Merge pull request #396 from snyk/feat/distroless

feat: docker-plugin with Distroless scanning support

Author: Amir Moualem

package-lock.json

@@ -39,7 +39,7 @@
     "needle": "^2.4.0",
     "sleep-promise": "^8.0.1",
     "snyk-config": "3.0.0",
-    "snyk-docker-plugin": "2.2.4",
+    "snyk-docker-plugin": "2.6.1",
     "source-map-support": "^0.5.16",
     "typescript": "^3.8.3",
     "ws": "^7.2.1",

package.json

@@ -5,7 +5,7 @@ import logger = require('../../common/logger');
 import { pull as skopeoCopy, getDestinationForImage } from './skopeo';
 import config = require('../../common/config');
 import { IPullableImage } from './types';
-import { IStaticAnalysisOptions, StaticAnalysisImageType, IScanResult } from '../types';
+import { IStaticAnalysisOptions, StaticAnalysisImageType, IScanResult, IPluginOptions } from '../types';
 
 export async function pullImages(images: IPullableImage[]): Promise<IPullableImage[]> {
   const pulledImages: IPullableImage[] = [];
@@ -59,13 +59,11 @@ export function getImageTag(imageWithTag: string): string {
 // Exported for testing
 export function constructStaticAnalysisOptions(
   fileSystemPath: string,
-): { staticAnalysisOptions: IStaticAnalysisOptions } {
+): IStaticAnalysisOptions {
   return {
-    staticAnalysisOptions: {
-      imagePath: fileSystemPath,
-      imageType: StaticAnalysisImageType.DockerArchive,
-      tmpDirPath: config.IMAGE_STORAGE_ROOT,
-    },
+    imagePath: fileSystemPath,
+    imageType: StaticAnalysisImageType.DockerArchive,
+    tmpDirPath: config.IMAGE_STORAGE_ROOT,
   };
 }
 
@@ -76,7 +74,11 @@ export async function scanImages(images: IPullableImage[]): Promise<IScanResult[
 
   for (const {imageName, fileSystemPath} of images) {
     try {
-      const options = constructStaticAnalysisOptions(fileSystemPath);
+      const staticAnalysisOptions = constructStaticAnalysisOptions(fileSystemPath);
+      const options: IPluginOptions = {
+        staticAnalysisOptions,
+        experimental: true,
+      };
 
       const result = await plugin.inspect(imageName, dockerfile, options);
 

src/scanner/images/index.ts

@@ -8,6 +8,11 @@ export enum StaticAnalysisImageType {
   DockerArchive = 'docker-archive',
 }
 
+export interface IPluginOptions {
+  staticAnalysisOptions: IStaticAnalysisOptions;
+  experimental: boolean;
+}
+
 export interface IStaticAnalysisOptions {
   imagePath: string;
   imageType: StaticAnalysisImageType;

src/scanner/types.ts

@@ -106,7 +106,7 @@ tap.test('snyk-monitor sends data to kubernetes-upstream', async (t) => {
   t.ok('busybox' in depGraphScratchImage.dependencyGraphResults, 'busybox was scanned');
   const busyboxPluginResult = JSON.parse(depGraphScratchImage.dependencyGraphResults.busybox);
   t.same(busyboxPluginResult.package.packageFormatVersion, 'linux:0.0.1', 'the version of the package format');
-  t.same(busyboxPluginResult.package.targetOS, {name: 'unknown', version: '0.0'}, 'busybox operating system unknown');
+  t.same(busyboxPluginResult.package.targetOS, {name: 'unknown', version: '0.0', prettyName: ""}, 'busybox operating system unknown');
   t.same(busyboxPluginResult.plugin.packageManager, 'linux', 'linux is the default package manager for scratch containers');
 });
 

test/integration/kubernetes.test.ts

@@ -49,11 +49,9 @@ tap.test('constructStaticAnalysisOptions() tests', async (t) => {
   const somePath = '/var/tmp/file.tar';
   const options = scannerImages.constructStaticAnalysisOptions(somePath);
   const expectedResult = {
-    staticAnalysisOptions: {
-      imagePath: somePath,
-      imageType: 'docker-archive',
-      tmpDirPath: '/var/tmp',
-    },
+    imagePath: somePath,
+    imageType: 'docker-archive',
+    tmpDirPath: '/var/tmp',
   };
 
   t.deepEqual(options, expectedResult, 'returned options match expectations');