Merge pull request #175 from snyk/fix/unique-tmp-files

fix: pull images to uniquely-named files

Author: ivanstanev

src/images/index.ts

@@ -3,39 +3,56 @@ import { pull as dockerPull } from './docker';
 import { pull as skopeoCopy, getDestinationForImage } from './skopeo';
 import { unlink } from 'fs';
 import { isStaticAnalysisEnabled } from '../common/features';
+import { IPullableImage } from './types';
 
-export { getDestinationForImage };
-
-export async function pullImages(images: string[]): Promise<string[]> {
-  const pulledImages: string[] = [];
+export async function pullImages(images: IPullableImage[]): Promise<IPullableImage[]> {
+  const pulledImages: IPullableImage[] = [];
 
   for (const image of images) {
+    const {imageName, fileSystemPath} = image;
     try {
       if (isStaticAnalysisEnabled()) {
-        await skopeoCopy(image);
+        if (!fileSystemPath) {
+          throw new Error('Missing required parameter fileSystemPath for static analysis');
+        }
+        await skopeoCopy(imageName, fileSystemPath);
       } else {
-        await dockerPull(image);
+        await dockerPull(imageName);
       }
       pulledImages.push(image);
     } catch (error) {
-      logger.error({error, image}, 'failed to pull image');
+      logger.error({error, image: imageName}, 'failed to pull image');
     }
   }
 
   return pulledImages;
 }
 
-export async function removePulledImages(images: string[]) {
+/**
+ * TODO: For Docker (dynamic scanning) it returns the image but with an empty file system path
+ * (because Docker does not pull images to a temporary directory). This will no longer be true
+ * when static analysis becomes the only option, but worth nothing it here to avoid confusion!
+ * @param images a list of images for which to generate a file system path
+ */
+export function getImagesWithFileSystemPath(images: string[]): IPullableImage[] {
+  return isStaticAnalysisEnabled()
+    ? images.map((image) => ({ imageName: image, fileSystemPath: getDestinationForImage(image) }))
+    : images.map((image) => ({ imageName: image }));
+}
+
+export async function removePulledImages(images: IPullableImage[]) {
   if (!isStaticAnalysisEnabled()) {
     return;
   }
 
-  for (const image of images) {
+  for (const {imageName, fileSystemPath} of images) {
     try {
-      const destination = getDestinationForImage(image);
-      await new Promise((resolve) => unlink(destination, resolve));
+      if (!fileSystemPath) {
+        throw new Error('Missing required parameter fileSystemPath for static analysis');
+      }
+      await new Promise((resolve) => unlink(fileSystemPath, resolve));
     } catch (error) {
-      logger.warn({error, image}, 'failed to delete pulled image');
+      logger.warn({error, image: imageName}, 'failed to delete pulled image');
     }
   }
 }

src/images/skopeo.ts

@@ -3,9 +3,18 @@ import { SpawnPromiseResult } from 'child-process-promise';
 import { exec } from '../cli/process';
 import config = require('../common/config');
 
+function getUniqueIdentifier(): string {
+  const [seconds, nanoseconds] = process.hrtime();
+  return `${seconds}_${nanoseconds}`;
+}
+
 export function getDestinationForImage(image: string): string {
   const normalisedImageName = image.replace(/\W/g, '_');
-  return `${config.IMAGE_STORAGE_ROOT}/${normalisedImageName}.tar`;
+  // If two workloads contain the same image and if the snyk-monitor attempts to pull the two images at the same time,
+  // this can result in a problem where both actions try to work with the same file resulting in a nasty crash.
+  // This is why we try to make the name of the temporary file unique for every workload analysis.
+  const uniqueIdentifier = getUniqueIdentifier();
+  return `${config.IMAGE_STORAGE_ROOT}/${normalisedImageName}_${uniqueIdentifier}.tar`;
 }
 
 function prefixRespository(target: string, type: SkopeoRepositoryType) {
@@ -21,12 +30,10 @@ function prefixRespository(target: string, type: SkopeoRepositoryType) {
 
 export function pull(
   image: string,
+  destination: string,
 ): Promise<SpawnPromiseResult> {
-  const source = image;
-  const destination = getDestinationForImage(image);
-
   return exec('skopeo', 'copy',
-    prefixRespository(source, SkopeoRepositoryType.ImageRegistry),
+    prefixRespository(image, SkopeoRepositoryType.ImageRegistry),
     prefixRespository(destination, SkopeoRepositoryType.DockerArchive),
   );
 }

src/images/types.ts

@@ -0,0 +1,4 @@
+export interface IPullableImage {
+  imageName: string;
+  fileSystemPath?: string;
+}

src/kube-scanner/image-scanner.ts

@@ -1,8 +1,8 @@
 import * as plugin from 'snyk-docker-plugin';
 import logger = require('../common/logger');
-import { getDestinationForImage } from '../images';
 import { IStaticAnalysisOptions, StaticAnalysisImageType } from './types';
 import { isStaticAnalysisEnabled } from '../common/features';
+import { IPullableImage } from '../images/types';
 
 export interface IScanResult {
   image: string;
@@ -23,44 +23,50 @@ function getImageTag(imageWithTag: string): string {
   return '';
 }
 
-function constructStaticAnalysisOptions(image: string): { staticAnalysisOptions: IStaticAnalysisOptions } {
+function constructStaticAnalysisOptions(
+  fileSystemPath: string | undefined,
+): { staticAnalysisOptions: IStaticAnalysisOptions } {
+  if (!fileSystemPath) {
+    throw new Error('Missing path for image for static analysis');
+  }
+
   return {
     staticAnalysisOptions: {
-      imagePath: getDestinationForImage(image),
+      imagePath: fileSystemPath,
       imageType: StaticAnalysisImageType.DockerArchive,
     },
   };
 }
 
-export async function scanImages(images: string[]): Promise<IScanResult[]> {
+export async function scanImages(images: IPullableImage[]): Promise<IScanResult[]> {
   const scannedImages: IScanResult[] = [];
 
   const dockerfile = undefined;
 
-  for (const image of images) {
+  for (const {imageName, fileSystemPath} of images) {
     try {
       const options = isStaticAnalysisEnabled()
-        ? constructStaticAnalysisOptions(image)
+        ? constructStaticAnalysisOptions(fileSystemPath)
         : undefined;
 
-      const result = await plugin.inspect(image, dockerfile, options);
+      const result = await plugin.inspect(imageName, dockerfile, options);
 
       if (!result || !result.package || !result.package.dependencies) {
         throw Error('Unexpected empty result from docker-plugin');
       }
 
       result.imageMetadata = {
-        image: removeTagFromImage(image),
-        imageTag: getImageTag(image),
+        image: removeTagFromImage(imageName),
+        imageTag: getImageTag(imageName),
       };
 
       scannedImages.push({
-        image: removeTagFromImage(image),
-        imageWithTag: image,
+        image: removeTagFromImage(imageName),
+        imageWithTag: imageName,
         pluginResult: result,
       });
     } catch (error) {
-      logger.warn({error, image}, 'failed to scan image');
+      logger.warn({error, image: imageName}, 'failed to scan image');
     }
   }
 

src/kube-scanner/index.ts

@@ -1,16 +1,10 @@
-/***
- * consider using https://www.npmjs.com/package/kubernetes-client
- * currently it's better to not use this lib since version 9.0 is about to be
- * released and merged with oficial @kubernetes/client-node.
- * IMPORTANT:
- * see: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.14/#-strong-api-overview-strong-
- */
 import logger = require('../common/logger');
-import { pullImages, removePulledImages } from '../images';
+import { pullImages, removePulledImages, getImagesWithFileSystemPath } from '../images';
 import { scanImages, IScanResult } from './image-scanner';
 import { deleteHomebaseWorkload, sendDepGraph } from '../transmitter';
 import { constructHomebaseDeleteWorkloadPayload, constructHomebaseDepGraphPayloads } from '../transmitter/payload';
 import { IDepGraphPayload, IWorkload, ILocalWorkloadLocator } from '../transmitter/types';
+import { IPullableImage } from '../images/types';
 
 export = class WorkloadWorker {
   private readonly name: string;
@@ -26,7 +20,8 @@ export = class WorkloadWorker {
     const uniqueImages = [...new Set<string>(allImages)];
 
     logger.info({workloadName, imageCount: uniqueImages.length}, 'pulling unique images');
-    const pulledImages = await pullImages(uniqueImages);
+    const imagesWithFileSystemPath = getImagesWithFileSystemPath(uniqueImages);
+    const pulledImages = await pullImages(imagesWithFileSystemPath);
     if (pulledImages.length === 0) {
       logger.info({workloadName}, 'no images were pulled, halting scanner process.');
       return;
@@ -48,7 +43,7 @@ export = class WorkloadWorker {
 
   private async scanImagesAndSendResults(
     workloadName: string,
-    pulledImages: string[],
+    pulledImages: IPullableImage[],
     workloadMetadata: IWorkload[],
   ): Promise<void> {
     const scannedImages: IScanResult[] = await scanImages(pulledImages);
@@ -63,8 +58,10 @@ export = class WorkloadWorker {
     const depGraphPayloads: IDepGraphPayload[] = constructHomebaseDepGraphPayloads(scannedImages, workloadMetadata);
     await sendDepGraph(...depGraphPayloads);
 
+    const pulledImagesNames = pulledImages.map((image) => image.imageName);
     const pulledImageMetadata = workloadMetadata.filter((meta) =>
-      pulledImages.includes(meta.imageName));
+      pulledImagesNames.includes(meta.imageName),
+    );
 
     logger.info({workloadName, imageCount: pulledImageMetadata.length}, 'processed images');
   }

test/unit/images.test.ts

@@ -0,0 +1,71 @@
+import * as tap from 'tap';
+import { getImagesWithFileSystemPath, pullImages } from '../../src/images';
+const config = require('../../src/common/config');
+
+tap.test('getImagesWithFileSystemPath()', async (t) => {
+  const noImages: string[] = [];
+  const noImagesResult = getImagesWithFileSystemPath(noImages);
+  t.same(noImagesResult, [], 'correctly maps an empty array');
+
+  // Cache the last value of STATIC_ANALYSIS, we return it back to normal once the test completes
+  const lastStaticAnalysisValue = config.STATIC_ANALYSIS;
+
+  // First try without static analysis set
+  config.STATIC_ANALYSIS = false;
+  const imageWithoutStaticAnalysis = ['redis:latest'];
+  const imageWithoutStaticAnalysisResult = getImagesWithFileSystemPath(imageWithoutStaticAnalysis);
+  t.same(
+    imageWithoutStaticAnalysisResult,
+    [{ imageName: 'redis:latest' }],
+    'correctly returns an image without a file system path',
+  );
+
+  // Next try with static analysis set
+  config.STATIC_ANALYSIS = true;
+  const imageWithStaticAnalysis = ['nginx:latest'];
+  const imageWithStaticAnalysisResult = getImagesWithFileSystemPath(imageWithStaticAnalysis);
+  t.same(imageWithStaticAnalysisResult.length, 1, 'expected 1 item');
+
+  const resultWithExpectedPath = imageWithStaticAnalysisResult[0];
+  t.same(
+    resultWithExpectedPath.imageName,
+    'nginx:latest',
+    'correctly returns an image without a file system path',
+  );
+  const fileSystemPath = resultWithExpectedPath.fileSystemPath!;
+  t.ok(fileSystemPath, 'file system path exists on the result');
+  t.ok(fileSystemPath.endsWith('.tar'), 'file system path ends in .tar');
+
+  const expectedPattern = fileSystemPath.indexOf(`${config.IMAGE_STORAGE_ROOT}/nginx_latest_`) !== -1;
+  t.ok(expectedPattern, 'the file system path starts with an expected pattern');
+
+  // Finally ensure that two consecutive calls do not return the same file system path
+  config.STATIC_ANALYSIS = true;
+  const someImage = ['centos:latest'];
+  const firstCallResult = getImagesWithFileSystemPath(someImage)[0];
+  const secondCallResult = getImagesWithFileSystemPath(someImage)[0];
+  t.ok(
+    firstCallResult.fileSystemPath !== secondCallResult.fileSystemPath,
+    'consecutive calls to the function with the same data return different file system paths',
+  );
+
+  // Restore the old value
+  config.STATIC_ANALYSIS = lastStaticAnalysisValue;
+});
+
+tap.test('pullImages() skips on missing file system path in static analysis', async (t) => {
+  // Cache the last value of STATIC_ANALYSIS, we return it back to normal once the test completes
+  const lastStaticAnalysisValue = config.STATIC_ANALYSIS;
+
+  config.STATIC_ANALYSIS = true;
+  const badStaticAnalysisImage = [
+    {
+      imageName: 'nginx:latest',
+    },
+  ];
+  const result = await pullImages(badStaticAnalysisImage);
+  t.same(result, [], 'expect to skip images on static analysis set but missing file system path');
+
+  // Restore the old value
+  config.STATIC_ANALYSIS = lastStaticAnalysisValue;
+});