fix: improve image parts regex according to spec

Author: shaimendel

src/scanner/images/index.ts

@@ -42,32 +42,27 @@ export async function removePulledImages(images: IPullableImage[]): Promise<void
 
 // Exported for testing
 export function getImageParts(imageWithTag: string) : {imageName: string, imageTag: string} {
-  // we're matching pattern: <registry:port_number>(optional)/<image_name>(mandatory)@<tag_identifier>(optional):<image_tag>(optional)
-  const regex = /((?:.*(:\d{4})?\/)?(?:[a-z0-9-]+))([@|:].+)?/ig;
+  // we're matching pattern: <registry:port_number>(optional)/<image_name>(mandatory):<image_tag>(optional)@<tag_identifier>(optional)
+  // extracted from https://github.com/docker/distribution/blob/master/reference/regexp.go
+  const regex = /^((?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?\/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:\/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\w][\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][A-Fa-f0-9]{32,}))?$/ig;
   const groups  = regex.exec(imageWithTag);
 
   if(!groups){
     logger.error({image: imageWithTag}, 'Image with tag is malformed, cannot extract valid parts');
     return {imageName: imageWithTag, imageTag: ''};
   }
 
+  const IMAGE_NAME_GROUP = 1;
+  const IMAGE_TAG_GROUP = 2;
+  const IMAGE_DIGEST_GROUP = 3;
+
   return {
-    imageName: groups[1],
-    imageTag: validateAndExtractImageTag(groups[3])
+    imageName: groups[IMAGE_NAME_GROUP],
+    // prefer tag over digest
+    imageTag: groups[IMAGE_TAG_GROUP] || groups[IMAGE_DIGEST_GROUP] || '',
   };
 }
 
-function validateAndExtractImageTag(imageTagGroup: string | undefined): string {
-  if(imageTagGroup === undefined){
-    return '';
-  }
-
-  const imageTagParts: string[]= imageTagGroup.split(':');
-
-  //valid formats: image@sha256:hash or image:tag
-  return imageTagParts.length === 2 ? imageTagParts[1] : '';
-}
-
 // Exported for testing
 export function constructStaticAnalysisOptions(
   fileSystemPath: string,

test/unit/scanner/images.test.ts

@@ -59,9 +59,9 @@ tap.test('constructStaticAnalysisOptions() tests', async (t) => {
 tap.test('extracted image tag tests', async (t) => {
   t.plan(6);
 
-  const imageWithSha = 'nginx@sha256:1234567890abcdef';
+  const imageWithSha = 'nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2';
   const imageWithShaResult = scannerImages.getImageParts(imageWithSha);
-  t.same(imageWithShaResult.imageTag, '1234567890abcdef', 'image sha is returned');
+  t.same(imageWithShaResult.imageTag, 'sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2', 'image sha is returned');
 
   const imageWithTag = 'nginx:latest';
   const imageWithTagResult = scannerImages.getImageParts(imageWithTag);
@@ -88,9 +88,9 @@ tap.test('extracted image name tests', async (t) => {
   t.plan(5);
 
   t.same(scannerImages.getImageParts('nginx:latest').imageName, 'nginx', 'removed image:tag');
-  t.same(scannerImages.getImageParts('nginx:@sha256:1234567890abcdef').imageName, 'nginx', 'removed malformed image:@sha:hex');
   t.same(scannerImages.getImageParts('node@sha256:215a9fbef4df2c1ceb7c79481d3cfd94ad8f1f0105bade39f3be907bf386c5e1').imageName, 'node', 'removed image@sha:hex');
   t.same(scannerImages.getImageParts('kind-registry:5000/python:rc-buster').imageName, 'kind-registry:5000/python', 'removed repository/image:tag');
   // Verify support on image names that contain dashes
   t.same(scannerImages.getImageParts('kind-registry:5000/python-27:rc-buster').imageName, 'kind-registry:5000/python-27', 'removed repository/image:tag');
+  t.same(scannerImages.getImageParts('kind-registry:5000/test/python-27:rc-buster').imageName, 'kind-registry:5000/test/python-27', 'removed repository/image:tag');
 });