feat (detectExecuteScan) include side car conditions and use CPE from build steps to run docker scans

cmd/detectExecuteScan.go

@@ -30,6 +30,8 @@ import (
 	"github.com/pkg/errors"
 )
 
+const NO_VERSION_SUFFIX = ""
+
 type detectUtils interface {
 	piperutils.FileUtils
 
@@ -202,7 +204,7 @@ func runDetect(ctx context.Context, config detectExecuteScanOptions, utils detec
 	blackduckSystem := newBlackduckSystem(config)
 
 	args := []string{"./detect.sh"}
-	args, err = addDetectArgs(args, config, utils, blackduckSystem)
+	args, err = addDetectArgs(args, config, utils, blackduckSystem, NO_VERSION_SUFFIX, NO_VERSION_SUFFIX)
 	if err != nil {
 		return err
 	}
@@ -214,7 +216,12 @@ func runDetect(ctx context.Context, config detectExecuteScanOptions, utils detec
 	utils.SetDir(".")
 	utils.SetEnv(envs)
 
-	err = utils.RunShell("/bin/bash", script)
+	if !config.ScanImages {
+		err = mapDetectError(utils.RunShell("/bin/bash", script), config, utils)
+	} else {
+		err = mapDetectError(runDetectImages(ctx, config, utils, blackduckSystem, influx, blackduckSystem), config, utils)
+	}
+
 	reportingErr := postScanChecksAndReporting(ctx, config, influx, utils, blackduckSystem)
 	if reportingErr != nil {
 		if strings.Contains(reportingErr.Error(), "License Policy Violations found") {
@@ -247,6 +254,67 @@ func runDetect(ctx context.Context, config detectExecuteScanOptions, utils detec
 	return err
 }
 
+func mapDetectError(err error, config detectExecuteScanOptions, utils detectUtils) error {
+	if err != nil {
+		// Setting error category based on exit code
+		mapErrorCategory(utils.GetExitCode())
+		if log.GetErrorCategory() == log.ErrorCompliance && !config.FailOnSevereVulnerabilities {
+			err = nil
+			log.Entry().Infof("policy violation(s) found - step will only create data but not fail due to setting failOnSevereVulnerabilities: false")
+		} else {
+			// Error code mapping with more human readable text
+			err = errors.Wrapf(err, exitCodeMapping(utils.GetExitCode()))
+		}
+	}
+	return err
+}
+
+func runDetectImages(ctx context.Context, config detectExecuteScanOptions, utils detectUtils, sys *blackduckSystem, influx *detectExecuteScanInflux, blackduckSystem *blackduckSystem) error {
+	// cpePath := filepath.Join(GeneralConfig.EnvRootPath, "commonPipelineEnvironment")
+	imagesRaw := config.ImageNameTags
+	if len(imagesRaw) == 0 {
+		log.Entry().Debugf("No images found to be scanned")
+		return nil
+	}
+
+	registryUser := config.ContainerRegistryUser
+	registryPassword := config.ContainerRegistryPassword
+	registryURL := config.ContainerRegistryURL
+
+	log.Entry().Infof("Scanning %d images", len(imagesRaw))
+	for _, image := range imagesRaw {
+		// Download image to be scanned
+		log.Entry().Debugf("Scanning image: %q", image)
+		tarName := fmt.Sprintf("%s.tar", strings.Split(image, ":")[0])
+
+		options := containerSaveImageOptions{
+			ContainerRegistryURL:      registryURL,
+			ContainerImage:            image,
+			ContainerRegistryPassword: registryPassword,
+			ContainerRegistryUser:     registryUser,
+			FilePath:                  tarName,
+			ImageFormat:               "legacy",
+		}
+		containerSaveImage(options, &telemetry.CustomData{})
+
+		args := []string{"./detect.sh"}
+		args, err := addDetectArgsImages(args, config, utils, sys, tarName)
+		if err != nil {
+			return err
+		}
+		script := strings.Join(args, " ")
+
+		err = utils.RunShell("/bin/bash", script)
+		err = mapDetectError(err, config, utils)
+
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // Get proper error category
 func mapErrorCategory(exitCodeKey int) {
 	switch exitCodeKey {
@@ -331,8 +399,13 @@ func getDetectScript(config detectExecuteScanOptions, utils detectUtils) error {
 	return nil
 }
 
-func addDetectArgs(args []string, config detectExecuteScanOptions, utils detectUtils, sys *blackduckSystem) ([]string, error) {
+func addDetectArgs(args []string, config detectExecuteScanOptions, utils detectUtils, sys *blackduckSystem, versionSuffix, locationSuffix string) ([]string, error) {
 	detectVersionName := getVersionName(config)
+
+	if versionSuffix != NO_VERSION_SUFFIX {
+		detectVersionName = fmt.Sprintf("%s-%s", detectVersionName, versionSuffix)
+	}
+
 	// Split on spaces, the scanPropeties, so that each property is available as a single string
 	// instead of all properties being part of a single string
 	config.ScanProperties = piperutils.SplitAndTrim(config.ScanProperties, " ")
@@ -467,6 +540,44 @@ func addDetectArgs(args []string, config detectExecuteScanOptions, utils detectU
 	return args, nil
 }
 
+func addDetectArgsImages(args []string, config detectExecuteScanOptions, utils detectUtils, sys *blackduckSystem, imageTar string) ([]string, error) {
+	// suffix := strings.Split(imageTar, ".")[0]
+	// In order to preserve source scan result
+	config.Unmap = false
+	args, err := addDetectArgs(args, config, utils, sys, NO_VERSION_SUFFIX, fmt.Sprintf("image-%s", strings.Split(imageTar, ".")[0]))
+	if err != nil {
+		return []string{}, err
+	}
+
+	args = append(args, fmt.Sprintf("--detect.docker.tar=./%s", imageTar))
+	args = append(args, "--detect.target.type=IMAGE")
+	// https://community.synopsys.com/s/article/Docker-image-scanning-CLI-examples-and-some-Q-As
+	args = append(args, "--detect.tools.excluded=DETECTOR")
+	args = append(args, "--detect.docker.passthrough.shared.dir.path.local=/opt/blackduck/blackduck-imageinspector/shared")
+	args = append(args, "--detect.docker.passthrough.shared.dir.path.imageinspector=/opt/blackduck/blackduck-imageinspector/shared")
+	//args = append(args, "--detect.docker.passthrough.shared.dir.path.local=/home/scanner")
+	//args = append(args, "--detect.docker.passthrough.shared.dir.path.imageinspector=/home/scanner")
+	args = append(args, fmt.Sprintf("--detect.docker.passthrough.imageinspector.service.distro.default=%s", config.ContainerDistro))
+	args = append(args, "--detect.docker.passthrough.imageinspector.service.start=false")
+	args = append(args, "--detect.docker.passthrough.output.include.squashedimage=false")
+	//args = append(args, "--detect.docker.passthrough.cleanup.inspector.container=false")
+	//args = append(args, "--logging.level.com.synopsys=DEBUG")
+	//args = append(args, "--detect.diagnostic")
+
+	switch config.ContainerDistro {
+	case "ubuntu":
+		args = append(args, "--detect.docker.passthrough.imageinspector.service.url=http://localhost:9002")
+	case "centos":
+		args = append(args, "--detect.docker.passthrough.imageinspector.service.url=http://localhost:9001")
+	case "alpine":
+		args = append(args, "--detect.docker.passthrough.imageinspector.service.url=http://localhost:9000")
+	default:
+		return nil, fmt.Errorf("unknown container distro %q", config.ContainerDistro)
+	}
+
+	return args, nil
+}
+
 func getVersionName(config detectExecuteScanOptions) string {
 	detectVersionName := config.CustomScanVersion
 	if len(detectVersionName) > 0 {

pkg/config/stepmeta.go

@@ -235,8 +235,17 @@ func (m *StepData) GetContextParameterFilters() StepFilters {
 		contextFilters = append(contextFilters, parameterKeys...)
 	}
 	if len(m.Spec.Sidecars) > 0 {
+		parameterKeysForSideCar := []string{"containerName", "containerPortMappings", "dockerName", "sidecarEnvVars", "sidecarImage", "sidecarName", "sidecarOptions", "sidecarPullImage", "sidecarReadyCommand", "sidecarVolumeBind", "sidecarWorkspace"}
+		for _, sidecar := range m.Spec.Sidecars {
+			for _, condition := range sidecar.Conditions {
+				for _, dependentParam := range condition.Params {
+					parameterKeysForSideCar = append(parameterKeysForSideCar, dependentParam.Value)
+					parameterKeysForSideCar = append(parameterKeysForSideCar, dependentParam.Name)
+				}
+			}
+		}
 		//ToDo: support fallback for "dockerName" configuration property -> via aliasing?
-		contextFilters = append(contextFilters, []string{"containerName", "containerPortMappings", "dockerName", "sidecarEnvVars", "sidecarImage", "sidecarName", "sidecarOptions", "sidecarPullImage", "sidecarReadyCommand", "sidecarVolumeBind", "sidecarWorkspace"}...)
+		contextFilters = append(contextFilters, parameterKeysForSideCar...)
 		//ToDo: add condition param.Value and param.Name to filter as for Containers
 	}
 
@@ -302,11 +311,33 @@ func (m *StepData) GetContextDefaults(stepName string) (io.ReadCloser, error) {
 	}
 
 	if len(m.Spec.Sidecars) > 0 {
-		if len(m.Spec.Sidecars[0].Command) > 0 {
-			root["sidecarCommand"] = m.Spec.Sidecars[0].Command[0]
+		for _, sideCar := range m.Spec.Sidecars {
+			key := ""
+			conditionParam := ""
+			if len(sideCar.Conditions) > 0 {
+				key = sideCar.Conditions[0].Params[0].Value
+				conditionParam = sideCar.Conditions[0].Params[0].Name
+			}
+			p := map[string]interface{}{}
+			if key != "" {
+				root[key] = p
+				//add default for condition parameter if available
+				for _, inputParam := range m.Spec.Inputs.Parameters {
+					if inputParam.Name == conditionParam {
+						root[conditionParam] = inputParam.Default
+					}
+				}
+			} else {
+				p = root
+			}
+			if len(sideCar.Command) > 0 {
+				root["sidecarCommand"] = sideCar.Command[0]
+			}
+
+			putStringIfNotEmpty(root, "sidecarReadyCommand", sideCar.ReadyCommand)
+			sideCar.commonConfiguration("sidecar", &p)
+
 		}
-		m.Spec.Sidecars[0].commonConfiguration("sidecar", &root)
-		putStringIfNotEmpty(root, "sidecarReadyCommand", m.Spec.Sidecars[0].ReadyCommand)
 
 		// not filled for now since this is not relevant in Kubernetes case
 		//putStringIfNotEmpty(root, "containerPortMappings", m.Spec.Sidecars[0].)