fix: buildImageMetadata when containers miss from the spec

this commit gives up supporting sidecar containers injected dynamically by collecting metadata for images only if they appear in both the spec and the status
snyk · Dec 4, 2019 · 79689b0 · 79689b0
1 parent 46050fd
commit 79689b0
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 8 deletions.
diff --git a/src/kube-scanner/metadata-extractor.ts b/src/kube-scanner/metadata-extractor.ts
@@ -26,7 +26,12 @@ export function buildImageMetadata(
     containerNameToStatus[containerStatus.name] = containerStatus;
   }
 
-  const images = containerStatuses.map(({ name: containerName }) => ({
+  const images: IWorkload[] = [];
+  for (const containerStatus of containerStatuses) {
+    if (!(containerStatus.name in containerNameToSpec)) {
+      continue
+    }
+    images.push({
       type: kind,
       name: name || 'unknown',
       namespace,
@@ -35,14 +40,15 @@ export function buildImageMetadata(
       uid,
       specLabels: specMeta.labels || {},
       specAnnotations: specMeta.annotations || {},
-      containerName,
-      imageName: containerNameToSpec[containerName].image,
-      imageId: containerNameToStatus[containerName].imageID,
+      containerName: containerStatus.name,
+      imageName: containerNameToSpec[containerStatus.name].image,
+      imageId: containerNameToStatus[containerStatus.name].imageID,
       cluster: currentClusterName,
       revision,
       podSpec,
-    } as IWorkload),
-  );
+    } as IWorkload);
+  }
+
   return images;
 }
 

diff --git a/test/unit/metadata-extractor.test.ts b/test/unit/metadata-extractor.test.ts
@@ -72,8 +72,26 @@ tap.test('buildImageMetadata', async (t) => {
     podSpec: deploymentObject.spec!.template.spec!,
   }
 
-  t.throws(() => metadataExtractor.buildImageMetadata(
+  const imageMetadataResult = metadataExtractor.buildImageMetadata(
     deploymentWeirdWrapper,
     podObject.status!.containerStatuses!,
-  ), 'buildImageMetadata can\'t handle discrepancies between spec and status');
+  );
+
+  t.ok(Array.isArray(imageMetadataResult), 'returns an array');
+  t.equals(
+    imageMetadataResult.length,
+    1,
+    'the size of the container status array that also appears in the spec',
+  );
+  t.equals(imageMetadataResult[0].type, 'Deployment', 'with the workload type of the parent');
+  t.equals(
+    imageMetadataResult[0].imageId,
+    'docker-pullable://eu.gcr.io/cookie/hello-world@sha256:1ac413b2756364b7b856c64d557fdedb97a4ba44ca16fc656e08881650848fe2',
+    'the image ID of the first container'
+  );
+  t.equals(
+    imageMetadataResult[0].imageName,
+    'eu.gcr.io/cookie/hello-world:1.20191125.132107-4664980',
+    'the image name of the first container'
+  );
 });