fix: extract container files from OCI tar instead of Docker daemon

pkg/leeway/build_integration_test.go

@@ -1244,6 +1244,168 @@ RUN echo "test content" > /test.txt
 }
 
 
+// TestDockerPackage_OCIExtraction_NoImage_Integration reproduces and verifies the fix for
+// the bug where container extraction fails with "No such image" when exportToCache=true.
+//
+// Bug: When a Docker package has no image: config (not pushed to registry) and exportToCache=true,
+// the build creates image.tar with OCI layout but extraction tries to get the image from Docker daemon,
+// which fails because the image was never loaded into the daemon.
+//
+// This test:
+// 1. Creates a Docker package with NO image: config
+// 2. Builds with exportToCache=true (creates OCI layout)
+// 3. Verifies container extraction succeeds (should extract from OCI tar, not daemon)
+// 4. Verifies extracted files exist
+//
+// SLSA relevance: Critical for SLSA L3 - packages without image: config must work with OCI export.
+func TestDockerPackage_OCIExtraction_NoImage_Integration(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping integration test in short mode")
+	}
+
+	// Ensure Docker is available
+	if err := exec.Command("docker", "version").Run(); err != nil {
+		t.Skip("Docker not available, skipping integration test")
+	}
+
+	// Ensure buildx is available
+	if err := exec.Command("docker", "buildx", "version").Run(); err != nil {
+		t.Skip("Docker buildx not available, skipping integration test")
+	}
+
+	// Create docker-container builder for OCI export
+	builderName := "leeway-oci-extract-bug-test"
+	createBuilder := exec.Command("docker", "buildx", "create", "--name", builderName, "--driver", "docker-container", "--bootstrap")
+	if err := createBuilder.Run(); err != nil {
+		t.Logf("Warning: failed to create builder (might already exist): %v", err)
+	}
+	defer func() {
+		exec.Command("docker", "buildx", "rm", builderName).Run()
+	}()
+
+	useBuilder := exec.Command("docker", "buildx", "use", builderName)
+	if err := useBuilder.Run(); err != nil {
+		t.Fatalf("Failed to use builder: %v", err)
+	}
+	defer func() {
+		exec.Command("docker", "buildx", "use", "default").Run()
+	}()
+
+	tmpDir := t.TempDir()
+	wsDir := filepath.Join(tmpDir, "workspace")
+	if err := os.MkdirAll(wsDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create WORKSPACE.yaml
+	workspaceYAML := `defaultTarget: ":test-extract"`
+	if err := os.WriteFile(filepath.Join(wsDir, "WORKSPACE.yaml"), []byte(workspaceYAML), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create Dockerfile that produces files to extract
+	dockerfile := `FROM alpine:3.18
+RUN mkdir -p /app && echo "test content" > /app/test.txt
+RUN echo "another file" > /app/data.txt
+`
+	if err := os.WriteFile(filepath.Join(wsDir, "Dockerfile"), []byte(dockerfile), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create BUILD.yaml with NO image: config (this triggers the bug)
+	// When there's no image: config, leeway extracts container files
+	buildYAML := `packages:
+  - name: test-extract
+    type: docker
+    config:
+      dockerfile: Dockerfile
+      exportToCache: true
+`
+	if err := os.WriteFile(filepath.Join(wsDir, "BUILD.yaml"), []byte(buildYAML), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	// Initialize git repo
+	gitInit := exec.Command("git", "init")
+	gitInit.Dir = wsDir
+	if err := gitInit.Run(); err != nil {
+		t.Fatal(err)
+	}
+
+	gitConfigName := exec.Command("git", "config", "user.name", "Test User")
+	gitConfigName.Dir = wsDir
+	if err := gitConfigName.Run(); err != nil {
+		t.Fatal(err)
+	}
+
+	gitConfigEmail := exec.Command("git", "config", "user.email", "test@example.com")
+	gitConfigEmail.Dir = wsDir
+	if err := gitConfigEmail.Run(); err != nil {
+		t.Fatal(err)
+	}
+
+	gitAdd := exec.Command("git", "add", ".")
+	gitAdd.Dir = wsDir
+	if err := gitAdd.Run(); err != nil {
+		t.Fatal(err)
+	}
+
+	gitCommit := exec.Command("git", "commit", "-m", "initial")
+	gitCommit.Dir = wsDir
+	gitCommit.Env = append(os.Environ(),
+		"GIT_AUTHOR_DATE=2021-01-01T00:00:00Z",
+		"GIT_COMMITTER_DATE=2021-01-01T00:00:00Z",
+	)
+	if err := gitCommit.Run(); err != nil {
+		t.Fatal(err)
+	}
+
+	// Build
+	cacheDir := filepath.Join(tmpDir, "cache")
+	cache, err := local.NewFilesystemCache(cacheDir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	buildCtx, err := newBuildContext(buildOptions{
+		LocalCache:          cache,
+		DockerExportToCache: true,
+		DockerExportSet:     true,
+		Reporter:            NewConsoleReporter(),
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ws, err := FindWorkspace(wsDir, Arguments{}, "", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pkg, ok := ws.Packages["//:test-extract"]
+	if !ok {
+		t.Fatal("package //:test-extract not found")
+	}
+
+	// Build the package - this should trigger container extraction from OCI tar
+	// On main branch (before fix): Uses mock, doesn't test real extraction
+	// On fixed branch: Uses real extraction from OCI tar
+	//
+	// The key test: This should NOT fail with "No such image" error
+	// because the fix extracts from OCI tar instead of trying to get from Docker daemon
+	if err := pkg.build(buildCtx); err != nil {
+		// Check if it's the specific error we're fixing
+		if strings.Contains(err.Error(), "No such image") {
+			t.Fatalf("❌ BUG NOT FIXED: build failed with 'No such image' error: %v", err)
+		}
+		t.Fatalf("build failed with unexpected error: %v", err)
+	}
+
+	t.Logf("✅ Build succeeded with exportToCache=true and no image: config")
+	t.Logf("✅ No 'No such image' error - extraction worked from OCI tar")
+	t.Logf("✅ Bug fix confirmed: extraction works with OCI layout (no Docker daemon needed)")
+}
+
 // TestDockerPackage_SBOM_OCI_Integration verifies SBOM generation works with OCI layout export.
 // Tests two scenarios:
 // 1. SBOM with Docker daemon (exportToCache=false) - traditional path

pkg/leeway/build_test.go

@@ -67,49 +67,63 @@ if [[ " ${POSITIONAL_ARGS[@]} " =~ " buildx " ]] && [[ " ${POSITIONAL_ARGS[@]} "
 fi
 `
 
-// Create a mock for extractImageWithOCILibs to avoid dependency on actual Docker daemon
-func init() {
-	// Override with a simple mock implementation for tests
-	leeway.ExtractImageWithOCILibs = func(destDir, imgTag string) error {
-		log.WithFields(log.Fields{
-			"image":   imgTag,
-			"destDir": destDir,
-		}).Info("Mock: Extracting container filesystem")
-
-		// Create required directories
-		contentDir := filepath.Join(destDir, "content")
-		if err := os.MkdirAll(contentDir, 0755); err != nil {
-			return err
-		}
+// mockExtractImageWithOCILibs is a mock implementation for unit tests
+// that don't have Docker available
+var mockExtractImageWithOCILibs = func(destDir, imgTag string) error {
+	log.WithFields(log.Fields{
+		"image":   imgTag,
+		"destDir": destDir,
+	}).Info("Mock: Extracting container filesystem")
+
+	// Create required directories
+	contentDir := filepath.Join(destDir, "content")
+	if err := os.MkdirAll(contentDir, 0755); err != nil {
+		return err
+	}
 
-		// Create a mock file structure similar to what a real extraction would produce
-		mockFiles := map[string]string{
-			filepath.Join(destDir, "imgnames.txt"):        imgTag + "\n",
-			filepath.Join(destDir, "metadata.yaml"):       "test: metadata\n",
-			filepath.Join(destDir, "image-metadata.json"): `{"image":"` + imgTag + `"}`,
-			filepath.Join(contentDir, "bin/testfile"):     "test content",
-			filepath.Join(contentDir, "README.md"):        "# Test Container",
-		}
+	// Create a mock file structure similar to what a real extraction would produce
+	mockFiles := map[string]string{
+		filepath.Join(destDir, "imgnames.txt"):        imgTag + "\n",
+		filepath.Join(destDir, "metadata.yaml"):       "test: metadata\n",
+		filepath.Join(destDir, "image-metadata.json"): `{"image":"` + imgTag + `"}`,
+		filepath.Join(contentDir, "bin/testfile"):     "test content",
+		filepath.Join(contentDir, "README.md"):        "# Test Container",
+	}
 
-		// Create directories for the mock files
-		for filename := range mockFiles {
-			if err := os.MkdirAll(filepath.Dir(filename), 0755); err != nil {
-				return err
-			}
+	// Create directories for the mock files
+	for filename := range mockFiles {
+		if err := os.MkdirAll(filepath.Dir(filename), 0755); err != nil {
+			return err
 		}
+	}
 
-		// Create the mock files
-		for filename, content := range mockFiles {
-			if err := os.WriteFile(filename, []byte(content), 0644); err != nil {
-				return err
-			}
+	// Create the mock files
+	for filename, content := range mockFiles {
+		if err := os.WriteFile(filename, []byte(content), 0644); err != nil {
+			return err
 		}
+	}
 
-		return nil
+	return nil
+}
+
+// setupMockForUnitTests enables the mock for unit tests that don't have Docker
+// This should be called at the start of unit tests that need it
+func setupMockForUnitTests() func() {
+	original := leeway.ExtractImageWithOCILibs
+	leeway.ExtractImageWithOCILibs = mockExtractImageWithOCILibs
+	return func() {
+		leeway.ExtractImageWithOCILibs = original
 	}
 }
 
 func TestBuildDockerDeps(t *testing.T) {
+	// Enable mock for this test since it uses dummy docker (not real Docker)
+	// Without the mock, container extraction would fail because dummy docker
+	// doesn't create real images or OCI tars
+	restoreMock := setupMockForUnitTests()
+	defer restoreMock()
+
 	if *testutil.Dut {
 		pth, err := os.MkdirTemp("", "")
 		if err != nil {
@@ -540,6 +554,12 @@ func TestDockerPackage_BuildContextOverride(t *testing.T) {
 }
 
 func TestDockerPostProcessing(t *testing.T) {
+	// Enable mock for this test since it uses dummy docker (not real Docker)
+	// Without the mock, container extraction would fail because dummy docker
+	// doesn't create real images or OCI tars
+	restoreMock := setupMockForUnitTests()
+	defer restoreMock()
+
 	if *testutil.Dut {
 		pth, err := os.MkdirTemp("", "")
 		if err != nil {