git.stella-ops.org/docs/features/unchecked/scanner/base-image-detection-and-recommendations.md

Base Image Detection and Recommendations

Module: Scanner

Status: IMPLEMENTED

Description

Base images are detected by fingerprinting layer diffIDs against a PostgreSQL-backed fingerprint database served through an in-memory index. Detection supports exact layer matches, fuzzy matching (a partial match with a confidence score), and bulk detection across many images in one operation. The IBaseImageDetector interface is fully implemented by BaseImageDetector.

Implementation Details

  • Core Detection:
    • src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/IBaseImageDetector.cs - IBaseImageDetector interface
    • src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/BaseImageDetector.cs - BaseImageDetector with exact layer match and fuzzy matching, bulk detection support
  • Layer Resolution:
    • src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/ILayerDigestResolver.cs - Interface for resolving layer digests
    • src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/LayerDigestResolver.cs - Resolves layer diffIDs for fingerprint matching
    • src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Resolution/LayerProvenance.cs - Layer provenance tracking for base image attribution
  • Layer Reuse Detection:
    • src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Reuse/ILayerReuseDetector.cs - Interface for layer reuse detection
    • src/Scanner/__Libraries/StellaOps.Scanner.Manifest/Reuse/LayerReuseDetector.cs - Detects shared layers between images for base image identification
  • DI Registration: src/Scanner/__Libraries/StellaOps.Scanner.Manifest/ManifestServiceCollectionExtensions.cs

E2E Test Plan

  • Scan an image built on a known base image (e.g., debian:bookworm) and verify IBaseImageDetector identifies the correct base image
  • Verify exact layer match identifies base images by diffID fingerprint comparison
  • Test fuzzy matching with a slightly modified base image (e.g., additional layer) and verify partial match is returned with confidence score
  • Test bulk detection by submitting multiple image references and verify all base images are identified in a single operation
  • Verify base image detection results appear in the scan report and SBOM metadata
  • Verify layer provenance tracking attributes vulnerability findings to base image vs application layers
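The detection logic described above (exact prefix match, fuzzy match with a confidence score, bulk detection, and base-versus-application layer attribution) as an added, self-contained example; this is not StellaOps code. It models the fingerprint index as an in-memory dict instead of the PostgreSQL-backed database, and every diffID below is a constructed placeholder rather than a real digest.

```python
from dataclasses import dataclass

# Constructed fingerprint index: base image reference -> ordered diffIDs of its layers.
# The diffID values are placeholders, not real sha256 digests.
BASE_IMAGES = {
    "debian:bookworm": ["sha256:aaa1", "sha256:aaa2"],
    "python:3.12-slim": ["sha256:aaa1", "sha256:aaa2", "sha256:bbb3", "sha256:bbb4"],
    "alpine:3.20": ["sha256:ccc1", "sha256:ccc2", "sha256:ccc3"],
}


@dataclass
class Match:
    base_image: str
    matched_layers: int
    confidence: float  # matched base layers / total base layers; 1.0 for an exact match
    exact: bool


def detect_base_image(diff_ids, index=BASE_IMAGES, min_confidence=0.5):
    """Return the best matching base image for an image's ordered diffIDs, or None."""
    best = None
    for name, base_layers in index.items():
        # A base image's layers must form a prefix of the scanned image's layers,
        # so compare in order and stop at the first diffID that differs.
        matched = 0
        for mine, theirs in zip(diff_ids, base_layers):
            if mine != theirs:
                break
            matched += 1
        if matched == 0:
            continue
        confidence = matched / len(base_layers)
        if confidence < min_confidence:
            continue  # too little overlap to report even as a fuzzy match
        candidate = Match(name, matched, confidence, matched == len(base_layers))
        # Prefer exact matches, then the base with the most matched layers (most specific).
        if best is None or (candidate.exact, candidate.matched_layers) > (best.exact, best.matched_layers):
            best = candidate
    return best


def detect_bulk(images, index=BASE_IMAGES):
    """Bulk detection: image reference -> Match (or None) for many images at once."""
    return {ref: detect_base_image(layers, index) for ref, layers in images.items()}


def attribute_layers(diff_ids, match):
    """Layer provenance: label each layer as inherited from the base or added by the application."""
    base_count = match.matched_layers if match else 0
    return [("base" if i < base_count else "application", d) for i, d in enumerate(diff_ids)]
```

A finding located in a layer labelled "base" can then be routed to a base-image update rather than an application fix, which is the attribution the test plan checks.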