fix: fallback to tag if digest missing

Author: dkontorovskyy

src/scanner/images/index.ts

@@ -10,13 +10,15 @@ export async function pullImages(images: IPullableImage[]): Promise<IPullableIma
   const pulledImages: IPullableImage[] = [];
 
   for (const image of images) {
-    const {imageWithDigest, fileSystemPath} = image;
+    const { imageName, imageWithDigest, fileSystemPath } = image;
     if (!fileSystemPath) {
       continue;
     }
 
     try {
-      await skopeoCopy(imageWithDigest, fileSystemPath);
+      // Scan image by digest if exists, other way fallback tag
+      const scanId = imageWithDigest ?? imageName;
+      await skopeoCopy(scanId, fileSystemPath);
       pulledImages.push(image);
     } catch (error) {
       logger.error({error, image: imageWithDigest}, 'failed to pull image');
@@ -93,11 +95,12 @@ export async function scanImages(images: IPullableImage[]): Promise<IScanResult[
       }
 
       const imageParts = getImageParts(imageName);
+      const imageDigest = imageWithDigest && getImageParts(imageWithDigest).imageDigest;
 
       result.imageMetadata = {
         image: imageParts.imageName,
         imageTag: imageParts.imageTag,
-        imageDigest: getImageParts(imageWithDigest).imageDigest,
+        imageDigest,
       };
 
       scannedImages.push({

src/scanner/images/types.ts

@@ -1,11 +1,11 @@
 export interface IScanImage {
   imageName: string;
-  imageWithDigest: string;
+  imageWithDigest?: string;
 }
 
 export interface IPullableImage {
   imageName: string;
-  imageWithDigest: string;
+  imageWithDigest?: string;
   fileSystemPath: string;
 }
 

src/scanner/index.ts

@@ -8,7 +8,7 @@ import { IPullableImage, IScanImage } from './images/types';
 export async function processWorkload(workloadMetadata: IWorkload[]): Promise<void> {
   // every workload metadata references the same workload name, grab it from the first one
   const workloadName = workloadMetadata[0].name;
-  const uniqueImages = getUniqueImages(workloadMetadata);
+  const uniqueImages: IScanImage[] = getUniqueImages(workloadMetadata);
 
   logger.info({ workloadName, imageCount: uniqueImages.length }, 'pulling unique images');
   const imagesWithFileSystemPath = getImagesWithFileSystemPath(uniqueImages);
@@ -35,6 +35,11 @@ export async function sendDeleteWorkloadRequest(workloadName: string, localWorkl
 
 export function getUniqueImages(workloadMetadata: IWorkload[]): IScanImage[] {
   const uniqueImages: { [key: string]: IScanImage } = workloadMetadata.reduce((accum, meta) => {
+    logger.info({
+      workloadName: workloadMetadata[0].name,
+      name: meta.imageName,
+      id: meta.imageId
+    }, 'image metadata');
     // example: For DCR "redis:latest"
     // example: For GCR "gcr.io/test-dummy/redis:latest"
     // example: For ECR "291964488713.dkr.ecr.us-east-2.amazonaws.com/snyk/redis:latest"
@@ -44,11 +49,13 @@ export function getUniqueImages(workloadMetadata: IWorkload[]): IScanImage[] {
     // example: For DCR "docker.io/library/redis@sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6"
     // example: For GCR "sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6"
     // example: For ECR "sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6"
-    const digest = meta.imageId.substring(meta.imageId.lastIndexOf('@') + 1);
-    const imageWithDigest = `${imageName}@${digest}`;
+    let digest: string | undefined = undefined;
+    if (meta.imageId.lastIndexOf('@') > -1 || meta.imageId.startsWith('sha')) {
+      digest = meta.imageId.substring(meta.imageId.lastIndexOf('@') + 1);
+    }
 
-    accum[imageWithDigest] = {
-      imageWithDigest,
+    accum[meta.imageName] = {
+      imageWithDigest: digest && `${imageName}@${digest}`,
       imageName: meta.imageName, // Image name with tag
     };
 

src/scanner/types.ts

@@ -1,6 +1,6 @@
 export interface IScanResult {
   image: string;
-  imageWithDigest: string;
+  imageWithDigest?: string;
   imageWithTag: string;
   pluginResult: any;
 }

src/transmitter/types.ts

@@ -25,7 +25,7 @@ export interface IWorkloadMetadata {
 
 export interface IImageLocator extends IWorkloadLocator {
   imageId: string;
-  imageWithDigest: string;
+  imageWithDigest?: string;
 }
 
 export interface IKubernetesMonitorMetadata {

test/unit/scanner/index.test.ts

@@ -15,15 +15,15 @@ tap.test('getUniqueImages()', async (t) => {
             imageName: 'redis:latest',
             imageId: 'docker.io/library/redis@sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6'
         },
-        // 3. Duplicate without tag
+        // 3. With SHA instead of tag
         {
-            imageName: 'redis',
+            imageName: 'redis@sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6',
             imageId: 'docker.io/library/redis@sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6'
         },
-        // 4. Duplicate with SHA instead of tag
+        // 4. With SHA missing in imageId
         {
-            imageName: 'redis@sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6',
-            imageId: 'docker.io/library/redis@sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6'
+            imageName: 'redis:prod',
+            imageId: 'docker.io/library/redis:eaa6f054e4a140bc3a1696cc7b1e84529e7e9567',
         },
         // 5. GCR
         {
@@ -35,21 +35,42 @@ tap.test('getUniqueImages()', async (t) => {
             imageName: '291964488713.dkr.ecr.us-east-2.amazonaws.com/snyk/redis:latest',
             imageId: 'sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6'
         },
+        // 7. With docker-pullable as protocol in imageId
+        {
+            imageName: 'redis:some-tag',
+            imageId: 'docker-pullable://name@sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6',
+        },
+        // 8. With docker as protocol in imageId
+        {
+            imageName: 'redis:another-tag',
+            imageId: 'docker://name@sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6'
+        }
     ];
 
     const result = scanner.getUniqueImages(workload as any);
 
-    t.strictEqual(result.length, 3, 'removed duplicate image');
-    result.map((metaData) => {
-        t.ok(metaData.imageWithDigest.includes('redis'), 'has name in imageWithDigest');
-        t.ok(metaData.imageWithDigest.includes('sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6'), 'has digest');
+    t.strictEqual(result.length, 7, 'removed duplicate image');
+    const resultWithDigest = result.filter(({imageWithDigest}) => imageWithDigest);
+    const resultWithoutDigest = result.filter(({imageWithDigest}) => !imageWithDigest);
+
+    t.strictEqual(resultWithDigest.length, 6, 'correct amount with digest');
+    t.strictEqual(resultWithoutDigest.length, 1, 'correct amount without digest');
+
+    resultWithDigest.map((metaData) => {
+        t.ok(metaData.imageWithDigest!.includes('redis'), 'has name in imageWithDigest');
+        t.ok(metaData.imageWithDigest!.includes('sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6'), 'has digest');
 
-        if (metaData.imageWithDigest.includes('gcr')) {
-            t.ok(metaData.imageWithDigest.includes('/'), 'contains / in GCR imageWithDigest');
+        if (metaData.imageWithDigest!.includes('gcr')) {
+            t.ok(metaData.imageWithDigest!.includes('/'), 'contains / in GCR imageWithDigest');
         }
 
-        if (metaData.imageWithDigest.includes('ecr')) {
-            t.ok(metaData.imageWithDigest.includes('/'), 'contains / in ECR imageWithDigest');
+        if (metaData.imageWithDigest!.includes('ecr')) {
+            t.ok(metaData.imageWithDigest!.includes('/'), 'contains / in ECR imageWithDigest');
         }
     });
+
+    resultWithoutDigest.map((metadata) => {
+        t.ok(metadata.imageName.includes('redis'));
+        t.notOk(metadata.imageWithDigest);
+    });
 });