
Reapply "Add OCI image support to Linux scanner (#1708)" (#1716)#1717

Merged
jasonpaulos merged 6 commits into main from users/jasonpaulos/reapply-1708
Apr 3, 2026

Conversation


@jasonpaulos jasonpaulos commented Mar 13, 2026

Reapply #1708 and #1711 which were reverted in #1716 and #1715

Copilot AI left a comment

Pull request overview

Reapplies OCI image support for the Linux container detector by allowing --DockerImagesToScan inputs to reference OCI layout directories and OCI archive tarballs, running Syft against those sources, and mapping detected packages back to image layers.

Changes:

  • Add ImageReference parsing (Docker image vs oci-dir: / oci-archive:) and update LinuxContainerDetector to resolve/scan local OCI inputs via Syft volume binds.
  • Extend ILinuxScanner/LinuxScanner to support returning raw Syft output and processing it separately (needed to extract source metadata for OCI inputs).
  • Extend IDockerService/DockerService to support additional bind mounts and to create empty ContainerDetails for non-Docker-inspect image sources; add/expand unit tests and docs.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| test/Microsoft.ComponentDetection.Detectors.Tests/LinuxScannerTests.cs | Updates mocks for new DockerService overload and adds tests for raw Syft output + layer mapping behavior. |
| test/Microsoft.ComponentDetection.Detectors.Tests/LinuxContainerDetectorTests.cs | Adds comprehensive OCI layout/archive detector tests (path normalization, metadata presence/absence, mixed inputs). |
| test/Microsoft.ComponentDetection.Detectors.Tests/ImageReferenceTests.cs | Adds unit tests for parsing Docker vs OCI references and validating empty-path errors. |
| src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs | Refactors to support "run Syft" vs "process Syft output" paths; adds bind support and a safe fallback when no layers are provided. |
| src/Microsoft.ComponentDetection.Detectors/linux/LinuxContainerDetector.cs | Implements OCI scanning flow: validate local paths, bind-mount into Syft container, extract metadata, and record components. |
| src/Microsoft.ComponentDetection.Detectors/linux/ImageReference.cs | Introduces parsing and classification of image inputs (Docker vs OCI directory/archive). |
| src/Microsoft.ComponentDetection.Detectors/linux/ILinuxScanner.cs | Adds new public methods to return raw Syft output and process it separately. |
| src/Microsoft.ComponentDetection.Detectors/linux/Contracts/SyftSourceMetadata.cs | Adds typed model for Syft source.metadata (image ID, layers, tags, labels, etc.). |
| src/Microsoft.ComponentDetection.Detectors/linux/Contracts/SyftSourceLayer.cs | Adds typed model for Syft source layer entries. |
| src/Microsoft.ComponentDetection.Detectors/linux/Contracts/SourceClassExtensions.cs | Adds helper to deserialize the untyped SourceClass.Metadata into SyftSourceMetadata. |
| src/Microsoft.ComponentDetection.Contracts/IDockerService.cs | Adds container-run overload supporting bind mounts and adds GetEmptyContainerDetails(). |
| src/Microsoft.ComponentDetection.Common/DockerService.cs | Implements new IDockerService members and plumbs additional bind mounts into container creation. |
| docs/detectors/linux.md | Documents supported image input types including oci-dir: and oci-archive:. |
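The review above describes an ImageReference parser that classifies `--DockerImagesToScan` values as either a Docker image or a local OCI source by scheme prefix, and that rejects an empty path. The following is an added illustration of that classification, not the project's own ImageReference class; the type and method names (`ImageSourceKind`, `ParsedImageReference`, `ImageReferenceParser`) are hypothetical, and it includes the `docker-archive:` scheme the later review mentions.

```csharp
using System;

// Added illustration, not the project's ImageReference class: classifies a user-supplied
// --DockerImagesToScan value by scheme prefix. All names here are hypothetical.
public enum ImageSourceKind
{
    DockerImage,   // no scheme: resolved through the Docker daemon
    OciDirectory,  // oci-dir:<path>
    OciArchive,    // oci-archive:<path>
    DockerArchive, // docker-archive:<path>
}

public sealed record ParsedImageReference(ImageSourceKind Kind, string Value)
{
    // True for inputs that name a local path rather than a daemon-resolved image.
    public bool IsLocalPath => this.Kind != ImageSourceKind.DockerImage;
}

public static class ImageReferenceParser
{
    private static readonly (string Scheme, ImageSourceKind Kind)[] Schemes =
    [
        ("oci-dir:", ImageSourceKind.OciDirectory),
        ("oci-archive:", ImageSourceKind.OciArchive),
        ("docker-archive:", ImageSourceKind.DockerArchive),
    ];

    public static ParsedImageReference Parse(string input)
    {
        if (string.IsNullOrWhiteSpace(input))
        {
            throw new ArgumentException("Image reference must not be empty.", nameof(input));
        }

        var trimmed = input.Trim();

        foreach (var (scheme, kind) in Schemes)
        {
            if (!trimmed.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            {
                continue;
            }

            var path = trimmed[scheme.Length..].Trim();
            if (path.Length == 0)
            {
                // "oci-dir:" with nothing after it is an error, not a Docker image named "oci-dir:".
                throw new ArgumentException($"'{scheme}' requires a local path.", nameof(input));
            }

            return new ParsedImageReference(kind, path);
        }

        // Anything else is treated as a Docker image reference (name[:tag|@digest]).
        return new ParsedImageReference(ImageSourceKind.DockerImage, trimmed);
    }
}
```

Only the three known schemes are matched, so a reference such as `registry.example:5000/app:1.0` (which also contains colons) still parses as a Docker image; a scheme with an empty remainder fails early instead of being handed to the daemon as an image name.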


github-actions bot commented Apr 2, 2026

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

  • The detector detects more or fewer components than before
  • The detector generates different parent/child graph relationships than before
  • The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂

Copilot AI review requested due to automatic review settings April 2, 2026 21:26
Copilot AI left a comment

Pull request overview

Reapplies OCI image support for the Linux container scanning detector by enabling Syft scans over OCI layout directories / OCI archives / Docker archives, and by adding parsing + metadata extraction paths to map detected components to layers.

Changes:

  • Add ImageReference parsing to distinguish Docker images vs oci-dir:, oci-archive:, and docker-archive: inputs.
  • Extend ILinuxScanner to support retrieving raw Syft output and processing it separately (needed for OCI metadata).
  • Update Docker service/container execution APIs to accept additional bind mounts; add tests and documentation for new input types.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| test/Microsoft.ComponentDetection.Detectors.Tests/LinuxScannerTests.cs | Updates mocks for new Docker service signature; adds Syft-output-focused tests. |
| test/Microsoft.ComponentDetection.Detectors.Tests/LinuxContainerDetectorTests.cs | Adds extensive coverage for OCI layout/archive and mixed image inputs. |
| test/Microsoft.ComponentDetection.Detectors.Tests/ImageReferenceTests.cs | New unit tests for image reference parsing behavior. |
| src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs | Refactors Syft invocation + processing; introduces raw output retrieval and layer mapping fallback behavior. |
| src/Microsoft.ComponentDetection.Detectors/linux/LinuxContainerDetector.cs | Adds OCI/local-image resolution + scanning flow and metadata extraction for container details. |
| src/Microsoft.ComponentDetection.Detectors/linux/ImageReference.cs | New parser for user-provided image references (docker vs OCI/docker archive schemes). |
| src/Microsoft.ComponentDetection.Detectors/linux/ILinuxScanner.cs | New APIs for "get raw Syft output" and "process Syft output". |
| src/Microsoft.ComponentDetection.Detectors/linux/Contracts/SyftSourceMetadata.cs | Strongly-typed model for Syft source.metadata (image) data. |
| src/Microsoft.ComponentDetection.Detectors/linux/Contracts/SyftSourceLayer.cs | Strongly-typed model for Syft source layer metadata. |
| src/Microsoft.ComponentDetection.Detectors/linux/Contracts/SourceClassExtensions.cs | Adds helper to deserialize source.metadata into SyftSourceMetadata. |
| src/Microsoft.ComponentDetection.Contracts/IDockerService.cs | Adds overload to pass additional binds and a helper for empty ContainerDetails. |
| src/Microsoft.ComponentDetection.Common/DockerService.cs | Implements additional-binds overload and empty container details creation. |
| docs/detectors/linux.md | Documents supported image input types including OCI and docker archives. |
Comments suppressed due to low confidence (1)

src/Microsoft.ComponentDetection.Common/DockerService.cs:323

  • CreateContainerAsync builds a binds list that includes additionalBinds, but CreateContainerParameters.HostConfig.Binds is still hard-coded to only the default two mounts. As a result, callers providing additionalBinds (e.g., OCI directory/archive mounts) will be silently ignored and Syft won’t be able to access the local image path. Use the constructed binds list when setting HostConfig.Binds.
            var binds = new List<string>
            {
                $"{Path.GetTempPath()}:/tmp",
                "/var/run/docker.sock:/var/run/docker.sock",
            };

            if (additionalBinds != null)
            {
                binds.AddRange(additionalBinds);
            }

            var parameters = new CreateContainerParameters
            {
                Image = image,
                Cmd = command,
                NetworkDisabled = true,
                HostConfig = new HostConfig
                {
                    CapDrop =
                    [
                        "all",
                    ],
                    SecurityOpt =
                    [
                        "no-new-privileges",
                    ],
                    Binds =
                    [
                        $"{Path.GetTempPath()}:/tmp",
                        "/var/run/docker.sock:/var/run/docker.sock",
                    ],
                },

Copilot AI review requested due to automatic review settings April 2, 2026 21:59
Copilot AI left a comment

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

src/Microsoft.ComponentDetection.Common/DockerService.cs:323

  • additionalBinds is currently ignored when creating the container. CreateContainerAsync builds a binds list (including additionalBinds) but then sets HostConfig.Binds to a hard-coded list instead of using binds. This both breaks OCI/archive scanning (Syft won't see the mounted image) and triggers a compiler warning/error because binds is assigned but never used (TreatWarningsAsErrors=true). Use the constructed binds list for HostConfig.Binds (and avoid duplicating the default binds).
            var binds = new List<string>
            {
                $"{Path.GetTempPath()}:/tmp",
                "/var/run/docker.sock:/var/run/docker.sock",
            };

            if (additionalBinds != null)
            {
                binds.AddRange(additionalBinds);
            }

            var parameters = new CreateContainerParameters
            {
                Image = image,
                Cmd = command,
                NetworkDisabled = true,
                HostConfig = new HostConfig
                {
                    CapDrop =
                    [
                        "all",
                    ],
                    SecurityOpt =
                    [
                        "no-new-privileges",
                    ],
                    Binds =
                    [
                        $"{Path.GetTempPath()}:/tmp",
                        "/var/run/docker.sock:/var/run/docker.sock",
                    ],
                },
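The two reviews above point at the same defect in the quoted snippet: `binds` is built (defaults plus `additionalBinds`) and then never used, because `HostConfig.Binds` re-lists the two defaults. The following is an added illustration of the corrected construction, not the project's DockerService code; the class and method names (`SyftContainerParameters`, `MergeBinds`, `ReadOnlyBind`, `Build`) are hypothetical, and the read-only bind helper is a suggested hardening rather than something the PR does.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Docker.DotNet.Models;

// Added illustration, not the project's DockerService: the container parameters built
// so that the merged bind list is the one assigned to HostConfig.Binds.
public static class SyftContainerParameters
{
    // The two mounts the scanner always uses, as quoted in the review.
    private static IEnumerable<string> DefaultBinds() =>
    [
        $"{Path.GetTempPath()}:/tmp",
        "/var/run/docker.sock:/var/run/docker.sock",
    ];

    // Formats a host path as a read-only bind. Syft only reads an OCI layout or archive,
    // so mounting it read-only is a suggested hardening, not something the PR requires.
    public static string ReadOnlyBind(string hostPath, string containerPath)
    {
        if (string.IsNullOrWhiteSpace(hostPath) || string.IsNullOrWhiteSpace(containerPath))
        {
            throw new ArgumentException("Both host and container paths are required.");
        }

        return $"{Path.GetFullPath(hostPath)}:{containerPath}:ro";
    }

    // Defaults first, then caller-supplied binds; Distinct keeps the first occurrence,
    // so a caller that re-passes a default does not produce a duplicate mount entry.
    public static IList<string> MergeBinds(IEnumerable<string> additionalBinds) =>
        DefaultBinds()
            .Concat(additionalBinds ?? Enumerable.Empty<string>())
            .Where(b => !string.IsNullOrWhiteSpace(b))
            .Distinct(StringComparer.Ordinal)
            .ToList();

    public static CreateContainerParameters Build(string image, IList<string> command, IEnumerable<string> additionalBinds)
    {
        var binds = MergeBinds(additionalBinds);

        return new CreateContainerParameters
        {
            Image = image,
            Cmd = command,
            NetworkDisabled = true,
            HostConfig = new HostConfig
            {
                CapDrop = ["all"],
                SecurityOpt = ["no-new-privileges"],
                Binds = binds, // the merged list; the quoted code re-listed the defaults here instead
            },
        };
    }
}
```

A caller scanning an `oci-dir:` input would pass `ReadOnlyBind(localPath, "/input")` as one of the additional binds and point Syft at `/input`. The docker socket bind grants the Syft container daemon-level access to the host, which is why the quoted `CapDrop`, `no-new-privileges` and `NetworkDisabled` settings are worth keeping exactly as they are when the bind list is corrected.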

@jasonpaulos jasonpaulos enabled auto-merge (squash) April 3, 2026 14:34
@jasonpaulos jasonpaulos merged commit 97f3d73 into main Apr 3, 2026
25 checks passed
@jasonpaulos jasonpaulos deleted the users/jasonpaulos/reapply-1708 branch April 3, 2026 18:34

codecov bot commented Apr 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.0%. Comparing base (af0cff9) to head (d4e5b86).
⚠️ Report is 1 commit behind head on main.

Coverage Diff: main vs #1717 (table body not captured).

☔ View full report in Codecov by Sentry.
3 participants