fix(misconf): do not filter Terraform plan JSON by name

Signed-off-by: nikpivkin <[email protected]>
aquasecurity · Aug 27, 2024 · 0c88a36 · 0c88a36
1 parent dd9733e
commit 0c88a36
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 36 deletions.
diff --git a/docs/docs/coverage/iac/index.md b/docs/docs/coverage/iac/index.md
@@ -8,17 +8,17 @@ Trivy scans Infrastructure as Code (IaC) files for
 
 ## Supported configurations
 
-| Config type                         | File patterns                                 |
-|-------------------------------------|-----------------------------------------------|
-| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json                      |
-| [Docker](docker.md)                 | Dockerfile, Containerfile                     |
-| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars                  |
-| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.tfplan.json, \*.tf.json |
-| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json                      |
-| [Azure ARM Template](azure-arm.md)  | \*.json                                       |
-| [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc.              |
-| [YAML][json-and-yaml]               | \*.yaml, \*.yml                               |
-| [JSON][json-and-yaml]               | \*.json                                       |
+| Config type                         | File patterns                    |
+|-------------------------------------|----------------------------------|
+| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json         |
+| [Docker](docker.md)                 | Dockerfile, Containerfile        |
+| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars     |
+| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.json       |
+| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json         |
+| [Azure ARM Template](azure-arm.md)  | \*.json                          |
+| [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc. |
+| [YAML][json-and-yaml]               | \*.yaml, \*.yml                  |
+| [JSON][json-and-yaml]               | \*.json                          |
 
 [misconf]: ../../scanner/misconfiguration/index.md
 [secret]: ../../scanner/secret.md

diff --git a/pkg/iac/detection/detect.go b/pkg/iac/detection/detect.go
@@ -88,12 +88,17 @@ func init() {
 
 			contents := make(map[string]any)
 			err := json.NewDecoder(r).Decode(&contents)
-			if err == nil {
-				if _, ok := contents["terraform_version"]; ok {
-					_, stillOk := contents["format_version"]
-					return stillOk
+			if err != nil {
+				return false
+			}
+
+			for _, k := range []string{"terraform_version", "format_version"} {
+				if _, ok := contents[k]; !ok {
+					return false
 				}
 			}
+
+			return true
 		}
 		return false
 	}
@@ -150,8 +155,7 @@ func init() {
 			return false
 		}
 
-		return (sniff.Parameters != nil && len(sniff.Parameters) > 0) ||
-			(sniff.Resources != nil && len(sniff.Resources) > 0)
+		return len(sniff.Parameters) > 0 || len(sniff.Resources) > 0
 	}
 
 	matchers[FileTypeDockerfile] = func(name string, _ io.ReadSeeker) bool {

diff --git a/pkg/iac/scanners/terraformplan/tfjson/scanner.go b/pkg/iac/scanners/terraformplan/tfjson/scanner.go
@@ -6,8 +6,6 @@ import (
 	"io"
 	"io/fs"
 
-	"github.com/bmatcuk/doublestar/v4"
-
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/options"
@@ -17,11 +15,6 @@ import (
 	"github.com/aquasecurity/trivy/pkg/log"
 )
 
-var tfPlanExts = []string{
-	"**/*tfplan.json",
-	"**/*tf.json",
-}
-
 type Scanner struct {
 	parser                  *parser.Parser
 	logger                  *log.Logger
@@ -93,25 +86,32 @@ func (s *Scanner) Name() string {
 	return "Terraform Plan JSON"
 }
 
-func (s *Scanner) ScanFS(ctx context.Context, inputFS fs.FS, dir string) (scan.Results, error) {
-	var filesFound []string
+func (s *Scanner) ScanFS(ctx context.Context, fsys fs.FS, dir string) (scan.Results, error) {
+
+	var results scan.Results
 
-	for _, ext := range tfPlanExts {
-		files, err := doublestar.Glob(inputFS, ext, doublestar.WithFilesOnly())
+	walkFn := func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
-			return nil, fmt.Errorf("unable to scan for terraform plan files: %w", err)
+			return err
 		}
-		filesFound = append(filesFound, files...)
-	}
 
-	var results scan.Results
-	for _, f := range filesFound {
-		res, err := s.ScanFile(f, inputFS)
+		if d.IsDir() {
+			return nil
+		}
+
+		res, err := s.ScanFile(path, fsys)
 		if err != nil {
-			return nil, err
+			return fmt.Errorf("failed to scan %s: %w", path, err)
 		}
+
 		results = append(results, res...)
+		return nil
 	}
+
+	if err := fs.WalkDir(fsys, dir, walkFn); err != nil {
+		return nil, err
+	}
+
 	return results, nil
 }
 
@@ -148,7 +148,7 @@ func (s *Scanner) Scan(reader io.Reader) (scan.Results, error) {
 
 	planFS, err := planFile.ToFS()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to convert plan to FS: %w", err)
 	}
 
 	scanner := terraformScanner.New(s.options...)