@cyclonedx/cdxgen 12.2.0 → 12.3.0

package/lib/managers/binary.js

@@ -2,6 +2,7 @@ import {
   lstatSync,
   mkdtempSync,
   readFileSync,
+  realpathSync,
   rmSync,
   statSync,
 } from "node:fs";
@@ -18,6 +19,8 @@ import process from "node:process";
 
 import { PackageURL } from "packageurl-js";
 
+import { createContainerRiskProperties } from "../helpers/containerRisk.js";
+import { createGtfoBinsProperties } from "../helpers/gtfobins.js";
 import {
   adjustLicenseInformation,
   collectExecutables,
@@ -454,7 +457,7 @@ export async function getOSPackages(src, imageConfig) {
   const bundledSdks = new Set();
   const bundledRuntimes = new Set();
   let binPaths = extractPathEnv(imageConfig?.Env);
-  if (!binPaths?.length && DEBUG_MODE) {
+  if (!binPaths?.length) {
     const rootBinPaths = getDirs(src, "{sbin,bin}", true, false);
     const usrBinPaths = getDirs(
       src,
@@ -462,10 +465,19 @@ export async function getOSPackages(src, imageConfig) {
       true,
       true,
     );
-    binPaths = binPaths
-      .concat(rootBinPaths)
-      .concat(usrBinPaths)
-      .map((f) => relative(src, f));
+    binPaths = Array.from(
+      new Set(
+        rootBinPaths
+          .concat(usrBinPaths)
+          .map((f) => relative(src, f))
+          .filter(Boolean),
+      ),
+    ).sort();
+    if (DEBUG_MODE && binPaths.length) {
+      console.log(
+        `Falling back to inferred binary paths for ${src}: ${binPaths.join(", ")}`,
+      );
+    }
   }
   if (TRIVY_BIN) {
     let imageType = "image";
@@ -1173,6 +1185,16 @@ async function fileComponents(basePath, fileList, fileType) {
       f = `/${f}`;
     }
     const name = basename(f);
+    let linkedName;
+    try {
+      const resolvedPath = realpathSync(join(basePath, f.replace(/^\/+/, "")));
+      const linkStats = lstatSync(join(basePath, f.replace(/^\/+/, "")));
+      if (linkStats?.isSymbolicLink()) {
+        linkedName = basename(resolvedPath);
+      }
+    } catch (_e) {
+      // ignore
+    }
     const purl = `pkg:generic/${name}`;
     let isExecutable;
     let isSetuid;
@@ -1206,6 +1228,8 @@ async function fileComponents(basePath, fileList, fileType) {
     if (isSticky) {
       properties.push({ name: "internal:has_sticky", value: "true" });
     }
+    properties.push(...createContainerRiskProperties(name, linkedName));
+    properties.push(...createGtfoBinsProperties(name, linkedName));
     components.push({
       name,
       type: "file",

package/lib/managers/docker.js

@@ -6,6 +6,7 @@ import {
   readdirSync,
   readFileSync,
   rmSync,
+  writeFileSync,
 } from "node:fs";
 import { platform as _platform, userInfo as _userInfo, homedir } from "node:os";
 import { basename, join, resolve, win32 } from "node:path";
@@ -616,9 +617,21 @@ export const parseImageName = (fullImageName) => {
  *
  * @returns boolean true if we should use the cli. false otherwise
  */
+const getContainerCliCmd = () => {
+  if (process.env.DOCKER_CMD?.trim()) {
+    return process.env.DOCKER_CMD.trim();
+  }
+  detectRancherDesktop() || detectColima();
+  if (isNerdctl) {
+    return "nerdctl";
+  }
+  return "docker";
+};
+
 const needsCliFallback = () => {
   if (
     ["true", "1"].includes(process.env.DOCKER_USE_CLI) ||
+    process.env.DOCKER_CMD?.trim() ||
     (_platform() === "darwin" && (detectRancherDesktop() || detectColima()))
   ) {
     return true;
@@ -646,20 +659,14 @@ export const getImage = async (fullImageName) => {
   if (tag === "" && digest === "") {
     fullImageName = `${fullImageName}:latest`;
   }
-  if (isContainerd) {
+  if (isContainerd && !needsCliFallback()) {
     console.log(
       "containerd/nerdctl is currently unsupported. Export the image manually and run cdxgen against the tar image.",
     );
     return undefined;
   }
   if (needsCliFallback()) {
-    let dockerCmd = process.env.DOCKER_CMD || "docker";
-    if (!process.env.DOCKER_CMD) {
-      detectRancherDesktop() || detectColima();
-      if (isNerdctl) {
-        dockerCmd = "nerdctl";
-      }
-    }
+    const dockerCmd = getContainerCliCmd();
     let needsPull = true;
     // Let's check the local cache first
     let result = safeSpawnSync(dockerCmd, ["images", "--format=json"]);
@@ -697,19 +704,21 @@ export const getImage = async (fullImageName) => {
       if (result.stderr) {
         console.log(result.stderr);
       }
-      return localData;
-    }
-    try {
-      const stdout = result.stdout;
-      if (stdout) {
-        const inspectData = JSON.parse(Buffer.from(stdout).toString());
-        if (inspectData && Array.isArray(inspectData)) {
-          return inspectData[0];
+      // Continue with the daemon client when the CLI fallback is unavailable
+      // or unable to inspect the image.
+    } else {
+      try {
+        const stdout = result.stdout;
+        if (stdout) {
+          const inspectData = JSON.parse(Buffer.from(stdout).toString());
+          if (inspectData && Array.isArray(inspectData)) {
+            return inspectData[0];
+          }
+          return inspectData;
         }
-        return inspectData;
+      } catch (_err) {
+        // continue regardless of error
       }
-    } catch (_err) {
-      // continue regardless of error
     }
   }
   try {
@@ -1017,6 +1026,101 @@ export const extractTar = async (fullImageName, dir, options) => {
   }
 };
 
+const readArchiveJson = (jsonFile) => {
+  if (!jsonFile || !safeExistsSync(jsonFile)) {
+    return undefined;
+  }
+  return JSON.parse(
+    readFileSync(jsonFile, {
+      encoding: "utf-8",
+    }),
+  );
+};
+
+const tryReadArchiveJson = (jsonFile) => {
+  try {
+    return readArchiveJson(jsonFile);
+  } catch (_err) {
+    return undefined;
+  }
+};
+
+const digestToBlobPath = (digest) => {
+  if (!digest?.startsWith("sha256:")) {
+    return undefined;
+  }
+  return join("blobs", "sha256", digest.replace("sha256:", ""));
+};
+
+const archiveBlobPath = (tempDir, digest) => {
+  const blobPath = digestToBlobPath(digest);
+  return blobPath ? join(tempDir, blobPath) : undefined;
+};
+
+const toManifestEntry = (manifestBlob) => {
+  const configBlob = digestToBlobPath(manifestBlob?.config?.digest);
+  const layers =
+    manifestBlob?.layers
+      ?.map((layer) => digestToBlobPath(layer?.digest))
+      .filter(Boolean) || [];
+  if (!configBlob && !layers.length) {
+    return undefined;
+  }
+  return {
+    Config: configBlob,
+    Layers: layers,
+  };
+};
+
+const resolveArchiveManifest = (manifestData, tempDir) => {
+  if (Array.isArray(manifestData)) {
+    return manifestData;
+  }
+  if (!manifestData || typeof manifestData !== "object") {
+    return [];
+  }
+  if (Array.isArray(manifestData.manifests)) {
+    const resolvedManifests = manifestData.manifests
+      .map((manifestEntry) => {
+        if (manifestEntry?.Layers?.length || manifestEntry?.Config) {
+          return manifestEntry;
+        }
+        const manifestBlob = tryReadArchiveJson(
+          archiveBlobPath(tempDir, manifestEntry?.digest),
+        );
+        const resolvedEntry = toManifestEntry(manifestBlob);
+        return resolvedEntry
+          ? {
+              ...manifestEntry,
+              ...resolvedEntry,
+            }
+          : manifestEntry;
+      })
+      .filter(Boolean);
+    return resolvedManifests.length
+      ? resolvedManifests
+      : manifestData.manifests;
+  }
+  const manifestEntry = toManifestEntry(manifestData);
+  return manifestEntry ? [manifestEntry] : [];
+};
+
+const discoverManifestFromBlobs = (tempDir) => {
+  const blobsDir = join(tempDir, "blobs", "sha256");
+  if (!safeExistsSync(blobsDir)) {
+    return undefined;
+  }
+  const blobFiles = readdirSync(blobsDir);
+  for (const blobFile of blobFiles) {
+    const manifestBlob = tryReadArchiveJson(join(blobsDir, blobFile));
+    const manifestEntry = toManifestEntry(manifestBlob);
+    if (manifestEntry?.Layers?.length || manifestEntry?.Config) {
+      return [manifestEntry];
+    }
+  }
+  return undefined;
+};
+
 /**
  * Method to export a container image archive.
  * Returns the location of the layers with additional packages related metadata
@@ -1032,10 +1136,46 @@ export const exportArchive = async (fullImageName, options = {}) => {
   const blobsDir = join(tempDir, "blobs", "sha256");
   safeMkdirSync(allLayersExplodedDir);
   const manifestFile = join(tempDir, "manifest.json");
+  const manifestIndexFile = join(tempDir, "index.json");
+  const synthesizedManifestFile = join(tempDir, "synthetic-manifest.json");
   try {
     await extractTar(fullImageName, tempDir, options);
+    if (safeExistsSync(manifestFile)) {
+      // docker archive manifest file
+      return await extractFromManifest(
+        manifestFile,
+        {},
+        tempDir,
+        allLayersExplodedDir,
+        options,
+      );
+    }
+    if (safeExistsSync(manifestIndexFile)) {
+      return await extractFromManifest(
+        manifestIndexFile,
+        {},
+        tempDir,
+        allLayersExplodedDir,
+        options,
+      );
+    }
     // podman use blobs dir
     if (safeExistsSync(blobsDir)) {
+      const discoveredManifest = discoverManifestFromBlobs(tempDir);
+      if (discoveredManifest?.length) {
+        writeFileSync(
+          synthesizedManifestFile,
+          JSON.stringify(discoveredManifest),
+          "utf-8",
+        );
+        return await extractFromManifest(
+          synthesizedManifestFile,
+          {},
+          tempDir,
+          allLayersExplodedDir,
+          options,
+        );
+      }
       if (DEBUG_MODE) {
         console.log(
           `Image archive ${fullImageName} successfully exported to directory ${tempDir}`,
@@ -1061,16 +1201,6 @@ export const exportArchive = async (fullImageName, options = {}) => {
       exportData.pkgPathList = getPkgPathList(exportData, lastWorkingDir);
       return exportData;
     }
-    if (safeExistsSync(manifestFile)) {
-      // docker manifest file
-      return await extractFromManifest(
-        manifestFile,
-        {},
-        tempDir,
-        allLayersExplodedDir,
-        options,
-      );
-    }
     console.log(`Unable to extract image archive to ${tempDir}`);
     options.failOnError && process.exit(1);
   } catch (_err) {
@@ -1105,28 +1235,23 @@ export const extractFromManifest = async (
   // Example of manifests
   // [{"Config":"blobs/sha256/dedc100afa8d6718f5ac537730dd4a5ceea3563e695c90f1a8ac6df32c4cb291","RepoTags":["shiftleft/core:latest"],"Layers":["blobs/sha256/eaead16dc43bb8811d4ff450935d607f9ba4baffda4fc110cc402fa43f601d83","blobs/sha256/2039af03c0e17a3025b989335e9414149577fa09e7d0dcbee80155333639d11f"]}]
   // {"schemaVersion":2,"manifests":[{"mediaType":"application/vnd.docker.distribution.manifest.list.v2+json","digest":"sha256:7706ac20c7587081dc7a00e0ec65a6633b0bb3788e0048a3e971d3eae492db63","size":318,"annotations":{"io.containerd.image.name":"docker.io/shiftleft/scan-slim:latest","org.opencontainers.image.ref.name":"latest"}}]}
-  let manifest = JSON.parse(
-    readFileSync(manifestFile, {
-      encoding: "utf-8",
-    }),
-  );
+  let manifest = readArchiveJson(manifestFile);
   let lastLayerConfig = {};
   let lastLayerConfigFile = "";
+  let selectedManifest;
   let lastWorkingDir = "";
-  // Extract the manifest for the new containerd syntax
-  if (Object.keys(manifest).length !== 0 && manifest.manifests) {
-    manifest = manifest.manifests;
-  }
+  manifest = resolveArchiveManifest(manifest, tempDir);
   if (Array.isArray(manifest)) {
+    selectedManifest = manifest[manifest.length - 1];
     if (manifest.length !== 1) {
       if (DEBUG_MODE) {
         console.log(
           "Multiple image tags was downloaded. Only the last one would be used",
         );
-        console.log(manifest[manifest.length - 1]);
+        console.log(selectedManifest);
       }
     }
-    const layers = manifest[manifest.length - 1]["Layers"] || [];
+    const layers = selectedManifest?.Layers || [];
     if (!layers.length && safeExistsSync(tempDir)) {
       const blobFiles = readdirSync(join(tempDir, "blobs", "sha256"));
       if (blobFiles?.length) {
@@ -1164,10 +1289,10 @@ export const extractFromManifest = async (
         }
       }
     }
-    if (manifest.Config) {
-      lastLayerConfigFile = join(tempDir, manifest.Config);
+    if (selectedManifest?.Config) {
+      lastLayerConfigFile = join(tempDir, selectedManifest.Config);
     }
-    if (lastLayer.includes("layer.tar")) {
+    if (!lastLayerConfigFile && lastLayer?.includes("layer.tar")) {
       lastLayerConfigFile = join(
         tempDir,
         lastLayer.replace("layer.tar", "json"),
@@ -1188,9 +1313,17 @@ export const extractFromManifest = async (
       }
     }
   }
-  const binPaths = extractPathEnv(localData?.Config?.Env);
+  const inspectData = localData?.Config
+    ? localData
+    : lastLayerConfig?.config
+      ? {
+          ...localData,
+          Config: lastLayerConfig.config,
+        }
+      : localData;
+  const binPaths = extractPathEnv(inspectData?.Config?.Env);
   const exportData = {
-    inspectData: localData,
+    inspectData,
     manifest,
     allLayersDir: tempDir,
     allLayersExplodedDir,
@@ -1233,13 +1366,7 @@ export const exportImage = async (fullImageName, options) => {
   // On Windows or on mac with Rancher Desktop, fallback to invoking cli
   if (needsCliFallback()) {
     const imageTarFile = join(tempDir, "image.tar");
-    let dockerCmd = process.env.DOCKER_CMD || "docker";
-    if (!process.env.DOCKER_CMD) {
-      detectRancherDesktop() || detectColima();
-      if (isNerdctl) {
-        dockerCmd = "nerdctl";
-      }
-    }
+    const dockerCmd = getContainerCliCmd();
     console.log(
       `About to export image ${fullImageName} to ${imageTarFile} using ${dockerCmd} cli`,
     );