Skip to content

Commit

Permalink
scan: ability to override repository
Browse files Browse the repository at this point in the history
Signed-off-by: Dentrax <[email protected]>
  • Loading branch information
Dentrax committed Jul 8, 2024
1 parent d807594 commit cbd5210
Showing 1 changed file with 22 additions and 6 deletions.
28 changes: 22 additions & 6 deletions pkg/cli/scan.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,6 @@ import (
"github.com/wolfi-dev/wolfictl/pkg/configs"
v2 "github.com/wolfi-dev/wolfictl/pkg/configs/advisory/v2"
rwos "github.com/wolfi-dev/wolfictl/pkg/configs/rwfs/os"
"github.com/wolfi-dev/wolfictl/pkg/index"
"github.com/wolfi-dev/wolfictl/pkg/sbom"
"github.com/wolfi-dev/wolfictl/pkg/scan"
"github.com/wolfi-dev/wolfictl/pkg/versions"
Expand Down Expand Up @@ -357,6 +356,7 @@ type scanParams struct {
disableSBOMCache bool
triageWithGoVulnCheck bool
remoteScanning bool
remoteRepository string
useCPEMatching bool
verbosity int
}
Expand All @@ -374,6 +374,7 @@ func (p *scanParams) addFlagsTo(cmd *cobra.Command) {
cmd.Flags().BoolVar(&p.triageWithGoVulnCheck, "govulncheck", false, "EXPERIMENTAL: triage vulnerabilities in Go binaries using govulncheck")
_ = cmd.Flags().MarkHidden("govulncheck") //nolint:errcheck
cmd.Flags().BoolVarP(&p.remoteScanning, "remote", "r", false, "treat input(s) as the name(s) of package(s) in the Wolfi package repository to download and scan the latest versions of")
cmd.Flags().StringVar(&p.remoteRepository, "repository", "https://packages.wolfi.dev/os", "URL of the Wolfi package repository")
cmd.Flags().BoolVar(&p.useCPEMatching, "use-cpes", false, "turn on all CPE matching in Grype")
addVerboseFlag(&p.verbosity, cmd)
}
Expand Down Expand Up @@ -403,7 +404,7 @@ func (p *scanParams) resolveInputsToScan(ctx context.Context, args []string) (in
}

for _, arg := range args {
targetPaths, cleanup, err := resolveInputForRemoteTarget(ctx, arg)
targetPaths, cleanup, err := resolveInputForRemoteTarget(ctx, arg, p.remoteRepository)
if err != nil {
return nil, nil, fmt.Errorf("failed to resolve input %q for remote scanning: %w", arg, err)
}
Expand Down Expand Up @@ -606,6 +607,18 @@ func resolveInputFileFromArg(inputFilePath string) (*os.File, error) {
}
}

// getRepositoryURL returns the URL of the APKINDEX.tar.gz file for the given
// repository and architecture. If the repository URL already points to an
// APKINDEX.tar.gz file, it will be returned as-is. User input may or may not
// have included the architecture or the APKINDEX.tar.gz suffix, so construct
// the full URL to provide better UX.
func getRepositoryURL(repository, arch string) string {
if strings.HasSuffix(repository, "/x86_64/APKINDEX.tar.gz") || strings.HasSuffix(repository, "/aarch64/APKINDEX.tar.gz") {
return repository
}
return fmt.Sprintf("%s/%s/APKINDEX.tar.gz", repository, arch)
}

// resolveInputForRemoteTarget takes the given input string, which is expected
// to be the name of a Wolfi package (or subpackage), and it queries the Wolfi
// APK repository to find the latest version of the package for each
Expand All @@ -615,13 +628,15 @@ func resolveInputFileFromArg(inputFilePath string) (*os.File, error) {
// For example, given the input value "calico", this function will find the
// latest version of the package (e.g. "calico-3.26.3-r3.apk") and download it
// for each architecture.
func resolveInputForRemoteTarget(ctx context.Context, input string) (downloadedAPKFilePaths []string, cleanup func() error, err error) {
func resolveInputForRemoteTarget(ctx context.Context, input, repository string) (downloadedAPKFilePaths []string, cleanup func() error, err error) {
logger := clog.FromContext(ctx)

archesFound := 0
for _, arch := range []string{"x86_64", "aarch64"} {

Check failure on line 635 in pkg/cli/scan.go

View workflow job for this annotation

GitHub Actions / lint

unnecessary leading newline (whitespace)
const apkRepositoryURL = "https://packages.wolfi.dev/os"
apkindex, err := index.Index(arch, apkRepositoryURL)

// Since index.Index function doesn't respect the `$HTTP_AUTH`, use
// fetchAPKIndex function instead.
apkindex, _, err := fetchAPKIndex(ctx, getRepositoryURL(repository, arch))
if err != nil {
return nil, nil, fmt.Errorf("getting APKINDEX: %w", err)
}
Expand Down Expand Up @@ -651,7 +666,7 @@ func resolveInputForRemoteTarget(ctx context.Context, input string) (downloadedA
break
}
}
downloadURL := fmt.Sprintf("%s/%s/%s", apkRepositoryURL, arch, latestPkg.Filename())
downloadURL := fmt.Sprintf("%s/%s/%s", repository, arch, latestPkg.Filename())

apkTempFileName := fmt.Sprintf("%s-%s-%s-*.apk", arch, input, latestVersion)
tmpFile, err := os.CreateTemp("", apkTempFileName)
Expand All @@ -665,6 +680,7 @@ func resolveInputForRemoteTarget(ctx context.Context, input string) (downloadedA
return nil, nil, fmt.Errorf("creating request for %q: %w", downloadURL, err)
}

addAuth(req)
logger.Debug("downloading APK", "url", downloadURL)
resp, err := http.DefaultClient.Do(req)
if err != nil {
Expand Down

0 comments on commit cbd5210

Please sign in to comment.