npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.1 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/README.md +69 -25
package/bin/audit.js +21 -7
package/bin/cdxgen.js +270 -127
package/bin/convert.js +34 -15
package/bin/hbom.js +495 -0
package/bin/repl.js +592 -37
package/bin/validate.js +31 -4
package/bin/verify.js +18 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/cyclonedx-2.0-bundled.schema.json +7182 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +210 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +527 -99
package/lib/cli/index.poku.js +1469 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/bomUtils.js +155 -1
package/lib/helpers/bomUtils.poku.js +79 -1
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +350 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +209 -45
package/lib/helpers/protobom.poku.js +183 -5
package/lib/helpers/protobomLoader.js +43 -0
package/lib/helpers/protobomLoader.poku.js +31 -0
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +4 -28
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +406 -8
package/lib/stages/postgen/postgen.poku.js +484 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/lib/validator/bomValidator.js +90 -38
package/lib/validator/bomValidator.poku.js +90 -0
package/lib/validator/complianceRules.js +4 -2
package/lib/validator/index.poku.js +14 -0
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts +1 -1
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/bomUtils.d.ts +10 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +76 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +5 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/protobomLoader.d.ts +17 -0
package/types/lib/helpers/protobomLoader.d.ts.map +1 -0
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/node.d.ts +23 -0
package/types/lib/third-party/arborist/lib/node.d.ts.map +1 -1
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/managers/docker.js CHANGED Viewed

@@ -20,8 +20,12 @@ import {
   getAllFiles,
   getTmpDir,
   isDryRun,
+  readEnvironmentVariable,
   recordActivity,
+  recordDecisionActivity,
+  recordSensitiveFileRead,
   safeExistsSync,
+  safeExtractArchive,
   safeMkdirSync,
   safeMkdtempSync,
   safeRmSync,
@@ -404,8 +408,34 @@ const REQUEST_TIMEOUT_SECS = 60000;
  */
 const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
   let authTokenSet = false;
+  const credentialSourceEvaluations = [];
+  let selectedCredentialSource;
+  const noteCredentialSource = (source, outcome, detail = undefined) => {
+    credentialSourceEvaluations.push({
+      detail,
+      outcome,
+      source,
+    });
+    if (outcome === "selected") {
+      selectedCredentialSource = source;
+    }
+  };
+  const dockerServerAddress = readEnvironmentVariable("DOCKER_SERVER_ADDRESS");
+  const dockerConfig = readEnvironmentVariable("DOCKER_CONFIG");
+  const dockerAuthConfig = readEnvironmentVariable("DOCKER_AUTH_CONFIG", {
+    sensitive: true,
+  });
+  const dockerUser = readEnvironmentVariable("DOCKER_USER", {
+    sensitive: true,
+  });
+  const dockerPassword = readEnvironmentVariable("DOCKER_PASSWORD", {
+    sensitive: true,
+  });
+  const dockerEmail = readEnvironmentVariable("DOCKER_EMAIL", {
+    sensitive: true,
+  });
   if (!forRegistry) {
-    forRegistry = process.env.DOCKER_SERVER_ADDRESS ?? DOCKER_HUB_REGISTRY;
+    forRegistry = dockerServerAddress ?? DOCKER_HUB_REGISTRY;
   }
   requestedRegistryRef = resolveRequestedRegistryRef(
     forRegistry,
@@ -413,6 +443,11 @@ const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
   );
   const normalizedForRegistry =
     parseRegistryReference(forRegistry)?.authority ?? forRegistry;
+  const authDecisionTarget =
+    requestedRegistryRef ||
+    normalizedForRegistry ||
+    forRegistry ||
+    DOCKER_HUB_REGISTRY;
   const opts = {
     enableUnixSockets: true,
     throwHttpErrors: true,
@@ -429,41 +464,57 @@ const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
     hooks: { beforeError: [] },
     mutableDefaults: true,
   };
-  const DOCKER_CONFIG = process.env.DOCKER_CONFIG || join(homedir(), ".docker");
+  const DOCKER_CONFIG = dockerConfig || join(homedir(), ".docker");
+  const dockerConfigFile = join(DOCKER_CONFIG, "config.json");
   // Support for private registry
-  if (process.env.DOCKER_AUTH_CONFIG) {
+  if (dockerAuthConfig) {
     opts.headers = {
-      "X-Registry-Auth": process.env.DOCKER_AUTH_CONFIG,
+      "X-Registry-Auth": dockerAuthConfig,
     };
     authTokenSet = true;
+    noteCredentialSource("DOCKER_AUTH_CONFIG", "selected");
+  } else {
+    noteCredentialSource("DOCKER_AUTH_CONFIG", "skipped", "not set");
   }
   if (
     !authTokenSet &&
-    process.env.DOCKER_USER &&
-    process.env.DOCKER_PASSWORD &&
-    process.env.DOCKER_EMAIL &&
+    dockerUser &&
+    dockerPassword &&
+    dockerEmail &&
     normalizedForRegistry
   ) {
     const authPayload = {
-      username: process.env.DOCKER_USER,
-      email: process.env.DOCKER_EMAIL,
+      username: dockerUser,
+      email: dockerEmail,
       serveraddress: normalizedForRegistry,
     };
-    if (process.env.DOCKER_USER === "<token>") {
-      authPayload.IdentityToken = process.env.DOCKER_PASSWORD;
+    if (dockerUser === "<token>") {
+      authPayload.IdentityToken = dockerPassword;
     } else {
-      authPayload.password = process.env.DOCKER_PASSWORD;
+      authPayload.password = dockerPassword;
     }
     opts.headers = {
       "X-Registry-Auth": toBase64Url(JSON.stringify(authPayload)),
     };
     authTokenSet = true;
-  }
-  if (!authTokenSet && safeExistsSync(join(DOCKER_CONFIG, "config.json"))) {
-    const configData = readFileSync(
-      join(DOCKER_CONFIG, "config.json"),
-      "utf-8",
+    noteCredentialSource(
+      "DOCKER_USER/DOCKER_PASSWORD/DOCKER_EMAIL",
+      "selected",
     );
+  } else if (!authTokenSet) {
+    noteCredentialSource(
+      "DOCKER_USER/DOCKER_PASSWORD/DOCKER_EMAIL",
+      "skipped",
+      dockerUser || dockerPassword || dockerEmail
+        ? "incomplete environment credentials"
+        : "not set",
+    );
+  }
+  if (!authTokenSet && safeExistsSync(dockerConfigFile)) {
+    const configData = readFileSync(dockerConfigFile, "utf-8");
+    recordSensitiveFileRead(dockerConfigFile, {
+      label: "Docker credential file",
+    });
     if (configData) {
       try {
         const configJson = JSON.parse(configData);
@@ -490,6 +541,11 @@ const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
                 "X-Registry-Auth": toBase64Url(JSON.stringify(authPayload)),
               };
               authTokenSet = true;
+              noteCredentialSource(
+                "docker-config-auth",
+                "selected",
+                serverAddress,
+              );
               break;
             }
             if (configJson.credsStore) {
@@ -502,6 +558,11 @@ const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
                   "X-Registry-Auth": helperAuthToken,
                 };
                 authTokenSet = true;
+                noteCredentialSource(
+                  `docker-credential-helper:${configJson.credsStore}`,
+                  "selected",
+                  serverAddress,
+                );
                 break;
               }
             }
@@ -522,22 +583,40 @@ const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
                   "X-Registry-Auth": helperAuthToken,
                 };
                 authTokenSet = true;
+                noteCredentialSource(
+                  `docker-credential-helper:${configJson.credHelpers[serverAddress]}`,
+                  "selected",
+                  serverAddress,
+                );
                 break;
               }
             }
           }
         }
+        if (!authTokenSet) {
+          noteCredentialSource(
+            "docker-config",
+            "skipped",
+            "no matching config.json auth entry",
+          );
+        }
       } catch (_err) {
         // pass
+        noteCredentialSource("docker-config", "skipped", "config parse failed");
       }
     }
+  } else if (!authTokenSet) {
+    noteCredentialSource("docker-config", "skipped", "config.json not found");
   }
   const userInfo = _userInfo();
   opts.podmanPrefixUrl = isWin ? "" : "http://unix:/run/podman/podman.sock:";
   opts.podmanRootlessPrefixUrl = isWin
     ? ""
     : `http://unix:/run/user/${userInfo.uid}/podman/podman.sock:`;
-  if (!process.env.DOCKER_HOST) {
+  const dockerHost = readEnvironmentVariable("DOCKER_HOST");
+  const dockerCertPath = readEnvironmentVariable("DOCKER_CERT_PATH");
+  const dockerTlsVerify = readEnvironmentVariable("DOCKER_TLS_VERIFY");
+  if (!dockerHost) {
     if (isPodman) {
       opts.prefixUrl = isPodmanRootless
         ? opts.podmanRootlessPrefixUrl
@@ -561,7 +640,7 @@ const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
       }
     }
   } else {
-    let hostStr = process.env.DOCKER_HOST;
+    let hostStr = dockerHost;
     if (hostStr.startsWith("unix:///")) {
       hostStr = hostStr.replace("unix:///", "http://unix:/");
       if (hostStr.includes("docker.sock")) {
@@ -570,29 +649,54 @@ const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
       }
     }
     opts.prefixUrl = hostStr;
-    if (process.env.DOCKER_CERT_PATH) {
+    if (dockerCertPath) {
+      const dockerCertFile = join(dockerCertPath, "cert.pem");
+      const dockerKeyFile = join(dockerCertPath, "key.pem");
+      const dockerCertificate = readFileSync(dockerCertFile, "utf8");
+      recordSensitiveFileRead(dockerCertFile, {
+        label: "Docker client certificate",
+      });
+      const dockerKey = readFileSync(dockerKeyFile, "utf8");
+      recordSensitiveFileRead(dockerKeyFile, {
+        label: "Docker client private key",
+      });
       opts.https = {
-        certificate: readFileSync(
-          join(process.env.DOCKER_CERT_PATH, "cert.pem"),
-          "utf8",
-        ),
-        key: readFileSync(
-          join(process.env.DOCKER_CERT_PATH, "key.pem"),
-          "utf8",
-        ),
+        certificate: dockerCertificate,
+        key: dockerKey,
       };
       // Disable tls on empty values
       // From the docker docs: Setting the DOCKER_TLS_VERIFY environment variable to any value other than the empty string is equivalent to setting the --tlsverify flag
-      if (
-        process.env.DOCKER_TLS_VERIFY &&
-        process.env.DOCKER_TLS_VERIFY === ""
-      ) {
+      if (dockerTlsVerify === "") {
         opts.https.rejectUnauthorized = false;
         console.log("TLS Verification disabled for", hostStr);
       }
     }
   }
+  if (!selectedCredentialSource) {
+    noteCredentialSource(
+      "anonymous",
+      "selected",
+      "no credential source resolved",
+    );
+  }
+  const skippedSources = credentialSourceEvaluations
+    .filter((entry) => entry.outcome !== "selected")
+    .map((entry) =>
+      entry.detail ? `${entry.source} (${entry.detail})` : entry.source,
+    );
+  recordDecisionActivity(`docker-auth:${authDecisionTarget}`, {
+    metadata: {
+      decisionType: "credential-source-selection",
+      evaluatedSources: credentialSourceEvaluations.map(
+        ({ detail, outcome, source }) =>
+          detail ? `${source}:${outcome}:${detail}` : `${source}:${outcome}`,
+      ),
+      selectedSource: selectedCredentialSource,
+    },
+    reason: `Selected Docker auth source '${selectedCredentialSource}' for ${authDecisionTarget}. Skipped: ${skippedSources.length ? skippedSources.join(", ") : "none"}.`,
+  });
   return opts;
 };
@@ -611,7 +715,20 @@ const getDefaultOptions = (forRegistry, requestedRegistryRef = forRegistry) => {
  *   daemon base URL, or `undefined`
  */
 export const getConnection = async (options, forRegistry) => {
+  if (isContainerd || isNerdctl) {
+    return undefined;
+  }
   if (isDryRun) {
+    try {
+      getDefaultOptions(forRegistry);
+    } catch (error) {
+      recordActivity({
+        kind: "read",
+        reason: `Dry run mode failed while tracing Docker credential inputs: ${error.message}`,
+        status: "failed",
+        target: error?.path || forRegistry || "container-daemon",
+      });
+    }
     recordActivity({
       kind: "network",
       reason:
@@ -621,9 +738,6 @@ export const getConnection = async (options, forRegistry) => {
     });
     return undefined;
   }
-  if (isContainerd || isNerdctl) {
-    return undefined;
-  }
   if (!dockerConn) {
     const defaultOptions = getDefaultOptions(forRegistry);
     const podmanRootlessUrl = defaultOptions.podmanRootlessPrefixUrl;
@@ -1204,34 +1318,36 @@ const EXTRACT_EXCLUDE_TYPES = new Set([
  *   empty or a non-fatal error was encountered
  */
 export const extractTar = async (fullImageName, dir, options) => {
-  if (isDryRun) {
-    recordActivity({
-      kind: "untar",
-      reason:
-        "Dry run mode blocks untar and layer extraction operations because they create files on disk.",
-      status: "blocked",
-      target: `${fullImageName} -> ${dir}`,
-    });
-    return false;
-  }
   try {
-    await stream.pipeline(
-      createReadStream(fullImageName),
-      x({
-        sync: false,
-        preserveOwner: false,
-        noMtime: true,
-        noChmod: true,
-        strict: !NON_STRICT_TAR_EXTRACT,
-        C: dir,
-        portable: true,
-        unlink: true,
-        onwarn: handleTarWarning,
-        onReadEntry: handleAbsolutePath,
-        filter: tarFilter,
-      }),
+    return await safeExtractArchive(
+      fullImageName,
+      dir,
+      async () =>
+        await stream.pipeline(
+          createReadStream(fullImageName),
+          x({
+            sync: false,
+            preserveOwner: false,
+            noMtime: true,
+            noChmod: true,
+            strict: !NON_STRICT_TAR_EXTRACT,
+            C: dir,
+            portable: true,
+            unlink: true,
+            onwarn: handleTarWarning,
+            onReadEntry: handleAbsolutePath,
+            filter: tarFilter,
+          }),
+        ),
+      "untar",
+      {
+        blockedReason:
+          "Dry run mode blocks untar and layer extraction operations because they create files on disk.",
+        metadata: {
+          archiveFormat: "tar",
+        },
+      },
     );
-    return true;
   } catch (err) {
     if (err.code === "EPERM" && err.syscall === "symlink") {
       console.log(
@@ -1605,7 +1721,22 @@ export const extractFromManifest = async (
  * Returns the location of the layers with additional packages related metadata
  */
 export const exportImage = async (fullImageName, options) => {
+  // Safely ignore local directories
+  if (
+    !fullImageName ||
+    fullImageName === "." ||
+    safeExistsSync(resolve(fullImageName))
+  ) {
+    return undefined;
+  }
   if (isDryRun) {
+    const imageDetails = parseImageName(fullImageName);
+    const requestedRegistryRef = imageDetails.registry
+      ? imageDetails.repo
+        ? `${imageDetails.registry}/${imageDetails.repo}`
+        : imageDetails.registry
+      : DOCKER_HUB_REGISTRY;
+    await getConnection({}, requestedRegistryRef);
     recordActivity({
       kind: "container",
       reason:
@@ -1615,14 +1746,6 @@ export const exportImage = async (fullImageName, options) => {
     });
     return undefined;
   }
-  // Safely ignore local directories
-  if (
-    !fullImageName ||
-    fullImageName === "." ||
-    safeExistsSync(resolve(fullImageName))
-  ) {
-    return undefined;
-  }
   // Try to get the data locally first
   const localData = await getImage(fullImageName);
   if (!localData) {
@@ -1935,18 +2058,17 @@ export const getCredsFromHelper = (exeSuffix, serverAddress) => {
   } else if (result.stdout) {
     const cmdOutput = Buffer.from(result.stdout).toString();
     try {
+      const dockerUser = readEnvironmentVariable("DOCKER_USER", {
+        sensitive: true,
+      });
+      const dockerPassword = readEnvironmentVariable("DOCKER_PASSWORD", {
+        sensitive: true,
+      });
       const authPayload = JSON.parse(cmdOutput);
       const fixedAuthPayload = {
-        username:
-          authPayload.username ||
-          authPayload.Username ||
-          process.env.DOCKER_USER,
-        password:
-          authPayload.password ||
-          authPayload.Secret ||
-          process.env.DOCKER_PASSWORD,
-        email:
-          authPayload.email || authPayload.username || process.env.DOCKER_USER,
+        username: authPayload.username || authPayload.Username || dockerUser,
+        password: authPayload.password || authPayload.Secret || dockerPassword,
+        email: authPayload.email || authPayload.username || dockerUser,
         serveraddress: serverAddress,
       };
       const authKey = toBase64Url(JSON.stringify(fixedAuthPayload));