Add detection of additional packages

Signed-off-by: Christian Dupuis <cd@atomist.com>

Author: cdupuis

sbom/addition.go

@@ -0,0 +1,86 @@
+/*
+ * Copyright © 2022 Docker, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sbom
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/anchore/syft/syft/source"
+	"github.com/docker/index-cli-plugin/types"
+)
+
+type PackageDetector = func(packages []types.Package, image source.Source, lm types.LayerMapping) []types.Package
+
+var detectors []PackageDetector
+
+func init() {
+	detectors = []PackageDetector{nodePackageDetector}
+}
+
+func detectAdditionalPackages(packages []types.Package, image source.Source, lm types.LayerMapping) []types.Package {
+	additionalPackages := make([]types.Package, 0)
+	for _, d := range detectors {
+		additionalPackages = append(additionalPackages, d(packages, image, lm)...)
+	}
+	return additionalPackages
+}
+
+func nodePackageDetector(_ []types.Package, image source.Source, lm types.LayerMapping) []types.Package {
+	var path []string
+	var nodeVersion string
+
+	env := image.Image.Metadata.Config.Config.Env
+	for _, e := range env {
+		k := strings.Split(e, "=")[0]
+		v := strings.Split(e, "=")[1]
+		switch k {
+		case "NODE_VERSION":
+			nodeVersion = v
+		case "PATH":
+			path = strings.Split(v, ":")
+		}
+	}
+
+	if nodeVersion != "" && len(path) > 0 {
+		res, _ := image.FileResolver(source.SquashedScope)
+		for _, p := range path {
+			fp := fmt.Sprintf("%s/node", p)
+			if locations, err := res.FilesByPath(fp); err == nil && len(locations) > 0 {
+				loc := locations[0]
+				return []types.Package{{
+					Type:        "github",
+					Namespace:   "nodejs",
+					Name:        "node",
+					Version:     nodeVersion,
+					Purl:        fmt.Sprintf("pkg:github/nodejs/node@%s", nodeVersion),
+					Author:      "Node.js Project",
+					Description: "Node.js JavaScript runtime",
+					Licenses:    []string{"MIT"},
+					Url:         "https://nodejs.org",
+					Locations: []types.Location{{
+						Path:   fp,
+						DiffId: loc.FileSystemID,
+						Digest: lm.ByDiffId[loc.FileSystemID],
+					}},
+				}}
+			}
+		}
+	}
+
+	return []types.Package{}
+}

sbom/addition_test.go

@@ -0,0 +1,47 @@
+/*
+ * Copyright © 2022 Docker, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sbom
+
+import (
+	"testing"
+
+	stereoscopeimage "github.com/anchore/stereoscope/pkg/image"
+	"github.com/anchore/syft/syft/source"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/index-cli-plugin/registry"
+	"github.com/docker/index-cli-plugin/types"
+)
+
+func TestNodeDetector(t *testing.T) {
+	cmd, _ := command.NewDockerCli()
+	img, ociPath, _ := registry.SaveImage("node@sha256:2b00d259f3b07d8aa694b298a7dcf4655571aea2ab91375b5adb8e5a905d3ee2", cmd.Client())
+	lm := createLayerMapping(img)
+	i := source.Input{
+		Scheme:      source.ImageScheme,
+		ImageSource: stereoscopeimage.OciDirectorySource,
+		Location:    ociPath,
+	}
+	src, _, _ := source.New(i, nil, nil)
+	packages := nodePackageDetector([]types.Package{}, *src, lm)
+	if len(packages) != 1 {
+		t.Errorf("Expected package missing")
+	}
+	node := packages[0]
+	if node.Purl != "pkg:github/nodejs/node@19.0.0" {
+		t.Errorf("Wrong nodejs version detected")
+	}
+}

sbom/diff.go

@@ -19,6 +19,7 @@ package sbom
 import (
 	"fmt"
 	"strings"
+	"sync"
 
 	"github.com/anchore/packageurl-go"
 	"github.com/docker/docker/client"
@@ -58,13 +59,23 @@ func init() {
 }
 
 func DiffImages(image1 string, image2 string, client client.APIClient, workspace string, apikey string) error {
-	resultChan1 := make(chan ImageIndexResult)
-	resultChan2 := make(chan ImageIndexResult)
-	go indexImageAsync(image1, client, resultChan1)
-	go indexImageAsync(image2, client, resultChan2)
-
-	result1 := <-resultChan1
-	result2 := <-resultChan2
+	resultChan := make(chan ImageIndexResult, 2)
+	var wg sync.WaitGroup
+	wg.Add(2)
+	go indexImageAsync(&wg, image1, client, resultChan)
+	go indexImageAsync(&wg, image2, client, resultChan)
+	wg.Wait()
+	close(resultChan)
+
+	var result1, result2 ImageIndexResult
+	for result := range resultChan {
+		switch result.Input {
+		case image1:
+			result1 = result
+		case image2:
+			result2 = result
+		}
+	}
 
 	diffPackages(result1, result2)
 	diffCves(result1, result2)
@@ -154,7 +165,7 @@ func diffPackages(result1, result2 ImageIndexResult) {
 
 	t.SetColumnConfigs([]table.ColumnConfig{
 		{Name: "Package", AutoMerge: true},
-		{Name: "Version", AutoMerge: true},
+		{Name: "Version", AutoMerge: true, Align: text.AlignRight},
 		{Number: 3, Align: text.AlignCenter, AlignFooter: text.AlignCenter, AlignHeader: text.AlignCenter},
 		{Number: 4, Align: text.AlignCenter, AlignFooter: text.AlignCenter, AlignHeader: text.AlignCenter},
 	})
@@ -239,33 +250,30 @@ func colorizeSeverity(severity string) string {
 }
 
 func toSeverity(cve types.Cve) string {
-	if cve.Cve != nil {
-		for _, r := range cve.Cve.References {
-			if r.Source == "atomist" {
-				for _, s := range r.Scores {
-					if s.Type == "atm_severity" {
-						v := s.Value
-						if v != "SEVERITY_UNSPECIFIED" {
-							return v
-						}
-					}
-				}
-			}
+	findSeverity := func(adv *types.Advisory) (string, bool) {
+		if adv == nil {
+			return "", false
 		}
-	}
-	if cve.Advisory != nil {
-		for _, r := range cve.Advisory.References {
+		for _, r := range (*adv).References {
 			if r.Source == "atomist" {
 				for _, s := range r.Scores {
 					if s.Type == "atm_severity" {
 						v := s.Value
 						if v != "SEVERITY_UNSPECIFIED" {
-							return v
+							return v, true
 						}
 					}
 				}
 			}
 		}
+		return "", false
+	}
+
+	if severity, ok := findSeverity(cve.Cve); ok {
+		return severity
+	}
+	if severity, ok := findSeverity(cve.Advisory); ok {
+		return severity
 	}
 
 	return "IN TRIAGE"

sbom/index.go

@@ -22,6 +22,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"github.com/atomist-skills/go-skill"
 	"github.com/docker/docker/client"
@@ -35,18 +36,21 @@ import (
 )
 
 type ImageIndexResult struct {
+	Input string
 	Image *v1.Image
 	Sbom  *types.Sbom
 	Error error
 }
 
-func indexImageAsync(image string, client client.APIClient, resultChan chan<- ImageIndexResult) {
+func indexImageAsync(wg *sync.WaitGroup, image string, client client.APIClient, resultChan chan<- ImageIndexResult) {
+	defer wg.Done()
 	sbom, img, err := IndexImage(image, client)
 	cves, err := query.QueryCves(sbom, "", "", "")
 	if err == nil {
 		sbom.Vulnerabilities = *cves
 	}
 	resultChan <- ImageIndexResult{
+		Input: image,
 		Image: img,
 		Sbom:  sbom,
 		Error: err,

sbom/index_test.go

@@ -43,7 +43,7 @@ func TestMergePackages(t *testing.T) {
 			DiffId: "sha256:5678",
 		}},
 	}
-	packages := mergePackages(types.IndexResult{
+	packages := types.MergePackages(types.IndexResult{
 		Status:   types.Success,
 		Packages: []types.Package{pkga},
 	}, types.IndexResult{

sbom/syft.go

@@ -107,6 +107,8 @@ func syftSbom(ociPath string, lm types.LayerMapping, resultChan chan<- types.Ind
 		pkg := toPackage(p, packageRelationships, qualifiers, lm, pm)
 		result.Packages = append(result.Packages, pkg...)
 	}
+
+	result.Packages = append(result.Packages, detectAdditionalPackages(result.Packages, *src, lm)...)
 	resultChan <- result
 }