fix: enhance how we identify ECR images

Shesekino · Shesekino · commit e54b745a76f3 · 2020-01-19T14:42:14.000+02:00
instead of just checking for ".ecr.", adding a more complicated regular expression testing all the constant parts, as documented by AWS: https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html
diff --git a/src/scanner/images/credentials.ts b/src/scanner/images/credentials.ts
@@ -11,8 +11,10 @@ export async function getSourceCredentials(imageSource: string): Promise<string
 }
 
 export function isEcrSource(imageSource: string): boolean {
-  // TODO is this the best way we can determine the image's source?
-  return imageSource.indexOf('.ecr.') !== -1;
+  // this regex tests the image source against the template:
+  // <SOMETHING>.dkr.ecr.<SOMETHING>.amazonaws.com/<SOMETHING>
+  const ecrImageRegex = new RegExp('\.dkr\.ecr\..*\.amazonaws\.com\/', 'i');
+  return ecrImageRegex.test(imageSource);
 }
 
 function getEcrCredentials(region: string): Promise<string> {
diff --git a/test/unit/scanner/image-registry-credentials.test.ts b/test/unit/scanner/image-registry-credentials.test.ts
@@ -22,8 +22,14 @@ tap.test('isEcrSource()', async (t) => {
   t.equals(sourceCredentialsForRandomImageName, false, 'unidentified image source is not ECR');
 
   const sourceCredentialsForInvalidEcrImage = credentials.isEcrSource('derka.ecr.derka');
-  t.equals(sourceCredentialsForInvalidEcrImage, true, 'image with .ecr. is considered ECR');
+  t.equals(sourceCredentialsForInvalidEcrImage, false, 'image just with .ecr. is not considered from ECR');
 
   const sourceCredentialsForEcrImage = credentials.isEcrSource('aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app:latest');
-  t.equals(sourceCredentialsForEcrImage, true, 'image with .ecr. is considered ECR');
+  t.equals(sourceCredentialsForEcrImage, true, 'correct ECR template');
+
+  const sourceCredentialsForEcrImageWithRepo = credentials.isEcrSource('a291964488713.dkr.ecr.us-east-2.amazonaws.com/snyk/debian:10');
+  t.equals(sourceCredentialsForEcrImageWithRepo, true, 'correct ECR template');
+
+  const sourceCredentialsForEcrImageMixedCase = credentials.isEcrSource('aws_account_id.dKr.ecR.region.amazonAWS.cOm/my-web-app:latest');
+  t.equals(sourceCredentialsForEcrImageMixedCase, true, 'correct ECR template');
 });

Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,10 @@ export async function getSourceCredentials(imageSource: string): Promise<string`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`export function isEcrSource(imageSource: string): boolean {`
`14`		`- // TODO is this the best way we can determine the image's source?`
`15`		`- return imageSource.indexOf('.ecr.') !== -1;`
	`14`	`+ // this regex tests the image source against the template:`
	`15`	`+ // <SOMETHING>.dkr.ecr.<SOMETHING>.amazonaws.com/<SOMETHING>`
	`16`	`+ const ecrImageRegex = new RegExp('\.dkr\.ecr\..*\.amazonaws\.com\/', 'i');`
	`17`	`+ return ecrImageRegex.test(imageSource);`
`16`	`18`	`}`
`17`	`19`
`18`	`20`	`function getEcrCredentials(region: string): Promise<string> {`