feat(python): add packaging detector and respective hook (#1223)

Co-authored-by: knqyf263 <[email protected]>
aquasecurity · Sep 13, 2021 · dbc7a83 · dbc7a83
1 parent 19c0b70
commit dbc7a83
Show file tree

Hide file tree

Showing 25 changed files with 191 additions and 99 deletions.
diff --git a/docs/vulnerability/detection/language.md b/docs/vulnerability/detection/language.md
@@ -2,23 +2,32 @@
 
 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
 
-| Language | File                                            | Dev dependencies |
-| ---------| ------------------------------------------------| -----------------|
-| Ruby     | Gemfile.lock                                    | included         |
-| Python   | Pipfile.lock                                    | excluded         |
-|          | poetry.lock                                     | included         |
-| PHP      | composer.lock                                   | excluded         |
-| Node.js  | package-lock.json                               | excluded         |
-|          | yarn.lock                                       | included         |
-| .NET     | packages.lock.json                              | included         |
-| Java     | JAR/WAR/EAR (`*.jar`, `*.war`, and `*.ear`)[^1] | included         |
-| Go       | Binaries built by Go[^2]                        | excluded         |
-|          | go.sum                                          | included         |
+| Language | File                     | Image[^6] | Filesystem[^7] |  Repository[^8] |Dev dependencies |
+|---------|-------------------------|:---------:|:--------------:|:---------------:|-----------------|
+| Ruby     | Gemfile.lock             | ✅        | ✅              | ✅              | included         |
+| Python   | Pipfile.lock             | -         | ✅              | ✅              |excluded         |
+|          | poetry.lock              | -         | ✅              | ✅              | included         |
+|          | requirements.txt         | -         | ✅              | ✅              | included         |
+|          | egg package[^1]          | ✅        | ✅              | -               | excluded         |
+|          | wheel package[^2]        | ✅        | ✅              | -               | excluded         |
+| PHP      | composer.lock            | ✅        | ✅              | ✅              | excluded         |
+| Node.js  | package-lock.json        | ✅        | ✅              | ✅              | excluded         |
+|          | yarn.lock                | ✅        | ✅              | ✅              | ncluded         |
+| .NET     | packages.lock.json       | ✅        | ✅              | ✅              | included         |
+| Java     | JAR/WAR/EAR[^3][^4]      | ✅        | ✅              | ✅              | included         |
+| Go       | Binaries built by Go[^5] | ✅        | ✅              | -               | excluded         |
+|          | go.sum                   | -         | ✅              | ✅             | included         |
 
 
 The path of these files does not matter.
 
 Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile)
 
-[^1]: It requires the Internet access
-[^2]: UPX-compressed binaries don't work
+[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
+[^2]: `.dist-info/META-DATA`
+[^3]: `*.jar`, `*.war`, and `*.ear`
+[^4]: It requires the Internet access
+[^5]: UPX-compressed binaries don't work
+[^6]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^7]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^8]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
diff --git a/go.mod b/go.mod
@@ -7,8 +7,8 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20210815095355-42429a80d0e3
-	github.com/aquasecurity/go-dep-parser v0.0.0-20210815080135-5be65146849a
+	github.com/aquasecurity/fanal v0.0.0-20210913141820-41bee177765e
+	github.com/aquasecurity/go-dep-parser v0.0.0-20210905090655-b95c2c079bbb
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -37,18 +37,18 @@ require (
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/copystructure v1.1.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/open-policy-agent/opa v0.31.0
+	github.com/open-policy-agent/opa v0.32.0
 	github.com/smartystreets/assertions v1.2.0 // indirect
 	github.com/spf13/afero v1.6.0
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.0
 	github.com/testcontainers/testcontainers-go v0.11.1
 	github.com/twitchtv/twirp v8.1.0+incompatible
 	github.com/urfave/cli/v2 v2.3.0
-	go.uber.org/zap v1.17.0
+	go.uber.org/zap v1.19.0
 	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
-	google.golang.org/protobuf v1.26.0
+	google.golang.org/protobuf v1.27.1
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920