From 532a6c77f388d2e06ec12338df9ea97d955f5edc Mon Sep 17 00:00:00 2001 From: Matus Marhefka Date: Thu, 16 Jan 2020 15:39:37 +0100 Subject: [PATCH] utils/oscap-podman: Detect ambiguous scan target In case that a container image and a running container have the same name, `oscap-podman` scans container image and a running container is skipped. This might be unexpected and might cause a confusion for user. Therefore, this commit adds a code which detects such situation and rather informs user about ambiguous scan target and terminates. In such cases the unique container image/container ID should be used for specifying the target of the scan. --- utils/oscap-podman | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/utils/oscap-podman b/utils/oscap-podman index 272afd988..32ec0cfcb 100755 --- a/utils/oscap-podman +++ b/utils/oscap-podman @@ -65,17 +65,30 @@ if grep -q "\-\-remediate" <<< "$@"; then die fi +IMAGE_NAME=$(podman image exists "$1" \ + && podman image inspect --format "{{.Id}} {{.RepoTags}}" "$1") +CONTAINER_NAME=$(podman container exists "$1" \ + && podman container inspect --format "{{.Id}} {{.Name}}" "$1") + +if [ -n "$IMAGE_NAME" ] && [ -n "$CONTAINER_NAME" ]; then + echo "Ambiguous target, container image and container with the same name detected: '$1'." >&2 + echo "Please rather use an unique ID to specify the target of the scan." >&2 + die +fi + # Check if the target of scan is image or container. CLEANUP=0 -if podman images | grep -q $1; then +if [ -n "$IMAGE_NAME" ]; then ID=$(podman create $1) || die - IMG_NAME=$(podman images --format "{{.ID}} ({{.Repository}}:{{.Tag}})" | grep -m1 $1) - TARGET="podman-image://$IMG_NAME" + TARGET="podman-image://$IMAGE_NAME" CLEANUP=1 -else +elif [ -n "$CONTAINER_NAME" ]; then # If the target was not found in images we suppose it is a container. ID=$1 - TARGET="podman-container://$1" + TARGET="podman-container://$CONTAINER_NAME" +else + echo "Target of the scan not found: '$1'." >&2 + die fi # podman init creates required files such as: /run/.containerenv - we don't care about output and exit code