fix: improve subprocess spawning portability

Author: adrobuta

lib/analyzer/image-inspector.ts

@@ -212,8 +212,11 @@ async function getImageArchive(
 
   try {
     inspectResult = await getInspectResult(docker, targetImage);
-  } catch {
-    debug(`${targetImage} does not exist locally, proceeding to pull image.`);
+  } catch (error) {
+    debug(
+      `${targetImage} does not exist locally, proceeding to pull image.`,
+      error.stack || error,
+    );
   }
 
   if (inspectResult === undefined) {

lib/sub-process.ts

@@ -1,5 +1,4 @@
 import * as childProcess from "child_process";
-import { quoteAll } from "shescape/stateless";
 
 export { execute, CmdOutput };
 interface CmdOutput {
@@ -13,13 +12,15 @@ function execute(
   options?,
 ): Promise<CmdOutput> {
   const spawnOptions: any = {
-    shell: process.platform !== "win32" ? "/bin/bash" : true,
+    // Some distributions may not have /bin/bash, which would cause `child_process.spawn` to fail.
+    // By setting `shell: false`, we tell `spawn` to execute the command directly without a shell,
+    // which is more portable.
+    shell: false,
     env: { ...process.env },
   };
   if (options && options.cwd) {
     spawnOptions.cwd = options.cwd;
   }
-  args = quoteAll(args, { ...spawnOptions, flagProtection: false });
 
   // Before spawning an external process, we look if we need to restore the system proxy configuration,
   // which overrides the cli internal proxy configuration.

package-lock.json

@@ -45,7 +45,6 @@
     "mkdirp": "^1.0.4",
     "packageurl-js": "1.2.0",
     "semver": "^7.6.3",
-    "shescape": "2.1.0",
     "snyk-nodejs-lockfile-parser": "^2.0.0",
     "snyk-poetry-lockfile-parser": "^1.4.0",
     "snyk-resolve-deps": "^4.7.1",

package.json

@@ -1,5 +1,6 @@
 import { DepGraph } from "@snyk/dep-graph";
 import * as plugin from "../../lib";
+import * as subProcess from "../../lib/sub-process";
 import { getFixture } from "../util";
 
 describe("plugin", () => {
@@ -91,6 +92,35 @@ describe("plugin", () => {
     });
   });
 
+  describe("when scanning a locally loaded image", () => {
+    const imageName = "busybox";
+    const imageTag = "latest";
+    const imageNameWithTag = `${imageName}:${imageTag}`;
+
+    beforeAll(async () => {
+      const fixturePath = getFixture([
+        "../fixtures/docker-archives",
+        "skopeo-copy/busybox.tar",
+      ]);
+      await subProcess.execute("docker", ["load", "--input", fixturePath]);
+    }, 10000); // 10s timeout for loading image
+
+    afterAll(async () => {
+      await subProcess.execute("docker", ["rmi", imageNameWithTag]);
+    });
+
+    test("should successfully scan a local image loaded from a tar archive", async () => {
+      const pluginResult = await plugin.scan({ path: imageNameWithTag });
+      const depGraph: DepGraph = pluginResult.scanResults[0].facts.find(
+        (fact) => fact.type === "depGraph",
+      )!.data;
+
+      expect(depGraph.rootPkg.name).toEqual(`docker-image|${imageName}`);
+      expect(depGraph.rootPkg.version).toEqual(imageTag);
+      expect(pluginResult.scanResults[0].identity.type).toEqual("linux");
+    });
+  });
+
   test("image pulled by tag has version set", async () => {
     const imageNameAndTag = `nginx:1.19.0`;