[Skims] Analyze Docker Images
Problem to solve
Skims is still not able to read and analyze Docker images.
Intended users
Skims and ARM users
Permissions and Security
Proposal
The main purpose is to obtain the Docker image (as a .tar) from the client's projects so that its full set of dependencies can be analyzed.
Test plan
Steps
- Make sure that the code contributions checklist has been followed.
- Obtain the client's registry, with their credentials securely scoped in the view.
- Ensure that those credentials securely reach Skims.
- Support each registry as a separate case (Azure, DockerHub, GitHub, GitLab).
- Enable Skims to analyze the .tar file by listing the dependencies and reporting vulnerabilities in them.
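Added example for the last step (not Skims' code): replay the layers of a `docker save` tarball to recover the OS package databases of the final filesystem, then list the Debian packages they declare. The database paths are the distro defaults, the `.wh.` whiteout convention is the standard layer format, and the three-layer image is constructed inline; none of these come from this page.

```python
import io
import json
import tarfile

# Distro-default paths of the OS package DBs named in the Languages list (assumed; not Skims' own).
PACKAGE_DBS = ("var/lib/dpkg/status", "lib/apk/db/installed")

def _tar_bytes(files):
    """Build an in-memory tar from {path: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def collect_package_dbs(image_fileobj):
    """Replay `docker save` layers in manifest order; return {db_path: text} for known package DBs."""
    found = {}
    with tarfile.open(fileobj=image_fileobj) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_blob = io.BytesIO(image.extractfile(layer_name).read())
            with tarfile.open(fileobj=layer_blob) as layer:
                for member in layer.getmembers():
                    path = member.name.removeprefix("./")
                    head, _, base = path.rpartition("/")
                    if base.startswith(".wh."):  # AUFS/OCI whiteout: this layer deletes the named file
                        found.pop(f"{head}/{base[4:]}".lstrip("/"), None)
                    elif member.isfile() and path in PACKAGE_DBS:
                        found[path] = layer.extractfile(member).read().decode()  # later layers win
    return found

def parse_dpkg_status(text):
    """Return {package: version} from a dpkg status DB (blank-line-separated stanzas)."""
    fields = [dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
              for stanza in text.split("\n\n")]
    return {f["Package"]: f["Version"] for f in fields if "Package" in f}

def build_sample_image():
    """Constructed 3-layer image (not real): base ships both DBs, layer 2 upgrades openssl, layer 3 deletes the APK DB."""
    base = b"Package: openssl\nVersion: 1.1.1n-0\n\nPackage: bash\nVersion: 5.1-2\n"
    layers = {
        "a/layer.tar": _tar_bytes({PACKAGE_DBS[0]: base, PACKAGE_DBS[1]: b"P:musl\n"}),
        "b/layer.tar": _tar_bytes({PACKAGE_DBS[0]: base.replace(b"1n-0", b"1w-0")}),
        "c/layer.tar": _tar_bytes({"lib/apk/db/.wh.installed": b""}),
    }
    layers["manifest.json"] = json.dumps([{"Layers": list(layers)}]).encode()
    return io.BytesIO(_tar_bytes(layers))
```

For a real image, pass `open("image.tar", "rb")` to `collect_package_dbs`; only the upgraded openssl version from the top layer and no APK database survive the replay of the sample.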
Languages
- Alpine (APK db)
- Arch Linux (alpm db)
- C++ (Optional)
  - conanfile.txt
  - conan.lock
  - conaninfo.txt
- Dart (pubspec.lock) (Optional)
- Debian (dpkg DB)
- Dotnet
  - *.deps.json
  - project
- Elixir (mix.lock) (Optional)
- Erlang (Optional)
  - rebar.lock
  - rebarv2.lock
  - otp app (*.app)
- Github (Optional)
  - workflow
  - composite action
- Golang
  - mod
  - sum
- Haskell (Optional)
  - stack.lock
  - stack.yaml
  - cabal.project.freeze
- Java
  - gradle.lock
  - java manifest
  - pom.properties
  - pom.xml
  - tar file
  - zip file
- javascript
  - package.json
  - package.lock
  - pnpm.lock
  - yarn.lock
    - validate whether it is a development dependency using the package.json that must be in the same path (Optional)
- nix (nix store paths)
- php
  - composer.lock
    - validate dev packages
  - installed json
  - serialized
- Python
  - pip file lock
  - poetry lock
    - the packages have a category named category = "dev"
  - requirements
  - setup
  - wheel egg metadata
  - wheel egg record
- R (DESCRIPTION)
- RedHat
  - rpm db
  - rpm manifest
  - rpm archive
- Ruby
  - gemfile.lock
    - specify the Ruby version as a dependency
  - gemspec
- Rust
  - audit binary
  - cargo.lock
- Swift (Optional)
  - Podfile.lock
  - Package.resolved
- Wordpress (plugin)
What does success look like, and how can we measure that?
Links / references
Edited by Diego Restrepo