{
 		StaticSca, XrayLibPluginBinaryCustomPath, AnalyzerManagerCustomPath, AddSastRules,
 	},
 	CurationAudit: {
-		CurationOutput, WorkingDirs, Threads, RequirementsFile, InsecureTls, useWrapperAudit, SolutionPath,
+		CurationOutput, WorkingDirs, Threads, RequirementsFile, InsecureTls, useWrapperAudit, SolutionPath, DockerImageName,
 	},
 	GitCountContributors: {
 		InputFile, ScmType, ScmApiUrl, Token, Owner, RepoName, Months, DetailedSummary, InsecureTls,
@@ -336,6 +337,9 @@ var flagsMap = map[string]components.Flag{
 
 	AddSastRules: components.NewStringFlag(AddSastRules, "Incorporate any additional SAST rules (in JSON format, with absolute path) into this local scan."),
 
+	// Docker flags
+	DockerImageName: components.NewStringFlag(DockerImageName, "Specifies the Docker image name to audit. Uses the same format as the Docker CLI, including Artifactory-hosted images."),
+
 	// Git flags
 	InputFile: components.NewStringFlag(InputFile, "Path to an input file in YAML format contains multiple git providers. With this option, all other scm flags will be ignored and only git servers mentioned in the file will be examined.."),
 	ScmType:   components.NewStringFlag(ScmType, fmt.Sprintf("SCM type. Possible values are: %s.", contributors.NewScmType().GetValidScmTypeString()), components.SetMandatory()),

cli/scancommands.go

@@ -697,6 +697,7 @@ func getCurationCommand(c *components.Context) (*curation.CurationAuditCommand,
 		SetNpmScope(c.GetStringFlagValue(flags.DepType)).
 		SetPipRequirementsFile(c.GetStringFlagValue(flags.RequirementsFile)).
 		SetSolutionFilePath(c.GetStringFlagValue(flags.SolutionPath))
+	curationAuditCommand.SetDockerImageName(c.GetStringFlagValue(flags.DockerImageName))
 	return curationAuditCommand, nil
 }
 

commands/curation/curationaudit.go

@@ -37,6 +37,7 @@ import (
 	"github.com/jfrog/jfrog-cli-security/commands/audit"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies"
+	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/docker"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/python"
 	"github.com/jfrog/jfrog-cli-security/utils"
 	"github.com/jfrog/jfrog-cli-security/utils/formats"
@@ -102,6 +103,7 @@ var supportedTech = map[techutils.Technology]func(ca *CurationAuditCommand) (boo
 	techutils.Gem: func(ca *CurationAuditCommand) (bool, error) {
 		return ca.checkSupportByVersionOrEnv(techutils.Gem, MinArtiGradleGemSupport)
 	},
+	techutils.Docker: func(ca *CurationAuditCommand) (bool, error) { return true, nil },
 }
 
 func (ca *CurationAuditCommand) checkSupportByVersionOrEnv(tech techutils.Technology, minArtiVersion string) (bool, error) {
@@ -217,6 +219,7 @@ type CurationAuditCommand struct {
 	workingDirs          []string
 	OriginPath           string
 	parallelRequests     int
+	dockerImageName      string
 	audit.AuditParamsInterface
 }
 
@@ -253,6 +256,15 @@ func (ca *CurationAuditCommand) SetParallelRequests(threads int) *CurationAuditC
 	return ca
 }
 
+func (ca *CurationAuditCommand) DockerImageName() string {
+	return ca.dockerImageName
+}
+
+func (ca *CurationAuditCommand) SetDockerImageName(dockerImageName string) *CurationAuditCommand {
+	ca.dockerImageName = dockerImageName
+	return ca
+}
+
 func (ca *CurationAuditCommand) Run() (err error) {
 	rootDir, err := os.Getwd()
 	if err != nil {
@@ -350,6 +362,10 @@ func getPolicyAndConditionId(policy, condition string) string {
 
 func (ca *CurationAuditCommand) doCurateAudit(results map[string]*CurationReport) error {
 	techs := techutils.DetectedTechnologiesList()
+	if ca.DockerImageName() != "" {
+		log.Debug(fmt.Sprintf("Docker image name '%s' was provided, running Docker curation audit.", ca.DockerImageName()))
+		techs = []string{techutils.Docker.String()}
+	}
 	for _, tech := range techs {
 		supportedFunc, ok := supportedTech[techutils.Technology(tech)]
 		if !ok {
@@ -426,6 +442,8 @@ func (ca *CurationAuditCommand) getBuildInfoParamsByTech() (technologies.BuildIn
 		NpmOverwritePackageLock: true,
 		// Python params
 		PipRequirementsFile: ca.PipRequirementsFile(),
+		// Docker params
+		DockerImageName: ca.DockerImageName(),
 		// NuGet params
 		SolutionFilePath: ca.SolutionFilePath(),
 	}, err
@@ -718,6 +736,16 @@ func (ca *CurationAuditCommand) CommandName() string {
 }
 
 func (ca *CurationAuditCommand) SetRepo(tech techutils.Technology) error {
+	// If the technology is Docker, we need to get the repository config from the Docker image name
+	if tech == techutils.Docker {
+		repoConfig, err := docker.GetDockerRepositoryConfig(ca.DockerImageName())
+		if err != nil {
+			return err
+		}
+		ca.setPackageManagerConfig(repoConfig)
+		return nil
+	}
+
 	resolverParams, err := ca.getRepoParams(techutils.TechToProjectType[tech])
 	if err != nil {
 		return err
@@ -950,6 +978,9 @@ func getUrlNameAndVersionByTech(tech techutils.Technology, node *xrayUtils.Graph
 	case techutils.Nuget:
 		downloadUrls, name, version = getNugetNameScopeAndVersion(node.Id, artiUrl, repo)
 		return
+	case techutils.Docker:
+		downloadUrls, name, version = getDockerNameAndVersion(node.Id, artiUrl, repo)
+		return
 	}
 	return
 }
@@ -1134,6 +1165,39 @@ func buildNpmDownloadUrl(url, repo, name, scope, version string) []string {
 	return []string{packageUrl}
 }
 
+func getDockerNameAndVersion(id, artiUrl, repo string) (downloadUrls []string, name, version string) {
+	if id == "" {
+		return
+	}
+
+	id = strings.TrimPrefix(id, "docker://")
+
+	sha256Idx := strings.Index(id, ":sha256:")
+	tagIdx := strings.LastIndex(id, ":")
+
+	switch {
+	// Example: docker://nginx:sha256:abc123def456
+	case sha256Idx > 0:
+		name = id[:sha256Idx]
+		version = id[sha256Idx+1:]
+	// Example: docker://nginx:1.21
+	case tagIdx > 0:
+		name = id[:tagIdx]
+		version = id[tagIdx+1:]
+	// Example: docker://nginx (no tag specified, defaults to "latest")
+	default:
+		name = id
+		version = "latest"
+	}
+
+	if artiUrl != "" && repo != "" {
+		downloadUrls = []string{fmt.Sprintf("%s/api/docker/%s/v2/%s/manifests/%s",
+			strings.TrimSuffix(artiUrl, "/"), repo, name, version)}
+	}
+
+	return
+}
+
 func GetCurationOutputFormat(formatFlagVal string) (format outFormat.OutputFormat, err error) {
 	// Default print format is table.
 	format = outFormat.Table

commands/curation/curationaudit_test.go

@@ -1187,6 +1187,62 @@ func Test_getGemNameScopeAndVersion(t *testing.T) {
 	}
 }
 
+func Test_getDockerNameAndVersion(t *testing.T) {
+	tests := []struct {
+		name             string
+		id               string
+		artiUrl          string
+		repo             string
+		wantDownloadUrls []string
+		wantName         string
+		wantVersion      string
+	}{
+		{
+			name:             "Basic docker image with tag",
+			id:               "docker://nginx:1.21.0",
+			artiUrl:          "http://test.jfrog.io/artifactory",
+			repo:             "docker-remote",
+			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/nginx/manifests/1.21.0"},
+			wantName:         "nginx",
+			wantVersion:      "1.21.0",
+		},
+		{
+			name:             "Docker image with registry prefix",
+			id:               "docker://registry.example.com/nginx:1.21.0",
+			artiUrl:          "http://test.jfrog.io/artifactory",
+			repo:             "docker-remote",
+			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/registry.example.com/nginx/manifests/1.21.0"},
+			wantName:         "registry.example.com/nginx",
+			wantVersion:      "1.21.0",
+		},
+		{
+			name:             "Docker image with sha256 digest",
+			id:               "docker://nginx:sha256:abc123def456",
+			artiUrl:          "http://test.jfrog.io/artifactory",
+			repo:             "docker-remote",
+			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/nginx/manifests/sha256:abc123def456"},
+			wantName:         "nginx",
+			wantVersion:      "sha256:abc123def456",
+		},
+		{
+			name:             "Docker image without version defaults to latest",
+			id:               "docker://nginx",
+			artiUrl:          "http://test.jfrog.io/artifactory",
+			repo:             "docker-remote",
+			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/nginx/manifests/latest"},
+			wantName:         "nginx",
+			wantVersion:      "latest",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotDownloadUrls, gotName, gotVersion := getDockerNameAndVersion(tt.id, tt.artiUrl, tt.repo)
+			assert.Equal(t, tt.wantDownloadUrls, gotDownloadUrls, "downloadUrls mismatch")
+			assert.Equal(t, tt.wantName, gotName, "name mismatch")
+			assert.Equal(t, tt.wantVersion, gotVersion, "version mismatch")
+		})
+	}
+}
 func Test_getNugetNameScopeAndVersion(t *testing.T) {
 	tests := []struct {
 		name        string

curation_test.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"sync"
 	"testing"
@@ -105,6 +106,34 @@ func getCurationExpectedResponse(config *config.ServerDetails) []curation.Packag
 	return expectedResp
 }
 
+func TestDockerCurationAudit(t *testing.T) {
+	integration.InitCurationTest(t)
+	if securityTests.ContainerRegistry == nil || *securityTests.ContainerRegistry == "" || runtime.GOOS == "darwin" {
+		t.Skip("Skipping Docker curation test - container registry not configured")
+	}
+	cleanUp := integration.UseTestHomeWithDefaultXrayConfig(t)
+	defer cleanUp()
+
+	testImage := fmt.Sprintf("%s/%s/%s", *securityTests.ContainerRegistry, "docker-curation", "ganodndentcom/drupal")
+
+	output := securityTests.PlatformCli.WithoutCredentials().RunCliCmdWithOutput(t, "curation-audit",
+		"--image="+testImage,
+		"--format="+string(format.Json))
+	bracketIndex := strings.Index(output, "[")
+	require.GreaterOrEqual(t, bracketIndex, 0, "Expected JSON array in output, got: %s", output)
+
+	var results []curation.PackageStatus
+	err := json.Unmarshal([]byte(output[bracketIndex:]), &results)
+	require.NoError(t, err)
+
+	require.NotEmpty(t, results, "Expected at least one blocked package")
+	assert.Equal(t, "blocked", results[0].Action)
+	assert.Equal(t, "ganodndentcom/drupal", results[0].PackageName)
+	assert.Equal(t, curation.BlockingReasonPolicy, results[0].BlockingReason)
+	require.NotEmpty(t, results[0].Policy, "Expected at least one policy violation")
+	assert.Equal(t, "Malicious package", results[0].Policy[0].Condition)
+}
+
 func curationServer(t *testing.T, expectedRequest map[string]bool, requestToFail map[string]bool) (*httptest.Server, *config.ServerDetails) {
 	mapLockReadWrite := sync.Mutex{}
 	serverMock, config, _ := commonTests.CreateRtRestsMockServer(t, func(w http.ResponseWriter, r *http.Request) {

sca/bom/buildinfo/buildinfobom.go

@@ -29,6 +29,7 @@ import (
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/cocoapods"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/conan"
+	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/docker"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/gem"
 	_go "github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/go"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/java"
@@ -225,6 +226,8 @@ func GetTechDependencyTree(params technologies.BuildInfoBomGeneratorParams, arti
 			return depTreeResult, fmt.Errorf("your xray version %s does not allow swift scanning", params.XrayVersion)
 		}
 		depTreeResult.FullDepTrees, uniqueDepsIds, err = swift.BuildDependencyTree(params)
+	case techutils.Docker:
+		depTreeResult.FullDepTrees, uniqueDepsIds, err = docker.BuildDependencyTree(params)
 	default:
 		err = errorutils.CheckErrorf("%s is currently not supported", string(tech))
 	}

sca/bom/buildinfo/technologies/common.go

@@ -58,6 +58,8 @@ type BuildInfoBomGeneratorParams struct {
 	NpmOverwritePackageLock bool
 	// Pnpm params
 	MaxTreeDepth string
+	// Docker params
+	DockerImageName string
 	// NuGet params
 	SolutionFilePath string
 }