1 | import { DepGraphData } from "@snyk/dep-graph";
|
2 |
|
3 | import {
|
4 | DockerFileAnalysis,
|
5 | DockerFileLayers,
|
6 | DockerFilePackages,
|
7 | } from "./dockerfile/types";
|
8 |
|
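/**
 * How the image to scan was specified: a plain image reference or a path
 * to an archive (see `PluginOptions.path`).
 *
 * This is a heterogeneous enum: `Identifier` is numeric while the archive
 * members are strings. `Identifier` previously had no initializer, so its
 * value depended on member order; it is pinned to `0` here so that a
 * reorder can never silently change it. `0` is falsy, so never test an
 * `ImageType` with a bare truthiness check (`if (imageType)`) — always
 * compare against a member.
 */
export enum ImageType {
  /** A plain image reference, e.g. "nginx:latest". */
  Identifier = 0,
  /** A Docker-format tarball, e.g. "docker-archive:/tmp/nginx.tar". */
  DockerArchive = "docker-archive",
  /** An OCI-layout tarball, e.g. "oci-archive:/tmp/nginx.tar". */
  OciArchive = "oci-archive",
}
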
/**
 * Well-known locations of Linux distribution release/version files.
 *
 * The values are absolute paths as they appear inside a root filesystem;
 * presumably they are looked up in the scanned image's layers to detect the
 * OS and its version (confirm against the os-release analysis callers).
 * `LinuxFallback` is the documented fallback location for `/etc/os-release`;
 * the remaining entries are distribution-specific files.
 *
 * NOTE(review): the contents of these files come from the image under scan
 * and are untrusted input; whatever parses them should not assume a
 * well-formed key=value layout.
 */
export enum OsReleaseFilePath {
  Linux = "/etc/os-release",
  LinuxFallback = "/usr/lib/os-release",
  Lsb = "/etc/lsb-release",
  Debian = "/etc/debian_version",
  Alpine = "/etc/alpine-release",
  RedHat = "/etc/redhat-release",
  Oracle = "/etc/oracle-release",
  Centos = "/etc/centos-release",
}

/**
 * Digest algorithms used when fingerprinting files found in an image.
 *
 * The string values are valid Node `crypto.createHash()` algorithm names
 * (presumably how they are consumed; confirm at the call site).
 * `Sha1` is what JAR fingerprints use (see the `jarFingerprints` member of
 * `FactType`); SHA-1 is fine as a lookup key but is not collision
 * resistant, so it must not be treated as an integrity guarantee.
 */
export enum HashAlgorithm {
  Sha256 = "sha256",
  Sha1 = "sha1",
}

/**
 * What the Dockerfile analysis should do when it encounters a variable
 * whose value cannot be resolved (presumably an ARG/ENV reference; confirm
 * in the Dockerfile parser).
 */
export enum UnresolvedDockerfileVariableHandling {
  /** Presumably stops the analysis instead of producing a partial result. */
  Abort = "Abort",
  /** Presumably carries on, leaving the variable unresolved. */
  Continue = "Continue",
}

/**
 * A package manager manifest file collected from an image
 * (see the `imageManifestFiles` member of `FactType`).
 *
 * NOTE(review): `name` and `path` originate inside the scanned image, so
 * they are attacker-controlled. Any consumer that joins them onto a host
 * path must normalise the result and reject traversal outside its base
 * directory.
 */
export interface ManifestFile {
  /** File name; presumably without directory components — confirm against the collector. */
  name: string;
  /** Location of the file; presumably the path inside the image filesystem. */
  path: string;
  /**
   * Base64-encoded file contents.
   * We use Base64 to avoid any assumptions about the original file encoding,
   * which is difficult to infer and may be corrupted when the data is transferred over the network.
   */
  contents: string;
}

/**
 * Names under which the scanned image is known
 * (presumably the payload of the `imageNames` fact; confirm at the producer).
 */
export interface ImageNameInfo {
  /** Image references, e.g. repository:tag strings — presumably; verify against the producer. */
  names: string[];
  // this will allow us to extend in the future when needed
}

/**
 * Discriminator for `Fact.type`. Each value identifies what `Fact.data`
 * holds; the shape of `data` is not encoded in the types in this file, so
 * consumers must validate it per fact type.
 */
export type FactType =
  // Dockerfile packages/layers detected automatically (see AutoDetectedUserInstructions).
  | "autoDetectedUserInstructions"
  // A dependency graph (see the DepGraphData import).
  | "depGraph"
  // Result of analysing a Dockerfile (see DockerFileAnalysis).
  | "dockerfileAnalysis"
  | "imageCreationTime"
  | "imageId"
  | "imageLabels"
  // Collects the file names of the individual .tar layers found in the scanned image.
  | "imageLayers"
  // Package manager manifests (e.g. requirements.txt, Gemfile.lock) collected as part of an application scan.
  | "imageManifestFiles"
  // Names of the scanned image (see ImageNameInfo).
  | "imageNames"
  | "imageOsReleasePrettyName"
  | "imageSizeBytes"
  // Hashes of extracted *.jar binaries, hashed with sha1 algorithm
  | "jarFingerprints"
  // Hashes of executables not installed by a package manager (e.g. if they were copied straight onto the image).
  | "keyBinariesHashes"
  | "loadedPackages"
  | "ociDistributionMetadata"
  | "rootFs"
  // Used for application dependencies scanning; shows which files were used in the analysis of the dependencies.
  | "testedFiles";

/** Top-level result returned by the plugin. */
export interface PluginResponse {
  /** The first result is guaranteed to be the OS dependencies scan result. */
  scanResults: ScanResult[];
}

/**
 * One scan result: where it was found (`target`), what it is (`identity`)
 * and the facts collected about it.
 */
export interface ScanResult {
  /** User-friendly name to use as the name of the Project that Snyk creates. */
  name?: string;
  /** Contains the Snyk policy file content. */
  policy?: string;
  /** The target defines "where" you found this scan result. */
  target: ContainerTarget;
  /** Identity defines "what" you found. */
  identity: Identity;
  /** Facts are the collection of things you found. */
  facts: Fact[];
}

/**
 * Packages and layers detected from a Dockerfile without the user pointing
 * at them explicitly. Presumably the payload of the
 * `autoDetectedUserInstructions` fact; confirm at the producer.
 */
export interface AutoDetectedUserInstructions {
  dockerfilePackages: DockerFilePackages;
  dockerfileLayers: DockerFileLayers;
}

/** Describes "where" a scan result was found (see `ScanResult.target`). */
export interface ContainerTarget {
  /** The image reference that was scanned. */
  image: string;
}

/**
 * The identity of a scan result allows to uniquely locate "what" you found.
 * Any differences in the identity influences how a Project is created in Snyk
 * and can result in a completely different Project (for example, if "args.targetFramework" differs).
 */
export interface Identity {
  /**
   * This used to be represented as "packageManager" but now can contain any sensible ecosystem type.
   * Examples: dockerfile, cpp, terraform-module, deb, npm, and so on.
   */
  type: string;
  /** File the result was derived from, when there is one. */
  targetFile?: string;
  /**
   * Free-form key/value arguments that form part of the identity
   * (see the "args.targetFramework" example above).
   */
  args?: { [key: string]: string };
}

/**
 * A collection of things that were found as part of a scan.
 * As the developer and owner, you are responsible for defining and maintaining your own Facts.
 * Examples of facts: a dependency graph, a list of file content hashes, Dockerfile analysis. See FactType.
 */
export interface Fact {
  type: FactType;
  /**
   * Untyped payload whose shape depends on `type`. Consumers must narrow and
   * validate it before use rather than trust it. A discriminated union keyed
   * on `type` would be the typed alternative, but it would change this public
   * interface, so it is only noted here.
   */
  data: any;
}

/**
 * Options accepted by the plugin.
 *
 * WARNING! WARNING! WARNING!
 * The CLI may pass certain values as strings.
 * Please make sure to sanitize ALL input and not assume it is a "number" or "boolean".
 * This is why several flags below are typed `boolean | string`: parse them
 * explicitly instead of testing them for truthiness (the string "false" is truthy).
 */
export interface PluginOptions {
  /** This can be an image identifier, or a path to an OCI or Docker archive. */
  path: string;
  /** Override the default plugin path when pulling images to the filesystem. */
  imageSavePath: string;
  /** Path to a Dockerfile. */
  file: string;

  /**
   * Override the "name" and "version" fields of the OS dependencies result.
   * WARNING! This is NOT used by the Snyk CLI!
   *
   * It is used by K8s-Monitor and DRA to preserve the image identifier when scanning archives.
   * The archives do not contain any data about the image's name and tag (since they are only
   * known by the container registry) and in some contexts we know this data and want to keep it.
   *
   * This flag will be processed only when scanning image archives. In other cases "path" is used.
   */
  imageNameAndTag: string;

  /**
   * WARNING! This is NOT used by the Snyk CLI!
   *
   * It is used by K8s-Monitor to preserve the imageNameAndDigest if we can extract this
   * information from the workload metadata when scanning archives.
   */
  imageNameAndDigest: string;

  /**
   * WARNING! This is NOT used by the Snyk CLI!
   *
   * It is used by Docker Registry Agent to preserve the image digests if we can extract this
   * information from pulling the image with Snyk Docker Pull.
   */
  digests: { manifest?: string; index?: string };

  /**
   * Provide patterns on which to match for detecting package manager manifest files.
   * Used for the APP+OS deps feature, not by the CLI.
   */
  globsToFind: {
    include: string[];
    exclude: string[];
  };

  /**
   * For authentication to a container registry.
   * NOTE(review): this is a credential; avoid logging or serialising the
   * options object wholesale.
   */
  username: string;
  /** For authentication to a container registry. Same handling caveat as `username`. */
  password: string;

  /**
   * Format is "operating-system/processor-architecture", for example "linux/arm64/v8".
   * The default is "linux/amd64".
   */
  platform: string;

  /**
   * Whether to enable application dependencies scanning.
   * It's here so that things don't completely break if used, but it should not be used
   * (and is ignored) starting with release version 5.0.0
   */
  "app-vulns": boolean | string;

  /** Whether to disable application dependencies scanning. The default is "false" */
  "exclude-app-vulns": boolean | string;
  /** Whether to disable node modules dependencies scanning. The default is "false" */
  "exclude-node-modules": boolean | string;
  /**
   * How many levels of (nested) JARs we should unpack
   * If a JAR contains other JARs (AKA JAR of JARs), we send back only the children JARs, and don't look for vulns in the parent.
   *
   * If the flag was not provided but --app-vulns was, we unpack 1 level.
   * If 0 is provided, we do not unpack any JARs
   * If n > 0 is provided, we try to unpack n levels of JARs.
   * The default (if flag is provided, but without a number) is 1 level
   *
   * Cannot come with exclude-app-vulns
   *
   * Alias: shaded-jars-depth
   * TODO remove shaded-jars-depth
   * A shaded JAR is when you unpack all JAR files, then repack them into a single JAR, while
   * renaming (i.e., "shading") all packages of all dependencies.
   */
  "nested-jars-depth": boolean | string;
  /** Alias of "nested-jars-depth" slated for removal (see the TODO above). */
  "shaded-jars-depth": boolean | string;

  /** Whether to exclude base image vulnerabilities. The default is "false". */
  "exclude-base-image-vulns": boolean | string;
}

/** A node in a dependency tree: one package and the packages it depends on. */
export interface DepTreeDep {
  name: string;
  version: string;
  /** Presumably the upstream/source package version where it differs from `version`; confirm at the producer. */
  sourceVersion?: string;
  /** Direct dependencies, keyed by dependency name. */
  dependencies: {
    [depName: string]: DepTreeDep;
  };
  /** Package URL (purl) for this package, when available. */
  purl?: string;
  /** Free-form string labels attached to the node. */
  labels?: {
    [key: string]: string;
  };
}

/**
 * Root of a dependency tree, carrying scan-wide metadata on top of the root node.
 * @deprecated Prefer building Graphs instead of Trees.
 */
export interface DepTree extends DepTreeDep {
  type?: string;
  packageFormatVersion: string;
  /** Operating system detected in the image. */
  targetOS: {
    name: string;
    prettyName: string;
    version: string;
  };

  targetFile?: string;
  /** Snyk policy file content, if any (compare `ScanResult.policy`). */
  policy?: string;
  /** Container-specific extras; all optional. */
  docker?: {
    dockerfileAnalysis?: DockerFileAnalysis;
    dockerfilePkgs?: DockerFilePackages;
    dockerImageId?: string;
    imageLayers?: string[];
    rootFs?: string[];
    imageName?: string;
  };
  /** Untyped; its shape is not defined in this file. */
  files?: any;
}

/** One issue reported for a package in a `TestResult`. */
export interface Issue {
  pkgName: string;
  pkgVersion?: string;
  /** Key into `IssuesData`. */
  issueId: string;
  fixInfo: {
    nearestFixedInVersion?: string; // TODO: add more fix info
  };
}

/** Issue details keyed by issue id (see `Issue.issueId`). */
export interface IssuesData {
  [issueId: string]: {
    id: string;
    severity: string;
    /** Dependency paths leading to the vulnerable package; each inner array is one path. */
    from: string[][];
    title: string;
  };
}

/** A single line of base-image remediation advice, with optional display hints. */
export interface BaseImageRemediationAdvice {
  message: string;
  /** Display hint: render the message in bold. */
  bold?: boolean;
  /** Display hint: colour name for the message; presumably consumed by the CLI output layer. */
  color?: string;
}

/** Remediation guidance for the base image, as returned in a `TestResult`. Not exported. */
interface BaseImageRemediation {
  code: string;
  advice: BaseImageRemediationAdvice[];
  message?: string; // TODO: check if this is still being sent
}

/** Result of testing a scan against Snyk: issues found plus the graph they were found in. */
export interface TestResult {
  org: string;
  licensesPolicy: object | null;
  docker: {
    baseImage?: string;
    baseImageRemediation?: BaseImageRemediation;
  };
  issues: Issue[];
  /** Details for the ids referenced by `issues`. */
  issuesData: IssuesData;
  depGraphData: DepGraphData;
}

/** Generic options bag; compare the more specific `PluginOptions`. */
export interface Options {
  path: string;
  file?: string;
  debug?: boolean;
  isDockerUser?: boolean;
  /** Untyped; its shape is not defined in this file — validate before use. */
  config?: any;
}