fix: upgrade docker-plugin to handle breaking change

This is a major version bump but the new plugin response is shimmed back to its old format to preserve backwards compatibility.
This is done in preparation for switching to using the new plugin response completely.

Author: ivanstanev

package-lock.json

@@ -28,6 +28,7 @@
   "private": true,
   "dependencies": {
     "@kubernetes/client-node": "^0.12.2",
+    "@snyk/dep-graph": "1.21.0",
     "@types/async": "^3.2.3",
     "@types/child-process-promise": "^2.2.1",
     "@types/lru-cache": "^5.1.0",
@@ -43,7 +44,7 @@
     "needle": "^2.5.0",
     "sleep-promise": "^8.0.1",
     "snyk-config": "4.0.0",
-    "snyk-docker-plugin": "2.8.0",
+    "snyk-docker-plugin": "4.12.0",
     "source-map-support": "^0.5.16",
     "tunnel": "0.0.6",
     "typescript": "^3.8.3",

package.json

@@ -0,0 +1,210 @@
+import * as depGraphLib from '@snyk/dep-graph';
+import { ManifestFile, PluginResponse, ScanResult } from 'snyk-docker-plugin';
+
+export interface PluginMetadata {
+  name: 'snyk-docker-plugin';
+  runtime: string | undefined;
+  packageManager: string;
+  dockerImageId: string;
+  imageLayers: string[];
+}
+
+/** @deprecated */
+export interface LegacyPluginResponse {
+  plugin: PluginMetadata;
+  package: DependencyTree;
+  manifestFiles: ManifestFile[];
+  hashes: string[];
+
+  /**
+   * WARNING! This field was added by kubernetes-monitor.
+   * It is not part of the normal plugin response. */
+  imageMetadata: {
+    image: string;
+    imageTag: string;
+    imageDigest?: string;
+  };
+}
+
+interface ExtractedFacts {
+  depGraph: depGraphLib.DepGraph;
+  manifestFiles?: ManifestFile[];
+  hashes?: string[];
+  imageLayers?: string[];
+  rootFs?: string[];
+  imageId?: string;
+  imageOsReleasePrettyName?: string;
+  platform?: string;
+}
+
+/** @deprecated */
+export interface DependencyTree {
+  name: string;
+  type: string;
+  targetOS?: {
+    name: string;
+    prettyName: string;
+    version: string;
+  };
+  targetFile?: string;
+  testedFiles?: string[];
+  dependencies: any;
+  version: string | undefined;
+  dockerImageId?: string;
+  docker?: {
+    dockerImageId?: string;
+    imageLayers?: string[];
+    rootFs?: string[];
+    imageName?: string;
+    hashes?: string[];
+  };
+  rootFs?: string[];
+  meta?: Meta;
+}
+
+/**
+ * Meta is an object that eventually gets passed to project.monitor.meta in Registry
+ * and gets persisted in the database. It is currently passed unmodified straight
+ * to the database.
+ *
+ * The project.monitor.meta table is an HSTORE (key-value strings) so we must ensure
+ * that we pass exactly this type of data to avoid mistakes.
+ */
+export interface Meta extends Partial<Record<string, string>> {
+  platform?: string;
+}
+
+export function extractFactsFromDockerPluginResponse(
+  pluginResponse: PluginResponse,
+): ExtractedFacts {
+  const depGraph: depGraphLib.DepGraph = pluginResponse.scanResults[0].facts.find(
+    (fact) => fact.type === 'depGraph',
+  )?.data;
+
+  const manifestFiles:
+    | ManifestFile[]
+    | undefined = pluginResponse.scanResults[0].facts.find(
+    (fact) => fact.type === 'imageManifestFiles',
+  )?.data;
+
+  const hashes: string[] | undefined = pluginResponse.scanResults[0].facts.find(
+    (fact) => fact.type === 'keyBinariesHashes',
+  )?.data;
+
+  const imageLayers:
+    | string[]
+    | undefined = pluginResponse.scanResults[0].facts.find(
+    (fact) => fact.type === 'imageLayers',
+  )?.data;
+
+  const rootFs: string[] | undefined = pluginResponse.scanResults[0].facts.find(
+    (fact) => fact.type === 'rootFs',
+  )?.data;
+
+  const imageId: string | undefined = pluginResponse.scanResults[0].facts.find(
+    (fact) => fact.type === 'imageId',
+  )?.data;
+
+  const imageOsReleasePrettyName:
+    | string
+    | undefined = pluginResponse.scanResults[0].facts.find(
+    (fact) => fact.type === 'imageOsReleasePrettyName',
+  )?.data;
+
+  const platform = pluginResponse.scanResults[0].identity.args?.platform;
+
+  return {
+    depGraph,
+    manifestFiles,
+    hashes,
+    imageLayers,
+    rootFs,
+    imageId,
+    imageOsReleasePrettyName,
+    platform,
+  };
+}
+
+export function buildDockerPropertiesOnDepTree(
+  depTree: depGraphLib.legacy.DepTree,
+  dockerPluginFacts: ExtractedFacts,
+  image: string,
+): DependencyTree {
+  const {
+    hashes,
+    imageLayers,
+    rootFs,
+    imageId,
+    imageOsReleasePrettyName,
+    platform,
+  } = dockerPluginFacts;
+
+  const mutatedDepTree = depTree as DependencyTree;
+  mutatedDepTree.docker = {
+    hashes,
+    imageLayers,
+    rootFs,
+    dockerImageId: imageId,
+    imageName: image,
+  };
+
+  mutatedDepTree.dockerImageId = imageId || '';
+  if (mutatedDepTree.targetOS) {
+    mutatedDepTree.targetOS.prettyName = imageOsReleasePrettyName || '';
+  }
+
+  if (!mutatedDepTree.meta) {
+    mutatedDepTree.meta = {};
+  }
+  mutatedDepTree.meta.platform = platform;
+
+  return mutatedDepTree;
+}
+
+/**
+ * Produces a DependencyTree (DepsDiscoveryResult) for every ScanResult
+ * that contains a dependency graph. ScanResults with other data are ignored
+ * because the data cannot be resolved to a DepTree.
+ */
+export async function getApplicationDependencyTrees(
+  applicationScanResults: ScanResult[],
+): Promise<DependencyTree[]> {
+  const dependencyTrees: DependencyTree[] = [];
+
+  for (const scanResult of applicationScanResults) {
+    const appDepGraph: depGraphLib.DepGraph | undefined = scanResult.facts.find(
+      (fact) => fact.type === 'depGraph',
+    )?.data;
+
+    // Skip this ScanResult if we could not read a dependency graph.
+    // Some ScanResults like Java will not contain a graph but instead a list of hashes.
+    // These are not supported by the current API.
+    if (appDepGraph === undefined) {
+      continue;
+    }
+
+    const appDepTree = await depGraphLib.legacy.graphToDepTree(
+      appDepGraph,
+      appDepGraph.pkgManager.name,
+    );
+
+    if (!appDepTree.name || !appDepTree.type) {
+      continue;
+    }
+
+    const testedFiles: string[] | undefined = scanResult.facts.find(
+      (fact) => fact.type === 'testedFiles',
+    )?.data;
+
+    dependencyTrees.push({
+      name: appDepTree.name,
+      version: appDepTree.version,
+      type: appDepTree.type,
+      dependencies: appDepTree.dependencies,
+      targetFile: scanResult.identity.targetFile,
+      testedFiles,
+    });
+  }
+
+  return dependencyTrees;
+}

src/scanner/images/docker-plugin-shim.ts

@@ -1,10 +1,17 @@
 import { unlink } from 'fs';
-import * as plugin from 'snyk-docker-plugin';
+import { PluginResponse, scan } from 'snyk-docker-plugin';
+import { DepGraph, legacy } from '@snyk/dep-graph';
 
 import logger = require('../../common/logger');
 import { pull as skopeoCopy, getDestinationForImage } from './skopeo';
 import { IPullableImage, IScanImage } from './types';
-import { IStaticAnalysisOptions, StaticAnalysisImageType, IScanResult, IPluginOptions } from '../types';
+import { IScanResult } from '../types';
+import {
+  buildDockerPropertiesOnDepTree,
+  DependencyTree,
+  extractFactsFromDockerPluginResponse,
+  LegacyPluginResponse,
+} from './docker-plugin-shim';
 
 export async function pullImages(images: IPullableImage[]): Promise<IPullableImage[]> {
   const pulledImages: IPullableImage[] = [];
@@ -65,43 +72,34 @@ export function getImageParts(imageWithTag: string) : {imageName: string, imageT
   };
 }
 
-// Exported for testing
-export function constructStaticAnalysisOptions(
-  fileSystemPath: string,
-): IStaticAnalysisOptions {
-  return {
-    imagePath: fileSystemPath,
-    imageType: StaticAnalysisImageType.DockerArchive,
-  };
-}
-
 export async function scanImages(images: IPullableImage[]): Promise<IScanResult[]> {
   const scannedImages: IScanResult[] = [];
 
-  const dockerfile = undefined;
-
   for (const { imageName, fileSystemPath, imageWithDigest } of images) {
     try {
-      const staticAnalysisOptions = constructStaticAnalysisOptions(fileSystemPath);
-      const options: IPluginOptions = {
-        staticAnalysisOptions,
-        experimental: true,
-      };
+      const shouldIncludeAppVulns = false;
+      const dockerArchivePath = `docker-archive:${fileSystemPath}`;
 
-      const result = await plugin.inspect(imageName, dockerfile, options);
+      const pluginResponse = await scan({
+        path: dockerArchivePath,
+        imageNameAndTag: imageName,
+        'app-vulns': shouldIncludeAppVulns,
+      });
 
-      if (!result || !result.package || !result.package.dependencies) {
+      if (
+        !pluginResponse ||
+        !Array.isArray(pluginResponse.scanResults) ||
+        pluginResponse.scanResults.length === 0
+      ) {
         throw Error('Unexpected empty result from docker-plugin');
       }
 
+      const depTree = await getDependencyTreeFromPluginResponse(pluginResponse, imageName);
+
       const imageParts = getImageParts(imageName);
       const imageDigest = imageWithDigest && getImageParts(imageWithDigest).imageDigest;
 
-      result.imageMetadata = {
-        image: imageParts.imageName,
-        imageTag: imageParts.imageTag,
-        imageDigest,
-      };
+      const result: LegacyPluginResponse = getLegacyPluginResponse(depTree, imageParts, imageDigest);
 
       scannedImages.push({
         image: imageParts.imageName,
@@ -116,3 +114,61 @@ export async function scanImages(images: IPullableImage[]): Promise<IScanResult[
 
   return scannedImages;
 }
+
+function getLegacyPluginResponse(
+  depTree: DependencyTree,
+  imageParts: { imageName: string; imageTag: string; imageDigest: string },
+  imageDigest: string | undefined,
+): LegacyPluginResponse {
+  return {
+    package: depTree,
+    manifestFiles: [],
+    plugin: {
+      name: 'snyk-docker-plugin',
+      imageLayers: depTree.docker?.imageLayers || [],
+      dockerImageId:
+        depTree.dockerImageId || depTree.docker?.dockerImageId || '',
+      packageManager: depTree.type,
+      runtime: undefined,
+    },
+    imageMetadata: {
+      image: imageParts.imageName,
+      imageTag: imageParts.imageTag,
+      imageDigest,
+    },
+    hashes: depTree.docker?.hashes || [],
+  };
+}
+
+/**
+ * Converts from the new plugin format back to the old DependencyTree format.
+ * May throw if the expected data is missing.
+ */
+async function getDependencyTreeFromPluginResponse(
+  pluginResponse: PluginResponse,
+  imageName: string,
+): Promise<DependencyTree> {
+  const osDepGraph:
+    | DepGraph
+    | undefined = pluginResponse.scanResults[0].facts.find(
+    (fact) => fact.type === 'depGraph',
+  )?.data;
+
+  if (!osDepGraph) {
+    throw new Error('Missing dependency graph');
+  }
+
+  const depTree = await legacy.graphToDepTree(
+    osDepGraph,
+    osDepGraph.pkgManager.name,
+  );
+  const osScanResultFacts = extractFactsFromDockerPluginResponse(
+    pluginResponse,
+  );
+  const dockerDepTree = buildDockerPropertiesOnDepTree(
+    depTree,
+    osScanResultFacts,
+    imageName,
+  );
+  return dockerDepTree;
+}

src/scanner/images/index.ts

@@ -1,20 +1,8 @@
+import { LegacyPluginResponse } from './images/docker-plugin-shim';
+
 export interface IScanResult {
   image: string;
   imageWithDigest?: string;
   imageWithTag: string;
-  pluginResult: any;
-}
-
-export enum StaticAnalysisImageType {
-  DockerArchive = 'docker-archive',
-}
-
-export interface IPluginOptions {
-  staticAnalysisOptions: IStaticAnalysisOptions;
-  experimental: boolean;
-}
-
-export interface IStaticAnalysisOptions {
-  imagePath: string;
-  imageType: StaticAnalysisImageType;
+  pluginResult: LegacyPluginResponse;
 }