internal

PiperOrigin-RevId: 755147565

Author: SCALIBR Team

artifact/image/layerscanning/image/image.go

@@ -17,6 +17,7 @@
 package image
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"io"
@@ -28,6 +29,7 @@ import (
 
 	"archive/tar"
 
+	"github.com/docker/docker/client"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
@@ -48,6 +50,9 @@ const (
 	// "8 is __POSIX_SYMLOOP_MAX (the minimum allowed value for SYMLOOP_MAX), and a common limit".
 	DefaultMaxSymlinkDepth = 6
 
+	dockerImageNameSeparator = ":"
+	tarFileNameSeparator     = "_"
+
 	// filePermission represents the permission bits for a file, which are minimal since files in the
 	// layer scanning use case are read-only.
 	filePermission = 0600
@@ -159,6 +164,89 @@ func FromRemoteName(imageName string, config *Config, imageOptions ...remote.Opt
 	return FromV1Image(v1Image, config)
 }
 
+// CreateTarBallFromImage creates a tarball from a local docker image. This is the API version of 'docker save image' command
+func createTarBallFromImage(imageName string) (string, error) {
+
+	dockerClient, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	if err != nil {
+		return "", fmt.Errorf("unable to create docker client to untar image  %s: %w", imageName, err)
+	}
+	inputStream, err := dockerClient.ImageSave(context.Background(), []string{imageName})
+	if err != nil {
+		return "", fmt.Errorf("unable to create docker stream to untar image %s: %w", imageName, err)
+	}
+	defer inputStream.Close()
+	tarFileName := strings.ReplaceAll(imageName, dockerImageNameSeparator, tarFileNameSeparator) + ".tar"
+	log.Infof("Tarfile  name is %s", tarFileName)
+	fileFd, err := os.CreateTemp("", tarFileName)
+	if err != nil {
+		return "", fmt.Errorf("unable to create file to untar image %s: %w", imageName, err)
+	}
+	_, err = io.Copy(fileFd, inputStream)
+	if err != nil {
+		fileFd.Close()
+		errVal := os.Remove(fileFd.Name())
+		if !os.IsNotExist(errVal) {
+			log.Warnf("Unable to remove file %s: %w", fileFd.Name(), errVal)
+		}
+		return "", fmt.Errorf("unable to write to tarfile for image %s: %w", imageName, err)
+	}
+	fileFd.Close()
+	return fileFd.Name(), nil
+}
+
+// Check if the imageName is of the form imageName:imageTag
+func validateImageNameAndTag(imageName string) (bool, error) {
+	dockerClient, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	if err != nil {
+		return false, err
+	}
+	defer dockerClient.Close()
+	_, _, err = dockerClient.ImageInspectWithRaw(context.Background(), imageName)
+	if err != nil {
+		if client.IsErrNotFound(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}
+
+// FromLocalDockerImage creates a tarball from a docker image which is on a local hard disk
+// We convert the image to a tarball, and then pass it to the FromTarball function which does all that is necessary
+func FromLocalDockerImage(imageName string, config *Config) (*Image, error) {
+
+	var tarBallName string
+	var img *Image
+	// First, the image name *MUST* always be of the form imageName:imageTag
+	if !strings.Contains(imageName, dockerImageNameSeparator) {
+		return nil, fmt.Errorf("Image name MUST be specified with a tag and be of the form <image_name>:<tag>")
+	}
+	// Now, check if the image actually exists on the local hard disk
+	imageExists, err := validateImageNameAndTag(imageName)
+	if err != nil {
+		return nil, fmt.Errorf("Image %s error while trying to access it: %w", imageName, err)
+	}
+	if !imageExists {
+		return nil, fmt.Errorf("Image %s does not exist", imageName)
+	}
+	// Now, create a tarball out of the image by using the API equivalent of 'docker save image:tag'
+	tarBallName, err = createTarBallFromImage(imageName)
+	if err != nil {
+		errVal := os.Remove(tarBallName)
+		if !os.IsNotExist(errVal) {
+			log.Warnf("Unable to remove file %s: %w", tarBallName, errVal)
+		}
+		return nil, fmt.Errorf("Unable to use image %s: %w", imageName, err)
+	}
+	img, err = FromTarball(tarBallName, config)
+	err = os.Remove(tarBallName)
+	if err != nil {
+		log.Warnf("Unable to remove the tarball %s: %v", tarBallName, err)
+	}
+	return img, err
+}
+
 // FromTarball creates an Image from a tarball file that stores a container image.
 func FromTarball(tarPath string, config *Config) (*Image, error) {
 	// TODO b/381251067: Look into supporting OCI images.

binary/cli/cli.go

@@ -136,6 +136,7 @@ type Flags struct {
 	MaxFileSize                int
 	UseGitignore               bool
 	RemoteImage                string
+	ImageLocal                 string
 	ImageTarball               string
 	ImagePlatform              string
 	GoBinaryVersionFromContent bool
@@ -180,6 +181,12 @@ func ValidateFlags(flags *Flags) error {
 	if flags.ImageTarball != "" && flags.ImagePlatform != "" {
 		return errors.New("--image-tarball cannot be used with --image-platform")
 	}
+	if flags.ImageLocal != "" && flags.RemoteImage != "" {
+		return errors.New("--image-local cannot be used with --remote-image")
+	}
+	if flags.ImageLocal != "" && flags.ImagePlatform != "" {
+		return errors.New("--image-local cannot be used with --image-platform")
+	}
 	if err := validateResultPath(flags.ResultFile); err != nil {
 		return fmt.Errorf("--result %w", err)
 	}
@@ -534,6 +541,11 @@ func (f *Flags) scanRoots() ([]*scalibrfs.ScanRoot, error) {
 	if f.ImageTarball != "" {
 		return nil, nil
 	}
+	// If ImageLocal is set, do not set the root.
+	// It is computed later on by ScanContainer(...) when the tarball is read.
+	if f.ImageLocal != "" {
+		return nil, nil
+	}
 
 	// Compute the default scan roots.
 	var scanRoots []*scalibrfs.ScanRoot

binary/cli/cli_test.go

@@ -210,14 +210,23 @@ func TestValidateFlags(t *testing.T) {
 			wantErr: nil,
 		},
 		{
-			desc: "Remoe Image with Image Tarball",
+			desc: "Remote Image with Image Tarball",
 			flags: &cli.Flags{
 				RemoteImage:  "docker",
 				ImageTarball: "image.tar",
 				ResultFile:   "result.textproto",
 			},
 			wantErr: cmpopts.AnyError,
 		},
+		{
+			desc: "Local Docker Image",
+			flags: &cli.Flags{
+				RemoteImage: "docker",
+				ImageLocal:  "nginx:latest",
+				ResultFile:  "result.textproto",
+			},
+			wantErr: cmpopts.AnyError,
+		},
 	} {
 		t.Run(tc.desc, func(t *testing.T) {
 			err := cli.ValidateFlags(tc.flags)
@@ -273,6 +282,19 @@ func TestGetScanConfig_ScanRoots(t *testing.T) {
 				"windows": nil,
 			},
 		},
+		{
+			desc: "Scan root is null if local image is provided",
+			flags: map[string]*cli.Flags{
+				"darwin":  {ImageLocal: "nginx:latest"},
+				"linux":   {ImageLocal: "nginx:latest"},
+				"windows": {ImageLocal: "nginx:latest"},
+			},
+			wantScanRoots: map[string][]string{
+				"darwin":  nil,
+				"linux":   nil,
+				"windows": nil,
+			},
+		},
 	} {
 		t.Run(tc.desc, func(t *testing.T) {
 			wantScanRoots, ok := tc.wantScanRoots[runtime.GOOS]

binary/scalibr/scalibr.go

@@ -75,6 +75,7 @@ func parseFlags(args []string) (*cli.Flags, error) {
 	useGitignore := fs.Bool("use-gitignore", false, "Skip files declared in .gitignore files in source repos.")
 	remoteImage := fs.String("remote-image", "", "The remote image to scan. If specified, SCALIBR pulls and scans this image instead of the local filesystem.")
 	imageTarball := fs.String("image-tarball", "", "The path to a tarball containing a container image. These are commonly procuded using `docker save`. If specified, SCALIBR scans this image instead of the local filesystem.")
+	imageDockerLocal := fs.String("image-local-docker", "", "The docker image that is available in the local filesystem. These are the images from the output of \"docker image ls\". If specified, SCALIBR scans this image. The name of the image MUST also include the tag of the image <image_name>:<image_tag>.")
 	imagePlatform := fs.String("image-platform", "", "The platform of the remote image to scan. If not specified, the platform of the client is used. Format is os/arch (e.g. linux/arm64)")
 	goBinaryVersionFromContent := fs.Bool("gobinary-version-from-content", false, "Parse the main module version from the binary content. Off by default because this drastically increases latency (~10x).")
 	govulncheckDBPath := fs.String("govulncheck-db", "", "Path to the offline DB for the govulncheck detectors to use. Leave empty to run the detectors in online mode.")
@@ -112,6 +113,7 @@ func parseFlags(args []string) (*cli.Flags, error) {
 		MaxFileSize:                *maxFileSize,
 		UseGitignore:               *useGitignore,
 		RemoteImage:                *remoteImage,
+		ImageLocal:                 *imageDockerLocal,
 		ImageTarball:               *imageTarball,
 		ImagePlatform:              *imagePlatform,
 		GoBinaryVersionFromContent: *goBinaryVersionFromContent,

binary/scanrunner/scanrunner.go

@@ -60,9 +60,24 @@ func RunScan(flags *cli.Flags) int {
 			log.Errorf("Failed to create image from tarball: %v", err)
 			return 1
 		}
+		defer img.CleanUp()
 		result, err = scalibr.New().ScanContainer(context.Background(), img, cfg)
 		if err != nil {
-			log.Errorf("Failed to scan container: %v", err)
+			log.Errorf("Failed to scan tarball: %v", err)
+			return 1
+		}
+	} else if flags.ImageLocal != "" { // We will scan an image in the local hard disk
+		layerCfg := scalibrlayerimage.DefaultConfig()
+		log.Infof("Scanning local image: %s", flags.ImageLocal)
+		img, err := scalibrlayerimage.FromLocalDockerImage(flags.ImageLocal, layerCfg)
+		if err != nil {
+			log.Errorf("Failed to scan local image: %v", err)
+			return 1
+		}
+		defer img.CleanUp()
+		result, err = scalibr.New().ScanContainer(context.Background(), img, cfg)
+		if err != nil {
+			log.Errorf("Failed to scan local image: %v", err)
 			return 1
 		}
 	} else {