Currently the tool accepts CVE/Image:tag pairs. Red Hat Advanced Cluster Security produces CVE reports with all images referenced by digest.
It is possible to remove the digest and pass that to the cve-analyser, but the results are less complete because the "latest" tag is not used for all image repos.
Add a mapping function to map image digests to image tags. I did this in my bash script like this:
    # Map a digest-pinned image reference (host/repo@sha256:...) to the tag the
    # catalog lists for its amd64 manifest. Expects CATALOG_API (catalog base URL)
    # and METADATA_DIR (cache directory) to be set by the caller.
    function digest_to_tag() {
        local image_name="${1}"
        if [[ ! "${image_name}" =~ "@" ]]; then
            echo "Image does not appear to contain digest" >&2
            return 1
        fi
        # repository path with the registry host stripped, e.g. rhel8/postgresql-12
        local image_repo
        image_repo=$(echo "${image_name}" | awk -F\@ '{print $1}' | awk '{sub(/\//," ");$1=$1;print $2}')
        # the part after "@" is the manifest list digest
        local image_digest
        image_digest=$(echo "${image_name}" | awk -F\@ '{print $NF}')
        local image_metadata_file="${METADATA_DIR}/$(echo "${image_repo}" | sed 's|/|_|g')_images.json"
        # pull all past images if we don't have the file already
        # (only the first page of 500 entries is fetched; older digests need further pages)
        if [ ! -e "${image_metadata_file}" ]; then
            curl -s "${CATALOG_API}/${image_repo}/images?page_size=500&page=0" > "${image_metadata_file}"
        fi
        # find the amd64 entry whose manifest list digest matches and print its tag
        jq -r -c ".data[] | select((.repositories[0].manifest_list_digest == \"${image_digest}\") and .parsed_data.architecture == \"amd64\") | .repositories[].tags[0].name" "${image_metadata_file}"
    }
It's ugly and much slower than I would think Go can do, but it works. There might be a better way, but looking at the full image repo metadata and finding the arch/digest that matches seems to work pretty well.
There are a few options for how an image digest can be converted to the container repository and tag.
Dumping the full list of all images' digests from the catalog and searching that list later is one option. It is also possible to check the container image metadata and gather the container repository and tag from there. OpenShift cluster admins can do that by using the oc image info command.
I will think about how to implement such functionality in the cve-analyser tool.
Thank you for pointing this out.
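The "dump the catalog and search it" option discussed in the issue and in the reply above, as an added Go example (not code from the cve-analyser project or from either commenter): it splits a digest-pinned reference into registry, repository and digest the way the awk pipeline does, then searches a catalog dump for the amd64 entry whose manifest-list digest matches and returns its tag, the same selection the jq filter performs. The JSON field paths (data[].parsed_data.architecture, data[].repositories[].manifest_list_digest, data[].repositories[].tags[].name) are taken from the jq query in the issue; the sample catalog document and the sha256 values in it are constructed for the example, and nothing else about the catalog API is assumed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Catalog mirrors only the fields of the catalog response that the lookup
// needs; the field paths come from the jq filter in the issue.
type Catalog struct {
	Data []CatalogImage `json:"data"`
}

type CatalogImage struct {
	ParsedData struct {
		Architecture string `json:"architecture"`
	} `json:"parsed_data"`
	Repositories []struct {
		ManifestListDigest string `json:"manifest_list_digest"`
		Tags               []struct {
			Name string `json:"name"`
		} `json:"tags"`
	} `json:"repositories"`
}

// ImageRef is a digest-pinned image reference split into its parts.
type ImageRef struct {
	Registry string // e.g. registry.redhat.io
	Repo     string // e.g. rhel8/postgresql-12 (registry host stripped)
	Digest   string // e.g. sha256:...
}

// ParseDigestRef splits "host/ns/name@sha256:..." into registry, repository
// and digest. References without "@" are rejected, as the bash version does.
func ParseDigestRef(ref string) (ImageRef, error) {
	name, digest, ok := strings.Cut(ref, "@")
	if !ok || digest == "" {
		return ImageRef{}, fmt.Errorf("image %q does not contain a digest", ref)
	}
	if !strings.HasPrefix(digest, "sha256:") {
		return ImageRef{}, fmt.Errorf("unsupported digest %q", digest)
	}
	registry, repo, ok := strings.Cut(name, "/")
	if !ok || repo == "" {
		return ImageRef{}, fmt.Errorf("image %q has no registry/repository separator", ref)
	}
	return ImageRef{Registry: registry, Repo: repo, Digest: digest}, nil
}

// TagForDigest returns the first tag of the catalog entry for arch whose
// manifest-list digest equals ref.Digest (the Go counterpart of the jq select()).
// A miss is reported as an error so a caller never silently gets an empty tag;
// a miss can also mean the dump did not cover every catalog page.
func TagForDigest(cat Catalog, ref ImageRef, arch string) (string, error) {
	for _, img := range cat.Data {
		if img.ParsedData.Architecture != arch || len(img.Repositories) == 0 {
			continue
		}
		if img.Repositories[0].ManifestListDigest != ref.Digest {
			continue
		}
		for _, r := range img.Repositories {
			if len(r.Tags) > 0 && r.Tags[0].Name != "" {
				return r.Tags[0].Name, nil
			}
		}
	}
	return "", errors.New("digest not found in catalog dump (is every page included?)")
}

// LookupTag parses a catalog dump and resolves one digest reference to a tag.
func LookupTag(catalogJSON []byte, ref string) (string, error) {
	parsed, err := ParseDigestRef(ref)
	if err != nil {
		return "", err
	}
	var cat Catalog
	if err := json.Unmarshal(catalogJSON, &cat); err != nil {
		return "", fmt.Errorf("decode catalog dump: %w", err)
	}
	return TagForDigest(cat, parsed, "amd64")
}

// sampleCatalog is a constructed dump: the same manifest list appears once per
// architecture, which is why the lookup filters on amd64 to avoid duplicates.
const sampleCatalog = `{"data":[
 {"parsed_data":{"architecture":"amd64"},
  "repositories":[{"manifest_list_digest":"sha256:aaaa","tags":[{"name":"1-100"}]}]},
 {"parsed_data":{"architecture":"s390x"},
  "repositories":[{"manifest_list_digest":"sha256:aaaa","tags":[{"name":"1-100"}]}]},
 {"parsed_data":{"architecture":"amd64"},
  "repositories":[{"manifest_list_digest":"sha256:bbbb","tags":[{"name":"1-99"}]}]}
]}`

func main() {
	tag, err := LookupTag([]byte(sampleCatalog), "registry.redhat.io/rhel8/postgresql-12@sha256:aaaa")
	fmt.Println(tag, err)
}
```

Resolving by manifest-list digest and architecture keeps the mapping exact: a tag found this way refers to precisely the bytes the ACS report scanned, whereas stripping the digest and guessing "latest" can make the tool score a different build than the one actually deployed.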