def execute_docker_image(args): '''Execution path if given a Docker image''' logger.debug('Setting up...') image_string = args.docker_image if not args.raw_image: # don't check docker daemon for raw images container.check_docker_setup() else: image_string = args.raw_image report.setup(image_tag_string=image_string) # attempt to get built image metadata full_image = report.load_full_image(image_string) if full_image.origins.is_empty(): # image loading was successful # Add an image origin here full_image.origins.add_notice_origin( formats.docker_image.format(imagetag=image_string)) # analyze image analyze(full_image, args) # generate report report.report_out(args, full_image) else: # we cannot load the full image logger.warning('Cannot retrieve full image metadata') if not args.keep_wd: report.clean_image_tars(full_image) logger.debug('Teardown...') report.teardown() if not args.keep_wd: report.clean_working_dir()
def execute_image(args): """Execution path for container images""" logger.debug('Starting analysis...') image_type, image_string = extract_image(args) # If the image has been extracted, load the metadata if image_type and image_string: full_image = cimage.load_full_image( image_string, image_type, args.load_until_layer) # check if the image was loaded successfully if full_image.origins.is_empty(): # Add an image origin here full_image.origins.add_notice_origin( formats.docker_image.format(imagetag=image_string)) # Set up for analysis setup(full_image) # analyze image cimage.default_analyze(full_image, args) # report out report.report_out(args, full_image) # clean up teardown(full_image) else: # we cannot load the full image logger.error('Cannot retrieve full image metadata') if not args.keep_wd: prep.clean_image_tars(full_image)
def execute_dockerfile(args, locking=False): """Execution path for Dockerfiles""" dfile = '' if locking: dfile = args.lock else: dfile = args.dockerfile image_list = [] logger.debug("Parsing Dockerfile...") dfobj = parse.get_dockerfile_obj(dfile) # expand potential ARG values so base image tag is correct parse.expand_arg(dfobj) parse.expand_vars(dfobj) # Store dockerfile path and commands so we can access it during execution lock.load_docker_commands(dfobj) if dfobj.is_multistage: image_list = analyze_multistage_dockerfile(dfobj, args) else: image_list = analyze_single_dockerfile(dfile, args) # generate report based on what images were created if image_list: if not locking: report.report_out(args, *image_list) else: logger.debug('Generating locked Dockerfile...') # we can only lock one image for now locked_dfobj = lock.lock_dockerfile(dfobj, image_list[0]) output = lock.create_locked_dockerfile(locked_dfobj) lock.write_locked_dockerfile(output, args.output_file)
def execute_docker_image(args): # pylint: disable=too-many-branches '''Execution path if given a Docker image''' logger.debug('Starting analysis...') image_string = '' image_digest = '' if args.docker_image: # extract the docker image image_attrs = docker_api.dump_docker_image(args.docker_image) if image_attrs: if image_attrs['RepoTags']: image_string = image_attrs['RepoTags'][0] if image_attrs['RepoDigests']: image_digest = image_attrs['RepoDigests'][0] else: logger.critical("Cannot extract Docker image") elif args.raw_image: # for now we assume that the raw image tarball is always # the product of "docker save", hence it will be in # the docker style layout if rootfs.extract_tarfile(args.raw_image, rootfs.get_working_dir()): image_string = args.raw_image else: logger.critical("Cannot extract raw image") # If the image has been extracted, load the metadata if image_string: full_image = report.load_full_image(image_string, image_digest) # check if the image was loaded successfully if full_image.origins.is_empty(): # Add an image origin here full_image.origins.add_notice_origin( formats.docker_image.format(imagetag=image_string)) # analyze image analyze(full_image, args) # report out report.report_out(args, full_image) else: # we cannot load the full image logger.error('Cannot retrieve full image metadata') # cleanup if not args.keep_wd: prep.clean_image_tars(full_image)
def execute_dockerfile(args, locking=False): """Execution path for Dockerfiles""" dfile = '' if locking: dfile = args.lock else: dfile = args.dockerfile logger.debug("Parsing Dockerfile...") dfobj = parse.get_dockerfile_obj(dfile) # expand potential ARG values so base image tag is correct parse.expand_arg(dfobj) parse.expand_vars(dfobj) # Store dockerfile path and commands so we can access it during execution lock.load_docker_commands(dfobj) # attempt to build the image logger.debug('Building Docker image...') image_info = docker_api.build_and_dump(dfile) image_list = [] if image_info: logger.debug('Docker image successfully built. Analyzing...') # analyze the full image image_list = full_image_analysis(dfile, args.redo, args.driver, args.keep_wd, args.extend) else: # cannot build the image logger.warning('Cannot build image') # analyze the base image and any RUN lines in the Dockerfile image_list = base_and_run_analysis(dfile, args.redo, args.driver, args.keep_wd, args.extend) # generate report based on what images were created if image_list: if not locking: report.report_out(args, *image_list) else: logger.debug('Generating locked Dockerfile...') # we can only lock based on a fully built image for now locked_dfobj = lock.lock_dockerfile(dfobj, image_list[0]) output = lock.create_locked_dockerfile(locked_dfobj) lock.write_locked_dockerfile(output, args.output_file)
def execute_dockerfile(args): # noqa C901,R0912 '''Execution path if given a dockerfile''' container.check_docker_setup() logger.debug('Setting up...') dfile = '' dfile_lock = False if args.name == 'report': dfile = args.dockerfile else: dfile = args.lock dfile_lock = True dfobj = dockerfile.get_dockerfile_obj(dfile) # expand potential ARG values so base image tag is correct dockerfile.expand_arg(dfobj) dockerfile.expand_vars(dfobj) report.setup(dfobj=dfobj) # attempt to build the image logger.debug('Building Docker image...') # placeholder to check if we can analyze the full image completed = True build, _ = dhelper.is_build() if build: # attempt to get built image metadata image_tag_string = dhelper.get_dockerfile_image_tag() full_image = report.load_full_image(image_tag_string) if full_image.origins.is_empty(): # image loading was successful # Add an image origin here full_image.origins.add_notice_origin( formats.dockerfile_image.format(dockerfile=dfile)) # analyze image analyze(full_image, args, dfile_lock, dfobj) else: # we cannot load the full image logger.warning('Cannot retrieve full image metadata') completed = False # clean up image container.remove_image(full_image.repotag) if not args.keep_wd: report.clean_image_tars(full_image) else: # cannot build the image logger.warning('Cannot build image') completed = False # check if we have analyzed the full image or not if not completed: # get the base image logger.debug('Loading base image...') base_image = report.load_base_image() if base_image.origins.is_empty(): # image loading was successful # add a notice stating failure to build image base_image.origins.add_notice_to_origins( dfile, Notice(formats.image_build_failure, 'warning')) # analyze image analyze(base_image, args, dfile_lock, dfobj) else: # we cannot load the base image logger.warning('Cannot retrieve base image metadata') stub_image = get_dockerfile_packages() if args.name == 'report': if not args.keep_wd: report.clean_image_tars(base_image) # generate report based on what images were created if not dfile_lock: if completed: report.report_out(args, full_image) else: report.report_out(args, base_image, stub_image) else: logger.debug('Parsing Dockerfile to generate report...') output = dockerfile.create_locked_dockerfile(dfobj) dockerfile.write_locked_dockerfile(output, args.output_file) logger.debug('Teardown...') report.teardown() if args.name == 'report': if not args.keep_wd: report.clean_working_dir()
def execute_dockerfile(args): '''Execution path if given a dockerfile''' container.check_docker_setup() logger.debug('Setting up...') report.setup(dockerfile=args.dockerfile) # attempt to build the image logger.debug('Building Docker image...') # placeholder to check if we can analyze the full image completed = True build, _ = dhelper.is_build() if build: # attempt to get built image metadata image_tag_string = dhelper.get_dockerfile_image_tag() full_image = report.load_full_image(image_tag_string) if full_image.origins.is_empty(): # image loading was successful # Add an image origin here full_image.origins.add_notice_origin( formats.dockerfile_image.format(dockerfile=args.dockerfile)) # analyze image analyze(full_image, args, True) else: # we cannot load the full image logger.warning('Cannot retrieve full image metadata') completed = False # clean up image container.remove_image(full_image.repotag) if not args.keep_wd: report.clean_image_tars(full_image) else: # cannot build the image logger.warning('Cannot build image') completed = False # check if we have analyzed the full image or not if not completed: # get the base image logger.debug('Loading base image...') base_image = report.load_base_image() if base_image.origins.is_empty(): # image loading was successful # add a notice stating failure to build image base_image.origins.add_notice_to_origins( args.dockerfile, Notice(formats.image_build_failure, 'warning')) # analyze image analyze(base_image, args) else: # we cannot load the base image logger.warning('Cannot retrieve base image metadata') # run through commands in the Dockerfile logger.debug('Parsing Dockerfile to generate report...') stub_image = get_dockerfile_packages() if not args.keep_wd: report.clean_image_tars(base_image) # generate report based on what images were created if completed: report.report_out(args, full_image) else: report.report_out(args, base_image, stub_image) logger.debug('Teardown...') report.teardown() if not args.keep_wd: report.clean_working_dir(args.bind_mount)
def execute_dockerfile(args): # noqa C901,R0912 '''Execution path if given a dockerfile''' dfile = '' dfile_lock = False if args.name == 'report': dfile = args.dockerfile else: dfile = args.lock dfile_lock = True logger.debug("Parsing Dockerfile...") dfobj = dockerfile.get_dockerfile_obj(dfile) # expand potential ARG values so base image tag is correct dockerfile.expand_arg(dfobj) dockerfile.expand_vars(dfobj) # Store dockerfile path and commands so we can access it during execution dhelper.load_docker_commands(dfobj) # attempt to build the image logger.debug('Building Docker image...') image_info = docker_api.build_and_dump(dfile) if image_info: # attempt to load the built image metadata full_image = report.load_full_image(dfile, '') if full_image.origins.is_empty(): # image loading was successful # Add an image origin here full_image.origins.add_notice_origin( formats.dockerfile_image.format(dockerfile=dfile)) # analyze image analyze(full_image, args, dfile_lock, dfobj) completed = True else: # we cannot analyze the full image, but maybe we can # analyze the base image logger.warning('Cannot retrieve full image metadata') # clean up image tarballs if not args.keep_wd: prep.clean_image_tars(full_image) else: # cannot build the image logger.warning('Cannot build image') # check if we have analyzed the full image or not if not completed: # Try to analyze the base image logger.debug('Analyzing base image...') base_image = report.load_base_image() if base_image.origins.is_empty(): # image loading was successful # add a notice stating failure to build image base_image.origins.add_notice_to_origins( dfile, Notice( formats.image_build_failure, 'warning')) # analyze image analyze(base_image, args, dfile_lock, dfobj) else: # we cannot load the base image logger.warning('Cannot retrieve base image metadata') stub_image = get_dockerfile_packages() if args.name == 'report': if not args.keep_wd: report.clean_image_tars(base_image) # generate report based on what images were created if not dfile_lock: if completed: report.report_out(args, full_image) else: report.report_out(args, base_image, stub_image) else: logger.debug('Parsing Dockerfile to generate report...') output = dockerfile.create_locked_dockerfile(dfobj) dockerfile.write_locked_dockerfile(output, args.output_file) # cleanup if not args.keep_wd: prep.clean_image_tars(full_image)