Cyt 814 docker scout

[KendallHarterAtWork]

Summary

If merged this pull request will add support for running Docker Scout on Docker .tar and .tar.gz files

[nightlark]

Let's rename docker_file.py to docker_image.py to clarify that it is getting info from a docker image rather than a Dockerfile -- would be neat to get the original Dockerfile for an image, that would be like getting access to source code.

[nightlark]

Suggested change

	def run_docker(filename: str) -> object:
	def run_docker_scout(filename: str) -> object:

Docker Scout is a plugin for Docker (that may not be installed by default), so let's clarify that this is running it rather than one of the commands built into docker.

[nightlark]

It could be interesting to also capture the results from running docker scout cves, and either add as another entry in the returned dictionary, or convert to openvex files.

[KendallHarterAtWork]

docker scout cves requires being logged into Docker's website and may also require uploading the docker image (the documentation isn't very clear on this - it kind of just assumes you're using remote images)

[nightlark]

Looking at the docs, it seems to have it run on something not uploaded to DockerHub requires adding a prefix -- archive:// would probably be it for the docker tar files we are looking at.

If it gets run on a local file, does it still require being logged into Docker? Maybe this is something that would need to be a user configurable setting that defaults to off -- not really sure why it would need logging in though, other than if Docker is maintaining their own CVE/advisory database instead of using the public databases.

[nightlark]

For "internal plugins", the import of the file and registering can be done in: https://github.com/LLNL/Surfactant/blob/main/surfactant/plugin/manager.py#L13

[nightlark]

Suggested change

	def is_docker_scout_installed():
	# Check that Docker Scout can be run unless it's disabled
	result = subprocess.run(["docker", "scout", "--help"], capture_output=True, check=False)
	if result.returncode != 0:
	logger.warning(
	"Install Docker Scout to scan containers for additional information"
	)
	# Check if Docker Scout is installed when this Python module gets loaded
	disable_docker_scout = not is_docker_scout_installed()

The above should result in the check for Docker Scout happening just once when this module gets loaded (extract_docker_info() can check disable_docker_scout before calling run_docker_scout).

Another idea that came to mind is adding a "check_plugin_prereqs" hookspec that would let plugins that have choose to implement it do some checks when they first get loaded. That might be a more elegant solution, coupled with a future user settings for plugins feature.

---

I think in terms of UX the lack of Docker Scout shouldn't be a hard failure that requires disabling -- there are likely to be plenty of samples people analyze that don't have any Docker images. Ideally we'd know ahead of time that one of the files they'll be analyzing is a Docker image, and then warn them... a more realistic alternative to omniscience could be printing the warning in extract_docker_info() if/when a Docker file is encountered.

[nightlark]

From the CI tests, it looks like subprocess.run can sometimes throw a FileNotFoundError that should be caught (are there any other error types that can be thrown?) if the docker command isn't installed on a system.