fix: remove backup option to pull oci archive

Skopeo is capable of pulling an OCI image and it doesn't need a backup to pull an OCI archive. If the Docker archive pulling fails for some reason, the OCI archive pulling won't be able to succeed either. This backup option was introduced by mistake thinking that skopeo cannot handle certain images as Docker archives. The underlying problem was that the image itself was not OCI compliant and couldn't be pulled, so OCI archive pulling wouldn't have helped.

Author: ivanstanev

package-lock.json

@@ -47,7 +47,7 @@
     "needle": "^3.0.0",
     "sleep-promise": "^9.1.0",
     "snyk-config": "5.0.0",
-    "snyk-docker-plugin": "^4.33.2",
+    "snyk-docker-plugin": "^4.34.2",
     "source-map-support": "^0.5.21",
     "tunnel": "0.0.6",
     "typescript": "^4.5.2",

package.json

@@ -4,7 +4,7 @@ import { DepGraph, legacy } from '@snyk/dep-graph';
 
 import { logger } from '../../common/logger';
 import { pull as skopeoCopy, getDestinationForImage } from './skopeo';
-import { IPullableImage, IScanImage, SkopeoRepositoryType } from './types';
+import { IPullableImage, IScanImage } from './types';
 import { IScanResult } from '../types';
 import {
   buildDockerPropertiesOnDepTree,
@@ -22,23 +22,11 @@ async function pullImageBySkopeoRepo(
 ): Promise<IPullableImage> {
   // Scan image by digest if exists, other way fallback tag
   const scanId = imageToPull.imageWithDigest ?? imageToPull.imageName;
-  imageToPull.skopeoRepoType = SkopeoRepositoryType.DockerArchive;
-  try {
-    // copy docker archive image
-    await skopeoCopy(
-      scanId,
-      imageToPull.fileSystemPath,
-      imageToPull.skopeoRepoType,
-    );
-  } catch (dockerError) {
-    imageToPull.skopeoRepoType = SkopeoRepositoryType.OciArchive;
-    // copy oci archive image
-    await skopeoCopy(
-      scanId,
-      imageToPull.fileSystemPath,
-      imageToPull.skopeoRepoType,
-    );
-  }
+  await skopeoCopy(
+    scanId,
+    imageToPull.fileSystemPath,
+    imageToPull.skopeoRepoType,
+  );
   return imageToPull;
 }
 
@@ -120,22 +108,13 @@ export async function scanImages(
 ): Promise<IScanResult[]> {
   const scannedImages: IScanResult[] = [];
 
-  for (const {
-    imageName,
-    fileSystemPath,
-    imageWithDigest,
-    skopeoRepoType,
-  } of images) {
+  for (const { imageName, fileSystemPath, imageWithDigest } of images) {
     try {
       const shouldIncludeAppVulns = true;
-      const archiveType =
-        skopeoRepoType == SkopeoRepositoryType.DockerArchive
-          ? 'docker-archive'
-          : 'oci-archive';
-      const dockerArchivePath = `${archiveType}:${fileSystemPath}`;
+      const archivePath = `docker-archive:${fileSystemPath}`;
 
       const pluginResponse = await scan({
-        path: dockerArchivePath,
+        path: archivePath,
         imageNameAndTag: imageName,
         'app-vulns': shouldIncludeAppVulns,
       });

src/scanner/images/index.ts

@@ -26,7 +26,6 @@ function prefixRespository(target: string, type: SkopeoRepositoryType): string {
     case SkopeoRepositoryType.ImageRegistry:
       return `${type}://${target}`;
     case SkopeoRepositoryType.DockerArchive:
-    case SkopeoRepositoryType.OciArchive:
       return `${type}:${target}`;
     default:
       throw new Error(`Unhandled Skopeo repository type ${type}`);

src/scanner/images/skopeo.ts

@@ -16,7 +16,5 @@ export interface IPullableImage {
  */
 export enum SkopeoRepositoryType {
   DockerArchive = 'docker-archive',
-  OciArchive = 'oci',
   ImageRegistry = 'docker',
-  Directory = 'dir', // Note, skopeo marks this as a non-standard format
 }

src/scanner/images/types.ts

@@ -17,7 +17,11 @@ import {
   ILocalWorkloadLocator,
   Telemetry,
 } from '../transmitter/types';
-import { IPullableImage, IScanImage } from './images/types';
+import {
+  IPullableImage,
+  IScanImage,
+  SkopeoRepositoryType,
+} from './images/types';
 import {
   getWorkloadAlreadyScanned,
   getWorkloadImageAlreadyScanned,
@@ -29,7 +33,7 @@ export async function processWorkload(
 ): Promise<void> {
   // every workload metadata references the same workload name, grab it from the first one
   const workloadName = workloadMetadata[0].name;
-  const uniqueImages: IScanImage[] = getUniqueImages(workloadMetadata);
+  const uniqueImages = getUniqueImages(workloadMetadata);
 
   logger.info(
     { workloadName, imageCount: uniqueImages.length },
@@ -74,42 +78,37 @@ export async function sendDeleteWorkloadRequest(
 }
 
 export function getUniqueImages(workloadMetadata: IWorkload[]): IScanImage[] {
-  const uniqueImages: { [key: string]: IScanImage } = workloadMetadata.reduce(
-    (accum, meta) => {
-      logger.info(
-        {
-          workloadName: workloadMetadata[0].name,
-          name: meta.imageName,
-          id: meta.imageId,
-        },
-        'image metadata',
-      );
-      // example: For DCR "redis:latest"
-      // example: For GCR "gcr.io/test-dummy/redis:latest"
-      // example: For ECR "291964488713.dkr.ecr.us-east-2.amazonaws.com/snyk/redis:latest"
-      // meta.imageName can be different depends on CR
-      const { imageName } = getImageParts(meta.imageName);
-      // meta.imageId can be different depends on CR
-      // example: For DCR "docker.io/library/redis@sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6"
-      // example: For GCR "sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6"
-      // example: For ECR "sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6"
-      let digest: string | undefined = undefined;
-      if (
-        meta.imageId.lastIndexOf('@') > -1 ||
-        meta.imageId.startsWith('sha')
-      ) {
-        digest = meta.imageId.substring(meta.imageId.lastIndexOf('@') + 1);
-      }
-
-      accum[meta.imageName] = {
-        imageWithDigest: digest && `${imageName}@${digest}`,
-        imageName: meta.imageName, // Image name with tag
-      };
-
-      return accum;
-    },
-    {},
-  );
+  const uniqueImages = workloadMetadata.reduce((accum, meta) => {
+    logger.info(
+      {
+        workloadName: workloadMetadata[0].name,
+        name: meta.imageName,
+        id: meta.imageId,
+      },
+      'image metadata',
+    );
+    // example: For DCR "redis:latest"
+    // example: For GCR "gcr.io/test-dummy/redis:latest"
+    // example: For ECR "291964488713.dkr.ecr.us-east-2.amazonaws.com/snyk/redis:latest"
+    // meta.imageName can be different depends on CR
+    const { imageName } = getImageParts(meta.imageName);
+    // meta.imageId can be different depends on CR
+    // example: For DCR "docker.io/library/redis@sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6"
+    // example: For GCR "sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6"
+    // example: For ECR "sha256:8e9f8546050da8aae393a41d65ad37166b4f0d8131d627a520c0f0451742e9d6"
+    let digest: string | undefined = undefined;
+    if (meta.imageId.lastIndexOf('@') > -1 || meta.imageId.startsWith('sha')) {
+      digest = meta.imageId.substring(meta.imageId.lastIndexOf('@') + 1);
+    }
+
+    accum[meta.imageName] = {
+      imageWithDigest: digest && `${imageName}@${digest}`,
+      imageName: meta.imageName, // Image name with tag
+      skopeoRepoType: SkopeoRepositoryType.DockerArchive,
+    };
+
+    return accum;
+  }, {} as Record<string, IScanImage>);
 
   return Object.values(uniqueImages);
 }

src/scanner/index.ts

@@ -270,7 +270,10 @@ test('Kubernetes-Monitor with KinD', async (jestDoneCallback) => {
                 { type: 'imageOsReleasePrettyName', data: expect.any(String) },
               ]),
               target: { image: 'docker-image|docker.io/library/java' },
-              identity: { type: 'deb', args: { platform: 'linux/amd64' } },
+              identity: {
+                type: 'deb',
+                args: { platform: 'linux/amd64' },
+              },
             },
             {
               facts: [