feat: Prefer local image (#381)

Signed-off-by: Peter Engelbert <[email protected]>
Signed-off-by: Peter Engelbert <[email protected]>
Co-authored-by: Sertaç Özercan <[email protected]>

.github/workflows/scripts/buildkitenvs/docker/custom-unix

@@ -25,7 +25,7 @@ _check_docker_dind() {
 }
 
 while ! _check_docker_dind; do
-    check_docker_dind || sleep 1
+    _check_docker_dind || sleep 1
 done
 
-export COPA_BUILDKIT_ADDR="docker://unix://${sock_dir}/docker.sock"
+export COPA_BUILDKIT_ADDR="docker://unix://${sock_dir}/docker.sock"

go.mod

@@ -5,8 +5,8 @@ go 1.20
 require (
 	github.com/aquasecurity/trivy v0.45.1
 	github.com/containerd/console v1.0.3
-	github.com/containerd/containerd v1.7.8
 	github.com/cpuguy83/dockercfg v0.3.1
+	github.com/cpuguy83/go-docker v0.2.1
 	github.com/distribution/reference v0.5.0
 	github.com/docker/buildx v0.11.2
 	github.com/docker/cli v24.0.7+incompatible
@@ -26,10 +26,9 @@ require (
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
 	golang.org/x/sync v0.4.0
 	google.golang.org/grpc v1.59.0
+	k8s.io/apimachinery v0.28.1
 )
 
-require github.com/containerd/log v0.1.0 // indirect
-
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
@@ -41,10 +40,10 @@ require (
 	github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/containerd/containerd v1.7.8 // indirect
 	github.com/containerd/continuity v0.4.2 // indirect
-	github.com/containerd/ttrpc v1.2.2 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
-	github.com/cpuguy83/go-docker v0.2.1
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker v24.0.7+incompatible // indirect
@@ -141,7 +140,6 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apimachinery v0.28.1 // indirect
 	k8s.io/client-go v0.28.1 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect

go.sum

@@ -99,7 +99,6 @@ github.com/containerd/nydus-snapshotter v0.8.2 h1:7SOrMU2YmLzfbsr5J7liMZJlNi5WT6
 github.com/containerd/stargz-snapshotter v0.14.3 h1:OTUVZoPSPs8mGgmQUE1dqw3WX/3nrsmsurW7UPLWl1U=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
 github.com/containerd/ttrpc v1.2.2 h1:9vqZr0pxwOF5koz6N0N3kJ0zDHokrcPxIR/ZR2YFtOs=
-github.com/containerd/ttrpc v1.2.2/go.mod h1:sIT6l32Ph/H9cvnJsfXM5drIVzTr5A2flTf1G5tYZak=
 github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4=
 github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
 github.com/cpuguy83/dockercfg v0.3.1 h1:/FpZ+JaygUR/lZP2NlFI2DVfrOEMAIKP5wWEJdoYe9E=
@@ -376,7 +375,6 @@ github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
-github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
 github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -394,7 +392,6 @@ github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
@@ -591,7 +588,6 @@ golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -623,7 +619,6 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

integration/fixtures/test-images.json

@@ -7,6 +7,15 @@
         "description": "Valid apk/db, apk present",
         "ignoreErrors": false
     },
+    {
+        "image": "docker.io/grafana/grafana",
+        "tag": "8.5.0",
+        "localName": "registry.copacetic.test/repo/image:tag",
+        "digest": "sha256:42d3e6bc186572245aded5a0be381012adba6d89355fa9486dd81b0c634695b5",
+        "distro": "Alpine",
+        "description": "Valid apk/db, apk present, locally tagged with fully-qualified name",
+        "ignoreErrors": false
+    },
     {
         "image": "docker.io/library/nginx",
         "tag": "1.21.6",
@@ -15,6 +24,15 @@
         "description": "Valid dpkg/status, apt present",
         "ignoreErrors": false
     },
+    {
+        "image": "docker.io/library/nginx",
+        "tag": "1.21.6",
+        "digest": "sha256:2bcabc23b45489fb0885d69a06ba1d648aeda973fae7bb981bafbb884165e514",
+        "localName": "local/image:tag",
+        "distro": "Debian",
+        "description": "Valid dpkg/status, apt present, locally tagged with repo and image name",
+        "ignoreErrors": false
+    },
     {
         "image": "registry.k8s.io/kube-proxy",
         "tag": "v1.23.4",
@@ -39,6 +57,15 @@
         "description": "Custom dpkg/status.d with base64 names, no apt",
         "ignoreErrors": false
     },
+    {
+        "image": "docker.io/fluent/fluent-bit",
+        "tag": "1.8.4",
+        "digest": "sha256:2d80c13c2e7e06aa6a2e54a1825c6adbb3829c8a133ff617a0a61790bd61c53d",
+        "localName": "localimage:tag",
+        "distro": "Google Distroless",
+        "description": "Custom dpkg/status.d with base64 names, no apt, locally tagged with image name only",
+        "ignoreErrors": false
+    },
     {
         "image": "docker.io/openpolicyagent/opa",
         "tag": "0.46.0",

integration/patch_test.go

@@ -8,8 +8,11 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strconv"
+	"strings"
+	"sync"
 	"testing"
 
+	"github.com/distribution/reference"
 	"github.com/opencontainers/go-digest"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -26,6 +29,7 @@ var (
 type testImage struct {
 	Image        string        `json:"image"`
 	Tag          string        `json:"tag"`
+	LocalName    string        `json:"localName,omitempty"`
 	Distro       string        `json:"distro"`
 	Digest       digest.Digest `json:"digest"`
 	Description  string        `json:"description"`
@@ -47,11 +51,29 @@ func TestPatch(t *testing.T) {
 		t.Run(img.Description, func(t *testing.T) {
 			t.Parallel()
 
+			// Only the buildkit instance running within the docker daemon can work
+			// with locally-built or locally-tagged images. As a result, skip tests
+			// for local-only images when the daemon in question is not docker itself.
+			// i.e., don't test local images in buildx or with stock buildkit.
+			if img.LocalName != "" && !strings.HasPrefix(os.Getenv(`COPA_BUILDKIT_ADDR`), "docker://") {
+				t.Skip()
+			}
+
 			dir := t.TempDir()
 			scanResults := filepath.Join(dir, "scan.json")
+
 			ref := fmt.Sprintf("%s:%s@%s", img.Image, img.Tag, img.Digest)
+			if img.LocalName != "" {
+				dockerPull(t, ref)
+				dockerTag(t, ref, img.LocalName)
+				ref = img.LocalName
+			}
+
+			r, err := reference.ParseNormalizedNamed(ref)
+			require.NoError(t, err, err)
+
 			tagPatched := img.Tag + "-patched"
-			patchedRef := fmt.Sprintf("%s:%s", img.Image, tagPatched)
+			patchedRef := fmt.Sprintf("%s:%s", r.Name(), tagPatched)
 
 			t.Log("scanning original image")
 			scanner().
@@ -77,6 +99,66 @@ func TestPatch(t *testing.T) {
 	}
 }
 
+func dockerPull(t *testing.T, ref string) {
+	dockerCmd(t, `pull`, ref)
+}
+
+func dockerTag(t *testing.T, ref, newRef string) {
+	dockerCmd(t, `tag`, ref, newRef)
+}
+
+type addrWrapper struct {
+	m       sync.Mutex
+	address *string
+}
+
+var dockerDINDAddress addrWrapper
+
+func (w *addrWrapper) addr() string {
+	w.m.Lock()
+	defer w.m.Unlock()
+
+	if w.address != nil {
+		return *w.address
+	}
+
+	w.address = new(string)
+	if addr := os.Getenv("COPA_BUILDKIT_ADDR"); addr != "" && strings.HasPrefix(addr, "docker://") {
+		*w.address = strings.TrimPrefix(addr, "docker://")
+	}
+
+	return *w.address
+}
+
+func (w *addrWrapper) env() []string {
+	a := dockerDINDAddress.addr()
+	if a == "" {
+		return []string{}
+	}
+
+	return []string{fmt.Sprintf("DOCKER_HOST=%s", a)}
+}
+
+func dockerCmd(t *testing.T, args ...string) {
+	var err error
+	if len(args) == 0 {
+		err = fmt.Errorf("no args provided")
+	}
+	require.NoError(t, err, "no args provided")
+
+	a := []string{}
+
+	if addr := dockerDINDAddress.addr(); addr != "" {
+		a = append(a, "-H", addr)
+	}
+
+	a = append(a, args...)
+
+	cmd := exec.Command(`docker`, a...)
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+}
+
 func patch(t *testing.T, ref, patchedTag, path string, ignoreErrors bool) {
 	var addrFl string
 	if buildkitAddr != "" {
@@ -96,6 +178,10 @@ func patch(t *testing.T, ref, patchedTag, path string, ignoreErrors bool) {
 		"--ignore-errors="+strconv.FormatBool(ignoreErrors),
 		"--output="+path+"/vex.json",
 	)
+
+	cmd.Env = append(cmd.Env, os.Environ()...)
+	cmd.Env = append(cmd.Env, dockerDINDAddress.env()...)
+
 	out, err := cmd.CombinedOutput()
 	require.NoError(t, err, string(out))
 }
@@ -134,8 +220,10 @@ func (s *scannerCmd) scan(t *testing.T, ref string, ignoreErrors bool) {
 	}
 
 	args = append(args, ref)
-
-	out, err := exec.Command(args[0], args[1:]...).CombinedOutput() //#nosec G204
+	cmd := exec.Command(args[0], args[1:]...) //#nosec G204
+	cmd.Env = append(cmd.Env, os.Environ()...)
+	cmd.Env = append(cmd.Env, dockerDINDAddress.env()...)
+	out, err := cmd.CombinedOutput()
 	assert.NoError(t, err, string(out))
 }