From cd0fbfad6f7aa51b9b55128c458eda5acb1b7854 Mon Sep 17 00:00:00 2001
From: Gerald Pinder
Date: Sat, 5 Oct 2024 22:09:50 -0400
Subject: [PATCH] fix: Ensure the correct digest is used for docker and podman inspect drivers
---
 process/drivers/docker_driver.rs | 22 +++++++++++++++++++++-
 process/drivers/podman_driver.rs | 22 +++++++++++++++++++++-
 2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/process/drivers/docker_driver.rs b/process/drivers/docker_driver.rs
index e587445..624c3f1 100644
--- a/process/drivers/docker_driver.rs
+++ b/process/drivers/docker_driver.rs
@@ -66,9 +66,22 @@ impl TryFrom> for ImageMetadata {
 bail!("Metadata requires at least 1 digest:\n{value:#?}");
 }
 
+ let index = value
+ .repo_digests
+ .iter()
+ .enumerate()
+ .find(|(_, repo_digest)| verify_image(repo_digest))
+ .map(|(index, _)| index)
+ .ok_or_else(|| {
+ miette!(
+ "No repo digest could be verified:\n{:?}",
+ &value.repo_digests
+ )
+ })?;
+
 let digest: Reference = value
 .repo_digests
- .swap_remove(0)
+ .swap_remove(index)
 .parse()
 .into_diagnostic()?;
 let digest = digest
@@ -83,6 +96,13 @@ impl TryFrom> for ImageMetadata {
 }
 }
 
+fn verify_image(repo_digest: &str) -> bool {
+ let mut command = cmd!("docker", "pull", repo_digest);
+ trace!("{command:?}");
+
+ command.output().is_ok_and(|out| out.status.success())
+}
+
 #[derive(Debug, Deserialize)]
 struct DockerVerisonJsonClient {
 #[serde(alias = "Version")]
diff --git a/process/drivers/podman_driver.rs b/process/drivers/podman_driver.rs
index 2538d46..3b5363b 100644
--- a/process/drivers/podman_driver.rs
+++ b/process/drivers/podman_driver.rs
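Review bot: In the docker_driver.rs `TryFrom` hunk, each entry of `repo_digests` is passed to `docker pull` as a raw string before anything has parsed it as a `Reference`, and the first entry that pulls is taken as the image's digest. Parsing first keeps malformed values away from the CLI and also shortens the chain: `.position(|repo_digest| repo_digest.parse::<Reference>().is_ok() && verify_image(repo_digest))` in place of the `enumerate()`/`find()`/`map()` lines. A comment such as `// Reachability check only: picks the first digest this host can pull, no signature is checked` would keep readers from reading "verified" as more than that. The matching hunk in podman_driver.rs has the same shape; the function body starts and ends outside both hunks.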
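Review bot: `verify_image` in docker_driver.rs discards the captured output of a failed `docker pull`, so an expired login, a rate limit or a registry outage is indistinguishable from a digest that does not exist, and the caller only reports "No repo digest could be verified". Logging the failure reason keeps that diagnosable; the sketch below assumes `output()` returns `std::process::Output`, as the `out.status.success()` call suggests. A doc comment stating that the function performs a network pull and returns true only when the command exits successfully would also help, since the name reads like a signature check. The `verify_image` added in podman_driver.rs is the same apart from the binary name.

```rust
fn verify_image(repo_digest: &str) -> bool {
    // … unchanged: command construction and trace …
    match command.output() {
        Ok(out) if out.status.success() => true,
        Ok(out) => {
            trace!(
                "pull of {repo_digest} failed: {}",
                String::from_utf8_lossy(&out.stderr)
            );
            false
        }
        Err(err) => {
            trace!("could not run pull for {repo_digest}: {err}");
            false
        }
    }
}
```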
@@ -54,9 +54,22 @@ impl TryFrom> for ImageMetadata {
 bail!("Podman Metadata requires at least 1 digest:\n{value:#?}");
 }
 
+ let index = value
+ .repo_digests
+ .iter()
+ .enumerate()
+ .find(|(_, repo_digest)| verify_image(repo_digest))
+ .map(|(index, _)| index)
+ .ok_or_else(|| {
+ miette!(
+ "No repo digest could be verified:\n{:?}",
+ &value.repo_digests
+ )
+ })?;
+
 let digest: Reference = value
 .repo_digests
- .swap_remove(0)
+ .swap_remove(index)
 .parse()
 .into_diagnostic()?;
 let digest = digest
@@ -71,6 +84,13 @@ impl TryFrom> for ImageMetadata {
 }
 }
 
+fn verify_image(repo_digest: &str) -> bool {
+ let mut command = cmd!("podman", "pull", repo_digest);
+ trace!("{command:?}");
+
+ command.output().is_ok_and(|out| out.status.success())
+}
+
 #[derive(Debug, Deserialize)]
 struct PodmanVersionJsonClient {
 #[serde(alias = "Version")]
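Review bot: The `verify_image` added to podman_driver.rs is a second copy of the one added in docker_driver.rs, differing only in the program name, so any later hardening of this check has to be made in two places. A shared helper such as `fn image_is_pullable(program: &str, repo_digest: &str) -> bool` that both drivers call would keep them aligned, provided `cmd!` accepts a non-literal program argument, which these hunks do not show.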