From 6b131d033c32c0931576087d7bcb7cab02425be8 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 7 Mar 2023 14:29:57 +0600
Subject: [PATCH 1/4] disable languages without licenses when only license scanner is enabled

---
 pkg/commands/artifact/run.go | 6 ++++++
 pkg/fanal/analyzer/const.go | 24 ++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index 24be95513c45..d411cff2dfb6 100644
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -494,6 +494,12 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 analyzers = append(analyzers, analyzer.TypeLicenseFile)
 }
 
+ // Some language files contain license information
+ // We don't need to parse other languages if we don't analyze vulnerabilities
+ if opts.Scanners.Enabled(types.LicenseScanner) && !opts.Scanners.Enabled(types.VulnerabilityScanner) {
+ analyzers = append(analyzers, analyzer.TypeLanguagesWithoutLicenses...)
+ }
+
 // Do not perform misconfiguration scanning on container image config
 // when it is not specified.
 if !opts.ImageConfigScanners.Enabled(types.MisconfigScanner) {
diff --git a/pkg/fanal/analyzer/const.go b/pkg/fanal/analyzer/const.go
index 7b429e876ec9..044199e08d44 100644
--- a/pkg/fanal/analyzer/const.go
+++ b/pkg/fanal/analyzer/const.go
@@ -218,4 +218,28 @@ var (
 TypeCloudFormation,
 TypeHelm,
 }
+
+ // TypeLanguagesWithoutLicenses has all language analyzers which don't have licenses
+ TypeLanguagesWithoutLicenses = []Type{
+ TypeBundler,
+ TypeCargo,
+ TypeComposer,
+ TypeJar,
+ TypePom,
+ TypeGradleLock,
+ TypeNpmPkgLock,
+ TypeYarn,
+ TypePnpm,
+ TypeNuget,
+ TypeDotNetCore,
+ TypePip,
+ TypePipenv,
+ TypePoetry,
+ TypeGoBinary,
+ TypeRustBinary,
+ TypeConanLock,
+ TypeCocoaPods,
+ TypePubSpecLock,
+ TypeMixLock,
+ }
 )

From 2074fc79bf1b8b56c41b177ef608f87ded6dfc35 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 7 Mar 2023 14:47:42 +0600
Subject: [PATCH 2/4] add sbom format check to disable languages without licenses

---
 pkg/commands/artifact/run.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index d411cff2dfb6..21d849cd5c88 100644
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -495,8 +495,9 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 }
 
 // Some language files contain license information
- // We don't need to parse other languages if we don't analyze vulnerabilities
- if opts.Scanners.Enabled(types.LicenseScanner) && !opts.Scanners.Enabled(types.VulnerabilityScanner) {
+ // We don't need to parse other languages if we don't analyze vulnerabilities or use sbom format
+ if opts.Scanners.Enabled(types.LicenseScanner) && !opts.Scanners.Enabled(types.VulnerabilityScanner) &&
+ !slices.Contains(report.SupportedSBOMFormats, opts.Format) {
 analyzers = append(analyzers, analyzer.TypeLanguagesWithoutLicenses...)
 }
 

From 52fec504aff1f62cef4794972584eaa08134ad5d Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 7 Mar 2023 15:50:49 +0600
Subject: [PATCH 3/4] disable only jar analyzer

---
 pkg/commands/artifact/run.go | 8 +++++---
 pkg/fanal/analyzer/const.go | 24 ------------------------
 2 files changed, 5 insertions(+), 27 deletions(-)

diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index 21d849cd5c88..aa90163d1bf6 100644
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -494,11 +494,13 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 analyzers = append(analyzers, analyzer.TypeLicenseFile)
 }
 
- // Some language files contain license information
- // We don't need to parse other languages if we don't analyze vulnerabilities or use sbom format
+ // Parsing jar files requires Java-db client
+ // But we don't create client if vulnerability analysis is disabled and sbom format is not used
+ // We need to disable jar analyzer to avoid errors
+ // TODO disable all languages that don't contains license information for this case
 if opts.Scanners.Enabled(types.LicenseScanner) && !opts.Scanners.Enabled(types.VulnerabilityScanner) &&
 !slices.Contains(report.SupportedSBOMFormats, opts.Format) {
- analyzers = append(analyzers, analyzer.TypeLanguagesWithoutLicenses...)
+ analyzers = append(analyzers, analyzer.TypeJar)
 }
 
 // Do not perform misconfiguration scanning on container image config
diff --git a/pkg/fanal/analyzer/const.go b/pkg/fanal/analyzer/const.go
index 044199e08d44..7b429e876ec9 100644
--- a/pkg/fanal/analyzer/const.go
+++ b/pkg/fanal/analyzer/const.go
@@ -218,28 +218,4 @@ var (
 TypeCloudFormation,
 TypeHelm,
 }
-
- // TypeLanguagesWithoutLicenses has all language analyzers which don't have licenses
- TypeLanguagesWithoutLicenses = []Type{
- TypeBundler,
- TypeCargo,
- TypeComposer,
- TypeJar,
- TypePom,
- TypeGradleLock,
- TypeNpmPkgLock,
- TypeYarn,
- TypePnpm,
- TypeNuget,
- TypeDotNetCore,
- TypePip,
- TypePipenv,
- TypePoetry,
- TypeGoBinary,
- TypeRustBinary,
- TypeConanLock,
- TypeCocoaPods,
- TypePubSpecLock,
- TypeMixLock,
- }
 )

From 70829195b3cf3affde6d1bad6d9e084d1b146912 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 7 Mar 2023 15:51:22 +0600
Subject: [PATCH 4/4] fix typo

---
 pkg/commands/artifact/run.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index aa90163d1bf6..33b334669595 100644
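Review bot: The new guard in the `if` is keyed on `types.LicenseScanner` being enabled, yet the comment above it states the failure precondition as only "vulnerability analysis is disabled and sbom format is not used"; unless the jar analyzer is already disabled by another branch of `disabledAnalyzers` for other scanner selections (not visible in this series), a run such as `--scanners secret` would reach the same uncreated Java DB client. Either drop the `LicenseScanner` conjunct, or add a line under the comment explaining why a license-only scan is the only path that can reach the jar analyzer here, e.g. `// Other scanner combinations never run the jar analyzer because ...`. The condition is also a hand-written copy of whatever decides Java DB client creation; a shared predicate such as `func needsJavaDB(opts flag.Options) bool` used here and at the initialisation site would keep the two from drifting, though that site is outside this hunk. Since the analyzer is dropped silently, a debug log line noting that jar licenses are skipped in this mode would help users understand missing results. `disabledAnalyzers` begins and ends outside the hunk.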
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -495,9 +495,9 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 }
 
 // Parsing jar files requires Java-db client
- // But we don't create client if vulnerability analysis is disabled and sbom format is not used
+ // But we don't create client if vulnerability analysis is disabled and SBOM format is not used
 // We need to disable jar analyzer to avoid errors
- // TODO disable all languages that don't contains license information for this case
+ // TODO disable all languages that don't contain license information for this case
 if opts.Scanners.Enabled(types.LicenseScanner) && !opts.Scanners.Enabled(types.VulnerabilityScanner) &&
 !slices.Contains(report.SupportedSBOMFormats, opts.Format) {
 analyzers = append(analyzers, analyzer.TypeJar)