Add OCI support + use URI schemes (#160)

* add oci support + update image schemes Signed-off-by: Alex Goodman <[email protected]> * update to oci-dir Signed-off-by: Alex Goodman <[email protected]> * bump upstream stereoscope, testutils, and syft pins Signed-off-by: Alex Goodman <[email protected]> * fix malformed go.sum Signed-off-by: Alex Goodman <[email protected]> * pull in upstream syft json presenter updates Signed-off-by: Alex Goodman <[email protected]>
anchore · Sep 25, 2020 · 326afa3 · 326afa3
1 parent 9f6301b
commit 326afa3
Show file tree

Hide file tree

Showing 15 changed files with 92 additions and 53 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -93,15 +93,15 @@ jobs:
 
       - restore_cache:
           keys:
-            - integration-test-tar-cache-{{ checksum "test/integration/test-fixtures/tar-cache.fingerprint" }}
+            - integration-test-cache-{{ checksum "test/integration/test-fixtures/cache.fingerprint" }}
       - run:
           name: run integration tests
           command: make integration
 
       - save_cache:
-          key: integration-test-tar-cache-{{ checksum "test/integration/test-fixtures/tar-cache.fingerprint" }}
+          key: integration-test-cache-{{ checksum "test/integration/test-fixtures/cache.fingerprint" }}
           paths:
-            - "test/integration/test-fixtures/tar-cache"
+            - "test/integration/test-fixtures/cache"
 
 workflows:
   "Static Analysis + Unit + Integration":

diff --git a/Makefile b/Makefile
@@ -128,11 +128,11 @@ integration: ## Run integration tests
 # note: this is used by CI to determine if the integration test fixture cache (docker image tars) should be busted
 .PHONY: integration-fingerprint
 integration-fingerprint:
-	find test/integration/test-fixtures/image-* -type f -exec md5sum {} + | awk '{print $1}' | sort | md5sum | tee test/integration/test-fixtures/tar-cache.fingerprint
+	find test/integration/test-fixtures/image-* -type f -exec md5sum {} + | awk '{print $1}' | sort | md5sum | tee test/integration/test-fixtures/cache.fingerprint
 
 .PHONY: clear-test-cache
 clear-test-cache: ## Delete all test cache (built docker image tars)
-	find . -type f -wholename "**/test-fixtures/tar-cache/*.tar" -delete
+	find . -type f -wholename "**/test-fixtures/cache/*.tar" -delete
 
 .PHONY: check-pipeline
 check-pipeline: ## Run local CircleCI pipeline locally (sanity check)

diff --git a/README.md b/README.md
@@ -24,6 +24,7 @@ A vulnerability scanner for container images and filesystems. [Easily install th
   - JavaScript (NPM/Yarn)
   - Python (Egg/Wheel)
   - Python pip/requirements.txt/setup.py listings
+- Supports Docker and OCI image formats
 
 > :warning: **This is pre-release software** and it may not work as expected. If you encounter an issue, please [let us know using the issue tracker](https://github.com/anchore/grype/issues).
 
@@ -45,19 +46,23 @@ grype <image> --scope all-layers
 Grype can scan a variety of sources beyond those found in Docker.
 
 ```
-# scan a docker image tar (from the result of "docker image save ... -o image.tar" command)
-grype docker-archive://path/to/image.tar
+# scan a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
+grype path/to/image.tar
 
 # scan a directory
-grype dir://path/to/dir
+grype path/to/dir
 ```
 
-By default Grype shows a summary table, however, a more detailed `json` format is also available.
-
+The output format for Grype is configurable as well:
 ```
-grype <image> -o json
+grype <image> -o <format>
 ```
 
+Where the `format`s available are:
+- `json`: Use this to get as much information out of Grype as possible!
+- `cyclonedx`: A XML report conforming to the [CycloneDX 1.2](https://cyclonedx.org/) specification.
+- `table`: A columnar summary (default).
+
 Grype pulls a database of vulnerabilities derived from the publicly available [Anchore Feed Service](https://ancho.re/v1/service/feeds). This database is updated at the beginning of each scan, but an update can also be triggered manually.
 
 ```

diff --git a/cmd/root.go b/cmd/root.go
@@ -35,11 +35,17 @@ import (
 var rootCmd = &cobra.Command{
 	Use:   fmt.Sprintf("%s [IMAGE]", internal.ApplicationName),
 	Short: "A vulnerability scanner for container images and filesystems", // TODO: add copy, add path-based scans
-	Long: format.Tprintf(`Supports the following image sources:
-    {{.appName}} yourrepo/yourimage:tag             defaults to using images from a docker daemon
-    {{.appName}} dir://path/to/yourrepo             do a directory scan
-    {{.appName}} docker://yourrepo/yourimage:tag    explicitly use a docker daemon
-    {{.appName}} tar://path/to/yourimage.tar        use a tarball from disk
+	Long: format.Tprintf(`
+Supports the following image sources:
+    {{.appName}} yourrepo/yourimage:tag     defaults to using images from a Docker daemon
+    {{.appName}} path/to/yourproject        a Docker tar, OCI tar, OCI directory, or generic filesystem directory 
+
+You can also explicitly specify the scheme to use:
+    {{.appName}} docker:yourrepo/yourimage:tag          explicitly use the Docker daemon
+    {{.appName}} docker-archive:path/to/yourimage.tar   use a tarball from disk for archives created from "docker save"
+    {{.appName}} oci-archive:path/to/yourimage.tar      use a tarball from disk for OCI archives (from Podman or otherwise)
+    {{.appName}} oci-dir:path/to/yourimage              read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
+    {{.appName}} dir:path/to/yourproject                read directly from a path on disk (any directory)
 `, map[string]interface{}{
 		"appName": internal.ApplicationName,
 	}),

diff --git a/go.mod b/go.mod
@@ -4,17 +4,19 @@ go 1.14
 
 require (
 	github.com/adrg/xdg v0.2.1
-	github.com/anchore/go-testutils v0.0.0-20200923124913-cc3783363628
+	github.com/anchore/go-testutils v0.0.0-20200924130829-c7fdedf242b7
 	github.com/anchore/go-version v1.2.2-0.20200810141238-330bef18dbca
 	github.com/anchore/grype-db v0.0.0-20200909132108-9474dd8f080f
-	github.com/anchore/stereoscope v0.0.0-20200922191919-df2d5de22d9d
-	github.com/anchore/syft v0.1.0-beta.4.0.20200918175440-45b5cab49a8a
+	github.com/anchore/stereoscope v0.0.0-20200925141829-d086a3427f85
+	github.com/anchore/syft v0.1.0-beta.4.0.20200925180738-49800b6747b3
 	github.com/docker/docker v17.12.0-ce-rc1.0.20200309214505-aa6a9891b09c+incompatible
 	github.com/dustin/go-humanize v1.0.0
 	github.com/facebookincubator/nvdtools v0.1.4-0.20200622182922-aed862a62ae6
 	github.com/go-test/deep v1.0.7
+	github.com/google/go-containerregistry v0.1.1 // indirect
 	github.com/google/uuid v1.1.1
 	github.com/gookit/color v1.2.7
+	github.com/gopherjs/gopherjs v0.0.0-20190910122728-9d188e94fb99 // indirect
 	github.com/hashicorp/go-getter v1.4.1
 	github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
@@ -31,5 +33,10 @@ require (
 	github.com/wagoodman/jotframe v0.0.0-20200730190914-3517092dd163
 	github.com/x-cray/logrus-prefixed-formatter v0.5.2
 	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+	golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect
+	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 // indirect
+	golang.org/x/sys v0.0.0-20200610111108-226ff32320da // indirect
+	google.golang.org/genproto v0.0.0-20200615140333-fd031eab31e7 // indirect
+	gopkg.in/ini.v1 v1.57.0 // indirect
 	gopkg.in/yaml.v2 v2.3.0
 )