feat(plugin): enable caching for binary artifacts (#1924)

* feat(plugin): enable caching for binary artifacts

* fix(plugin): fix description of BinaryArtifactsClean

* fix(plugin): fix typo

* fix(plugin): fix linter warning

* fix(plugin): fix test

.families.yaml

@@ -187,6 +187,8 @@ rootkits:
 plugins:
   enabled: false
   binary_mode: false
+  binary_artifacts_path: ""
+  binary_artifacts_clean: true
   scanners_list:
     - "kics"
   inputs: 

api/openapi.yaml

@@ -2089,6 +2089,10 @@ components:
           type: boolean
         binary_mode:
           type: boolean
+        binary_artifacts_path:
+          type: string
+        binary_artifacts_clean:
+          type: boolean
         scanners_list:
           type: array
           items:

cli/state/testdata/effective-config.json

@@ -154,10 +154,12 @@
     }
   },
   "plugins": {
-    "Enabled":false,
-    "ScannersList":null,
-    "Inputs":null,
-    "ScannersConfig":null,
-    "binary_mode":false
+    "Enabled": false,
+    "ScannersList": null,
+    "Inputs": null,
+    "ScannersConfig": null,
+    "BinaryMode": false,
+    "BinaryArtifactsPath": "",
+    "BinaryArtifactsClean": false
   }
 }

plugins/runner/internal/runtimehandler/binary/handler.go

@@ -71,12 +71,19 @@ func (h *binaryRuntimeHandler) Start(ctx context.Context) error {
 	}
 	h.imageCleanup = cleanup
 
-	home, err := os.UserHomeDir()
-	if err != nil {
-		return fmt.Errorf("unable to determine user's home directory: %w", err)
+	var binaryArtifactsPath string
+	if h.config.BinaryArtifactsPath != "" {
+		binaryArtifactsPath = h.config.BinaryArtifactsPath
+	} else {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return fmt.Errorf("unable to determine user's home directory: %w", err)
+		}
+
+		binaryArtifactsPath = filepath.Join(home, ".vmclarity/plugins")
 	}
 
-	h.pluginDir = filepath.Join(home, ".vmclarity/plugins", h.config.Name, image.Metadata.ID)
+	h.pluginDir = filepath.Join(binaryArtifactsPath, h.config.Name, image.Metadata.ID)
 
 	if _, err := os.Stat(h.pluginDir); os.IsNotExist(err) {
 		err = containerrootfs.ToDirectory(ctx, image, h.pluginDir)
@@ -232,9 +239,11 @@ func (h *binaryRuntimeHandler) Remove(ctx context.Context) error {
 	if err := syscall.Unmount(h.inputDirMountPoint, 0); err != nil {
 		removeErr = multierror.Append(removeErr, fmt.Errorf("failed to kill plugin process: %w", err))
 	} else {
-		// Call the cleanup function for the image only after the input directory is unmounted, or else it will also remove
-		// the root filesystem mounted under input
-		h.imageCleanup()
+		if h.config.BinaryArtifactsClean {
+			// Call the cleanup function for the image only after the input directory is unmounted, or else it will also remove
+			// the root filesystem mounted under input
+			h.imageCleanup()
+		}
 	}
 
 	return removeErr //nolint:wrapcheck

plugins/runner/types/types.go

@@ -42,6 +42,10 @@ type PluginConfig struct {
 	TimeoutSeconds int `yaml:"timeout_seconds" mapstructure:"timeout_seconds"`
 	// BinaryMode is a flag to indicate that the plugin should be run as a binary
 	BinaryMode bool `yaml:"binary_mode" mapstructure:"binary_mode"`
+	// BinaryArtifactsPath is the location of the extracted container images
+	BinaryArtifactsPath string `yaml:"binary_artifacts_path" mapstructure:"binary_artifacts_path"`
+	// BinaryArtifactsClean is a flag to indicate that the downloaded and extracted container image needs to be cleaned up after the plugin execution
+	BinaryArtifactsClean bool `yaml:"binary_artifacts_clean" mapstructure:"binary_artifacts_clean"`
 }
 
 type PluginRunner interface {

scanner/families/plugins/runner/config/config.go

@@ -25,5 +25,9 @@ type Config struct {
 	// ScannerConfig is a json string that will be passed to the scanner in the plugin
 	ScannerConfig string `yaml:"scanner_config" mapstructure:"scanner_config"`
 	// BinaryMode is a flag to indicate that the plugin should be run as a binary
-	BinaryMode bool `json:"binary_mode,omitempty" mapstructure:"binary_mode,omitempty"`
+	BinaryMode bool `yaml:"binary_mode,omitempty" mapstructure:"binary_mode,omitempty"`
+	// BinaryArtifactsPath is the location of the extracted container images
+	BinaryArtifactsPath string `yaml:"binary_artifacts_path" mapstructure:"binary_artifacts_path"`
+	// BinaryArtifactsClean is a flag to indicate that the downloaded and extracted container image needs to be cleaned up after the plugin execution
+	BinaryArtifactsClean bool `yaml:"binary_artifacts_clean" mapstructure:"binary_artifacts_clean"`
 }

scanner/families/plugins/types/config.go

@@ -21,11 +21,13 @@ import (
 )
 
 type Config struct {
-	Enabled        bool               `yaml:"enabled" mapstructure:"enabled"`
-	ScannersList   []string           `yaml:"scanners_list" mapstructure:"scanners_list"`
-	Inputs         []common.ScanInput `yaml:"inputs" mapstructure:"inputs"`
-	ScannersConfig ScannersConfig     `yaml:"scanners_config" mapstructure:"scanners_config"`
-	BinaryMode     bool               `json:"binary_mode" mapstructure:"binary_mode"`
+	Enabled              bool               `yaml:"enabled" mapstructure:"enabled"`
+	ScannersList         []string           `yaml:"scanners_list" mapstructure:"scanners_list"`
+	Inputs               []common.ScanInput `yaml:"inputs" mapstructure:"inputs"`
+	ScannersConfig       ScannersConfig     `yaml:"scanners_config" mapstructure:"scanners_config"`
+	BinaryMode           bool               `yaml:"binary_mode" mapstructure:"binary_mode"`
+	BinaryArtifactsPath  string             `yaml:"binary_artifacts_path" mapstructure:"binary_artifacts_path"`
+	BinaryArtifactsClean bool               `yaml:"binary_artifacts_clean" mapstructure:"binary_artifacts_clean"`
 }
 
 type ScannersConfig map[string]runnerconfig.Config