feat(extractor): switch to layer ID of origin layer (fanal#93)

knqyf263 · simar7 · web-flow · commit 5d7149d6cff5 · 2020-03-17T20:10:56.000+02:00
* feat(extractor): switch to layer ID of origin layer

* integration: update golden file for vuln-image

This file was updated during a COVID-19 crisis.

Signed-off-by: Simarpreet Singh &lt;simar@linux.com&gt;

* test(docker): sort applications

* test(docker): fix order

Co-authored-by: Simarpreet Singh &lt;simar@linux.com&gt;
diff --git a/extractor/docker/docker.go b/extractor/docker/docker.go
@@ -10,6 +10,8 @@ import (
 	"strings"
 	"time"
 
+	godeptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
+
 	"github.com/aquasecurity/fanal/extractor/image/token/ecr"
 	"github.com/aquasecurity/fanal/extractor/image/token/gcr"
 	digest "github.com/opencontainers/go-digest"
@@ -84,6 +86,49 @@ func newDockerExtractor(ctx context.Context, imgRef image.Reference, transports
 	}, cleanup, nil
 }
 
+func containsPackage(e types.Package, s []types.Package) bool {
+	for _, a := range s {
+		if a.Name == e.Name && a.Version == e.Version && a.Release == e.Release {
+			return true
+		}
+	}
+	return false
+}
+
+func containsLibrary(e godeptypes.Library, s []types.LibraryInfo) bool {
+	for _, a := range s {
+		if e.Name == a.Library.Name && e.Version == a.Library.Version {
+			return true
+		}
+	}
+	return false
+}
+
+func lookupOriginLayerForPkg(pkg types.Package, layers []types.LayerInfo) digest.Digest {
+	for _, layer := range layers {
+		for _, info := range layer.PackageInfos {
+			if containsPackage(pkg, info.Packages) {
+				return layer.ID
+			}
+		}
+	}
+	return ""
+}
+
+func lookupOriginLayerForLib(filePath string, lib godeptypes.Library, layers []types.LayerInfo) digest.Digest {
+	for _, layer := range layers {
+		for _, layerApp := range layer.Applications {
+			if filePath != layerApp.FilePath {
+				continue
+			}
+			if containsLibrary(lib, layerApp.Libraries) {
+				return layer.ID
+			}
+		}
+	}
+	return ""
+}
+
 func ApplyLayers(layers []types.LayerInfo) types.ImageDetail {
 	sep := "/"
 	nestedMap := nested.Nested{}
@@ -102,15 +147,9 @@ func ApplyLayers(layers []types.LayerInfo) types.ImageDetail {
 		}
 
 		for _, pkgInfo := range layer.PackageInfos {
-			for i := range pkgInfo.Packages {
-				pkgInfo.Packages[i].LayerID = layer.ID
-			}
 			nestedMap.SetByString(pkgInfo.FilePath, sep, pkgInfo)
 		}
 		for _, app := range layer.Applications {
-			for i := range app.Libraries {
-				app.Libraries[i].LayerID = layer.ID
-			}
 			nestedMap.SetByString(app.FilePath, sep, app)
 		}
 	}
@@ -125,6 +164,18 @@ func ApplyLayers(layers []types.LayerInfo) types.ImageDetail {
 		return nil
 	})
 
+	for i, pkg := range mergedLayer.Packages {
+		originLayerID := lookupOriginLayerForPkg(pkg, layers)
+		mergedLayer.Packages[i].LayerID = originLayerID
+	}
+
+	for _, app := range mergedLayer.Applications {
+		for i, libInfo := range app.Libraries {
+			originLayerID := lookupOriginLayerForLib(app.FilePath, libInfo.Library, layers)
+			app.Libraries[i].LayerID = originLayerID
+		}
+	}
+
 	return mergedLayer
 }
 
diff --git a/extractor/docker/docker_test.go b/extractor/docker/docker_test.go
@@ -85,7 +85,7 @@ func TestApplyLayers(t *testing.T) {
 									Version: "1.2.3",
 									Release: "4.5.6",
 								},
-								{
+								{ // added
 									Name:    "musl",
 									Version: "1.2.4",
 									Release: "4.5.7",
@@ -95,6 +95,27 @@ func TestApplyLayers(t *testing.T) {
 					},
 					WhiteoutFiles: []string{"app/composer.lock"},
 				},
+				{
+					SchemaVersion: 1,
+					ID:            "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4",
+					PackageInfos: []types.PackageInfo{
+						{
+							FilePath: "lib/apk/db/installed",
+							Packages: []types.Package{
+								{
+									Name:    "openssl",
+									Version: "1.2.3",
+									Release: "4.5.6",
+								},
+								{
+									Name:    "musl",
+									Version: "1.2.4",
+									Release: "4.5.8", // updated
+								},
+							},
+						},
+					},
+				},
 			},
 			expectedImageDetail: types.ImageDetail{
 				OS: &types.OS{
@@ -105,14 +126,14 @@ func TestApplyLayers(t *testing.T) {
 					{
 						Name:    "musl",
 						Version: "1.2.4",
-						Release: "4.5.7",
-						LayerID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
+						Release: "4.5.8",
+						LayerID: "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4",
 					},
 					{
 						Name:    "openssl",
 						Version: "1.2.3",
 						Release: "4.5.6",
-						LayerID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
+						LayerID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
 				},
 				Applications: []types.Application{
@@ -132,6 +153,129 @@ func TestApplyLayers(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy path with removed and updated lockfile",
+			inputLayers: []types.LayerInfo{
+				{
+					SchemaVersion: 1,
+					ID:            "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					OS: &types.OS{
+						Family: "alpine",
+						Name:   "3.10",
+					},
+					Applications: []types.Application{
+						{
+							Type:     "gem",
+							FilePath: "app/Gemfile.lock",
+							Libraries: []types.LibraryInfo{
+								{
+									Library: godeptypes.Library{
+										Name:    "rails",
+										Version: "5.0.0",
+									},
+								},
+								{
+									Library: godeptypes.Library{
+										Name:    "rack",
+										Version: "4.0.0",
+									},
+								},
+							},
+						},
+						{
+							Type:     "composer",
+							FilePath: "app/composer.lock",
+							Libraries: []types.LibraryInfo{
+								{
+									Library: godeptypes.Library{
+										Name:    "phplibrary1",
+										Version: "6.6.6",
+									},
+								},
+							},
+						},
+					},
+				},
+				{
+					SchemaVersion: 1,
+					ID:            "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
+					Applications: []types.Application{
+						{
+							Type:     "gem",
+							FilePath: "app/Gemfile.lock",
+							Libraries: []types.LibraryInfo{
+								{
+									Library: godeptypes.Library{
+										Name:    "rails",
+										Version: "6.0.0",
+									},
+								},
+								{
+									Library: godeptypes.Library{
+										Name:    "rack",
+										Version: "4.0.0",
+									},
+								},
+							},
+						},
+						{
+							Type:     "composer",
+							FilePath: "app/composer2.lock",
+							Libraries: []types.LibraryInfo{
+								{
+									Library: godeptypes.Library{
+										Name:    "phplibrary1",
+										Version: "6.6.6",
+									},
+								},
+							},
+						},
+					},
+					WhiteoutFiles: []string{"app/composer.lock"},
+				},
+			},
+			expectedImageDetail: types.ImageDetail{
+				OS: &types.OS{
+					Family: "alpine",
+					Name:   "3.10",
+				},
+				Applications: []types.Application{
+					{
+						Type:     "gem",
+						FilePath: "app/Gemfile.lock",
+						Libraries: []types.LibraryInfo{
+							{
+								Library: godeptypes.Library{
+									Name:    "rack",
+									Version: "4.0.0",
+								},
+								LayerID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+							},
+							{
+								Library: godeptypes.Library{
+									Name:    "rails",
+									Version: "6.0.0",
+								},
+								LayerID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
+							},
+						},
+					},
+					{
+						Type:     "composer",
+						FilePath: "app/composer2.lock",
+						Libraries: []types.LibraryInfo{
+							{
+								Library: godeptypes.Library{
+									Name:    "phplibrary1",
+									Version: "6.6.6",
+								},
+								LayerID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "happy path with status.d",
 			inputLayers: []types.LayerInfo{
@@ -211,11 +355,21 @@ func TestApplyLayers(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		gotImageDetail := ApplyLayers(tc.inputLayers)
-		sort.Slice(gotImageDetail.Packages, func(i, j int) bool {
-			return gotImageDetail.Packages[i].Name < gotImageDetail.Packages[j].Name
+		t.Run(tc.name, func(t *testing.T) {
+			gotImageDetail := ApplyLayers(tc.inputLayers)
+			sort.Slice(gotImageDetail.Packages, func(i, j int) bool {
+				return gotImageDetail.Packages[i].Name < gotImageDetail.Packages[j].Name
+			})
+			sort.Slice(gotImageDetail.Applications, func(i, j int) bool {
+				return gotImageDetail.Applications[i].FilePath < gotImageDetail.Applications[j].FilePath
+			})
+			for _, app := range gotImageDetail.Applications {
+				sort.Slice(app.Libraries, func(i, j int) bool {
+					return app.Libraries[i].Library.Name < app.Libraries[j].Library.Name
+				})
+			}
+			assert.Equal(t, tc.expectedImageDetail, gotImageDetail, tc.name)
 		})
-		assert.Equal(t, tc.expectedImageDetail, gotImageDetail, tc.name)
 	}
 }
 
diff --git a/integration/testdata/goldens/packages/knqyf263-vuln-image-1.2.3.json.golden b/integration/testdata/goldens/packages/knqyf263-vuln-image-1.2.3.json.golden
