more stuff

Signed-off-by: RTann <[email protected]>

Author: RTann

chainguard/distributionscanner.go

@@ -19,8 +19,8 @@ const (
 	scannerVersion = "1"
 	scannerKind    = "distribution"
 
-	chainguard = `chainguard`
-	wolfi      = `wolfi`
+	chainguardID = `chainguard`
+	wolfiID      = `wolfi`
 )
 
 var (
@@ -63,31 +63,25 @@ func (s *DistributionScanner) Scan(ctx context.Context, l *claircore.Layer) ([]*
 	b, err := fs.ReadFile(sys, osrelease.Path)
 	switch {
 	case errors.Is(err, nil):
-		m, err := osrelease.Parse(ctx, bytes.NewReader(b))
-		if err != nil {
-			return nil, err
-		}
-
-		switch id := m[`ID`]; id {
-		case chainguard, wolfi:
-			return []*claircore.Distribution{
-				{
-					Name: m[`NAME`],
-					DID:  id,
-					// Neither chainguard nor wolfi images are considered to be "versioned".
-					// Explicitly set the version to the empty string for clarity.
-					Version:    "",
-					PrettyName: m[`PRETTY_NAME`],
-				},
-			}, nil
-		default:
-			// This is neither chainguard nor wolfi.
-			return nil, nil
-		}
 	case errors.Is(err, fs.ErrNotExist):
 		// os-release file must exist in chainguard and wolfi images.
 		return nil, nil
 	default:
 		return nil, err
 	}
+
+	m, err := osrelease.Parse(ctx, bytes.NewReader(b))
+	if err != nil {
+		return nil, err
+	}
+
+	switch id := m[`ID`]; id {
+	case chainguardID:
+		return []*claircore.Distribution{chainguardDist}, nil
+	case wolfiID:
+		return []*claircore.Distribution{wolfiDist}, nil
+	default:
+		// This is neither chainguard nor wolfi.
+		return nil, nil
+	}
 }

chainguard/doc.go

@@ -0,0 +1,7 @@
+// Package chainguard implements everything required to index chainguard-based and wolfi-based container images
+// and match their respective packages to related vulnerabilities.
+//
+// The implementation is based on the [documentation] provided upstream.
+//
+// [documentation] https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/scanning_implementation.md
+package chainguard

chainguard/ecosystem.go

@@ -8,7 +8,7 @@ import (
 	"github.com/quay/claircore/linux"
 )
 
-// NewEcosystem provides the set of scanners and coalescers for the chainguard ecosystem
+// NewEcosystem provides the set of scanners and coalescers for the chainguard/wolfi ecosystem.
 func NewEcosystem(_ context.Context) *indexer.Ecosystem {
 	return &indexer.Ecosystem{
 		PackageScanners: func(ctx context.Context) ([]indexer.PackageScanner, error) {

chainguard/fetcher.go

@@ -0,0 +1,83 @@
+package chainguard
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/quay/zlog"
+
+	"github.com/quay/claircore/libvuln/driver"
+	"github.com/quay/claircore/pkg/tmp"
+)
+
+func (u *updater) Fetch(ctx context.Context, hint driver.Fingerprint) (io.ReadCloser, driver.Fingerprint, error) {
+	ctx = zlog.ContextWithValues(ctx, "component", "chainguard/Updater.Fetch")
+
+	zlog.Info(ctx).Str("database", u.url).Msg("starting fetch")
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.url, nil)
+	if err != nil {
+		return nil, hint, fmt.Errorf("chainguard: unable to construct request: %w", err)
+	}
+
+	if hint != "" {
+		zlog.Debug(ctx).
+			Str("hint", string(hint)).
+			Msg("using hint")
+		req.Header.Set("if-none-match", string(hint))
+	}
+
+	res, err := u.client.Do(req)
+	if err != nil {
+		return nil, hint, fmt.Errorf("chainguard: error making request: %w", err)
+	}
+	defer res.Body.Close()
+
+	switch res.StatusCode {
+	case http.StatusOK:
+		if t := string(hint); t == "" || t != res.Header.Get("etag") {
+			break
+		}
+		fallthrough
+	case http.StatusNotModified:
+		zlog.Info(ctx).Msg("database unchanged since last fetch")
+		return nil, hint, driver.Unchanged
+	default:
+		return nil, hint, fmt.Errorf("chainguard: http response error: %s %d", res.Status, res.StatusCode)
+	}
+	zlog.Debug(ctx).Msg("successfully requested database")
+
+	tf, err := tmp.NewFile("", u.Name()+".")
+	if err != nil {
+		return nil, hint, fmt.Errorf("chainguard: unable to open tempfile: %w", err)
+	}
+	zlog.Debug(ctx).
+		Str("name", tf.Name()).
+		Msg("created tempfile")
+	var success bool
+	defer func() {
+		if !success {
+			if err := tf.Close(); err != nil {
+				zlog.Warn(ctx).Err(err).Msg("unable to close spool")
+			}
+		}
+	}()
+
+	var r io.Reader = res.Body
+	if _, err := io.Copy(tf, r); err != nil {
+		return nil, hint, fmt.Errorf("chainguard: unable to copy resp body to tempfile: %w", err)
+	}
+	if n, err := tf.Seek(0, io.SeekStart); err != nil || n != 0 {
+		return nil, hint, fmt.Errorf("chainguard: unable to seek database to start: at %d, %v", n, err)
+	}
+	zlog.Debug(ctx).Msg("decompressed and buffered database")
+
+	success = true
+	hint = driver.Fingerprint(res.Header.Get("etag"))
+	zlog.Debug(ctx).
+		Str("hint", string(hint)).
+		Msg("using new hint")
+
+	return tf, hint, nil
+}

chainguard/matcher.go

@@ -0,0 +1,81 @@
+package chainguard
+
+import (
+	"context"
+
+	version "github.com/knqyf263/go-apk-version"
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/libvuln/driver"
+)
+
+var (
+	ChainguardMatcher = &matcher{"chainguard"}
+	WolfiMatcher      = &matcher{"wolfi"}
+)
+
+var _ driver.Matcher = (*matcher)(nil)
+
+// Matcher implements driver.Matcher for Chainguard and Wolfi containers.
+type matcher struct {
+	name string
+}
+
+// Name implements driver.Matcher.
+func (m *matcher) Name() string {
+	return m.name + "-matcher"
+}
+
+// Filter implements driver.Matcher.
+func (m *matcher) Filter(record *claircore.IndexRecord) bool {
+	if record.Distribution == nil {
+		return false
+	}
+
+	switch {
+	case record.Distribution.DID == m.name:
+		return true
+	case record.Distribution.Name == m.name:
+		return true
+	default:
+		return false
+	}
+}
+
+// Query implements driver.Matcher.
+func (*matcher) Query() []driver.MatchConstraint {
+	return []driver.MatchConstraint{
+		driver.DistributionDID,
+		driver.DistributionName,
+		driver.DistributionPrettyName,
+	}
+}
+
+// Vulnerable implements driver.Matcher.
+func (*matcher) Vulnerable(_ context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) {
+	if vuln.FixedInVersion == "" {
+		return true, nil
+	}
+
+	// Version "0" tracks false-positives, and it indicates the package is not affected by the vulnerability.
+	// See the following for more information:
+	// https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/scanning_implementation.md#the-meaning-of-version-0
+	if vuln.FixedInVersion == "0" {
+		return false, nil
+	}
+
+	pkgVersion, err := version.NewVersion(record.Package.Version)
+	if err != nil {
+		return false, nil
+	}
+
+	fixedInVersion, err := version.NewVersion(vuln.FixedInVersion)
+	if err != nil {
+		return false, nil
+	}
+
+	if pkgVersion.LessThan(fixedInVersion) {
+		return true, nil
+	}
+
+	return false, nil
+}

chainguard/parser.go

@@ -0,0 +1,72 @@
+package chainguard
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/quay/zlog"
+	"io"
+
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/updater/secdb"
+)
+
+const urlPrefix = "https://images.chainguard.dev/security/"
+
+func (u *updater) Parse(ctx context.Context, r io.ReadCloser) ([]*claircore.Vulnerability, error) {
+	ctx = zlog.ContextWithValues(ctx, "component", "chainguard/Updater.Parse")
+	zlog.Info(ctx).Msg("starting parse")
+	defer r.Close()
+
+	var db secdb.SecurityDB
+	if err := json.NewDecoder(r).Decode(&db); err != nil {
+		return nil, err
+	}
+	return u.parse(ctx, &db)
+}
+
+// parse parses the alpine SecurityDB
+func (u *updater) parse(ctx context.Context, sdb *secdb.SecurityDB) ([]*claircore.Vulnerability, error) {
+	var dist *claircore.Distribution
+	switch u.Name() {
+	case "chainguard-updater":
+		dist = chainguardDist
+	case "wolfi-updater":
+		dist = wolfiDist
+	}
+	if dist == nil {
+		return nil, fmt.Errorf("chainguard: no distribution found for %s", u.Name())
+	}
+	out := []*claircore.Vulnerability{}
+	for _, pkg := range sdb.Packages {
+		if err := ctx.Err(); err != nil {
+			return nil, ctx.Err()
+		}
+		partial := claircore.Vulnerability{
+			Updater:            u.Name(),
+			NormalizedSeverity: claircore.Unknown,
+			Package: &claircore.Package{
+				Name: pkg.Pkg.Name,
+				Kind: claircore.SOURCE,
+			},
+			Dist: dist,
+		}
+		out = append(out, unpackSecFixes(partial, pkg.Pkg.Secfixes)...)
+	}
+	return out, nil
+}
+
+// unpackSecFixes takes a map of secFixes and creates a claircore.Vulnerability for each all CVEs present.
+func unpackSecFixes(partial claircore.Vulnerability, secFixes map[string][]string) []*claircore.Vulnerability {
+	out := []*claircore.Vulnerability{}
+	for fixedIn, ids := range secFixes {
+		for _, id := range ids {
+			v := partial
+			v.Name = id
+			v.FixedInVersion = fixedIn
+			v.Links = urlPrefix + id
+			out = append(out, &v)
+		}
+	}
+	return out
+}

chainguard/release.go

@@ -0,0 +1,27 @@
+package chainguard
+
+import (
+	"github.com/quay/claircore"
+)
+
+var chainguardDist = &claircore.Distribution{
+	Name: "chainguard",
+	DID:  "chainguard",
+	// Chainguard images are not versioned.
+	// Explicitly set the version to the empty string for clarity.
+	// See https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/scanning_implementation.md#chainguards-distros-are-not-versioned
+	// for more information.
+	Version:    "",
+	PrettyName: "Chainguard",
+}
+
+var wolfiDist = &claircore.Distribution{
+	Name: "wolfi",
+	DID:  "wolfi",
+	// Wolfi images are not versioned.
+	// Explicitly set the version to the empty string for clarity.
+	// See https://github.com/chainguard-dev/vulnerability-scanner-support/blob/main/docs/scanning_implementation.md#chainguards-distros-are-not-versioned
+	// for more information.
+	Version:    "",
+	PrettyName: "Wolfi",
+}