cleanup

Signed-off-by: Kyle Quest <[email protected]>

Author: kcq

README.md

@@ -273,19 +273,17 @@ If you don't specify any command `mint` will start in the interactive prompt mod
 
 ### COMMANDS
 
+- `slim` - Create a minimal container image for your selected image generating the supported security profiles. This is the most popular command. (aka `build`)
 - `debug` - Debug minimal or regular container images running in Docker, Podman, Kubernetes and ContainerD.
 - `xray` - Performs static analysis for the target container image (including 'reverse engineering' the Dockerfile for the image). Use this command if you want to know what's inside of your container image and what makes it fat.
 - `lint` - Analyzes container instructions in Dockerfiles (Docker image support is WIP)
-- `build` - Analyzes, profiles and optimizes your container image generating the supported security profiles. This is the most popular command.
 - `registry` - Execute registry operations (`pull`, `push`, `copy`, `server`).
 - `profile` - Performs basic container image analysis and dynamic container analysis, but it doesn't generate an optimized image.
 - `run` - Runs one or more containers (for now runs a single container similar to `docker run`)
 - `merge` - Merge two container images (optimized to merge minified images).
 - `images` - Get information about container images (example: `mint --quiet images`).
 - `vulnerability` - Execute vulnerability related tools and operations (`epss`).
-- `version` - Shows the version information.
-- `appbom` - Shows the application BOM (app composition/dependencies).
-- `update` - Updates Mint to the latest version.
+- `app` - Execute app management, maintenance, debugging and query operations (`bom`, `version`, `remove-sensor-volumes`, `update`, `install` operations).
 - `help` - Show the available commands and global flags
 
 Example: `mint build my/sample-app`
@@ -300,18 +298,16 @@ If you run `mint` without any parameters you'll get an interactive prompt that w
 
 Commands:
 
+- `slim` - Create a minimal container image for your selected image generating the supported security profiles. (aka `build`)
 - `debug` - Debug minimal or regular container images running in Docker, Podman, Kubernetes and ContainerD.
 - `xray` - Show what's in the container image and reverse engineer its Dockerfile
 - `lint` - Lint the target Dockerfile (or image, in the future)
-- `build` - Analyze the target container image along with its application and build an optimized image from it
 - `registry` - Execute registry operations (`pull`, `push`, `copy`, `server`).
 - `profile` - Collect fat image information and generate a fat container report
 - `merge` - Merge two container images (optimized to merge minified images)
 - `images` - Get information about container images.
 - `vulnerability` - Execute vulnerability related tools and operations (`epss`).
-- `appbom` - Shows the application BOM (app composition/dependencies)
-- `version` - Show app and docker version information
-- `update` - Update the app
+- `app` - Execute app management, maintenance, debugging and query operations (`bom`, `version`, `remove-sensor-volumes`, `update`, `install` operations).
 - `help` - Show help info
 
 Global options:
@@ -357,6 +353,7 @@ To disable the version checks set the global `--check-version` flag to `false` (
 
 ### `XRAY` COMMAND OPTIONS
 
+- `--runtime` - Runtime environment type (values: `docker`, `podman` and a special meta runtime `auto`, which auto-selects the runtime based on the installed runtime; defaults to `auto`)
 - `--target` - Target container image (name or ID)
 - `--pull` - Try pulling target if it's not available locally (default: false).
 - `--docker-config-path` - Set the docker config path used to fetch registry credentials (used with the `--pull` flag).

pkg/app/master/command/app/cli.go

@@ -11,7 +11,7 @@ import (
 
 const (
 	Name  = "app"
-	Usage = "Execute app management, maintanance, debugging and query operations"
+	Usage = "Execute app management, maintenance, debugging and query operations"
 	Alias = "a"
 
 	BomCmdName      = "bom"

pkg/app/master/command/build/cli.go

@@ -16,7 +16,7 @@ import (
 
 const (
 	Name   = "slim"
-	Usage  = "Creates a slim version of your container image auto-generating Seccomp and AppArmor security profiles"
+	Usage  = "Shrinks your container image auto-generating Seccomp and AppArmor security profiles"
 	AliasA = "build"
 	AliasB = "b"
 )

pkg/app/master/inspectors/image/image_inspector.go

@@ -56,7 +56,7 @@ func NewInspector(apiClient crt.InspectorAPIClient, imageRef string /*, artifact
 // NoImage returns true if the target image doesn't exist
 func (i *Inspector) NoImage() (bool, error) {
 	//first, do a simple exact match lookup
-	ii, err := i.APIClient.HasImage(i.ImageRef) // := dockerutil.HasImage(i.APIClient, i.ImageRef)
+	ii, err := i.APIClient.HasImage(i.ImageRef)
 	if err == nil {
 		log.Tracef("image.inspector.NoImage: ImageRef=%v ImageIdentity=%#v", i.ImageRef, ii)
 		return false, nil
@@ -73,15 +73,17 @@ func (i *Inspector) NoImage() (bool, error) {
 	//this will return/save the first available tag
 	if err == crt.ErrNotFound &&
 		!strings.Contains(i.ImageRef, ":") {
+		log.Debugf("image.inspector.NoImage: no default 'latest' tag / i.ImageRef='%s'", i.ImageRef)
 		//check if there are any tags for the target image
-		matches, err := i.APIClient.ListImages(i.ImageRef) // dockerutil.ListImages(i.APIClient, i.ImageRef)
+		matches, err := i.APIClient.ListImages(i.ImageRef)
 		if err != nil {
 			log.Errorf("image.inspector.NoImage: err=%v", err)
 			return true, err
 		}
 
+		log.Debugf("image.inspector.NoImage: matching image tag count - %d / i.ImageRef='%s'", len(matches), i.ImageRef)
 		for ref, props := range matches {
-			log.Debugf("image.inspector.NoImage: match.ref=%s match.props=%#v", ref, props)
+			log.Debugf("image.inspector.NoImage: match.ref='%s' match.props=%#v", ref, props)
 			i.ImageRef = ref
 			return false, nil
 		}
@@ -122,10 +124,6 @@ func (i *Inspector) Pull(showPullLog bool, dockerConfigPath, registryAccount, re
 		//warn, attempt pull anyway, needs to work for public registries
 	}
 
-	//if authConfig == nil {
-	//	authConfig = &docker.AuthConfiguration{}
-	//}
-
 	err = i.APIClient.PullImage(input, authConfig)
 	if err != nil {
 		log.Debugf("image.inspector.Pull: client.PullImage err=%v", err)
@@ -141,120 +139,13 @@ func (i *Inspector) Pull(showPullLog bool, dockerConfigPath, registryAccount, re
 	return nil
 }
 
-/*
-func getRegistryCredential(registryAccount, registrySecret, dockerConfigPath, registry string) (cred *docker.AuthConfiguration, err error) {
-	if registryAccount != "" && registrySecret != "" {
-		cred = &docker.AuthConfiguration{
-			Username: registryAccount,
-			Password: registrySecret,
-		}
-		return
-	}
-
-	missingAuthConfigErr := fmt.Errorf("could not find an auth config for registry - %s", registry)
-	if dockerConfigPath != "" {
-		dAuthConfigs, err := docker.NewAuthConfigurationsFromFile(dockerConfigPath)
-		if err != nil {
-			log.Warnf(
-				"image.inspector.Pull: getDockerCredential - failed to acquire local docker config path=%s err=%s",
-				dockerConfigPath,
-				err.Error(),
-			)
-			return nil, err
-		}
-		r, found := dAuthConfigs.Configs[registry]
-		if !found {
-			return nil, missingAuthConfigErr
-		}
-		cred = &r
-		return cred, nil
-	}
-
-	cred, err = docker.NewAuthConfigurationsFromCredsHelpers(registry)
-	if err != nil {
-		log.Warnf(
-			"image.inspector.Pull: failed to acquire local docker credential helpers for %s err=%s",
-			registry,
-			err.Error(),
-		)
-		return nil, err
-	}
-
-	// could not find a credentials' helper, check auth configs
-	if cred == nil {
-		dConfigs, err := docker.NewAuthConfigurationsFromDockerCfg()
-		if err != nil {
-			log.Debugf("image.inspector.Pull: getDockerCredential err extracting docker auth configs - %s", err.Error())
-			return nil, err
-		}
-		r, found := dConfigs.Configs[registry]
-		if !found {
-			return nil, missingAuthConfigErr
-		}
-		cred = &r
-	}
-
-	log.Debugf("loaded registry auth config %+v", cred)
-	return cred, nil
-}
-*/
-
-/*
-func extractRegistry(repo string) string {
-	var scheme string
-	if strings.Contains(repo, https) {
-		scheme = https
-		repo = strings.TrimPrefix(repo, https)
-	}
-	if strings.Contains(repo, http) {
-		scheme = http
-		repo = strings.TrimPrefix(repo, http)
-	}
-	registry := strings.Split(repo, "/")[0]
-
-	domain := `((?:[a-z\d](?:[a-z\d-]{0,63}[a-z\d])?|\*)\.)+[a-z\d][a-z\d-]{0,63}[a-z\d]`
-	ipv6 := `^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$`
-	ipv4 := `^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})`
-	ipv4Port := `([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\:?([0-9]{1,5})?`
-	ipv6Port := `(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))`
-
-	if registry == "localhost" || strings.Contains(registry, "localhost:") {
-		return scheme + registry
-	}
-
-	validDomain := regexp.MustCompile(domain)
-	validIpv4 := regexp.MustCompile(ipv4)
-	validIpv6 := regexp.MustCompile(ipv6)
-	validIpv4WithPort := regexp.MustCompile(ipv4Port)
-	validIpv6WithPort := regexp.MustCompile(ipv6Port)
-
-	if validIpv6WithPort.MatchString(registry) {
-		return scheme + registry
-	}
-	if validIpv4WithPort.MatchString(registry) {
-		return scheme + registry
-	}
-	if validIpv6.MatchString(registry) {
-		return scheme + registry
-	}
-	if validIpv4.MatchString(registry) {
-		return scheme + registry
-	}
-
-	if !validDomain.MatchString(registry) {
-		return https + "index.docker.io"
-	}
-	return scheme + registry
-}
-*/
-
 // Inspect starts the target image inspection
 func (i *Inspector) Inspect() error {
 	var err error
 	i.ImageInfo, err = i.APIClient.InspectImage(i.ImageRef)
 	if err != nil {
 		if err == crt.ErrNotFound { // docker.ErrNoSuchImage {
-			log.Info("could not find target image")
+			log.Infof("could not find target image - i.ImageRef='%s'", i.ImageRef)
 		}
 		return err
 	}
@@ -269,15 +160,16 @@ func (i *Inspector) Inspect() error {
 	log.Tracef("image.Inspector.Inspect: imageList.size=%v", len(imageList))
 	for _, r := range imageList {
 		log.Tracef("image.Inspector.Inspect: target=%v record=%#v", i.ImageInfo.ID, r)
-		if r.ID == i.ImageInfo.ID {
+		if strings.Contains(i.ImageInfo.ID, r.ID) {
 			i.ImageRecordInfo = r
 			break
 		}
 	}
 
 	if i.ImageRecordInfo.ID == "" {
-		log.Info("could not find target image in the image list")
-		return crt.ErrNotFound //docker.ErrNoSuchImage
+		log.Infof("could not find target image in the image list - i.ImageRef='%s' / i.ImageInfo.ID='%s'",
+			i.ImageRef, i.ImageInfo.ID)
+		return crt.ErrNotFound
 	}
 
 	return nil

pkg/app/master/version/version.go

@@ -41,7 +41,7 @@ func PrintCheckVersion(
 	printPrefix string,
 	info *CheckVersionInfo) {
 	if info != nil && info.Status == "success" && info.Outdated {
-		msg := "Your version of SlimToolkit is out of date! Use `slim update` to get the latest version."
+		msg := "Your version of MinToolkit is out of date! Use `mint update` to get the latest version."
 		if xc == nil {
 			fmt.Printf("%s info=version status=OUTDATED local=%s current=%s\n", printPrefix, v.Tag(), info.Current)
 			fmt.Printf("%s info=message message='%s'\n", printPrefix, msg)
@@ -154,7 +154,7 @@ func Print(xc *app.ExecutionContext, cmdNameParam string, logger *log.Entry, cli
 
 // Check checks the app version
 func Check(inContainer, isDSImage bool) *CheckVersionInfo {
-	logger := log.WithFields(log.Fields{"app": "slim"})
+	logger := log.WithFields(log.Fields{"app": "mint"})
 
 	client := http.Client{
 		Timeout: 13 * time.Second,

pkg/crt/clients.go

@@ -6,12 +6,11 @@ import (
 	"regexp"
 	"strings"
 	"time"
-	//log "github.com/sirupsen/logrus"
 )
 
 var (
-	ErrBadParam = errors.New("bad parameter")
-	ErrNotFound = errors.New("not found")
+	ErrBadParam = errors.New("crt - bad parameter")
+	ErrNotFound = errors.New("crt - not found")
 )
 
 type ImageIdentity struct {

pkg/crt/docker/dockercrtclient/dockercrtclient.go

@@ -2,7 +2,6 @@ package dockercrtclient
 
 import (
 	"fmt"
-	"strings"
 
 	docker "github.com/fsouza/go-dockerclient"
 	log "github.com/sirupsen/logrus"
@@ -50,7 +49,7 @@ func (ref *Instance) ListImagesAll() ([]crt.BasicImageInfo, error) {
 	var imageList []crt.BasicImageInfo
 	for _, r := range pimages {
 		imageList = append(imageList, crt.BasicImageInfo{
-			ID:          strings.TrimPrefix(r.ID, "sha256:"),
+			ID:          r.ID,
 			Size:        r.Size,
 			Created:     r.Created,
 			VirtualSize: r.VirtualSize,

pkg/crt/docker/dockerutil/dockerutil.go

@@ -190,13 +190,13 @@ func ListImages(dclient *dockerapi.Client, imageNameFilter string) (map[string]B
 	for _, imageInfo := range imageList {
 		for _, repo := range imageInfo.RepoTags {
 			info := BasicImageProps{
-				ID:      strings.TrimPrefix(imageInfo.ID, "sha256:"),
+				ID:      imageInfo.ID,
 				Size:    imageInfo.Size,
 				Created: imageInfo.Created,
 			}
 
 			if repo == "<none>:<none>" {
-				repo = strings.TrimPrefix(imageInfo.ID, "sha256:")
+				repo = imageInfo.ID
 				images[repo] = info
 				break
 			}

pkg/crt/podman/podmancrtclient/podmancrtclient.go

@@ -55,7 +55,7 @@ func (ref *Instance) ListImagesAll() ([]crt.BasicImageInfo, error) {
 	var imageList []crt.BasicImageInfo
 	for _, r := range pimages {
 		imageList = append(imageList, crt.BasicImageInfo{
-			ID:          strings.TrimPrefix(r.ID, "sha256:"),
+			ID:          r.ID,
 			Size:        r.Size,
 			Created:     r.Created,
 			VirtualSize: r.VirtualSize,

pkg/crt/podman/podmanutil/podmanutil.go

@@ -210,13 +210,13 @@ func ListImages(client context.Context, imageNameFilter string) (map[string]Basi
 	for _, imageInfo := range imageList {
 		for _, repo := range imageInfo.RepoTags {
 			info := BasicImageProps{
-				ID:      strings.TrimPrefix(imageInfo.ID, "sha256:"),
+				ID:      imageInfo.ID,
 				Size:    imageInfo.Size,
 				Created: imageInfo.Created,
 			}
 
 			if repo == "<none>:<none>" {
-				repo = strings.TrimPrefix(imageInfo.ID, "sha256:")
+				repo = imageInfo.ID
 				images[repo] = info
 				break
 			}