feat(flag): Support globstar for --skip-files and `--skip-directori…

…es` (#4026) Signed-off-by: Simar <[email protected]> Co-authored-by: knqyf263 <[email protected]>
aquasecurity · Apr 16, 2023 · b43b19b · b43b19b
1 parent 1480500
commit b43b19b
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 3 deletions.
diff --git a/docs/docs/vulnerability/examples/others.md b/docs/docs/vulnerability/examples/others.md
@@ -33,9 +33,18 @@ $ trivy image --skip-dirs "./testdata/*" .
 Will skip all subdirectories of the testdata directory.
 
 !!! tip
-    Glob patters work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
+    Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
 
 
+### Advanced globbing
+Trivy also supports the [globstar](https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching) pattern matching. 
+
+```bash
+$ trivy image --skip-files "**/foo"``` image:tag
+```
+
+Will skip the file `foo` that happens to be nested under any parent(s). 
+
 ## File patterns
 When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
 The default file patterns are [here](../../misconfiguration/custom/index.md).

diff --git a/go.mod b/go.mod
@@ -33,6 +33,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.18.15
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.89.1
 	github.com/aws/aws-sdk-go-v2/service/sts v1.18.7
+	github.com/bmatcuk/doublestar v1.3.4
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.1.2
 	github.com/containerd/containerd v1.7.0
@@ -189,7 +190,6 @@ require (
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/bmatcuk/doublestar v1.3.4 // indirect
 	github.com/briandowns/spinner v1.23.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect

diff --git a/pkg/fanal/walker/walk.go b/pkg/fanal/walker/walk.go
@@ -6,6 +6,8 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/bmatcuk/doublestar"
+
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/utils"
 	"github.com/aquasecurity/trivy/pkg/log"
@@ -56,7 +58,7 @@ func (w *walker) shouldSkipFile(filePath string) bool {
 
 	// skip files
 	for _, pattern := range w.skipFiles {
-		match, err := path.Match(pattern, filePath)
+		match, err := doublestar.Match(pattern, filePath)
 		if err != nil {
 			return false // return early if bad pattern
 		} else if match {

diff --git a/pkg/fanal/walker/walk_test.go b/pkg/fanal/walker/walk_test.go
@@ -27,6 +27,14 @@ func Test_shouldSkipFile(t *testing.T) {
 				filepath.Join("/etc/foo/bar"): true,
 			},
 		},
+		{
+			skipFiles: []string{filepath.Join("**/*.txt")},
+			skipMap: map[string]bool{
+				filepath.Join("/etc/foo"):         false,
+				filepath.Join("/etc/foo/bar"):     false,
+				filepath.Join("/var/log/bar.txt"): true,
+			},
+		},
 		{
 			skipFiles: []string{filepath.Join("/etc/*/*"), filepath.Join("/var/log/*.txt")},
 			skipMap: map[string]bool{