fix: buildImageMetadata when containers miss from the spec

Shesekino · Shesekino · commit 79689b0fbd31 · 2019-12-04T18:35:10.000+02:00
this commit gives up supporting sidecar containers injected dynamically by collecting metadata for images only if they appear in both the spec and the status
diff --git a/src/kube-scanner/metadata-extractor.ts b/src/kube-scanner/metadata-extractor.ts
@@ -26,7 +26,12 @@ export function buildImageMetadata(
     containerNameToStatus[containerStatus.name] = containerStatus;
   }
 
-  const images = containerStatuses.map(({ name: containerName }) => ({
+  const images: IWorkload[] = [];
+  for (const containerStatus of containerStatuses) {
+    if (!(containerStatus.name in containerNameToSpec)) {
+      continue
+    }
+    images.push({
       type: kind,
       name: name || 'unknown',
       namespace,
@@ -35,14 +40,15 @@ export function buildImageMetadata(
       uid,
       specLabels: specMeta.labels || {},
       specAnnotations: specMeta.annotations || {},
-      containerName,
-      imageName: containerNameToSpec[containerName].image,
-      imageId: containerNameToStatus[containerName].imageID,
+      containerName: containerStatus.name,
+      imageName: containerNameToSpec[containerStatus.name].image,
+      imageId: containerNameToStatus[containerStatus.name].imageID,
       cluster: currentClusterName,
       revision,
       podSpec,
-    } as IWorkload),
-  );
+    } as IWorkload);
+  }
+
   return images;
 }
 
diff --git a/test/unit/metadata-extractor.test.ts b/test/unit/metadata-extractor.test.ts
@@ -72,8 +72,26 @@ tap.test('buildImageMetadata', async (t) => {
     podSpec: deploymentObject.spec!.template.spec!,
   }
 
-  t.throws(() => metadataExtractor.buildImageMetadata(
+  const imageMetadataResult = metadataExtractor.buildImageMetadata(
     deploymentWeirdWrapper,
     podObject.status!.containerStatuses!,
-  ), 'buildImageMetadata can\'t handle discrepancies between spec and status');
+  );
+
+  t.ok(Array.isArray(imageMetadataResult), 'returns an array');
+  t.equals(
+    imageMetadataResult.length,
+    1,
+    'the size of the container status array that also appears in the spec',
+  );
+  t.equals(imageMetadataResult[0].type, 'Deployment', 'with the workload type of the parent');
+  t.equals(
+    imageMetadataResult[0].imageId,
+    'docker-pullable://eu.gcr.io/cookie/hello-world@sha256:1ac413b2756364b7b856c64d557fdedb97a4ba44ca16fc656e08881650848fe2',
+    'the image ID of the first container'
+  );
+  t.equals(
+    imageMetadataResult[0].imageName,
+    'eu.gcr.io/cookie/hello-world:1.20191125.132107-4664980',
+    'the image name of the first container'
+  );
 });
