Sync with origin/lint_python 8e54c3c5ba101c4bc25092d890157641e75a3787

.github/workflows/dev_release.yaml

@@ -91,18 +91,6 @@ jobs:
         with:
           go-version-file: go.mod
 
-      - name: Set up Python 3.x
-        uses: actions/setup-python@v4
-        with:
-            python-version: '3.9'
-
-      - name: Set up Python scripts
-        run: |
-          # set up python requirements and scripts on PR branch
-          python3 -m venv ve1
-          cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
-          cd scripts && ../ve1/bin/python3 setup.py install && cd ..
-
       - name: Build container images
         id: build_container_images
         run: |
@@ -115,7 +103,7 @@ jobs:
         with:
           image: my-chart-verifier
           tags: |
-            $DEV_RELEASE
+            ${{ env.DEV_RELEASE }}
           registry: quay.io/mgoerens
           username: ${{ secrets.QUAY_BOT_USERNAME }}
           password: ${{ secrets.QUAY_BOT_TOKEN }}

Makefile

@@ -51,7 +51,7 @@ bin_win:
 
 .PHONY: test
 test:
-	go test -v ./...
+	go test -v -coverprofile=coverage.out ./...
 
 # Build the container image. Usage: make build-image IMAGE_TAG=my_tag
 # If IMAGE_TAG is not provided, use the COMMIT_ID

internal/chartverifier/checks/checks.go

@@ -341,7 +341,9 @@ func SignatureIsValid(opts *CheckOptions) (Result, error) {
 		resp, err := http.Get(provFile)
 		if err != nil {
 			return NewResult(false, fmt.Sprintf("%s : get error was %v", SignatureFailure, err)), nil
-		} else if resp.StatusCode == 404 {
+		}
+
+		if resp.StatusCode == 404 {
 			return NewSkippedResult(fmt.Sprintf("%s : %s", ChartNotSigned, SignatureIsNotPresentSuccess)), nil
 		} else if resp.StatusCode != 200 {
 			return NewResult(false, fmt.Sprintf("%s. get prov file response code was %d", SignatureFailure, resp.StatusCode)), nil
@@ -467,12 +469,8 @@ func getOCPRange(kubeVersionRange string) (string, error) {
 }
 
 func downloadFile(fileURL *url.URL, directory string) (string, error) {
-	urlPath := fileURL.Path
-	segments := strings.Split(urlPath, "/")
-	fileName := segments[len(segments)-1]
-
 	// Create blank file
-	filePath := path.Join(directory, fileName)
+	filePath := path.Join(directory, path.Base(fileURL.Path))
 	// #nosec G304
 	file, err := os.Create(filePath)
 	if err != nil {
@@ -514,23 +512,29 @@ func certifyImages(r Result, opts *CheckOptions, registry string) Result {
 	}
 
 	images, err := getImageReferences(opts.URI, opts.Values, kubeVersion)
-
 	if err != nil {
 		r.SetResult(false, fmt.Sprintf("%s : Failed to get images, error running helm template : %v", ImageCertifyFailed, err))
-	} else if len(images) == 0 {
+	}
+
+	if len(images) == 0 {
 		r.SetResult(true, NoImagesToCertify)
 	} else {
 		for _, image := range images {
-			err = nil
-			imageRef := parseImageReference(image)
+			// skip to evaluate next image, if current image is an empty string
+			if strings.Trim(image, " ") == "" {
+				r.AddResult(false, "ImageCertify() = empty image found")
+				continue
+			}
 
+			imageRef := parseImageReference(image)
 			if len(imageRef.Registries) == 0 {
 				imageRef.Registries, err = pyxis.GetImageRegistries(imageRef.Repository)
+				if err != nil {
+					r.AddResult(false, fmt.Sprintf("%s : %s : %v", ImageNotCertified, image, err))
+				}
 			}
 
-			if err != nil {
-				r.AddResult(false, fmt.Sprintf("%s : %s : %v", ImageNotCertified, image, err))
-			} else if len(imageRef.Registries) == 0 {
+			if len(imageRef.Registries) == 0 {
 				r.AddResult(false, fmt.Sprintf("%s : %s", ImageNotCertified, image))
 			} else {
 				certified, checkImageErr := pyxis.IsImageInRegistry(imageRef)

internal/chartverifier/checks/checks_test.go

@@ -367,43 +367,92 @@ func TestHelmLint(t *testing.T) {
 }
 
 func TestImageCertify(t *testing.T) {
-	checkImages(t, ImagesAreCertified, false)
-
-	checkImages(t, ImagesAreCertified_V1_1, true)
+	checkImages(t)
 }
 
-func checkImages(t *testing.T, fn func(*CheckOptions) (Result, error), version1_1 bool) {
-	type testCase struct {
+func checkImages(t *testing.T) {
+	tests := []struct {
 		description string
 		uri         string
+		fn          CheckFunc
 		numErrors   int
 		numPasses   int
 		numSkips    int
+	}{
+		{
+			description: "chart-0.1.0-v3.valid.tgz check images passes",
+			uri:         "chart-0.1.0-v3.valid.tgz",
+			fn:          ImagesAreCertified,
+			numErrors:   0,
+			numPasses:   5,
+		},
+		{
+			description: "Helm check images fails",
+			uri:         "chart-0.1.0-v3.with-crd.tgz",
+			fn:          ImagesAreCertified,
+			numErrors:   4,
+			numPasses:   0,
+		},
+		{
+			description: "Helm check images fails",
+			uri:         "chart-0.1.0-v3.with-csi.tgz",
+			fn:          ImagesAreCertified,
+			numErrors:   2,
+			numPasses:   0,
+		},
+		{
+			description: "chart-0.1.0-v3.valid.tgz check images passes",
+			uri:         "chart-0.1.0-v3.valid.tgz",
+			fn:          ImagesAreCertified_V1_1,
+			numErrors:   0,
+			numPasses:   5,
+			numSkips:    0,
+		},
+		{
+			description: "chart-0.1.0-v3.valid-skipped-images.tgz check images passes",
+			uri:         "chart-0.1.0-v3.valid-skipped-images.tgz",
+			fn:          ImagesAreCertified_V1_1,
+			numErrors:   0,
+			numPasses:   3,
+			numSkips:    2,
+		},
+		{
+			description: "chart-0.1.0-v3.failed-skipped-images.tgz check images passes",
+			uri:         "chart-0.1.0-v3.failed-skipped-images.tgz",
+			fn:          ImagesAreCertified_V1_1,
+			numErrors:   1,
+			numPasses:   0,
+			numSkips:    4,
+		},
+		{
+			description: "chart-0.1.0-v3.skipped-images.tgz check images passes",
+			uri:         "chart-0.1.0-v3.skipped-images.tgz",
+			fn:          ImagesAreCertified_V1_1,
+			numErrors:   0,
+			numPasses:   0,
+			numSkips:    5,
+		},
+		{
+			description: "Helm check images fails",
+			uri:         "chart-0.1.0-v3.with-crd.tgz",
+			fn:          ImagesAreCertified_V1_1,
+			numErrors:   4,
+			numPasses:   0,
+			numSkips:    0,
+		},
+		{
+			description: "Helm check images fails",
+			uri:         "chart-0.1.0-v3.with-csi.tgz",
+			fn:          ImagesAreCertified_V1_1,
+			numErrors:   2,
+			numPasses:   0,
+			numSkips:    0,
+		},
 	}
 
-	var testCases []testCase
-
-	if !version1_1 {
-		testCases = []testCase{
-			{description: "chart-0.1.0-v3.valid.tgz check images passes", uri: "chart-0.1.0-v3.valid.tgz", numErrors: 0, numPasses: 5},
-			{description: "Helm check images fails", uri: "chart-0.1.0-v3.with-crd.tgz", numErrors: 2, numPasses: 0},
-			{description: "Helm check images fails", uri: "chart-0.1.0-v3.with-csi.tgz", numErrors: 1, numPasses: 0},
-		}
-	} else {
-		testCases = []testCase{
-			{description: "chart-0.1.0-v3.valid.tgz check images passes", uri: "chart-0.1.0-v3.valid.tgz", numErrors: 0, numPasses: 5, numSkips: 0},
-			{description: "chart-0.1.0-v3.valid-skipped-images.tgz check images passes", uri: "chart-0.1.0-v3.valid-skipped-images.tgz", numErrors: 0, numPasses: 3, numSkips: 2},
-			{description: "chart-0.1.0-v3.failed-skipped-images.tgz check images passes", uri: "chart-0.1.0-v3.failed-skipped-images.tgz", numErrors: 1, numPasses: 0, numSkips: 4},
-			{description: "chart-0.1.0-v3.skipped-images.tgz check images passes", uri: "chart-0.1.0-v3.skipped-images.tgz", numErrors: 0, numPasses: 0, numSkips: 5},
-			{description: "Helm check images fails", uri: "chart-0.1.0-v3.with-crd.tgz", numErrors: 2, numPasses: 0, numSkips: 0},
-			{description: "Helm check images fails", uri: "chart-0.1.0-v3.with-csi.tgz", numErrors: 1, numPasses: 0, numSkips: 0},
-		}
-	}
-
-	for _, tc := range testCases {
+	for _, tc := range tests {
 		t.Run(tc.description, func(t *testing.T) {
-			config := viper.New()
-			r, err := fn(&CheckOptions{URI: tc.uri, ViperConfig: config, HelmEnvSettings: cli.New()})
+			r, err := tc.fn(&CheckOptions{URI: tc.uri, ViperConfig: viper.New(), HelmEnvSettings: cli.New()})
 			require.NoError(t, err)
 			require.NotNil(t, r)
 			if tc.numErrors == 0 {
@@ -594,11 +643,13 @@ func TestSignatureIsValid(t *testing.T) {
 		},
 	}
 
+	config := viper.New()
+	var base64Key string
+	var encodeErr error
+
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			config := viper.New()
-			base64Key := ""
-			var encodeErr error
+			base64Key = ""
 			if len(tc.keyFile) > 0 {
 				base64Key, encodeErr = tool.GetEncodedKey(tc.keyFile)
 				require.NoError(t, encodeErr)

internal/chartverifier/checks/helm.go

@@ -17,7 +17,6 @@
 package checks
 
 import (
-	"bufio"
 	"fmt"
 	"io"
 	"net/http"
@@ -28,8 +27,6 @@ import (
 	"regexp"
 	"strings"
 
-	"gopkg.in/yaml.v3"
-
 	"helm.sh/helm/v3/pkg/chartutil"
 
 	"helm.sh/helm/v3/pkg/chart"
@@ -224,49 +221,28 @@ func getImageReferences(chartURI string, vals map[string]interface{}, kubeVersio
 	return getImagesFromContent(txt)
 }
 
+// getImagesFromContent evaluates generated templates from
+// helm and extracts images which are returned in a slice
 func getImagesFromContent(content string) ([]string, error) {
-	imagesMap := make(map[string]bool)
-
-	type ImageRef struct {
-		Ref string `yaml:"image"`
+	re, err := regexp.Compile(`\s+image\:\s+(?P<image>.*)\n`)
+	if err != nil {
+		return nil, fmt.Errorf("error getting images; %v", err)
 	}
-
-	r := strings.NewReader(content)
-	reader := bufio.NewReader(r)
-	line, err := getNextLine(reader)
-	for err == nil {
-		var imageRef ImageRef
-		yamlErr := yaml.Unmarshal([]byte(line), &imageRef)
-		if yamlErr == nil {
-			if len(imageRef.Ref) > 0 && !imagesMap[imageRef.Ref] {
-				imagesMap[imageRef.Ref] = true
-			}
-		}
-		line, err = getNextLine(reader)
-		if err == io.EOF {
-			err = nil
-			break
-		}
+	matches := re.FindAllStringSubmatch(content, -1)
+	imageMap := make(map[string]struct{})
+	for _, match := range matches {
+		image := strings.TrimSpace(match[re.SubexpIndex("image")])
+		image = strings.Trim(image, "\"")
+		image = strings.Trim(image, "'")
+		imageMap[image] = struct{}{}
 	}
 
-	images := make([]string, 0, len(imagesMap))
-	for image := range imagesMap {
-		images = append(images, image)
+	var images []string
+	for k := range imageMap {
+		images = append(images, k)
 	}
 
-	return images, err
-}
-
-func getNextLine(reader *bufio.Reader) (string, error) {
-	nextLine, isPrefix, err := reader.ReadLine()
-	if isPrefix && err == nil {
-		for isPrefix && err == nil {
-			var partLine []byte
-			partLine, isPrefix, err = reader.ReadLine()
-			nextLine = append(nextLine, partLine...)
-		}
-	}
-	return string(nextLine), err
+	return images, nil
 }
 
 func getCacheDir(opts *CheckOptions) string {

internal/chartverifier/checks/helm_test.go

@@ -19,6 +19,7 @@ package checks
 import (
 	"context"
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/spf13/viper"
@@ -188,3 +189,41 @@ func TestLongLineTemplate(t *testing.T) {
 	require.Contains(t, images, "1.1.1/cv-test/image1:tag-123")
 	require.Contains(t, images, "1.1.2/cv-test/image2:tag-223")
 }
+
+func TestGetImagesFromContent(t *testing.T) {
+	test := struct {
+		name    string
+		content string
+		want    []string
+	}{
+		name: "find images in yaml",
+		content: `
+	image: "registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-161"
+	image: 'busybox'
+	image:  "  "
+	image: registry.redhat.io/cpopen/ibmcloud-object-storage-driver@sha256:fc17bb3e89d00b3eb0f50b3ea83aa75c52e43d8e56cf2e0f17475e934eeeeb5f
+`,
+		want: []string{
+			"registry.access.redhat.com/rhscl/postgresql-10-rhel7:1-161",
+			"busybox",
+			"",
+			"registry.redhat.io/cpopen/ibmcloud-object-storage-driver@sha256:fc17bb3e89d00b3eb0f50b3ea83aa75c52e43d8e56cf2e0f17475e934eeeeb5f",
+		},
+	}
+
+	t.Run(test.name, func(t *testing.T) {
+		got, err := getImagesFromContent(test.content)
+		require.Nil(t, err)
+		if testing.Verbose() {
+			t.Logf("got %d images", len(got))
+		}
+		if len(got) != len(test.want) {
+			t.Errorf("got %d images but, want %d", len(got), len(test.want))
+		}
+		for _, image := range got {
+			if strings.TrimSpace(image) == "" {
+				t.Logf("Found empty image")
+			}
+		}
+	})
+}