feat: support analyzing images
xieshenzh committed Mar 26, 2024
1 parent 607037a commit 7f091ed
Showing 28 changed files with 24,798 additions and 27 deletions.
57 changes: 56 additions & 1 deletion README.md
Expand Up @@ -456,7 +456,62 @@ This increasing the chances and the probability a lot that the automatic install
A New setting is introduced - `EXHORT_PYTHON_INSTALL_BEST_EFFORTS` (as both env variable/key in `options` object)
1. `EXHORT_PYTHON_INSTALL_BEST_EFFORTS`="false" - install requirements.txt while respecting declared versions for all packages.
2. `EXHORT_PYTHON_INSTALL_BEST_EFFORTS`="true" - install all packages from requirements.txt, not respecting the declared version, but trying to install a version tailored for the used python version, when using this setting,you must set setting `MATCH_MANIFEST_VERSIONS`="false"


### Image Support

Generate vulnerability analysis report for container images.

#### Code Example
```java
package com.redhat.exhort;

import com.redhat.exhort.api.AnalysisReport;
import com.redhat.exhort.image.ImageRef;
import com.redhat.exhort.impl.ExhortApi;

import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;

public class ExhortImageExample {

public static void main(String[] args) throws Exception {
// instantiate the Exhort API implementation
var exhortApi = new ExhortApi();

// create a reference to image test1 by specifying image name and its platform when applicable
var imageRef1 = new ImageRef("quay.io/test/test1:latest", "linux/amd64");

// create a reference to image test2 by specifying image name
var imageRef2 = new ImageRef("quay.io/test/test2:latest", null);

// get a byte array future holding a html Image Analysis reports
CompletableFuture<byte[]> htmlImageReport = exhortApi.imageAnalysisHtml(Set.of(imageRef1, imageRef2));

// get a map of AnalysisReport future holding a deserialized Image Analysis reports
CompletableFuture<Map<ImageRef, AnalysisReport>> imageReport = exhortApi.imageAnalysis(Set.of(imageRef1, imageRef2));
}
}
```

#### Customization
Customizing image analysis optionally by using *Environment Variables* or *Java Properties*.

| Env / Property | Description | Default Value |
|-------------------------------|-----------------------------------------------------------------------------------------|-------------------------------------------------|
| EXHORT_SYFT_PATH | Custom path to the `syft` executable | syft |
| EXHORT_SYFT_CONFIG_PATH | Custom path to the `syft` configuration file | .syft.yaml, .syft/config.yaml, $HOME/.syft.yaml |
| EXHORT_SYFT_IMAGE_SOURCE | Image source for `syft` | |
| EXHORT_SKOPEO_PATH | Custom path to the `skopeo` executable | skopeo |
| EXHORT_SKOPEO_CONFIG_PATH | Custom path to the authentication file used by `skopeo inspect` | $HOME/.docker/config.json |
| EXHORT_IMAGE_SERVICE_ENDPOINT | Host endpoint of the container runtime daemon / service | |
| EXHORT_DOCKER_PATH | Custom path to the `docker` executable | docker |
| EXHORT_PODMAN_PATH | Custom path to the `podman` executable | podman |
| EXHORT_IMAGE_PLATFORM | Default platform used for multi-arch images | |
| EXHORT_IMAGE_OS | Default OS used for multi-arch images when `EXHORT_IMAGE_PLATFORM` is not set | |
| EXHORT_IMAGE_ARCH | Default Architecture used for multi-arch images when `EXHORT_IMAGE_PLATFORM` is not set | |
| EXHORT_IMAGE_VARIANT | Default Variant used for multi-arch images when `EXHORT_IMAGE_PLATFORM` is not set | |

### Known Issues

- For pip requirements.txt - It's been observed that for python versions 3.11.x, there might be slowness for invoking the analysis.
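Review bot: the `main` in the README example never consumes `htmlImageReport` or `imageReport`, so as written it returns with both futures still pending and any failure raised inside them (unreachable registry, missing `syft`/`skopeo`, registry authentication error) is never surfaced; end the example with something like `Map<ImageRef, AnalysisReport> reports = imageReport.get();` and `byte[] html = htmlImageReport.get();` (both covered by the existing `throws Exception`) and show what is done with the result. Two smaller points in the same hunk: the comments read "a html Image Analysis reports" and "a deserialized Image Analysis reports" (singular article, plural noun), and the Customization table describes `EXHORT_SKOPEO_CONFIG_PATH` as the authentication file used by `skopeo inspect`, defaulting to `$HOME/.docker/config.json`; a sentence stating how that file is used (read by `skopeo inspect` to authenticate against the registry) would help readers judge what the image analysis touches on their machine.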
9 changes: 9 additions & 0 deletions pom.xml
Expand Up @@ -388,6 +388,7 @@ limitations under the License.]]>
<!-- This one excluding ExhortApi implementation calss from coverage report as it's not tested by surefire plugin, but with junit-platform-maven-plugin -->
<exclude>com/redhat/exhort/impl/*</exclude>
<exclude>com/redhat/exhort/logging/*</exclude>
<exclude>com/redhat/exhort/image/ImageUtils.class</exclude>

</excludes>
<propertyName>jacoco.java.option</propertyName>
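Review bot: the new `<exclude>com/redhat/exhort/image/ImageUtils.class</exclude>` drops `ImageUtils` from the JaCoCo report, but the comment above only justifies excluding `impl/*` because that code is exercised by junit-platform-maven-plugin rather than surefire; since this commit also registers `.*ImageUtilsTest` with that plugin, extend the comment to say `ImageUtils` is excluded for the same reason, otherwise a reader will take it for an untested class. The comment also has a typo (`calss`).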
Expand Down Expand Up @@ -462,6 +463,8 @@ limitations under the License.]]>
<classNamePatterns>
<pattern>.*Exhort_Api_Test</pattern>
<pattern>.*Operations_Test</pattern>
<pattern>.*Envs_Test</pattern>
<pattern>.*ImageUtilsTest</pattern>
</classNamePatterns>


Expand Down Expand Up @@ -502,6 +505,12 @@ limitations under the License.]]>
<exclude>
**/Operations_Test.java
</exclude>
<exclude>
**/*Envs_Test.java
</exclude>
<exclude>
**/*ImageUtilsTest.java
</exclude>
</excludes>
<argLine>@{surefire.argLine}</argLine>
</configuration>
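Review bot: the two new surefire exclusions are written as `**/*Envs_Test.java` and `**/*ImageUtilsTest.java` with a leading `*`, while the existing entry is `**/Operations_Test.java`; all three are meant to mirror the `classNamePatterns` entries (`.*Operations_Test`, `.*Envs_Test`, `.*ImageUtilsTest`), so pick one form for the exclusion list so that a test excluded from surefire but not matched by a junit-platform pattern cannot silently run nowhere.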
7 changes: 7 additions & 0 deletions src/main/java/com/redhat/exhort/Api.java
Expand Up @@ -17,10 +17,13 @@

import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CompletableFuture;

import com.redhat.exhort.api.AnalysisReport;
import com.redhat.exhort.image.ImageRef;

/** The Api interface is used for contracting API implementations. **/
public interface Api {
Expand Down Expand Up @@ -104,4 +107,8 @@ public int hashCode() {
CompletableFuture<AnalysisReport> componentAnalysis(String manifestType, byte[] manifestContent) throws IOException;

CompletableFuture<AnalysisReport> componentAnalysis(String manifestFile) throws IOException;

CompletableFuture<Map<ImageRef, AnalysisReport>> imageAnalysis(Set<ImageRef> imageRefs) throws IOException;

CompletableFuture<byte[]> imageAnalysisHtml(Set<ImageRef> imageRefs) throws IOException;
}
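Review bot: `imageAnalysis` and `imageAnalysisHtml` are added to the public `Api` contract without Javadoc; document at least the `Set<ImageRef>` contract (whether an empty set is an error or yields an empty map/report, and that the returned map is keyed by the same `ImageRef` values passed in) and what the declared `IOException` covers versus failures that complete the future exceptionally. Because `ImageRef` is used both as a `Set` element and as a `Map` key, the contract only holds if `ImageRef` overrides `equals`/`hashCode` on image name and platform; that class is not visible in this excerpt, so confirm it and state it in the Javadoc.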
0 comments on commit 7f091ed