def execute_docker_image(args):
'''Execution path if given a Docker image'''
logger.debug('Setting up...')
image_string = args.docker_image
if not args.raw_image:
# don't check docker daemon for raw images
container.check_docker_setup()
else:
image_string = args.raw_image
report.setup(image_tag_string=image_string)
# attempt to get built image metadata
full_image = report.load_full_image(image_string)
if full_image.origins.is_empty():
# image loading was successful
# Add an image origin here
full_image.origins.add_notice_origin(
formats.docker_image.format(imagetag=image_string))
# analyze image
analyze(full_image, args)
# generate report
report.report_out(args, full_image)
else:
# we cannot load the full image
logger.warning('Cannot retrieve full image metadata')
if not args.keep_wd:
report.clean_image_tars(full_image)
logger.debug('Teardown...')
report.teardown()
if not args.keep_wd:
report.clean_working_dir()
def execute_docker_image(args): # pylint: disable=too-many-branches
'''Execution path if given a Docker image'''
logger.debug('Starting analysis...')
image_string = ''
image_digest = ''
if args.docker_image:
# extract the docker image
image_attrs = docker_api.dump_docker_image(args.docker_image)
if image_attrs:
if image_attrs['RepoTags']:
image_string = image_attrs['RepoTags'][0]
if image_attrs['RepoDigests']:
image_digest = image_attrs['RepoDigests'][0]
else:
logger.critical("Cannot extract Docker image")
elif args.raw_image:
# for now we assume that the raw image tarball is always
# the product of "docker save", hence it will be in
# the docker style layout
if rootfs.extract_tarfile(args.raw_image, rootfs.get_working_dir()):
image_string = args.raw_image
else:
logger.critical("Cannot extract raw image")
# If the image has been extracted, load the metadata
if image_string:
full_image = report.load_full_image(image_string, image_digest)
# check if the image was loaded successfully
if full_image.origins.is_empty():
# Add an image origin here
full_image.origins.add_notice_origin(
formats.docker_image.format(imagetag=image_string))
# analyze image
analyze(full_image, args)
# report out
report.report_out(args, full_image)
else:
# we cannot load the full image
logger.error('Cannot retrieve full image metadata')
# cleanup
if not args.keep_wd:
prep.clean_image_tars(full_image)
def execute_dockerfile(args): # noqa C901,R0912
'''Execution path if given a dockerfile'''
container.check_docker_setup()
logger.debug('Setting up...')
dfile = ''
dfile_lock = False
if args.name == 'report':
dfile = args.dockerfile
else:
dfile = args.lock
dfile_lock = True
dfobj = dockerfile.get_dockerfile_obj(dfile)
# expand potential ARG values so base image tag is correct
dockerfile.expand_arg(dfobj)
dockerfile.expand_vars(dfobj)
report.setup(dfobj=dfobj)
# attempt to build the image
logger.debug('Building Docker image...')
# placeholder to check if we can analyze the full image
completed = True
build, _ = dhelper.is_build()
if build:
# attempt to get built image metadata
image_tag_string = dhelper.get_dockerfile_image_tag()
full_image = report.load_full_image(image_tag_string)
if full_image.origins.is_empty():
# image loading was successful
# Add an image origin here
full_image.origins.add_notice_origin(
formats.dockerfile_image.format(dockerfile=dfile))
# analyze image
analyze(full_image, args, dfile_lock, dfobj)
else:
# we cannot load the full image
logger.warning('Cannot retrieve full image metadata')
completed = False
# clean up image
container.remove_image(full_image.repotag)
if not args.keep_wd:
report.clean_image_tars(full_image)
else:
# cannot build the image
logger.warning('Cannot build image')
completed = False
# check if we have analyzed the full image or not
if not completed:
# get the base image
logger.debug('Loading base image...')
base_image = report.load_base_image()
if base_image.origins.is_empty():
# image loading was successful
# add a notice stating failure to build image
base_image.origins.add_notice_to_origins(
dfile, Notice(formats.image_build_failure, 'warning'))
# analyze image
analyze(base_image, args, dfile_lock, dfobj)
else:
# we cannot load the base image
logger.warning('Cannot retrieve base image metadata')
stub_image = get_dockerfile_packages()
if args.name == 'report':
if not args.keep_wd:
report.clean_image_tars(base_image)
# generate report based on what images were created
if not dfile_lock:
if completed:
report.report_out(args, full_image)
else:
report.report_out(args, base_image, stub_image)
else:
logger.debug('Parsing Dockerfile to generate report...')
output = dockerfile.create_locked_dockerfile(dfobj)
dockerfile.write_locked_dockerfile(output, args.output_file)
logger.debug('Teardown...')
report.teardown()
if args.name == 'report':
if not args.keep_wd:
report.clean_working_dir()
parser.add_argument('--shell',
default='/bin/sh',
help='The shell executable that the image uses')
parser.add_argument('--package',
default='',
help='A package name that the command needs to '
'execute with. Useful when testing commands in the '
'snippet library')
args = parser.parse_args()
# do initial setup to analyze docker image
container.check_docker_setup()
# set some global variables
rootfs.set_mount_dir()
# try to load the image
image_obj = report.load_full_image(args.image)
if image_obj.origins.is_empty():
# image loading was successful
# proceed mounting diff filesystems
rootfs.set_up()
if len(image_obj.layers) == 1:
# mount only one layer
target = rootfs.mount_base_layer(image_obj.layers[0].tar_file)
else:
target = analyze.mount_overlay_fs(image_obj,
len(image_obj.layers) - 1)
rootfs.prep_rootfs(target)
# invoke commands in chroot
# if we're looking up the snippets library
# we should see 'snippets' in the keys
if 'snippets' in args.keys and 'packages' in args.keys:
def execute_dockerfile(args):
'''Execution path if given a dockerfile'''
container.check_docker_setup()
logger.debug('Setting up...')
report.setup(dockerfile=args.dockerfile)
# attempt to build the image
logger.debug('Building Docker image...')
# placeholder to check if we can analyze the full image
completed = True
build, _ = dhelper.is_build()
if build:
# attempt to get built image metadata
image_tag_string = dhelper.get_dockerfile_image_tag()
full_image = report.load_full_image(image_tag_string)
if full_image.origins.is_empty():
# image loading was successful
# Add an image origin here
full_image.origins.add_notice_origin(
formats.dockerfile_image.format(dockerfile=args.dockerfile))
# analyze image
analyze(full_image, args, True)
else:
# we cannot load the full image
logger.warning('Cannot retrieve full image metadata')
completed = False
# clean up image
container.remove_image(full_image.repotag)
if not args.keep_wd:
report.clean_image_tars(full_image)
else:
# cannot build the image
logger.warning('Cannot build image')
completed = False
# check if we have analyzed the full image or not
if not completed:
# get the base image
logger.debug('Loading base image...')
base_image = report.load_base_image()
if base_image.origins.is_empty():
# image loading was successful
# add a notice stating failure to build image
base_image.origins.add_notice_to_origins(
args.dockerfile, Notice(formats.image_build_failure,
'warning'))
# analyze image
analyze(base_image, args)
else:
# we cannot load the base image
logger.warning('Cannot retrieve base image metadata')
# run through commands in the Dockerfile
logger.debug('Parsing Dockerfile to generate report...')
stub_image = get_dockerfile_packages()
if not args.keep_wd:
report.clean_image_tars(base_image)
# generate report based on what images were created
if completed:
report.report_out(args, full_image)
else:
report.report_out(args, base_image, stub_image)
logger.debug('Teardown...')
report.teardown()
if not args.keep_wd:
report.clean_working_dir(args.bind_mount)
def execute_dockerfile(args): # noqa C901,R0912
'''Execution path if given a dockerfile'''
dfile = ''
dfile_lock = False
if args.name == 'report':
dfile = args.dockerfile
else:
dfile = args.lock
dfile_lock = True
logger.debug("Parsing Dockerfile...")
dfobj = dockerfile.get_dockerfile_obj(dfile)
# expand potential ARG values so base image tag is correct
dockerfile.expand_arg(dfobj)
dockerfile.expand_vars(dfobj)
# Store dockerfile path and commands so we can access it during execution
dhelper.load_docker_commands(dfobj)
# attempt to build the image
logger.debug('Building Docker image...')
image_info = docker_api.build_and_dump(dfile)
if image_info:
# attempt to load the built image metadata
full_image = report.load_full_image(dfile, '')
if full_image.origins.is_empty():
# image loading was successful
# Add an image origin here
full_image.origins.add_notice_origin(
formats.dockerfile_image.format(dockerfile=dfile))
# analyze image
analyze(full_image, args, dfile_lock, dfobj)
completed = True
else:
# we cannot analyze the full image, but maybe we can
# analyze the base image
logger.warning('Cannot retrieve full image metadata')
# clean up image tarballs
if not args.keep_wd:
prep.clean_image_tars(full_image)
else:
# cannot build the image
logger.warning('Cannot build image')
# check if we have analyzed the full image or not
if not completed:
# Try to analyze the base image
logger.debug('Analyzing base image...')
base_image = report.load_base_image()
if base_image.origins.is_empty():
# image loading was successful
# add a notice stating failure to build image
base_image.origins.add_notice_to_origins(
dfile, Notice(
formats.image_build_failure, 'warning'))
# analyze image
analyze(base_image, args, dfile_lock, dfobj)
else:
# we cannot load the base image
logger.warning('Cannot retrieve base image metadata')
stub_image = get_dockerfile_packages()
if args.name == 'report':
if not args.keep_wd:
report.clean_image_tars(base_image)
# generate report based on what images were created
if not dfile_lock:
if completed:
report.report_out(args, full_image)
else:
report.report_out(args, base_image, stub_image)
else:
logger.debug('Parsing Dockerfile to generate report...')
output = dockerfile.create_locked_dockerfile(dfobj)
dockerfile.write_locked_dockerfile(output, args.output_file)
# cleanup
if not args.keep_wd:
prep.clean_image_tars(full_image)
