From c5ae69d205dc9cdb2713f42203fe50d2e98fbb3c Mon Sep 17 00:00:00 2001 From: Simar Date: Sat, 21 Sep 2024 02:05:18 -0600 Subject: [PATCH 1/6] feat(misconf): Support `--skip-*` for all included modules Resolves: https://github.com/aquasecurity/trivy/issues/7220 --- pkg/commands/artifact/run.go | 2 + pkg/fanal/walker/walk.go | 2 - pkg/iac/scanners/terraform/options.go | 16 +++++ pkg/iac/scanners/terraform/parser/option.go | 12 ++++ pkg/iac/scanners/terraform/parser/parser.go | 31 +++++++++ pkg/iac/scanners/terraform/scanner_test.go | 75 +++++++++++++++++++++ pkg/misconf/scanner.go | 4 ++ 7 files changed, 140 insertions(+), 2 deletions(-) diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go index fa454c0cd276..49d7be7a08cd 100644 --- a/pkg/commands/artifact/run.go +++ b/pkg/commands/artifact/run.go @@ -659,5 +659,7 @@ func initMisconfScannerOption(opts flag.Options) (misconf.ScannerOption, error) TfExcludeDownloaded: opts.TfExcludeDownloaded, FilePatterns: opts.FilePatterns, ConfigFileSchemas: configSchemas, + SkipFiles: opts.SkipFiles, + SkipDirs: opts.SkipDirs, }, nil } diff --git a/pkg/fanal/walker/walk.go b/pkg/fanal/walker/walk.go index 52c13808d86b..ac16c47bb48b 100644 --- a/pkg/fanal/walker/walk.go +++ b/pkg/fanal/walker/walk.go @@ -9,7 +9,6 @@ import ( "github.com/samber/lo" "github.com/aquasecurity/trivy/pkg/fanal/analyzer" - "github.com/aquasecurity/trivy/pkg/log" ) const defaultSizeThreshold = int64(100) << 20 // 200MB @@ -44,7 +43,6 @@ func SkipPath(path string, skipPaths []string) bool { if err != nil { return false // return early if bad pattern } else if match { - log.Debug("Skipping path", log.String("path", path)) return true } } diff --git a/pkg/iac/scanners/terraform/options.go b/pkg/iac/scanners/terraform/options.go index d256f0a34daa..5a665a05638f 100644 --- a/pkg/iac/scanners/terraform/options.go +++ b/pkg/iac/scanners/terraform/options.go @@ -84,3 +84,19 @@ func ScannerWithConfigsFileSystem(fsys fs.FS) options.ScannerOption { } } } + +func ScannerWithSkipFiles(files []string) options.ScannerOption { + return func(s options.ConfigurableScanner) { + if tf, ok := s.(ConfigurableTerraformScanner); ok { + tf.AddParserOptions(parser.OptionWithSkipFiles(files)) + } + } +} + +func ScannerWithSkipDirs(dirs []string) options.ScannerOption { + return func(s options.ConfigurableScanner) { + if tf, ok := s.(ConfigurableTerraformScanner); ok { + tf.AddParserOptions(parser.OptionWithSkipDirs(dirs)) + } + } +} diff --git a/pkg/iac/scanners/terraform/parser/option.go b/pkg/iac/scanners/terraform/parser/option.go index 277cf2a58c61..f9ada6545225 100644 --- a/pkg/iac/scanners/terraform/parser/option.go +++ b/pkg/iac/scanners/terraform/parser/option.go @@ -49,3 +49,15 @@ func OptionWithConfigsFS(fsys fs.FS) Option { p.configsFS = fsys } } + +func OptionWithSkipFiles(files []string) Option { + return func(p *Parser) { + p.skipPaths = files + } +} + +func OptionWithSkipDirs(dirs []string) Option { + return func(p *Parser) { + p.skipPaths = dirs + } +} diff --git a/pkg/iac/scanners/terraform/parser/parser.go b/pkg/iac/scanners/terraform/parser/parser.go index 60940d6c6241..9034cc2f0f51 100644 --- a/pkg/iac/scanners/terraform/parser/parser.go +++ b/pkg/iac/scanners/terraform/parser/parser.go @@ -11,8 +11,10 @@ import ( "sort" "strings" + "github.com/bmatcuk/doublestar/v4" "github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2/hclparse" + "github.com/samber/lo" "github.com/zclconf/go-cty/cty" "github.com/aquasecurity/trivy/pkg/iac/ignore" @@ -47,6 +49,7 @@ type Parser struct { skipCachedModules bool fsMap map[string]fs.FS configsFS fs.FS + skipPaths []string } // New creates a new Parser @@ -62,6 +65,7 @@ func New(moduleFS fs.FS, moduleSource string, opts ...Option) *Parser { configsFS: moduleFS, logger: log.WithPrefix("terraform parser").With("module", "root"), tfvars: make(map[string]cty.Value), + skipPaths: []string{}, } for _, option := range opts { @@ -78,6 +82,7 @@ func (p *Parser) newModuleParser(moduleFS fs.FS, moduleSource, modulePath, modul mp.moduleName = moduleName mp.logger = log.WithPrefix("terraform parser").With("module", moduleName) mp.projectRoot = p.projectRoot + mp.skipPaths = p.skipPaths p.children = append(p.children, mp) for _, option := range p.options { option(mp) @@ -155,6 +160,10 @@ func (p *Parser) ParseFS(ctx context.Context, dir string) error { if info.IsDir() { continue } + if SkipPath(realPath, CleanSkipPaths(p.skipPaths)) { + p.logger.Debug("Skipping path based on input glob", log.FilePath(realPath), log.Any("glob", p.skipPaths)) + continue + } paths = append(paths, realPath) } sort.Strings(paths) @@ -358,3 +367,25 @@ func (s *paramParser) Parse(str string) bool { func (s *paramParser) Param() any { return s.params } + +func CleanSkipPaths(skipPaths []string) []string { + return lo.Map(skipPaths, func(skipPath string, index int) string { + skipPath = filepath.ToSlash(filepath.Clean(skipPath)) + return strings.TrimLeft(skipPath, "/") + }) +} + +func SkipPath(path string, skipPaths []string) bool { + path = strings.TrimLeft(path, "/") + + // skip files + for _, pattern := range skipPaths { + match, err := doublestar.Match(pattern, path) + if err != nil { + return false // return early if bad pattern + } else if match { + return true + } + } + return false +} diff --git a/pkg/iac/scanners/terraform/scanner_test.go b/pkg/iac/scanners/terraform/scanner_test.go index 39ee35e81321..45475d31274d 100644 --- a/pkg/iac/scanners/terraform/scanner_test.go +++ b/pkg/iac/scanners/terraform/scanner_test.go @@ -1118,3 +1118,78 @@ func TestSkipDeprecatedGoChecks(t *testing.T) { require.Len(t, results, 1) }) } + +func TestSkipDir(t *testing.T) { + fs := testutil.CreateFS(t, map[string]string{ + "deployments/main.tf": ` +module "use_bad_configuration" { + source = "../modules" +} + +module "use_bad_configuration_2" { + source = "../modules/modules2" +} +`, + "modules/misconfig.tf": `data "aws_iam_policy_document" "bad" { + statement { + actions = [ + "apigateway:*", + ] + + resources = [ + "*", + ] + } +} + +resource "aws_iam_policy" "bad_configuration" { + name_prefix = local.setup_role_name + policy = data.aws_iam_policy_document.bad.json +} +`, + "modules/modules2/misconfig.tf": `data "aws_iam_policy_document" "bad" { + statement { + actions = [ + "apigateway:*", + ] + + resources = [ + "*", + ] + } +} + +resource "aws_iam_policy" "bad_configuration" { + name_prefix = local.setup_role_name + policy = data.aws_iam_policy_document.bad.json +} +`, + }) + + t.Run("use skip-dir option", func(t *testing.T) { + scanner := New( + options.ScannerWithIncludeDeprecatedChecks(true), + ScannerWithSkipDirs([]string{"**/modules/**"}), + ScannerWithAllDirectories(true), + ) + + results, err := scanner.ScanFS(context.TODO(), fs, "deployments") + require.NoError(t, err) + + assert.Len(t, results, 0) + }) + + t.Run("use skip-files option", func(t *testing.T) { + scanner := New( + options.ScannerWithIncludeDeprecatedChecks(true), + ScannerWithSkipFiles([]string{"**/modules/**/*.tf"}), + ScannerWithAllDirectories(true), + ) + + results, err := scanner.ScanFS(context.TODO(), fs, "deployments") + require.NoError(t, err) + + assert.Len(t, results, 0) + }) + +} diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go index 78f4f4bdb158..7bec3ed6fe14 100644 --- a/pkg/misconf/scanner.go +++ b/pkg/misconf/scanner.go @@ -76,6 +76,8 @@ type ScannerOption struct { ConfigFileSchemas []*ConfigFileSchema DisabledCheckIDs []string + SkipFiles []string + SkipDirs []string } func (o *ScannerOption) Sort() { @@ -297,6 +299,8 @@ func addTFOpts(opts []options.ScannerOption, scannerOption ScannerOption) ([]opt opts = append(opts, terraform.ScannerWithAllDirectories(true), terraform.ScannerWithSkipDownloaded(scannerOption.TfExcludeDownloaded), + terraform.ScannerWithSkipFiles(scannerOption.SkipFiles), + terraform.ScannerWithSkipDirs(scannerOption.SkipDirs), ) return opts, nil From c22062c87d903223d0eb7ef50a57e2be98524b80 Mon Sep 17 00:00:00 2001 From: Simar Date: Mon, 23 Sep 2024 23:48:40 -0600 Subject: [PATCH 2/6] refactor `SkipPath()` to utils --- pkg/fanal/utils/utils.go | 27 ++++++++++++++++++++ pkg/fanal/walker/fs.go | 7 +++--- pkg/fanal/walker/tar.go | 8 +++--- pkg/fanal/walker/vm.go | 5 ++-- pkg/fanal/walker/walk.go | 27 -------------------- pkg/fanal/walker/walk_test.go | 4 +-- pkg/iac/scanners/terraform/parser/parser.go | 28 ++------------------- 7 files changed, 42 insertions(+), 64 deletions(-) diff --git a/pkg/fanal/utils/utils.go b/pkg/fanal/utils/utils.go index 1c5ea54b2612..8c9032a40bf6 100644 --- a/pkg/fanal/utils/utils.go +++ b/pkg/fanal/utils/utils.go @@ -8,8 +8,12 @@ import ( "os" "os/exec" "path/filepath" + "strings" + "github.com/aquasecurity/trivy/pkg/log" xio "github.com/aquasecurity/trivy/pkg/x/io" + "github.com/bmatcuk/doublestar/v4" + "github.com/samber/lo" ) var ( @@ -93,3 +97,26 @@ func IsBinary(content xio.ReadSeekerAt, fileSize int64) (bool, error) { return false, nil } + +func CleanSkipPaths(skipPaths []string) []string { + return lo.Map(skipPaths, func(skipPath string, index int) string { + skipPath = filepath.ToSlash(filepath.Clean(skipPath)) + return strings.TrimLeft(skipPath, "/") + }) +} + +func SkipPath(path string, skipPaths []string) bool { + path = strings.TrimLeft(path, "/") + + // skip files + for _, pattern := range skipPaths { + match, err := doublestar.Match(pattern, path) + if err != nil { + return false // return early if bad pattern + } else if match { + log.Debug("Skipping path", log.String("path", path)) + return true + } + } + return false +} diff --git a/pkg/fanal/walker/fs.go b/pkg/fanal/walker/fs.go index f6bec84d1fc2..759ec8d8fca5 100644 --- a/pkg/fanal/walker/fs.go +++ b/pkg/fanal/walker/fs.go @@ -7,6 +7,7 @@ import ( "path/filepath" "strings" + "github.com/aquasecurity/trivy/pkg/fanal/utils" "golang.org/x/xerrors" "github.com/aquasecurity/trivy/pkg/log" @@ -53,13 +54,13 @@ func (w *FS) WalkDirFunc(root string, fn WalkFunc, opt Option) fs.WalkDirFunc { // Skip unnecessary files switch { case d.IsDir(): - if SkipPath(relPath, opt.SkipDirs) { + if utils.SkipPath(relPath, opt.SkipDirs) { return filepath.SkipDir } return nil case !d.Type().IsRegular(): return nil - case SkipPath(relPath, opt.SkipFiles): + case utils.SkipPath(relPath, opt.SkipFiles): return nil } @@ -148,7 +149,7 @@ func (w *FS) BuildSkipPaths(base string, paths []string) []string { relativePaths = append(relativePaths, relPath) } - relativePaths = CleanSkipPaths(relativePaths) + relativePaths = utils.CleanSkipPaths(relativePaths) return relativePaths } diff --git a/pkg/fanal/walker/tar.go b/pkg/fanal/walker/tar.go index 51f185d89c50..0c7d0bee9d5d 100644 --- a/pkg/fanal/walker/tar.go +++ b/pkg/fanal/walker/tar.go @@ -27,8 +27,8 @@ type LayerTar struct { func NewLayerTar(opt Option) LayerTar { return LayerTar{ - skipFiles: CleanSkipPaths(opt.SkipFiles), - skipDirs: CleanSkipPaths(opt.SkipDirs), + skipFiles: utils.CleanSkipPaths(opt.SkipFiles), + skipDirs: utils.CleanSkipPaths(opt.SkipDirs), } } @@ -63,12 +63,12 @@ func (w LayerTar) Walk(layer io.Reader, analyzeFn WalkFunc) ([]string, []string, switch hdr.Typeflag { case tar.TypeDir: - if SkipPath(filePath, w.skipDirs) { + if utils.SkipPath(filePath, w.skipDirs) { skippedDirs = append(skippedDirs, filePath) continue } case tar.TypeReg: - if SkipPath(filePath, w.skipFiles) { + if utils.SkipPath(filePath, w.skipFiles) { continue } // symlinks and hardlinks have no content in reader, skip them diff --git a/pkg/fanal/walker/vm.go b/pkg/fanal/walker/vm.go index 0bc3e87ac86d..b7e5218477b6 100644 --- a/pkg/fanal/walker/vm.go +++ b/pkg/fanal/walker/vm.go @@ -8,6 +8,7 @@ import ( "slices" "strings" + "github.com/aquasecurity/trivy/pkg/fanal/utils" "github.com/masahiro331/go-disk" diskFs "github.com/masahiro331/go-disk/fs" "github.com/masahiro331/go-disk/gpt" @@ -131,13 +132,13 @@ func (w *VM) fsWalk(fsys fs.FS, path string, d fs.DirEntry, err error) error { pathName := strings.TrimPrefix(filepath.Clean(path), "/") switch { case fi.IsDir(): - if SkipPath(pathName, w.skipDirs) { + if utils.SkipPath(pathName, w.skipDirs) { return filepath.SkipDir } return nil case !fi.Mode().IsRegular(): return nil - case SkipPath(pathName, w.skipFiles): + case utils.SkipPath(pathName, w.skipFiles): return nil case fi.Mode()&0x1000 == 0x1000 || fi.Mode()&0x2000 == 0x2000 || diff --git a/pkg/fanal/walker/walk.go b/pkg/fanal/walker/walk.go index ac16c47bb48b..0785cef41606 100644 --- a/pkg/fanal/walker/walk.go +++ b/pkg/fanal/walker/walk.go @@ -2,11 +2,6 @@ package walker import ( "os" - "path/filepath" - "strings" - - "github.com/bmatcuk/doublestar/v4" - "github.com/samber/lo" "github.com/aquasecurity/trivy/pkg/fanal/analyzer" ) @@ -26,25 +21,3 @@ type Option struct { } type WalkFunc func(filePath string, info os.FileInfo, opener analyzer.Opener) error - -func CleanSkipPaths(skipPaths []string) []string { - return lo.Map(skipPaths, func(skipPath string, index int) string { - skipPath = filepath.ToSlash(filepath.Clean(skipPath)) - return strings.TrimLeft(skipPath, "/") - }) -} - -func SkipPath(path string, skipPaths []string) bool { - path = strings.TrimLeft(path, "/") - - // skip files - for _, pattern := range skipPaths { - match, err := doublestar.Match(pattern, path) - if err != nil { - return false // return early if bad pattern - } else if match { - return true - } - } - return false -} diff --git a/pkg/fanal/walker/walk_test.go b/pkg/fanal/walker/walk_test.go index 0bac6009d04f..fbb672a6b778 100644 --- a/pkg/fanal/walker/walk_test.go +++ b/pkg/fanal/walker/walk_test.go @@ -64,7 +64,7 @@ func TestSkipFile(t *testing.T) { t.Run(tt.name, func(t *testing.T) { for file, want := range tt.wants { file = filepath.ToSlash(filepath.Clean(file)) - got := walker.SkipPath(file, walker.CleanSkipPaths(tt.skipFiles)) + got := utils.SkipPath(file, walker.CleanSkipPaths(tt.skipFiles)) assert.Equal(t, want, got, fmt.Sprintf("skipFiles: %s, file: %s", tt.skipFiles, file)) } }) @@ -138,7 +138,7 @@ func TestSkipDir(t *testing.T) { t.Run(tt.name, func(t *testing.T) { for dir, want := range tt.wants { dir = filepath.ToSlash(filepath.Clean(dir)) - got := walker.SkipPath(dir, walker.CleanSkipPaths(tt.skipDirs)) + got := utils.SkipPath(dir, walker.CleanSkipPaths(tt.skipDirs)) assert.Equal(t, want, got, fmt.Sprintf("defaultSkipDirs: %s, dir: %s", tt.skipDirs, dir)) } }) diff --git a/pkg/iac/scanners/terraform/parser/parser.go b/pkg/iac/scanners/terraform/parser/parser.go index 9034cc2f0f51..66cf980361fa 100644 --- a/pkg/iac/scanners/terraform/parser/parser.go +++ b/pkg/iac/scanners/terraform/parser/parser.go @@ -11,10 +11,9 @@ import ( "sort" "strings" - "github.com/bmatcuk/doublestar/v4" + "github.com/aquasecurity/trivy/pkg/fanal/utils" "github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2/hclparse" - "github.com/samber/lo" "github.com/zclconf/go-cty/cty" "github.com/aquasecurity/trivy/pkg/iac/ignore" @@ -65,7 +64,6 @@ func New(moduleFS fs.FS, moduleSource string, opts ...Option) *Parser { configsFS: moduleFS, logger: log.WithPrefix("terraform parser").With("module", "root"), tfvars: make(map[string]cty.Value), - skipPaths: []string{}, } for _, option := range opts { @@ -160,7 +158,7 @@ func (p *Parser) ParseFS(ctx context.Context, dir string) error { if info.IsDir() { continue } - if SkipPath(realPath, CleanSkipPaths(p.skipPaths)) { + if utils.SkipPath(realPath, utils.CleanSkipPaths(p.skipPaths)) { p.logger.Debug("Skipping path based on input glob", log.FilePath(realPath), log.Any("glob", p.skipPaths)) continue } @@ -367,25 +365,3 @@ func (s *paramParser) Parse(str string) bool { func (s *paramParser) Param() any { return s.params } - -func CleanSkipPaths(skipPaths []string) []string { - return lo.Map(skipPaths, func(skipPath string, index int) string { - skipPath = filepath.ToSlash(filepath.Clean(skipPath)) - return strings.TrimLeft(skipPath, "/") - }) -} - -func SkipPath(path string, skipPaths []string) bool { - path = strings.TrimLeft(path, "/") - - // skip files - for _, pattern := range skipPaths { - match, err := doublestar.Match(pattern, path) - if err != nil { - return false // return early if bad pattern - } else if match { - return true - } - } - return false -} From b6cb2471142dbd407d8ba01f4705d3308a4fb997 Mon Sep 17 00:00:00 2001 From: Simar Date: Thu, 26 Sep 2024 00:12:47 -0600 Subject: [PATCH 3/6] fix lint --- pkg/fanal/utils/utils.go | 5 +++-- pkg/fanal/walker/fs.go | 2 +- pkg/fanal/walker/vm.go | 2 +- pkg/fanal/walker/walk_test.go | 6 +++--- pkg/iac/scanners/terraform/parser/parser.go | 2 +- pkg/iac/scanners/terraform/scanner_test.go | 4 ++-- 6 files changed, 11 insertions(+), 10 deletions(-) diff --git a/pkg/fanal/utils/utils.go b/pkg/fanal/utils/utils.go index 8c9032a40bf6..cdd0373e39bf 100644 --- a/pkg/fanal/utils/utils.go +++ b/pkg/fanal/utils/utils.go @@ -10,10 +10,11 @@ import ( "path/filepath" "strings" - "github.com/aquasecurity/trivy/pkg/log" - xio "github.com/aquasecurity/trivy/pkg/x/io" "github.com/bmatcuk/doublestar/v4" "github.com/samber/lo" + + "github.com/aquasecurity/trivy/pkg/log" + xio "github.com/aquasecurity/trivy/pkg/x/io" ) var ( diff --git a/pkg/fanal/walker/fs.go b/pkg/fanal/walker/fs.go index 759ec8d8fca5..3ebfb7258459 100644 --- a/pkg/fanal/walker/fs.go +++ b/pkg/fanal/walker/fs.go @@ -7,9 +7,9 @@ import ( "path/filepath" "strings" - "github.com/aquasecurity/trivy/pkg/fanal/utils" "golang.org/x/xerrors" + "github.com/aquasecurity/trivy/pkg/fanal/utils" "github.com/aquasecurity/trivy/pkg/log" xio "github.com/aquasecurity/trivy/pkg/x/io" ) diff --git a/pkg/fanal/walker/vm.go b/pkg/fanal/walker/vm.go index b7e5218477b6..f8ef63ce0252 100644 --- a/pkg/fanal/walker/vm.go +++ b/pkg/fanal/walker/vm.go @@ -8,7 +8,6 @@ import ( "slices" "strings" - "github.com/aquasecurity/trivy/pkg/fanal/utils" "github.com/masahiro331/go-disk" diskFs "github.com/masahiro331/go-disk/fs" "github.com/masahiro331/go-disk/gpt" @@ -18,6 +17,7 @@ import ( "github.com/masahiro331/go-xfs-filesystem/xfs" "golang.org/x/xerrors" + "github.com/aquasecurity/trivy/pkg/fanal/utils" "github.com/aquasecurity/trivy/pkg/fanal/vm/filesystem" "github.com/aquasecurity/trivy/pkg/log" xio "github.com/aquasecurity/trivy/pkg/x/io" diff --git a/pkg/fanal/walker/walk_test.go b/pkg/fanal/walker/walk_test.go index fbb672a6b778..09d55527c0fe 100644 --- a/pkg/fanal/walker/walk_test.go +++ b/pkg/fanal/walker/walk_test.go @@ -7,7 +7,7 @@ import ( "github.com/stretchr/testify/assert" - "github.com/aquasecurity/trivy/pkg/fanal/walker" + "github.com/aquasecurity/trivy/pkg/fanal/utils" ) func TestSkipFile(t *testing.T) { @@ -64,7 +64,7 @@ func TestSkipFile(t *testing.T) { t.Run(tt.name, func(t *testing.T) { for file, want := range tt.wants { file = filepath.ToSlash(filepath.Clean(file)) - got := utils.SkipPath(file, walker.CleanSkipPaths(tt.skipFiles)) + got := utils.SkipPath(file, utils.CleanSkipPaths(tt.skipFiles)) assert.Equal(t, want, got, fmt.Sprintf("skipFiles: %s, file: %s", tt.skipFiles, file)) } }) @@ -138,7 +138,7 @@ func TestSkipDir(t *testing.T) { t.Run(tt.name, func(t *testing.T) { for dir, want := range tt.wants { dir = filepath.ToSlash(filepath.Clean(dir)) - got := utils.SkipPath(dir, walker.CleanSkipPaths(tt.skipDirs)) + got := utils.SkipPath(dir, utils.CleanSkipPaths(tt.skipDirs)) assert.Equal(t, want, got, fmt.Sprintf("defaultSkipDirs: %s, dir: %s", tt.skipDirs, dir)) } }) diff --git a/pkg/iac/scanners/terraform/parser/parser.go b/pkg/iac/scanners/terraform/parser/parser.go index 66cf980361fa..695cbee4fb25 100644 --- a/pkg/iac/scanners/terraform/parser/parser.go +++ b/pkg/iac/scanners/terraform/parser/parser.go @@ -11,11 +11,11 @@ import ( "sort" "strings" - "github.com/aquasecurity/trivy/pkg/fanal/utils" "github.com/hashicorp/hcl/v2" "github.com/hashicorp/hcl/v2/hclparse" "github.com/zclconf/go-cty/cty" + "github.com/aquasecurity/trivy/pkg/fanal/utils" "github.com/aquasecurity/trivy/pkg/iac/ignore" "github.com/aquasecurity/trivy/pkg/iac/terraform" tfcontext "github.com/aquasecurity/trivy/pkg/iac/terraform/context" diff --git a/pkg/iac/scanners/terraform/scanner_test.go b/pkg/iac/scanners/terraform/scanner_test.go index 45475d31274d..4cd4e5a9174f 100644 --- a/pkg/iac/scanners/terraform/scanner_test.go +++ b/pkg/iac/scanners/terraform/scanner_test.go @@ -1176,7 +1176,7 @@ resource "aws_iam_policy" "bad_configuration" { results, err := scanner.ScanFS(context.TODO(), fs, "deployments") require.NoError(t, err) - assert.Len(t, results, 0) + assert.Empty(t, results) }) t.Run("use skip-files option", func(t *testing.T) { @@ -1189,7 +1189,7 @@ resource "aws_iam_policy" "bad_configuration" { results, err := scanner.ScanFS(context.TODO(), fs, "deployments") require.NoError(t, err) - assert.Len(t, results, 0) + assert.Empty(t, results) }) } From f8002ae76dc99a0f8a8f986fc07c4ed03a9114af Mon Sep 17 00:00:00 2001 From: Simar Date: Sat, 28 Sep 2024 00:29:58 -0600 Subject: [PATCH 4/6] update tests --- pkg/iac/scanners/terraform/scanner_test.go | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/pkg/iac/scanners/terraform/scanner_test.go b/pkg/iac/scanners/terraform/scanner_test.go index 4cd4e5a9174f..e71ad09b64b3 100644 --- a/pkg/iac/scanners/terraform/scanner_test.go +++ b/pkg/iac/scanners/terraform/scanner_test.go @@ -1192,4 +1192,28 @@ resource "aws_iam_policy" "bad_configuration" { assert.Empty(t, results) }) + t.Run("non existing value for skip-files option", func(t *testing.T) { + scanner := New( + options.ScannerWithIncludeDeprecatedChecks(true), + ScannerWithSkipFiles([]string{"foo/bar*.tf"}), + ScannerWithAllDirectories(true), + ) + + results, err := scanner.ScanFS(context.TODO(), fs, "deployments") + require.NoError(t, err) + + assert.Equal(t, 4, len(results)) + }) + + t.Run("empty skip-files option", func(t *testing.T) { + scanner := New( + options.ScannerWithIncludeDeprecatedChecks(true), + ScannerWithAllDirectories(true), + ) + + results, err := scanner.ScanFS(context.TODO(), fs, "deployments") + require.NoError(t, err) + + assert.Equal(t, 4, len(results)) + }) } From b49dc9cdeb7510d3c6a8d5be85e1723d4f32adb4 Mon Sep 17 00:00:00 2001 From: nikpivkin Date: Mon, 30 Sep 2024 15:23:34 +0600 Subject: [PATCH 5/6] chore: fix linter issues Signed-off-by: nikpivkin --- pkg/iac/scanners/terraform/scanner_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/iac/scanners/terraform/scanner_test.go b/pkg/iac/scanners/terraform/scanner_test.go index e71ad09b64b3..a7020b4ddd06 100644 --- a/pkg/iac/scanners/terraform/scanner_test.go +++ b/pkg/iac/scanners/terraform/scanner_test.go @@ -1202,7 +1202,7 @@ resource "aws_iam_policy" "bad_configuration" { results, err := scanner.ScanFS(context.TODO(), fs, "deployments") require.NoError(t, err) - assert.Equal(t, 4, len(results)) + assert.Len(t, results, 4) }) t.Run("empty skip-files option", func(t *testing.T) { @@ -1214,6 +1214,6 @@ resource "aws_iam_policy" "bad_configuration" { results, err := scanner.ScanFS(context.TODO(), fs, "deployments") require.NoError(t, err) - assert.Equal(t, 4, len(results)) + assert.Len(t, results, 4) }) } From 38b8f8346857e6fc4cfa850121b2fea2eded9745 Mon Sep 17 00:00:00 2001 From: Simar Date: Tue, 1 Oct 2024 16:23:25 -0600 Subject: [PATCH 6/6] fix rebase --- pkg/fanal/utils/utils.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/fanal/utils/utils.go b/pkg/fanal/utils/utils.go index 592f6372380d..463c8dd1f255 100644 --- a/pkg/fanal/utils/utils.go +++ b/pkg/fanal/utils/utils.go @@ -12,9 +12,9 @@ import ( "strings" "unicode" - "golang.org/x/xerrors" "github.com/bmatcuk/doublestar/v4" "github.com/samber/lo" + "golang.org/x/xerrors" "github.com/aquasecurity/trivy/pkg/log" xio "github.com/aquasecurity/trivy/pkg/x/io" @@ -123,6 +123,7 @@ func SkipPath(path string, skipPaths []string) bool { } } return false +} func ExtractPrintableBytes(content xio.ReadSeekerAt) ([]byte, error) { const minLength = 4 // Minimum length of strings to extract