Improved Docker curation to use docker pull and add Accept headers for manifest requests

basel1322 · basel1322 · commit c6939ff721bf · 2025-12-10T23:20:52.000+02:00
diff --git a/cli/docs/flags.go b/cli/docs/flags.go
@@ -141,7 +141,7 @@ const (
 	// Unique curation flags
 	CurationOutput  = "curation-format"
 	DockerImageName = "image"
-	SolutionPath   = "solution-path"
+	SolutionPath    = "solution-path"
 
 	// Unique git flags
 	InputFile       = "input-file"
@@ -195,7 +195,7 @@ var commandFlags = map[string][]string{
 		StaticSca, XrayLibPluginBinaryCustomPath, AnalyzerManagerCustomPath, AddSastRules,
 	},
 	CurationAudit: {
-		CurationOutput, WorkingDirs, Threads, RequirementsFile, InsecureTls, useWrapperAudit, SolutionPath,DockerImageName,
+		CurationOutput, WorkingDirs, Threads, RequirementsFile, InsecureTls, useWrapperAudit, SolutionPath, DockerImageName,
 	},
 	GitCountContributors: {
 		InputFile, ScmType, ScmApiUrl, Token, Owner, RepoName, Months, DetailedSummary, InsecureTls,
@@ -316,7 +316,7 @@ var flagsMap = map[string]components.Flag{
 	AddSastRules: components.NewStringFlag(AddSastRules, "Incorporate any additional SAST rules (in JSON format, with absolute path) into this local scan."),
 
 	// Docker flags
-	DockerImageName: components.NewStringFlag(DockerImageName, "[Docker] Defines the Docker image name to audit. Format: 'repo/path/image:tag'. For example: 'curation-docker/dweomer/nginx-auth-ldap:1.13.5' or 'repo/image:tag'. If no tag is provided, 'latest' is used."),
+	DockerImageName: components.NewStringFlag(DockerImageName, "[Docker] Defines the Docker image name to audit. Uses the same format as Docker client with Artifactory. Examples: 'acme.jfrog.io/docker-local/nginx:1.21' (repository path) or 'acme-docker-local.jfrog.io/nginx:1.21' (subdomain). Supports all Artifactory hosting methods."),
 
 	// Git flags
 	InputFile:       components.NewStringFlag(InputFile, "Path to an input file in YAML format contains multiple git providers. With this option, all other scm flags will be ignored and only git servers mentioned in the file will be examined.."),
diff --git a/commands/curation/curationaudit.go b/commands/curation/curationaudit.go
@@ -853,6 +853,9 @@ func (nc *treeAnalyzer) fetchNodeStatus(node xrayUtils.GraphNode, p *sync.Map) e
 	if scope != "" {
 		name = scope + "/" + name
 	}
+	if nc.tech == techutils.Docker {
+		nc.httpClientDetails.Headers["Accept"] = "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json"
+	}
 	for _, packageUrl := range packageUrls {
 		resp, _, err := nc.rtManager.Client().SendHead(packageUrl, &nc.httpClientDetails)
 		if err != nil {
@@ -1161,32 +1164,21 @@ func getDockerNameScopeAndVersion(id, artiUrl, repo string) (downloadUrls []stri
 	}
 
 	id = strings.TrimPrefix(id, "docker://")
-	var lastColonIndex int
-	if strings.Contains(id, ":sha256:") {
-		sha256Index := strings.Index(id, ":sha256:")
-		if sha256Index > 0 {
-			lastColonIndex = sha256Index
-		} else {
-			lastColonIndex = strings.LastIndex(id, ":")
-		}
-	} else {
-		lastColonIndex = strings.LastIndex(id, ":")
-	}
 
-	if lastColonIndex > 0 {
-		name = id[:lastColonIndex]
-		version = id[lastColonIndex+1:]
+	if idx := strings.Index(id, ":sha256:"); idx > 0 {
+		name, version = id[:idx], id[idx+1:]
+	} else if idx := strings.LastIndex(id, ":"); idx > 0 {
+		name, version = id[:idx], id[idx+1:]
 	} else {
-		name = id
-		version = "latest"
+		name, version = id, "latest"
 	}
 
 	if artiUrl != "" && repo != "" {
 		downloadUrls = []string{fmt.Sprintf("%s/api/docker/%s/v2/%s/manifests/%s",
 			strings.TrimSuffix(artiUrl, "/"), repo, name, version)}
 	}
 
-	return
+	return downloadUrls, name, scope, version
 }
 
 func GetCurationOutputFormat(formatFlagVal string) (format outFormat.OutputFormat, err error) {
diff --git a/sca/bom/buildinfo/technologies/docker/docker.go b/sca/bom/buildinfo/technologies/docker/docker.go
@@ -1,11 +1,9 @@
 package docker
 
 import (
-	"encoding/json"
 	"fmt"
 	"os/exec"
 	"regexp"
-	"runtime"
 	"strings"
 
 	"github.com/jfrog/jfrog-cli-core/v2/common/project"
@@ -24,19 +22,10 @@ type DockerImageInfo struct {
 	Tag      string
 }
 
-type dockerManifestList struct {
-	Manifests []struct {
-		Digest   string `json:"digest"`
-		Platform struct {
-			Architecture string `json:"architecture"`
-			OS           string `json:"os"`
-		} `json:"platform"`
-	} `json:"manifests"`
-}
-
 var (
 	jfrogSubdomainPattern = regexp.MustCompile(`^([a-zA-Z0-9]+)-([a-zA-Z0-9-]+)\.jfrog\.io$`)
 	ipAddressPattern      = regexp.MustCompile(`^\d+\.`)
+	hexDigestPattern      = regexp.MustCompile(`[a-fA-F0-9]{64}`)
 )
 
 func ParseDockerImage(imageName string) (*DockerImageInfo, error) {
@@ -141,33 +130,34 @@ func BuildDependencyTree(params technologies.BuildInfoBomGeneratorParams) ([]*xr
 }
 
 func getArchDigestUsingDocker(fullImageName string) (string, error) {
-	cmd := exec.Command("docker", "buildx", "imagetools", "inspect", "--raw", fullImageName)
-	output, err := cmd.CombinedOutput()
+	log.Debug(fmt.Sprintf("Pulling Docker image: %s", fullImageName))
+	pullCmd := exec.Command("docker", "pull", fullImageName)
+	output, err := pullCmd.CombinedOutput()
 	if err != nil {
 		outputStr := string(output)
-		if strings.Contains(outputStr, "403") || strings.Contains(outputStr, "Forbidden") {
-			return "", nil
+		if strings.Contains(outputStr, "curation service") {
+			return extractDigestFromBlockedMessage(outputStr), nil
 		}
-		return "", fmt.Errorf("%s", strings.TrimSpace(outputStr))
+		return "", fmt.Errorf("docker pull failed: %s", strings.TrimSpace(outputStr))
 	}
 
-	var manifestList dockerManifestList
-	if err := json.Unmarshal(output, &manifestList); err != nil {
+	inspectCmd := exec.Command("docker", "inspect", fullImageName, "--format", "{{index .RepoDigests 0}}")
+	output, err = inspectCmd.CombinedOutput()
+	if err != nil {
 		return "", nil
 	}
-
-	if len(manifestList.Manifests) == 0 {
-		return "", nil
+	repoDigest := strings.TrimSpace(string(output))
+	if idx := strings.Index(repoDigest, "@"); idx > 0 {
+		return repoDigest[idx+1:], nil
 	}
+	return "", nil
+}
 
-	currentArch := runtime.GOARCH
-	for _, manifest := range manifestList.Manifests {
-		if manifest.Platform.Architecture == currentArch && manifest.Digest != "" {
-			return manifest.Digest, nil
-		}
+func extractDigestFromBlockedMessage(output string) string {
+	if match := hexDigestPattern.FindString(output); match != "" {
+		return "sha256:" + match
 	}
-
-	return "", nil
+	return ""
 }
 
 func GetDockerRepositoryConfig(serverDetails *config.ServerDetails, imageName string) (*project.RepositoryConfig, error) {
