
feat(image): customer podman host or socket option #6256

Merged
merged 8 commits into from
Mar 11, 2024

Conversation

parvez0
Contributor

@parvez0 parvez0 commented Mar 2, 2024

Description

This pull request adds a new feature option --podman-host to the image command. This option allows users to specify a custom Podman host.

Command output before introducing this feature:

$ trivy image --image-src podman nginx:latest
2024-03-02T16:49:02.943Z	INFO	Need to update DB
2024-03-02T16:49:02.944Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2024-03-02T16:49:02.944Z	INFO	Downloading DB...
43.58 MiB / 43.58 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 7.43 MiB p/s 6.1s
2024-03-02T16:49:10.272Z	INFO	Vulnerability scanning is enabled
2024-03-02T16:49:10.272Z	INFO	Secret scanning is enabled
2024-03-02T16:49:10.272Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-02T16:49:10.273Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-02T16:49:10.279Z	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: 1 error occurred:
	* podman error: unable to initialize Podman client: no podman socket found: stat /run/user/1000/snap.trivy/podman/podman.sock: no such file or directory

Command output after introducing the feature:

$ trivy image --image-src podman --podman-host /run/user/1000/podman/podman.sock docker.io/nginx:latest
2024-03-02T17:03:12.479Z	INFO	Vulnerability scanning is enabled
2024-03-02T17:03:12.479Z	INFO	Secret scanning is enabled
2024-03-02T17:03:12.479Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-02T17:03:12.480Z	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-03-02T17:03:25.884Z	INFO	Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2024-03-02T17:03:25.884Z	INFO	Downloading the Java DB...
509.15 MiB / 509.15 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 18.21 MiB p/s 28s
2024-03-02T17:03:55.181Z	INFO	The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2024-03-02T17:03:55.631Z	INFO	Detected OS: debian
2024-03-02T17:03:55.631Z	INFO	Detecting Debian vulnerabilities...
2024-03-02T17:03:55.730Z	INFO	Number of language-specific files: 0

docker.io/nginx:latest (debian 12.5)

Total: 146 (UNKNOWN: 1, LOW: 84, MEDIUM: 32, HIGH: 27, CRITICAL: 2)

┌────────────────────┬─────────────────────┬──────────┬──────────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│      Library       │    Vulnerability    │ Severity │    Status    │    Installed Version    │ Fixed Version │                            Title                             │
├────────────────────┼─────────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ apt                │ CVE-2011-3374       │ LOW      │ affected     │ 2.6.1                   │               │ It was found that apt-key in apt, all versions, do not       │
│                    │                     │          │              │                         │               │ correctly...                                                 │
│                    │                     │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2011-3374                    │
├────────────────────┼─────────────────────┤          │              ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ bash               │ TEMP-0841856-B18BAF │          │              │ 5.2.15-2+b2             │               │ [Privilege escalation possible to other user than root]      │
│                    │                     │          │              │                         │               │ https://security-tracker.debian.org/tracker/TEMP-0841856-B1- │
│                    │                     │          │              │                         │               │ 8BAF                                                         │

Related issues

Related PRs

Remove this section if you don't have related PRs.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@CLAassistant

CLAassistant commented Mar 2, 2024

CLA assistant check
All committers have signed the CLA.


@parvez0 parvez0 changed the title from "feat(image): customer podman host or socket option https://github.com/aquasecurity/trivy/issues/3098" to "feat(image): customer podman host or socket option" Mar 2, 2024
Contributor

@DmitriyLewen DmitriyLewen left a comment


Hello @parvez0
Thank you for your work!

Left a comment. Please take a look when you have time.

Can you also add a test for podman-host?
You can create a similar test:

func Test_image_ConfigNameWithCustomDockerHost(t *testing.T) {
	ref, err := name.ParseReference("alpine:3.11")
	require.NoError(t, err)
	eo := engine.Option{
		APIVersion: opt.APIVersion,
		ImagePaths: opt.ImagePaths,
	}
	var dockerHostParam string
	if runtime.GOOS != "windows" {
		runtimeDir, err := os.MkdirTemp("", "daemon")
		require.NoError(t, err)
		dir := filepath.Join(runtimeDir, "image")
		err = os.MkdirAll(dir, os.ModePerm)
		require.NoError(t, err)
		customDockerHost := filepath.Join(dir, "image-test-unix-socket.sock")
		eo.UnixDomainSocket = customDockerHost
		dockerHostParam = "unix://" + customDockerHost
	}
	te := engine.NewDockerEngine(eo)
	defer te.Close()
	if runtime.GOOS == "windows" {
		dockerHostParam = te.Listener.Addr().Network() + "://" + te.Listener.Addr().String()
	}
	img, cleanup, err := DockerImage(ref, dockerHostParam)
	require.NoError(t, err)
	defer cleanup()
	conf, err := img.ConfigName()
	assert.Equal(t, v1.Hash{
		Algorithm: "sha256",
		Hex:       "a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
	}, conf)
	assert.Nil(t, err)
}

Regards, Dmitriy

Review thread on docs/docs/target/container_image.md (outdated, resolved)
parvez0 and others added 2 commits March 5, 2024 22:02
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Contributor

@DmitriyLewen DmitriyLewen left a comment


@parvez0 Thanks for your work!

@knqyf263 i approved this PR. Take a look, when you have time, please.

Review thread on the reviewed lines:

	// Get Podman socket location
	sockDir := os.Getenv("XDG_RUNTIME_DIR")
	socket := filepath.Join(sockDir, "podman", "podman.sock")
	if host != "" {
		socket = host
	} else if s := os.Getenv("PODMAN_HOST"); s != "" {

Collaborator


DOCKER_HOST is natively supported by Docker.
https://docs.docker.com/engine/reference/commandline/cli/

But I didn't find PODMAN_HOST support in Podman. If Podman doesn't support it, there is no reason we do it.

Contributor Author


Hey @knqyf263 thanks for the review, I'll remove PODMAN_HOST and reraise the PR
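The socket resolution order this review thread settles on (an explicit `--podman-host` value wins, otherwise `$XDG_RUNTIME_DIR/podman/podman.sock`, with no `PODMAN_HOST` fallback) written out as an added, stand-alone Go example. It is not Trivy's code: the names `resolvePodmanSocket` and `checkSocket`, the stripping of a `unix://` prefix, and the up-front check that the resolved path really is a Unix socket are all assumptions of this example, added so that a mistyped path fails with a clear message rather than the late `stat` error shown in the "before" output of the description.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// ErrNoSocket is returned when the resolved path does not exist.
var ErrNoSocket = errors.New("no podman socket found")

// resolvePodmanSocket applies the precedence the reviewed snippet ends up
// with once PODMAN_HOST is dropped: an explicit host (the --podman-host
// value) wins, otherwise the default is $XDG_RUNTIME_DIR/podman/podman.sock.
// Stripping a leading "unix://" is an assumption of this example, not
// documented Trivy behaviour.
func resolvePodmanSocket(host, xdgRuntimeDir string) string {
	if host != "" {
		return strings.TrimPrefix(host, "unix://")
	}
	return filepath.Join(xdgRuntimeDir, "podman", "podman.sock")
}

// checkSocket verifies that the path exists and is a Unix domain socket, so a
// wrong --podman-host fails immediately with an explicit message instead of a
// confusing connection error later on.
func checkSocket(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrNoSocket, err)
	}
	if fi.Mode()&os.ModeSocket == 0 {
		return fmt.Errorf("%s exists but is not a unix socket", path)
	}
	return nil
}

func main() {
	// Constructed demo: stand up a throwaway listener in a temp dir, much
	// like the Docker test suggested earlier in the thread, then resolve and
	// validate a few candidate --podman-host values against it.
	dir, err := os.MkdirTemp("", "podman-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	sock := filepath.Join(dir, "podman.sock")
	l, err := net.Listen("unix", sock)
	if err != nil {
		panic(err)
	}
	defer l.Close()

	// dir stands in for XDG_RUNTIME_DIR; the empty host therefore resolves
	// to dir/podman/podman.sock, which does not exist in this demo.
	for _, host := range []string{"", "unix://" + sock, filepath.Join(dir, "typo.sock")} {
		path := resolvePodmanSocket(host, dir)
		fmt.Printf("host=%q -> %s: %v\n", host, path, checkSocket(path))
	}
}
```

Running it prints one line per candidate: the empty host falls back to the default path and reports `no podman socket found`, the `unix://`-prefixed path is accepted, and the mistyped path is rejected before any client is built.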

@parvez0 parvez0 requested a review from knqyf263 March 8, 2024 15:28
@knqyf263
Collaborator

LGTM! Thanks.

@knqyf263 knqyf263 closed this Mar 11, 2024
@knqyf263 knqyf263 reopened this Mar 11, 2024
@knqyf263 knqyf263 enabled auto-merge March 11, 2024 04:10
@knqyf263
Collaborator

Sorry, I accidentally closed it... never mind.

@knqyf263 knqyf263 added this pull request to the merge queue Mar 11, 2024
Merged via the queue into aquasecurity:main with commit 9d2057a Mar 11, 2024
32 checks passed
Successfully merging this pull request may close these issues.

Support for rootless podman
4 participants