fix: Specify types of dependencies to analyze
It's only necessary to specify these types when running the scanners directly, as we do.
When running Trivy via the command line it's not necessary.

See aquasecurity/trivy#7237
afsmeira committed Aug 29, 2024
1 parent 0e10696 commit ed7ab54
Showing 2 changed files with 20 additions and 14 deletions.
8 changes: 6 additions & 2 deletions internal/tool/tool.go
Expand Up @@ -11,8 +11,10 @@ import (
"strings"

"github.com/aquasecurity/trivy/pkg/fanal/secret"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/flag"
"github.com/aquasecurity/trivy/pkg/log"
ptypes "github.com/aquasecurity/trivy/pkg/types"
types "github.com/aquasecurity/trivy/pkg/types"
codacy "github.com/codacy/codacy-engine-golang-seed/v6"
"github.com/samber/lo"
Expand Down Expand Up @@ -97,7 +99,9 @@ func (t codacyTrivy) runVulnerabilityScanning(ctx context.Context, toolExecution
},
PackageOptions: flag.PackageOptions{
// Only scan libraries not OS packages.
PkgTypes: []string{types.PkgTypeLibrary},
PkgTypes: []string{ptypes.PkgTypeLibrary},
// Scan libraries with all possible relationships (direct, indirect, etc).
PkgRelationships: ftypes.Relationships,
},
ReportOptions: flag.ReportOptions{
// Listing all packages will allow to obtain the line number of a vulnerability.
Expand All @@ -106,7 +110,7 @@ func (t codacyTrivy) runVulnerabilityScanning(ctx context.Context, toolExecution
ScanOptions: flag.ScanOptions{
// Do not try to connect to the internet to download vulnerability DBs, for example.
OfflineScan: true,
Scanners: types.Scanners{types.VulnerabilityScanner},
Scanners: ptypes.Scanners{ptypes.VulnerabilityScanner},
// Instead of scanning files individually, scan the whole source directory since it's faster.
// Then filter issues from files that were not supposed to be analysed.
Target: toolExecution.SourceDir,
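Review bot: The comment above the new `PkgRelationships: ftypes.Relationships` line says what is set but not why it has to be set here, and the why is the whole fix: per the commit description the Trivy CLI supplies this value itself, while a hand-built `flag.PackageOptions` literal leaves it empty and the direct scanner call then omits packages. I'd extend the comment to `// Required when calling the scanner directly: the CLI fills this in, but an empty value leaves packages out of the scan. See aquasecurity/trivy#7237.` so a later tidy-up of the options literal does not drop it again. In the import hunk, `ptypes` is added while `types "github.com/aquasecurity/trivy/pkg/types"` still appears on the following line; if that line is retained rather than deleted, the same package is imported under two names, which only compiles while both are used and is confusing either way, so keep a single alias. runVulnerabilityScanning starts and ends outside the visible hunks.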
26 changes: 14 additions & 12 deletions internal/tool/tool_test.go
Expand Up @@ -10,7 +10,7 @@ import (
"github.com/aquasecurity/trivy/pkg/commands/artifact"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/flag"
"github.com/aquasecurity/trivy/pkg/types"
ptypes "github.com/aquasecurity/trivy/pkg/types"
codacy "github.com/codacy/codacy-engine-golang-seed/v6"
"github.com/stretchr/testify/assert"
"go.uber.org/mock/gomock"
Expand Down Expand Up @@ -61,20 +61,21 @@ func TestRun(t *testing.T) {
SkipJavaDBUpdate: true,
},
PackageOptions: flag.PackageOptions{
PkgTypes: []string{types.PkgTypeLibrary},
PkgTypes: []string{ptypes.PkgTypeLibrary},
PkgRelationships: ftypes.Relationships,
},
ReportOptions: flag.ReportOptions{
ListAllPkgs: true,
},
ScanOptions: flag.ScanOptions{
OfflineScan: true,
Scanners: types.Scanners{types.VulnerabilityScanner},
Scanners: ptypes.Scanners{ptypes.VulnerabilityScanner},
Target: sourceDir,
},
}

report := types.Report{
Results: types.Results{
report := ptypes.Report{
Results: ptypes.Results{
{
Target: file1,
Packages: ftypes.Packages{
Expand All @@ -90,7 +91,7 @@ func TestRun(t *testing.T) {
ID: packageID2,
},
},
Vulnerabilities: []types.DetectedVulnerability{
Vulnerabilities: []ptypes.DetectedVulnerability{
{
PkgID: packageID1,
VulnerabilityID: "vuln id",
Expand Down Expand Up @@ -119,13 +120,13 @@ func TestRun(t *testing.T) {
},
{
Target: file2,
Secrets: []types.DetectedSecret{
Secrets: []ptypes.DetectedSecret{
{
StartLine: 2,
Title: "secret title",
},
},
Vulnerabilities: []types.DetectedVulnerability{
Vulnerabilities: []ptypes.DetectedVulnerability{
{
PkgID: "packageID10",
VulnerabilityID: "no line",
Expand All @@ -138,7 +139,7 @@ func TestRun(t *testing.T) {
},
{
Target: "file-3",
Secrets: []types.DetectedSecret{
Secrets: []ptypes.DetectedSecret{
{
StartLine: 10,
Title: "unkown file",
Expand Down Expand Up @@ -294,14 +295,15 @@ func TestRunScanFilesystemError(t *testing.T) {
SkipJavaDBUpdate: true,
},
PackageOptions: flag.PackageOptions{
PkgTypes: []string{types.PkgTypeLibrary},
PkgTypes: []string{ptypes.PkgTypeLibrary},
PkgRelationships: ftypes.Relationships,
},
ReportOptions: flag.ReportOptions{
ListAllPkgs: true,
},
ScanOptions: flag.ScanOptions{
OfflineScan: true,
Scanners: types.Scanners{types.VulnerabilityScanner},
Scanners: ptypes.Scanners{ptypes.VulnerabilityScanner},
Target: sourceDir,
},
}
Expand All @@ -315,7 +317,7 @@ func TestRunScanFilesystemError(t *testing.T) {
mockRunner.EXPECT().ScanFilesystem(
gomock.Eq(ctx),
gomock.Eq(config),
).Return(types.Report{}, assert.AnError).Times(1)
).Return(ptypes.Report{}, assert.AnError).Times(1)
mockRunner.EXPECT().Close(
gomock.Eq(ctx),
).Return(nil).Times(1)
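Review bot: The updated expectations only pin the `flag.Options` literal handed to the mocked `ScanFilesystem` (the `PkgRelationships: ftypes.Relationships` lines in TestRun and TestRunScanFilesystemError), so the regression this commit addresses, packages missing from the report when relationships are left unset, is covered by struct equality rather than by behaviour; the mock returns its canned report whatever the options contain. That is reasonable for a unit test against a mock, but a short comment on each of those fields, e.g. `// Must match tool.go; leaving it unset makes the direct scanner call skip packages (aquasecurity/trivy#7237).`, would tie the expectation to the reason it exists and flag that a mismatch here is a real regression, not a cosmetic one. TestRun and TestRunScanFilesystemError both start and end outside the visible hunks.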
