feat: centralized image name parsing #756

Draft
d3vco wants to merge 22 commits into main from feat-centralized-image-name-parsing

d3vco (Contributor) commented Feb 20, 2026

  • Ready for review
  • Follows CONTRIBUTING rules
  • Reviewed by Snyk internal team

What does this PR do?

Centralizes all OCI image reference parsing in lib/image-reference.ts and uses it everywhere the plugin interprets image reference strings (e.g. nginx:latest, gcr.io/project/nginx:1.23@sha256:...). This removes duplicate regexes and ad-hoc parsing, and keeps behavior consistent across scan, pull, metadata, and dependency tree.

Where should the reviewer start?

  1. lib/image-reference.ts: Single source of truth for image string parsing. Derived from CNCF regex.
  2. test/lib/image-reference.spec.ts: Tests that define the intended parsing behavior. Copies pre-existing validation tests from tests/lib/utils.spec.ts and adds new tests to validate the component parsing.

Callers:

  1. lib/scan.ts: Uses the new validation and appendLatestTagIfMissing logic.
  2. lib/analyzer/image-inspector.ts: extractImageDetails refactor (replaced helpers with one parser call + mapping).
  3. lib/extractor/image.ts: ImageName constructor refactor to use parseImageReference and map to existing shape.
  4. lib/extractor/oci-distribution-metadata.ts: constructOCIDisributionMetadata uses parseImageReference(imageName) instead of @swimlane/docker-reference’s parseAll.
  5. lib/dependency-tree/index.ts: Added nameAndVersionFromTargetImage helper to buildTree which uses parseImageReference before falling back to previous logic.

How should this be manually tested?

TODO

Any background context you want to provide?

ImageName Creation
The previous ImageName constructor attempted to deduplicate digests if a digest was included in the image reference string. However, this comparison always fails, meaning that if the image included a pinned digest it would always be added as digests.other. This then results in two duplicate names being created by the getAllNames function. This bug was captured in some of our snapshot tests causing these tests to fail after the bug was corrected. The snapshots have been updated to reflect the corrected behavior.

Dependency Tree Generation
The buildTree function used "ad-hoc" parsing to extract an "imageName" and "version" from the image reference string that are used as the image identifiers in analysis. This PR adds a helper to perform this parsing with a fallback to the previous logic. Tests have been added in test/lib/dependency-tree/index.spec.ts to ensure the fallback did not impact the previous functionality which is reached for archive image references. These tests also make the parsing results more explicit and could be a focus for further improvement.

Removed:

  • lib/utils.ts: this was a duplicate source of image string validation.
  • @swimlane/docker-reference removed as a dependency, another duplicate source of image string parsing.

What are the relevant tickets?

TODO

Screenshots

N/A

Additional questions

None

d3vco force-pushed the feat-centralized-image-name-parsing branch from 15af853 to 72c36b0 on April 7, 2026 15:44
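
To illustrate why a single parser matters for references like those named in the description, here is an added example that is not code from this PR or from lib/image-reference.ts. The names `parseRef` and `withDefaultTag` and the simplified regexes are assumptions; it shows the port-versus-tag ambiguity that ad-hoc splitting gets wrong and when a default tag may be appended.

```typescript
// Added illustration with hypothetical names and simplified grammar; not the PR's lib/image-reference.ts.
interface ImageRef {
  registry: string | undefined;
  repository: string;
  tag: string | undefined;
  digest: string | undefined;
}

const TAG = /^\w[\w.-]{0,127}$/;
const DIGEST = /^[a-z0-9]+(?:[+._-][a-z0-9]+)*:[0-9a-fA-F]{32,}$/;
const PATH_PART = /^[a-z0-9]+(?:(?:\.|_|__|-+)[a-z0-9]+)*$/;
const HOST = /^[a-zA-Z0-9](?:[a-zA-Z0-9.-]*[a-zA-Z0-9])?(?::[0-9]+)?$/;

function parseRef(input: string): ImageRef {
  let rest = input;
  let registry: string | undefined;
  let tag: string | undefined;
  let digest: string | undefined;
  const at = rest.indexOf("@");
  if (at !== -1) {
    digest = rest.slice(at + 1);
    rest = rest.slice(0, at);
    if (!DIGEST.test(digest)) throw new Error(`invalid digest: ${input}`);
  }
  // A colon separates the tag only when it follows the last slash;
  // before that it belongs to a registry port (localhost:5000/nginx).
  const colon = rest.lastIndexOf(":");
  if (colon > rest.lastIndexOf("/")) {
    tag = rest.slice(colon + 1);
    rest = rest.slice(0, colon);
    if (!TAG.test(tag)) throw new Error(`invalid tag: ${input}`);
  }
  // Docker convention: the first component is a registry host when it
  // contains "." or ":" or equals "localhost".
  const slash = rest.indexOf("/");
  const first = slash === -1 ? "" : rest.slice(0, slash);
  if (first === "localhost" || /[.:]/.test(first)) {
    if (!HOST.test(first)) throw new Error(`invalid registry: ${input}`);
    registry = first;
    rest = rest.slice(slash + 1);
  }
  if (!rest.split("/").every((p) => PATH_PART.test(p))) throw new Error(`invalid repository: ${input}`);
  return { registry, repository: rest, tag, digest };
}
// Hypothetical analogue of appending a default tag: only when nothing pins the image.
function withDefaultTag(input: string): string {
  const ref = parseRef(input);
  return ref.tag || ref.digest ? input : `${input}:latest`;
}
```

A splitter that takes everything after the last colon as the tag would read `localhost:5000/nginx` as tag `5000/nginx`; routing every caller through one parser keeps scan, pull and metadata agreeing on which image is meant.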