search/cve: exclude unsupported images from fixed-tag list.
If the vulnerability scanner does not support an image's media type, that image is now treated as infected, so it is no longer shown in the fixed-images list. Fixes issue #130
@@ -7,7 +7,6 @@ import (
|
||||
"path"
|
||||
"strings"
|
||||
|
||||
"github.com/anuvu/zot/errors"
|
||||
"github.com/anuvu/zot/pkg/log"
|
||||
|
||||
cveinfo "github.com/anuvu/zot/pkg/extensions/search/cve"
|
||||
@@ -59,12 +58,6 @@ func (r *queryResolver) CVEListForImage(ctx context.Context, image string) (*CVE
|
||||
if !isValidImage {
|
||||
r.cveInfo.Log.Debug().Msg("Image media type not supported for scanning")
|
||||
|
||||
return &CVEResultForImage{}, errors.ErrScanNotSupported
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
r.cveInfo.Log.Error().Err(err).Msg("Error scanning image repository")
|
||||
|
||||
return &CVEResultForImage{}, err
|
||||
}
|
||||
|
||||
@@ -157,25 +150,6 @@ func (r *queryResolver) ImageListForCve(ctx context.Context, id string) ([]*ImgR
|
||||
for _, repo := range repoList {
|
||||
r.cveInfo.Log.Info().Str("Extracting list of tags available in image", repo).Msg("")
|
||||
|
||||
isValidImage, err := r.cveInfo.IsValidImageFormat(path.Join(r.dir, repo))
|
||||
if !isValidImage {
|
||||
r.cveInfo.Log.Debug().Str("Image media type not supported for scanning", repo)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
r.cveInfo.Log.Error().Err(err).Str("Error reading image media type", repo)
|
||||
|
||||
return cveResult, err
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
r.cveInfo.Log.Error().Err(err).Str("Error reading image media type", repo)
|
||||
|
||||
return cveResult, err
|
||||
}
|
||||
|
||||
tagList, err := r.imgStore.GetImageTags(repo)
|
||||
if err != nil {
|
||||
r.cveInfo.Log.Error().Err(err).Msg("Not able to get list of Image Tag")
|
||||
@@ -188,6 +162,13 @@ func (r *queryResolver) ImageListForCve(ctx context.Context, id string) ([]*ImgR
|
||||
for _, tag := range tagList {
|
||||
r.cveInfo.CveTrivyConfig.TrivyConfig.Input = path.Join(r.dir, repo+":"+tag)
|
||||
|
||||
isValidImage, _ := r.cveInfo.IsValidImageFormat(r.cveInfo.CveTrivyConfig.TrivyConfig.Input)
|
||||
if !isValidImage {
|
||||
r.cveInfo.Log.Debug().Str("Image media type not supported for scanning", repo)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
r.cveInfo.Log.Info().Str("Scanning Image", path.Join(r.dir, repo+":"+tag)).Msg("")
|
||||
|
||||
results, err := cveinfo.ScanImage(r.cveInfo.CveTrivyConfig)
|
||||
@@ -224,20 +205,9 @@ func (r *queryResolver) ImageListWithCVEFixed(ctx context.Context, id string, im
|
||||
|
||||
r.cveInfo.Log.Info().Str("Extracting list of tags available in image", image).Msg("")
|
||||
|
||||
isValidImage, err := r.cveInfo.IsValidImageFormat(path.Join(r.dir, image))
|
||||
if !isValidImage {
|
||||
r.cveInfo.Log.Debug().Msg("Image media type not supported for scanning")
|
||||
|
||||
return imgResultForFixedCVE, errors.ErrScanNotSupported
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return imgResultForFixedCVE, err
|
||||
}
|
||||
|
||||
tagsInfo, err := r.cveInfo.GetImageTagsWithTimestamp(r.dir, image)
|
||||
if err != nil {
|
||||
r.cveInfo.Log.Error().Err(err).Msg("Error while readling image media type")
|
||||
r.cveInfo.Log.Error().Err(err).Msg("Error while readling image tags")
|
||||
|
||||
return imgResultForFixedCVE, err
|
||||
}
|
||||
@@ -249,6 +219,15 @@ func (r *queryResolver) ImageListWithCVEFixed(ctx context.Context, id string, im
|
||||
for _, tag := range tagsInfo {
|
||||
r.cveInfo.CveTrivyConfig.TrivyConfig.Input = path.Join(r.dir, image+":"+tag.Name)
|
||||
|
||||
isValidImage, _ := r.cveInfo.IsValidImageFormat(r.cveInfo.CveTrivyConfig.TrivyConfig.Input)
|
||||
if !isValidImage {
|
||||
r.cveInfo.Log.Debug().Msg("Image media type not supported for scanning, adding as a infected image")
|
||||
|
||||
infectedTags = append(infectedTags, cveinfo.TagInfo{Name: tag.Name, Timestamp: tag.Timestamp})
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
r.cveInfo.Log.Info().Str("Scanning image", path.Join(r.dir, image+":"+tag.Name)).Msg("")
|
||||
|
||||
results, err := cveinfo.ScanImage(r.cveInfo.CveTrivyConfig)
|
||||
@@ -275,27 +254,35 @@ func (r *queryResolver) ImageListWithCVEFixed(ctx context.Context, id string, im
|
||||
}
|
||||
}
|
||||
|
||||
var finalTagList []*TagInfo
|
||||
|
||||
if len(infectedTags) != 0 {
|
||||
r.cveInfo.Log.Info().Msg("Comparing fixed tags timestamp")
|
||||
|
||||
fixedTags := cveinfo.GetFixedTags(tagsInfo, infectedTags)
|
||||
|
||||
finalTagList := make([]*TagInfo, 0)
|
||||
finalTagList = getGraphqlCompatibleTags(fixedTags)
|
||||
} else {
|
||||
r.cveInfo.Log.Info().Msg("Input image does not contain any tag that have given cve")
|
||||
|
||||
for _, tag := range fixedTags {
|
||||
copyTag := tag.Name
|
||||
|
||||
copyTimeStamp := tag.Timestamp
|
||||
|
||||
finalTagList = append(finalTagList, &TagInfo{Name: ©Tag, Timestamp: ©TimeStamp})
|
||||
}
|
||||
|
||||
imgResultForFixedCVE = &ImgResultForFixedCve{Tags: finalTagList}
|
||||
|
||||
return imgResultForFixedCVE, nil
|
||||
finalTagList = getGraphqlCompatibleTags(tagsInfo)
|
||||
}
|
||||
|
||||
r.cveInfo.Log.Info().Msg("Input image does not contain any tag that does not have given cve")
|
||||
imgResultForFixedCVE = &ImgResultForFixedCve{Tags: finalTagList}
|
||||
|
||||
return imgResultForFixedCVE, nil
|
||||
}
|
||||
|
||||
func getGraphqlCompatibleTags(fixedTags []cveinfo.TagInfo) []*TagInfo {
|
||||
finalTagList := make([]*TagInfo, 0)
|
||||
|
||||
for _, tag := range fixedTags {
|
||||
copyTag := tag.Name
|
||||
|
||||
copyTimeStamp := tag.Timestamp
|
||||
|
||||
finalTagList = append(finalTagList, &TagInfo{Name: ©Tag, Timestamp: ©TimeStamp})
|
||||
}
|
||||
|
||||
return finalTagList
|
||||
}
|
||||
|
||||
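Review bot: In the per-tag loop of ImageListForCve (hunk `@@ -188,6 +162,13 @@`) the new guard drops a tag from the affected-image result without leaving any trace. The call `r.cveInfo.Log.Debug().Str("Image media type not supported for scanning", repo)` is never finished with `.Msg(...)` as the neighbouring log calls are, so assuming the zerolog-style event API used elsewhere in this file the event is never written, and the error from `IsValidImageFormat` is discarded with `_`. A tag that could not be inspected is then indistinguishable from one the CVE does not affect, which is the fail-open direction for this query; the same `isValidImage, _ :=` pattern in ImageListWithCVEFixed at least fails closed by counting the tag as infected. I would keep the error and record the skip, e.g. `isValidImage, err := r.cveInfo.IsValidImageFormat(r.cveInfo.CveTrivyConfig.TrivyConfig.Input)` followed inside the guard by `r.cveInfo.Log.Warn().Err(err).Str("image", r.cveInfo.CveTrivyConfig.TrivyConfig.Input).Msg("image not scanned, omitted from CVE result")`. Both functions begin and end outside the hunks shown, so whether skipped tags are surfaced to the caller some other way is not visible here.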