From fc79e4e1c00da3b33eb2e692d3aaadba8044f3cf Mon Sep 17 00:00:00 2001 From: tockn Date: Sat, 10 Dec 2022 15:54:56 +0900 Subject: [PATCH 1/7] feat: add vm scan aws region flag --- pkg/commands/app.go | 1 + pkg/commands/artifact/run.go | 1 + pkg/fanal/artifact/artifact.go | 1 + pkg/fanal/artifact/vm/ami.go | 7 +++++-- pkg/fanal/artifact/vm/ebs.go | 6 ++++-- pkg/fanal/artifact/vm/vm.go | 4 ++-- pkg/flag/options.go | 5 +++++ pkg/flag/vm_flags.go | 38 ++++++++++++++++++++++++++++++++++ 8 files changed, 57 insertions(+), 6 deletions(-) create mode 100644 pkg/flag/vm_flags.go diff --git a/pkg/commands/app.go b/pkg/commands/app.go index 416c8ec50388..6d0f6a7e48ca 100644 --- a/pkg/commands/app.go +++ b/pkg/commands/app.go @@ -884,6 +884,7 @@ func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { ScanFlagGroup: flag.NewScanFlagGroup(), SecretFlagGroup: flag.NewSecretFlagGroup(), VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(), + VMFlagGroups: flag.NewVMFlagGroup(), } cmd := &cobra.Command{ diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go index 36faa2ca0e15..d1560ffc3dad 100644 --- a/pkg/commands/artifact/run.go +++ b/pkg/commands/artifact/run.go @@ -543,6 +543,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi RekorURL: opts.RekorURL, Platform: opts.Platform, Slow: opts.Slow, + AWSRegion: opts.AWSRegion, // For misconfiguration scanning MisconfScannerOption: configScannerOptions, diff --git a/pkg/fanal/artifact/artifact.go b/pkg/fanal/artifact/artifact.go index 9675e04dd0f9..89aa9cbb60d8 100644 --- a/pkg/fanal/artifact/artifact.go +++ b/pkg/fanal/artifact/artifact.go @@ -27,6 +27,7 @@ type Option struct { RekorURL string Platform string Slow bool // Lower CPU and memory + AWSRegion string MisconfScannerOption misconf.ScannerOption SecretScannerOption analyzer.SecretScannerOption diff --git a/pkg/fanal/artifact/vm/ami.go b/pkg/fanal/artifact/vm/ami.go index 751fd4be3c97..b99d380f91c1 100644 
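Review bot: The new `AWSRegion` field added to `artifact.Option` is the only field in this hunk without a trailing comment, while its neighbour `Slow bool // Lower CPU and memory` documents its effect; the empty-string contract matters here because the consumers only override the SDK region when the value is non-empty, and a reader of the struct cannot see that. Suggested: `AWSRegion string // Region for AMI/EBS targets; empty defers to the AWS SDK's default region resolution`. The `Option` struct starts and ends outside the hunk.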
--- a/pkg/fanal/artifact/vm/ami.go +++ b/pkg/fanal/artifact/vm/ami.go @@ -19,13 +19,16 @@ type AMI struct { imageID string } -func newAMI(imageID string, storage Storage) (*AMI, error) { +func newAMI(imageID string, storage Storage, region string) (*AMI, error) { // TODO: propagate context ctx := context.TODO() cfg, err := config.LoadDefaultConfig(ctx) if err != nil { return nil, xerrors.Errorf("aws config load error: %w", err) } + if region != "" { + cfg.Region = region + } client := ec2.NewFromConfig(cfg) output, err := client.DescribeImages(ctx, &ec2.DescribeImagesInput{ ImageIds: []string{imageID}, @@ -43,7 +46,7 @@ func newAMI(imageID string, storage Storage) (*AMI, error) { continue } log.Logger.Infof("Snapshot %s found", snapshotID) - ebs, err := newEBS(snapshotID, storage) + ebs, err := newEBS(snapshotID, storage, region) if err != nil { return nil, xerrors.Errorf("new EBS error: %w", err) } diff --git a/pkg/fanal/artifact/vm/ebs.go b/pkg/fanal/artifact/vm/ebs.go index 0628908f49df..2515c66e6cd8 100644 --- a/pkg/fanal/artifact/vm/ebs.go +++ b/pkg/fanal/artifact/vm/ebs.go @@ -24,8 +24,10 @@ type EBS struct { ebs ebsfile.EBSAPI } -func newEBS(snapshotID string, vm Storage) (*EBS, error) { - ebs, err := ebsfile.New(ebsfile.Option{}) +func newEBS(snapshotID string, vm Storage, region string) (*EBS, error) { + ebs, err := ebsfile.New(ebsfile.Option{ + AwsRegion: region, + }) if err != nil { return nil, xerrors.Errorf("new ebsfile error: %w", err) } diff --git a/pkg/fanal/artifact/vm/vm.go b/pkg/fanal/artifact/vm/vm.go index 82c31fc8935a..a09104c24963 100644 --- a/pkg/fanal/artifact/vm/vm.go +++ b/pkg/fanal/artifact/vm/vm.go 
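Review bot: In `newAMI` the override `cfg.Region = region` is applied only after `config.LoadDefaultConfig(ctx)` has already resolved the default chain, so any region-dependent setup performed during loading (for instance an STS-backed credential provider configured in a shared profile — I cannot confirm from this patch whether that applies) still runs against the default region while `ec2.NewFromConfig(cfg)` targets the requested one. Passing the override into the loader via `config.WithRegion` keeps both consistent and is the SDK-idiomatic form; a short comment saying why the option is built conditionally would also explain the empty-string fallback. `newAMI`'s body continues past the first hunk; the second hunk correctly forwards the same `region` to `newEBS`.

```go
func newAMI(imageID string, storage Storage, region string) (*AMI, error) {
	ctx := context.TODO()
	var loadOpts []func(*config.LoadOptions) error
	if region != "" {
		// Apply the override at load time so region-dependent resolution sees it too;
		// an empty region keeps the SDK's default (env/profile) resolution.
		loadOpts = append(loadOpts, config.WithRegion(region))
	}
	cfg, err := config.LoadDefaultConfig(ctx, loadOpts...)
	// … unchanged: error check, ec2.NewFromConfig(cfg), DescribeImages and snapshot loop …
```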
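Review bot: `newEBS` now accepts a `region` parameter, but neither the signature nor the `ebsfile.Option{AwsRegion: region}` literal states what an empty value means; `ebsfile` is an external module, so whether it falls back to the SDK default chain the way `newAMI` does (or to no region at all) is not visible in this patch and should be confirmed, since otherwise the AMI lookup and the snapshot download could resolve to different regions. Suggested doc comment above the function: `// newEBS opens snapshotID through the EBS direct APIs. region overrides the AWS region; an empty value defers to ebsfile's default resolution (TODO confirm this matches the SDK default chain used by newAMI).` `newEBS`'s body continues past the hunk.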
@@ -109,10 +109,10 @@ func NewArtifact(target string, c cache.ArtifactCache, opt artifact.Option) (art switch targetType { case TypeAMI: target = strings.TrimPrefix(target, TypeAMI.Prefix()) - return newAMI(target, storage) + return newAMI(target, storage, opt.AWSRegion) case TypeEBS: target = strings.TrimPrefix(target, TypeEBS.Prefix()) - e, err := newEBS(target, storage) + e, err := newEBS(target, storage, opt.AWSRegion) if err != nil { return nil, xerrors.Errorf("new EBS error: %w", err) } diff --git a/pkg/flag/options.go b/pkg/flag/options.go index 0ddd7c9b5985..d97e627c1f4f 100644 --- a/pkg/flag/options.go +++ b/pkg/flag/options.go @@ -62,6 +62,7 @@ type Flags struct { ScanFlagGroup *ScanFlagGroup SecretFlagGroup *SecretFlagGroup VulnerabilityFlagGroup *VulnerabilityFlagGroup + VMFlagGroups *VMFlagGroups } // Options holds all the runtime configuration @@ -83,6 +84,7 @@ type Options struct { ScanOptions SecretOptions VulnerabilityOptions + VMOptions // Trivy's version, not populated via CLI flags AppVersion string @@ -256,6 +258,9 @@ func (f *Flags) groups() []FlagGroup { if f.RepoFlagGroup != nil { groups = append(groups, f.RepoFlagGroup) } + if f.VMFlagGroups != nil { + groups = append(groups, f.VMFlagGroups) + } return groups } diff --git a/pkg/flag/vm_flags.go b/pkg/flag/vm_flags.go new file mode 100644 index 000000000000..e8fe064523c4 --- /dev/null +++ b/pkg/flag/vm_flags.go 
@@ -0,0 +1,38 @@ +package flag + +var ( + vmAWSRegionFlag = Flag{ + Name: "region", + ConfigName: "scan.vm.region", + Value: "", + Usage: "AWS Region to scan", + } +) + +type VMFlagGroups struct { + AWSRegion *Flag +} + +type VMOptions struct { + AWSRegion string +} + +func NewVMFlagGroup() *VMFlagGroups { + return &VMFlagGroups{ + AWSRegion: &vmAWSRegionFlag, + } +} + +func (f *VMFlagGroups) Name() string { + return "VM" +} + +func (f *VMFlagGroups) Flags() []*Flag { + return []*Flag{f.AWSRegion} +} + +func (f *VMFlagGroups) ToOptions() VMOptions { + return VMOptions{ + AWSRegion: getString(f.AWSRegion), + } +} From a833315d70f44e0e00bcd56cc216c79ad0e7ae69 Mon Sep 17 00:00:00 2001 From: tockn Date: Sat, 10 Dec 2022 16:07:38 +0900 Subject: [PATCH 2/7] feat: import vm options --- pkg/flag/options.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/flag/options.go b/pkg/flag/options.go index d97e627c1f4f..d695355cdd9c 100644 --- a/pkg/flag/options.go +++ b/pkg/flag/options.go @@ -403,6 +403,10 @@ func (f *Flags) ToOptions(appVersion string, args []string, globalFlags *GlobalF opts.VulnerabilityOptions = f.VulnerabilityFlagGroup.ToOptions() } + if f.VMFlagGroups != nil { + opts.VMOptions = f.VMFlagGroups.ToOptions() + } + opts.Align() return opts, nil From 8430fd7c95511867b91c99e5844cdc02a4b1e650 Mon Sep 17 00:00:00 2001 From: tockn Date: Sat, 10 Dec 2022 16:24:09 +0900 Subject: [PATCH 3/7] docs: update vm docs --- docs/docs/vm/aws.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/docs/vm/aws.md b/docs/docs/vm/aws.md index 3832085e143b..00d9fda472a5 100644 --- a/docs/docs/vm/aws.md +++ b/docs/docs/vm/aws.md 
@@ -25,6 +25,12 @@ $ trivy vm --security-checks vuln ami:ami-0123456789abcdefg !!! tip The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection. +If you want to scan a AMI of non-default setting region, you can set any region via `--region` option. + +```shell +$ trivy vm --region ap-northeast-1 ami:ami-0123456789abcdefg +``` + ### Required Actions Some actions on EBS are also necessary since Trivy scans an EBS snapshot tied to the specified AMI under the hood. @@ -52,6 +58,13 @@ $ trivy vm --security-checks vuln ebs:snap-0123456789abcdefg !!! tip The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection. +If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--region` option. + +```shell +$ trivy vm --region ap-northeast-1 ebs:ebs-0123456789abcdefg +``` + + The above command takes a while as it calls EBS API and fetches the EBS blocks. If you want to scan the same snapshot several times, you can download the snapshot locally by using [coldsnap][coldsnap] maintained by AWS. Then, Trivy can scan the local VM image file. From 04769e1e4ee97839fa29d7826c989a5b0c1e072d Mon Sep 17 00:00:00 2001 From: tockn Date: Tue, 13 Dec 2022 00:35:44 +0900 Subject: [PATCH 4/7] Update docs/docs/vm/aws.md Co-authored-by: Teppei Fukuda --- docs/docs/vm/aws.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/vm/aws.md b/docs/docs/vm/aws.md index 00d9fda472a5..3f037daf48f3 100644 --- a/docs/docs/vm/aws.md +++ b/docs/docs/vm/aws.md 
@@ -28,7 +28,7 @@ $ trivy vm --security-checks vuln ami:ami-0123456789abcdefg If you want to scan a AMI of non-default setting region, you can set any region via `--region` option. ```shell -$ trivy vm --region ap-northeast-1 ami:ami-0123456789abcdefg +$ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg ``` From 4c172539dedb31dddad5cd44492a5f58305c7a8e Mon Sep 17 00:00:00 2001 From: tockn Date: Tue, 13 Dec 2022 00:36:39 +0900 Subject: [PATCH 5/7] doc: region -> aws-region --- docs/docs/vm/aws.md | 2 +- pkg/flag/vm_flags.go | 38 -------------------------------------- 2 files changed, 1 insertion(+), 39 deletions(-) delete mode 100644 pkg/flag/vm_flags.go diff --git a/docs/docs/vm/aws.md b/docs/docs/vm/aws.md index 3f037daf48f3..17d6355cc306 100644 --- a/docs/docs/vm/aws.md +++ b/docs/docs/vm/aws.md @@ -61,7 +61,7 @@ The scanning could be faster if you enable only vulnerability scanning (`--secur If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--region` option. ```shell -$ trivy vm --region ap-northeast-1 ebs:ebs-0123456789abcdefg +$ trivy vm --aws-region ap-northeast-1 ebs:ebs-0123456789abcdefg ``` diff --git a/pkg/flag/vm_flags.go b/pkg/flag/vm_flags.go deleted file mode 100644 index e8fe064523c4..000000000000 --- a/pkg/flag/vm_flags.go +++ /dev/null @@ -1,38 +0,0 @@ -package flag - -var ( - vmAWSRegionFlag = Flag{ - Name: "region", - ConfigName: "scan.vm.region", - Value: "", - Usage: "AWS Region to scan", - } -) - -type VMFlagGroups struct { - AWSRegion *Flag -} - -type VMOptions struct { - AWSRegion string -} - -func NewVMFlagGroup() *VMFlagGroups { - return &VMFlagGroups{ - AWSRegion: &vmAWSRegionFlag, - } -} - -func (f *VMFlagGroups) Name() string { - return "VM" -} - -func (f *VMFlagGroups) Flags() []*Flag { - return []*Flag{f.AWSRegion} -} - -func (f *VMFlagGroups) ToOptions() VMOptions { - return VMOptions{ - AWSRegion: getString(f.AWSRegion), - } -} 
From bd66e07255a8cdf9a060ddf5950ff02f35e3ef68 Mon Sep 17 00:00:00 2001 From: tockn Date: Tue, 13 Dec 2022 00:45:45 +0900 Subject: [PATCH 6/7] refactor: using AWSFlagGroup instead of VMFlagGroup --- pkg/commands/app.go | 9 ++++++++- pkg/commands/artifact/run.go | 2 +- pkg/flag/options.go | 9 --------- 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/pkg/commands/app.go b/pkg/commands/app.go index 6d0f6a7e48ca..012bd65638b0 100644 --- a/pkg/commands/app.go +++ b/pkg/commands/app.go @@ -884,7 +884,14 @@ func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { ScanFlagGroup: flag.NewScanFlagGroup(), SecretFlagGroup: flag.NewSecretFlagGroup(), VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(), - VMFlagGroups: flag.NewVMFlagGroup(), + AWSFlagGroup: &flag.AWSFlagGroup{ + Region: &flag.Flag{ + Name: "aws-region", + ConfigName: "aws.region", + Value: "", + Usage: "AWS region to scan", + }, + }, } cmd := &cobra.Command{ diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go index d1560ffc3dad..390652dfdceb 100644 --- a/pkg/commands/artifact/run.go +++ b/pkg/commands/artifact/run.go @@ -543,7 +543,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi RekorURL: opts.RekorURL, Platform: opts.Platform, Slow: opts.Slow, - AWSRegion: opts.AWSRegion, + AWSRegion: opts.Region, // For misconfiguration scanning MisconfScannerOption: configScannerOptions, diff --git a/pkg/flag/options.go b/pkg/flag/options.go index d695355cdd9c..0ddd7c9b5985 100644 --- a/pkg/flag/options.go +++ b/pkg/flag/options.go @@ -62,7 +62,6 @@ type Flags struct { ScanFlagGroup *ScanFlagGroup SecretFlagGroup *SecretFlagGroup VulnerabilityFlagGroup *VulnerabilityFlagGroup - VMFlagGroups *VMFlagGroups } // Options holds all the runtime configuration @@ -84,7 +83,6 @@ type Options struct { ScanOptions SecretOptions VulnerabilityOptions - VMOptions // Trivy's version, not populated via CLI flags AppVersion string 
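Review bot: The `--aws-region` flag is declared inline in `NewVMCommand` as a `flag.Flag` literal (`ConfigName: "aws.region"`, `Usage: "AWS region to scan"`) rather than through a shared package-level definition, so its config key, usage text and default can drift from the region flag any other subcommand exposes under the same name; if `pkg/flag` already declares such a flag for the `aws` command (not visible here), the same CLI flag would read different config-file keys depending on the subcommand. Prefer referencing the package-level definition, e.g. `Region: &flag.AWSRegionFlag,` (exact identifier to be taken from `pkg/flag`), or a `flag.NewAWSFlagGroup()` constructor if one exists. The value is also forwarded unvalidated via `opts.Region` into `cfg.Region` and `ebsfile.Option`, where the SDK derives the API endpoint host from it, so a typo only surfaces later as an endpoint-resolution or DNS error; a conservative format check (lowercase letters, digits and hyphens) at option parsing would fail fast with a clear message. `NewVMCommand` starts and ends outside the hunk.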
@@ -258,9 +256,6 @@ func (f *Flags) groups() []FlagGroup { if f.RepoFlagGroup != nil { groups = append(groups, f.RepoFlagGroup) } - if f.VMFlagGroups != nil { - groups = append(groups, f.VMFlagGroups) - } return groups } @@ -403,10 +398,6 @@ func (f *Flags) ToOptions(appVersion string, args []string, globalFlags *GlobalF opts.VulnerabilityOptions = f.VulnerabilityFlagGroup.ToOptions() } - if f.VMFlagGroups != nil { - opts.VMOptions = f.VMFlagGroups.ToOptions() - } - opts.Align() return opts, nil From a7abdb661f44cf41f98f93cde6a3ca3131543a1f Mon Sep 17 00:00:00 2001 From: tockn Date: Tue, 13 Dec 2022 00:46:47 +0900 Subject: [PATCH 7/7] doc: region -> aws-region --- docs/docs/vm/aws.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs/vm/aws.md b/docs/docs/vm/aws.md index 17d6355cc306..bee240aa4ac0 100644 --- a/docs/docs/vm/aws.md +++ b/docs/docs/vm/aws.md @@ -25,7 +25,7 @@ $ trivy vm --security-checks vuln ami:ami-0123456789abcdefg !!! tip The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection. -If you want to scan a AMI of non-default setting region, you can set any region via `--region` option. +If you want to scan a AMI of non-default setting region, you can set any region via `--aws-region` option. ```shell $ trivy vm --aws-region ap-northeast-1 ami:ami-0123456789abcdefg 
@@ -58,7 +58,7 @@ $ trivy vm --security-checks vuln ebs:snap-0123456789abcdefg !!! tip The scanning could be faster if you enable only vulnerability scanning (`--security-checks vuln`) because Trivy tries to download only necessary blocks for vulnerability detection. -If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--region` option. +If you want to scan an EBS Snapshot of non-default setting region, you can set any region via `--aws-region` option. ```shell $ trivy vm --aws-region ap-northeast-1 ebs:ebs-0123456789abcdefg