readme updates, not stripping hash prefix from image IDs in dockerutil.SaveImage calls

kcq · kcq · commit 8889f5e88163 · 2024-06-28T23:27:01.000-07:00
Signed-off-by: Kyle Quest &lt;kcq.public@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -548,7 +548,7 @@ In the interactive CLI prompt mode you must specify the target image using the `
 - `--image-build-engine` - Select image build engine: `internal` | `docker` | `none` (`internal` - build the output image without using Docker [default behavior], `docker` - build the output image with Docker, `none` - don't build the output image, allows you to do your own build with the tools you want to use, which you'll be able to do by pointing to the artifact directory where the `files.tar` and `Dockerfile` artifacts are located for the output image)
 - `--image-build-arch` - Select output image build architecture (use the standard container image names for the architectures without the OS part)
 - `--obfuscate-metadata` - Obfuscate the operating system and application metadata to make it more challenging to identify the image components including OS and application packages. As a side effect using this flag will hide vulnerabilities from vulnerability scanners that rely on the OS and programming language specific package metadata to identify vulnerabilities in container images. This flag can be used to prevent vulnerability scanners from detecting vulnerabilities. This flag also prevents some SBOM generation tools from detecting operating system and application packages.
-- `--obfuscate-app-package-names` - Select the obfuscation mode for the application package names. Available modes: `none` | `empty` | `prefix` | `random` (`none` - Do no app package name obfuscation; `empty` - Replace the app package names with empty values; `prefix` - Prefix app package names with a string; `random` - Replace app package names with random values). This flag changes package names, so the packages can't be recognized by vulnerability scanning and SBOM generation tools. The "empty" mode completely hides the packages from the vulnerability scanners and from SBOM tools. This flag can be used with the `--obfuscate-metadata` flag.
+- `--obfuscate-app-package-names` - Select the obfuscation mode for the application package names. Available modes: `none` | `empty` | `prefix` | `random` (`none` - Do no app package name obfuscation; `empty` - Replace the app package names with empty values; `prefix` - Prefix app package names with a string; `random` - Replace app package names with random values). This flag changes package names, so the packages can't be recognized by vulnerability scanning and SBOM generation tools. The "empty" mode completely hides the packages from vulnerability scanners and from SBOM tools. This flag can be used with the `--obfuscate-metadata` flag.
 - `--enable-mondel` - Enable monitor data event log for sensor monitors to log/stream the events captured by those monitors (default: false)
 - `--command-params-file` -  JSON file with all command parameters - the JSON file can use a snake case formatted commands example `--docker-config-path` would be `docker_config_path`
 
diff --git a/pkg/app/master/command/build/flags.go b/pkg/app/master/command/build/flags.go
@@ -235,8 +235,8 @@ const (
 	FlagCBONetworkUsage          = "Networking mode to use for the RUN instructions at build-time"
 	FlagCBOCacheFromUsage        = "Add an image to the build cache"
 
-	FlagObfuscateMetadataUsage        = "Obfuscate the standard system and application metadata to make it more challenging to identify the image components"
-	FlagObfuscateAppPackageNamesUsage = "Select app package name obfuscate mode: none | empty | prefix | random"
+	FlagObfuscateMetadataUsage        = "Obfuscate the operating system and application metadata to make it hard or impossible to identify the target image components. Using this flag will hide vulnerabilities from vulnerability scanners that rely on the OS and programming language specific package metadata to identify vulnerabilities in container images. This flag can be used to prevent vulnerability scanners from detecting vulnerabilities. This flag also prevents some SBOM generation tools from detecting operating system and application packages."
+	FlagObfuscateAppPackageNamesUsage = "Select app package name obfuscate mode: none | empty | prefix | random. This flag changes package names, so the packages can't be recognized by vulnerability scanning and SBOM generation tools. The 'empty' mode completely hides the packages from vulnerability scanners and from SBOM tools."
 )
 
 var Flags = map[string]cli.Flag{
diff --git a/pkg/docker/dockerutil/dockerutil.go b/pkg/docker/dockerutil/dockerutil.go
@@ -286,7 +286,8 @@ func SaveImage(dclient *dockerapi.Client, imageRef, local string, extract, remov
 		}
 	}
 
-	imageRef = CleanImageID(imageRef)
+	//don't strip the hash prefix (alternative ExportImage API call implementations want full image IDs)
+	//imageRef = CleanImageID(imageRef)
 
 	//todo: 'pull' the image if it's not available locally yet
 	//note: HasImage() doesn't work with image IDs

Original file line number	Diff line number	Diff line change
`@@ -235,8 +235,8 @@ const (`
`235`	`235`	`FlagCBONetworkUsage = "Networking mode to use for the RUN instructions at build-time"`
`236`	`236`	`FlagCBOCacheFromUsage = "Add an image to the build cache"`
`237`	`237`
`238`		`- FlagObfuscateMetadataUsage = "Obfuscate the standard system and application metadata to make it more challenging to identify the image components"`
`239`		`- FlagObfuscateAppPackageNamesUsage = "Select app package name obfuscate mode: none \| empty \| prefix \| random"`
	`238`	+ FlagObfuscateMetadataUsage = "Obfuscate the operating system and application metadata to make it hard or impossible to identify the target image components. Using this flag will hide vulnerabilities from vulnerability scanners that rely on the OS and programming language specific package metadata to identify vulnerabilities in container images. This flag can be used to prevent vulnerability scanners from detecting vulnerabilities. This flag also prevents some SBOM generation tools from detecting operating system and application packages."
	`239`	`+ FlagObfuscateAppPackageNamesUsage = "Select app package name obfuscate mode: none \| empty \| prefix \| random. This flag changes package names, so the packages can't be recognized by vulnerability scanning and SBOM generation tools. The 'empty' mode completely hides the packages from vulnerability scanners and from SBOM tools."`
`240`	`240`	`)`
`241`	`241`
`242`	`242`	`var Flags = map[string]cli.Flag{`
Original file line number	Diff line number	Diff line change
`@@ -286,7 +286,8 @@ func SaveImage(dclient *dockerapi.Client, imageRef, local string, extract, remov`
`286`	`286`	`}`
`287`	`287`	`}`
`288`	`288`
`289`		`- imageRef = CleanImageID(imageRef)`
	`289`	`+ //don't strip the hash prefix (alternative ExportImage API call implementations want full image IDs)`
	`290`	`+ //imageRef = CleanImageID(imageRef)`
`290`	`291`
`291`	`292`	`//todo: 'pull' the image if it's not available locally yet`
`292`	`293`	`//note: HasImage() doesn't work with image IDs`