Make cve and base image query async

Author: cdupuis

commands/cmd.go

@@ -32,7 +32,6 @@ import (
 	"github.com/docker/index-cli-plugin/query"
 	"github.com/docker/index-cli-plugin/sbom"
 	"github.com/docker/index-cli-plugin/types"
-	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/moby/term"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -117,34 +116,14 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 			var sb *types.Sbom
 
 			if ociDir == "" {
-				sb, _, err = sbom.IndexImage(image, dockerCli)
+				sb, err = sbom.IndexImage(image, dockerCli)
 			} else {
-				sb, _, err = sbom.IndexPath(ociDir, image, dockerCli)
+				sb, err = sbom.IndexPath(ociDir, image, dockerCli)
 			}
 			if err != nil {
 				return err
 			}
-			if includeCves {
-				workspace, _ := config.PluginConfig("index", "workspace")
-				apiKey, _ := config.PluginConfig("index", "api-key")
-				cves, err := query.QueryCves(sb, "", workspace, apiKey)
-				if err != nil {
-					skill.Log.Warnf("error running cve query")
-				}
-				if cves != nil {
-					sb.Vulnerabilities = *cves
-				}
-			}
-			if includeBaseImages {
-				bi, err := query.ForBaseImageInGraphQL(sb.Source.Image.Config, true)
-				if err != nil {
-					skill.Log.Warnf("error running base image query")
-				}
-				if bi != nil && len(bi.ImagesByDiffIds) > 0 {
-					sb.Source.BaseImages = bi.ImagesByDiffIds
-				}
-			}
-
+			sb = query.ForCvesAndBaseImagesAsync(sb, includeCves, includeBaseImages, "", "")
 			js, err := json.MarshalIndent(sb, "", "  ")
 			if err != nil {
 				return err
@@ -190,16 +169,15 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 			}
 
 			var sb *types.Sbom
-			var img *v1.Image
 			if ociDir == "" {
-				sb, img, err = sbom.IndexImage(image, dockerCli)
+				sb, err = sbom.IndexImage(image, dockerCli)
 			} else {
-				sb, img, err = sbom.IndexPath(ociDir, image, dockerCli)
+				sb, err = sbom.IndexPath(ociDir, image, dockerCli)
 			}
 			if err != nil {
 				return err
 			}
-			err = sbom.UploadSbom(sb, img, workspace, apiKey)
+			err = sbom.UploadSbom(sb, workspace, apiKey)
 
 			return nil
 		},
@@ -220,12 +198,11 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 			cve := args[0]
 			var err error
 			var sb *types.Sbom
-			var img *v1.Image
 
 			if ociDir == "" {
-				sb, img, err = sbom.IndexImage(image, dockerCli)
+				sb, err = sbom.IndexImage(image, dockerCli)
 			} else {
-				sb, img, err = sbom.IndexPath(ociDir, image, dockerCli)
+				sb, err = sbom.IndexPath(ociDir, image, dockerCli)
 			}
 			if err != nil {
 				return err
@@ -237,7 +214,7 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 				return err
 			}
 
-			format.Cves(cve, cves, img, sb, remediate, dockerCli, workspace, apiKey)
+			format.Cves(cve, cves, sb, remediate, dockerCli, workspace, apiKey)
 
 			if len(*cves) > 0 {
 				os.Exit(1)

format/cve.go

@@ -24,10 +24,9 @@ import (
 	"github.com/docker/index-cli-plugin/internal"
 	"github.com/docker/index-cli-plugin/query"
 	"github.com/docker/index-cli-plugin/types"
-	v1 "github.com/google/go-containerregistry/pkg/v1"
 )
 
-func Cves(cve string, cves *[]types.Cve, img *v1.Image, sb *types.Sbom, remediate bool, dockerCli command.Cli, workspace string, apiKey string) {
+func Cves(cve string, cves *[]types.Cve, sb *types.Sbom, remediate bool, dockerCli command.Cli, workspace string, apiKey string) {
 	if len(*cves) > 0 {
 		for _, c := range *cves {
 			Cve(sb, &c)
@@ -56,7 +55,7 @@ func Cves(cve string, cves *[]types.Cve, img *v1.Image, sb *types.Sbom, remediat
 			// see if the package comes in via the base image
 			s := internal.StartInfoSpinner("Detecting base image", dockerCli.Out().IsTerminal())
 			defer s.Stop()
-			baseImages, index, _ := query.Detect(img, true, workspace, apiKey)
+			baseImages, index, _ := query.Detect(sb, true, workspace, apiKey)
 			s.Stop()
 			var baseImage *types.Image
 			if layerIndex <= index && baseImages != nil && len(*baseImages) > 0 {
@@ -71,7 +70,7 @@ func Cves(cve string, cves *[]types.Cve, img *v1.Image, sb *types.Sbom, remediat
 			if baseImage != nil {
 				s := internal.StartInfoSpinner("Finding alternative base images", dockerCli.Out().IsTerminal())
 				defer s.Stop()
-				aBaseImage, _ := query.ForBaseImageWithoutCve(c.SourceId, baseImage.Repository.Name, img, workspace, apiKey)
+				aBaseImage, _ := query.ForBaseImageWithoutCve(c.SourceId, baseImage.Repository.Name, sb, workspace, apiKey)
 				s.Stop()
 
 				if aBaseImage != nil && len(*aBaseImage) > 0 {

query/async.go

@@ -0,0 +1,81 @@
+/*
+ * Copyright © 2022 Docker, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package query
+
+import (
+	"sync"
+
+	"github.com/docker/index-cli-plugin/types"
+)
+
+type queryResult struct {
+	Cves       []types.Cve
+	BaseImages []types.BaseImage
+	Error      error
+}
+
+func ForCvesAndBaseImagesAsync(sb *types.Sbom, includeCves bool, includeBaseImages bool, workspace string, apiKey string) *types.Sbom {
+	resultChan := make(chan queryResult, 2)
+	var wg sync.WaitGroup
+	if includeCves {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			cves, err := QueryCves(sb, "", workspace, apiKey)
+			if err != nil {
+				resultChan <- queryResult{
+					Error: err,
+				}
+			}
+			if cves != nil {
+				resultChan <- queryResult{
+					Cves: *cves,
+				}
+			}
+		}()
+	}
+	if includeBaseImages {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			bi, err := ForBaseImageInGraphQL(sb.Source.Image.Config, true)
+			if err != nil {
+				resultChan <- queryResult{
+					Error: err,
+				}
+			}
+			if bi != nil && len(bi.ImagesByDiffIds) > 0 {
+				resultChan <- queryResult{
+					BaseImages: bi.ImagesByDiffIds,
+				}
+			}
+		}()
+	}
+	wg.Wait()
+	close(resultChan)
+
+	for result := range resultChan {
+		if result.BaseImages != nil {
+			sb.Source.BaseImages = result.BaseImages
+		}
+		if result.Cves != nil {
+			sb.Vulnerabilities = result.Cves
+		}
+	}
+
+	return sb
+}

query/base.go

@@ -57,12 +57,11 @@ var baseImageCveQuery string
 //go:embed repository_query.edn
 var repositoryQuery string
 
-func Detect(img *v1.Image, excludeSelf bool, workspace string, apiKey string) (*[]types.Image, int, error) {
+func Detect(sb *types.Sbom, excludeSelf bool, workspace string, apiKey string) (*[]types.Image, int, error) {
 	digests := make([]digest.Digest, 0)
-	layers, _ := (*img).Layers()
+	layers := (*sb).Source.Image.Config.RootFS.DiffIDs
 	for _, layer := range layers {
-		d, _ := layer.DiffID()
-		parsed, _ := digest.Parse(d.String())
+		parsed, _ := digest.Parse(layer.String())
 		digests = append(digests, parsed)
 	}
 	if excludeSelf {
@@ -134,8 +133,8 @@ func ForBaseImageInIndex(digest digest.Digest, workspace string, apiKey string)
 	return nil, nil
 }
 
-func ForBaseImageWithoutCve(cve string, name string, img *v1.Image, workspace string, apiKey string) (*[]types.Image, error) {
-	cf, _ := (*img).ConfigFile()
+func ForBaseImageWithoutCve(cve string, name string, sb *types.Sbom, workspace string, apiKey string) (*[]types.Image, error) {
+	cf := (*sb).Source.Image.Config
 	resp, err := query(fmt.Sprintf(baseImageCveQuery, cve, name, cf.OS, cf.Architecture, cf.Variant), "base_image_cve_query", workspace, apiKey)
 
 	var result ImageQueryResult
@@ -224,7 +223,7 @@ func ForBaseImageInGraphQL(cfg *v1.ConfigFile, excludeSelf bool) (*types.BaseIma
 		diffIds = append(diffIds, graphql.ID(d.String()))
 	}
 	if excludeSelf {
-		diffIds = diffIds[0 : len(diffIds)-1]
+		// diffIds = diffIds[0 : len(diffIds)-1]
 	}
 
 	if len(diffIds) == 0 {

registry/save.go

@@ -97,7 +97,7 @@ func (c *ImageCache) StoreImage() error {
 		skill.Log.Infof("Copied image")
 		return nil
 	} else if format == "tar" {
-		u := make(chan v1.Update, 200)
+		u := make(chan v1.Update, 0)
 		errchan := make(chan error)
 		go func() {
 			if err := tarball.WriteToFile(c.ImagePath, *c.Ref, *c.Image, tarball.WithProgress(u)); err != nil {

sbom/index.go

@@ -37,53 +37,58 @@ import (
 
 type ImageIndexResult struct {
 	Input string
-	Image *v1.Image
 	Sbom  *types.Sbom
 	Error error
 }
 
 func indexImageAsync(wg *sync.WaitGroup, image string, cli command.Cli, resultChan chan<- ImageIndexResult) {
 	defer wg.Done()
-	sbom, img, err := IndexImage(image, cli)
+	sbom, err := IndexImage(image, cli)
 	cves, err := query.QueryCves(sbom, "", "", "")
 	if err == nil {
 		sbom.Vulnerabilities = *cves
 	}
 	resultChan <- ImageIndexResult{
 		Input: image,
-		Image: img,
 		Sbom:  sbom,
 		Error: err,
 	}
 }
 
-func IndexPath(path string, name string, cli command.Cli) (*types.Sbom, *v1.Image, error) {
+func IndexPath(path string, name string, cli command.Cli) (*types.Sbom, error) {
 	cache, err := registry.ReadImage(name, path)
 	if err != nil {
-		return nil, nil, errors.Wrap(err, "failed to read image")
+		return nil, errors.Wrap(err, "failed to read image")
 	}
 	return indexImage(cache, cli)
 }
 
-func IndexImage(image string, cli command.Cli) (*types.Sbom, *v1.Image, error) {
+func IndexImage(image string, cli command.Cli) (*types.Sbom, error) {
+	if strings.HasPrefix(image, "sha256:") {
+		configFilePath := cli.ConfigFile().Filename
+		sbomFilePath := filepath.Join(filepath.Dir(configFilePath), "sbom", "sha256", image[7:], "sbom.json")
+		if sbom := cachedSbom(sbomFilePath); sbom != nil {
+			return sbom, nil
+		}
+	}
 	cache, err := registry.SaveImage(image, cli)
 	if err != nil {
-		return nil, nil, errors.Wrap(err, "failed to copy image")
+		return nil, errors.Wrap(err, "failed to copy image")
 	}
 	return indexImage(cache, cli)
 }
 
-func indexImage(cache *registry.ImageCache, cli command.Cli) (*types.Sbom, *v1.Image, error) {
+func indexImage(cache *registry.ImageCache, cli command.Cli) (*types.Sbom, error) {
 	configFilePath := cli.ConfigFile().Filename
 	sbomFilePath := filepath.Join(filepath.Dir(configFilePath), "sbom", "sha256", cache.Digest[7:], "sbom.json")
-	if sbom := cachedSbom(cache, sbomFilePath); sbom != nil {
-		return sbom, cache.Image, nil
+	if sbom := cachedSbom(sbomFilePath); sbom != nil {
+		return sbom, nil
 	}
 
 	err := cache.StoreImage()
 	defer cache.Cleanup()
 	if err != nil {
-		return nil, nil, errors.Wrapf(err, "failed to copy image")
+		return nil, errors.Wrapf(err, "failed to copy image")
 	}
 
 	lm := createLayerMapping(*cache.Image)
@@ -101,7 +106,7 @@ func indexImage(cache *registry.ImageCache, cli command.Cli) (*types.Sbom, *v1.I
 	trivyResult.Packages, err = types.NormalizePackages(trivyResult.Packages)
 	syftResult.Packages, err = types.NormalizePackages(syftResult.Packages)
 	if err != nil {
-		return nil, nil, errors.Wrapf(err, "failed to normalize packagess: %s", cache.Name)
+		return nil, errors.Wrapf(err, "failed to normalize packagess: %s", cache.Name)
 	}
 
 	packages := types.MergePackages(syftResult, trivyResult)
@@ -119,7 +124,7 @@ func indexImage(cache *registry.ImageCache, cli command.Cli) (*types.Sbom, *v1.I
 	if cache.Name != "" {
 		ref, err := name.ParseReference(cache.Name)
 		if err != nil {
-			return nil, nil, errors.Wrapf(err, "failed to parse reference: %s", cache.Name)
+			return nil, errors.Wrapf(err, "failed to parse reference: %s", cache.Name)
 		}
 		cache.Name = ref.Context().String()
 		if !strings.HasPrefix(ref.Identifier(), "sha256:") {
@@ -162,18 +167,18 @@ func indexImage(cache *registry.ImageCache, cli command.Cli) (*types.Sbom, *v1.I
 	if err == nil {
 		err = os.MkdirAll(filepath.Dir(sbomFilePath), os.ModePerm)
 		if err != nil {
-			return nil, nil, errors.Wrapf(err, "failed create to sbom folder")
+			return nil, errors.Wrapf(err, "failed create to sbom folder")
 		}
 		err = os.WriteFile(sbomFilePath, js, 0644)
 		if err != nil {
-			return nil, nil, errors.Wrapf(err, "failed to write sbom")
+			return nil, errors.Wrapf(err, "failed to write sbom")
 		}
 	}
 
-	return &sbom, cache.Image, nil
+	return &sbom, nil
 }
 
-func cachedSbom(cache *registry.ImageCache, sbomFilePath string) *types.Sbom {
+func cachedSbom(sbomFilePath string) *types.Sbom {
 	// see if we can re-use an existing sbom
 	if _, ok := os.LookupEnv("ATOMIST_NO_CACHE"); !ok {
 		if _, err := os.Stat(sbomFilePath); !os.IsNotExist(err) {

sbom/monitor.go

@@ -44,7 +44,7 @@ func WatchImages(cli command.Cli) error {
 
 func indexImageWorker(cli command.Cli, indexJobs <-chan types.ImageSummary) {
 	for img := range indexJobs {
-		_, _, err := IndexImage(img.ID, cli)
+		_, err := IndexImage(img.ID, cli)
 		if err != nil {
 			skill.Log.Warnf("Failed to index image %s", img.ID)
 			delete(imageCache, img.ID)

sbom/upload.go

@@ -34,19 +34,13 @@ import (
 )
 
 // UploadSbom transact an image and its data into the data plane
-func UploadSbom(sb *types.Sbom, img *v1.Image, workspace string, apikey string) error {
+func UploadSbom(sb *types.Sbom, workspace string, apikey string) error {
 	host, name, err := parseReference(sb)
 	if err != nil {
 		return errors.Wrapf(err, "failed to obtain host and repository")
 	}
-	config, err := (*img).ConfigFile()
-	if err != nil {
-		return errors.Wrapf(err, "failed to obtain config")
-	}
-	manifest, err := (*img).Manifest()
-	if err != nil {
-		return errors.Wrapf(err, "failed to obtain manifest")
-	}
+	config := (*sb).Source.Image.Config
+	manifest := (*sb).Source.Image.Manifest
 
 	now := time.Now()
 	correlationId := uuid.NewString()