NVSHAS-9584: Add package github.com/coreos/clair

1. Add upstream package github.com/coreos/clair 2. Update usage for tar functions based on neuvector repo's change
neuvector · Jan 21, 2025 · 819d8ed · 819d8ed
1 parent 660e33f
commit 819d8ed
Show file tree

Hide file tree

Showing 9 changed files with 412 additions and 14 deletions.
diff --git a/common/db.go b/common/db.go
@@ -721,7 +721,7 @@ func unzipDb(path, desPath string, encryptKey []byte) error {
 	}
 
 	tarFile := bytes.NewReader(plainData)
-	err = utils.ExtractAllArchiveToFiles(desPath, tarFile, maxExtractSize, nil)
+	err = utils.ExtractAllArchiveToFiles(desPath, tarFile, nil)
 	if err != nil {
 		log.WithFields(log.Fields{"error": err}).Error("Extract db file error")
 		return err

diff --git a/cvetools/cvesearch.go b/cvetools/cvesearch.go
@@ -28,7 +28,6 @@ import (
 )
 
 const (
-	maxFileSize     = 300 * 1024 * 1024
 	contentManifest = "root/buildinfo/content_manifests"
 )
 
@@ -144,7 +143,7 @@ func (cv *ScanTools) ScanImageData(data *share.ScanData) (*share.ScanResult, err
 
 	pkgs, err := utils.SelectivelyExtractArchive(bytes.NewReader(data.Buffer), func(filename string) bool {
 		return true
-	}, maxFileSize)
+	})
 	if err != nil {
 		log.WithFields(log.Fields{"error": err}).Error("read file error")
 		return result, err

diff --git a/cvetools/image.go b/cvetools/image.go
@@ -25,6 +25,7 @@ import (
 	"github.com/neuvector/neuvector/share/scan/registry"
 	"github.com/neuvector/neuvector/share/scan/secrets"
 	"github.com/neuvector/neuvector/share/utils"
+	"github.com/coreos/clair/pkg/tarutil"
 )
 
 const (
@@ -334,13 +335,8 @@ func getImageLayers(tmpDir string, imageTar string) ([]string, map[string]string
 	defer reader.Close()
 
 	//get the manifest from the image tar
-	files, _ := utils.SelectivelyExtractArchive(bufio.NewReader(reader), func(filename string) bool {
-		if filename == manifestJson || strings.HasSuffix(filename, layerJson) || filename == ociLayout {
-			return true
-		} else {
-			return false
-		}
-	}, maxFileSize)
+	filenames := []string{manifestJson, layerJson, ociLayout}
+	files, _ := tarutil.ExtractFiles(bufio.NewReader(reader), filenames)
 
 	// https://github.com/opencontainers/image-spec/blob/main/image-layout.md
 	// Optional: Following the index.json to find a manifest
@@ -447,7 +443,7 @@ func getImageLayerIterate(
 			size = info.Size
 		}
 
-		pathMap, err := selectiveFilesFromPath(layerPath, maxFileSize, func(path, fullpath string) bool {
+		pathMap, err := selectiveFilesFromPath(layerPath, func(path, fullpath string) bool {
 			if scan.OSPkgFiles.Contains(path) || scan.IsAppsPkgFile(path, fullpath) {
 				return true
 			}
@@ -621,7 +617,7 @@ func downloadLayers(ctx context.Context, layers []string, sizes map[string]int64
 							break
 						}
 
-						size, err = utils.ExtractAllArchive(layerPath, rd.(io.ReadCloser), -1)
+						size, err = utils.ExtractAllArchive(layerPath, rd.(io.ReadCloser))
 						if err != nil {
 							log.WithFields(log.Fields{"error": err, "path": layerPath}).Error("Failed to unzip image")
 							os.RemoveAll(layerPath)
@@ -648,7 +644,7 @@ func downloadLayers(ctx context.Context, layers []string, sizes map[string]int64
 
 // selectiveFilesFromPath the specified files and folders
 // store them in a map indexed by file paths
-func selectiveFilesFromPath(rootPath string, maxFileSize int64, selected func(string, string) bool) (map[string]string, error) {
+func selectiveFilesFromPath(rootPath string, selected func(string, string) bool) (map[string]string, error) {
 	rootLen := len(filepath.Clean(rootPath))
 	data := make(map[string]string)
 
@@ -660,7 +656,7 @@ func selectiveFilesFromPath(rootPath string, maxFileSize int64, selected func(st
 		}
 
 		if !info.IsDir() {
-			if info.Mode().IsRegular() && (maxFileSize > 0 && info.Size() < maxFileSize) {
+			if info.Mode().IsRegular() && (info.Size() < tarutil.MaxExtractableFileSize) {
 				inpath := path[(rootLen + 1):] // remove the root "/"
 				if selected(inpath, path) {
 					data[inpath] = path

diff --git a/go.mod b/go.mod
@@ -35,6 +35,7 @@ require (
 	github.com/containerd/ttrpc v1.2.4 // indirect
 	github.com/containerd/typeurl v1.0.3-0.20220422153119-7f6e6d160d67 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
+	github.com/coreos/clair v2.1.0+incompatible // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.5.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect

diff --git a/go.sum b/go.sum
@@ -45,6 +45,8 @@ github.com/containerd/typeurl v1.0.3-0.20220422153119-7f6e6d160d67 h1:rQvjv7gRi6
 github.com/containerd/typeurl v1.0.3-0.20220422153119-7f6e6d160d67/go.mod h1:HDkcKOXRnX6yKnXv3P0QrogFi0DoiauK/LpQi961f0A=
 github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4=
 github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
+github.com/coreos/clair v2.1.0+incompatible h1:lY0fTAGneYxXfq0j2vM+Xxip30XBzSn2tzSolAwkMnc=
+github.com/coreos/clair v2.1.0+incompatible/go.mod h1:uXhHPWAoRqw0jJc2f8RrPCwRhIo9otQ8OEWUFtpCiwA=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

diff --git a/vendor/github.com/coreos/clair/LICENSE b/vendor/github.com/coreos/clair/LICENSE
diff --git a/vendor/github.com/coreos/clair/NOTICE b/vendor/github.com/coreos/clair/NOTICE