chore: update case for find images

src/pkg/packager/find_images.go

@@ -37,11 +37,8 @@ import (
 )
 
 var (
-	imageCheck       = regexp.MustCompile(`(?mi)"image":"((([a-z0-9._-]+)/)?([a-z0-9._-]+)(:([a-z0-9._-]+))?)"`)
-	imageFuzzyCheck  = regexp.MustCompile(`(?mi)["|=]([a-z0-9\-.\/:]+:[\w.\-]*[a-z\.\-][\w.\-]*)"`)
-	shaCheck         = regexp.MustCompile(`(?mi)sha256:[a-fA-F0-9]{64}`)
-	statusCheck      = regexp.MustCompile(`(?mi)status code 40[0-9]`)
-	connRefusedCheck = regexp.MustCompile(`(?mi)connect: connection refused`)
+	imageCheck      = regexp.MustCompile(`(?mi)"image":"((([a-z0-9._-]+)/)?([a-z0-9._-]+)(:([a-z0-9._-]+))?)"`)
+	imageFuzzyCheck = regexp.MustCompile(`(?mi)["|=]([a-z0-9\-.\/:]+:[\w.\-]*[a-z\.\-][\w.\-]*)"`)
 )
 
 // FindImagesOptions declares the parameters to find images.
@@ -243,12 +240,6 @@ func FindImages(ctx context.Context, packagePath string, opts FindImagesOptions)
 				if descriptor, err := crane.Head(image, images.WithGlobalInsecureFlag()...); err != nil {
 					// Test if this is a real image, if not just quiet log to debug, this is normal
 					l.Debug("suspected image does not appear to be valid", "error", err)
-					// statusCheck is find if the error has an 40x error code
-					// shaCheck is remove false positives of sha256:aaaaa....
-					if (statusCheck.FindString(err.Error()) != "" || connRefusedCheck.FindString(err.Error()) != "") && shaCheck.FindString(image) == "" {
-						l.Debug("adding image even though registry check failed")
-						validMaybeImages = append(validMaybeImages, image)
-					}
 				} else {
 					// Otherwise, add to the list of images
 					l.Debug("imaged digest found", "digest", descriptor.Digest)
@@ -380,6 +371,9 @@ func processUnstructuredImages(ctx context.Context, resource *unstructured.Unstr
 		}
 		matchedImages = appendToImageMapOCIRepo(ctx, matchedImages, ociRepo)
 
+	case "ClusterRoleBinding", "RoleBinding", "ClusterRole", "Role":
+		l.Debug("found a known false positive type", "kind", resource.GetKind())
+
 	default:
 		// Capture any custom images
 		matches := imageCheck.FindAllStringSubmatch(string(b), -1)
@@ -392,8 +386,13 @@ func processUnstructuredImages(ctx context.Context, resource *unstructured.Unstr
 	// Capture "maybe images" for all kinds
 	matches := imageFuzzyCheck.FindAllStringSubmatch(string(b), -1)
 	for _, group := range matches {
-		l.Debug("found possible fuzzy match", "kind", resource.GetKind(), "value", group[1])
-		maybeImages[group[1]] = true
+		switch resource.GetKind() {
+		case "ClusterRoleBinding", "RoleBinding", "ClusterRole", "Role":
+			l.Debug("found a known false positive type", "kind", resource.GetKind())
+		default:
+			l.Debug("found possible fuzzy match", "kind", resource.GetKind(), "value", group[1])
+			maybeImages[group[1]] = true
+		}
 	}
 
 	return matchedImages, maybeImages, nil

src/pkg/packager/find_images_test.go

@@ -4,14 +4,12 @@
 package packager
 
 import (
-	"fmt"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/zarf-dev/zarf/src/pkg/lint"
-	"github.com/zarf-dev/zarf/src/pkg/utils"
 	"github.com/zarf-dev/zarf/src/test/testutil"
 )
 
@@ -20,11 +18,6 @@ func TestFindImages(t *testing.T) {
 
 	ctx := testutil.TestContext(t)
 
-	htp, err := utils.GetHtpasswdString("axol", "otl")
-	require.NoError(t, err)
-
-	address := testutil.SetupInMemoryRegistryWithAuth(ctx, t, 65000, htp)
-
 	lint.ZarfSchema = testutil.LoadSchema(t, "../../../zarf.schema.json")
 
 	tests := []struct {
@@ -163,8 +156,8 @@ func TestFindImages(t *testing.T) {
 			},
 		},
 		{
-			name:        "fuzzy-upstream",
-			packagePath: "./testdata/find-images/fuzzy-upstream",
+			name:        "fuzzy",
+			packagePath: "./testdata/find-images/fuzzy",
 			opts: FindImagesOptions{
 				SkipCosign: true,
 			},
@@ -185,22 +178,19 @@ func TestFindImages(t *testing.T) {
 			},
 		},
 		{
-			name:        "fuzzy-registry-auth",
-			packagePath: "./testdata/find-images/fuzzy-registry-auth",
+			name:        "roles-bindings",
+			packagePath: "./testdata/find-images/roles-bindings",
 			opts: FindImagesOptions{
-				SkipCosign: true,
+				SkipCosign:          true,
+				KubeVersionOverride: "v1.32.0",
 			},
 			expectedImages: []ComponentImageScan{
 				{
 					ComponentName: "baseline",
-					PotentialMatches: []string{
-						"registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:v1.12.0",
-						"registry1.dso.mil/ironbank/opensource/ceph/ceph-csi:v3.14.1",
-						"registry1.dso.mil/ironbank/opensource/kubernetes-sigs/sig-storage/csi-attacher:v4.8.1",
-						"registry1.dso.mil/ironbank/opensource/kubernetes-sigs/sig-storage/csi-provisioner:v5.2.0",
-						fmt.Sprintf("%s/sig-storage/csi-snapshotter:v8.2.1", address),
-						fmt.Sprintf("%s/sig-storage/csi-resizer:v1.13.2", address),
-						fmt.Sprintf("%s/sig-storage/csi-node-driver-registrar:v2.13.0", address),
+					Matches: []string{
+						"ghcr.io/kedacore/keda:2.17.0",
+						"ghcr.io/kedacore/keda-metrics-apiserver:2.17.0",
+						"ghcr.io/kedacore/keda-admission-webhooks:2.17.0",
 					},
 				},
 			},

src/pkg/packager/testdata/find-images/roles-bindings/zarf.yaml

@@ -0,0 +1,12 @@
+kind: ZarfPackageConfig
+metadata:
+  name: git-helm-repo
+components:
+  - name: baseline
+    required: true
+    charts:
+      - name: keda
+        version: "2.17.0"
+        namespace: keda
+        url: https://kedacore.github.io/charts
+        repoName: keda