fix: update append latest logic

Author: d3vco

lib/extractor/oci-distribution-metadata.ts

@@ -43,7 +43,14 @@ export function constructOCIDisributionMetadata({
       imageTag: parsed.tag,
     };
 
-    if (!ociDistributionMetadataIsValid(metadata)) {
+    // 255 byte limit is enforced by RFC 1035.
+    if (Buffer.byteLength(metadata.registryHost) > 255) {
+      return;
+    }
+
+    // 2048 byte limit is enforced by Snyk for platform stability.
+    // Longer strings may be valid, but nothing close to this limit has been observed by Snyk at time of writing.
+    if (Buffer.byteLength(metadata.repository) > 2048) {
       return;
     }
 
@@ -52,51 +59,3 @@ export function constructOCIDisributionMetadata({
     return;
   }
 }
-
-function ociDistributionMetadataIsValid(
-  data: OCIDistributionMetadata,
-): boolean {
-  // 255 byte limit is enforced by RFC 1035.
-  if (Buffer.byteLength(data.registryHost) > 255) {
-    return false;
-  }
-
-  // 2048 byte limit is enforced by Snyk for platform stability.
-  // Longer strings may be valid, but nothing close to this limit has been observed by Snyk at time of writing.
-  if (
-    Buffer.byteLength(data.repository) > 2048 ||
-    !repositoryNameIsValid(data.repository)
-  ) {
-    return false;
-  }
-
-  if (!digestIsValid(data.manifestDigest)) {
-    return false;
-  }
-
-  if (data.indexDigest && !digestIsValid(data.indexDigest)) {
-    return false;
-  }
-
-  if (data.imageTag && !tagIsValid(data.imageTag)) {
-    return false;
-  }
-
-  return true;
-}
-
-// Regular Expression Source: OCI Distribution Spec V1
-// https://github.com/opencontainers/distribution-spec/blob/570d0262abe8ec5e59d8e3fbbd7be4bd784b200e/spec.md?plain=1#L141
-const repositoryNameIsValid = (name: string) =>
-  /^[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*$/.test(
-    name,
-  );
-
-// Regular Expression Source: OCI Image Spec V1
-// https://github.com/opencontainers/image-spec/blob/d60099175f88c47cd379c4738d158884749ed235/descriptor.md?plain=1#L143
-const digestIsValid = (digest: string) => /^sha256:[a-f0-9]{64}$/.test(digest);
-
-// Regular Expression Source: OCI Image Spec V1
-// https://github.com/opencontainers/distribution-spec/blob/3940529fe6c0a068290b27fb3cd797cf0528bed6/spec.md?plain=1#L160
-const tagIsValid = (tag: string) =>
-  /^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$/.test(tag);

lib/scan.ts

@@ -12,7 +12,7 @@ import { getArchivePath, getImageType } from "./image-type";
 import { isNumber, isTrue } from "./option-utils";
 import * as staticModule from "./static";
 import { ImageType, PluginOptions, PluginResponse } from "./types";
-import { isValidImageReference } from "./image-reference";
+import { isValidImageReference, ParsedImageReference, parseImageReference } from "./image-reference";
 
 // Registry credentials may also be provided by env vars. When both are set, flags take precedence.
 export function mergeEnvVarsIntoCredentials(
@@ -214,13 +214,16 @@ async function imageIdentifierAnalysis(
 }
 
 export function appendLatestTagIfMissing(targetImage: string): string {
-  if (
-    getImageType(targetImage) === ImageType.Identifier &&
-    !targetImage.includes(":")
-  ) {
-    return `${targetImage}:latest`;
+  if (getImageType(targetImage) !== ImageType.Identifier) {
+    return targetImage;
   }
-  return targetImage;
+  try {
+    const parsed = parseImageReference(targetImage);
+    if (parsed.tag !== undefined || parsed.digest !== undefined) {
+      return parsed.toString();
+    }
+    return parsed.toString() + ':latest';
+  } catch { return targetImage; }
 }
 
 export async function extractContent(

test/lib/scan.spec.ts

@@ -30,22 +30,22 @@ describe("mergeEnvVarsIntoCredentials", () => {
     ${FLAG_USER} | ${ENV_VAR_USER} |  ${FLAG_USER}
         
   `("should set username to $expectedUsername when flag is $usernameFlag and envvar is $usernameEnvVar",
-  ({
-        usernameFlag,
-        usernameEnvVar,
-        expectedUsername,
-      }) => {
-        if (usernameEnvVar) {
-            process.env.SNYK_REGISTRY_USERNAME = usernameEnvVar;
-        }
-        const options = {
-            username: usernameFlag,
-        };
-
-        mergeEnvVarsIntoCredentials(options);
-
-        expect(options.username).toEqual(expectedUsername);
-  });
+    ({
+      usernameFlag,
+      usernameEnvVar,
+      expectedUsername,
+    }) => {
+      if (usernameEnvVar) {
+        process.env.SNYK_REGISTRY_USERNAME = usernameEnvVar;
+      }
+      const options = {
+        username: usernameFlag,
+      };
+
+      mergeEnvVarsIntoCredentials(options);
+
+      expect(options.username).toEqual(expectedUsername);
+    });
 
   // prettier-ignore
   it.each`
@@ -59,10 +59,10 @@ describe("mergeEnvVarsIntoCredentials", () => {
         
   `("should set password to $expectedPassword when flag is $passwordFlag and envvar is $passwordEnvVar",
     ({
-       passwordFlag,
-       passwordEnvVar,
-       expectedPassword,
-     }) => {
+      passwordFlag,
+      passwordEnvVar,
+      expectedPassword,
+    }) => {
       if (passwordEnvVar) {
         process.env.SNYK_REGISTRY_PASSWORD = passwordEnvVar;
       }
@@ -84,26 +84,66 @@ describe("appendLatestTagIfMissing", () => {
     );
   });
 
-  it("does not append latest to docker archive path", () => {
+  it("does not append latest to oci archive path", () => {
     const ociArchivePath = "oci-archive:some/path/image.tar";
     expect(appendLatestTagIfMissing(ociArchivePath)).toEqual(ociArchivePath);
   });
 
+  it("does not append latest to kaniko-archive path", () => {
+    const path = "kaniko-archive:some/path/image.tar";
+    expect(appendLatestTagIfMissing(path)).toEqual(path);
+  });
+
+  it("does not append latest to unspecified archive path (.tar)", () => {
+    const path = "/tmp/nginx.tar";
+    expect(appendLatestTagIfMissing(path)).toEqual(path);
+  });
+
   it("does not append latest if tag exists", () => {
     const imageWithTag = "image:sometag";
     expect(appendLatestTagIfMissing(imageWithTag)).toEqual(imageWithTag);
   });
 
-  it("does not modify targetImage with sha", () => {
-    const imageWithSha =
-      "snyk container test nginx@sha256:56ea7092e72db3e9f84d58d583370d59b842de02ea9e1f836c3f3afc7ce408c1";
-    expect(appendLatestTagIfMissing(imageWithSha)).toEqual(imageWithSha);
+  it("does not append latest if digest exists (digest-only reference)", () => {
+    const imageWithDigest =
+      "nginx@sha256:56ea7092e72db3e9f84d58d583370d59b842de02ea9e1f836c3f3afc7ce408c1";
+    expect(appendLatestTagIfMissing(imageWithDigest)).toEqual(
+      imageWithDigest,
+    );
   });
 
-  it("appends latest if no tag exists", () => {
-    const imageWithoutTag = "image";
-    expect(appendLatestTagIfMissing(imageWithoutTag)).toEqual(
-      `${imageWithoutTag}:latest`,
+  it("does not append latest if both tag and digest exist", () => {
+    const imageWithTagAndDigest =
+      "nginx:1.23@sha256:56ea7092e72db3e9f84d58d583370d59b842de02ea9e1f836c3f3afc7ce408c1";
+    expect(appendLatestTagIfMissing(imageWithTagAndDigest)).toEqual(
+      imageWithTagAndDigest,
     );
   });
-});
+
+  it("appends latest for repository-only reference", () => {
+    expect(appendLatestTagIfMissing("image")).toEqual("image:latest");
+  });
+
+  it("appends latest for repository with namespace", () => {
+    expect(appendLatestTagIfMissing("library/nginx")).toEqual(
+      "library/nginx:latest",
+    );
+  });
+
+  it("appends latest for registry with port and no tag", () => {
+    expect(appendLatestTagIfMissing("localhost:5000/foo/bar")).toEqual(
+      "localhost:5000/foo/bar:latest",
+    );
+  });
+
+  it("appends latest for custom registry without tag", () => {
+    expect(appendLatestTagIfMissing("gcr.io/project/nginx")).toEqual(
+      "gcr.io/project/nginx:latest",
+    );
+  });
+
+  it("returns unchanged for invalid image reference", () => {
+    const invalid = "/test:unknown";
+    expect(appendLatestTagIfMissing(invalid)).toEqual(invalid);
+  });
+});