feat: support OCI Image Format (#475)

* chore(wire): specify package names

* fix(extractor): remove types.GetDockerOption

* chore(README): mention OCI support

* chore(mod): update dependencies

* test(integration): fix an error message

* test(integration): revert the error message

* chore(mod): tidy

Co-authored-by: Simarpreet Singh <simar@linux.com>

Makefile

@@ -12,7 +12,7 @@ $(GOBIN)/wire:
 
 .PHONY: wire
 wire: $(GOBIN)/wire
-	wire gen ./...
+	wire gen ./pkg/... ./internal/...
 
 .PHONY: mock
 mock: $(GOBIN)/mockery

README.md

@@ -31,6 +31,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
   - [Standalone](#standalone)
     - [Scan an image](#scan-an-image)
     - [Scan an image file](#scan-an-image-file)
+    - [Scan an OCI image](#scan-an-oci-image)
     - [Save the results as JSON](#save-the-results-as-json)
     - [Save the results using a template](#save-the-results-using-a-template)
     - [Filter the vulnerabilities by severities](#filter-the-vulnerabilities-by-severities)
@@ -95,6 +96,11 @@ See [here](#continuous-integration-ci) for details.
 - DevSecOps
   - **Suitable for CI** such as Travis CI, CircleCI, Jenkins, etc.
   - See [CI Example](#continuous-integration-ci)
+- Support multiple formats
+  - A local image in Docker Engine which is running as a daemon
+  - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
+  - A tar archive stored in the `docker save` formatted file
+  - An image directory compliant with [OCI Image Format](https://github.com/opencontainers/image-spec)
 
 Please see [LICENSE](https://github.com/aquasecurity/trivy/blob/master/LICENSE) for Trivy licensing information. Note that Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
 
@@ -530,6 +536,23 @@ Total: 7447 (UNKNOWN: 5, LOW: 326, MEDIUM: 5695, HIGH: 1316, CRITICAL: 105)
 ...
 ```
 
+### Scan an OCI image
+An image directory compliant with "Open Container Image Layout Specification".
+
+Buildah:
+
+```
+$ buildah push docker.io/library/alpine:3.11 oci:/path/to/alpine
+$ trivy --input /path/to/alpine
+```
+
+Skopeo:
+
+```
+$ skopeo copy docker-daemon:alpine:3.11 oci:/path/to/alpine
+$ trivy --input /path/to/alpine
+```
+
 </details>
 
 ### Save the results as JSON

go.sum

@@ -425,7 +425,6 @@ github.com/vdemeester/k8s-pkg-credentialprovider v1.17.4/go.mod h1:inCTmtUdr5KJb
 github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-go.etcd.io/bbolt v1.3.3 h1:MUGmc65QhB3pIlaQ5bB4LwqSj6GIonVJXpZiaKNyaKk=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg=
 go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=

integration/docker_engine_test.go

@@ -236,7 +236,7 @@ func TestRun_WithDockerEngine(t *testing.T) {
 			name:          "sad path, invalid image",
 			invalidImage:  true,
 			testfile:      "badimage:latest",
-			expectedError: "unable to inspect the image (index.docker.io/library/badimage:latest): Error: No such image: index.docker.io/library/badimage:latest",
+			expectedError: "unable to inspect the image (index.docker.io/library/badimage:latest)",
 		},
 	}
 

pkg/scanner/scan.go

@@ -34,7 +34,6 @@ var StandaloneDockerSet = wire.NewSet(
 )
 
 var StandaloneArchiveSet = wire.NewSet(
-	types.GetDockerOption,
 	docker.NewArchiveImageExtractor,
 	wire.Bind(new(extractor.Extractor), new(docker.Extractor)),
 	StandaloneSuperSet,
@@ -57,7 +56,6 @@ var RemoteDockerSet = wire.NewSet(
 )
 
 var RemoteArchiveSet = wire.NewSet(
-	types.GetDockerOption,
 	docker.NewArchiveImageExtractor,
 	wire.Bind(new(extractor.Extractor), new(docker.Extractor)),
 	RemoteSuperSet,