feat: use grype image-pull mechanism

Signed-off-by: Christian Kotzbauer <[email protected]>
ckotzbauer · Dec 23, 2022 · cd6b496 · cd6b496
1 parent 0b4ce9e
commit cd6b496
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 13 deletions.
diff --git a/go.mod b/go.mod
@@ -4,6 +4,7 @@ go 1.19
 
 require (
 	github.com/anchore/grype v0.54.0
+	github.com/anchore/stereoscope v0.0.0-20221208011002-c5ff155d72f1
 	github.com/anchore/syft v0.63.0
 	github.com/ckotzbauer/libstandard v0.0.0-20221211123229-8434bdf8eece
 	github.com/prometheus/client_golang v1.14.0
@@ -39,7 +40,6 @@ require (
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 // indirect
 	github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7 // indirect
 	github.com/anchore/sqlite v1.4.6-0.20220607210448-bcc6ee5c4963 // indirect
-	github.com/anchore/stereoscope v0.0.0-20221208011002-c5ff155d72f1 // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/aws/aws-sdk-go v1.44.144 // indirect
@@ -287,7 +287,7 @@ require (
 )
 
 require (
-	github.com/ckotzbauer/libk8soci v0.0.0-20221216164241-860d8e82111e
+	github.com/ckotzbauer/libk8soci v0.0.0-20221223154257-bd3f36fa6c82
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/go-git/go-git/v5 v5.5.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect

diff --git a/go.sum b/go.sum
@@ -704,8 +704,8 @@ github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJ
 github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
-github.com/ckotzbauer/libk8soci v0.0.0-20221216164241-860d8e82111e h1:gHdtP9pOrkrhn98baDTnScVPF/cqXl863eEfW4qeIbI=
-github.com/ckotzbauer/libk8soci v0.0.0-20221216164241-860d8e82111e/go.mod h1:iCyFGATOCWbtM7ompmb6194mK8Ye2u2pcpxOrande9A=
+github.com/ckotzbauer/libk8soci v0.0.0-20221223154257-bd3f36fa6c82 h1:nuBMfAHObfmu+AnVxd8LOqU42pGWCp0lXrGXAnNiLkU=
+github.com/ckotzbauer/libk8soci v0.0.0-20221223154257-bd3f36fa6c82/go.mod h1:CDB4JaydrC/0HiiFA1t8uwyTy0rdXxpB+LZqZf8+i1w=
 github.com/ckotzbauer/libstandard v0.0.0-20221211123229-8434bdf8eece h1:iYcSspfI75B4QVf/j6dMmqx1vOk+YxbCUVML3RE7p4A=
 github.com/ckotzbauer/libstandard v0.0.0-20221211123229-8434bdf8eece/go.mod h1:9W+F8tlDH+PqLUQmV+NA2awzzawEoaVfNg3nqwsluQI=
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=

diff --git a/internal/vuln/grype/grype.go b/internal/vuln/grype/grype.go
@@ -12,6 +12,7 @@ import (
 	"github.com/anchore/grype/grype/pkg"
 	"github.com/anchore/grype/grype/store"
 	"github.com/anchore/grype/grype/vulnerability"
+	"github.com/anchore/stereoscope/pkg/image"
 	"github.com/anchore/syft/syft/pkg/cataloger"
 	"github.com/ckotzbauer/libk8soci/pkg/oci"
 	"github.com/ckotzbauer/vulnerability-operator/internal/vuln/kubernetes"
@@ -95,7 +96,17 @@ func (s *Grype) ScanItem(item source.ScanItem) ([]Vulnerability, error) {
 		return []Vulnerability{}, err
 	}
 
-	packages, context, err := pkg.Provide(item.ScanInput(), pkg.ProviderConfig{SyftProviderConfig: pkg.SyftProviderConfig{CatalogingOptions: cataloger.DefaultConfig()}})
+	registryOptions := &image.RegistryOptions{}
+	if img, ok := item.(source.Image); ok {
+		registryOptions.Credentials = oci.ConvertSecrets(img.RegistryImage)
+	}
+
+	packages, context, err := pkg.Provide(item.ScanInput(), pkg.ProviderConfig{
+		SyftProviderConfig: pkg.SyftProviderConfig{
+			CatalogingOptions: cataloger.DefaultConfig(),
+			RegistryOptions:   registryOptions,
+		},
+	})
 	if err != nil {
 		logrus.WithError(err).Error("Grype scan failed")
 		return []Vulnerability{}, err
@@ -139,12 +150,6 @@ func preprocessScan(item source.ScanItem) (source.ScanItem, error) {
 		}
 
 		return sbom, nil
-	} else if img, ok := item.(source.Image); ok {
-		err := oci.SaveImage("/tmp/image.tar.gz", img.RegistryImage)
-		if err != nil {
-			logrus.WithError(fmt.Errorf("failed to save image: %w", err)).Error()
-			return nil, err
-		}
 	}
 
 	return item, nil

diff --git a/internal/vuln/source/source.go b/internal/vuln/source/source.go
@@ -45,9 +45,9 @@ func (s Image) ImageId() string {
 }
 
 func (s Image) ScanInput() string {
-	return "docker-archive:/tmp/image.tar.gz"
+	return "registry:" + s.ImageID
 }
 
 func (s Image) Cleanup() error {
-	return os.Remove("/tmp/image.tar.gz")
+	return nil
 }