publish metadata from image-get

Author: northdpole

components/targets/image-get/component.yaml

@@ -18,3 +18,9 @@ steps:
     args:
       - -c
       - /entrypoint.sh "{{ .parameters.image }}" "{{ sourceCodeWorkspace }}/image.tar" "{{ .parameters.username }}" "{{.parameters.password}}"
+  - name: write-metadata
+    image: components/targets/image-get/metadata-writer
+    executable: /bin/app
+    env_vars:
+      IMAGE_GET_TARGET_METADATA_PATH: "{{ targetMetadataWorkspace }}"
+      IMAGE_GET_IMAGE: "{{ .parameters.image }}"

components/targets/image-get/metadata-writer/cmd/main.go

@@ -0,0 +1,194 @@
+package main
+
+import (
+	"context"
+	"log"
+	"os"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/go-errors/errors"
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/package-url/packageurl-go"
+	"google.golang.org/protobuf/encoding/protojson"
+
+	"github.com/smithy-security/pkg/env"
+	"github.com/smithy-security/smithy/sdk/component"
+	ocsffindinginfo "github.com/smithy-security/smithy/sdk/gen/ocsf_ext/finding_info/v1"
+)
+
+type (
+	// Conf wraps the component configuration.
+	Conf struct {
+		TargetMetadataPath string
+		Image              string
+	}
+	imageMetadataWriterTarget struct {
+		conf *Conf
+	}
+)
+
+// NewConf returns a new configuration build from environment lookup.
+func NewConf(envLoader env.Loader) (*Conf, error) {
+	var envOpts = make([]env.ParseOption, 0)
+	targetMetadataPath, err := env.GetOrDefault(
+		"IMAGE_GET_TARGET_METADATA_PATH",
+		"",
+		append(envOpts, env.WithDefaultOnError(true))...,
+	)
+	if err != nil {
+		return nil, errors.Errorf("could not get IMAGE_GET_TARGET_METADATA_PATH: %w", err)
+	}
+
+	image, err := env.GetOrDefault(
+		"IMAGE_GET_IMAGE",
+		"",
+		append(envOpts, env.WithDefaultOnError(true))...,
+	)
+	if err != nil {
+		return nil, errors.Errorf("could not get IMAGE_GET_IMAGE: %w", err)
+	}
+
+	if targetMetadataPath != "" && !strings.HasSuffix(targetMetadataPath, "target.json") {
+		targetMetadataPath = path.Join(targetMetadataPath, "target.json")
+	}
+	return &Conf{
+		TargetMetadataPath: targetMetadataPath,
+		Image:              image,
+	}, nil
+}
+
+func WriteTargetMetadata(conf *Conf) error {
+	purl, err := packageUrlFromImage(conf.Image)
+	if err != nil {
+		return errors.Errorf("could not get package url from image: %w", err)
+	}
+
+	dataSource := &ocsffindinginfo.DataSource{
+		TargetType: ocsffindinginfo.DataSource_TARGET_TYPE_CONTAINER_IMAGE,
+		OciPackageMetadata: &ocsffindinginfo.DataSource_OCIPackageMetadata{
+			PackageUrl: purl.ToString(),
+			Tag:        purl.Version,
+		},
+	}
+
+	marshaledDataSource, err := protojson.Marshal(dataSource)
+	if err != nil {
+		return errors.Errorf("could not marshal data source into JSON: %w", err)
+	}
+
+	// Write content to the file
+	err = os.WriteFile(conf.TargetMetadataPath, marshaledDataSource, 0644)
+	if err != nil {
+		return errors.Errorf("Error writing file: %w", err)
+	}
+	return nil
+}
+
+func packageUrlFromImage(image string) (*packageurl.PackageURL, error) {
+	var (
+		namespace = ""
+		path      = ""
+		tag       = ""
+		digest    = ""
+	)
+	// Parse the reference
+	ref, err := name.ParseReference(image)
+	if err != nil {
+		return nil, err
+	}
+
+	// Add registry if not docker.io
+	registry := ref.Context().Registry.Name()
+	if registry != "index.docker.io" && registry != "docker.io" {
+		namespace = registry
+	}
+
+	// Add repository path
+	path = ref.Context().RepositoryStr()
+
+	// Add tag or digest
+	if tagged, ok := ref.(name.Tag); ok {
+		tag = tagged.TagStr()
+	} else if digested, ok := ref.(name.Digest); ok {
+		digest = digested.DigestStr()
+	}
+
+	var qualifiers packageurl.Qualifiers
+	if digest != "" {
+		qualifiers = packageurl.QualifiersFromMap(map[string]string{"digest": digest})
+
+		// special edge case: always prefer the digest over tag
+		tag = ""
+	}
+
+	if tag == "" && digest == "" {
+		// If no tag or digest is provided, default to "latest"
+		tag = "latest"
+	}
+
+	return packageurl.NewPackageURL(
+		packageurl.TypeDocker,
+		namespace,
+		path,
+		tag,
+		qualifiers,
+		"",
+	), nil
+}
+
+func main() {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer cancel()
+
+	if err := Main(ctx); err != nil {
+		log.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func Main(ctx context.Context) error {
+	conf, err := NewConf(nil)
+	if err != nil {
+		return errors.Errorf("could not create new configuration: %w", err)
+	}
+
+	metadataTarget, err := NewTarget(conf)
+	if err != nil {
+		return errors.Errorf("could not create git clone target: %w", err)
+	}
+
+	opts := append(make([]component.RunnerOption, 0), component.RunnerWithComponentName("image-get"))
+
+	if err := component.RunTarget(
+		ctx,
+		metadataTarget,
+		opts...,
+	); err != nil {
+		return errors.Errorf("could not run target: %w", err)
+	}
+
+	return nil
+}
+
+func NewTarget(conf *Conf) (*imageMetadataWriterTarget, error) {
+	if conf == nil {
+		return nil, errors.New("conf cannot be nil")
+	}
+
+	return &imageMetadataWriterTarget{
+		conf: conf,
+	}, nil
+}
+
+func (t *imageMetadataWriterTarget) Prepare(ctx context.Context) error {
+	if t.conf == nil {
+		return errors.New("conf cannot be nil")
+	}
+
+	if err := WriteTargetMetadata(t.conf); err != nil {
+		return errors.Errorf("could not write target metadata: %w", err)
+	}
+
+	return nil
+}

components/targets/image-get/metadata-writer/cmd/main_test.go

@@ -0,0 +1,104 @@
+package main
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestWriteTargetMetadata(t *testing.T) {
+	tests := []struct {
+		name           string
+		conf           Conf
+		expectedError  bool
+		expectedOutput string
+	}{
+		{
+			name: "Valid image with full URL and version tag",
+			conf: Conf{
+				TargetMetadataPath: "",
+				Image:              "repo.example.com/project/image:1.0.0",
+			},
+			expectedError:  false,
+			expectedOutput: `{"targetType":"TARGET_TYPE_CONTAINER_IMAGE","ociPackageMetadata":{"packageUrl":"pkg:docker/repo.example.com/project%[email protected]","tag":"1.0.0"}}`,
+		},
+		{
+			name: "Valid image with no tag (latest assumed)",
+			conf: Conf{
+				TargetMetadataPath: "",
+				Image:              "repo.example.com/project/image",
+			},
+			expectedOutput: `{"targetType":"TARGET_TYPE_CONTAINER_IMAGE","ociPackageMetadata":{"packageUrl":"pkg:docker/repo.example.com/project%2Fimage@latest","tag":"latest"}}`,
+		},
+		{
+			name: "Valid image with latest tag",
+			conf: Conf{
+				TargetMetadataPath: "",
+				Image:              "repo.example.com/project/image:latest",
+			},
+			expectedError:  false,
+			expectedOutput: `{"targetType":"TARGET_TYPE_CONTAINER_IMAGE","ociPackageMetadata":{"packageUrl":"pkg:docker/repo.example.com/project%2Fimage@latest","tag":"latest"}}`,
+		},
+		{
+			name: "Valid image with SHA tag",
+			conf: Conf{
+				TargetMetadataPath: "",
+				Image:              "repo.example.com/project/ubuntu@sha256:98706f0f213dbd440021993a82d2f70451a73698315370ae8615cc468ac06624",
+			},
+			expectedError:  false,
+			expectedOutput: `{"targetType":"TARGET_TYPE_CONTAINER_IMAGE","ociPackageMetadata":{"packageUrl":"pkg:docker/repo.example.com/project%2Fubuntu?digest=sha256%3A98706f0f213dbd440021993a82d2f70451a73698315370ae8615cc468ac06624"}}`,
+		},
+		{
+			name: "Valid image with SHA AND tag",
+			conf: Conf{
+				TargetMetadataPath: "",
+				Image:              "repo.example.com/project/ubuntu:18.04@sha256:98706f0f213dbd440021993a82d2f70451a73698315370ae8615cc468ac06624",
+			},
+			expectedError:  false,
+			expectedOutput: `{"targetType":"TARGET_TYPE_CONTAINER_IMAGE","ociPackageMetadata":{"packageUrl":"pkg:docker/repo.example.com/project%2Fubuntu?digest=sha256%3A98706f0f213dbd440021993a82d2f70451a73698315370ae8615cc468ac06624"}}`,
+		},
+		{
+			name: "Invalid image with empty string",
+			conf: Conf{
+				TargetMetadataPath: "",
+				Image:              "",
+			},
+			expectedError: true,
+		},
+		{
+			name: "Invalid image with malformed tag",
+			conf: Conf{
+				TargetMetadataPath: "",
+				Image:              "repo.example.com/project/image:tag:extra",
+			},
+			expectedError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create a temporary file for testing
+			tempFile, err := os.CreateTemp("", "target.json")
+			if err != nil {
+				t.Fatalf("failed to create temp file: %v", err)
+			}
+			defer os.Remove(tempFile.Name())
+
+			// Update the conf to use the temp file path
+			tt.conf.TargetMetadataPath = tempFile.Name()
+
+			err = WriteTargetMetadata(tt.conf)
+			if tt.expectedError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+
+				// Read the file and verify its contents
+				data, readErr := os.ReadFile(tempFile.Name())
+				assert.NoError(t, readErr)
+				assert.JSONEq(t, tt.expectedOutput, string(data))
+			}
+		})
+	}
+}

components/targets/image-get/metadata-writer/go.mod

@@ -14,8 +14,55 @@ require (
 )
 
 require (
+	ariga.io/atlas v0.29.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.2.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+	github.com/abice/go-enum v0.6.0 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/bmatcuk/doublestar v1.3.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-openapi/inflect v0.19.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.18.1 // indirect
+	github.com/huandu/xstrings v1.3.3 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgx/v5 v5.6.0 // indirect
+	github.com/jonboulle/clockwork v0.4.0 // indirect
+	github.com/labstack/gommon v0.4.1 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
+	github.com/mattn/goveralls v0.0.12 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shopspring/decimal v1.2.0 // indirect
+	github.com/spf13/cast v1.3.1 // indirect
+	github.com/sqlc-dev/sqlc v1.27.0 // indirect
+	github.com/urfave/cli/v2 v2.26.0 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	github.com/zclconf/go-cty v1.14.4 // indirect
+	go.uber.org/mock v0.5.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/mod v0.22.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/tools v0.29.0 // indirect
+	golang.org/x/tools/cmd/cover v0.1.0-deprecated // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/grpc v1.65.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )