From 12f9f21d6b38089d81bb7a8a35baac7942a73fcc Mon Sep 17 00:00:00 2001
From: nikpivkin
Date: Mon, 14 Oct 2024 14:49:08 +0600
Subject: [PATCH 1/2] docs: add note about disabled DS016 check

Signed-off-by: nikpivkin
---
 docs/docs/target/container_image.md | 2 ++
 .../analyzer/imgconf/dockerfile/dockerfile.go | 9 ++++++---
 pkg/misconf/scanner.go | 20 +++++++++++++++----
 3 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/docs/docs/target/container_image.md b/docs/docs/target/container_image.md
index 6f514db29fb5..4b12017d9576 100644
--- a/docs/docs/target/container_image.md
+++ b/docs/docs/target/container_image.md
@@ -154,6 +154,8 @@ See https://avd.aquasec.com/misconfig/ds026
 !!! tip
 You can see how each layer is created with `docker history`.
 
+The [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) check is disabled for this scan type, see [issue](https://github.com/aquasecurity/trivy/issues/7368) for details.
+
 ### Secrets
 
 Trivy detects secrets on the configuration of container images. The image config is converted into JSON and Trivy scans the file for secrets.
diff --git a/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go b/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
index c79a81f54c61..35a4fc12fea1 100644
--- a/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
+++ b/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
@@ -16,8 +16,11 @@ import (
 "github.com/aquasecurity/trivy/pkg/misconf"
 )
 
-var disabledChecks = []string{
- "DS016", // See https://github.com/aquasecurity/trivy/issues/7368
+var disabledChecks = []misconf.DisabledCheck{
+ {
+ ID: "DS016", Scanner: string(analyzer.TypeHistoryDockerfile),
+ Reason: "See https://github.com/aquasecurity/trivy/issues/7368",
+ },
 }
 
 const analyzerVersion = 1
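Review bot: In the new `disabledChecks` literal, `ID` and `Scanner` are packed onto one line while `Reason` gets its own; one field per line (`ID: "DS016",` / `Scanner: string(analyzer.TypeHistoryDockerfile),` / `Reason: "…",`) mirrors the layout of the `DisabledCheck` struct it populates and keeps later edits to a single field line-granular. The `Reason` text is now emitted in the scanner's log output rather than sitting in a source comment, so a one-phrase summary of why the check is excluded, kept alongside the issue link, would serve a log reader who cannot follow the URL.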
@@ -31,7 +34,7 @@ type historyAnalyzer struct {
 }
 
 func newHistoryAnalyzer(opts analyzer.ConfigAnalyzerOptions) (analyzer.ConfigAnalyzer, error) {
- opts.MisconfScannerOption.DisabledCheckIDs = append(opts.MisconfScannerOption.DisabledCheckIDs, disabledChecks...)
+ opts.MisconfScannerOption.DisabledChecks = append(opts.MisconfScannerOption.DisabledChecks, disabledChecks...)
 s, err := misconf.NewScanner(detection.FileTypeDockerfile, opts.MisconfScannerOption)
 if err != nil {
 return nil, xerrors.Errorf("misconfiguration scanner error: %w", err)
diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
index 04fc28bc5296..ef1f67eb8b69 100644
--- a/pkg/misconf/scanner.go
+++ b/pkg/misconf/scanner.go
@@ -50,6 +50,12 @@ var enablediacTypes = map[detection.FileType]types.ConfigType{
 detection.FileTypeYAML: types.YAML,
 }
 
+type DisabledCheck struct {
+ ID string
+ Scanner string // For logging
+ Reason string // For logging
+}
+
 type ScannerOption struct {
 Trace bool
 RegoOnly bool
@@ -74,9 +80,9 @@ type ScannerOption struct {
 FilePatterns []string
 ConfigFileSchemas []*ConfigFileSchema
 
- DisabledCheckIDs []string
- SkipFiles []string
- SkipDirs []string
+ DisabledChecks []DisabledCheck
+ SkipFiles []string
+ SkipDirs []string
 }
 
 func (o *ScannerOption) Sort() {
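Review bot: The exported type `DisabledCheck` added in the `@@ -50,6 +50,12 @@` hunk has no doc comment, and the `// For logging` field comments do not say what `ID` must match. A doc comment such as `// DisabledCheck names a check to exclude from scanning. ID is the check identifier passed to the Rego scanner; Scanner and Reason are only reported when the exclusion is logged.` would let callers see that only `ID` affects behaviour. The renamed exported field `ScannerOption.DisabledChecks` in the `@@ -74,9 +80,9 @@` hunk likewise lacks a comment; `// DisabledChecks lists checks excluded from this scan; each exclusion is logged at scanner construction.` is enough. The `ScannerOption` struct continues outside the hunks shown.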
@@ -211,11 +217,17 @@ func (s *Scanner) filterFS(fsys fs.FS) (fs.FS, error) {
 }
 
 func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerOption, error) {
+ disabledCheckIDs := lo.Map(opt.DisabledChecks, func(check DisabledCheck, _ int) string {
+ log.Info("Check disabled", log.String("ID", check.ID),
+ log.String("scanner", check.Scanner), log.String("reason", check.Reason))
+ return check.ID
+ })
+
 opts := []options.ScannerOption{
 rego.WithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
 rego.WithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),
 options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks),
- rego.WithDisabledCheckIDs(opt.DisabledCheckIDs...),
+ rego.WithDisabledCheckIDs(disabledCheckIDs...),
 }
 
 policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)

From bd91532def985554c43ee53b0fb85a4129eba895 Mon Sep 17 00:00:00 2001
From: nikpivkin
Date: Mon, 14 Oct 2024 19:38:47 +0600
Subject: [PATCH 2/2] add log prefix

Signed-off-by: nikpivkin
---
 pkg/misconf/scanner.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
index ef1f67eb8b69..7a3642dfe895 100644
--- a/pkg/misconf/scanner.go
+++ b/pkg/misconf/scanner.go
@@ -139,6 +139,7 @@ func NewScanner(t detection.FileType, opt ScannerOption) (*Scanner, error) {
 }
 
 func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguration, error) {
+ ctx = log.WithContextPrefix(ctx, log.PrefixMisconfiguration)
 newfs, err := s.filterFS(fsys)
 if err != nil {
 return nil, xerrors.Errorf("fs filter error: %w", err)
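Review bot: The `lo.Map` callback added at the top of `scannerOptions` does a side effect (the `log.Info` call) inside what reads as a pure projection, so a reader scanning for where exclusions are logged will not find a loop and a future change to a lazy or parallel helper would silently drop or reorder the log lines. A plain loop with a pre-sized slice makes the logging explicit and costs nothing; the second patch's `@@ -218,7 +219,7 @@` hunk edits the same callback (adding `log.Prefix`) and would carry over unchanged in that form. Since this Info line is, as far as the diff shows, the only place where a reduced check set is recorded, it is worth a why-comment so nobody later downgrades it to Debug. `scannerOptions` continues past the end of the hunk.
```go
func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerOption, error) {
	// Log every exclusion: the scan report itself does not show that a check was
	// switched off, so this line is the operator's only trace of reduced coverage.
	disabledCheckIDs := make([]string, 0, len(opt.DisabledChecks))
	for _, check := range opt.DisabledChecks {
		log.Info("Check disabled", log.String("ID", check.ID),
			log.String("scanner", check.Scanner), log.String("reason", check.Reason))
		disabledCheckIDs = append(disabledCheckIDs, check.ID)
	}
	// … unchanged: opts construction and CreatePolicyFS …
```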
@@ -147,12 +148,12 @@ func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguratio
 return nil, nil
 }
 
- log.Debug("Scanning files for misconfigurations...", log.String("scanner", s.scanner.Name()))
+ log.DebugContext(ctx, "Scanning files for misconfigurations...", log.String("scanner", s.scanner.Name()))
 results, err := s.scanner.ScanFS(ctx, newfs, ".")
 if err != nil {
 var invalidContentError *cfparser.InvalidContentError
 if errors.As(err, &invalidContentError) {
- log.Error("scan was broken with InvalidContentError", s.scanner.Name(), log.Err(err))
+ log.ErrorContext(ctx, "scan was broken with InvalidContentError", s.scanner.Name(), log.Err(err))
 return nil, nil
 }
 return nil, xerrors.Errorf("scan config error: %w", err)
@@ -218,7 +219,7 @@ func (s *Scanner) filterFS(fsys fs.FS) (fs.FS, error) {
 func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerOption, error) {
 disabledCheckIDs := lo.Map(opt.DisabledChecks, func(check DisabledCheck, _ int) string {
- log.Info("Check disabled", log.String("ID", check.ID),
+ log.Info("Check disabled", log.Prefix(log.PrefixMisconfiguration), log.String("ID", check.ID),
 log.String("scanner", check.Scanner), log.String("reason", check.Reason))
 return check.ID
 })
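Review bot: The rewritten `log.ErrorContext(ctx, "scan was broken with InvalidContentError", s.scanner.Name(), log.Err(err))` still passes the scanner name as a bare positional argument between the message and the attributes, while the Debug call two lines above uses `log.String("scanner", s.scanner.Name())`. If this logger follows the slog key/value convention, which the `log.String`/`log.Err` helpers suggest, a lone string in that position is taken as a key with a missing value and the scanner name is not attached as a usable field. Since the commit touches the line, it can fix it at the same time: `log.ErrorContext(ctx, "scan was broken with InvalidContentError", log.String("scanner", s.scanner.Name()), log.Err(err))`. This matters more than usual here because the branch returns `nil, nil`, so an unparseable config yields no findings and no error and this log line is the only evidence that the scan silently produced nothing. `Scan` starts in the preceding hunk and its body continues outside this one.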