in cmd/acr/cssc.go [72:139]
// newPatchFilterCmd builds the "patch" cobra command and registers its flags
// on csscParams. When run, the command builds an authenticated ACR client,
// loads a filter from --filter-policy or --filter-policy-file (both only
// honoured together with --dry-run), validates the filter, and prints the
// repositories and tags it selects.
func newPatchFilterCmd(csscParams *csscParameters) *cobra.Command {
	run := func(_ *cobra.Command, _ []string) error {
		ctx := context.Background()

		registryName, err := csscParams.GetRegistryName()
		if err != nil {
			return err
		}

		// NOTE(review): credentials are resolved and the client is built before
		// the flag combination is checked, so an invalid flag combination is
		// only reported after these steps have run.
		loginURL := api.LoginURL(registryName)
		resolveRegistryCredentials(csscParams, loginURL)
		acrClient, err := api.GetAcrCLIClientWithAuth(loginURL, csscParams.username, csscParams.password, csscParams.configs)
		if err != nil {
			return err
		}

		hasPolicy := csscParams.filterPolicy != ""
		hasFile := csscParams.filterfilePath != ""
		policyFilter := cssc.Filter{}

		// NOTE(review): when neither --dry-run nor a filter flag is set, no case
		// below matches and the zero-value filter goes straight to ValidateFilter;
		// confirm that ValidateFilter rejects an empty filter.
		switch {
		case hasPolicy && hasFile:
			return errors.New("flag --filter-policy and --filter-policy-file cannot be used together")
		case !csscParams.dryRun && hasFile:
			return errors.New("flag --filter-policy-file can only be used in combination with --dry-run")
		case !csscParams.dryRun && hasPolicy:
			return errors.New("patch command without --dry-run is not operational at the moment and will be enabled in future releases")
		case csscParams.dryRun:
			fmt.Println("DRY RUN mode enabled...")
			fmt.Println("DRY RUN mode will only list all the repositories and tags that match the filter and are eligible for continuous scan and patch. During the actual patch operation, each of the eligible images will first be scanned using trivy and if there are any vulnerabilities found, a new patched image will be generated with tag <originaltag>-patched or <originaltag>-x based on the configured tag-convention.")

			switch {
			case !hasPolicy && !hasFile:
				return errors.New("flag --filter-policy or --filter-policy-file is required when using --dry-run")
			case hasFile:
				// The filter is read from a local path supplied on the command line.
				fmt.Println("Reading filter from filter file path...")
				policyFilter, err = cssc.GetFilterFromFilePath(csscParams.filterfilePath)
				if err != nil {
					return err
				}
			case hasPolicy:
				// The filter is fetched from the registry using the same credentials
				// that were passed to the client above.
				fmt.Println("Reading filter from filter policy...")
				policyFilter, err = cssc.GetFilterFromFilterPolicy(ctx, csscParams.filterPolicy, loginURL, csscParams.username, csscParams.password)
				if err != nil {
					return err
				}
			}
		}

		// Reject an invalid filter before it is applied to the registry.
		if err = policyFilter.ValidateFilter(); err != nil {
			return err
		}
		fmt.Println("Configured Tag Convention: ", policyFilter.TagConvention)

		matched, missing, err := cssc.ApplyFilterAndGetFilteredList(ctx, acrClient, policyFilter)
		if err != nil {
			return err
		}
		cssc.PrintNotFoundArtifacts(missing)
		cssc.PrintFilteredResult(matched, csscParams.showPatchTags)
		return nil
	}

	cmd := &cobra.Command{
		Use:   "patch",
		Short: "[Preview] Run cssc patch operations for a registry",
		Long:  newPatchCmdLongMessage,
		RunE:  run,
	}

	// The three filter-related flags are persistent; --show-patch-tags is local
	// to this command.
	persistent := cmd.PersistentFlags()
	persistent.StringVar(&csscParams.filterPolicy, "filter-policy", "", "The filter policy defined by the filter json file uploaded in a repo:tag. For v1, it should be csscpolicies/patchpolicy:v1")
	persistent.BoolVar(&csscParams.dryRun, "dry-run", false, "Use this to list the filtered repositories and tags that match the filter either from a filter policy or a filter file path. ")
	persistent.StringVar(&csscParams.filterfilePath, "filter-policy-file", "", "The filter policy JSON file path.")
	cmd.Flags().BoolVar(&csscParams.showPatchTags, "show-patch-tags", false, "Use this flag to get patch tag (if it exists) for repositories and tags that match the filter. Example: acr cssc patch --filter-policy csscpolicies/patchpolicy:v1 --show-patch-tags")
	return cmd
}