report: improve functionality with locally saved images

Previously the locally saved image flow was at best confusing and at
worst just wrong for some cases. This change simplified the handling of
local images and reduces resources that were previously allocated for no
good reason. Tests were also added to verify both docker and podman
saved images work as expected. The application now expects all saved
images to follow the OCI spec https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md

Signed-off-by: crozzy <[email protected]>

Author: crozzy

README.md

@@ -253,7 +253,7 @@ Following inputs can be used as `step.with` keys
 | Name                | Type   | Required | default          | Description                                                                                                                                                                                |
 | ------------------- | ------ | -------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | `image-ref`         | String | yes*     | -                | The reference to an image in a container registry, currently this needs to be public (e.g., `quay.io/projectquay/clair:nightly`)                                                           |
-| `image-path`        | String | yes*     | -                | Where on the filesystem the image was saved, i.e. the --output-flag from the `docker save` command the action require either this or `image-ref` to be defined (e.g., `/tmp/my-image.tar`) |
+| `image-path`        | String | yes*     | -                | Where on the filesystem the image was saved, i.e. the --output-flag from the `docker save` command the action require either this or `image-ref` to be defined (e.g., `/tmp/my-image.tar`). The image must follow the OCI Image Spec https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md (this means using the `--format oci-archive` flag for `podman save`).|
 | `format`            | String | no       | `clair`          | The output format of the report, currently `clair`, `sarif` and `quay` are supported.                                                                                                      |
 | `output`            | String | yes      | -                | The file path where the report gets saved (e.g., /tmp/my-image-report.sarif)                                                                                                               |
 | `return-code`       | String | no       | `0`              | A code to return from the process if Clair found vulnerabilities. (e.g., `1`)                                                                                                              |

cmd/clair-action/report.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/quay/claircore"
 	"github.com/quay/claircore/enricher/cvss"
 	"github.com/quay/claircore/indexer"
 	"github.com/quay/claircore/libindex"
@@ -127,8 +128,8 @@ func report(c *cli.Context) error {
 	)
 
 	var (
-		img image.Image
-		fa  indexer.FetchArena
+		mf *claircore.Manifest
+		fa indexer.FetchArena
 	)
 	switch {
 	case imgRef != "":
@@ -138,17 +139,25 @@ func report(c *cli.Context) error {
 		if err != nil {
 			return fmt.Errorf("error setting DOCKER_CONFIG env var")
 		}
-		img = image.NewDockerRemoteImage(ctx, imgRef)
+		mf, err = image.ManifestFromRemote(ctx, imgRef)
+		if err != nil {
+			return fmt.Errorf("error getting image information: %v", err)
+		}
 	case imgPath != "":
 		fa = &LocalFetchArena{}
 		var err error
-		img, err = image.NewDockerLocalImage(ctx, imgPath, os.TempDir())
+		mf, err = image.ManifestFromLocal(ctx, imgPath, os.TempDir())
 		if err != nil {
 			return fmt.Errorf("error getting image information: %v", err)
 		}
 	default:
 		return fmt.Errorf("no $IMAGE_PATH / --image-path or $IMAGE_REF / --image-ref set")
 	}
+	defer func() {
+		for _, l := range mf.Layers {
+			l.Close()
+		}
+	}()
 
 	switch {
 	case dbPath != "":
@@ -186,11 +195,6 @@ func report(c *cli.Context) error {
 		return fmt.Errorf("error creating Libvuln: %v", err)
 	}
 
-	mf, err := img.GetManifest(ctx)
-	if err != nil {
-		return fmt.Errorf("error creating manifest: %v", err)
-	}
-
 	indexerOpts := &libindex.Options{
 		Store:      datastore.NewLocalIndexerStore(),
 		Locker:     NewLocalLockSource(),