fix: use central parser in dependency tree

Author: d3vco

lib/dependency-tree/index.ts

@@ -1,13 +1,26 @@
 import { AnalyzedPackageWithVersion, OSRelease } from "../analyzer/types";
+import { parseImageReference } from "../image-reference";
 import { DepTree, DepTreeDep } from "../types";
 
-/** @deprecated Should implement a new function to build a dependency graph instead. */
-export function buildTree(
-  targetImage: string,
-  packageFormat: string,
-  depInfosList: AnalyzedPackageWithVersion[],
-  targetOS: OSRelease,
-): DepTree {
+export function nameAndVersionFromTargetImage(targetImage: string): {
+  name: string;
+  version: string;
+} {
+  let imageName: string;
+  let imageVersion: string;
+
+  if (!targetImage.endsWith(".tar")) {
+    try {
+      const parsed = parseImageReference(targetImage);
+      return {
+        name: parsed.fullName,
+        version: parsed.tag ? parsed.tag : parsed.digest ? "" : "latest",
+      };
+    } catch {
+      // Fallback to manual parsing
+    }
+  }
+
   // A tag can only occur in the last section of a docker image name, so
   // check any colon separator after the final '/'. If there are no '/',
   // which is common when using Docker's official images such as
@@ -18,8 +31,8 @@ export function buildTree(
     targetImage.includes(":");
 
   // Defaults for simple images from dockerhub, like "node" or "centos"
-  let imageName = targetImage;
-  let imageVersion = "latest";
+  imageName = targetImage;
+  imageVersion = "latest";
 
   // If we have a version, split on the last ':' to avoid the optional
   // port on a hostname (i.e. localhost:5000)
@@ -40,6 +53,19 @@ export function buildTree(
     imageVersion = "";
   }
 
+  return { name: imageName, version: imageVersion };
+}
+
+/** @deprecated Should implement a new function to build a dependency graph instead. */
+export function buildTree(
+  targetImage: string,
+  packageFormat: string,
+  depInfosList: AnalyzedPackageWithVersion[],
+  targetOS: OSRelease,
+): DepTree {
+  const { name: imageName, version: imageVersion } =
+    nameAndVersionFromTargetImage(targetImage);
+
   const root: DepTree = {
     // don't use the real image name to avoid scanning it as an issue
     name: "docker-image|" + imageName,

lib/image-reference.ts

@@ -54,12 +54,26 @@ export class ParsedImageReference {
     return ref;
   }
 
+  /**
+   * The qualified repository name.
+   * This is the registry and repository combined.
+   */
+  get fullName(): string {
+    return this.registry
+      ? this.registry + "/" + this.repository
+      : this.repository;
+  }
+
   /**
    * Whether the image is from Docker Hub.
    * This is true if the registry is "registry-1.docker.io" or "docker.io" or undefined.
    */
   get isDockerHub(): boolean {
-    return this.registry === "registry-1.docker.io" || this.registry === "docker.io" || this.registry === undefined;
+    return (
+      this.registry === "registry-1.docker.io" ||
+      this.registry === "docker.io" ||
+      this.registry === undefined
+    );
   }
 
   /**
@@ -151,3 +165,12 @@ export function isValidImageReference(reference: string): boolean {
     return false;
   }
 }
+
+// Regular Expression Source: OCI Image Spec V1
+// https://github.com/opencontainers/image-spec/blob/d60099175f88c47cd379c4738d158884749ed235/descriptor.md?plain=1#L143
+const digestIsValid = (digest: string) => /^sha256:[a-f0-9]{64}$/.test(digest);
+
+// Regular Expression Source: OCI Image Spec V1
+// https://github.com/opencontainers/distribution-spec/blob/3940529fe6c0a068290b27fb3cd797cf0528bed6/spec.md?plain=1#L160
+const tagIsValid = (tag: string) =>
+  /^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$/.test(tag);

test/lib/dependency-tree/index.spec.ts

@@ -1,5 +1,8 @@
 import { AnalyzedPackageWithVersion } from "../../../lib/analyzer/types";
-import { buildTree } from "../../../lib/dependency-tree";
+import {
+  buildTree,
+  nameAndVersionFromTargetImage,
+} from "../../../lib/dependency-tree";
 
 const targetImage = "snyk/deptree-test@1.0.0";
 const targetOS = {
@@ -76,3 +79,161 @@ describe("dependency-tree", () => {
     });
   });
 });
+
+const validSha256 =
+  "sha256:56ea7092e72db3e9f84d58d583370d59b842de02ea9e1f836c3f3afc7ce408c1";
+
+describe("nameAndVersionFromTargetImage", () => {
+  describe("handles valid image references", () => {
+    it("with repository only", () => {
+      expect(nameAndVersionFromTargetImage("nginx")).toEqual({
+        name: "nginx",
+        version: "latest",
+      });
+    });
+
+    it("with tag", () => {
+      expect(nameAndVersionFromTargetImage("nginx:1.23")).toEqual({
+        name: "nginx",
+        version: "1.23",
+      });
+    });
+
+    it("with digest", () => {
+      expect(nameAndVersionFromTargetImage(`nginx@${validSha256}`)).toEqual({
+        name: "nginx",
+        version: "",
+      });
+    });
+
+    it("with tag and digest", () => {
+      expect(
+        nameAndVersionFromTargetImage(`nginx:1.23@${validSha256}`),
+      ).toEqual({
+        name: "nginx",
+        version: "1.23",
+      });
+    });
+
+    it("with registry", () => {
+      expect(nameAndVersionFromTargetImage("gcr.io/project/nginx")).toEqual({
+        name: "gcr.io/project/nginx",
+        version: "latest",
+      });
+    });
+
+    it("with registry and port", () => {
+      expect(nameAndVersionFromTargetImage("localhost:5000/foo/bar")).toEqual({
+        name: "localhost:5000/foo/bar",
+        version: "latest",
+      });
+    });
+
+    it("with registry and port and tag", () => {
+      expect(
+        nameAndVersionFromTargetImage("localhost:5000/foo/bar:tag"),
+      ).toEqual({
+        name: "localhost:5000/foo/bar",
+        version: "tag",
+      });
+    });
+
+    it("with registry and port and digest", () => {
+      expect(
+        nameAndVersionFromTargetImage(`localhost:5000/foo/bar@${validSha256}`),
+      ).toEqual({
+        name: "localhost:5000/foo/bar",
+        version: "",
+      });
+    });
+
+    it("with registry, port, digest and tag", () => {
+      expect(
+        nameAndVersionFromTargetImage(
+          `localhost:5000/foo/bar:tag@${validSha256}`,
+        ),
+      ).toEqual({
+        name: "localhost:5000/foo/bar",
+        version: "tag",
+      });
+    });
+
+    it("with library/ namespace", () => {
+      expect(nameAndVersionFromTargetImage("library/nginx:latest")).toEqual({
+        name: "library/nginx",
+        version: "latest",
+      });
+    });
+
+    it("with dots and dashes in the tag", () => {
+      expect(nameAndVersionFromTargetImage("nginx:1.23.0-alpha")).toEqual({
+        name: "nginx",
+        version: "1.23.0-alpha",
+      });
+    });
+  });
+
+  // These tests are to verify that the previous logic is still working as expected for
+  // references that cannot be parsed by the new parseImageReference function.
+  // They are not necessarily asserting that this is the correct parsing logic.
+  describe("handles file-based reference strings", () => {
+    it("with a simple image name", () => {
+      expect(nameAndVersionFromTargetImage("image.tar")).toEqual({
+        name: "image.tar",
+        version: "",
+      });
+    });
+
+    it("with a longer path", () => {
+      expect(nameAndVersionFromTargetImage("path/to/archive.tar")).toEqual({
+        name: "path/to/archive.tar",
+        version: "",
+      });
+    });
+
+    it("with a tag", () => {
+      expect(nameAndVersionFromTargetImage("path/to/archive.tar:tag")).toEqual({
+        name: "path/to/archive.tar",
+        version: "tag",
+      });
+    });
+
+    it("with a digest", () => {
+      expect(
+        nameAndVersionFromTargetImage(`archive.tar@${validSha256}`),
+      ).toEqual({
+        name: "archive.tar",
+        version: "",
+      });
+    });
+
+    it("with a tag and digest", () => {
+      expect(
+        nameAndVersionFromTargetImage(`path/to/archive.tar:tag@${validSha256}`),
+      ).toEqual({
+        name: "path/to/archive.tar",
+        version: "tag",
+      });
+    });
+
+    it("with a tag and specific image name", () => {
+      expect(
+        nameAndVersionFromTargetImage("path/to/archive.tar:image:tag"),
+      ).toEqual({
+        name: "path/to/archive.tar:image",
+        version: "tag",
+      });
+    });
+
+    it("with a tag and specific image name and digest", () => {
+      expect(
+        nameAndVersionFromTargetImage(
+          `path/to/archive.tar:image:tag@${validSha256}`,
+        ),
+      ).toEqual({
+        name: "path/to/archive.tar:image:tag",
+        version: "",
+      });
+    });
+  });
+});