Merge pull request #90 from GitGuardian/jeremy/2356/scan-docker-with-…
…incomplete-config

fix(docker): handle incomplete docker config
jeremyds authored Jul 13, 2021
2 parents 61a7247 + 98ae6b8 commit 71cc491
Showing 4 changed files with 30 additions and 10 deletions.
6 changes: 3 additions & 3 deletions ggshield/scan/docker.py
Expand Up @@ -102,7 +102,7 @@ def _get_layer_infos(
{
"filename": filename,
"created": info["created"],
"created_by": info["created_by"],
"created_by": info.get("created_by"),
}
for info, filename in zip(
(layer for layer in config["history"] if not layer.get("empty_layer")),
Expand All @@ -117,7 +117,7 @@ def _should_scan_layer(layer_info: Dict) -> bool:
Only COPY and ADD layers should be scanned.
"""
cmd = layer_info["created_by"]
return LAYER_TO_SCAN_PATTERN.search(cmd) is not None
return LAYER_TO_SCAN_PATTERN.search(cmd) is not None if cmd else True


def _get_layers_files(
Expand All @@ -132,7 +132,7 @@ def _get_layers_files(

def _get_layer_files(archive: tarfile.TarFile, layer_info: Dict) -> Iterable[File]:
"""
Extracts File objects to be scanner for given layer.
Extracts File objects to be scanned for given layer.
"""
layer_filename = layer_info["filename"]
layer_archive = tarfile.TarFile(
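Review bot: The docstring of `_should_scan_layer` still states that only COPY and ADD layers are scanned, but the new return line also scans every layer whose `created_by` is None or an empty string, so the documented contract no longer matches the code. Suggest extending the docstring with `Layers whose created_by is missing (incomplete config) are scanned as well, since their origin cannot be determined.` Erring toward scanning when the history is incomplete is the right default for a secret scanner, but the empty-string case deserves a word because `if cmd` folds it together with None. The guard also reads more clearly first: `return True if not cmd else LAYER_TO_SCAN_PATTERN.search(cmd) is not None`.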
Binary file not shown.
16 changes: 11 additions & 5 deletions tests/scan/test_scan_docker.py
Expand Up @@ -12,6 +12,9 @@


DOCKER_EXAMPLE_PATH = Path(__file__).parent.parent / "data" / "docker-example.tar.xz"
DOCKER__INCOMPLETE_MANIFEST_EXAMPLE_PATH = (
Path(__file__).parent.parent / "data" / "docker-incomplete-manifest-example.tar.xz"
)


class ManifestMock:
Expand Down Expand Up @@ -74,16 +77,19 @@ def test_get_config(self, members, match):
with pytest.raises(InvalidDockerArchiveException, match=match):
_get_config(tarfile)

def test_get_files_from_docker_archive(self):
files = get_files_from_docker_archive(DOCKER_EXAMPLE_PATH)
@pytest.mark.parametrize(
"image_path", [DOCKER_EXAMPLE_PATH, DOCKER__INCOMPLETE_MANIFEST_EXAMPLE_PATH]
)
def test_get_files_from_docker_archive(self, image_path: Path):
files = get_files_from_docker_archive(image_path)

expected_files = {
"Dockerfile or build-args": None, # noqa: E501
DOCKER_EXAMPLE_PATH
image_path
/ "64a345482d74ea1c0699988da4b4fe6cda54a2b0ad5da49853a9739f7a7e5bbc/layer.tar/app/file_one": "Hello, I am the first file!\n", # noqa: E501
DOCKER_EXAMPLE_PATH
image_path
/ "2d185b802fb3c2e6458fe1ac98e027488cd6aedff2e3d05eb030029c1f24d60f/layer.tar/app/file_three.sh": "echo Life is beautiful.\n", # noqa: E501
DOCKER_EXAMPLE_PATH
image_path
/ "2d185b802fb3c2e6458fe1ac98e027488cd6aedff2e3d05eb030029c1f24d60f/layer.tar/app/file_two.py": """print("Hi! I'm the second file but I'm happy.")\n""", # noqa: E501
}

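Review bot: `DOCKER__INCOMPLETE_MANIFEST_EXAMPLE_PATH` carries a doubled underscore that looks accidental and breaks the pattern of `DOCKER_EXAMPLE_PATH` right above it; the same name is introduced in tests/test_docker.py. Suggest `DOCKER_INCOMPLETE_MANIFEST_EXAMPLE_PATH` in both files. The parametrized test also depends on the incomplete-manifest archive having exactly the same layer digests and file contents as docker-example.tar.xz, which is presumably true because it is a trimmed copy, but a short comment beside the new constant saying how the fixture was derived would stop a later regeneration from silently invalidating the `expected_files` mapping. A direct unit test such as `assert _should_scan_layer({"created_by": None}) is True` would pin the fixed behavior independently of the fixture, provided `_should_scan_layer` is added to the test module's imports.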
18 changes: 16 additions & 2 deletions tests/test_docker.py
Expand Up @@ -13,6 +13,9 @@


DOCKER_EXAMPLE_PATH = Path(__file__).parent / "data" / "docker-example.tar.xz"
DOCKER__INCOMPLETE_MANIFEST_EXAMPLE_PATH = (
Path(__file__).parent / "data" / "docker-incomplete-manifest-example.tar.xz"
)


class TestDockerPull:
Expand Down Expand Up @@ -137,16 +140,27 @@ def test_docker_scan_failed_to_save(
assert result.exit_code == 1

@patch("ggshield.docker.get_files_from_docker_archive")
@pytest.mark.parametrize(
"image_path", [DOCKER_EXAMPLE_PATH, DOCKER__INCOMPLETE_MANIFEST_EXAMPLE_PATH]
)
def test_docker_scan_archive(
self, get_files_mock: Mock, cli_fs_runner: click.testing.CliRunner
self,
get_files_mock: Mock,
cli_fs_runner: click.testing.CliRunner,
image_path: Path,
):
get_files_mock.return_value = Files(
files=[File(document=_SIMPLE_SECRET, filename="file_secret")]
)
with my_vcr.use_cassette("test_scan_file_secret"):
result = cli_fs_runner.invoke(
cli,
["-v", "scan", "docker-archive", str(DOCKER_EXAMPLE_PATH)],
[
"-v",
"scan",
"docker-archive",
str(image_path),
],
)
get_files_mock.assert_called_once()
assert "1 incident has been found in file file_secret" in result.output
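Review bot: In `test_docker_scan_archive` the parametrization over `image_path` adds no coverage of the fix, because `get_files_from_docker_archive` is patched and returns the same `Files` for both archives; only the CLI plumbing is exercised. Strengthening `get_files_mock.assert_called_once()` to check the forwarded argument, e.g. `args, _ = get_files_mock.call_args` followed by `assert Path(args[0]) == image_path`, would give the second parameter a purpose (whether the CLI hands over a str or a Path is not visible here, hence the `Path(...)` wrap). The end-to-end path with the real archive is covered in tests/scan/test_scan_docker.py, so the duplication here may be intentional, in which case a one-line comment saying so would help. The test body continues outside the hunk.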
