From 4b421ffd140f24dba0cc6ebde0dae64b25d31b01 Mon Sep 17 00:00:00 2001 From: Allen Conlon Date: Fri, 25 Jul 2025 16:54:21 -0400 Subject: [PATCH 1/4] chore: update case for find images Signed-off-by: Allen Conlon --- src/pkg/packager/find_images.go | 12 ++++++++++-- src/pkg/packager/find_images_test.go | 18 ++++++++++++++++++ .../find-images/roles-bindings/zarf.yaml | 12 ++++++++++++ 3 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 src/pkg/packager/testdata/find-images/roles-bindings/zarf.yaml diff --git a/src/pkg/packager/find_images.go b/src/pkg/packager/find_images.go index ad3c2ceb76..c91e6362f0 100644 --- a/src/pkg/packager/find_images.go +++ b/src/pkg/packager/find_images.go @@ -380,6 +380,9 @@ func processUnstructuredImages(ctx context.Context, resource *unstructured.Unstr } matchedImages = appendToImageMapOCIRepo(ctx, matchedImages, ociRepo) + case "ClusterRoleBinding", "RoleBinding", "ClusterRole", "Role": + l.Debug("found a known false positive type", "kind", resource.GetKind()) + default: // Capture any custom images matches := imageCheck.FindAllStringSubmatch(string(b), -1) @@ -392,8 +395,13 @@ func processUnstructuredImages(ctx context.Context, resource *unstructured.Unstr // Capture "maybe images" for all kinds matches := imageFuzzyCheck.FindAllStringSubmatch(string(b), -1) for _, group := range matches { - l.Debug("found possible fuzzy match", "kind", resource.GetKind(), "value", group[1]) - maybeImages[group[1]] = true + switch resource.GetKind() { + case "ClusterRoleBinding", "RoleBinding", "ClusterRole", "Role": + l.Debug("found a known false positive type", "kind", resource.GetKind()) + default: + l.Debug("found possible fuzzy match", "kind", resource.GetKind(), "value", group[1]) + maybeImages[group[1]] = true + } } return matchedImages, maybeImages, nil diff --git a/src/pkg/packager/find_images_test.go b/src/pkg/packager/find_images_test.go index 6e86e71814..0d0f37b68c 100644 --- a/src/pkg/packager/find_images_test.go 
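Review bot: The new RBAC exclusion in `processUnstructuredImages` matches on `resource.GetKind()` alone, so a custom resource from another API group that is also named `Role` or `RoleBinding` would skip both the `imageCheck` default branch and the fuzzy scan, and any image it references would drop out of the result with only a debug line. Matching the API group as well would keep the filter narrow, for example `isRBAC := strings.HasPrefix(resource.GetAPIVersion(), "rbac.authorization.k8s.io/")` (assuming `strings` is imported in this file, which the hunk does not show). The same four-kind list is repeated in the second hunk inside `for _, group := range matches`, where the kind cannot change between iterations, so one check before the loop would remove the duplicate list and the per-match debug line. The function body starts and ends outside both hunks.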
+++ b/src/pkg/packager/find_images_test.go @@ -205,6 +205,24 @@ func TestFindImages(t *testing.T) { }, }, }, + { + name: "roles-bindings", + packagePath: "./testdata/find-images/roles-bindings", + opts: FindImagesOptions{ + SkipCosign: true, + KubeVersionOverride: "v1.32.0", + }, + expectedImages: []ComponentImageScan{ + { + ComponentName: "baseline", + PotentialMatches: []string{ + "ghcr.io/kedacore/keda:2.17.0", + "ghcr.io/kedacore/keda-metrics-apiserver:2.17.0", + "ghcr.io/kedacore/keda-admission-webhooks:2.17.0", + }, + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/src/pkg/packager/testdata/find-images/roles-bindings/zarf.yaml b/src/pkg/packager/testdata/find-images/roles-bindings/zarf.yaml new file mode 100644 index 0000000000..864dcf9818 --- /dev/null +++ b/src/pkg/packager/testdata/find-images/roles-bindings/zarf.yaml @@ -0,0 +1,12 @@ +kind: ZarfPackageConfig +metadata: + name: git-helm-repo +components: + - name: baseline + required: true + charts: + - name: keda + version: "2.17.0" + namespace: keda + url: https://kedacore.github.io/charts + repoName: keda From b4c5d970cdd0b4277e66a8ca4aabf3440982d987 Mon Sep 17 00:00:00 2001 From: Allen Conlon Date: Thu, 31 Jul 2025 19:13:28 -0400 Subject: [PATCH 2/4] revert: logic changes from pr #4011 
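Review bot: The `roles-bindings` case makes `TestFindImages` depend on external services, because its fixture pulls the `keda` chart from `https://kedacore.github.io/charts` at test time, pinned by version only. The expected `PotentialMatches` entries also look like they are only produced after a successful registry lookup on `ghcr.io`, though that code is outside this hunk. A network failure or an upstream change to the chart would then fail the test, or change what it exercises, without any change in this repository. Consider committing the rendered Role and RoleBinding manifests under `testdata/find-images/roles-bindings/` and referencing them through a local `manifests:` entry so the false-positive filter is tested offline.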
Signed-off-by: Allen Conlon --- src/pkg/packager/find_images.go | 13 ++----- src/pkg/packager/find_images_test.go | 34 ++----------------- .../fuzzy-registry-auth/configmap.yml | 13 ------- .../find-images/fuzzy-registry-auth/zarf.yaml | 12 ------- .../{fuzzy-upstream => fuzzy}/configmap.yml | 0 .../kustomization.yaml | 0 .../{fuzzy-upstream => fuzzy}/zarf.yaml | 0 7 files changed, 5 insertions(+), 67 deletions(-) delete mode 100644 src/pkg/packager/testdata/find-images/fuzzy-registry-auth/configmap.yml delete mode 100644 src/pkg/packager/testdata/find-images/fuzzy-registry-auth/zarf.yaml rename src/pkg/packager/testdata/find-images/{fuzzy-upstream => fuzzy}/configmap.yml (100%) rename src/pkg/packager/testdata/find-images/{fuzzy-upstream => fuzzy}/kustomization.yaml (100%) rename src/pkg/packager/testdata/find-images/{fuzzy-upstream => fuzzy}/zarf.yaml (100%) diff --git a/src/pkg/packager/find_images.go b/src/pkg/packager/find_images.go index c91e6362f0..a3de88e936 100644 --- a/src/pkg/packager/find_images.go +++ b/src/pkg/packager/find_images.go @@ -37,11 +37,8 @@ import ( ) var ( - imageCheck = regexp.MustCompile(`(?mi)"image":"((([a-z0-9._-]+)/)?([a-z0-9._-]+)(:([a-z0-9._-]+))?)"`) - imageFuzzyCheck = regexp.MustCompile(`(?mi)["|=]([a-z0-9\-.\/:]+:[\w.\-]*[a-z\.\-][\w.\-]*)"`) - shaCheck = regexp.MustCompile(`(?mi)sha256:[a-fA-F0-9]{64}`) - statusCheck = regexp.MustCompile(`(?mi)status code 40[0-9]`) - connRefusedCheck = regexp.MustCompile(`(?mi)connect: connection refused`) + imageCheck = regexp.MustCompile(`(?mi)"image":"((([a-z0-9._-]+)/)?([a-z0-9._-]+)(:([a-z0-9._-]+))?)"`) + imageFuzzyCheck = regexp.MustCompile(`(?mi)["|=]([a-z0-9\-.\/:]+:[\w.\-]*[a-z\.\-][\w.\-]*)"`) ) // FindImagesOptions declares the parameters to find images. 
@@ -243,12 +240,6 @@ func FindImages(ctx context.Context, packagePath string, opts FindImagesOptions) if descriptor, err := crane.Head(image, images.WithGlobalInsecureFlag()...); err != nil { // Test if this is a real image, if not just quiet log to debug, this is normal l.Debug("suspected image does not appear to be valid", "error", err) - // statusCheck is find if the error has an 40x error code - // shaCheck is remove false positives of sha256:aaaaa.... - if (statusCheck.FindString(err.Error()) != "" || connRefusedCheck.FindString(err.Error()) != "") && shaCheck.FindString(image) == "" { - l.Debug("adding image even though registry check failed") - validMaybeImages = append(validMaybeImages, image) - } } else { // Otherwise, add to the list of images l.Debug("imaged digest found", "digest", descriptor.Digest) diff --git a/src/pkg/packager/find_images_test.go b/src/pkg/packager/find_images_test.go index 0d0f37b68c..89ad070044 100644 --- a/src/pkg/packager/find_images_test.go +++ b/src/pkg/packager/find_images_test.go @@ -4,14 +4,12 @@ package packager import ( - "fmt" "testing" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" "github.com/zarf-dev/zarf/src/pkg/lint" - "github.com/zarf-dev/zarf/src/pkg/utils" "github.com/zarf-dev/zarf/src/test/testutil" ) @@ -20,11 +18,6 @@ func TestFindImages(t *testing.T) { ctx := testutil.TestContext(t) - htp, err := utils.GetHtpasswdString("axol", "otl") - require.NoError(t, err) - - address := testutil.SetupInMemoryRegistryWithAuth(ctx, t, 65000, htp) - lint.ZarfSchema = testutil.LoadSchema(t, "../../../zarf.schema.json") tests := []struct { @@ -163,8 +156,8 @@ func TestFindImages(t *testing.T) { }, }, { - name: "fuzzy-upstream", - packagePath: "./testdata/find-images/fuzzy-upstream", + name: "fuzzy", + packagePath: "./testdata/find-images/fuzzy", opts: FindImagesOptions{ SkipCosign: true, }, 
@@ -184,27 +177,6 @@ func TestFindImages(t *testing.T) { }, }, }, - { - name: "fuzzy-registry-auth", - packagePath: "./testdata/find-images/fuzzy-registry-auth", - opts: FindImagesOptions{ - SkipCosign: true, - }, - expectedImages: []ComponentImageScan{ - { - ComponentName: "baseline", - PotentialMatches: []string{ - "registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:v1.12.0", - "registry1.dso.mil/ironbank/opensource/ceph/ceph-csi:v3.14.1", - "registry1.dso.mil/ironbank/opensource/kubernetes-sigs/sig-storage/csi-attacher:v4.8.1", - "registry1.dso.mil/ironbank/opensource/kubernetes-sigs/sig-storage/csi-provisioner:v5.2.0", - fmt.Sprintf("%s/sig-storage/csi-snapshotter:v8.2.1", address), - fmt.Sprintf("%s/sig-storage/csi-resizer:v1.13.2", address), - fmt.Sprintf("%s/sig-storage/csi-node-driver-registrar:v2.13.0", address), - }, - }, - }, - }, { name: "roles-bindings", packagePath: "./testdata/find-images/roles-bindings", @@ -215,7 +187,7 @@ func TestFindImages(t *testing.T) { expectedImages: []ComponentImageScan{ { ComponentName: "baseline", - PotentialMatches: []string{ + Matches: []string{ "ghcr.io/kedacore/keda:2.17.0", "ghcr.io/kedacore/keda-metrics-apiserver:2.17.0", "ghcr.io/kedacore/keda-admission-webhooks:2.17.0", diff --git a/src/pkg/packager/testdata/find-images/fuzzy-registry-auth/configmap.yml b/src/pkg/packager/testdata/find-images/fuzzy-registry-auth/configmap.yml deleted file mode 100644 index 6cb1c9cd9b..0000000000 --- a/src/pkg/packager/testdata/find-images/fuzzy-registry-auth/configmap.yml +++ /dev/null 
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: rook-ceph-operator-config
- namespace: rook-ceph
-data:
- A_IMAGE: registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:v1.12.0
- B_IMAGE: registry1.dso.mil/ironbank/opensource/kubernetes-sigs/sig-storage/csi-attacher:v4.8.1
- C_IMAGE: registry1.dso.mil/ironbank/opensource/ceph/ceph-csi:v3.14.1
- D_IMAGE: registry1.dso.mil/ironbank/opensource/kubernetes-sigs/sig-storage/csi-provisioner:v5.2.0
- E_IMAGE: localhost:65000/sig-storage/csi-node-driver-registrar:v2.13.0
- F_IMAGE: localhost:65000/sig-storage/csi-resizer:v1.13.2
- G_IMAGE: localhost:65000/sig-storage/csi-snapshotter:v8.2.1
diff --git a/src/pkg/packager/testdata/find-images/fuzzy-registry-auth/zarf.yaml b/src/pkg/packager/testdata/find-images/fuzzy-registry-auth/zarf.yaml
deleted file mode 100644
index a42171f017..0000000000
--- a/src/pkg/packager/testdata/find-images/fuzzy-registry-auth/zarf.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ZarfPackageConfig
-metadata:
- name: fuzzy-registry1
- version: 1.0.0
-components:
- - name: baseline
- required: true
- manifests:
- - name: fuzzy-registry1
- namespace: default
- files:
- - configmap.yml
diff --git a/src/pkg/packager/testdata/find-images/fuzzy-upstream/configmap.yml b/src/pkg/packager/testdata/find-images/fuzzy/configmap.yml
similarity index 100%
rename from src/pkg/packager/testdata/find-images/fuzzy-upstream/configmap.yml
rename to src/pkg/packager/testdata/find-images/fuzzy/configmap.yml
diff --git a/src/pkg/packager/testdata/find-images/fuzzy-upstream/kustomization.yaml b/src/pkg/packager/testdata/find-images/fuzzy/kustomization.yaml
similarity index 100%
rename from src/pkg/packager/testdata/find-images/fuzzy-upstream/kustomization.yaml
rename to src/pkg/packager/testdata/find-images/fuzzy/kustomization.yaml
diff --git a/src/pkg/packager/testdata/find-images/fuzzy-upstream/zarf.yaml b/src/pkg/packager/testdata/find-images/fuzzy/zarf.yaml similarity index 100% rename from src/pkg/packager/testdata/find-images/fuzzy-upstream/zarf.yaml rename to src/pkg/packager/testdata/find-images/fuzzy/zarf.yaml From 5069017ca40446e46defadff46261064f0c0332f Mon Sep 17 00:00:00 2001 From: Allen Conlon Date: Mon, 4 Aug 2025 18:12:39 -0400 Subject: [PATCH 3/4] chore: update per comments on pr Signed-off-by: Allen Conlon --- src/pkg/packager/find_images.go | 12 ++---------- src/pkg/packager/find_images_test.go | 18 ------------------ src/test/testutil/registry.go | 9 --------- 3 files changed, 2 insertions(+), 37 deletions(-) diff --git a/src/pkg/packager/find_images.go b/src/pkg/packager/find_images.go index a3de88e936..87e6230a5f 100644 --- a/src/pkg/packager/find_images.go +++ b/src/pkg/packager/find_images.go @@ -371,9 +371,6 @@ func processUnstructuredImages(ctx context.Context, resource *unstructured.Unstr } matchedImages = appendToImageMapOCIRepo(ctx, matchedImages, ociRepo) - case "ClusterRoleBinding", "RoleBinding", "ClusterRole", "Role": - l.Debug("found a known false positive type", "kind", resource.GetKind()) - default: // Capture any custom images matches := imageCheck.FindAllStringSubmatch(string(b), -1) 
@@ -386,13 +383,8 @@ func processUnstructuredImages(ctx context.Context, resource *unstructured.Unstr // Capture "maybe images" for all kinds matches := imageFuzzyCheck.FindAllStringSubmatch(string(b), -1) for _, group := range matches { - switch resource.GetKind() { - case "ClusterRoleBinding", "RoleBinding", "ClusterRole", "Role": - l.Debug("found a known false positive type", "kind", resource.GetKind()) - default: - l.Debug("found possible fuzzy match", "kind", resource.GetKind(), "value", group[1]) - maybeImages[group[1]] = true - } + l.Debug("found possible fuzzy match", "kind", resource.GetKind(), "value", group[1]) + maybeImages[group[1]] = true } return matchedImages, maybeImages, nil diff --git a/src/pkg/packager/find_images_test.go b/src/pkg/packager/find_images_test.go index 89ad070044..2f0229b15f 100644 --- a/src/pkg/packager/find_images_test.go +++ b/src/pkg/packager/find_images_test.go @@ -177,24 +177,6 @@ func TestFindImages(t *testing.T) { }, }, }, - { - name: "roles-bindings", - packagePath: "./testdata/find-images/roles-bindings", - opts: FindImagesOptions{ - SkipCosign: true, - KubeVersionOverride: "v1.32.0", - }, - expectedImages: []ComponentImageScan{ - { - ComponentName: "baseline", - Matches: []string{ - "ghcr.io/kedacore/keda:2.17.0", - "ghcr.io/kedacore/keda-metrics-apiserver:2.17.0", - "ghcr.io/kedacore/keda-admission-webhooks:2.17.0", - }, - }, - }, - }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/src/test/testutil/registry.go b/src/test/testutil/registry.go index 0692dc4ab3..00d7c0cac5 100644 --- a/src/test/testutil/registry.go +++ b/src/test/testutil/registry.go 
@@ -19,12 +19,6 @@ import ( // SetupInMemoryRegistry sets up an in-memory registry on localhost and returns the address. func SetupInMemoryRegistry(ctx context.Context, t *testing.T, port int) string { - return SetupInMemoryRegistryWithAuth(ctx, t, port, "") -} - -// SetupInMemoryRegistryWithAuth sets up an in-memory registry on localhost and returns the address. -// If the parameter `htpassword` is not empty, the registry will use that as the auth for accessing it. -func SetupInMemoryRegistryWithAuth(ctx context.Context, t *testing.T, port int, htpassword string) string { t.Helper() config := &configuration.Configuration{} config.HTTP.Addr = fmt.Sprintf(":%d", port) @@ -32,9 +26,6 @@ func SetupInMemoryRegistryWithAuth(ctx context.Context, t *testing.T, port int, config.Log.Level = "error" logrus.SetOutput(io.Discard) config.HTTP.DrainTimeout = 10 * time.Second - if htpassword != "" { - config.HTTP.Secret = htpassword - } config.Storage = map[string]configuration.Parameters{"inmemory": map[string]interface{}{}} ref, err := registry.NewRegistry(ctx, config) require.NoError(t, err) From 2d393ecbc75d6b0ba18e92884fdecca5656e84d0 Mon Sep 17 00:00:00 2001 From: Allen Conlon Date: Tue, 5 Aug 2025 18:03:39 -0400 Subject: [PATCH 4/4] feat: remove un-needed tests Signed-off-by: Allen Conlon --- .../testdata/find-images/roles-bindings/zarf.yaml | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 src/pkg/packager/testdata/find-images/roles-bindings/zarf.yaml diff --git a/src/pkg/packager/testdata/find-images/roles-bindings/zarf.yaml b/src/pkg/packager/testdata/find-images/roles-bindings/zarf.yaml deleted file mode 100644 index 864dcf9818..0000000000 --- a/src/pkg/packager/testdata/find-images/roles-bindings/zarf.yaml +++ /dev/null 
@@ -1,12 +0,0 @@
-kind: ZarfPackageConfig
-metadata:
- name: git-helm-repo
-components:
- - name: baseline
- required: true
- charts:
- - name: keda
- version: "2.17.0"
- namespace: keda
- url: https://kedacore.github.io/charts
- repoName: keda