Add Docker curation support

Author: basel1322

cli/docs/flags.go

@@ -139,7 +139,8 @@ const (
 	AnalyzerManagerCustomPath     = "analyzer-manager-path"
 
 	// Unique curation flags
-	CurationOutput = "curation-format"
+	CurationOutput  = "curation-format"
+	DockerImageName = "image"
 	SolutionPath   = "solution-path"
 
 	// Unique git flags
@@ -194,7 +195,7 @@ var commandFlags = map[string][]string{
 		StaticSca, XrayLibPluginBinaryCustomPath, AnalyzerManagerCustomPath, AddSastRules,
 	},
 	CurationAudit: {
-		CurationOutput, WorkingDirs, Threads, RequirementsFile, InsecureTls, useWrapperAudit, SolutionPath,
+		CurationOutput, WorkingDirs, Threads, RequirementsFile, InsecureTls, useWrapperAudit, SolutionPath,DockerImageName,
 	},
 	GitCountContributors: {
 		InputFile, ScmType, ScmApiUrl, Token, Owner, RepoName, Months, DetailedSummary, InsecureTls,
@@ -314,6 +315,9 @@ var flagsMap = map[string]components.Flag{
 
 	AddSastRules: components.NewStringFlag(AddSastRules, "Incorporate any additional SAST rules (in JSON format, with absolute path) into this local scan."),
 
+	// Docker flags
+	DockerImageName: components.NewStringFlag(DockerImageName, "[Docker] Defines the Docker image name to audit. Format: 'repo/path/image:tag'. For example: 'curation-docker/dweomer/nginx-auth-ldap:1.13.5' or 'repo/image:tag'. If no tag is provided, 'latest' is used."),
+
 	// Git flags
 	InputFile:       components.NewStringFlag(InputFile, "Path to an input file in YAML format contains multiple git providers. With this option, all other scm flags will be ignored and only git servers mentioned in the file will be examined.."),
 	ScmType:         components.NewStringFlag(ScmType, fmt.Sprintf("SCM type. Possible values are: %s.", contributors.NewScmType().GetValidScmTypeString()), components.SetMandatory()),

cli/scancommands.go

@@ -647,6 +647,7 @@ func getCurationCommand(c *components.Context) (*curation.CurationAuditCommand,
 		SetInsecureTls(c.GetBoolFlagValue(flags.InsecureTls)).
 		SetNpmScope(c.GetStringFlagValue(flags.DepType)).
 		SetPipRequirementsFile(c.GetStringFlagValue(flags.RequirementsFile)).
+		SetDockerImageName(c.GetStringFlagValue(flags.DockerImageName)).
 		SetSolutionFilePath(c.GetStringFlagValue(flags.SolutionPath))
 	return curationAuditCommand, nil
 }

commands/audit/auditbasicparams.go

@@ -49,6 +49,8 @@ type AuditParamsInterface interface {
 	AllowPartialResults() bool
 	GetXrayVersion() string
 	GetConfigProfile() *xscservices.ConfigProfile
+	DockerImageName() string
+	SetDockerImageName(dockerImageName string) *AuditBasicParams
 	SolutionFilePath() string
 	SetSolutionFilePath(solutionFilePath string) *AuditBasicParams
 }
@@ -81,6 +83,7 @@ type AuditBasicParams struct {
 	xrayVersion                      string
 	xscVersion                       string
 	configProfile                    *xscservices.ConfigProfile
+	dockerImageName                  string
 	solutionFilePath                 string
 }
 
@@ -334,6 +337,15 @@ func (abp *AuditBasicParams) GetConfigProfile() *xscservices.ConfigProfile {
 	return abp.configProfile
 }
 
+func (abp *AuditBasicParams) DockerImageName() string {
+	return abp.dockerImageName
+}
+
+func (abp *AuditBasicParams) SetDockerImageName(dockerImageName string) *AuditBasicParams {
+	abp.dockerImageName = dockerImageName
+	return abp
+}
+
 func (abp *AuditBasicParams) SolutionFilePath() string {
 	return abp.solutionFilePath
 }

commands/audit/auditparams.go

@@ -227,6 +227,8 @@ func (params *AuditParams) ToBuildInfoBomGenParams() (bomParams technologies.Bui
 		PipRequirementsFile: params.PipRequirementsFile(),
 		// Pnpm params
 		MaxTreeDepth: params.MaxTreeDepth(),
+		// Docker params
+		DockerImageName: params.DockerImageName(),
 	}
 	return
 }

commands/curation/curationaudit.go

@@ -37,6 +37,7 @@ import (
 	"github.com/jfrog/jfrog-cli-security/commands/audit"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies"
+	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/docker"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/python"
 	"github.com/jfrog/jfrog-cli-security/utils"
 	"github.com/jfrog/jfrog-cli-security/utils/formats"
@@ -102,6 +103,9 @@ var supportedTech = map[techutils.Technology]func(ca *CurationAuditCommand) (boo
 	techutils.Gem: func(ca *CurationAuditCommand) (bool, error) {
 		return ca.checkSupportByVersionOrEnv(techutils.Gem, MinArtiGradleGemSupport)
 	},
+	techutils.Docker: func(ca *CurationAuditCommand) (bool, error) {
+		return ca.checkDockerSupport()
+	},
 }
 
 func (ca *CurationAuditCommand) checkSupportByVersionOrEnv(tech techutils.Technology, minArtiVersion string) (bool, error) {
@@ -128,6 +132,17 @@ func (ca *CurationAuditCommand) checkSupportByVersionOrEnv(tech techutils.Techno
 	return true, nil
 }
 
+func (ca *CurationAuditCommand) checkDockerSupport() (bool, error) {
+	dockerImageName := ca.DockerImageName()
+	if dockerImageName == "" {
+		return false, nil
+	}
+	if !strings.Contains(dockerImageName, "/") {
+		return false, errorutils.CheckErrorf("invalid docker image format: '%s'. Expected format: 'repo/image:tag' or 'repo/path/image:tag'", dockerImageName)
+	}
+	return true, nil
+}
+
 func (ca *CurationAuditCommand) getRtVersion(tech techutils.Technology) (string, error) {
 	rtManager, _, err := ca.getRtManagerAndAuth(tech)
 	if err != nil {
@@ -350,6 +365,9 @@ func getPolicyAndConditionId(policy, condition string) string {
 
 func (ca *CurationAuditCommand) doCurateAudit(results map[string]*CurationReport) error {
 	techs := techutils.DetectedTechnologiesList()
+	if ca.DockerImageName() != "" {
+		techs = []string{techutils.Docker.String()}
+	}
 	for _, tech := range techs {
 		supportedFunc, ok := supportedTech[techutils.Technology(tech)]
 		if !ok {
@@ -390,8 +408,20 @@ func (ca *CurationAuditCommand) getRtManagerAndAuth(tech techutils.Technology) (
 
 func (ca *CurationAuditCommand) GetAuth(tech techutils.Technology) (serverDetails *config.ServerDetails, err error) {
 	if ca.PackageManagerConfig == nil {
-		if err = ca.SetRepo(tech); err != nil {
-			return
+		if tech == techutils.Docker {
+			serverDetails, err = ca.ServerDetails()
+			if err != nil {
+				return
+			}
+			repoConfig, err := docker.GetDockerRepositoryConfig(serverDetails, ca.DockerImageName())
+			if err != nil {
+				return nil, err
+			}
+			ca.setPackageManagerConfig(repoConfig)
+		} else {
+			if err = ca.SetRepo(tech); err != nil {
+				return
+			}
 		}
 	}
 	serverDetails, err = ca.PackageManagerConfig.ServerDetails()
@@ -426,6 +456,8 @@ func (ca *CurationAuditCommand) getBuildInfoParamsByTech() (technologies.BuildIn
 		NpmOverwritePackageLock: true,
 		// Python params
 		PipRequirementsFile: ca.PipRequirementsFile(),
+		// Docker params
+		DockerImageName: ca.DockerImageName(),
 		// NuGet params
 		SolutionFilePath: ca.SolutionFilePath(),
 	}, err
@@ -950,6 +982,8 @@ func getUrlNameAndVersionByTech(tech techutils.Technology, node *xrayUtils.Graph
 	case techutils.Nuget:
 		downloadUrls, name, version = getNugetNameScopeAndVersion(node.Id, artiUrl, repo)
 		return
+	case techutils.Docker:
+		return getDockerNameScopeAndVersion(node.Id, artiUrl, repo)
 	}
 	return
 }
@@ -1121,6 +1155,40 @@ func buildNpmDownloadUrl(url, repo, name, scope, version string) []string {
 	return []string{packageUrl}
 }
 
+func getDockerNameScopeAndVersion(id, artiUrl, repo string) (downloadUrls []string, name, scope, version string) {
+	if id == "" {
+		return
+	}
+
+	id = strings.TrimPrefix(id, "docker://")
+	var lastColonIndex int
+	if strings.Contains(id, ":sha256:") {
+		sha256Index := strings.Index(id, ":sha256:")
+		if sha256Index > 0 {
+			lastColonIndex = sha256Index
+		} else {
+			lastColonIndex = strings.LastIndex(id, ":")
+		}
+	} else {
+		lastColonIndex = strings.LastIndex(id, ":")
+	}
+
+	if lastColonIndex > 0 {
+		name = id[:lastColonIndex]
+		version = id[lastColonIndex+1:]
+	} else {
+		name = id
+		version = "latest"
+	}
+
+	if artiUrl != "" && repo != "" {
+		downloadUrls = []string{fmt.Sprintf("%s/api/docker/%s/v2/%s/manifests/%s",
+			strings.TrimSuffix(artiUrl, "/"), repo, name, version)}
+	}
+
+	return
+}
+
 func GetCurationOutputFormat(formatFlagVal string) (format outFormat.OutputFormat, err error) {
 	// Default print format is table.
 	format = outFormat.Table

commands/curation/curationaudit_test.go

@@ -427,7 +427,7 @@ func TestDoCurationAudit(t *testing.T) {
 			cleanUp := createCurationTestEnv(t, basePathToTests, tt, config)
 			defer cleanUp()
 			// Create audit command, and run it
-			results, err := createCurationCmdAndRun(tt)
+			results, err := createCurationCmdAndRun(tt, config)
 			// Validate the results
 			if tt.requestToError == nil {
 				assert.NoError(t, err)
@@ -505,14 +505,19 @@ func runPreTestExec(t *testing.T, basePathToTests string, testCase testCase) {
 	callbackPreTest()
 }
 
-func createCurationCmdAndRun(tt testCase) (cmdResults map[string]*CurationReport, err error) {
+func createCurationCmdAndRun(tt testCase, serverDetails *config.ServerDetails) (cmdResults map[string]*CurationReport, err error) {
 	curationCmd := NewCurationAuditCommand()
 	curationCmd.SetIsCurationCmd(true)
 	curationCmd.parallelRequests = 3
 	// For tests, we use localhost http server (nuget have issues without setting insecureTls)
 	curationCmd.SetInsecureTls(true)
 	curationCmd.SetIgnoreConfigFile(tt.shouldIgnoreConfigFile)
 	curationCmd.SetInsecureTls(tt.allowInsecureTls)
+	if tt.dockerImageName != "" {
+		curationCmd.SetDockerImageName(tt.dockerImageName)
+		// Docker requires server details to be set explicitly
+		curationCmd.SetServerDetails(serverDetails)
+	}
 	cmdResults = map[string]*CurationReport{}
 	err = curationCmd.doCurateAudit(cmdResults)
 	return
@@ -568,6 +573,7 @@ type testCase struct {
 	tech                     techutils.Technology
 	createServerWithoutCreds bool
 	allowInsecureTls         bool
+	dockerImageName          string
 }
 
 func (tc testCase) getPathToTests() string {
@@ -983,6 +989,43 @@ func getTestCasesForDoCurationAudit() []testCase {
 			},
 			allowInsecureTls: true,
 		},
+		{
+			name:            "docker tree - one blocked package",
+			tech:            techutils.Docker,
+			pathToProject:   filepath.Join("projects", "package-managers", "docker", "curation-project"),
+			dockerImageName: "repo-test-docker/dweomer/nginx-auth-ldap:1.13.5-on-alpine-3.5",
+			requestToFail: map[string]bool{
+				"/api/docker/repo-test-docker/v2/dweomer/nginx-auth-ldap/manifests/1.13.5-on-alpine-3.5": true,
+			},
+			expectedRequest: map[string]bool{
+				"/api/docker/repo-test-docker/v2/dweomer/nginx-auth-ldap/manifests/1.13.5-on-alpine-3.5": false,
+			},
+			expectedResp: map[string]*CurationReport{
+				"root:latest": {
+					packagesStatus: []*PackageStatus{
+						{
+							Action:            "blocked",
+							ParentName:        "dweomer/nginx-auth-ldap",
+							ParentVersion:     "1.13.5-on-alpine-3.5",
+							BlockedPackageUrl: "/api/docker/repo-test-docker/v2/dweomer/nginx-auth-ldap/manifests/1.13.5-on-alpine-3.5",
+							PackageName:       "dweomer/nginx-auth-ldap",
+							PackageVersion:    "1.13.5-on-alpine-3.5",
+							DepRelation:       "direct",
+							PkgType:           "docker",
+							BlockingReason:    "Policy violations",
+							Policy: []Policy{
+								{
+									Policy:    "pol1",
+									Condition: "cond1",
+								},
+							},
+						},
+					},
+					totalNumberOfPackages: 0,
+				},
+			},
+			allowInsecureTls: true,
+		},
 	}
 	return tests
 }
@@ -1185,6 +1228,99 @@ func Test_getGemNameScopeAndVersion(t *testing.T) {
 	}
 }
 
+func Test_getDockerNameScopeAndVersion(t *testing.T) {
+	tests := []struct {
+		name             string
+		id               string
+		artiUrl          string
+		repo             string
+		wantDownloadUrls []string
+		wantName         string
+		wantScope        string
+		wantVersion      string
+	}{
+		{
+			name:             "Basic docker image with tag",
+			id:               "docker://nginx:1.21.0",
+			artiUrl:          "http://test.jfrog.io/artifactory",
+			repo:             "docker-remote",
+			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/nginx/manifests/1.21.0"},
+			wantName:         "nginx",
+			wantScope:        "",
+			wantVersion:      "1.21.0",
+		},
+		{
+			name:             "Docker image with registry prefix",
+			id:               "docker://registry.example.com/nginx:1.21.0",
+			artiUrl:          "http://test.jfrog.io/artifactory",
+			repo:             "docker-remote",
+			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/registry.example.com/nginx/manifests/1.21.0"},
+			wantName:         "registry.example.com/nginx",
+			wantScope:        "",
+			wantVersion:      "1.21.0",
+		},
+		{
+			name:             "Docker image with sha256 digest",
+			id:               "docker://nginx:sha256:abc123def456",
+			artiUrl:          "http://test.jfrog.io/artifactory",
+			repo:             "docker-remote",
+			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/nginx/manifests/sha256:abc123def456"},
+			wantName:         "nginx",
+			wantScope:        "",
+			wantVersion:      "sha256:abc123def456",
+		},
+		{
+			name:             "Docker image without version defaults to latest",
+			id:               "docker://nginx",
+			artiUrl:          "http://test.jfrog.io/artifactory",
+			repo:             "docker-remote",
+			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/nginx/manifests/latest"},
+			wantName:         "nginx",
+			wantScope:        "",
+			wantVersion:      "latest",
+		},
+		{
+			name:             "Empty id returns empty values",
+			id:               "",
+			artiUrl:          "http://test.jfrog.io/artifactory",
+			repo:             "docker-remote",
+			wantDownloadUrls: nil,
+			wantName:         "",
+			wantScope:        "",
+			wantVersion:      "",
+		},
+		{
+			name:             "Without artiUrl and repo, no download URL",
+			id:               "docker://nginx:1.21.0",
+			artiUrl:          "",
+			repo:             "",
+			wantDownloadUrls: nil,
+			wantName:         "nginx",
+			wantScope:        "",
+			wantVersion:      "1.21.0",
+		},
+		{
+			name:             "Artifactory URL with trailing slash",
+			id:               "docker://nginx:1.21.0",
+			artiUrl:          "http://test.jfrog.io/artifactory/",
+			repo:             "docker-remote",
+			wantDownloadUrls: []string{"http://test.jfrog.io/artifactory/api/docker/docker-remote/v2/nginx/manifests/1.21.0"},
+			wantName:         "nginx",
+			wantScope:        "",
+			wantVersion:      "1.21.0",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotDownloadUrls, gotName, gotScope, gotVersion := getDockerNameScopeAndVersion(tt.id, tt.artiUrl, tt.repo)
+			assert.Equal(t, tt.wantDownloadUrls, gotDownloadUrls, "downloadUrls mismatch")
+			assert.Equal(t, tt.wantName, gotName, "name mismatch")
+			assert.Equal(t, tt.wantScope, gotScope, "scope mismatch")
+			assert.Equal(t, tt.wantVersion, gotVersion, "version mismatch")
+		})
+	}
+}
+
 func Test_getNugetNameScopeAndVersion(t *testing.T) {
 	tests := []struct {
 		name        string