#1838 Fix image name and version recognition

Lukas Fischer · Lukas Fischer · commit 67c3f4ffbbd2 · 2023-09-18T14:09:29.000+02:00
The previous way of detecting the name and version to supply to Dependency-Track was very brittle, it already failed for image references including a hash, resulting in names like hello-world@sha256, because it would only split on ':' and then select the first and last component. This version uses a regex to as accurately as possible match the individual components of a docker image reference. The regex comes from the [official implementation] on GitHub, but is actually taken from a [pull request], which adds named capture groups and fixes an issue with domain recognition being too eager. Yes the regex looks pretty wild, yes there are tests. I don't think it makes sense to build the regex from the individual components like the docker library does it. Unfortunately this does not solve the problem of actually getting the reference from somewhere, for images it works with getting it from the name of the main component, but this part stays brittle. Annotations to the scans might be a possible solution for that. [official implementation]: https://github.com/distribution/reference [pull request]: distribution/distribution#3803 Signed-off-by: Lukas Fischer <lukas.fischer@iteratec.com>
diff --git a/hooks/persistence-dependencytrack/hook/hook.js b/hooks/persistence-dependencytrack/hook/hook.js
@@ -27,9 +27,26 @@ async function handle({
   // Get the project name and version from the name attribute of the main component
   // This might be a bit brittle, but there is not really a better way to get this information
   // Neither Trivy's nor Syft's SBOM contains a useful version attribute (none or sha256)
-  const components = result.metadata.component.name.split(':');
-  const name = components[0];
-  const version = components.length > 1 ? components.pop() : "latest";
+
+  // Get the components of a docker image reference, the regex is a direct JavaScript adaption of
+  // the official Go-implementation available at https://github.com/distribution/reference/blob/main/regexp.go
+  // but taken from pull request https://github.com/distribution/distribution/pull/3803 which
+  // introduces the named groups and fixes the issue that in "bkimminich/juice-shop" the regex
+  // detects "bkimminich" as part of the domain/host.
+  const imageRegex = new RegExp([
+    '^(?<name>(?:(?<domain>(?:localhost|(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])',
+    '(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+|',
+    '(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])',
+    '(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))*',
+    '(?::[0-9]+)|\\[(?:[a-fA-F0-9:]+)\\](?::[0-9]+)?)(?::[0-9]+)?)\\/)?',
+    '(?<repository>[a-z0-9]+(?:(?:[._]|__|[-]+)[a-z0-9]+)*',
+    '(?:\\/[a-z0-9]+(?:(?:[._]|__|[-]+)[a-z0-9]+)*)*))',
+    '(?::(?<tag>[\\w][\\w.-]{0,127}))?',
+    '(?:@(?<digest>[A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][0-9A-Fa-f]{32,}))?$',
+  ].join(''));
+  const groups = imageRegex.exec(result.metadata.component.name).groups
+  const name = groups.name
+  const version = groups.tag || groups.digest || "latest"
 
   // The POST endpoint expects multipart/form-data
   // Alternatively the PUT endpoint could be used, which requires base64-encoding the SBOM
diff --git a/hooks/persistence-dependencytrack/hook/hook.test.js b/hooks/persistence-dependencytrack/hook/hook.test.js
@@ -111,3 +111,70 @@ test("should send a post request to the url when fired", async () => {
 
   expect(fetch.mock.calls[0][1].body.get("bom")).toBe(JSON.stringify(result));
 });
+
+// Make sure that the crazy regex to parse the reference parts actually works
+test.each([
+  {
+    reference: "bkimminich/juice-shop:v15.0.0",
+    name: "bkimminich/juice-shop",
+    version: "v15.0.0"
+  },
+  {
+    reference: "ubuntu@sha256:b492494d8e0113c4ad3fe4528a4b5ff89faa5331f7d52c5c138196f69ce176a6",
+    name: "ubuntu",
+    version: "sha256:b492494d8e0113c4ad3fe4528a4b5ff89faa5331f7d52c5c138196f69ce176a6"
+  },
+  {
+    reference: "hello-world",
+    name: "hello-world",
+    version: "latest"
+  },
+  {
+    reference: "gcr.io/distroless/cc-debian12:debug-nonroot",
+    name: "gcr.io/distroless/cc-debian12",
+    version: "debug-nonroot"
+  },
+  {
+    reference: "myawesomedockerhub.example.org:8080/notthetag",
+    name: "myawesomedockerhub.example.org:8080/notthetag",
+    version: "latest"
+  },
+])("should detect image reference components accurately", async ({ reference, name, version }) => {
+  const result = {
+    bomFormat: "CycloneDX",
+    metadata: {
+      component: {
+        name: reference
+      }
+    }
+  };
+
+  const getRawResults = async () => result;
+
+  const scan = {
+    metadata: {
+      uid: "a30122a6-7f1a-4e37-ae81-2c25ed7fb8f5",
+      name: "demo-sbom",
+    },
+    status: {
+      rawResultType: "sbom-cyclonedx"
+    }
+  };
+
+  const apiKey = "verysecretgitleaksplsignore"
+  const baseUrl = "http://example.com/foo/bar";
+  const url = baseUrl + "/api/v1/bom"
+
+  await handle({ getRawResults, scan, apiKey, baseUrl, fetch });
+
+  expect(fetch).toBeCalledTimes(1);
+  expect(fetch).toBeCalledWith(url, expect.objectContaining({
+    method: "POST",
+    headers: {
+      "X-API-Key": apiKey,
+    },
+  }));
+
+  expect(fetch.mock.calls[0][1].body.get("projectName")).toBe(name);
+  expect(fetch.mock.calls[0][1].body.get("projectVersion")).toBe(version);
+});
