From 0b706bc7c4fc3ecfc9e9c38b4bd79d23bc653c66 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Fri, 8 Feb 2019 16:20:44 -0500
Subject: [PATCH] Make sure images in the process of being uploaded are not scanned by Clair
---
 data/model/image.py | 3 ++-
 data/registry_model/manifestbuilder.py | 1 +
 util/secscan/analyzer.py | 8 ++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/data/model/image.py b/data/model/image.py
index 1615dd44d..08d6cfa2d 100644
--- a/data/model/image.py
+++ b/data/model/image.py
@@ -446,7 +446,8 @@ def get_image_pk_field():
 def get_images_eligible_for_scan(clair_version):
 """ Returns a query that gives all images eligible for a clair scan """
 return (get_image_with_storage_and_parent_base()
- .where(Image.security_indexed_engine < clair_version))
+ .where(Image.security_indexed_engine < clair_version)
+ .where(ImageStorage.uploading == False))
 def get_image_with_storage_and_parent_base():
diff --git a/data/registry_model/manifestbuilder.py b/data/registry_model/manifestbuilder.py
index 065093d72..3ccd281f8 100644
--- a/data/registry_model/manifestbuilder.py
+++ b/data/registry_model/manifestbuilder.py
@@ -145,6 +145,7 @@ class _ManifestBuilder(object):
 def assign_layer_blob(self, layer, blob, computed_checksums):
 """ Assigns a blob to a layer. """
 assert blob
+ assert not blob.uploading
 repo_image = model.image.get_image_by_db_id(layer.db_id)
 if repo_image is None:
diff --git a/util/secscan/analyzer.py b/util/secscan/analyzer.py
index 97ab81950..008c28700 100644
--- a/util/secscan/analyzer.py
+++ b/util/secscan/analyzer.py
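Review bot: In data/model/image.py, the added `.where(ImageStorage.uploading == False)` matches only rows whose flag is exactly false, so under SQL three-valued logic a storage row with a NULL `uploading` is not matched; if that column is nullable (its definition is not visible here), such images silently drop out of the scan queue. Decide whether NULL should count as "not uploading" and either widen the predicate or record the choice in the docstring, for example `""" Returns a query that gives all images eligible for a clair scan; storages still marked as uploading are excluded. """`. A one-line comment that the `== False` comparison is deliberate, because the ORM builds the SQL expression from the operator, would also stop a lint-driven cleanup from rewriting it to `is False` or `not ...` and breaking the filter.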
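Review bot: In data/registry_model/manifestbuilder.py, `assert not blob.uploading` in `assign_layer_blob` is the only guard against binding a layer to a blob that is still being written, and `assert` statements are removed when Python runs with `-O`, so the check disappears in an optimized deployment. If the invariant matters for scan coverage (an image tied to an uploading storage is excluded by the new eligibility filter), make it an explicit `if blob.uploading:` check that raises an error the builder's callers already handle. At minimum give the assert a message, such as `assert not blob.uploading, 'blob is still marked as uploading'`. The method body continues past the end of the hunk.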
@@ -104,6 +104,14 @@ class LayerAnalyzer(object):
 # Nothing more to do.
 return
+ # Make sure the image's storage is not marked as uploading. If so, nothing more to do.
+ if layer.storage.uploading:
+ if not set_secscan_status(layer, False, self._target_version):
+ raise PreemptedException
+
+ # Nothing more to do.
+ return
+
 # Analyze the image.
 previously_security_indexed_successfully = layer.security_indexed
 previous_security_indexed_engine = layer.security_indexed_engine
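Review bot: In util/secscan/analyzer.py, the new `if layer.storage.uploading:` branch calls `set_secscan_status(layer, False, self._target_version)` before returning, which appears to record the layer as failed at the current engine version (the helper is not visible here, so this is inferred from its name and arguments). If that is what it does, a layer caught mid-upload no longer satisfies `security_indexed_engine < clair_version` in `get_images_eligible_for_scan` once its upload finishes, and it would stay unscanned until the engine version is bumped. Consider leaving the status untouched in this case, i.e. `if layer.storage.uploading:` followed directly by `return`, and logging the skip so that unscanned layers can be counted. The enclosing method starts and ends outside the hunk.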