def _CreateFilterFromImagesDescribeArgs(image, args):
r"""Parses `docker images describe` arguments into a filter to send to containeranalysis API.
The returned filter will combine the user-provided filter specified by
the --metadata-filter flag and occurrence kind filters specified by flags
such as --show-package-vulnerability.
Returns None if there is no information to fetch from containeranalysis API.
Args:
image: the fully-qualified path of a docker image.
args: user provided command line arguments.
Returns:
A filter string to send to the containeranalysis API.
For example, given a user input:
gcloud docker images describe \
us-west1-docker.pkg.dev/my-project/my-repo/ubuntu@sha256:abc \
--show-package-vulnerability \
--show-image-basis \
--metadata-filter='createTime>"2019-04-10T"'
this method will create a filter:
'''
((kind="VULNERABILITY") OR (kind="IMAGE")) AND
(createTime>"2019-04-10T") AND
(resourceUrl=us-west1-docker.pkg.dev/my-project/my-repo/ubuntu@sha256:abc'))
'''
"""
occ_filter = filter_util.ContainerAnalysisFilter()
filter_kinds = []
# We don't need to filter on kinds when showing all metadata
if not args.show_all_metadata:
if args.show_build_details:
filter_kinds.append('BUILD')
if args.show_package_vulnerability:
filter_kinds.append('VULNERABILITY')
filter_kinds.append('DISCOVERY')
if args.show_image_basis:
filter_kinds.append('IMAGE')
if args.show_deployment:
filter_kinds.append('DEPLOYMENT')
# args include none of the occurrence types, there's no need to call the
# containeranalysis API.
if not filter_kinds:
return None
occ_filter.WithKinds(filter_kinds)
occ_filter.WithCustomFilter(args.metadata_filter)
occ_filter.WithResources([image])
return occ_filter.GetFilter()
def _CreateFilterForImages(repo_or_image, custom_filter, images):
"""Creates a list of filters from a docker image prefix, a custom filter and fully-qualified image URLs.
Args:
repo_or_image: an instance of DockerImage or DockerRepo.
custom_filter: user provided filter string.
images: fully-qualified docker image URLs. Only metadata of these images
will be retrieved.
Returns:
A filter string to send to the containeranalysis API.
"""
occ_filter = filter_util.ContainerAnalysisFilter()
occ_filter.WithResourcePrefix(repo_or_image.GetDockerString())
occ_filter.WithResources(images)
occ_filter.WithCustomFilter(custom_filter)
return occ_filter.GetChunkifiedFilters()
def _CreateFilterForImages(prefix, custom_filter, images):
"""Creates a list of filters from a docker image prefix, a custom filter and fully-qualified image URLs.
Args:
prefix: an URL prefix. Only metadata of images with this prefix will be
retrieved.
custom_filter: user provided filter string.
images: fully-qualified docker image URLs. Only metadata of these images
will be retrieved.
Returns:
A filter string to send to the containeranalysis API.
"""
occ_filter = filter_util.ContainerAnalysisFilter()
occ_filter.WithResourcePrefix(prefix)
occ_filter.WithResources(images)
occ_filter.WithCustomFilter(custom_filter)
return occ_filter.GetChunkifiedFilters()
def GetContainerAnalysisMetadata(docker_version, args):
"""Retrieves metadata for a docker image."""
metadata = ContainerAnalysisMetadata()
docker_str = docker_version.GetDockerString()
occ_filter = _CreateFilterFromImagesDescribeArgs(docker_str, args)
if occ_filter is None:
return metadata
occurrences = ca_requests.ListOccurrences(docker_version.project,
occ_filter)
for occ in occurrences:
metadata.AddOccurrence(occ)
if metadata.vulnerability.vulnerabilities:
vuln_summary = ca_requests.GetVulnerabilitySummary(
docker_version.project,
filter_util.ContainerAnalysisFilter().WithResources(
[docker_str]).GetFilter())
metadata.vulnerability.AddSummary(vuln_summary)
return metadata
def GetContainerAnalysisMetadataForImages(repo_or_image, occurrence_filter,
images):
"""Retrieves metadata for all images with a given path prefix."""
metadata = collections.defaultdict(ContainerAnalysisMetadata)
prefix = 'https://{}'.format(repo_or_image.GetDockerString())
occ_filters = _CreateFilterForImages(prefix, occurrence_filter, images)
occurrences = ca_requests.ListOccurrencesWithFilters(
repo_or_image.project, occ_filters)
for occ in occurrences:
metadata.setdefault(occ.resourceUri,
ContainerAnalysisMetadata()).AddOccurrence(occ)
summary_filters = filter_util.ContainerAnalysisFilter().WithResourcePrefix(
prefix).WithResources(images).GetChunkifiedFilters()
summaries = ca_requests.GetVulnerabilitySummaryWithFilters(
repo_or_image.project, summary_filters)
for summary in summaries:
for count in summary.counts:
metadata.setdefault(
count.resourceUri,
ContainerAnalysisMetadata()).vulnerability.AddCount(count)
return metadata
