-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(report): output plugin #4863
Conversation
[skip ci]
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
@itaysk After all, I added another flag to take the plugin arguments as is, like |
Signed-off-by: knqyf263 <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left few small comments.
Also i found 1 case:
We don't stop Trivy, if plugin argument is invalid:
➜ trivy git:(output_plugin) ✗ ./trivy image --format json --output plugin=count --output-plugin-arg "--published-afterrrrr 2022-10-01" debian:12
...
flag provided but not defined: -published-afterrrrr
Usage of /Users/work/.trivy/plugins/count/count:
-published-after string
take vulnerabilities published after the specified timestamp (ex. 2019-11-04)
-published-before string
take vulnerabilities published before the specified timestamp (ex. 2019-11-04)
IMO it's worth adding at least the |
Do you mean we should exit early? Any ideas on implementation? |
I'm supposed to do that in another PR. |
No. Trivy simply freezes when plugin returns error (e.g. wrong flag or incorrect data format). I checked this case and found a pattern: e.g. i moved json decoding for var report types.Report
if err := json.NewDecoder(os.Stdin).Decode(&report); err != nil {
return err
}
publishedBefore := flag.String("published-before", "", "take vulnerabilities published before the specified timestamp (ex. 2019-11-04)")
publishedAfter := flag.String("published-after", "", "take vulnerabilities published after the specified timestamp (ex. 2019-11-04)")
flag.Parse()
... In this case Trivy works correctly: ➜ trivy git:(output_plugin) ✗ ./trivy image --format json --output plugin=count --output-plugin-arg "--published-after 20222-10-01" debian:12
2023-11-30T12:00:14.895+0600 INFO Vulnerability scanning is enabled
2023-11-30T12:00:14.895+0600 INFO Secret scanning is enabled
2023-11-30T12:00:14.895+0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-30T12:00:14.895+0600 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-11-30T12:00:22.221+0600 INFO Detected OS: debian
2023-11-30T12:00:22.221+0600 INFO Detecting Debian vulnerabilities...
2023-11-30T12:00:22.232+0600 INFO Number of language-specific files: 0
2023/11/30 12:00:22 parsing time "20222-10-01" as "2006-01-02": cannot parse "2-10-01" as "-"
2023-11-30T12:00:22.252+0600 FATAL report error: unable to write results: plugin error: exit status 1 It looks like we can add a timeout (I think we need to add a timeout for the plugin as output anyway) or add information to docs that |
Description
This PR adds support for output plugins.
Examples
$ trivy plugin install github.com/aquasecurity/trivy-output-plugin-count $ trivy image -f json -o plugin=count --output-plugin-arg "--publish-after 2023-10-01" debian:12
trivy image -f json -o plugin=webhook --output-plugin-arg "--url=http://localhost:8080" debian:12
trivy image -f cyclonedx -o plugin=referrer --output-plugin-arg "put --insecure" debian:12
Related issues
Checklist