

bump trivy to v0.57.1
Signed-off-by: Nikita Pivkin <[email protected]>
nikpivkin committed Nov 19, 2024
1 parent f43f05b commit 936dc4a
Showing 27 changed files with 989 additions and 680 deletions.
2 changes: 1 addition & 1 deletion cmd/trivy-aws/main.go
Expand Up @@ -7,7 +7,7 @@ import (

func main() {
if err := run(); err != nil {
log.Fatal(err.Error())
log.Fatal("Fatal error", log.Err(err))
}
}

223 changes: 131 additions & 92 deletions go.mod

Large diffs are not rendered by default.

718 changes: 452 additions & 266 deletions go.sum

Large diffs are not rendered by default.

61 changes: 26 additions & 35 deletions internal/adapters/cloud/aws/adapt.go
Expand Up @@ -3,21 +3,20 @@ package aws
import (
"context"
"fmt"
"slices"

"github.com/aquasecurity/trivy-aws/pkg/concurrency"
"github.com/aquasecurity/trivy-aws/pkg/errs"
"github.com/aquasecurity/trivy/pkg/iac/types"

"github.com/aquasecurity/trivy/pkg/iac/debug"

"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/aws/arn"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/sts"

"github.com/aquasecurity/trivy-aws/internal/adapters/cloud/options"
"github.com/aquasecurity/trivy-aws/pkg/concurrency"
"github.com/aquasecurity/trivy-aws/pkg/errs"
"github.com/aquasecurity/trivy-aws/pkg/progress"
"github.com/aquasecurity/trivy/pkg/iac/state"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/aws/arn"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aquasecurity/trivy/pkg/iac/types"
"github.com/aquasecurity/trivy/pkg/log"
)

var registeredAdapters []ServiceAdapter
Expand All @@ -44,27 +43,24 @@ type RootAdapter struct {
accountID string
currentService string
region string
debugWriter debug.Logger
logger *log.Logger
concurrencyStrategy concurrency.Strategy
}

func NewRootAdapter(ctx context.Context, cfg aws.Config, tracker progress.ServiceTracker) *RootAdapter {
func NewRootAdapter(ctx context.Context, cfg aws.Config, tracker progress.ServiceTracker, logger *log.Logger) *RootAdapter {
return &RootAdapter{
ctx: ctx,
tracker: tracker,
sessionCfg: cfg,
region: cfg.Region,
logger: logger,
}
}

func (a *RootAdapter) Region() string {
return a.region
}

func (a *RootAdapter) Debug(format string, args ...interface{}) {
a.debugWriter.Log(format, args...)
}

func (a *RootAdapter) ConcurrencyStrategy() concurrency.Strategy {
return a.concurrencyStrategy
}
Expand All @@ -81,6 +77,10 @@ func (a *RootAdapter) Tracker() progress.ServiceTracker {
return a.tracker
}

func (a *RootAdapter) Logger() *log.Logger {
return a.logger
}

func (a *RootAdapter) CreateMetadata(resource string) types.Metadata {

// some services don't require region/account id in the ARN
Expand Down Expand Up @@ -136,7 +136,7 @@ func Adapt(ctx context.Context, state *state.State, opt options.Options) error {
c := &RootAdapter{
ctx: ctx,
tracker: opt.ProgressTracker,
debugWriter: opt.DebugWriter.Extend("adapt", "aws"),
logger: log.WithPrefix("adapt-aws"),
concurrencyStrategy: opt.ConcurrencyStrategy,
}

Expand All @@ -148,15 +148,15 @@ func Adapt(ctx context.Context, state *state.State, opt options.Options) error {
c.sessionCfg = cfg

if opt.Region != "" {
c.Debug("Using region '%s'", opt.Region)
c.logger.Info("Using region", log.String("region", opt.Region))
c.sessionCfg.Region = opt.Region
}
if opt.Endpoint != "" {
c.Debug("Using endpoint '%s'", opt.Endpoint)
c.logger.Info("Using endpoint", log.String("endpoint", opt.Endpoint))
c.sessionCfg.EndpointResolverWithOptions = createResolver(opt.Endpoint)
}

c.Debug("Discovering caller identity...")
c.logger.Debug("Discovering caller identity...")
stsClient := sts.NewFromConfig(c.sessionCfg)
result, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
if err != nil {
Expand All @@ -166,13 +166,13 @@ func Adapt(ctx context.Context, state *state.State, opt options.Options) error {
return fmt.Errorf("missing account id for aws account")
}
c.accountID = *result.Account
c.Debug("AWS account ID: %s", c.accountID)
c.logger.Info("AWS account ID", log.String("ID", c.accountID))

if len(opt.Services) == 0 {
c.Debug("Preparing to run for all %d registered services...", len(registeredAdapters))
c.logger.Info("Preparing to run for all registered services...", log.Int("count", len(registeredAdapters)))
opt.ProgressTracker.SetTotalServices(len(registeredAdapters))
} else {
c.Debug("Preparing to run for %d filtered services...", len(opt.Services))
c.logger.Info("Preparing to run for filtered services...", log.Int("count", len(opt.Services)))
opt.ProgressTracker.SetTotalServices(len(opt.Services))
}

Expand All @@ -181,16 +181,16 @@ func Adapt(ctx context.Context, state *state.State, opt options.Options) error {
var adapterErrors []error

for _, adapter := range registeredAdapters {
if len(opt.Services) != 0 && !contains(opt.Services, adapter.Name()) {
if len(opt.Services) != 0 && !slices.Contains(opt.Services, adapter.Name()) {
continue
}
c.currentService = adapter.Name()
c.Debug("Running adapter for %s...", adapter.Name())
c.logger.Debug("Running adapter", log.String("service", adapter.Name()))
opt.ProgressTracker.StartService(adapter.Name())

if err := adapter.Adapt(c, state); err != nil {
c.Debug("Error occurred while running adapter for %s: %s", adapter.Name(), err)
adapterErrors = append(adapterErrors, fmt.Errorf("failed to run adapter for %s: %w", adapter.Name(), err))
c.logger.Error("Failed to adapt", log.String("service", adapter.Name()), log.Err(err))
adapterErrors = append(adapterErrors, fmt.Errorf("failed to adapt service %s: %w", adapter.Name(), err))
}
opt.ProgressTracker.FinishService()
}
Expand All @@ -201,12 +201,3 @@ func Adapt(ctx context.Context, state *state.State, opt options.Options) error {

return nil
}

func contains(services []string, service string) bool {
for _, s := range services {
if s == service {
return true
}
}
return false
}
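Review bot: The AWS account ID is now emitted at Info level (`c.logger.Info("AWS account ID", log.String("ID", c.accountID))`) where the replaced call went to the adapter's debug writer, and the same promotion applies to the region and custom endpoint lines above it, so all three now land in default output instead of only under debug. Account IDs are not secrets, but they are the first thing an attacker wants for targeted phishing and role enumeration and they tend to get copied into shared CI logs; unless surfacing them was intended, `c.logger.Debug("AWS account ID", log.String("ID", c.accountID))` keeps the previous exposure. In the adapter loop the same failure is now both logged at Error and appended to `adapterErrors`, so once those errors are returned a failing service is reported twice; logging or returning, not both. `NewRootAdapter` now stores the `logger` argument without a nil check while `Adapt` builds its own with `log.WithPrefix`, so a caller passing nil would presumably hit a nil dereference on `Logger().Error` inside the service adapters unless `*log.Logger` methods tolerate a nil receiver; `if logger == nil { logger = log.WithPrefix("adapt-aws") }` would close that. `Adapt`'s body continues outside the hunk.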
5 changes: 3 additions & 2 deletions internal/adapters/cloud/aws/elasticache/adapt.go
Expand Up @@ -5,6 +5,7 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/elasticache"
"github.com/aquasecurity/trivy/pkg/iac/state"
trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
"github.com/aquasecurity/trivy/pkg/log"
api "github.com/aws/aws-sdk-go-v2/service/elasticache"
"github.com/aws/aws-sdk-go-v2/service/elasticache/types"

Expand Down Expand Up @@ -124,7 +125,7 @@ func (a *adapter) getReplicationGroups() ([]elasticache.ReplicationGroup, error)
for _, apiGroup := range apiGroups {
group, err := a.adaptReplicationGroup(apiGroup)
if err != nil {
a.Debug("Failed to adapt replication group '%s': %s", *apiGroup.ARN, err)
a.Logger().Error("Failed to adapt replication group", log.String("ARN", *apiGroup.ARN), log.Err(err))
continue
}
groups = append(groups, *group)
Expand Down Expand Up @@ -178,7 +179,7 @@ func (a *adapter) getSecurityGroups() ([]elasticache.SecurityGroup, error) {
for _, apiGroup := range apiGroups {
group, err := a.adaptSecurityGroup(apiGroup)
if err != nil {
a.Debug("Failed to adapt security group '%s': %s", *apiGroup.ARN, err)
a.Logger().Error("Failed to adapt security group", log.String("ARN", *apiGroup.ARN), log.Err(err))
continue
}
groups = append(groups, *group)
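Review bot: `log.String("ARN", *apiGroup.ARN)` in the replication-group error path dereferences the SDK's `*string` with no nil check, so an entry the API returns without an ARN turns an adapt failure into a panic instead of the intended `continue`; the security-group path below carries the same deref on `*apiGroup.ARN`. The SDK's `aws.ToString` handles nil, e.g. `log.String("ARN", aws.ToString(apiGroup.ARN))`, if the `aws` package is among this file's imports (the import block is cut at the top of the hunk); otherwise guard with `if apiGroup.ARN != nil` before logging. The deref was already in the replaced line, so this is carried over rather than introduced, but it is the error path meant to keep the scan alive. Both `getReplicationGroups` and `getSecurityGroups` start outside the hunk.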
4 changes: 3 additions & 1 deletion internal/adapters/cloud/aws/emr/adapt.go
Expand Up @@ -5,6 +5,7 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/emr"
"github.com/aquasecurity/trivy/pkg/iac/state"
trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
"github.com/aquasecurity/trivy/pkg/log"
api "github.com/aws/aws-sdk-go-v2/service/emr"
"github.com/aws/aws-sdk-go-v2/service/emr/types"

Expand Down Expand Up @@ -131,7 +132,8 @@ func (a *adapter) getSecurityConfigurations() ([]emr.SecurityConfiguration, erro
for _, apiConfig := range apiConfigs {
config, err := a.adaptConfig(apiConfig)
if err != nil {
a.Debug("Failed to adapt security configuration '%s': %s", *apiConfig.Name, err)
a.Logger().Error("Failed to adapt security configuration",
log.String("name", *apiConfig.Name), log.Err(err))
continue
}
configs = append(configs, *config)
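Review bot: `log.String("name", *apiConfig.Name)` in the security-configuration error path dereferences a `*string` without a nil check, so a configuration returned without a name would panic in the branch that exists to skip it. `aws.ToString(apiConfig.Name)` is the nil-safe form if the `aws` package is imported here (the import block is cut off above), otherwise `if apiConfig.Name != nil` around the log call. `getSecurityConfigurations` starts outside the hunk.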
7 changes: 5 additions & 2 deletions internal/adapters/cloud/aws/iam/group.go
Expand Up @@ -6,6 +6,7 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/iam"
"github.com/aquasecurity/trivy/pkg/iac/state"
"github.com/aquasecurity/trivy/pkg/iac/types"
"github.com/aquasecurity/trivy/pkg/log"
iamapi "github.com/aws/aws-sdk-go-v2/service/iam"
iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"

Expand Down Expand Up @@ -57,14 +58,16 @@ func (a *adapter) adaptGroup(apiGroup iamtypes.Group, state *state.State) (*iam.
for {
policiesOutput, err := a.api.ListAttachedGroupPolicies(a.Context(), input)
if err != nil {
a.Debug("Failed to locate policies attached to group '%s': %s", *apiGroup.GroupName, err)
a.Logger().Error("Failed to locate policies attached to group",
log.String("name", *apiGroup.GroupName), log.Err(err))
break
}

for _, apiPolicy := range policiesOutput.AttachedPolicies {
policy, err := a.adaptAttachedPolicy(apiPolicy)
if err != nil {
a.Debug("Failed to adapt policy attached to group '%s': %s", *apiGroup.GroupName, err)
a.Logger().Error("Failed to adapt policy attached to group",
log.String("name", *apiGroup.GroupName), log.Err(err))
continue
}
policies = append(policies, *policy)
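Review bot: When `ListAttachedGroupPolicies` fails the new code logs at Error and `break`s, so the group is still adapted with whatever policies were collected (possibly none) and `adaptGroup` returns no error; an AccessDenied on this one call therefore produces a group that looks unprivileged to every downstream check, a silent false negative rather than a failed scan. Since the function already returns `(*iam.Group, error)`, propagating it is a one-liner: `return nil, fmt.Errorf("list attached policies for group %s: %w", aws.ToString(apiGroup.GroupName), err)` (assuming `fmt` and `aws` are imported; the import block is cut off above). If the partial result is deliberate, a comment next to the `break` saying so would stop the next reader from "fixing" it, and the `*apiGroup.GroupName` deref in the log call still wants a nil guard. `adaptGroup` starts outside the hunk.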
3 changes: 2 additions & 1 deletion internal/adapters/cloud/aws/iam/iam.go
Expand Up @@ -5,6 +5,7 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/iam"
"github.com/aquasecurity/trivy/pkg/iac/state"
"github.com/aquasecurity/trivy/pkg/iac/types"
"github.com/aquasecurity/trivy/pkg/log"
iamapi "github.com/aws/aws-sdk-go-v2/service/iam"
)

Expand Down Expand Up @@ -64,7 +65,7 @@ func (a *adapter) adaptPasswordPolicy(state *state.State) error {

output, err := a.api.GetAccountPasswordPolicy(a.Context(), &iamapi.GetAccountPasswordPolicyInput{})
if err != nil {
a.Debug("Failed to adapt account password policy: %s", err)
a.Logger().Error("Failed to adapt account password policy", log.Err(err))
return nil
}
a.Tracker().SetTotalResources(1)
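Review bot: `GetAccountPasswordPolicy` returns a `NoSuchEntity` error when the account simply has no custom password policy, and the new branch logs that at Error and returns nil exactly as it would for AccessDenied or a throttle; the two cases mean opposite things for a scanner. "No policy configured" is itself the misconfiguration the password-policy checks exist to catch and should not look like an operational failure, while a real API failure should not leave the state looking as if the policy was checked. Distinguishing them with `errors.As(err, &nse)` on `*iamtypes.NoSuchEntityException` (if `iamtypes` and `errors` are imported; the import block is cut off) and logging the former at Debug, the latter as a returned error, would make both outcomes honest. `adaptPasswordPolicy` continues outside the hunk, so what the downstream checks do with an unset policy is not visible here.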
7 changes: 5 additions & 2 deletions internal/adapters/cloud/aws/iam/role.go
Expand Up @@ -6,6 +6,7 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/iam"
"github.com/aquasecurity/trivy/pkg/iac/state"
"github.com/aquasecurity/trivy/pkg/iac/types"
"github.com/aquasecurity/trivy/pkg/log"
iamapi "github.com/aws/aws-sdk-go-v2/service/iam"
iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"

Expand Down Expand Up @@ -55,14 +56,16 @@ func (a *adapter) adaptRole(apiRole iamtypes.Role) (*iam.Role, error) {
for {
policiesOutput, err := a.api.ListAttachedRolePolicies(a.Context(), input)
if err != nil {
a.Debug("Failed to locate policies attached to role '%s': %s", *apiRole.RoleName, err)
a.Logger().Error("Failed to locate policies attached to role",
log.String("name", *apiRole.RoleName), log.Err(err))
break
}

for _, apiPolicy := range policiesOutput.AttachedPolicies {
policy, err := a.adaptAttachedPolicy(apiPolicy)
if err != nil {
a.Debug("Failed to adapt policy attached to role '%s': %s", *apiRole.RoleName, err)
a.Logger().Error("Failed to adapt policy attached to role",
log.String("name", *apiRole.RoleName), log.Err(err))
continue
}
policies = append(policies, *policy)
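Review bot: A failed `ListAttachedRolePolicies` is logged and then `break`s out, so a role whose managed policies could not be read is returned from `adaptRole` with an empty or partial policy list and no error; for roles this is the worst place for a quiet drop, because an assumable role with, say, `AdministratorAccess` would then pass every privilege check. `adaptRole` already returns an error, so `return nil, fmt.Errorf("list attached policies for role %s: %w", aws.ToString(apiRole.RoleName), err)` surfaces it (assuming `fmt` and `aws` are imported above the hunk). If best-effort is intended, at minimum the message should say the role's policies are incomplete, and `*apiRole.RoleName` in the log call wants a nil guard. `adaptRole` starts outside the hunk.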
7 changes: 5 additions & 2 deletions internal/adapters/cloud/aws/iam/user.go
Expand Up @@ -8,6 +8,7 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/iam"
"github.com/aquasecurity/trivy/pkg/iac/state"
trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
"github.com/aquasecurity/trivy/pkg/log"
iamapi "github.com/aws/aws-sdk-go-v2/service/iam"
iamtypes "github.com/aws/aws-sdk-go-v2/service/iam/types"

Expand Down Expand Up @@ -83,14 +84,16 @@ func (a *adapter) getUserPolicies(apiUser iamtypes.User) []iam.Policy {
for {
policiesOutput, err := a.api.ListAttachedUserPolicies(a.Context(), input)
if err != nil {
a.Debug("Failed to locate policies attached to user '%s': %s", *apiUser.UserName, err)
a.Logger().Error("Failed to locate policies attached to user",
log.String("name", *apiUser.UserName), log.Err(err))
break
}

for _, apiPolicy := range policiesOutput.AttachedPolicies {
policy, err := a.adaptAttachedPolicy(apiPolicy)
if err != nil {
a.Debug("Failed to adapt policy attached to user '%s': %s", *apiUser.UserName, err)
a.Logger().Error("Failed to adapt policy attached to user",
log.String("name", *apiUser.UserName), log.Err(err))
continue
}
policies = append(policies, *policy)
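Review bot: `getUserPolicies` returns only `[]iam.Policy`, so when `ListAttachedUserPolicies` fails the new Error log is the only trace and the caller cannot tell "no attached policies" from "listing failed"; a user with an inaccessible policy list is indistinguishable from a least-privilege user. Unlike the group and role adapters there is no error return to use, so the honest fix is a signature change to `([]iam.Policy, error)`, which touches the caller outside this hunk; a smaller step is to have the log message state that the user's policy list is incomplete rather than just that the call failed. `*apiUser.UserName` in the log call is dereferenced without a nil check. `getUserPolicies` starts outside the hunk.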
3 changes: 2 additions & 1 deletion internal/adapters/cloud/aws/rds/rds.go
Expand Up @@ -4,6 +4,7 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/rds"
"github.com/aquasecurity/trivy/pkg/iac/state"
trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
"github.com/aquasecurity/trivy/pkg/log"
awssdk "github.com/aws/aws-sdk-go-v2/aws"
rdsApi "github.com/aws/aws-sdk-go-v2/service/rds"
rdsTypes "github.com/aws/aws-sdk-go-v2/service/rds/types"
Expand Down Expand Up @@ -48,7 +49,7 @@ func (a *adapter) Adapt(root *aws.RootAdapter, state *state.State) error {

state.AWS.RDS.Classic, err = a.getClassic()
if err != nil {
a.Debug("Failed to retrieve classic resource: %s", err)
a.Logger().Error("Failed to retrieve classic resource", log.Err(err))
return nil
}

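Review bot: After `getClassic` fails the new branch logs at Error and then `return nil`s from `Adapt`, which ends the whole RDS adapter early rather than just skipping the classic resources; `Adapt` continues past the hunk, so if instances, clusters or snapshots are gathered after this point they are silently left out of the state on that error. The sibling redshift adapter's comment says this failure is expected when classic resources are disabled, which argues for treating it as a skip: log at Debug (or Warn) and fall through, e.g. drop the `return nil` and leave `state.AWS.RDS.Classic` empty. If the early return is intentional, a comment stating that the rest of the adapter is deliberately skipped would prevent the next reader from reading it as a bug.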
3 changes: 2 additions & 1 deletion internal/adapters/cloud/aws/redshift/adapt.go
Expand Up @@ -6,6 +6,7 @@ import (
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/redshift"
"github.com/aquasecurity/trivy/pkg/iac/state"
trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
"github.com/aquasecurity/trivy/pkg/log"
awssdk "github.com/aws/aws-sdk-go-v2/aws"
api "github.com/aws/aws-sdk-go-v2/service/redshift"
redshiftTypes "github.com/aws/aws-sdk-go-v2/service/redshift/types"
Expand Down Expand Up @@ -56,7 +57,7 @@ func (a *adapter) Adapt(root *aws.RootAdapter, state *state.State) error {
// this can error is classic resources are used where disabled
state.AWS.Redshift.SecurityGroups, err = a.getSecurityGroups()
if err != nil {
a.Debug("Failed to adapt security groups: %s", err)
a.Logger().Error("Failed to adapt security groups", log.Err(err))
return nil
}

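Review bot: The line above this branch documents the failure as an expected condition ("this can error is classic resources are used where disabled"), yet the call now goes to `a.Logger().Error`, so every account with classic resources disabled will print an error on each scan. `a.Logger().Debug("Failed to adapt security groups", log.Err(err))` (or Warn) matches the comment's intent; the comment itself reads "is" where "if" is meant. As in the RDS adapter, the `return nil` ends `Adapt` rather than skipping just the security groups, and the function continues outside the hunk, so anything adapted later is lost on this path.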
