Merge pull request #298 from snyk/fix/ecr-image-determination

Amir Moualem · web-flow · commit 1af651f78a2b · 2020-01-19T15:50:30.000+02:00
Fix/ecr image determination
diff --git a/src/scanner/images/credentials.ts b/src/scanner/images/credentials.ts
@@ -3,14 +3,20 @@ import * as aws from 'aws-sdk';
 import logger = require('../../common/logger');
 
 export async function getSourceCredentials(imageSource: string): Promise<string | undefined> {
-  // TODO is this the best way we can determine the image's source?
-  if (imageSource.indexOf('.ecr.') !== -1) {
+  if (isEcrSource(imageSource)) {
     const ecrRegion = ecrRegionFromFullImageName(imageSource);
     return getEcrCredentials(ecrRegion);
   }
   return undefined;
 }
 
+export function isEcrSource(imageSource: string): boolean {
+  // this regex tests the image source against the template:
+  // <SOMETHING>.dkr.ecr.<SOMETHING>.amazonaws.com/<SOMETHING>
+  const ecrImageRegex = new RegExp('\.dkr\.ecr\..*\.amazonaws\.com\/', 'i');
+  return ecrImageRegex.test(imageSource);
+}
+
 function getEcrCredentials(region: string): Promise<string> {
   return new Promise(async (resolve, reject) => {
     const ecr = new aws.ECR({region});
diff --git a/test/unit/scanner/image-registry-credentials.test.ts b/test/unit/scanner/image-registry-credentials.test.ts
@@ -16,3 +16,20 @@ tap.test('ecrRegionFromFullImageName()', async (t) => {
   t.throws(() => {credentials.ecrRegionFromFullImageName('aws_account_id.dkr.ecr.amazonaws.com/my-web-app:latest');}, 'throws on badly formatted images');
   t.throws(() => {credentials.ecrRegionFromFullImageName('aws_account_id.dkr.ecr.region.amazonaws.com');}, 'throws on badly formatted images');
 });
+
+tap.test('isEcrSource()', async (t) => {
+  const sourceCredentialsForRandomImageName = credentials.isEcrSource('derka');
+  t.equals(sourceCredentialsForRandomImageName, false, 'unidentified image source is not ECR');
+
+  const sourceCredentialsForInvalidEcrImage = credentials.isEcrSource('derka.ecr.derka');
+  t.equals(sourceCredentialsForInvalidEcrImage, false, 'image just with .ecr. is not considered from ECR');
+
+  const sourceCredentialsForEcrImage = credentials.isEcrSource('aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app:latest');
+  t.equals(sourceCredentialsForEcrImage, true, 'correct ECR template');
+
+  const sourceCredentialsForEcrImageWithRepo = credentials.isEcrSource('a291964488713.dkr.ecr.us-east-2.amazonaws.com/snyk/debian:10');
+  t.equals(sourceCredentialsForEcrImageWithRepo, true, 'correct ECR template');
+
+  const sourceCredentialsForEcrImageMixedCase = credentials.isEcrSource('aws_account_id.dKr.ecR.region.amazonAWS.cOm/my-web-app:latest');
+  t.equals(sourceCredentialsForEcrImageMixedCase, true, 'correct ECR template');
+});
