From 0e6f8f5679480dd87434b902b91a32691237053a Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Mon, 24 Apr 2023 12:23:10 +0600
Subject: [PATCH 01/12] add third party flag for dpkg

---
 pkg/commands/artifact/run.go | 1 +
 pkg/fanal/analyzer/analyzer.go | 1 +
 pkg/fanal/analyzer/pkg/dpkg/dpkg.go | 51 ++++++++++-----
 pkg/fanal/analyzer/pkg/dpkg/dpkg_test.go | 55 +++++++++++------
 pkg/fanal/artifact/artifact.go | 1 +
 pkg/fanal/artifact/image/image.go | 1 +
 pkg/fanal/artifact/local/fs.go | 1 +
 pkg/flag/scan_flags.go | 79 ++++++++++++++----------
 8 files changed, 123 insertions(+), 67 deletions(-)

diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
index 630724e4dc2b..cf59609911fc 100644
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -629,6 +629,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 DisabledAnalyzers: disabledAnalyzers(opts),
 SkipFiles: opts.SkipFiles,
 SkipDirs: opts.SkipDirs,
+ ThirdPartyOSPkgs: opts.ThirdPartyOSPkgs,
 FilePatterns: opts.FilePatterns,
 Offline: opts.OfflineScan,
 NoProgress: opts.NoProgress || opts.Quiet,
diff --git a/pkg/fanal/analyzer/analyzer.go b/pkg/fanal/analyzer/analyzer.go
index 46d91f1f7155..7e9c5c1aaef6 100644
--- a/pkg/fanal/analyzer/analyzer.go
+++ b/pkg/fanal/analyzer/analyzer.go
@@ -44,6 +44,7 @@ var (
 type AnalyzerOptions struct {
 Group Group
 Slow bool
+ ThirdPartyOSPkgs []string // To exclude these package files from system files
 FilePatterns []string
 DisabledAnalyzers []Type
 MisconfScannerOption misconf.ScannerOption
diff --git a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
index 0007432cc68e..2de4b80b6fe5 100644
--- a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
@@ -12,6 +12,7 @@ import (
 debVersion "github.com/knqyf263/go-deb-version"
 "github.com/samber/lo"
+ "golang.org/x/exp/slices"
 "golang.org/x/xerrors"
 
 "github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -36,11 +37,17 @@ var (
 dpkgSrcCaptureRegexpNames = dpkgSrcCaptureRegexp.SubexpNames()
 )
 
-type dpkgAnalyzer struct{}
+type dpkgAnalyzer struct {
+ ThirdPartyPkgs []string
+}
 
-func (a dpkgAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
+func (a *dpkgAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
 scanner := bufio.NewScanner(input.Content)
 if a.isListFile(filepath.Split(input.FilePath)) {
+ // If user has marked package as third party package - we will parse files of this package as language packages
+ if a.skipThirdPartyPkg(filepath.Base(input.FilePath)) {
+ return nil, nil
+ }
 return a.parseDpkgInfoList(scanner)
 }
 
@@ -48,7 +55,7 @@ func (a dpkgAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (
 }
 
 // parseDpkgStatus parses /var/lib/dpkg/info/*.list
-func (a dpkgAnalyzer) parseDpkgInfoList(scanner *bufio.Scanner) (*analyzer.AnalysisResult, error) {
+func (a *dpkgAnalyzer) parseDpkgInfoList(scanner *bufio.Scanner) (*analyzer.AnalysisResult, error) {
 var installedFiles []string
 var previous string
 for scanner.Scan() {
@@ -82,7 +89,7 @@ func (a dpkgAnalyzer) parseDpkgInfoList(scanner *bufio.Scanner) (*analyzer.Analy
 }
 
 // parseDpkgStatus parses /var/lib/dpkg/status or /var/lib/dpkg/status/*
-func (a dpkgAnalyzer) parseDpkgStatus(filePath string, scanner *bufio.Scanner) (*analyzer.AnalysisResult, error) {
+func (a *dpkgAnalyzer) parseDpkgStatus(filePath string, scanner *bufio.Scanner) (*analyzer.AnalysisResult, error) {
 var pkg *types.Package
 pkgs := map[string]*types.Package{}
 pkgIDs := map[string]string{}
@@ -118,7 +125,8 @@ func (a dpkgAnalyzer) parseDpkgStatus(filePath string, scanner *bufio.Scanner) (
 }, nil
 }
 
-func (a dpkgAnalyzer) parseDpkgPkg(scanner *bufio.Scanner) (pkg *types.Package) {
+// nolint: gocyclo
+func (a *dpkgAnalyzer) parseDpkgPkg(scanner *bufio.Scanner) (pkg *types.Package) {
 var (
 name string
 version string
@@ -138,6 +146,10 @@ func (a dpkgAnalyzer) parseDpkgPkg(scanner *bufio.Scanner) (pkg *types.Package)
 switch {
 case strings.HasPrefix(line, "Package: "):
 name = strings.TrimSpace(strings.TrimPrefix(line, "Package: "))
+ if slices.Contains(a.ThirdPartyPkgs, name) {
+ log.Logger.Debugf("Skipping %q as OS package. Parse files of this package as language packages", name)
+ return nil
+ }
 case strings.HasPrefix(line, "Source: "):
 // Source line (Optional)
 // Gives the name of the source package
@@ -216,7 +228,7 @@ func (a dpkgAnalyzer) parseDpkgPkg(scanner *bufio.Scanner) (pkg *types.Package)
 return pkg
 }
 
-func (a dpkgAnalyzer) Required(filePath string, _ os.FileInfo) bool {
+func (a *dpkgAnalyzer) Required(filePath string, _ os.FileInfo) bool {
 dir, fileName := filepath.Split(filePath)
 if a.isListFile(dir, fileName) || filePath == statusFile {
 return true
@@ -228,11 +240,11 @@ func (a dpkgAnalyzer) Required(filePath string, _ os.FileInfo) bool {
 return false
 }
 
-func (a dpkgAnalyzer) pkgID(name, version string) string {
+func (a *dpkgAnalyzer) pkgID(name, version string) string {
 return fmt.Sprintf("%s@%s", name, version)
 }
 
-func (a dpkgAnalyzer) parseStatus(line string) bool {
+func (a *dpkgAnalyzer) parseStatus(line string) bool {
 for _, ss := range strings.Fields(strings.TrimPrefix(line, "Status: ")) {
 if ss == "deinstall" || ss == "purge" {
 return false
@@ -241,7 +253,7 @@ func (a dpkgAnalyzer) parseStatus(line string) bool {
 return true
 }
 
-func (a dpkgAnalyzer) parseDepends(line string) []string {
+func (a *dpkgAnalyzer) parseDepends(line string) []string {
 line = strings.TrimPrefix(line, "Depends: ")
 
 // e.g. Depends: passwd, debconf (>= 0.5) | debconf-2.0
@@ -259,7 +271,7 @@ func (a dpkgAnalyzer) parseDepends(line string) []string {
 return dependencies
 }
 
-func (a dpkgAnalyzer) trimVersionRequirement(s string) string {
+func (a *dpkgAnalyzer) trimVersionRequirement(s string) string {
 // e.g.
 // libapt-pkg6.0 (>= 2.2.4) => libapt-pkg6.0
 // adduser => adduser
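Review bot: The early `return nil` inside the `Package:` case leaves the rest of the stanza unread, so the caller's loop (outside this hunk) resumes in the middle of it and hands the remaining `Source:`/`Version:`/`Status:` lines to a fresh parseDpkgPkg call with an empty name; that appears to be tolerated today, presumably because a package without a name is dropped, but the skip silently depends on that guard. A safer shape is to remember the match, `thirdParty := slices.Contains(a.ThirdPartyPkgs, name)`, keep consuming the stanza, and return nil just before the function's final `return pkg` when `thirdParty` is set, with the Debugf moved there. Logging only at Debug level also means a user who mistypes a package name gets no visible hint that nothing was skipped; an Info-level summary of which listed names actually matched would make the narrowed scan auditable.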
@@ -269,7 +281,7 @@ func (a dpkgAnalyzer) trimVersionRequirement(s string) string {
 return s
 }
 
-func (a dpkgAnalyzer) consolidateDependencies(pkgs map[string]*types.Package, pkgIDs map[string]string) {
+func (a *dpkgAnalyzer) consolidateDependencies(pkgs map[string]*types.Package, pkgIDs map[string]string) {
 for _, pkg := range pkgs {
 // e.g. libc6 => libc6@2.31-13+deb11u4
 pkg.DependsOn = lo.FilterMap(pkg.DependsOn, func(d string, _ int) (string, bool) {
@@ -285,7 +297,12 @@ func (a dpkgAnalyzer) consolidateDependencies(pkgs map[string]*types.Package, pk
 }
 }
 
-func (a dpkgAnalyzer) isListFile(dir, fileName string) bool {
+func (a *dpkgAnalyzer) Init(opt analyzer.AnalyzerOptions) error {
+ a.ThirdPartyPkgs = opt.ThirdPartyOSPkgs
+ return nil
+}
+
+func (a *dpkgAnalyzer) isListFile(dir, fileName string) bool {
 if dir != infoDir {
 return false
 }
@@ -293,10 +310,16 @@ func (a dpkgAnalyzer) isListFile(dir, fileName string) bool {
 return strings.HasSuffix(fileName, ".list")
 }
 
-func (a dpkgAnalyzer) Type() analyzer.Type {
+// skipThirdPartyPkg is true when user has marked this package as third party package
+func (a *dpkgAnalyzer) skipThirdPartyPkg(fileName string) bool {
+ pkgName := strings.TrimSuffix(fileName, filepath.Ext(fileName))
+ return slices.Contains(a.ThirdPartyPkgs, pkgName)
+}
+
+func (a *dpkgAnalyzer) Type() analyzer.Type {
 return analyzer.TypeDpkg
 }
 
-func (a dpkgAnalyzer) Version() int {
+func (a *dpkgAnalyzer) Version() int {
 return analyzerVersion
 }
diff --git a/pkg/fanal/analyzer/pkg/dpkg/dpkg_test.go b/pkg/fanal/analyzer/pkg/dpkg/dpkg_test.go
index 823c60cb42b5..d27207e1491f 100644
--- a/pkg/fanal/analyzer/pkg/dpkg/dpkg_test.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/dpkg_test.go
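Review bot: skipThirdPartyPkg derives the package name by stripping only the extension, so for multi-arch packages, whose list files dpkg names `name:arch.list` (for example `libc6:amd64.list`), it compares `libc6:amd64` against the user's `libc6` and never matches; the status path in parseDpkgPkg matches on the bare `Package:` name, so such a package is dropped from the OS inventory while its files are still recorded as system files and stay hidden from the language analyzers, the opposite of what the flag promises. Strip the architecture qualifier before the lookup, `pkgName, _, _ := strings.Cut(strings.TrimSuffix(fileName, ".list"), ":")`, and cover a `name:arch.list` path in the test table. The doc comment could also state the contract rather than restate the name: `// skipThirdPartyPkg reports whether this dpkg info list file belongs to a package the user listed as third-party (architecture qualifier ignored).`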
@@ -15,16 +15,18 @@ import (
 
 func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 tests := []struct {
- name string
- testFile string
- filePath string
- want *analyzer.AnalysisResult
- wantErr bool
+ name string
+ testFile string
+ filePath string
+ thirdPartyPkgs []string
+ want *analyzer.AnalysisResult
+ wantErr bool
 }{
 {
- name: "valid",
- testFile: "./testdata/dpkg",
- filePath: "var/lib/dpkg/status",
+ name: "valid",
+ testFile: "./testdata/dpkg",
+ filePath: "var/lib/dpkg/status",
+ thirdPartyPkgs: []string{"ubuntu-keyring"},
 want: &analyzer.AnalysisResult{
 PackageInfos: []types.PackageInfo{
 {
@@ -58,7 +60,6 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 "libgnutls30@3.5.18-1ubuntu1",
 "libseccomp2@2.3.1-2.1ubuntu4",
 "libstdc++6@8-20180414-1ubuntu2",
- "ubuntu-keyring@2018.02.28",
 },
 Maintainer: "Ubuntu Developers ",
 Arch: "amd64",
@@ -1162,15 +1163,6 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 Maintainer: "Ubuntu Developers ",
 Arch: "amd64",
 },
- {
- ID: "ubuntu-keyring@2018.02.28",
- Name: "ubuntu-keyring",
- Version: "2018.02.28",
- SrcName: "ubuntu-keyring",
- SrcVersion: "2018.02.28",
- Maintainer: "Dimitri John Ledkov ",
- Arch: "all",
- },
 {
 ID: "util-linux@2.31.1-0.4ubuntu3.1",
 Name: "util-linux",
@@ -1302,6 +1294,31 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 },
 },
 },
+ {
+ name: "info list of third party package",
+ testFile: "./testdata/bash.list",
+ thirdPartyPkgs: []string{"bash"},
+ filePath: "var/lib/dpkg/info/tar.list",
+ want: &analyzer.AnalysisResult{
+ SystemInstalledFiles: []string{
+ "/bin/tar",
+ "/etc",
+ "/usr/lib/mime/packages/tar",
+ "/usr/sbin/rmt-tar",
+ "/usr/sbin/tarcat",
+ "/usr/share/doc/tar/AUTHORS",
+ "/usr/share/doc/tar/NEWS.gz",
+ "/usr/share/doc/tar/README.Debian",
+ "/usr/share/doc/tar/THANKS.gz",
+ "/usr/share/doc/tar/changelog.Debian.gz",
+ "/usr/share/doc/tar/copyright",
+ "/usr/share/man/man1/tar.1.gz",
+ "/usr/share/man/man1/tarcat.1.gz",
+ "/usr/share/man/man8/rmt-tar.8.gz",
+ "/etc/rmt",
+ },
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -1309,7 +1326,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
 require.NoError(t, err)
 defer f.Close()
 
- a := dpkgAnalyzer{}
+ a := dpkgAnalyzer{ThirdPartyPkgs: tt.thirdPartyPkgs}
 ctx := context.Background()
 got, err := a.Analyze(ctx, analyzer.AnalysisInput{
 FilePath: tt.filePath,
diff --git a/pkg/fanal/artifact/artifact.go b/pkg/fanal/artifact/artifact.go
index c4c7b95d1344..4eb859ca6ad3 100644
--- a/pkg/fanal/artifact/artifact.go
+++ b/pkg/fanal/artifact/artifact.go
@@ -16,6 +16,7 @@ type Option struct {
 DisabledHandlers []types.HandlerType
 SkipFiles []string
 SkipDirs []string
+ ThirdPartyOSPkgs []string
 FilePatterns []string
 NoProgress bool
 Insecure bool
diff --git a/pkg/fanal/artifact/image/image.go b/pkg/fanal/artifact/image/image.go
index 4193480b5162..829dba8b9e6f 100644
--- a/pkg/fanal/artifact/image/image.go
+++ b/pkg/fanal/artifact/image/image.go
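Review bot: The new case "info list of third party package" lists `bash` as third party but analyzes `var/lib/dpkg/info/tar.list`, so it only exercises the non-matching branch; the skip itself (`filePath: "var/lib/dpkg/info/bash.list"` with `want: nil`) is never asserted, and neither is a multi-arch `name:arch.list` file. Add at least the skipped-list case, since a regression in skipThirdPartyPkg would pass this table unchanged. The pairing of `testFile: "./testdata/bash.list"` with a tar.list path also deserves a one-line comment so the next reader does not take it for a typo.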
@@ -54,6 +54,7 @@ func NewArtifact(img types.Image, c cache.ArtifactCache, opt artifact.Option) (a
 a, err := analyzer.NewAnalyzerGroup(analyzer.AnalyzerOptions{
 Group: opt.AnalyzerGroup,
 Slow: opt.Slow,
+ ThirdPartyOSPkgs: opt.ThirdPartyOSPkgs,
 FilePatterns: opt.FilePatterns,
 DisabledAnalyzers: opt.DisabledAnalyzers,
 MisconfScannerOption: opt.MisconfScannerOption,
diff --git a/pkg/fanal/artifact/local/fs.go b/pkg/fanal/artifact/local/fs.go
index 171d9e46ef78..330c96aae7f4 100644
--- a/pkg/fanal/artifact/local/fs.go
+++ b/pkg/fanal/artifact/local/fs.go
@@ -45,6 +45,7 @@ func NewArtifact(rootPath string, c cache.ArtifactCache, opt artifact.Option) (a
 a, err := analyzer.NewAnalyzerGroup(analyzer.AnalyzerOptions{
 Group: opt.AnalyzerGroup,
 Slow: opt.Slow,
+ ThirdPartyOSPkgs: opt.ThirdPartyOSPkgs,
 FilePatterns: opt.FilePatterns,
 DisabledAnalyzers: opt.DisabledAnalyzers,
 MisconfScannerOption: opt.MisconfScannerOption,
diff --git a/pkg/flag/scan_flags.go b/pkg/flag/scan_flags.go
index 1a8b02b0ef2a..e9e816e8fd5c 100644
--- a/pkg/flag/scan_flags.go
+++ b/pkg/flag/scan_flags.go
@@ -66,41 +66,50 @@ var (
 Value: "https://rekor.sigstore.dev",
 Usage: "[EXPERIMENTAL] address of rekor STL server",
 }
+ ThirdPartyOSPkgs = Flag{
+ Name: "third-party-os-pkgs",
+ ConfigName: "scan.third-party-os-pkgs",
+ Value: []string{},
+ Usage: "parse files of these os packages as language packages (use GitHub and GitLab database for these files)",
+ }
 )
 
 type ScanFlagGroup struct {
- SkipDirs *Flag
- SkipFiles *Flag
- OfflineScan *Flag
- Scanners *Flag
- FilePatterns *Flag
- Slow *Flag
- SBOMSources *Flag
- RekorURL *Flag
+ SkipDirs *Flag
+ SkipFiles *Flag
+ ThirdPartyOSPkgs *Flag
+ OfflineScan *Flag
+ Scanners *Flag
+ FilePatterns *Flag
+ Slow *Flag
+ SBOMSources *Flag
+ RekorURL *Flag
 }
 
 type ScanOptions struct {
- Target string
- SkipDirs []string
- SkipFiles []string
- OfflineScan bool
- Scanners types.Scanners
- FilePatterns []string
- Slow bool
- SBOMSources []string
- RekorURL string
+ Target string
+ SkipDirs []string
+ SkipFiles []string
+ ThirdPartyOSPkgs []string
+ OfflineScan bool
+ Scanners types.Scanners
+ FilePatterns []string
+ Slow bool
+ SBOMSources []string
+ RekorURL string
 }
 
 func NewScanFlagGroup() *ScanFlagGroup {
 return &ScanFlagGroup{
- SkipDirs: &SkipDirsFlag,
- SkipFiles: &SkipFilesFlag,
- OfflineScan: &OfflineScanFlag,
- Scanners: &ScannersFlag,
- FilePatterns: &FilePatternsFlag,
- Slow: &SlowFlag,
- SBOMSources: &SBOMSourcesFlag,
- RekorURL: &RekorURLFlag,
+ SkipDirs: &SkipDirsFlag,
+ SkipFiles: &SkipFilesFlag,
+ ThirdPartyOSPkgs: &ThirdPartyOSPkgs,
+ OfflineScan: &OfflineScanFlag,
+ Scanners: &ScannersFlag,
+ FilePatterns: &FilePatternsFlag,
+ Slow: &SlowFlag,
+ SBOMSources: &SBOMSourcesFlag,
+ RekorURL: &RekorURLFlag,
 }
 }
 
@@ -112,6 +121,7 @@ func (f *ScanFlagGroup) Flags() []*Flag {
 return []*Flag{
 f.SkipDirs,
 f.SkipFiles,
+ f.ThirdPartyOSPkgs,
 f.OfflineScan,
 f.Scanners,
 f.FilePatterns,
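Review bot: `ThirdPartyOSPkgs = Flag{` breaks the `XxxFlag` naming used by every sibling in this block (`SkipDirsFlag`, `RekorURLFlag`) and is easy to confuse with the `ThirdPartyOSPkgs` fields added to ScanFlagGroup and ScanOptions in the same hunk; `ThirdPartyOSPkgsFlag` would match, with the `&ThirdPartyOSPkgs` reference in NewScanFlagGroup renamed alongside. The usage string also undersells the effect: a listed package is removed from the OS package inventory (the dpkg test drops ubuntu-keyring from the expected packages), so distro advisories for it are no longer reported and it disappears from package output, which a user should know before narrowing a scan; something like `Usage: "OS packages to treat as third-party: they are excluded from OS package detection and their files are scanned as language packages instead"` states the trade-off. The comment on the new AnalyzerOptions field in pkg/fanal/analyzer/analyzer.go (`// To exclude these package files from system files`) would benefit from the same wording.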
@@ -137,15 +147,16 @@ func (f *ScanFlagGroup) ToOptions(args []string) (ScanOptions, error) {
 }
 
 return ScanOptions{
- Target: target,
- SkipDirs: getStringSlice(f.SkipDirs),
- SkipFiles: getStringSlice(f.SkipFiles),
- OfflineScan: getBool(f.OfflineScan),
- Scanners: scanners,
- FilePatterns: getStringSlice(f.FilePatterns),
- Slow: getBool(f.Slow),
- SBOMSources: sbomSources,
- RekorURL: getString(f.RekorURL),
+ Target: target,
+ SkipDirs: getStringSlice(f.SkipDirs),
+ SkipFiles: getStringSlice(f.SkipFiles),
+ ThirdPartyOSPkgs: getStringSlice(f.ThirdPartyOSPkgs),
+ OfflineScan: getBool(f.OfflineScan),
+ Scanners: scanners,
+ FilePatterns: getStringSlice(f.FilePatterns),
+ Slow: getBool(f.Slow),
+ SBOMSources: sbomSources,
+ RekorURL: getString(f.RekorURL),
 }, nil
 }
From f283dcc622d431690d0f9e1bc454bde65632ca6a Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Mon, 24 Apr 2023 13:32:39 +0600
Subject: [PATCH 02/12] update cli docs

---
 .../configuration/cli/trivy_image.md | 1 +
 .../configuration/cli/trivy_rootfs.md | 119 +++++++++---------
 .../configuration/cli/trivy_sbom.md | 1 -
 pkg/commands/app.go | 21 +++-
 4 files changed, 77 insertions(+), 65 deletions(-)

diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md
index ca3e635e3a56..805b9696c034 100644
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -95,6 +95,7 @@ trivy image [flags] IMAGE_NAME --slow scan over time with lower CPU and memory utilization -t, --template string output template --tf-vars strings specify paths to override the Terraform tfvars files + --third-party-os-pkgs strings parse files of these os packages as language packages (use GitHub and GitLab database for these files) --token string for authentication in client/server mode --token-header string specify a header name for token in client/server mode (default "Trivy-Token") --trace enable more verbose trace output for custom queries diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md index 203fa96f2a22..f4adb999635a 100644 --- a/docs/docs/references/configuration/cli/trivy_rootfs.md +++ b/docs/docs/references/configuration/cli/trivy_rootfs.md 
@@ -22,65 +22,66 @@ trivy rootfs [flags] ROOTDIR ### Options ``` - --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --clear-cache clear image caches without scanning - --config-data strings specify paths from which data for the Rego policies will be recursively loaded - --config-policy strings specify paths to the Rego policy files directory, applying config files - --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --exit-on-eol int exit with the specified code when the OS reaches end of service/life - --file-patterns strings specify config file patterns - -f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for rootfs - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-unfixed display only fixed vulnerabilities - 
--ignored-licenses strings specify a list of license to ignore - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes and exceptions, available with '--scanners config' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") - --license-full eagerly look for licenses in source code headers and license files - --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. - --policy-namespaces strings Rego namespaces - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --registry-token string registry token - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --reset remove all caches and database - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") - --skip-db-update 
skip updating vulnerability database - --skip-dirs strings specify the directories where the traversal is skipped - --skip-files strings specify the file paths to skip traversal - --skip-java-db-update skip updating Java index database - --skip-policy-update skip fetching rego policy updates - --slow scan over time with lower CPU and memory utilization - -t, --template string output template - --tf-vars strings specify paths to override the Terraform tfvars files - --token string for authentication in client/server mode - --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --trace enable more verbose trace output for custom queries - --username strings username. Comma-separated usernames allowed. - --vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library") + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --config-data strings specify paths from which data for the Rego policies will be recursively loaded + --config-policy strings specify paths to the Rego policy files directory, applying config files + --custom-headers strings custom headers in client mode + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --exit-on-eol int exit with the specified code when the OS reaches end of service/life + --file-patterns strings specify config file patterns + -f, --format string format (table, json, 
template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for rootfs + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-unfixed display only fixed vulnerabilities + --ignored-licenses strings specify a list of license to ignore + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-non-failures include successes and exceptions, available with '--scanners config' + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --license-full eagerly look for licenses in source code headers and license files + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons. 
+ --policy-namespaces strings Rego namespaces + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --registry-token string registry token + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --reset remove all caches and database + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories where the traversal is skipped + --skip-files strings specify the file paths to skip traversal + --skip-java-db-update skip updating Java index database + --skip-policy-update skip fetching rego policy updates + --slow scan over time with lower CPU and memory utilization + -t, --template string output template + --tf-vars strings specify paths to override the Terraform tfvars files + --third-party-os-pkgs strings parse files of these os packages as language packages (use GitHub and GitLab database for these files) + --token string for authentication in client/server mode + --token-header string specify a header name for token in client/server mode (default "Trivy-Token") + --trace enable more verbose trace output for custom queries + --username strings username. Comma-separated usernames allowed. 
+ --vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library") ``` ### Options inherited from parent commands diff --git a/docs/docs/references/configuration/cli/trivy_sbom.md b/docs/docs/references/configuration/cli/trivy_sbom.md index 3a5c8bc286e7..cc152440e874 100644 --- a/docs/docs/references/configuration/cli/trivy_sbom.md +++ b/docs/docs/references/configuration/cli/trivy_sbom.md @@ -51,7 +51,6 @@ trivy sbom [flags] SBOM_PATH --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") --reset remove all caches and database --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) --server string server address in client mode -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") --skip-db-update skip updating vulnerability database diff --git a/pkg/commands/app.go b/pkg/commands/app.go index ead3ddbad407..cf4cdc6b4ca3 100644 --- a/pkg/commands/app.go +++ b/pkg/commands/app.go @@ -298,6 +298,9 @@ func NewFilesystemCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { reportFlagGroup.Compliance = nil // disable '--compliance' reportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol' + scanFlagGroup := flag.NewScanFlagGroup() + scanFlagGroup.ThirdPartyOSPkgs = nil // disable `--third-party-os-pkgs` + fsFlags := &flag.Flags{ CacheFlagGroup: flag.NewCacheFlagGroup(), DBFlagGroup: flag.NewDBFlagGroup(), 
@@ -308,7 +311,7 @@ func NewFilesystemCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { RegistryFlagGroup: flag.NewRegistryFlagGroup(), RegoFlagGroup: flag.NewRegoFlagGroup(), ReportFlagGroup: reportFlagGroup, - ScanFlagGroup: flag.NewScanFlagGroup(), + ScanFlagGroup: scanFlagGroup, SecretFlagGroup: flag.NewSecretFlagGroup(), VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(), } @@ -412,6 +415,9 @@ func NewRepositoryCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { reportFlagGroup.Compliance = nil // disable '--compliance' reportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol' + scanFlagGroup := flag.NewScanFlagGroup() + scanFlagGroup.ThirdPartyOSPkgs = nil // disable `--third-party-os-pkgs` + repoFlags := &flag.Flags{ CacheFlagGroup: flag.NewCacheFlagGroup(), DBFlagGroup: flag.NewDBFlagGroup(), @@ -422,7 +428,7 @@ func NewRepositoryCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { RegoFlagGroup: flag.NewRegoFlagGroup(), RemoteFlagGroup: flag.NewClientFlags(), // for client/server mode ReportFlagGroup: reportFlagGroup, - ScanFlagGroup: flag.NewScanFlagGroup(), + ScanFlagGroup: scanFlagGroup, SecretFlagGroup: flag.NewSecretFlagGroup(), VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(), RepoFlagGroup: flag.NewRepoFlagGroup(), @@ -795,6 +801,7 @@ func NewModuleCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { scanFlags := flag.NewScanFlagGroup() + scanFlags.ThirdPartyOSPkgs = nil // disable `--third-party-os-pkgs` scanners := flag.ScannersFlag scanners.Value = fmt.Sprintf( // overwrite the default value "%s,%s,%s,%s", 
@@ -937,6 +944,9 @@ func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { reportFlagGroup := flag.NewReportFlagGroup() reportFlagGroup.ReportFormat = nil // TODO: support --report summary + scanFlagGroup := flag.NewScanFlagGroup() + scanFlagGroup.ThirdPartyOSPkgs = nil // disable `--third-party-os-pkgs` + vmFlags := &flag.Flags{ CacheFlagGroup: flag.NewCacheFlagGroup(), DBFlagGroup: flag.NewDBFlagGroup(), @@ -945,7 +955,7 @@ func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { ModuleFlagGroup: flag.NewModuleFlagGroup(), RemoteFlagGroup: flag.NewClientFlags(), // for client/server mode ReportFlagGroup: reportFlagGroup, - ScanFlagGroup: flag.NewScanFlagGroup(), + ScanFlagGroup: scanFlagGroup, SecretFlagGroup: flag.NewSecretFlagGroup(), VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(), AWSFlagGroup: &flag.AWSFlagGroup{ @@ -1004,14 +1014,15 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { reportFlagGroup.ReportFormat = nil // TODO: support --report summary scanFlags := flag.NewScanFlagGroup() - scanFlags.Scanners = nil // disable '--scanners' as it always scans for vulnerabilities + scanFlags.Scanners = nil // disable '--scanners' as it always scans for vulnerabilities + scanFlags.ThirdPartyOSPkgs = nil // disable `--third-party-os-pkgs` sbomFlags := &flag.Flags{ CacheFlagGroup: flag.NewCacheFlagGroup(), DBFlagGroup: flag.NewDBFlagGroup(), RemoteFlagGroup: flag.NewClientFlags(), // for client/server mode ReportFlagGroup: reportFlagGroup, - ScanFlagGroup: flag.NewScanFlagGroup(), + ScanFlagGroup: scanFlags, SBOMFlagGroup: flag.NewSBOMFlagGroup(), VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(), } From 7b6ac076767cd4b23fe5342f1b4e44e67d4bbef1 Mon Sep 17 00:00:00 2001 
From: DmitriyLewen
Date: Wed, 26 Apr 2023 14:47:26 +0600
Subject: [PATCH 03/12] add third party option to rpm

---
 pkg/fanal/analyzer/pkg/dpkg/dpkg.go | 2 +-
 pkg/fanal/analyzer/pkg/rpm/rpm.go | 24 ++++++++++++++++++------
 pkg/fanal/analyzer/pkg/rpm/rpm_test.go | 12 +++++++-----
 3 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
index 2de4b80b6fe5..f17064a1683f 100644
--- a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
@@ -44,7 +44,7 @@ type dpkgAnalyzer struct {
 func (a *dpkgAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
 scanner := bufio.NewScanner(input.Content)
 if a.isListFile(filepath.Split(input.FilePath)) {
- // If user has marked package as third party package - we will parse files of this package as language packages
+ // If user has marked package as third party package - we need to skip this package and parse files of this package as language packages
 if a.skipThirdPartyPkg(filepath.Base(input.FilePath)) {
 return nil, nil
 }
diff --git a/pkg/fanal/analyzer/pkg/rpm/rpm.go b/pkg/fanal/analyzer/pkg/rpm/rpm.go
index 9fe693dfa932..6e7a75631a1f 100644
--- a/pkg/fanal/analyzer/pkg/rpm/rpm.go
+++ b/pkg/fanal/analyzer/pkg/rpm/rpm.go
@@ -60,9 +60,11 @@ var osVendors = []string{
 "Rocky", // Rocky Linux
 }
 
-type rpmPkgAnalyzer struct{}
+type rpmPkgAnalyzer struct {
+ ThirdPartyPkgs []string
+}
 
-func (a rpmPkgAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
+func (a *rpmPkgAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
 parsedPkgs, installedFiles, err := a.parsePkgInfo(input.Content)
 if err != nil {
 return nil, xerrors.Errorf("failed to parse rpmdb: %w", err)
@@ -79,7 +81,7 @@ func (a rpmPkgAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) }, nil } -func (a rpmPkgAnalyzer) parsePkgInfo(rc io.Reader) (types.Packages, []string, error) { +func (a *rpmPkgAnalyzer) parsePkgInfo(rc io.Reader) (types.Packages, []string, error) { filePath, err := writeToTempFile(rc) if err != nil { return nil, nil, xerrors.Errorf("temp file error: %w", err) @@ -120,6 +122,11 @@ func (a rpmPkgAnalyzer) parsePkgInfo(rc io.Reader) (types.Packages, []string, er } } + // If user has marked package as third party package - we need to skip this package and parse files of this package as language packages + if slices.Contains(a.ThirdPartyPkgs, pkg.Name) || slices.Contains(a.ThirdPartyPkgs, srcName) { + continue + } + // Check if the package is vendor-provided. // If the package is not provided by vendor, the installed files should not be skipped. var files []string @@ -164,18 +171,23 @@ func (a rpmPkgAnalyzer) parsePkgInfo(rc io.Reader) (types.Packages, []string, er return pkgs, installedFiles, nil } -func (a rpmPkgAnalyzer) Required(filePath string, _ os.FileInfo) bool { +func (a *rpmPkgAnalyzer) Required(filePath string, _ os.FileInfo) bool { return utils.StringInSlice(filePath, requiredFiles) } -func (a rpmPkgAnalyzer) Type() analyzer.Type { +func (a *rpmPkgAnalyzer) Type() analyzer.Type { return analyzer.TypeRpm } -func (a rpmPkgAnalyzer) Version() int { +func (a *rpmPkgAnalyzer) Version() int { return version } +func (a *rpmPkgAnalyzer) Init(opt analyzer.AnalyzerOptions) error { + a.ThirdPartyPkgs = opt.ThirdPartyOSPkgs + return nil +} + // splitFileName returns a name, version, release, epoch, arch: // // e.g. diff --git a/pkg/fanal/analyzer/pkg/rpm/rpm_test.go b/pkg/fanal/analyzer/pkg/rpm/rpm_test.go index 73dc9dda4721..030cbaa39e54 100644 --- a/pkg/fanal/analyzer/pkg/rpm/rpm_test.go +++ b/pkg/fanal/analyzer/pkg/rpm/rpm_test.go 
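Review bot: The `continue` added in the `@@ -120,6 +122,11 @@` hunk drops a package from the OS package list without any trace, so a misspelled `--third-party-os-pkgs` entry does nothing and a matching one removes that package from the vulnerability report with no indication in the output; a debug line at the skip, e.g. `log.Logger.Debugf("skipping %q: marked as third-party OS package", pkg.Name)` if the project logger is already in scope in this file, would make the exclusion visible in the `-d` output the docs patch relies on. The match is exact and case-sensitive via `slices.Contains`, which is appropriate for RPM names but worth stating in the flag's help text. The enclosing `parsePkgInfo` starts and ends outside this hunk.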
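Review bot: `Init` in the `@@ -164,18 +171,23 @@` hunk stores `opt.ThirdPartyOSPkgs` by reference, so the analyzer shares a backing array with the caller's options and any later mutation of that slice changes which packages are skipped; `a.ThirdPartyPkgs = slices.Clone(opt.ThirdPartyOSPkgs)` isolates it, and `slices` is already used in this file. The same applies to `alpinePkgAnalyzer.Init` in the apk.go hunk of the next patch and, presumably, to the dpkg analyzer's `Init`, which is not in view.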
@@ -13,16 +13,18 @@ import ( func TestParseRpmInfo(t *testing.T) { var tests = map[string]struct { - path string - pkgs types.Packages + path string + thirdPartyPkgs []string + pkgs types.Packages }{ "Valid": { - path: "./testdata/valid", + path: "./testdata/valid", + thirdPartyPkgs: []string{"filesystem"}, // cp ./testdata/valid /path/to/testdir/Packages // rpm --dbpath /path/to/testdir -qa --qf "{Name: \"%{NAME}\", Epoch: %{EPOCHNUM}, Version: \"%{VERSION}\", Release: \"%{RELEASE}\", Arch: \"%{ARCH}\"\},\n" + // remove `filesystem`, because it is marked as third party package pkgs: []types.Package{ {Name: "centos-release", Epoch: 0, Version: "7", Release: "1.1503.el7.centos.2.8", Arch: "x86_64", SrcName: "centos-release", SrcEpoch: 0, SrcVersion: "7", SrcRelease: "1.1503.el7.centos.2.8", Licenses: []string{"GPLv2"}, Maintainer: "CentOS"}, - {Name: "filesystem", Epoch: 0, Version: "3.2", Release: "18.el7", Arch: "x86_64", SrcName: "filesystem", SrcEpoch: 0, SrcVersion: "3.2", SrcRelease: "18.el7", Licenses: []string{"Public Domain"}, Maintainer: "CentOS"}, }, }, "ValidBig": { @@ -578,9 +580,9 @@ func TestParseRpmInfo(t *testing.T) { }, }, } - a := rpmPkgAnalyzer{} for testname, tc := range tests { t.Run(testname, func(t *testing.T) { + a := rpmPkgAnalyzer{tc.thirdPartyPkgs} f, err := os.Open(tc.path) require.NoError(t, err) defer f.Close() From 788a585421644e3be348753415473fc9d07cc259 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Wed, 26 Apr 2023 15:34:58 +0600 Subject: [PATCH 04/12] add third party option to apk --- pkg/fanal/analyzer/pkg/apk/apk.go | 54 ++++++++++++++++---------- pkg/fanal/analyzer/pkg/apk/apk_test.go | 31 +++++---------- pkg/fanal/analyzer/pkg/rpm/rpm.go | 2 +- 3 files changed, 44 insertions(+), 43 deletions(-) diff --git a/pkg/fanal/analyzer/pkg/apk/apk.go b/pkg/fanal/analyzer/pkg/apk/apk.go index 57aa3a8b426c..de9383785e79 100644 --- a/pkg/fanal/analyzer/pkg/apk/apk.go +++ b/pkg/fanal/analyzer/pkg/apk/apk.go 
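Review bot: `a := rpmPkgAnalyzer{tc.thirdPartyPkgs}` in the `@@ -578,9 +580,9 @@` hunk is an unkeyed struct literal, which stops compiling as soon as another field is added to the analyzer and gives the reader no hint which field is being set; the apk test in the next patch writes `alpinePkgAnalyzer{ThirdPartyPkgs: v.thirdPartyPkgs}`, so `a := rpmPkgAnalyzer{ThirdPartyPkgs: tc.thirdPartyPkgs}` keeps the two tests consistent. Moving the construction inside `t.Run` is fine since each case now needs its own list, but note that the "Valid" fixture no longer exercises the default (no third-party) path for that data set.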
@@ -27,9 +27,11 @@ const analyzerVersion = 2 var requiredFiles = []string{"lib/apk/db/installed"} -type alpinePkgAnalyzer struct{} +type alpinePkgAnalyzer struct { + ThirdPartyPkgs []string +} -func (a alpinePkgAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) { +func (a *alpinePkgAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) { scanner := bufio.NewScanner(input.Content) parsedPkgs, installedFiles := a.parseApkInfo(scanner) @@ -44,14 +46,15 @@ func (a alpinePkgAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInp }, nil } -func (a alpinePkgAnalyzer) parseApkInfo(scanner *bufio.Scanner) ([]types.Package, []string) { +func (a *alpinePkgAnalyzer) parseApkInfo(scanner *bufio.Scanner) ([]types.Package, []string) { var ( - pkgs []types.Package - pkg types.Package - version string - dir string - installedFiles []string - provides = map[string]string{} // for dependency graph + pkgs []types.Package + pkg types.Package + pkgInstalledFiles []string + version string + dir string + installedFiles []string + provides = map[string]string{} // for dependency graph ) for scanner.Scan() { @@ -61,15 +64,20 @@ func (a alpinePkgAnalyzer) parseApkInfo(scanner *bufio.Scanner) ([]types.Package if len(line) < 2 { if !pkg.Empty() { pkgs = append(pkgs, pkg) + installedFiles = append(installedFiles, pkgInstalledFiles...) } pkg = types.Package{} + pkgInstalledFiles = []string{} continue } // ref. https://wiki.alpinelinux.org/wiki/Apk_spec switch line[:2] { case "P:": - pkg.Name = line[2:] + // If user has marked package as third party package - we need to skip this package and parse files of this package as language packages + if !slices.Contains(a.ThirdPartyPkgs, line[2:]) { + pkg.Name = line[2:] + } case "V:": version = line[2:] if !apkVersion.Valid(version) { 
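Review bot: The third-party skip in the `@@ -61,15 +64,20 @@` hunk works by never assigning `pkg.Name`, so the package's version, licenses and file list are still parsed and the exclusion depends on `pkg.Empty()` (defined outside this hunk) treating a nameless package as absent; `a.parseProvides(line, pkg.ID, provides)` also still runs for that package, and whether `pkg.ID` is derived from the empty name is not visible here. That invariant deserves a comment at the `P:` case, e.g. `// Leaving Name empty makes pkg.Empty() discard this package and its files at the paragraph boundary, so they fall through to the language analyzers`, and the same reliance applies to the last-paragraph check in the `@@ -104,6 +112,7 @@` hunk. `pkgInstalledFiles = []string{}` can simply be `pkgInstalledFiles = nil`, since `append` and `len` handle a nil slice. `parseApkInfo` continues past this hunk.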
@@ -86,7 +94,7 @@ func (a alpinePkgAnalyzer) parseApkInfo(scanner *bufio.Scanner) ([]types.Package case "F:": dir = line[2:] case "R:": - installedFiles = append(installedFiles, path.Join(dir, line[2:])) + pkgInstalledFiles = append(pkgInstalledFiles, path.Join(dir, line[2:])) case "p:": // provides (corresponds to provides in PKGINFO, concatenated by spaces into a single line) a.parseProvides(line, pkg.ID, provides) case "D:": // dependencies (corresponds to depend in PKGINFO, concatenated by spaces into a single line) @@ -104,6 +112,7 @@ func (a alpinePkgAnalyzer) parseApkInfo(scanner *bufio.Scanner) ([]types.Package // in case of last paragraph if !pkg.Empty() { pkgs = append(pkgs, pkg) + installedFiles = append(installedFiles, pkgInstalledFiles...) } pkgs = a.uniquePkgs(pkgs) @@ -114,7 +123,7 @@ func (a alpinePkgAnalyzer) parseApkInfo(scanner *bufio.Scanner) ([]types.Package return pkgs, installedFiles } -func (a alpinePkgAnalyzer) trimRequirement(s string) string { +func (a *alpinePkgAnalyzer) trimRequirement(s string) string { // Trim version requirements // e.g. // so:libssl.so.1.1=1.1 => so:libssl.so.1.1 @@ -125,7 +134,7 @@ func (a alpinePkgAnalyzer) trimRequirement(s string) string { return s } -func (a alpinePkgAnalyzer) parseLicense(line string) []string { +func (a *alpinePkgAnalyzer) parseLicense(line string) []string { line = line[2:] // Remove "L:" if line == "" { return nil @@ -145,7 +154,7 @@ func (a alpinePkgAnalyzer) parseLicense(line string) []string { return licenses } -func (a alpinePkgAnalyzer) parseProvides(line, pkgID string, provides map[string]string) { +func (a *alpinePkgAnalyzer) parseProvides(line, pkgID string, provides map[string]string) { for _, p := range strings.Fields(line[2:]) { p = a.trimRequirement(p) 
@@ -154,7 +163,7 @@ func (a alpinePkgAnalyzer) parseProvides(line, pkgID string, provides map[string } } -func (a alpinePkgAnalyzer) parseDependencies(line string) []string { +func (a *alpinePkgAnalyzer) parseDependencies(line string) []string { line = line[2:] // Remove "D:" return lo.FilterMap(strings.Fields(line), func(d string, _ int) (string, bool) { // e.g. D:!uclibc-utils scanelf musl=1.1.14-r10 so:libc.musl-x86_64.so.1 @@ -165,7 +174,7 @@ func (a alpinePkgAnalyzer) parseDependencies(line string) []string { }) } -func (a alpinePkgAnalyzer) consolidateDependencies(pkgs []types.Package, provides map[string]string) { +func (a *alpinePkgAnalyzer) consolidateDependencies(pkgs []types.Package, provides map[string]string) { for i := range pkgs { // e.g. libc6 => libc6@2.31-13+deb11u4 pkgs[i].DependsOn = lo.FilterMap(pkgs[i].DependsOn, func(d string, _ int) (string, bool) { @@ -183,7 +192,7 @@ func (a alpinePkgAnalyzer) consolidateDependencies(pkgs []types.Package, provide } } -func (a alpinePkgAnalyzer) uniquePkgs(pkgs []types.Package) (uniqPkgs []types.Package) { +func (a *alpinePkgAnalyzer) uniquePkgs(pkgs []types.Package) (uniqPkgs []types.Package) { uniq := map[string]struct{}{} for _, pkg := range pkgs { if _, ok := uniq[pkg.Name]; ok { @@ -195,14 +204,19 @@ func (a alpinePkgAnalyzer) uniquePkgs(pkgs []types.Package) (uniqPkgs []types.Pa return uniqPkgs } -func (a alpinePkgAnalyzer) Required(filePath string, _ os.FileInfo) bool { +func (a *alpinePkgAnalyzer) Required(filePath string, _ os.FileInfo) bool { return slices.Contains(requiredFiles, filePath) } -func (a alpinePkgAnalyzer) Type() analyzer.Type { +func (a *alpinePkgAnalyzer) Type() analyzer.Type { return analyzer.TypeApk } -func (a alpinePkgAnalyzer) Version() int { +func (a *alpinePkgAnalyzer) Version() int { return analyzerVersion } + +func (a *alpinePkgAnalyzer) Init(opt analyzer.AnalyzerOptions) error { + a.ThirdPartyPkgs = opt.ThirdPartyOSPkgs + return nil +} 
diff --git a/pkg/fanal/analyzer/pkg/apk/apk_test.go b/pkg/fanal/analyzer/pkg/apk/apk_test.go index 7e9e97972e11..944c37400f62 100644 --- a/pkg/fanal/analyzer/pkg/apk/apk_test.go +++ b/pkg/fanal/analyzer/pkg/apk/apk_test.go @@ -12,12 +12,14 @@ import ( func TestParseApkInfo(t *testing.T) { var tests = map[string]struct { - path string - wantPkgs []types.Package - wantFiles []string + path string + thirdPartyPkgs []string + wantPkgs []types.Package + wantFiles []string }{ "Valid": { - path: "./testdata/apk", + path: "./testdata/apk", + thirdPartyPkgs: []string{"busybox"}, wantPkgs: []types.Package{ { ID: "musl@1.1.14-r10", @@ -27,15 +29,6 @@ func TestParseApkInfo(t *testing.T) { SrcVersion: "1.1.14-r10", Licenses: []string{"MIT"}, }, - { - ID: "busybox@1.24.2-r9", - Name: "busybox", - Version: "1.24.2-r9", - SrcName: "busybox", - SrcVersion: "1.24.2-r9", - Licenses: []string{"GPL-2.0"}, - DependsOn: []string{"musl@1.1.14-r10"}, - }, { ID: "alpine-baselayout@3.0.3-r0", Name: "alpine-baselayout", @@ -43,7 +36,7 @@ func TestParseApkInfo(t *testing.T) { SrcName: "alpine-baselayout", SrcVersion: "3.0.3-r0", Licenses: []string{"GPL-2.0"}, - DependsOn: []string{"busybox@1.24.2-r9", "musl@1.1.14-r10"}, + DependsOn: []string{"musl@1.1.14-r10"}, }, { ID: "alpine-keys@1.1-r0", @@ -165,13 +158,6 @@ func TestParseApkInfo(t *testing.T) { "lib/libc.musl-x86_64.so.1", "lib/ld-musl-x86_64.so.1", - // busybox-1.24.2-r9 - "bin/busybox", - "bin/sh", - "etc/securetty", - "etc/udhcpd.conf", - "etc/logrotate.d/acpid", - // alpine-baselayout-3.0.3-r0 "etc/hosts", "etc/sysctl.conf", @@ -265,8 +251,9 @@ func TestParseApkInfo(t *testing.T) { }, }, } - a := alpinePkgAnalyzer{} + for testname, v := range tests { + a := alpinePkgAnalyzer{ThirdPartyPkgs: v.thirdPartyPkgs} read, err := os.Open(v.path) if err != nil { t.Errorf("%s : can't open file %s", testname, v.path) diff --git a/pkg/fanal/analyzer/pkg/rpm/rpm.go b/pkg/fanal/analyzer/pkg/rpm/rpm.go index 6e7a75631a1f..8d796887bc9e 100644 
--- a/pkg/fanal/analyzer/pkg/rpm/rpm.go +++ b/pkg/fanal/analyzer/pkg/rpm/rpm.go @@ -123,7 +123,7 @@ func (a *rpmPkgAnalyzer) parsePkgInfo(rc io.Reader) (types.Packages, []string, e } // If user has marked package as third party package - we need to skip this package and parse files of this package as language packages - if slices.Contains(a.ThirdPartyPkgs, pkg.Name) || slices.Contains(a.ThirdPartyPkgs, srcName) { + if slices.Contains(a.ThirdPartyPkgs, pkg.Name) { continue } From 044cebf0ae3ae48ff931da0619479fe9743c4fb7 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 27 Apr 2023 10:46:16 +0600 Subject: [PATCH 05/12] add `third-party-os-pkgs` in cache key base --- pkg/fanal/cache/key.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/fanal/cache/key.go b/pkg/fanal/cache/key.go index 22bde9d0b0f5..97a35a0845a1 100644 --- a/pkg/fanal/cache/key.go +++ b/pkg/fanal/cache/key.go @@ -26,8 +26,9 @@ func CalcKey(id string, analyzerVersions analyzer.Versions, hookVersions map[str HookVersions map[string]int SkipFiles []string SkipDirs []string + ThirdPartyOSPkgs []string FilePatterns []string `json:",omitempty"` - }{id, analyzerVersions, hookVersions, artifactOpt.SkipFiles, artifactOpt.SkipDirs, artifactOpt.FilePatterns} + }{id, analyzerVersions, hookVersions, artifactOpt.SkipFiles, artifactOpt.SkipDirs, artifactOpt.ThirdPartyOSPkgs, artifactOpt.FilePatterns} if err := json.NewEncoder(h).Encode(keyBase); err != nil { return "", xerrors.Errorf("json encode error: %w", err) From 7ec9f86a695137563d4b56d6d9225bf0a78064f2 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 27 Apr 2023 11:01:13 +0600 Subject: [PATCH 06/12] update docs --- docs/docs/configuration/filtering.md | 42 ++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/docs/docs/configuration/filtering.md b/docs/docs/configuration/filtering.md index b77b39b62987..a16de10d5d6d 100644 --- a/docs/docs/configuration/filtering.md 
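Review bot: `ThirdPartyOSPkgs []string` is added to the cache key struct without the `json:",omitempty"` tag that `FilePatterns` beside it carries, so a nil slice is encoded as `null` and every existing cache key changes even for users who never pass the flag — which is what forces the wholesale hash updates in the later "fix tests" patch. Giving the new field the same `omitempty` tag keeps the default-case keys stable while still producing a distinct key once the option is set. The key is also order-sensitive, so `a,b` and `b,a` yield different cache entries for the same scan; sorting a copy (e.g. with `sort.Strings`) before encoding would make it canonical. The positional literal on the following line is fragile for the same reason the field had to be slotted in the middle of the struct; keyed fields would avoid a silent mismatch if the order changes again.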
+++ b/docs/docs/configuration/filtering.md @@ -302,6 +302,48 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2) +## By Package Name + +| Scanner | Supported | +|:----------------:|:---------:| +| Vulnerability | ✓ | +| Misconfiguration | | +| Secret | | +| License | | + +!!! warning "EXPERIMENTAL" + This feature might change without preserving backwards compatibility. + +By default, Trivy ignores language package files installed from package managers. You can read about it [here](../scanner/vulnerability/os.md#data-source-selection). + +To scan these files as language packages, use `--third-party-os-pkgs` options with package names. + +!!! warning + This feature removes the OS package from the report, so the dependency tree may not be complete. + + +```bash +$ trivy -d image --third-party-os-pkgs keycloak test_image +``` + +
+Result + +```bash +2023-04-27T10:42:50.884+0600 DEBUG wolfi: the number of packages: 17 +2023-04-27T10:42:50.885+0600 INFO Number of language-specific files: 1 +Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) + +2023-04-27T10:42:50.906+0600 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file. + +Java (jar) + +Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 1) + +``` + +
+ ## By Open Policy Agent | Scanner | Supported | From b86c1e02a69c630a1fc8c6fee0c5a374b578b8ea Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 27 Apr 2023 12:59:00 +0600 Subject: [PATCH 07/12] fix tests --- pkg/commands/app.go | 5 +- pkg/fanal/artifact/image/image_test.go | 108 +++++++++--------- pkg/fanal/artifact/image/remote_sbom_test.go | 12 +- pkg/fanal/artifact/local/fs_test.go | 110 +++++++++---------- pkg/fanal/artifact/remote/git_test.go | 4 +- pkg/fanal/artifact/sbom/sbom_test.go | 14 +-- pkg/fanal/artifact/vm/vm_test.go | 20 ++-- pkg/fanal/cache/key_test.go | 40 +++++-- 8 files changed, 163 insertions(+), 150 deletions(-) diff --git a/pkg/commands/app.go b/pkg/commands/app.go index dc9a74b475a5..63ae0474053f 100644 --- a/pkg/commands/app.go +++ b/pkg/commands/app.go @@ -945,9 +945,6 @@ func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { reportFlagGroup := flag.NewReportFlagGroup() reportFlagGroup.ReportFormat = nil // TODO: support --report summary - scanFlagGroup := flag.NewScanFlagGroup() - scanFlagGroup.ThirdPartyOSPkgs = nil // disable `--third-party-os-pkgs` - vmFlags := &flag.Flags{ CacheFlagGroup: flag.NewCacheFlagGroup(), DBFlagGroup: flag.NewDBFlagGroup(), @@ -955,7 +952,7 @@ func NewVMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command { ModuleFlagGroup: flag.NewModuleFlagGroup(), RemoteFlagGroup: flag.NewClientFlags(), // for client/server mode ReportFlagGroup: reportFlagGroup, - ScanFlagGroup: scanFlagGroup, + ScanFlagGroup: flag.NewScanFlagGroup(), SecretFlagGroup: flag.NewSecretFlagGroup(), VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(), AWSFlagGroup: &flag.AWSFlagGroup{ diff --git a/pkg/fanal/artifact/image/image_test.go b/pkg/fanal/artifact/image/image_test.go index c180099e6962..6049e962f2b2 100644 --- a/pkg/fanal/artifact/image/image_test.go +++ b/pkg/fanal/artifact/image/image_test.go 
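Review bot: The VM command regains `--third-party-os-pkgs` in this hunk by reverting the disable added earlier in the series, while `NewSBOMCommand` keeps the option disabled, and a commit titled "fix tests" does not say whether VM images are now meant to support it. If that is the intent, a line in the commit message or in the docs section added in the previous patch (which only shows `trivy image`) would record the decision; if it is only to unblock a test, the disable should be restored in a follow-up rather than left inconsistent.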
@@ -216,18 +216,18 @@ func TestArtifact_Inspect(t *testing.T) { }, missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ - ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", - BlobIDs: []string{"sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46"}, + ArtifactID: "sha256:84c218b06ab31467a6cb7e0fb95871a69a78b9c0e4b7b92488973a4b029a0171", + BlobIDs: []string{"sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207"}, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ MissingArtifact: true, - MissingBlobIDs: []string{"sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46"}, + MissingBlobIDs: []string{"sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207"}, }, }, putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{ { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46", + BlobID: "sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -279,7 +279,7 @@ func TestArtifact_Inspect(t *testing.T) { putArtifactExpectations: []cache.ArtifactCachePutArtifactExpectation{ { Args: cache.ArtifactCachePutArtifactArgs{ - ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", + ArtifactID: "sha256:84c218b06ab31467a6cb7e0fb95871a69a78b9c0e4b7b92488973a4b029a0171", ArtifactInfo: types.ArtifactInfo{ SchemaVersion: types.ArtifactJSONSchemaVersion, Architecture: "amd64", 
@@ -293,8 +293,8 @@ func TestArtifact_Inspect(t *testing.T) { want: types.ArtifactReference{ Name: "../../test/testdata/alpine-311.tar.gz", Type: types.ArtifactContainerImage, - ID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", - BlobIDs: []string{"sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46"}, + ID: "sha256:84c218b06ab31467a6cb7e0fb95871a69a78b9c0e4b7b92488973a4b029a0171", + BlobIDs: []string{"sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207"}, ImageMetadata: types.ImageMetadata{ ID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72", DiffIDs: []string{ 
@@ -351,27 +351,27 @@ func TestArtifact_Inspect(t *testing.T) { }, missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ - ArtifactID: "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650", + ArtifactID: "sha256:cc9ad0ac4a49098edee58c3d3a2797e7b45b742978659ba693ef85b80b5020ad", BlobIDs: []string{ - "sha256:1d02588865377e478a263c4ef2b020d8bf8d9919fdbd14243283b35249b91d4a", - "sha256:7b2d1df7e78b9e5c851676d9cc04bad8d7e86deb2661f0e15ff3d7f37bf53d53", - "sha256:57508fe06ce45edcad30f95a9da631edf746914b0ffa32fa13b83a133529828e", - "sha256:f8d6b5b326b6bad89cf20b94e1c98380187e536ec34795d18c00907f9a35aeb5", + "sha256:eb81fc685bcd1993f39cbd65aa89b24c488d8808d8a2aae63086b9e723a0ac72", + "sha256:2b6f78f9cfc278c8cb8fdb71d6c0bfb08caff089b8d95545a581f0aa1690a89e", + "sha256:64546f2c2e4dc7b3604e1e2ea1c68afb077ca1577c1cb53e3aa0498c2a4715a4", + "sha256:834a501bc1a56f1066db143176a3c2be60965b1d4d89c763333dd7b4cbd34845", }, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ MissingBlobIDs: []string{ - "sha256:1d02588865377e478a263c4ef2b020d8bf8d9919fdbd14243283b35249b91d4a", - "sha256:7b2d1df7e78b9e5c851676d9cc04bad8d7e86deb2661f0e15ff3d7f37bf53d53", - "sha256:57508fe06ce45edcad30f95a9da631edf746914b0ffa32fa13b83a133529828e", - "sha256:f8d6b5b326b6bad89cf20b94e1c98380187e536ec34795d18c00907f9a35aeb5", + "sha256:eb81fc685bcd1993f39cbd65aa89b24c488d8808d8a2aae63086b9e723a0ac72", + "sha256:2b6f78f9cfc278c8cb8fdb71d6c0bfb08caff089b8d95545a581f0aa1690a89e", + "sha256:64546f2c2e4dc7b3604e1e2ea1c68afb077ca1577c1cb53e3aa0498c2a4715a4", + "sha256:834a501bc1a56f1066db143176a3c2be60965b1d4d89c763333dd7b4cbd34845", }, }, }, putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{ { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:1d02588865377e478a263c4ef2b020d8bf8d9919fdbd14243283b35249b91d4a", + BlobID: "sha256:eb81fc685bcd1993f39cbd65aa89b24c488d8808d8a2aae63086b9e723a0ac72", BlobInfo: types.BlobInfo{ 
SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -459,7 +459,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:7b2d1df7e78b9e5c851676d9cc04bad8d7e86deb2661f0e15ff3d7f37bf53d53", + BlobID: "sha256:2b6f78f9cfc278c8cb8fdb71d6c0bfb08caff089b8d95545a581f0aa1690a89e", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -555,7 +555,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:57508fe06ce45edcad30f95a9da631edf746914b0ffa32fa13b83a133529828e", + BlobID: "sha256:64546f2c2e4dc7b3604e1e2ea1c68afb077ca1577c1cb53e3aa0498c2a4715a4", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -679,7 +679,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:f8d6b5b326b6bad89cf20b94e1c98380187e536ec34795d18c00907f9a35aeb5", + BlobID: "sha256:834a501bc1a56f1066db143176a3c2be60965b1d4d89c763333dd7b4cbd34845", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", 
@@ -1486,12 +1486,12 @@ func TestArtifact_Inspect(t *testing.T) { want: types.ArtifactReference{ Name: "../../test/testdata/vuln-image.tar.gz", Type: types.ArtifactContainerImage, - ID: "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650", + ID: "sha256:cc9ad0ac4a49098edee58c3d3a2797e7b45b742978659ba693ef85b80b5020ad", BlobIDs: []string{ - "sha256:1d02588865377e478a263c4ef2b020d8bf8d9919fdbd14243283b35249b91d4a", - "sha256:7b2d1df7e78b9e5c851676d9cc04bad8d7e86deb2661f0e15ff3d7f37bf53d53", - "sha256:57508fe06ce45edcad30f95a9da631edf746914b0ffa32fa13b83a133529828e", - "sha256:f8d6b5b326b6bad89cf20b94e1c98380187e536ec34795d18c00907f9a35aeb5", + "sha256:eb81fc685bcd1993f39cbd65aa89b24c488d8808d8a2aae63086b9e723a0ac72", + "sha256:2b6f78f9cfc278c8cb8fdb71d6c0bfb08caff089b8d95545a581f0aa1690a89e", + "sha256:64546f2c2e4dc7b3604e1e2ea1c68afb077ca1577c1cb53e3aa0498c2a4715a4", + "sha256:834a501bc1a56f1066db143176a3c2be60965b1d4d89c763333dd7b4cbd34845", }, ImageMetadata: types.ImageMetadata{ ID: "sha256:58701fd185bda36cab0557bb6438661831267aa4a9e0b54211c4d5317a48aff4", 
@@ -1583,27 +1583,27 @@ func TestArtifact_Inspect(t *testing.T) { }, missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ - ArtifactID: "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650", + ArtifactID: "sha256:cc9ad0ac4a49098edee58c3d3a2797e7b45b742978659ba693ef85b80b5020ad", BlobIDs: []string{ - "sha256:9a7c29b10391bcedce533e9609c58ec0e7b0132692fd287bd40592816d1bfbef", - "sha256:e15c92866a85305a909ae200974937d6febcd7a504aeb32ad0a01371c245c25e", - "sha256:6cfccd64a1b1ead1b517bad7dfda8aa0616f63a2d93e71921ff51cb70f447567", - "sha256:032128f06ff805d1ec38f171ea6ae60639175eb70bc80e2b3abc91f6fbfa343d", + "sha256:2cf954d6912b237f23fa24fdbae7d3712ad46a5132baf8dc524cfb6d66248084", + "sha256:a9961187a5f0762b096c004fdf85269a3738f7f539ed41e6a633a11f0faa657d", + "sha256:055294c74ed25124357c14b83f26d94c71750f5c908774ac806f4aa713868cc9", + "sha256:d539794edca51f8c06b474882af3da1789b755e55cb0487b076ed242975d6469", }, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ MissingBlobIDs: []string{ - "sha256:9a7c29b10391bcedce533e9609c58ec0e7b0132692fd287bd40592816d1bfbef", - "sha256:e15c92866a85305a909ae200974937d6febcd7a504aeb32ad0a01371c245c25e", - "sha256:6cfccd64a1b1ead1b517bad7dfda8aa0616f63a2d93e71921ff51cb70f447567", - "sha256:032128f06ff805d1ec38f171ea6ae60639175eb70bc80e2b3abc91f6fbfa343d", + "sha256:2cf954d6912b237f23fa24fdbae7d3712ad46a5132baf8dc524cfb6d66248084", + "sha256:a9961187a5f0762b096c004fdf85269a3738f7f539ed41e6a633a11f0faa657d", + "sha256:055294c74ed25124357c14b83f26d94c71750f5c908774ac806f4aa713868cc9", + "sha256:d539794edca51f8c06b474882af3da1789b755e55cb0487b076ed242975d6469", }, }, }, putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{ { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:9a7c29b10391bcedce533e9609c58ec0e7b0132692fd287bd40592816d1bfbef", + BlobID: "sha256:2cf954d6912b237f23fa24fdbae7d3712ad46a5132baf8dc524cfb6d66248084", BlobInfo: types.BlobInfo{ 
SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -1614,7 +1614,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:e15c92866a85305a909ae200974937d6febcd7a504aeb32ad0a01371c245c25e", + BlobID: "sha256:a9961187a5f0762b096c004fdf85269a3738f7f539ed41e6a633a11f0faa657d", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -1625,7 +1625,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:6cfccd64a1b1ead1b517bad7dfda8aa0616f63a2d93e71921ff51cb70f447567", + BlobID: "sha256:055294c74ed25124357c14b83f26d94c71750f5c908774ac806f4aa713868cc9", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -1637,7 +1637,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:032128f06ff805d1ec38f171ea6ae60639175eb70bc80e2b3abc91f6fbfa343d", + BlobID: "sha256:d539794edca51f8c06b474882af3da1789b755e55cb0487b076ed242975d6469", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", 
@@ -1651,12 +1651,12 @@ func TestArtifact_Inspect(t *testing.T) { want: types.ArtifactReference{ Name: "../../test/testdata/vuln-image.tar.gz", Type: types.ArtifactContainerImage, - ID: "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650", + ID: "sha256:cc9ad0ac4a49098edee58c3d3a2797e7b45b742978659ba693ef85b80b5020ad", BlobIDs: []string{ - "sha256:9a7c29b10391bcedce533e9609c58ec0e7b0132692fd287bd40592816d1bfbef", - "sha256:e15c92866a85305a909ae200974937d6febcd7a504aeb32ad0a01371c245c25e", - "sha256:6cfccd64a1b1ead1b517bad7dfda8aa0616f63a2d93e71921ff51cb70f447567", - "sha256:032128f06ff805d1ec38f171ea6ae60639175eb70bc80e2b3abc91f6fbfa343d", + "sha256:2cf954d6912b237f23fa24fdbae7d3712ad46a5132baf8dc524cfb6d66248084", + "sha256:a9961187a5f0762b096c004fdf85269a3738f7f539ed41e6a633a11f0faa657d", + "sha256:055294c74ed25124357c14b83f26d94c71750f5c908774ac806f4aa713868cc9", + "sha256:d539794edca51f8c06b474882af3da1789b755e55cb0487b076ed242975d6469", }, ImageMetadata: types.ImageMetadata{ ID: "sha256:58701fd185bda36cab0557bb6438661831267aa4a9e0b54211c4d5317a48aff4", @@ -1738,8 +1738,8 @@ func TestArtifact_Inspect(t *testing.T) { imagePath: "../../test/testdata/alpine-311.tar.gz", missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ - ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", - BlobIDs: []string{"sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46"}, + ArtifactID: "sha256:84c218b06ab31467a6cb7e0fb95871a69a78b9c0e4b7b92488973a4b029a0171", + BlobIDs: []string{"sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207"}, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ Err: xerrors.New("MissingBlobs failed"), 
@@ -1752,17 +1752,17 @@ func TestArtifact_Inspect(t *testing.T) { imagePath: "../../test/testdata/alpine-311.tar.gz", missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ - ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", - BlobIDs: []string{"sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46"}, + ArtifactID: "sha256:84c218b06ab31467a6cb7e0fb95871a69a78b9c0e4b7b92488973a4b029a0171", + BlobIDs: []string{"sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207"}, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ - MissingBlobIDs: []string{"sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46"}, + MissingBlobIDs: []string{"sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207"}, }, }, putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{ { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46", + BlobID: "sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", 
@@ -1820,18 +1820,18 @@ func TestArtifact_Inspect(t *testing.T) { imagePath: "../../test/testdata/alpine-311.tar.gz", missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ - ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", - BlobIDs: []string{"sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46"}, + ArtifactID: "sha256:84c218b06ab31467a6cb7e0fb95871a69a78b9c0e4b7b92488973a4b029a0171", + BlobIDs: []string{"sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207"}, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ MissingArtifact: true, - MissingBlobIDs: []string{"sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46"}, + MissingBlobIDs: []string{"sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207"}, }, }, putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{ { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:61da8ea7801a711b5fdd7e11c47471bb98bc0537fb50bef3f46e7b67e2d90f46", + BlobID: "sha256:4185d2c02cd7c4332c1cd48355f9f24a6bce65482080b8c4f62d6748eb53d207", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -1883,7 +1883,7 @@ func TestArtifact_Inspect(t *testing.T) { putArtifactExpectations: []cache.ArtifactCachePutArtifactExpectation{ { Args: cache.ArtifactCachePutArtifactArgs{ - ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", + ArtifactID: "sha256:84c218b06ab31467a6cb7e0fb95871a69a78b9c0e4b7b92488973a4b029a0171", ArtifactInfo: types.ArtifactInfo{ SchemaVersion: types.ArtifactJSONSchemaVersion, Architecture: "amd64", diff --git a/pkg/fanal/artifact/image/remote_sbom_test.go b/pkg/fanal/artifact/image/remote_sbom_test.go index 384768b9a6e2..9c6643514b58 100644 --- a/pkg/fanal/artifact/image/remote_sbom_test.go +++ b/pkg/fanal/artifact/image/remote_sbom_test.go 
@@ -69,7 +69,7 @@ func TestArtifact_InspectRekorAttestation(t *testing.T) {
 putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{
 {
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:9c23872047046e145f49fb5533b63ace0cbf819f5b68e33f69f4e9bbab4c517e",
+ BlobID: "sha256:5e20ff2012937031c7ecafc61f4f0dab8d8adb7bf36557cdecdb1a971fa9de75",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 OS: types.OS{
@@ -104,9 +104,9 @@ func TestArtifact_InspectRekorAttestation(t *testing.T) {
 want: types.ArtifactReference{
 Name: "test/image:10",
 Type: types.ArtifactCycloneDX,
- ID: "sha256:9c23872047046e145f49fb5533b63ace0cbf819f5b68e33f69f4e9bbab4c517e",
+ ID: "sha256:5e20ff2012937031c7ecafc61f4f0dab8d8adb7bf36557cdecdb1a971fa9de75",
 BlobIDs: []string{
- "sha256:9c23872047046e145f49fb5533b63ace0cbf819f5b68e33f69f4e9bbab4c517e",
+ "sha256:5e20ff2012937031c7ecafc61f4f0dab8d8adb7bf36557cdecdb1a971fa9de75",
 },
 },
 },
@@ -208,7 +208,7 @@ func TestArtifact_inspectOCIReferrerSBOM(t *testing.T) {
 putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{
 {
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:d07a1894bfd283b4ac26682ab48f12ad22cdc4fef9cf8b4c09056f631d3667a5",
+ BlobID: "sha256:6c162e9014fd0a5faa4702fb49f56bab6f871c836e97cbbf79f940c47e70f446",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 Applications: []types.Application{
@@ -235,9 +235,9 @@ func TestArtifact_inspectOCIReferrerSBOM(t *testing.T) {
 want: types.ArtifactReference{
 Name: registry + "/test/image:10",
 Type: types.ArtifactCycloneDX,
- ID: "sha256:d07a1894bfd283b4ac26682ab48f12ad22cdc4fef9cf8b4c09056f631d3667a5",
+ ID: "sha256:6c162e9014fd0a5faa4702fb49f56bab6f871c836e97cbbf79f940c47e70f446",
 BlobIDs: []string{
- "sha256:d07a1894bfd283b4ac26682ab48f12ad22cdc4fef9cf8b4c09056f631d3667a5",
+ "sha256:6c162e9014fd0a5faa4702fb49f56bab6f871c836e97cbbf79f940c47e70f446",
 },
 },
 },
diff --git a/pkg/fanal/artifact/local/fs_test.go b/pkg/fanal/artifact/local/fs_test.go
index af81b3353e6a..8f21b1b03ef8 100644
--- a/pkg/fanal/artifact/local/fs_test.go
+++ b/pkg/fanal/artifact/local/fs_test.go
@@ -47,7 +47,7 @@ func TestArtifact_Inspect(t *testing.T) {
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:fc0c7d225197e1c103784139def1e34b642e8183cf54519cac79dd0cfdd19aba",
+ BlobID: "sha256:8cae0ebe4e528eb4f3ae0cf26f5d148384883ed28c989b6d39a6b0ed1bc1db89",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 OS: types.OS{
@@ -76,9 +76,9 @@ func TestArtifact_Inspect(t *testing.T) {
 want: types.ArtifactReference{
 Name: "host",
 Type: types.ArtifactFilesystem,
- ID: "sha256:fc0c7d225197e1c103784139def1e34b642e8183cf54519cac79dd0cfdd19aba",
+ ID: "sha256:8cae0ebe4e528eb4f3ae0cf26f5d148384883ed28c989b6d39a6b0ed1bc1db89",
 BlobIDs: []string{
- "sha256:fc0c7d225197e1c103784139def1e34b642e8183cf54519cac79dd0cfdd19aba",
+ "sha256:8cae0ebe4e528eb4f3ae0cf26f5d148384883ed28c989b6d39a6b0ed1bc1db89",
 },
 },
 },
@@ -96,7 +96,7 @@ func TestArtifact_Inspect(t *testing.T) {
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:0fbf0f996ea580c0a7408a34290f2f061e6577995cd63c475ecf8b262a7622d1",
+ BlobID: "sha256:aee2e60ecdc511029192c9483c0add1173b01c6d5af10b618a3098e2b66cfb81",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 },
@@ -106,9 +106,9 @@ func TestArtifact_Inspect(t *testing.T) {
 want: types.ArtifactReference{
 Name: "host",
 Type: types.ArtifactFilesystem,
- ID: "sha256:0fbf0f996ea580c0a7408a34290f2f061e6577995cd63c475ecf8b262a7622d1",
+ ID: "sha256:aee2e60ecdc511029192c9483c0add1173b01c6d5af10b618a3098e2b66cfb81",
 BlobIDs: []string{
- "sha256:0fbf0f996ea580c0a7408a34290f2f061e6577995cd63c475ecf8b262a7622d1",
+ "sha256:aee2e60ecdc511029192c9483c0add1173b01c6d5af10b618a3098e2b66cfb81",
 },
 },
 },
@@ -119,7 +119,7 @@ func TestArtifact_Inspect(t *testing.T) {
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:fc0c7d225197e1c103784139def1e34b642e8183cf54519cac79dd0cfdd19aba",
+ BlobID: "sha256:8cae0ebe4e528eb4f3ae0cf26f5d148384883ed28c989b6d39a6b0ed1bc1db89",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 OS: types.OS{
@@ -163,7 +163,7 @@ func TestArtifact_Inspect(t *testing.T) {
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:874588e7714441c06344a11526d73fe4d8c386d85e6d5498eab3cde13cae05ac",
+ BlobID: "sha256:f767640b56a10986108cb081574bd507b4a0ccce358924c48bbcd06d7b471f38",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 Applications: []types.Application{
@@ -185,9 +185,9 @@ func TestArtifact_Inspect(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/requirements.txt",
 Type: types.ArtifactFilesystem,
- ID: "sha256:874588e7714441c06344a11526d73fe4d8c386d85e6d5498eab3cde13cae05ac",
+ ID: "sha256:f767640b56a10986108cb081574bd507b4a0ccce358924c48bbcd06d7b471f38",
 BlobIDs: []string{
- "sha256:874588e7714441c06344a11526d73fe4d8c386d85e6d5498eab3cde13cae05ac",
+ "sha256:f767640b56a10986108cb081574bd507b4a0ccce358924c48bbcd06d7b471f38",
 },
 },
 },
@@ -198,7 +198,7 @@ func TestArtifact_Inspect(t *testing.T) {
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:874588e7714441c06344a11526d73fe4d8c386d85e6d5498eab3cde13cae05ac",
+ BlobID: "sha256:f767640b56a10986108cb081574bd507b4a0ccce358924c48bbcd06d7b471f38",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 Applications: []types.Application{
@@ -220,9 +220,9 @@ func TestArtifact_Inspect(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/requirements.txt",
 Type: types.ArtifactFilesystem,
- ID: "sha256:874588e7714441c06344a11526d73fe4d8c386d85e6d5498eab3cde13cae05ac",
+ ID: "sha256:f767640b56a10986108cb081574bd507b4a0ccce358924c48bbcd06d7b471f38",
 BlobIDs: []string{
- "sha256:874588e7714441c06344a11526d73fe4d8c386d85e6d5498eab3cde13cae05ac",
+ "sha256:f767640b56a10986108cb081574bd507b4a0ccce358924c48bbcd06d7b471f38",
 },
 },
 },
@@ -414,9 +414,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/terraform/single-failure/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:b17b243265d2c555c049753f42c76d3dc478d55851cc9461cbd23e618cb8f0eb",
+ ID: "sha256:9281326373416c61dcea587de5cc2bc4d9ffea9cfc2dcbb65af41c22dd3943fd",
 BlobIDs: []string{
- "sha256:b17b243265d2c555c049753f42c76d3dc478d55851cc9461cbd23e618cb8f0eb",
+ "sha256:9281326373416c61dcea587de5cc2bc4d9ffea9cfc2dcbb65af41c22dd3943fd",
 },
 },
 },
@@ -524,9 +524,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/terraform/multiple-failures/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:4f9b3fe0f3d7b75fa7120740fe2f179eb5c250646d30186f47bc5eb148a77229",
+ ID: "sha256:c0a3eae332223696324cb3db3315160cc2e18673a60b408e0874398bdac5e039",
 BlobIDs: []string{
- "sha256:4f9b3fe0f3d7b75fa7120740fe2f179eb5c250646d30186f47bc5eb148a77229",
+ "sha256:c0a3eae332223696324cb3db3315160cc2e18673a60b408e0874398bdac5e039",
 },
 },
 },
@@ -554,9 +554,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/terraform/no-results/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:cf90e43f7fb29358faf6f486db722ee739122347ec94839c7f3861489f242213",
+ ID: "sha256:05058ae537280d42d5ddb2b0aece31bfcb31dab3171fab27456c1cef8452ee10",
 BlobIDs: []string{
- "sha256:cf90e43f7fb29358faf6f486db722ee739122347ec94839c7f3861489f242213",
+ "sha256:05058ae537280d42d5ddb2b0aece31bfcb31dab3171fab27456c1cef8452ee10",
 },
 },
 },
@@ -610,9 +610,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/terraform/passed/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:4a7baddfc7b3e06e3f246c0680d879aecf539a07a08b48ae5710e997ec486d75",
+ ID: "sha256:007914a86eeea2d37f62221adfcc710e1d5a5a6738e146a09c715202fe44a3fc",
 BlobIDs: []string{
- "sha256:4a7baddfc7b3e06e3f246c0680d879aecf539a07a08b48ae5710e997ec486d75",
+ "sha256:007914a86eeea2d37f62221adfcc710e1d5a5a6738e146a09c715202fe44a3fc",
 },
 },
 },
@@ -692,9 +692,9 @@ func TestTerraformMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/terraform/busted-relative-paths/src/child/main.tf",
 Type: types.ArtifactFilesystem,
- ID: "sha256:3f85f73698c7f29b181030749808d634575547aecab68d17c114fefaaa67f990",
+ ID: "sha256:7c79d746733c6f69c3b45b0ef44243cb3955d4a48b47af67b137090d19977123",
 BlobIDs: []string{
- "sha256:3f85f73698c7f29b181030749808d634575547aecab68d17c114fefaaa67f990",
+ "sha256:7c79d746733c6f69c3b45b0ef44243cb3955d4a48b47af67b137090d19977123",
 },
 },
 },
@@ -781,9 +781,9 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/cloudformation/single-failure/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:3b083e0be1a8bfd270abc53a573d5491c3a39c41b88f4e978b0c48e79754e12a",
+ ID: "sha256:eb0e35f6dc14416d063672e2fe6ea3fecd982a7e16c251c934425bbf79f22f68",
 BlobIDs: []string{
- "sha256:3b083e0be1a8bfd270abc53a573d5491c3a39c41b88f4e978b0c48e79754e12a",
+ "sha256:eb0e35f6dc14416d063672e2fe6ea3fecd982a7e16c251c934425bbf79f22f68",
 },
 },
 },
@@ -863,9 +863,9 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/cloudformation/multiple-failures/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:e167a0b5edc1a723a6f6e37adfd72ebf5cd05a578d69a564cba2a2954f47ea5e",
+ ID: "sha256:41b1ab21ec1cd5754e2434ba820cb4d500002be532b0127ba6610fa06095e468",
 BlobIDs: []string{
- "sha256:e167a0b5edc1a723a6f6e37adfd72ebf5cd05a578d69a564cba2a2954f47ea5e",
+ "sha256:41b1ab21ec1cd5754e2434ba820cb4d500002be532b0127ba6610fa06095e468",
 },
 },
 },
@@ -893,9 +893,9 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/cloudformation/no-results/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:cf90e43f7fb29358faf6f486db722ee739122347ec94839c7f3861489f242213",
+ ID: "sha256:05058ae537280d42d5ddb2b0aece31bfcb31dab3171fab27456c1cef8452ee10",
 BlobIDs: []string{
- "sha256:cf90e43f7fb29358faf6f486db722ee739122347ec94839c7f3861489f242213",
+ "sha256:05058ae537280d42d5ddb2b0aece31bfcb31dab3171fab27456c1cef8452ee10",
 },
 },
 },
@@ -949,9 +949,9 @@ func TestCloudFormationMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/cloudformation/passed/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:68de62641f1c26e9973cc699aa7f84f3cb02a305d73238eba6cace5d749e4549",
+ ID: "sha256:ffd24497c68df889ee8c44731579efcabdfb426261de2f18b298b5e76e4aecc1",
 BlobIDs: []string{
- "sha256:68de62641f1c26e9973cc699aa7f84f3cb02a305d73238eba6cace5d749e4549",
+ "sha256:ffd24497c68df889ee8c44731579efcabdfb426261de2f18b298b5e76e4aecc1",
 },
 },
 },
@@ -1035,9 +1035,9 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/dockerfile/single-failure/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:998908fee16ac8aa658138e5bda73f5ffba4f1d194e9d3b3e274a8082b4af580",
+ ID: "sha256:11e0cfb5d1d4111f0630f7ee1cd297b2139fc6789fafafe311fa3f729bd18d05",
 BlobIDs: []string{
- "sha256:998908fee16ac8aa658138e5bda73f5ffba4f1d194e9d3b3e274a8082b4af580",
+ "sha256:11e0cfb5d1d4111f0630f7ee1cd297b2139fc6789fafafe311fa3f729bd18d05",
 },
 },
 },
@@ -1092,9 +1092,9 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/dockerfile/multiple-failures/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:998908fee16ac8aa658138e5bda73f5ffba4f1d194e9d3b3e274a8082b4af580",
+ ID: "sha256:11e0cfb5d1d4111f0630f7ee1cd297b2139fc6789fafafe311fa3f729bd18d05",
 BlobIDs: []string{
- "sha256:998908fee16ac8aa658138e5bda73f5ffba4f1d194e9d3b3e274a8082b4af580",
+ "sha256:11e0cfb5d1d4111f0630f7ee1cd297b2139fc6789fafafe311fa3f729bd18d05",
 },
 },
 },
@@ -1122,9 +1122,9 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/dockerfile/no-results/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:cf90e43f7fb29358faf6f486db722ee739122347ec94839c7f3861489f242213",
+ ID: "sha256:05058ae537280d42d5ddb2b0aece31bfcb31dab3171fab27456c1cef8452ee10",
 BlobIDs: []string{
- "sha256:cf90e43f7fb29358faf6f486db722ee739122347ec94839c7f3861489f242213",
+ "sha256:05058ae537280d42d5ddb2b0aece31bfcb31dab3171fab27456c1cef8452ee10",
 },
 },
 },
@@ -1181,9 +1181,9 @@ func TestDockerfileMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/dockerfile/passed/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:836ab9fec50d3ff799f01dee1db9d5340294fa0348011370d55848be04696f6b",
+ ID: "sha256:50f0edafd50b395a831377ebf7dfb925785c30071a64e6c420e2e07c5053d05a",
 BlobIDs: []string{
- "sha256:836ab9fec50d3ff799f01dee1db9d5340294fa0348011370d55848be04696f6b",
+ "sha256:50f0edafd50b395a831377ebf7dfb925785c30071a64e6c420e2e07c5053d05a",
 },
 },
 },
@@ -1272,9 +1272,9 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/kubernetes/single-failure/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:c2ff22ba22599a7b5423c1b275b013aab56cc22eb732624db4b1bfbdf6b62743",
+ ID: "sha256:7b0f460cc674e4441452f5a3dac509107beee01340a8f92ecef8f3ebb9e7e313",
 BlobIDs: []string{
- "sha256:c2ff22ba22599a7b5423c1b275b013aab56cc22eb732624db4b1bfbdf6b62743",
+ "sha256:7b0f460cc674e4441452f5a3dac509107beee01340a8f92ecef8f3ebb9e7e313",
 },
 },
 },
@@ -1357,9 +1357,9 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/kubernetes/multiple-failures/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:485e85ab412143ca5ab48f09c2a3dcacf8283c28c4f451a4b63d377ba2a21c15",
+ ID: "sha256:e0431ae66dc0bf292ba98c1118f3324e8a99003a471458bcd5aaad7fcb891814",
 BlobIDs: []string{
- "sha256:485e85ab412143ca5ab48f09c2a3dcacf8283c28c4f451a4b63d377ba2a21c15",
+ "sha256:e0431ae66dc0bf292ba98c1118f3324e8a99003a471458bcd5aaad7fcb891814",
 },
 },
 },
@@ -1387,9 +1387,9 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/kubernetes/no-results/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:e68b0e0ac19f7ef311025a3dd587cab0512e51cd19f80e3a8f7dde342979933a",
+ ID: "sha256:ecfb11dad741057925d1d543242a9ef4455075ad9c488d23bd9c31cb14d007f2",
 BlobIDs: []string{
- "sha256:e68b0e0ac19f7ef311025a3dd587cab0512e51cd19f80e3a8f7dde342979933a",
+ "sha256:ecfb11dad741057925d1d543242a9ef4455075ad9c488d23bd9c31cb14d007f2",
 },
 },
 },
@@ -1446,9 +1446,9 @@ func TestKubernetesMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/kubernetes/passed/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:f6d3e8b62915ad822e643fabf146214e8e3a8349ea2ba509366748e858a42159",
+ ID: "sha256:3d7e579c2a4c29934252858fca2edd03403c036e04971288f543b9010f65d840",
 BlobIDs: []string{
- "sha256:f6d3e8b62915ad822e643fabf146214e8e3a8349ea2ba509366748e858a42159",
+ "sha256:3d7e579c2a4c29934252858fca2edd03403c036e04971288f543b9010f65d840",
 },
 },
 },
@@ -1535,9 +1535,9 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/azurearm/single-failure/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:96697231b9abb6529c3fab2df31316730edd53ec2e8fbb5f7dbd2179e1c8bf3b",
+ ID: "sha256:75c786f38dd23a65db3b875d572818e539d1828be4a11dabced2ea1418d764a8",
 BlobIDs: []string{
- "sha256:96697231b9abb6529c3fab2df31316730edd53ec2e8fbb5f7dbd2179e1c8bf3b",
+ "sha256:75c786f38dd23a65db3b875d572818e539d1828be4a11dabced2ea1418d764a8",
 },
 },
 },
@@ -1617,9 +1617,9 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/azurearm/multiple-failures/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:682771ea4115a19d2835e83c0b5b49caf9a5f97664c69c2f9f5c18eae34cac88",
+ ID: "sha256:d323ab12607f38d3cb4b532c574ef7bc88b3de76309e3c085cd057a678755b1f",
 BlobIDs: []string{
- "sha256:682771ea4115a19d2835e83c0b5b49caf9a5f97664c69c2f9f5c18eae34cac88",
+ "sha256:d323ab12607f38d3cb4b532c574ef7bc88b3de76309e3c085cd057a678755b1f",
 },
 },
 },
@@ -1647,9 +1647,9 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/azurearm/no-results/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:cf90e43f7fb29358faf6f486db722ee739122347ec94839c7f3861489f242213",
+ ID: "sha256:05058ae537280d42d5ddb2b0aece31bfcb31dab3171fab27456c1cef8452ee10",
 BlobIDs: []string{
- "sha256:cf90e43f7fb29358faf6f486db722ee739122347ec94839c7f3861489f242213",
+ "sha256:05058ae537280d42d5ddb2b0aece31bfcb31dab3171fab27456c1cef8452ee10",
 },
 },
 },
@@ -1703,9 +1703,9 @@ func TestAzureARMMisconfigurationScan(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/misconfig/azurearm/passed/src",
 Type: types.ArtifactFilesystem,
- ID: "sha256:e266ca6dc704e6d71a55370d65bd72c5a6bcbb38eb2cff19db827863c4af68f3",
+ ID: "sha256:c8bccd3c672c0f3818f73246126caab11851ae1e2e7a5ed183ce3c6769264c68",
 BlobIDs: []string{
- "sha256:e266ca6dc704e6d71a55370d65bd72c5a6bcbb38eb2cff19db827863c4af68f3",
+ "sha256:c8bccd3c672c0f3818f73246126caab11851ae1e2e7a5ed183ce3c6769264c68",
 },
 },
 },
diff --git a/pkg/fanal/artifact/remote/git_test.go b/pkg/fanal/artifact/remote/git_test.go
index 484c12ddfaca..2661b54780a6 100644
--- a/pkg/fanal/artifact/remote/git_test.go
+++ b/pkg/fanal/artifact/remote/git_test.go
@@ -184,9 +184,9 @@ func TestArtifact_Inspect(t *testing.T) {
 want: types.ArtifactReference{
 Name: ts.URL + "/test.git",
 Type: types.ArtifactRemoteRepository,
- ID: "sha256:37247f99bb62bd4b866758a2aff29374eba956dc82a73430efbf405f5a2fd60b",
+ ID: "sha256:6527ebf2ffe89ff2f1accde988cd82a6626d3206990625830ebfcc25d69db873",
 BlobIDs: []string{
- "sha256:37247f99bb62bd4b866758a2aff29374eba956dc82a73430efbf405f5a2fd60b",
+ "sha256:6527ebf2ffe89ff2f1accde988cd82a6626d3206990625830ebfcc25d69db873",
 },
 },
 },
diff --git a/pkg/fanal/artifact/sbom/sbom_test.go b/pkg/fanal/artifact/sbom/sbom_test.go
index 1692a0171c5c..66d32d6a9ded 100644
--- a/pkg/fanal/artifact/sbom/sbom_test.go
+++ b/pkg/fanal/artifact/sbom/sbom_test.go
@@ -29,7 +29,7 @@ func TestArtifact_Inspect(t *testing.T) {
 filePath: filepath.Join("testdata", "bom.json"),
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:f02a38a70e35a84032402711b68c75c6aafa1f77a01506a8e974cefd40e9038b",
+ BlobID: "sha256:c285f85ad78b3303c7a81f018b451a5177de693047e3d5ae94789fa821df0407",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 OS: types.OS{
@@ -125,9 +125,9 @@ func TestArtifact_Inspect(t *testing.T) {
 want: types.ArtifactReference{
 Name: filepath.Join("testdata", "bom.json"),
 Type: types.ArtifactCycloneDX,
- ID: "sha256:f02a38a70e35a84032402711b68c75c6aafa1f77a01506a8e974cefd40e9038b",
+ ID: "sha256:c285f85ad78b3303c7a81f018b451a5177de693047e3d5ae94789fa821df0407",
 BlobIDs: []string{
- "sha256:f02a38a70e35a84032402711b68c75c6aafa1f77a01506a8e974cefd40e9038b",
+ "sha256:c285f85ad78b3303c7a81f018b451a5177de693047e3d5ae94789fa821df0407",
 },
 },
 },
@@ -136,7 +136,7 @@ func TestArtifact_Inspect(t *testing.T) {
 filePath: filepath.Join("testdata", "sbom.cdx.intoto.jsonl"),
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:f02a38a70e35a84032402711b68c75c6aafa1f77a01506a8e974cefd40e9038b",
+ BlobID: "sha256:c285f85ad78b3303c7a81f018b451a5177de693047e3d5ae94789fa821df0407",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 OS: types.OS{
@@ -232,9 +232,9 @@ func TestArtifact_Inspect(t *testing.T) {
 want: types.ArtifactReference{
 Name: filepath.Join("testdata", "sbom.cdx.intoto.jsonl"),
 Type: types.ArtifactCycloneDX,
- ID: "sha256:f02a38a70e35a84032402711b68c75c6aafa1f77a01506a8e974cefd40e9038b",
+ ID: "sha256:c285f85ad78b3303c7a81f018b451a5177de693047e3d5ae94789fa821df0407",
 BlobIDs: []string{
- "sha256:f02a38a70e35a84032402711b68c75c6aafa1f77a01506a8e974cefd40e9038b",
+ "sha256:c285f85ad78b3303c7a81f018b451a5177de693047e3d5ae94789fa821df0407",
 },
 },
 },
@@ -248,7 +248,7 @@ func TestArtifact_Inspect(t *testing.T) {
 filePath: filepath.Join("testdata", "os-only-bom.json"),
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:033dc76e6daf7d8ba439d678dc7e33400687098f3e9f563f6975adf4eb440eee",
+ BlobID: "sha256:e5db6fee106daee3ec32ad6b87fd74c48d1f7b062985dad757640b9e775138d5",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 OS: types.OS{
diff --git a/pkg/fanal/artifact/vm/vm_test.go b/pkg/fanal/artifact/vm/vm_test.go
index aa393b240586..7a61e497f1f5 100644
--- a/pkg/fanal/artifact/vm/vm_test.go
+++ b/pkg/fanal/artifact/vm/vm_test.go
@@ -86,7 +86,7 @@ func TestArtifact_Inspect(t *testing.T) {
 filePath: "testdata/AmazonLinux2.img.gz",
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:4289951ca507f1d2e3e5428f018bde5e94684ee3f6e0aa7d72456b1283478178",
+ BlobID: "sha256:d45897a07e4a9b083cf92688371d421053898f7474a7bdd4d3a2b06d27453bb5",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 OS: types.OS{
@@ -106,7 +106,7 @@ func TestArtifact_Inspect(t *testing.T) {
 putArtifactExpectations: []cache.ArtifactCachePutArtifactExpectation{
 {
 Args: cache.ArtifactCachePutArtifactArgs{
- ArtifactID: "sha256:4289951ca507f1d2e3e5428f018bde5e94684ee3f6e0aa7d72456b1283478178",
+ ArtifactID: "sha256:d45897a07e4a9b083cf92688371d421053898f7474a7bdd4d3a2b06d27453bb5",
 ArtifactInfo: types.ArtifactInfo{
 SchemaVersion: types.ArtifactJSONSchemaVersion,
 },
@@ -117,9 +117,9 @@ func TestArtifact_Inspect(t *testing.T) {
 want: types.ArtifactReference{
 Name: "testdata/AmazonLinux2.img.gz",
 Type: types.ArtifactVM,
- ID: "sha256:4289951ca507f1d2e3e5428f018bde5e94684ee3f6e0aa7d72456b1283478178",
+ ID: "sha256:d45897a07e4a9b083cf92688371d421053898f7474a7bdd4d3a2b06d27453bb5",
 BlobIDs: []string{
- "sha256:4289951ca507f1d2e3e5428f018bde5e94684ee3f6e0aa7d72456b1283478178",
+ "sha256:d45897a07e4a9b083cf92688371d421053898f7474a7bdd4d3a2b06d27453bb5",
 },
 },
 },
@@ -128,13 +128,13 @@ func TestArtifact_Inspect(t *testing.T) {
 filePath: "ebs:ebs-012345",
 missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{
 Args: cache.ArtifactCacheMissingBlobsArgs{
- ArtifactID: "sha256:f26b9c7c836259bd2d11516c755a7aec8e94bbfa7588f98b491bc9b0ca03df73",
- BlobIDs: []string{"sha256:f26b9c7c836259bd2d11516c755a7aec8e94bbfa7588f98b491bc9b0ca03df73"},
+ ArtifactID: "sha256:93a1f60d95fbd8294736d7ec2ce771eff86710b3e3f2f41cc019ab71ca90bf0d",
+ BlobIDs: []string{"sha256:93a1f60d95fbd8294736d7ec2ce771eff86710b3e3f2f41cc019ab71ca90bf0d"},
 },
 },
 putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 Args: cache.ArtifactCachePutBlobArgs{
- BlobID: "sha256:f26b9c7c836259bd2d11516c755a7aec8e94bbfa7588f98b491bc9b0ca03df73",
+ BlobID: "sha256:93a1f60d95fbd8294736d7ec2ce771eff86710b3e3f2f41cc019ab71ca90bf0d",
 BlobInfo: types.BlobInfo{
 SchemaVersion: types.BlobJSONSchemaVersion,
 OS: types.OS{
@@ -154,7 +154,7 @@ func TestArtifact_Inspect(t *testing.T) {
 putArtifactExpectations: []cache.ArtifactCachePutArtifactExpectation{
 {
 Args: cache.ArtifactCachePutArtifactArgs{
- ArtifactID: "sha256:f26b9c7c836259bd2d11516c755a7aec8e94bbfa7588f98b491bc9b0ca03df73",
+ ArtifactID: "sha256:93a1f60d95fbd8294736d7ec2ce771eff86710b3e3f2f41cc019ab71ca90bf0d",
 ArtifactInfo: types.ArtifactInfo{
 SchemaVersion: types.ArtifactJSONSchemaVersion,
 },
@@ -164,9 +164,9 @@ func TestArtifact_Inspect(t *testing.T) {
 want: types.ArtifactReference{
 Name: "ebs-012345",
 Type: types.ArtifactVM,
- ID: "sha256:f26b9c7c836259bd2d11516c755a7aec8e94bbfa7588f98b491bc9b0ca03df73",
+ ID: "sha256:93a1f60d95fbd8294736d7ec2ce771eff86710b3e3f2f41cc019ab71ca90bf0d",
 BlobIDs: []string{
- "sha256:f26b9c7c836259bd2d11516c755a7aec8e94bbfa7588f98b491bc9b0ca03df73",
+ "sha256:93a1f60d95fbd8294736d7ec2ce771eff86710b3e3f2f41cc019ab71ca90bf0d",
 },
 },
 },
diff --git a/pkg/fanal/cache/key_test.go b/pkg/fanal/cache/key_test.go
index ed0a1aa21de9..603a8e193195 100644
--- a/pkg/fanal/cache/key_test.go
+++ b/pkg/fanal/cache/key_test.go
@@ -18,6 +18,7 @@ func TestCalcKey(t *testing.T) {
 hookVersions map[string]int
 skipFiles []string
 skipDirs []string
+ thirdPartyOSPkgs []string
 patterns []string
 policy []string
 data []string
@@ -42,7 +43,7 @@ func TestCalcKey(t *testing.T) {
 "python-pkg": 1,
 },
 },
- want: "sha256:c720b502991465ea11929cfefc71cf4b5aeaa9a8c0ae59fdaf597f957f5cdb18",
+ want: "sha256:e1869e8e674badac5f3f940a1a67c486a9b05b7b3286d51eeb61915fa9c9058f",
 },
 {
 name: "with disabled analyzer",
@@ -59,7 +60,7 @@ func TestCalcKey(t *testing.T) {
 "python-pkg": 1,
 },
 },
- want: "sha256:d63724cc72729edd3c81205739d64fcb414a4e6345dd4dde7f0fe6bdd56bedf9",
+ want: "sha256:2b0965d8bab4d008f4d64161943365518310b7b26b3e9ccf2a011f3e2c8306eb",
 },
 {
 name: "with empty slice file patterns",
@@ -73,7 +74,7 @@ func TestCalcKey(t *testing.T) {
 },
 patterns: []string{},
 },
- want: "sha256:9f7afa4d27c4c4f371dc6bb47bcc09e7a4a00b1d870e8156f126e35d8f6522e6",
+ want: "sha256:f947b945d3b3f494fa8f871eb627cc7b4a223733cfb90992b17e4aa13fb359be",
 },
 {
 name: "with single empty string in file patterns",
@@ -87,7 +88,7 @@ func TestCalcKey(t *testing.T) {
 },
 patterns: []string{""},
 },
- want: "sha256:bcfc5da13ef9bf0b85e719584800a010063474546f1051a781b78bd83de01102",
+ want: "sha256:a408cd958b192d07f1283e4a1548da0c458a9bf15568ae07933b10d0fe3b9ae1",
 },
 {
 name: "with single non empty string in file patterns",
@@ -101,7 +102,7 @@ func TestCalcKey(t *testing.T) {
 },
 patterns: []string{"test"},
 },
- want: "sha256:8c9750b8eca507628417f21d7db707a7876d2e22c3e75b13f31a795af4051c57",
+ want: "sha256:6580886916ab4b096242b312b000ea3da31bc376048e08c1cde0a45b8ef8fb51",
 },
 {
 name: "with non empty followed by empty string in file patterns",
@@ -115,7 +116,7 @@ func TestCalcKey(t *testing.T) {
 },
 patterns: []string{"test", ""},
 },
- want: "sha256:71abf09bf1422531e2838db692b80f9b9f48766f56b7d3d02aecdb36b019e103",
+ want: "sha256:95b2152ce27471ba076e1da987a5efd62372076a833874f9d04c8c5d16dbfb28",
 },
 {
 name: "with non empty preceded by empty string in file patterns",
@@ -129,7 +130,7 @@ func TestCalcKey(t *testing.T) {
 },
 patterns: []string{"", "test"},
 },
- want: "sha256:71abf09bf1422531e2838db692b80f9b9f48766f56b7d3d02aecdb36b019e103",
+ want: "sha256:95b2152ce27471ba076e1da987a5efd62372076a833874f9d04c8c5d16dbfb28",
 },
 {
 name: "with policy",
@@ -143,7 +144,7 @@ func TestCalcKey(t *testing.T) {
 },
 policy: []string{"testdata/policy"},
 },
- want: "sha256:9602d5ef5af086112cc9fae8310390ed3fb79f4b309d8881b9807e379c8dfa57",
+ want: "sha256:46538f674ad7373e6f63273fc09edabe63085eaa37c95abb40a7a0ed14160db5",
 },
 {
 name: "skip files and dirs",
@@ -159,7 +160,21 @@ func TestCalcKey(t *testing.T) {
 skipDirs: []string{"usr/java"},
 policy: []string{"testdata/policy"},
 },
- want: "sha256:363f70f4ee795f250873caea11c2fc94ef12945444327e7e2f8a99e3884695e0",
+ want: "sha256:2bf2573e9f381b81c1d7563b0ef2f1c78cc3cf8d626ff31c6c1aa934b59f5a71",
+ },
+ {
+ name: "third party os pkgs",
+ args: args{
+ key: "sha256:5c534be56eca62e756ef2ef51523feda0f19cd7c15bb0c015e3d6e3ae090bf6e",
+ analyzerVersions: analyzer.Versions{
+ Analyzers: map[string]int{
+ "alpine": 1,
+ "debian": 1,
+ },
+ },
+ thirdPartyOSPkgs: []string{"busybox"},
+ },
+ want: "sha256:0c131167d441f8131d263f9ff6b0eb429b63da2e9923bb73992d87b1d80feaf1",
 },
 {
 name: "with policy/non-existent dir",
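Review bot: The new "third party os pkgs" case in the `@@ -159,7 +160,21 @@` hunk pins only a populated `thirdPartyOSPkgs`; it does not establish whether an explicitly empty slice keys the same as the nil default, which is exactly the distinction the neighbouring "with empty slice file patterns" and "with single empty string in file patterns" cases pin for `patterns`. Because the option is now folded into the cache key, a nil/empty divergence would mean a scan passing an empty `--third-party-os-pkgs` silently fails to reuse blobs cached by a plain scan, so a companion case with `thirdPartyOSPkgs: []string{}` (expected key equal to the otherwise identical case without the option, if such a case exists in the table) would make the intended behaviour explicit. The `want` digest of the new case can only be checked by running the test; a comment above it such as `// same key/analyzers as the baseline case; only thirdPartyOSPkgs differs` would tell a reader why the case exists, presuming that is indeed the relationship. The `tests` table begins and ends outside this hunk.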
@@ -179,9 +194,10 @@ func TestCalcKey(t *testing.T) {
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 artifactOpt := artifact.Option{
- SkipFiles: tt.args.skipFiles,
- SkipDirs: tt.args.skipDirs,
- FilePatterns: tt.args.patterns,
+ SkipFiles: tt.args.skipFiles,
+ SkipDirs: tt.args.skipDirs,
+ FilePatterns: tt.args.patterns,
+ ThirdPartyOSPkgs: tt.args.thirdPartyOSPkgs,
 MisconfScannerOption: misconf.ScannerOption{
 PolicyPaths: tt.args.policy,
From a22d5976dd0b7e20fc258a480cd4b2b8900be3f1 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Thu, 27 Apr 2023 15:56:31 +0600
Subject: [PATCH 08/12] add experimental prefix to CLI description
---
 .../configuration/cli/trivy_image.md | 2 +-
 .../configuration/cli/trivy_rootfs.md | 2 +-
 .../references/configuration/cli/trivy_vm.md | 103 +++++++++---------
 pkg/flag/scan_flags.go | 2 +-
 4 files changed, 55 insertions(+), 54 deletions(-)
diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md
index eedcef48b655..971fa79edf1f 100644
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -96,7 +96,7 @@ trivy image [flags] IMAGE_NAME
 --slow scan over time with lower CPU and memory utilization
 -t, --template string output template
 --tf-vars strings specify paths to override the Terraform tfvars files
- --third-party-os-pkgs strings parse files of these os packages as language packages (use GitHub and GitLab database for these files)
+ --third-party-os-pkgs strings [EXPERIMENTAL] parse files of these os packages as language packages (use GitHub and GitLab database for these files)
 --token string for authentication in client/server mode
 --token-header string specify a header name for token in client/server mode (default "Trivy-Token")
 --trace enable more verbose trace output for custom queries
diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md
index 2c9cbdba9dbc..00520df1dfd0 100644
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -77,7 +77,7 @@ trivy rootfs [flags] ROOTDIR
 --slow scan over time with lower CPU and memory utilization
 -t, --template string output template
 --tf-vars strings specify paths to override the Terraform tfvars files
- --third-party-os-pkgs strings parse files of these os packages as language packages (use GitHub and GitLab database for these files)
+ --third-party-os-pkgs strings [EXPERIMENTAL] parse files of these os packages as language packages (use GitHub and GitLab database for these files)
 --token string for authentication in client/server mode
 --token-header string specify a header name for token in client/server mode (default "Trivy-Token")
 --trace enable more verbose trace output for custom queries
diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md
index 827f117d99f6..24669ea99034 100644
--- a/docs/docs/references/configuration/cli/trivy_vm.md
+++ b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -20,57 +20,58 @@ trivy vm [flags] VM_IMAGE ### Options ``` - --aws-region string AWS region to scan - --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") - --cache-ttl duration cache TTL when using redis as cache backend - --clear-cache clear image caches without scanning - --compliance string compliance report to generate - --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") - --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages - --download-db-only download/update vulnerability database but don't run a scan - --download-java-db-only download/update Java index database but don't run a scan - --enable-modules strings [EXPERIMENTAL] module names to enable - --exit-code int specify exit code when any security issues are found - --exit-on-eol int exit with the specified code when the OS reaches end of service/life - --file-patterns strings specify config file patterns - -f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") - --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) - --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) - --helm-values strings specify paths to override the Helm values.yaml files - -h, --help help for vm - --ignore-policy string specify the Rego file path to evaluate each vulnerability - --ignore-unfixed display only fixed vulnerabilities - --ignorefile string specify .trivyignore file (default ".trivyignore") - --include-non-failures include successes 
and exceptions, available with '--scanners config' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") - --list-all-pkgs enabling the option will output all packages regardless of vulnerability - --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") - --no-progress suppress progress bar - --offline-scan do not issue API requests to identify dependencies - -o, --output string output file name - --redis-ca string redis ca file location, if using redis as cache backend - --redis-cert string redis certificate file location, if using redis as cache backend - --redis-key string redis key file location, if using redis as cache backend - --redis-tls enable redis TLS with public certificates, if using redis as cache backend - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") - --reset remove all caches and database - --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) - --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) - --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") - --server string server address in client mode - -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") - --skip-db-update skip updating vulnerability database - --skip-dirs strings specify the directories where the traversal is skipped - --skip-files strings specify the file paths to skip traversal - --skip-java-db-update skip updating Java index database - --slow scan over time with lower CPU and memory utilization - -t, --template string output template - --tf-vars strings specify paths to override the Terraform tfvars files - --token string for authentication in client/server mode 
- --token-header string specify a header name for token in client/server mode (default "Trivy-Token") - --vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library") + --aws-region string AWS region to scan + --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") + --cache-ttl duration cache TTL when using redis as cache backend + --clear-cache clear image caches without scanning + --compliance string compliance report to generate + --custom-headers strings custom headers in client mode + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages + --download-db-only download/update vulnerability database but don't run a scan + --download-java-db-only download/update Java index database but don't run a scan + --enable-modules strings [EXPERIMENTAL] module names to enable + --exit-code int specify exit code when any security issues are found + --exit-on-eol int exit with the specified code when the OS reaches end of service/life + --file-patterns strings specify config file patterns + -f, --format string format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table") + --helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-set-file strings specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) + --helm-set-string strings specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2) + --helm-values strings specify paths to override the Helm values.yaml files + -h, --help help for vm + --ignore-policy string specify the Rego file path to evaluate each vulnerability + --ignore-unfixed display only 
fixed vulnerabilities + --ignorefile string specify .trivyignore file (default ".trivyignore") + --include-non-failures include successes and exceptions, available with '--scanners config' + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --list-all-pkgs enabling the option will output all packages regardless of vulnerability + --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") + --no-progress suppress progress bar + --offline-scan do not issue API requests to identify dependencies + -o, --output string output file name + --redis-ca string redis ca file location, if using redis as cache backend + --redis-cert string redis certificate file location, if using redis as cache backend + --redis-key string redis key file location, if using redis as cache backend + --redis-tls enable redis TLS with public certificates, if using redis as cache backend + --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --reset remove all caches and database + --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) + --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) + --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") + --server string server address in client mode + -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") + --skip-db-update skip updating vulnerability database + --skip-dirs strings specify the directories where the traversal is skipped + --skip-files strings specify the file paths to skip traversal + --skip-java-db-update skip updating Java index database + --slow scan over time with lower CPU and memory utilization + -t, --template string output 
template
+ --tf-vars strings specify paths to override the Terraform tfvars files
+ --third-party-os-pkgs strings [EXPERIMENTAL] parse files of these os packages as language packages (use GitHub and GitLab database for these files)
+ --token string for authentication in client/server mode
+ --token-header string specify a header name for token in client/server mode (default "Trivy-Token")
+ --vuln-type string comma-separated list of vulnerability types (os,library) (default "os,library")
 ```
 ### Options inherited from parent commands
diff --git a/pkg/flag/scan_flags.go b/pkg/flag/scan_flags.go
index e9e816e8fd5c..695ce1653508 100644
--- a/pkg/flag/scan_flags.go
+++ b/pkg/flag/scan_flags.go
@@ -70,7 +70,7 @@ var (
 Name: "third-party-os-pkgs",
 ConfigName: "scan.third-party-os-pkgs",
 Value: []string{},
- Usage: "parse files of these os packages as language packages (use GitHub and GitLab database for these files)",
+ Usage: "[EXPERIMENTAL] parse files of these os packages as language packages (use GitHub and GitLab database for these files)",
 }
 )
From 8a1e7c615aec4a5ce4bce6d18ea3a335ac3ca64a Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 28 Jun 2023 13:49:34 +0600
Subject: [PATCH 09/12] fix linter error
---
 pkg/fanal/analyzer/pkg/dpkg/dpkg.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
index 15b6be4cac03..331db7f818d8 100644
--- a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
@@ -5,7 +5,6 @@ import (
 "context"
 "errors"
 "fmt"
- "golang.org/x/exp/slices"
 "io"
 "io/fs"
 "net/textproto"
@@ -18,6 +17,7 @@ import (
 debVersion "github.com/knqyf263/go-deb-version"
 "github.com/samber/lo"
 "go.uber.org/zap"
+ "golang.org/x/exp/slices"
 "golang.org/x/xerrors"
 dio "github.com/aquasecurity/go-dep-parser/pkg/io"
From f902185acea3cbe61710f70510d067b08c9faa7c Mon Sep 17 00:00:00 2001
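Review bot: The new usage text still does not say what a value of `--third-party-os-pkgs` is matched against — a dpkg package name, a file name, or a pattern — so a user cannot tell what to pass, and an entry in the wrong form would presumably be ignored silently rather than rejected. Suggest `Usage: "[EXPERIMENTAL] dpkg package names whose installed files are parsed as language packages instead of OS files (GitHub and GitLab databases are used for them)"`, with "package names" adjusted to whatever the analyzer actually compares against. The `Flag{` literal this `Usage` belongs to starts before this hunk.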
From: DmitriyLewen
Date: Wed, 19 Jul 2023 09:36:31 +0600
Subject: [PATCH 10/12] gofmt
---
 pkg/flag/scan_flags.go | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/pkg/flag/scan_flags.go b/pkg/flag/scan_flags.go
index c35c6a50fb60..496372f3d568 100644
--- a/pkg/flag/scan_flags.go
+++ b/pkg/flag/scan_flags.go
@@ -79,7 +79,7 @@ var (
 ThirdPartyOSPkgs = Flag{
 Name: "third-party-os-pkgs",
 ConfigName: "scan.third-party-os-pkgs",
- Default: []string{},
+ Default: []string{},
 Usage: "[EXPERIMENTAL] parse files of these os packages as language packages (use GitHub and GitLab database for these files)",
 }
 )
@@ -152,16 +152,16 @@ func (f *ScanFlagGroup) ToOptions(args []string) (ScanOptions, error) {
 }
 return ScanOptions{
- Target: target,
- SkipDirs: getStringSlice(f.SkipDirs),
- SkipFiles: getStringSlice(f.SkipFiles),
- OfflineScan: getBool(f.OfflineScan),
- Scanners: getUnderlyingStringSlice[types.Scanner](f.Scanners),
- FilePatterns: getStringSlice(f.FilePatterns),
- Slow: getBool(f.Slow),
- SBOMSources: getStringSlice(f.SBOMSources),
- RekorURL: getString(f.RekorURL),
- IncludeDevDeps: getBool(f.IncludeDevDeps),
+ Target: target,
+ SkipDirs: getStringSlice(f.SkipDirs),
+ SkipFiles: getStringSlice(f.SkipFiles),
+ OfflineScan: getBool(f.OfflineScan),
+ Scanners: getUnderlyingStringSlice[types.Scanner](f.Scanners),
+ FilePatterns: getStringSlice(f.FilePatterns),
+ Slow: getBool(f.Slow),
+ SBOMSources: getStringSlice(f.SBOMSources),
+ RekorURL: getString(f.RekorURL),
+ IncludeDevDeps: getBool(f.IncludeDevDeps),
 ThirdPartyOSPkgs: getStringSlice(f.ThirdPartyOSPkgs),
 }, nil
 }
From eb98c04f08c4ad31a6050b98ab7c5459b9dea9fe Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Wed, 19 Jul 2023 09:54:40 +0600
Subject: [PATCH 11/12] update cache test case
---
 pkg/fanal/cache/key_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/fanal/cache/key_test.go b/pkg/fanal/cache/key_test.go
index 7bfe5b028bc4..1396c8ffa583 100644
--- a/pkg/fanal/cache/key_test.go
+++ b/pkg/fanal/cache/key_test.go
@@ -158,7 +158,7 @@ func TestCalcKey(t *testing.T) {
 },
 policy: []string{"testdata/policy/test.rego"},
 },
- want: "sha256:9602d5ef5af086112cc9fae8310390ed3fb79f4b309d8881b9807e379c8dfa57",
+ want: "sha256:46538f674ad7373e6f63273fc09edabe63085eaa37c95abb40a7a0ed14160db5",
 },
 {
 name: "skip files and dirs",
From 937916285fc333dc5418d2d2175c601a351f0a84 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Mon, 24 Jul 2023 12:06:04 +0600
Subject: [PATCH 12/12] update tests
---
 pkg/commands/app.go | 6 +++---
 pkg/fanal/cache/key_test.go | 6 ++----
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/pkg/commands/app.go b/pkg/commands/app.go
index 5e91f4fbfde6..2484bf7a7138 100644
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -451,9 +451,9 @@ func NewRepositoryCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(),
 RepoFlagGroup: flag.NewRepoFlagGroup(),
 }
- repoFlags.ReportFlagGroup.ReportFormat = nil // TODO: support --report summary
- repoFlags.ReportFlagGroup.Compliance = nil // disable '--compliance'
- repoFlags.ReportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol'
+ repoFlags.ReportFlagGroup.ReportFormat = nil // TODO: support --report summary
+ repoFlags.ReportFlagGroup.Compliance = nil // disable '--compliance'
+ repoFlags.ReportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol'
 repoFlags.ScanFlagGroup.ThirdPartyOSPkgs = nil // disable `--third-party-os-pkgs`
 cmd := &cobra.Command{
diff --git a/pkg/fanal/cache/key_test.go b/pkg/fanal/cache/key_test.go
index d99cba2ea214..f516d138ea3f 100644
--- a/pkg/fanal/cache/key_test.go
+++ b/pkg/fanal/cache/key_test.go
@@ -192,7 +192,6 @@ func TestCalcKey(t *testing.T) {
 want: "sha256:0c131167d441f8131d263f9ff6b0eb429b63da2e9923bb73992d87b1d80feaf1",
 },
 {
-
 name: "secret config",
 args: args{
 key: "sha256:5c534be56eca62e756ef2ef51523feda0f19cd7c15bb0c015e3d6e3ae090bf6e",
@@ -207,10 +206,9 @@ func TestCalcKey(t *testing.T) {
 },
 secretConfigPath: "testdata/trivy-secret.yaml",
 },
- want: "sha256:d3fb9503f2851ae9bdb250b7ef55c00c0bfa1250b19d4d398a9219c2c0e20958",
+ want: "sha256:027f3b455e9649d290491a9bc329d2d9fa065f1d28c0f76a82220133eca0bef7",
 },
 {
-
 name: "secret config file doesn't exist",
 args: args{
 key: "sha256:5c534be56eca62e756ef2ef51523feda0f19cd7c15bb0c015e3d6e3ae090bf6e",
@@ -225,7 +223,7 @@ func TestCalcKey(t *testing.T) {
 },
 secretConfigPath: "trivy-secret.yaml",
 },
- want: "sha256:c720b502991465ea11929cfefc71cf4b5aeaa9a8c0ae59fdaf597f957f5cdb18",
+ want: "sha256:e1869e8e674badac5f3f940a1a67c486a9b05b7b3286d51eeb61915fa9c9058f",
 },
 {
 name: "with policy/non-existent dir",