feat: implement OCI image analysis

.eslintrc.json

@@ -18,11 +18,11 @@
   ],
   "rules": {
     "curly": "warn",
-    "eqeqeq": "warn",
+    "eqeqeq": ["warn", "always", {"null": "never"}],
     "no-throw-literal": "warn",
     "sort-imports": "warn"
   },
   "ignorePatterns": [
     "integration"
   ]
-}
+}

.github/workflows/pr.yml

@@ -70,6 +70,17 @@ jobs:
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v4
 
+      - name: Setup syft
+        uses: jaxxstorm/action-install-gh-release@v1.10.0
+        with:
+          repo: anchore/syft
+          platform: linux
+          arch: amd64
+          # tag: the latest one, so we can catch changes
+
+      - name: Setup skopeo
+        run: sudo apt update && sudo apt-get -y install skopeo
+
       - name: Install project modules
         run: npm ci
 

.github/workflows/stage.yml

@@ -60,7 +60,6 @@ jobs:
       - name: Prepare PNPM
         run: corepack prepare pnpm@latest --activate
 
-
       - name: Setup Java 17
         uses: actions/setup-java@v4
         with:
@@ -76,6 +75,17 @@ jobs:
       - name: Setup Gradle
         uses: gradle/gradle-build-action@v3
 
+      - name: Setup syft
+        uses: jaxxstorm/action-install-gh-release@v1.10.0
+        with:
+          repo: anchore/syft
+          platform: linux
+          arch: amd64
+          # tag: the latest one, so we can catch changes
+
+      - name: Setup skopeo
+        run: sudo apt update && sudo apt-get -y install skopeo
+
       - name: Configure git
         run: |
           git config user.name "${{ github.actor }}"

src/analysis.js

@@ -1,10 +1,11 @@
 import fs from "node:fs";
 import path from "node:path";
-import {EOL} from "os";
-import {RegexNotToBeLogged, getCustom} from "./tools.js";
+import { EOL } from "os";
+import { RegexNotToBeLogged, getCustom } from "./tools.js";
 import { HttpsProxyAgent } from "https-proxy-agent";
+import { generateImageSBOM, parseImageRef } from "./oci_image/utils.js";
 
-export default { requestComponent, requestStack, validateToken }
+export default { requestComponent, requestStack, requestImages, validateToken }
 
 const rhdaTokenHeader = "rhda-token";
 const rhdaSourceHeader = "rhda-source"
@@ -133,6 +134,52 @@
 	return Promise.resolve(result)
 }
 
+/**
+ *
+ * @param {Array<string>} imageRefs
+ * @param {string} url
+ * @param {{}} [opts={}] - optional various options to pass along the application
+ * @returns {Promise<string|import('@trustification/exhort-api-spec/model/v4/AnalysisReport').AnalysisReport>}
+ */
+async function requestImages(imageRefs, url, html = false, opts = {}) {
+	const imageSboms = {}
+	for (const image of imageRefs) {
+		const parsedImageRef = parseImageRef(image)
+		imageSboms[parsedImageRef.getPackageURL().toString()] = generateImageSBOM(parsedImageRef)
+	}
+
+	const resp = await fetch(`${url}/api/v4/batch-analysis`, {
+		method: 'POST',
+		headers: {
+			'Accept': html ? 'text/html' : 'application/json',
+			'Content-Type': 'application/vnd.cyclonedx+json',
+			...getTokenHeaders(opts)
+		},
+		body: JSON.stringify(imageSboms),
+	})
+
+	if(resp.status === 200) {
+		let result;
+		if (!html) {
+			result = await resp.json()
+		} else {
+			result = await resp.text()
+		}
+		if (process.env["EXHORT_DEBUG"] === "true") {
+			let exRequestId = resp.headers.get("ex-request-id");
+			if (exRequestId) {
+				console.log("Unique Identifier associated with this request - ex-request-id=" + exRequestId)
+			}
+			console.log("Response body received from exhort server : " + EOL + EOL)
+			console.log(JSON.stringify(result, null, 4))
+			console.log("Ending time of sending component analysis request to exhort server= " + new Date())
+		}
+		return result
+	} else {
+		throw new Error(`Got error response from exhort backend - http return code : ${resp.status}, ex-request-id: ${resp.headers.get("ex-request-id")}  error message =>  ${await resp.text()}`)
+	}
+}
+
 /**
  *
  * @param url the backend url to send the request to

src/index.js

@@ -7,7 +7,7 @@ import { getCustom } from "./tools.js";
 import.meta.dirname
 import * as url from 'url';
 
-export default { componentAnalysis, stackAnalysis, validateToken }
+export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken }
 
 export const exhortDevDefaultUrl = 'https://exhort.stage.devshift.net';
 
@@ -148,6 +148,39 @@ async function componentAnalysis(manifest, opts = {}) {
 	return await analysis.requestComponent(provider, manifest, theUrl, opts) // throws error request sending failed
 }
 
+/**
+ * @overload
+ * @param {Array<string>} imageRefs
+ * @param {true} html
+ * @param {object} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+
+/**
+ * @overload
+ * @param {Array<string>} imageRefs
+ * @param {false} html
+ * @param {object} [opts={}]
+ * @returns {Promise<import('@trustification/exhort-api-spec/model/v4/AnalysisReport').AnalysisReport}
+ * @throws {Error}
+ */
+
+/**
+ * Get image analysis report for a set of OCI image references.
+ * @overload
+ * @param {Array<string>} imageRefs - OCI image references
+ * @param {boolean} [html=false] - true will return a html string, false will return AnalysisReport
+ * @param {{}} [opts={}] - optional various options to pass along the application
+ * @returns {Promise<string|import('@trustification/exhort-api-spec/model/v4/AnalysisReport').AnalysisReport}
+ * @throws {Error} if manifest inaccessible, no matching provider, failed to get create content,
+ * 		or backend request failed
+ */
+async function imageAnalysis(imageRefs, html = false, opts = {}) {
+	theUrl = selectExhortBackend(opts)
+	return await analysis.requestImages(imageRefs, theUrl, opts)
+}
+
 /**
  * Validates the Exhort token.
  * @param {object} [opts={}] - Optional parameters, potentially including token override.