Merge pull request #652 from snyk/feat/support-unspecified-archive-type

adrobuta · web-flow · commit 241f8139360f · 2025-04-03T09:40:52.000+03:00
feat: support scan with unspecified archive type
diff --git a/.snyk b/.snyk
@@ -1,5 +1,9 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
-ignore: {}
+ignore: 
+  SNYK-JS-TARFS-9535930:
+    - '*':
+        reason: "Temporary ignore"
+        expires: "2025-05-31T23:59:59.000Z"
 patch: {}
diff --git a/lib/extractor/index.ts b/lib/extractor/index.ts
@@ -127,12 +127,9 @@ export async function extractImageContent(
   } catch (err) {
     if (err instanceof InvalidArchiveError) {
       // fallback to the other extractor if layer extraction failed
-      if (imageType === ImageType.DockerArchive) {
-        extractor = extractors.get(ImageType.OciArchive) as ArchiveExtractor;
-      } else {
-        extractor = extractors.get(ImageType.DockerArchive) as ArchiveExtractor;
-      }
-      archiveContent = await extractor.getLayersAndManifest();
+      [archiveContent, extractor] = await extractArchiveContentFallback(
+        extractors,
+      );
     } else {
       throw err;
     }
@@ -152,6 +149,22 @@ export async function extractImageContent(
   };
 }
 
+async function extractArchiveContentFallback(
+  extractors: Map<ImageType, ArchiveExtractor>,
+): Promise<[ExtractedLayersAndManifest, ArchiveExtractor]> {
+  for (const extractor of extractors.values()) {
+    try {
+      return [await extractor.getLayersAndManifest(), extractor];
+    } catch (error) {
+      continue;
+    }
+  }
+
+  throw new InvalidArchiveError(
+    `Unsupported archive type. Please use a Docker archive, OCI image layout, or Kaniko-compatible tarball.`,
+  );
+}
+
 export function getRootFsLayersFromConfig(imageConfig: ImageConfig): string[] {
   try {
     return imageConfig.rootfs.diff_ids;
diff --git a/lib/image-type.ts b/lib/image-type.ts
@@ -14,7 +14,11 @@ export function getImageType(targetImage: string): ImageType {
       return ImageType.KanikoArchive;
 
     default:
-      return ImageType.Identifier;
+      if (imageIdentifier.endsWith(".tar")) {
+        return ImageType.UnspecifiedArchiveType;
+      } else {
+        return ImageType.Identifier;
+      }
   }
 }
 
@@ -24,11 +28,15 @@ export function getArchivePath(targetImage: string): string {
     "oci-archive",
     "kaniko-archive",
   ];
+
   for (const archiveType of possibleArchiveTypes) {
     if (targetImage.startsWith(archiveType)) {
       return normalizePath(targetImage.substring(`${archiveType}:`.length));
     }
   }
+  if (targetImage.endsWith(".tar")) {
+    return normalizePath(targetImage);
+  }
 
   throw new Error(
     'The provided archive path is missing a prefix, for example "docker-archive:", "oci-archive:" or "kaniko-archive"',
diff --git a/lib/scan.ts b/lib/scan.ts
@@ -95,6 +95,7 @@ export async function scan(
     case ImageType.DockerArchive:
     case ImageType.OciArchive:
     case ImageType.KanikoArchive:
+    case ImageType.UnspecifiedArchiveType:
       return localArchiveAnalysis(
         targetImage,
         imageType,
diff --git a/lib/types.ts b/lib/types.ts
@@ -7,6 +7,7 @@ import {
 } from "./dockerfile/types";
 
 export enum ImageType {
+  UnspecifiedArchiveType, // "e.g /path/nginx.tar"
   Identifier, // e.g. "nginx:latest"
   DockerArchive = "docker-archive", // e.g. "docker-archive:/tmp/nginx.tar"
   OciArchive = "oci-archive", // e.g. "oci-archive:/tmp/nginx.tar"
diff --git a/test/fixtures/docker-oci-archives/unsupported-image.tar b/test/fixtures/docker-oci-archives/unsupported-image.tar
diff --git a/test/lib/extractor/extractor.spec.ts b/test/lib/extractor/extractor.spec.ts
@@ -89,16 +89,6 @@ describe("extractImageContent", () => {
         extractImageContent(ImageType.KanikoArchive, fixture, [], opts),
       ).resolves.not.toThrow();
     });
-
-    it("fails to extract the archive when image type is not set", async () => {
-      await expect(extractImageContent(0, fixture, [], opts)).rejects.toThrow();
-    });
-
-    it("fails to extract the archive when image type is set to docker-archive", async () => {
-      await expect(
-        extractImageContent(ImageType.DockerArchive, fixture, [], opts),
-      ).rejects.toThrow();
-    });
   });
 
   describe("Images pulled & saved with Docker Engine >= 25.x", () => {
diff --git a/test/system/plugin.spec.ts b/test/system/plugin.spec.ts
@@ -1,7 +1,70 @@
 import { DepGraph } from "@snyk/dep-graph";
 import * as plugin from "../../lib";
+import { getFixture } from "../util";
 
 describe("plugin", () => {
+  describe("image is scanned when no image type is specified", () => {
+    it("docker image.tar is scanned successfully when image type is not specified", async () => {
+      const fixturePath = getFixture([
+        "../fixtures/docker-archives",
+        "alpine-arm64.tar",
+      ]);
+      const imagePath = `${fixturePath}`;
+
+      const pluginResult = await plugin.scan({
+        path: imagePath,
+      });
+      const depGraph: DepGraph = pluginResult.scanResults[0].facts.find(
+        (fact) => fact.type === "depGraph",
+      )!.data;
+    });
+
+    it("kaniko image.tar is scanned successfully when image type is not specified", async () => {
+      const fixturePath = getFixture([
+        "../fixtures/kaniko-archives",
+        "kaniko-busybox.tar",
+      ]);
+      const imagePath = `${fixturePath}`;
+
+      const pluginResult = await plugin.scan({
+        path: imagePath,
+      });
+      const depGraph: DepGraph = pluginResult.scanResults[0].facts.find(
+        (fact) => fact.type === "depGraph",
+      )!.data;
+    });
+    it("oci image.tar is scanned successfully when image type is not specified", async () => {
+      const fixturePath = getFixture([
+        "../fixtures/docker-oci-archives",
+        "busybox.amd64.tar",
+      ]);
+      const imagePath = `${fixturePath}`;
+
+      const pluginResult = await plugin.scan({
+        path: imagePath,
+      });
+      const depGraph: DepGraph = pluginResult.scanResults[0].facts.find(
+        (fact) => fact.type === "depGraph",
+      )!.data;
+    });
+
+    it("fails to extract the archive when the archive type is not supported", async () => {
+      const fixturePath = getFixture([
+        "../fixtures/docker-oci-archives",
+        "unsupported-image.tar",
+      ]);
+      const imagePath = `${fixturePath}`;
+
+      await expect(
+        plugin.scan({
+          path: imagePath,
+        }),
+      ).rejects.toThrow(
+        "Unsupported archive type. Please use a Docker archive, OCI image layout, or Kaniko-compatible tarball.",
+      );
+    });
+  });
+
   describe("docker-archive image type throws on bad files", () => {
     test("throws when a file does not exists", async () => {
       const path = "docker-archive:missing-path";
