Use the --option=value syntax for run_command_safely args #1257

Signed-off-by: tdruez <[email protected]>

CHANGELOG.rst

@@ -1,6 +1,13 @@
 Changelog
 =========
 
+v34.6.3 (unreleased)
+--------------------
+
+- Use the ``--option=value`` syntax for args entries in place of ``--option value``
+  for fetching Docker images using skopeo through ``run_command_safely`` calls.
+  https://github.com/nexB/scancode.io/issues/1257
+
 v34.6.2 (2024-06-18)
 --------------------
 

scanpipe/pipes/fetch.py

@@ -55,6 +55,9 @@ def run_command_safely(command_args):
     commands. It provides a safer and more straightforward API compared to older methods
     like subprocess.Popen.
 
+    WARNING: Please note that the `--option=value` syntax is required for args entries,
+    and not the `--option value` format.
+
     - This does not use the Shell (shell=False) to prevent injection vulnerabilities.
     - The command should be provided as a list of ``command_args`` arguments.
     - Only full paths to executable commands should be provided to avoid any ambiguity.
@@ -197,12 +200,12 @@ def get_docker_image_platform(docker_url):
     authentication_args = []
     authfile = settings.SCANCODEIO_SKOPEO_AUTHFILE_LOCATION
     if authfile:
-        authentication_args.append(f"--authfile {authfile}")
+        authentication_args.append(f"--authfile={authfile}")
 
     netloc = urlparse(docker_url).netloc
     if credential := settings.SCANCODEIO_SKOPEO_CREDENTIALS.get(netloc):
         # Username and password for accessing the registry.
-        authentication_args.append(f"--creds {credential}")
+        authentication_args.append(f"--creds={credential}")
     elif not authfile:
         # Access the registry anonymously.
         authentication_args.append("--no-creds")
@@ -287,12 +290,12 @@ def fetch_docker_image(docker_url, to=None):
 
     authentication_args = []
     if authfile := settings.SCANCODEIO_SKOPEO_AUTHFILE_LOCATION:
-        authentication_args.append(f"--authfile {authfile}")
+        authentication_args.append(f"--authfile={authfile}")
 
     netloc = urlparse(docker_url).netloc
     if credential := settings.SCANCODEIO_SKOPEO_CREDENTIALS.get(netloc):
         # Credentials for accessing the source registry.
-        authentication_args.append(f"--src-creds {credential}")
+        authentication_args.append(f"--src-creds={credential}")
 
     cmd_args = (
         str(skopeo_executable),

scanpipe/tests/pipes/test_fetch.py

@@ -129,14 +129,14 @@ def test_scanpipe_pipes_fetch_docker_image(
             with self.assertRaises(Exception):
                 fetch.fetch_docker_image(url)
             cmd_args = mock_run_command_safely.call_args[0][0]
-            self.assertIn("--authfile auth.json", cmd_args)
+            self.assertIn("--authfile=auth.json", cmd_args)
 
         credentials = {"registry.com": "user:password"}
         with override_settings(SCANCODEIO_SKOPEO_CREDENTIALS=credentials):
             with self.assertRaises(Exception):
                 fetch.fetch_docker_image(url)
             cmd_args = mock_run_command_safely.call_args[0][0]
-            self.assertIn("--src-creds user:password", cmd_args)
+            self.assertIn("--src-creds=user:password", cmd_args)
 
     @mock.patch("scanpipe.pipes.fetch._get_skopeo_location")
     @mock.patch("scanpipe.pipes.fetch.run_command_safely")
@@ -165,14 +165,14 @@ def test_scanpipe_pipes_fetch_get_docker_image_platform(
         with override_settings(SCANCODEIO_SKOPEO_AUTHFILE_LOCATION="auth.json"):
             fetch.get_docker_image_platform(url)
             cmd_args = mock_run_command_safely.call_args[0][0]
-            self.assertIn("--authfile auth.json", cmd_args)
+            self.assertIn("--authfile=auth.json", cmd_args)
             self.assertNotIn("--no-creds", cmd_args)
 
         credentials = {"registry.com": "user:password"}
         with override_settings(SCANCODEIO_SKOPEO_CREDENTIALS=credentials):
             fetch.get_docker_image_platform(url)
             cmd_args = mock_run_command_safely.call_args[0][0]
-            self.assertIn("--creds user:password", cmd_args)
+            self.assertIn("--creds=user:password", cmd_args)
             self.assertNotIn("--no-creds", cmd_args)
 
     def test_scanpipe_pipes_fetch_docker_image_string_injection_protection(self):