UNPKG

snyk-docker-plugin/lib/types.ts

Version:

8.8 kBPlain TextView Raw

1import { DepGraphData } from "@snyk/dep-graph";
2
3import {
DockerFileAnalysis,
DockerFileLayers,
DockerFilePackages,
7} from "./dockerfile/types";
8
9export enum ImageType {
Identifier, // e.g. "nginx:latest"
DockerArchive = "docker-archive", // e.g. "docker-archive:/tmp/nginx.tar"
OciArchive = "oci-archive", // e.g. "oci-archive:/tmp/nginx.tar"
13}
14
15export enum OsReleaseFilePath {
Linux = "/etc/os-release",
LinuxFallback = "/usr/lib/os-release",
Lsb = "/etc/lsb-release",
Debian = "/etc/debian_version",
Alpine = "/etc/alpine-release",
RedHat = "/etc/redhat-release",
Oracle = "/etc/oracle-release",
Centos = "/etc/centos-release",
24}
25
26export enum HashAlgorithm {
Sha256 = "sha256",
Sha1 = "sha1",
29}
30
31export enum UnresolvedDockerfileVariableHandling {
Abort = "Abort",
Continue = "Continue",
34}
35
36export interface ManifestFile {
name: string;
path: string;
/**
 * Base64-encoded file contents.
 * We use Base64 to avoid any assumptions about the original file encoding,
 * which is difficult to infer and may be corrupted when the data is transferred over the network.
 */
contents: string;
45}
46
47export interface ImageNameInfo {
names: string[];
// this will allow us to extend in the future when needed
50}
51
52export type FactType =
| "autoDetectedUserInstructions"
| "depGraph"
| "dockerfileAnalysis"
| "imageCreationTime"
| "imageId"
| "imageLabels"
// Collects the file names of the individual .tar layers found in the scanned image.
| "imageLayers"
// Package manager manifests (e.g. requirements.txt, Gemfile.lock) collected as part of an application scan.
| "imageManifestFiles"
| "imageNames"
| "imageOsReleasePrettyName"
| "imageSizeBytes"
// Hashes of extracted *.jar binaries, hashed with sha1 algorithm
| "jarFingerprints"
// Hashes of executables not installed by a package manager (e.g. if they were copied straight onto the image).
| "keyBinariesHashes"
| "loadedPackages"
| "ociDistributionMetadata"
| "rootFs"
// Used for application dependencies scanning; shows which files were used in the analysis of the dependencies.
| "testedFiles";
75
76export interface PluginResponse {
/** The first result is guaranteed to be the OS dependencies scan result. */
scanResults: ScanResult[];
79}
80
81export interface ScanResult {
/** User-friendly name to use as the name of the Project that Snyk creates. */
name?: string;
/** Contains the Snyk policy file content. */
policy?: string;
/** The target defines "where" you found this scan result. */
target: ContainerTarget;
/** Identity defines "what" you found. */
identity: Identity;
/** Facts are the collection of things you found. */
facts: Fact[];
92}
93
94export interface AutoDetectedUserInstructions {
dockerfilePackages: DockerFilePackages;
dockerfileLayers: DockerFileLayers;
97}
98
99export interface ContainerTarget {
image: string;
101}
102
103/**
* The identity of a scan result allows to uniquely locate "what" you found.
* Any differences in the identity influences how a Project is created in Snyk
* and can result in a completely different Project (for example, if "args.targetFramework" differs).
*/
108export interface Identity {
/**
 * This used to be represented as "packageManager" but now can contain any sensible ecosystem type.
 * Examples: dockerfile, cpp, terraform-module, deb, npm, and so on.
 */
type: string;
targetFile?: string;
args?: { [key: string]: string };
116}
117
118/**
* A collection of things that were found as part of a scan.
* As the developer and owner, you are responsible for defining and maintaining your own Facts.
* Examples of facts: a dependency graph, a list of file content hashes, Dockerfile analysis. See FactType.
*/
123export interface Fact {
type: FactType;
data: any;
126}
127
128/**
* WARNING! WARNING! WARNING!
* The CLI may pass certain values as strings.
* Please make sure to sanitize ALL input and not assume it is a "number" or "boolean".
*/
133export interface PluginOptions {
/** This can be an image identifier, or a path to an OCI or Docker archive. */
path: string;
/** Override the default plugin path when pulling images to the filesystem. */
imageSavePath: string;
/** Path to a Dockerfile. */
file: string;
140
/**
 * Override the "name" and "version" fields of the OS dependencies result.
 * WARNING! This is NOT used by the Snyk CLI!
 *
 * It is used by K8s-Monitor and DRA to preserve the image identifier when scanning archives.
 * The archives do not contain any data about the image's name and tag (since they are only
 * known by the container registry) and in some contexts we know this data and want to keep it.
 *
 * This flag will be processed only when scanning image archives. In other cases "path" is used.
 */
imageNameAndTag: string;
152
/**
 * WARNING! This is NOT used by the Snyk CLI!
 *
 * It is used by K8s-Monitor to preserve the imageNameAndDigest if we can extract this
 * information from the workload metadata when scanning archives.
 */
imageNameAndDigest: string;
160
/**
 * WARNING! This is NOT used by the Snyk CLI!
 *
 * It is used by Docker Registry Agent to preserve the image digests if we can extract this
 * information from pulling the image with Snyk Docker Pull.
 */
digests: { manifest?: string; index?: string };
168
/**
 * Provide patterns on which to match for detecting package manager manifest files.
 * Used for the APP+OS deps feature, not by the CLI.
 */
globsToFind: {
  include: string[];
  exclude: string[];
};
177
/** For authentication to a container registry. */
username: string;
/** For authentication to a container registry. */
password: string;
182
/**
 * Format is "operating-system/processor-architecture", for example "linux/arm64/v8".
 * The default is "linux/amd64".
 */
platform: string;
188
/**
 * Whether to enable application dependencies scanning.
 * It's here so that things don't completely break if used, but it should not be used
 * (and is ignored) starting with release version 5.0.0
 */
"app-vulns": boolean | string;
195
/** Whether to disable application dependencies scanning. The default is "false" */
"exclude-app-vulns": boolean | string;
198
/**
 * How many levels of (nested) JARs we should unpack
 * If a JAR contains other JARs (AKA JAR of JARs), we send back only the children JARs, and don't look for vulns in the parent.
 *
 * If the flag was not provided but --app-vuls was, we unpack 1 level.
 * If 0 is provided, we do not unpack any JARs
 * if n > 0 is provided, we try to unpack n levels of JARs.
 * The default (if flag is provided, but without a number) is 1 level
 *
 * Cannot come with exclude-app-vulns
 *
 * Alias: shaded-jars-depth
 * TODO remove shaded-jars-depth
 * A shaded JAR is when you unpack all JAR files, then repack them into a single JAR, while
 * renaming (i.e., "shading") all packages of all dependencies.
 */
"nested-jars-depth": boolean | string;
"shaded-jars-depth": boolean | string;
217
/** The default is "false". */
"exclude-base-image-vulns": boolean | string;
220}
221
222export interface DepTreeDep {
name: string;
version: string;
sourceVersion?: string;
dependencies: {
  [depName: string]: DepTreeDep;
};
purl?: string;
labels?: {
  [key: string]: string;
};
233}
234
235/** @deprecated Prefer building Graphs instead of Trees. */
236export interface DepTree extends DepTreeDep {
type?: string;
packageFormatVersion: string;
targetOS: {
  name: string;
  prettyName: string;
  version: string;
};
244
targetFile?: string;
policy?: string;
docker?: {
  dockerfileAnalysis?: DockerFileAnalysis;
  dockerfilePkgs?: DockerFilePackages;
  dockerImageId?: string;
  imageLayers?: string[];
  rootFs?: string[];
  imageName?: string;
};
files?: any;
256}
257
258export interface Issue {
pkgName: string;
pkgVersion?: string;
issueId: string;
fixInfo: {
  nearestFixedInVersion?: string; // TODO: add more fix info
};
265}
266
267export interface IssuesData {
[issueId: string]: {
  id: string;
  severity: string;
  from: string[][];
  title: string;
};
274}
275
276export interface BaseImageRemediationAdvice {
message: string;
bold?: boolean;
color?: string;
280}
281
282interface BaseImageRemediation {
code: string;
advice: BaseImageRemediationAdvice[];
message?: string; // TODO: check if this is still being sent
286}
287
288export interface TestResult {
org: string;
licensesPolicy: object | null;
docker: {
  baseImage?: string;
  baseImageRemediation?: BaseImageRemediation;
};
issues: Issue[];
issuesData: IssuesData;
depGraphData: DepGraphData;
298}
299
300export interface Options {
path: string;
file?: string;
debug?: boolean;
isDockerUser?: boolean;
config?: any;
306}

1	`import { DepGraphData } from "@snyk/dep-graph";`
2
3	`import {`
4	`DockerFileAnalysis,`
5	`DockerFileLayers,`
6	`DockerFilePackages,`
7	`} from "./dockerfile/types";`
8
9	`export enum ImageType {`
10	`Identifier, // e.g. "nginx:latest"`
11	`DockerArchive = "docker-archive", // e.g. "docker-archive:/tmp/nginx.tar"`
12	`OciArchive = "oci-archive", // e.g. "oci-archive:/tmp/nginx.tar"`
13	`}`
14
15	`export enum OsReleaseFilePath {`
16	`Linux = "/etc/os-release",`
17	`LinuxFallback = "/usr/lib/os-release",`
18	`Lsb = "/etc/lsb-release",`
19	`Debian = "/etc/debian_version",`
20	`Alpine = "/etc/alpine-release",`
21	`RedHat = "/etc/redhat-release",`
22	`Oracle = "/etc/oracle-release",`
23	`Centos = "/etc/centos-release",`
24	`}`
25
26	`export enum HashAlgorithm {`
27	`Sha256 = "sha256",`
28	`Sha1 = "sha1",`
29	`}`
30
31	`export enum UnresolvedDockerfileVariableHandling {`
32	`Abort = "Abort",`
33	`Continue = "Continue",`
34	`}`
35
36	`export interface ManifestFile {`
37	`name: string;`
38	`path: string;`
39	`/**`
40	`* Base64-encoded file contents.`
41	`* We use Base64 to avoid any assumptions about the original file encoding,`
42	`* which is difficult to infer and may be corrupted when the data is transferred over the network.`
43	`*/`
44	`contents: string;`
45	`}`
46
47	`export interface ImageNameInfo {`
48	`names: string[];`
49	`// this will allow us to extend in the future when needed`
50	`}`
51
52	`export type FactType =`
53	`\| "autoDetectedUserInstructions"`
54	`\| "depGraph"`
55	`\| "dockerfileAnalysis"`
56	`\| "imageCreationTime"`
57	`\| "imageId"`
58	`\| "imageLabels"`
59	`// Collects the file names of the individual .tar layers found in the scanned image.`
60	`\| "imageLayers"`
61	`// Package manager manifests (e.g. requirements.txt, Gemfile.lock) collected as part of an application scan.`
62	`\| "imageManifestFiles"`
63	`\| "imageNames"`
64	`\| "imageOsReleasePrettyName"`
65	`\| "imageSizeBytes"`
66	`// Hashes of extracted *.jar binaries, hashed with sha1 algorithm`
67	`\| "jarFingerprints"`
68	`// Hashes of executables not installed by a package manager (e.g. if they were copied straight onto the image).`
69	`\| "keyBinariesHashes"`
70	`\| "loadedPackages"`
71	`\| "ociDistributionMetadata"`
72	`\| "rootFs"`
73	`// Used for application dependencies scanning; shows which files were used in the analysis of the dependencies.`
74	`\| "testedFiles";`
75
76	`export interface PluginResponse {`
77	`/** The first result is guaranteed to be the OS dependencies scan result. */`
78	`scanResults: ScanResult[];`
79	`}`
80
81	`export interface ScanResult {`
82	`/** User-friendly name to use as the name of the Project that Snyk creates. */`
83	`name?: string;`
84	`/** Contains the Snyk policy file content. */`
85	`policy?: string;`
86	`/** The target defines "where" you found this scan result. */`
87	`target: ContainerTarget;`
88	`/** Identity defines "what" you found. */`
89	`identity: Identity;`
90	`/** Facts are the collection of things you found. */`
91	`facts: Fact[];`
92	`}`
93
94	`export interface AutoDetectedUserInstructions {`
95	`dockerfilePackages: DockerFilePackages;`
96	`dockerfileLayers: DockerFileLayers;`
97	`}`
98
99	`export interface ContainerTarget {`
100	`image: string;`
101	`}`
102
103	`/**`
104	`* The identity of a scan result allows to uniquely locate "what" you found.`
105	`* Any differences in the identity influences how a Project is created in Snyk`
106	`* and can result in a completely different Project (for example, if "args.targetFramework" differs).`
107	`*/`
108	`export interface Identity {`
109	`/**`
110	`* This used to be represented as "packageManager" but now can contain any sensible ecosystem type.`
111	`* Examples: dockerfile, cpp, terraform-module, deb, npm, and so on.`
112	`*/`
113	`type: string;`
114	`targetFile?: string;`
115	`args?: { [key: string]: string };`
116	`}`
117
118	`/**`
119	`* A collection of things that were found as part of a scan.`
120	`* As the developer and owner, you are responsible for defining and maintaining your own Facts.`
121	`* Examples of facts: a dependency graph, a list of file content hashes, Dockerfile analysis. See FactType.`
122	`*/`
123	`export interface Fact {`
124	`type: FactType;`
125	`data: any;`
126	`}`
127
128	`/**`
129	`* WARNING! WARNING! WARNING!`
130	`* The CLI may pass certain values as strings.`
131	`* Please make sure to sanitize ALL input and not assume it is a "number" or "boolean".`
132	`*/`
133	`export interface PluginOptions {`
134	`/** This can be an image identifier, or a path to an OCI or Docker archive. */`
135	`path: string;`
136	`/** Override the default plugin path when pulling images to the filesystem. */`
137	`imageSavePath: string;`
138	`/** Path to a Dockerfile. */`
139	`file: string;`
140
141	`/**`
142	`* Override the "name" and "version" fields of the OS dependencies result.`
143	`* WARNING! This is NOT used by the Snyk CLI!`
144	`*`
145	`* It is used by K8s-Monitor and DRA to preserve the image identifier when scanning archives.`
146	`* The archives do not contain any data about the image's name and tag (since they are only`
147	`* known by the container registry) and in some contexts we know this data and want to keep it.`
148	`*`
149	`* This flag will be processed only when scanning image archives. In other cases "path" is used.`
150	`*/`
151	`imageNameAndTag: string;`
152
153	`/**`
154	`* WARNING! This is NOT used by the Snyk CLI!`
155	`*`
156	`* It is used by K8s-Monitor to preserve the imageNameAndDigest if we can extract this`
157	`* information from the workload metadata when scanning archives.`
158	`*/`
159	`imageNameAndDigest: string;`
160
161	`/**`
162	`* WARNING! This is NOT used by the Snyk CLI!`
163	`*`
164	`* It is used by Docker Registry Agent to preserve the image digests if we can extract this`
165	`* information from pulling the image with Snyk Docker Pull.`
166	`*/`
167	`digests: { manifest?: string; index?: string };`
168
169	`/**`
170	`* Provide patterns on which to match for detecting package manager manifest files.`
171	`* Used for the APP+OS deps feature, not by the CLI.`
172	`*/`
173	`globsToFind: {`
174	`include: string[];`
175	`exclude: string[];`
176	`};`
177
178	`/** For authentication to a container registry. */`
179	`username: string;`
180	`/** For authentication to a container registry. */`
181	`password: string;`
182
183	`/**`
184	`* Format is "operating-system/processor-architecture", for example "linux/arm64/v8".`
185	`* The default is "linux/amd64".`
186	`*/`
187	`platform: string;`
188
189	`/**`
190	`* Whether to enable application dependencies scanning.`
191	`* It's here so that things don't completely break if used, but it should not be used`
192	`* (and is ignored) starting with release version 5.0.0`
193	`*/`
194	`"app-vulns": boolean \| string;`
195
196	`/** Whether to disable application dependencies scanning. The default is "false" */`
197	`"exclude-app-vulns": boolean \| string;`
198
199	`/**`
200	`* How many levels of (nested) JARs we should unpack`
201	`* If a JAR contains other JARs (AKA JAR of JARs), we send back only the children JARs, and don't look for vulns in the parent.`
202	`*`
203	`* If the flag was not provided but --app-vuls was, we unpack 1 level.`
204	`* If 0 is provided, we do not unpack any JARs`
205	`* if n > 0 is provided, we try to unpack n levels of JARs.`
206	`* The default (if flag is provided, but without a number) is 1 level`
207	`*`
208	`* Cannot come with exclude-app-vulns`
209	`*`
210	`* Alias: shaded-jars-depth`
211	`* TODO remove shaded-jars-depth`
212	`* A shaded JAR is when you unpack all JAR files, then repack them into a single JAR, while`
213	`* renaming (i.e., "shading") all packages of all dependencies.`
214	`*/`
215	`"nested-jars-depth": boolean \| string;`
216	`"shaded-jars-depth": boolean \| string;`
217
218	`/** The default is "false". */`
219	`"exclude-base-image-vulns": boolean \| string;`
220	`}`
221
222	`export interface DepTreeDep {`
223	`name: string;`
224	`version: string;`
225	`sourceVersion?: string;`
226	`dependencies: {`
227	`[depName: string]: DepTreeDep;`
228	`};`
229	`purl?: string;`
230	`labels?: {`
231	`[key: string]: string;`
232	`};`
233	`}`
234
235	`/** @deprecated Prefer building Graphs instead of Trees. */`
236	`export interface DepTree extends DepTreeDep {`
237	`type?: string;`
238	`packageFormatVersion: string;`
239	`targetOS: {`
240	`name: string;`
241	`prettyName: string;`
242	`version: string;`
243	`};`
244
245	`targetFile?: string;`
246	`policy?: string;`
247	`docker?: {`
248	`dockerfileAnalysis?: DockerFileAnalysis;`
249	`dockerfilePkgs?: DockerFilePackages;`
250	`dockerImageId?: string;`
251	`imageLayers?: string[];`
252	`rootFs?: string[];`
253	`imageName?: string;`
254	`};`
255	`files?: any;`
256	`}`
257
258	`export interface Issue {`
259	`pkgName: string;`
260	`pkgVersion?: string;`
261	`issueId: string;`
262	`fixInfo: {`
263	`nearestFixedInVersion?: string; // TODO: add more fix info`
264	`};`
265	`}`
266
267	`export interface IssuesData {`
268	`[issueId: string]: {`
269	`id: string;`
270	`severity: string;`
271	`from: string[][];`
272	`title: string;`
273	`};`
274	`}`
275
276	`export interface BaseImageRemediationAdvice {`
277	`message: string;`
278	`bold?: boolean;`
279	`color?: string;`
280	`}`
281
282	`interface BaseImageRemediation {`
283	`code: string;`
284	`advice: BaseImageRemediationAdvice[];`
285	`message?: string; // TODO: check if this is still being sent`
286	`}`
287
288	`export interface TestResult {`
289	`org: string;`
290	`licensesPolicy: object \| null;`
291	`docker: {`
292	`baseImage?: string;`
293	`baseImageRemediation?: BaseImageRemediation;`
294	`};`
295	`issues: Issue[];`
296	`issuesData: IssuesData;`
297	`depGraphData: DepGraphData;`
298	`}`
299
300	`export interface Options {`
301	`path: string;`
302	`file?: string;`
303	`debug?: boolean;`
304	`isDockerUser?: boolean;`
305	`config?: any;`
306	`}`