fix(cve): push patched image with skopeo to avoid tagging of single m…

…anifest image

CVEs/Makefile

@@ -7,7 +7,7 @@
 	scan-vulns \
 	concat-multiple-kfd-images-list
 
-KFD_VERSIONS := $(shell find . -type d -name "v*" -maxdepth 1 -mindepth 1 | cut -d/ -f2 | sort )
+KFD_VERSIONS := $(shell find . -maxdepth 1 -mindepth 1 -type d -name "v*"  | cut -d/ -f2 | sort )
 DRY_RUN := 1
 PATCH_FILE_IMAGE_LIST_TO_PATCHING := all_kfd_images.txt
 

CVEs/patch_images_with_copacetic.sh

@@ -62,6 +62,7 @@ echo -n "" > "${PATCH_ERROR_OUTPUT_FILE}"
 REGISTRY_BASE_URL='registry.sighup.io/fury/'
 REGISTRY_SECURED_BASE_URL='registry.sighup.io/fury-secured/'
 RETURN_ERROR=0
+PATCH_IMAGE_RETURN_ERROR=0
 
 function patch_image() {
   local image="$1"
@@ -73,7 +74,7 @@ function patch_image() {
   secured_image_repo=$(echo ${secured_image} | cut -d: -f1)
 
   ARCHITECTURES=$(get_architecture_and_digest ${image_to_patch} | jq -r '.[].architecture' )
-  [[ -z "${ARCHITECTURES}" ]] && error "no architectures found for ${image_to_patch}" && RETURN_ERROR=$((RETURN_ERROR + 1 )) && return 1
+  [[ -z "${ARCHITECTURES}" ]] && error "no architectures found for ${image_to_patch}" && PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1 )) && return $PATCH_IMAGE_RETURN_ERROR
 
   MULTI_ARCH_IMAGES=""
 
@@ -87,7 +88,7 @@ function patch_image() {
     if ! docker pull "${image_to_patch_with_digest}" --platform linux/${ARCHITECTURE} > /dev/null 2>&1
     then
       error "Failed pull ${image_to_patch_with_digest} for linux/${ARCHITECTURE}"
-      RETURN_ERROR=$((RETURN_ERROR + 1))
+      PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1))
       continue
     fi
     # Replace with skopeo/podman if exists a command that get imageId
@@ -151,19 +152,30 @@ function patch_image() {
       secured_image_labeled_image_id=$(docker inspect "${secured_image_with_tag_arch}" --format '{{.Id}}')
       if [ ${DRY_RUN:-1} -eq 0 ]
       then
-        info "Push secure image: ${secured_image_with_tag_arch}"
-        docker push $(docker inspect ${secured_image_with_tag_arch} --format '{{json .RepoDigests}}' | jq '.[0]' -r)
-        MULTI_ARCH_IMAGES="${secured_image_with_tag_arch} ${MULTI_ARCH_IMAGES}"
+        secured_image_labeled_digest=$(skopeo_run "skopeo inspect docker-daemon:${secured_image_with_tag_arch}" | jq -r '.Digest')
+        secured_image_with_digest=${secured_image_repo}@${secured_image_labeled_digest}
+        info "Push secure image: ${secured_image_with_digest}"
+        skopeo_run "skopeo copy \
+          --authfile=\$DOCKER_CONFIG/config.json \
+          docker-daemon:${secured_image_with_tag_arch} \
+          docker://${secured_image_with_digest}"
+        if [ $? -eq 0 ]
+        then
+          success "${secured_image_with_tag_arch} pushed with image id: ${secured_image_labeled_image_id}"
+        else
+          PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1))
+          error "failed to push ${secured_image_with_tag_arch} with image id: ${secured_image_labeled_image_id}"
+        fi
+        MULTI_ARCH_IMAGES="${secured_image_with_digest} ${MULTI_ARCH_IMAGES}"
       fi
       sed -i'.unsecured' s#"${image_patched}"#"${secured_image}"# "${PATCH_REPORT_OUTPUT_FILE}"
-      sed -i'.unsecured' s#"${image_patched_hashimage_patched_image_id}"#"${secured_image_labeled_image_id}"# "${PATCH_REPORT_OUTPUT_FILE}"
+      sed -i'.unsecured' s#"${image_patched_image_id}"#"${secured_image_labeled_image_id}"# "${PATCH_REPORT_OUTPUT_FILE}"
       rm "${PATCH_REPORT_OUTPUT_FILE}.unsecured"
       info "Cleanup ${image_patched}"
       buildctl --addr tcp://127.0.0.1:8888 prune
       docker rmi -f "${image_patched}"
       info "cleanup ${secured_image_with_tag_arch}"
       docker rmi -f "${secured_image_with_tag_arch}"
-      success "${secured_image_with_tag_arch} pushed with image id: ${secured_image_labeled_image_id}"
     else
       if [ "${image_to_patch}" != "${secured_image}" ]
       then
@@ -189,24 +201,32 @@ function patch_image() {
   if [ ${DRY_RUN:-1} -eq 0 ] && [[ -n ${MULTI_ARCH_IMAGES} ]]
   then
     info "Create and push manifest ${secured_image}"
-    podman_run "podman manifest create ${secured_image} ${MULTI_ARCH_IMAGES} && podman manifest push ${secured_image}"
-    success "manifest ${secured_image} pushed"
+    if podman_run "podman manifest create ${secured_image} ${MULTI_ARCH_IMAGES} && podman manifest push ${secured_image}"
+    then
+      success "manifest ${secured_image} pushed"
+    else
+      error "failed pushing manifest ${secured_image}"
+      PATCH_IMAGE_RETURN_ERROR=$((PATCH_IMAGE_RETURN_ERROR + 1))
+    fi
   fi
 
   echo "================================================================"
   echo ""
-  return 0
+  return $PATCH_IMAGE_RETURN_ERROR
 }
 
 function patch_from_list(){
   while IFS= read -r image; do
     patch_image "${image}"
+    RETURN_ERROR=$(($RETURN_ERROR + PATCH_IMAGE_RETURN_ERROR))
+    PATCH_IMAGE_RETURN_ERROR=0
   done
 }
 
 if [ -n "${IMAGE_TO_PATCH}" ]
 then
   patch_image "${IMAGE_TO_PATCH}"
+  RETURN_ERROR=$(($RETURN_ERROR + PATCH_IMAGE_RETURN_ERROR))
 else
   [[ ! -f "${FILE_WITH_IMAGES_LIST_TO_PATCH}" ]] && fail "Missing image list files"
   patch_from_list < "${FILE_WITH_IMAGES_LIST_TO_PATCH}"

CVEs/utils.sh

@@ -13,7 +13,7 @@ function podman_run(){
 }
 
 function skopeo_run(){
-  docker run --rm -v ${DOCKER_CONFIG}:${DOCKER_CONFIG} -e DOCKER_CONFIG="${DOCKER_CONFIG}" --entrypoint bash quay.io/skopeo/stable:v1.13 -c "$*"
+  docker run --rm -v ${DOCKER_CONFIG}:${DOCKER_CONFIG} -v /var/run/docker.sock:/var/run/docker.sock -e DOCKER_CONFIG="${DOCKER_CONFIG}" --entrypoint bash quay.io/skopeo/stable:v1.16 -c "$*"
 }
 
 function get_architecture_and_digest(){