From ed7ab54b36008b6cce7fdc7e7b47217e29de0154 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Meira?=
Date: Thu, 29 Aug 2024 13:33:08 +0100
Subject: [PATCH] fix: Specify types of dependencies to analyze

It's only necessary to specifiy these types when running the scanners directly, as we do. When running Trivy via the command line it's not necessary. See https://github.com/aquasecurity/trivy/pull/7237
---
 internal/tool/tool.go | 8 ++++++--
 internal/tool/tool_test.go | 26 ++++++++++++++------------
 2 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/internal/tool/tool.go b/internal/tool/tool.go
index aa87c8e..0bd03a2 100644
--- a/internal/tool/tool.go
+++ b/internal/tool/tool.go
@@ -11,8 +11,10 @@ import (
 "strings"
 
 "github.com/aquasecurity/trivy/pkg/fanal/secret"
+ ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 "github.com/aquasecurity/trivy/pkg/flag"
 "github.com/aquasecurity/trivy/pkg/log"
+ ptypes "github.com/aquasecurity/trivy/pkg/types"
 types "github.com/aquasecurity/trivy/pkg/types"
 codacy "github.com/codacy/codacy-engine-golang-seed/v6"
 "github.com/samber/lo"
@@ -97,7 +99,9 @@ func (t codacyTrivy) runVulnerabilityScanning(ctx context.Context, toolExecution
 },
 PackageOptions: flag.PackageOptions{
 // Only scan libraries not OS packages.
- PkgTypes: []string{types.PkgTypeLibrary},
+ PkgTypes: []string{ptypes.PkgTypeLibrary},
+ // Scan libraries with all possible relationships (direct, indirect, etc).
+ PkgRelationships: ftypes.Relationships,
 },
 ReportOptions: flag.ReportOptions{
 // Listing all packages will allow to obtain the line number of a vulnerability.
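Review bot: The import block of tool.go now brings in `github.com/aquasecurity/trivy/pkg/types` twice, once as `ptypes` and once as the pre-existing `types`, which staticcheck reports as a duplicate import (ST1019) and leaves two names for one package in the same file. Presumably `types` survives because call sites outside these two hunks still use it; finishing the rename in this commit and dropping `types "github.com/aquasecurity/trivy/pkg/types"` would leave a single alias, which is what the tool_test.go import hunk already does. The import block starts before the hunk.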
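Review bot: The comment on the new `PkgRelationships` line says what the value is but not why it must be set, which is the whole reason for this commit, so a later reader can reasonably "simplify" it away and nothing in the scan would fail loudly. Suggest stating the consequence, e.g. `// Required when the scanner is called directly rather than via the CLI: with an empty list Trivy filters out every package and the scan reports no vulnerabilities (see aquasecurity/trivy#7237).` — I am inferring the exact behaviour from the commit message and the linked PR, so the wording should be checked against that PR. For a vulnerability scanner a silently empty result is the worst failure mode, which is why the why-comment is worth having. runVulnerabilityScanning starts before and continues after the hunk.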
@@ -106,7 +110,7 @@ func (t codacyTrivy) runVulnerabilityScanning(ctx context.Context, toolExecution
 ScanOptions: flag.ScanOptions{
 // Do not try to connect to the internet to download vulnerability DBs, for example.
 OfflineScan: true,
- Scanners: types.Scanners{types.VulnerabilityScanner},
+ Scanners: ptypes.Scanners{ptypes.VulnerabilityScanner},
 // Instead of scanning files individually, scan the whole source directory since it's faster.
 // Then filter issues from files that were not supposed to be analysed.
 Target: toolExecution.SourceDir,
diff --git a/internal/tool/tool_test.go b/internal/tool/tool_test.go
index 57df35c..7f2ed23 100644
--- a/internal/tool/tool_test.go
+++ b/internal/tool/tool_test.go
@@ -10,7 +10,7 @@ import (
 "github.com/aquasecurity/trivy/pkg/commands/artifact"
 ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 "github.com/aquasecurity/trivy/pkg/flag"
- "github.com/aquasecurity/trivy/pkg/types"
+ ptypes "github.com/aquasecurity/trivy/pkg/types"
 codacy "github.com/codacy/codacy-engine-golang-seed/v6"
 "github.com/stretchr/testify/assert"
 "go.uber.org/mock/gomock"
@@ -61,20 +61,21 @@ func TestRun(t *testing.T) {
 SkipJavaDBUpdate: true,
 },
 PackageOptions: flag.PackageOptions{
- PkgTypes: []string{types.PkgTypeLibrary},
+ PkgTypes: []string{ptypes.PkgTypeLibrary},
+ PkgRelationships: ftypes.Relationships,
 },
 ReportOptions: flag.ReportOptions{
 ListAllPkgs: true,
 },
 ScanOptions: flag.ScanOptions{
 OfflineScan: true,
- Scanners: types.Scanners{types.VulnerabilityScanner},
+ Scanners: ptypes.Scanners{ptypes.VulnerabilityScanner},
 Target: sourceDir,
 },
 }
 
- report := types.Report{
- Results: types.Results{
+ report := ptypes.Report{
+ Results: ptypes.Results{
 {
 Target: file1,
 Packages: ftypes.Packages{
@@ -90,7 +91,7 @@ func TestRun(t *testing.T) {
 ID: packageID2,
 },
 },
- Vulnerabilities: []types.DetectedVulnerability{
+ Vulnerabilities: []ptypes.DetectedVulnerability{
 {
 PkgID: packageID1,
 VulnerabilityID: "vuln id",
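Review bot: The expected `config` literal in TestRun duplicates, field by field, the one in TestRunScanFilesystemError (the hunk at -294 on the next part of the patch), so every new scan option has to be mirrored in two places, as this commit does with `PkgRelationships`. A small helper in the test file, e.g. `func expectedConfig(sourceDir string)` returning the shared literal and called from both tests, would keep the expectation in one place and make a divergence between the two tests impossible. Both tests still pin the whole struct through `gomock.Eq(config)`, so the new field is covered either way. The `config` literal begins before the hunk.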
@@ -119,13 +120,13 @@ func TestRun(t *testing.T) {
 },
 {
 Target: file2,
- Secrets: []types.DetectedSecret{
+ Secrets: []ptypes.DetectedSecret{
 {
 StartLine: 2,
 Title: "secret title",
 },
 },
- Vulnerabilities: []types.DetectedVulnerability{
+ Vulnerabilities: []ptypes.DetectedVulnerability{
 {
 PkgID: "packageID10",
 VulnerabilityID: "no line",
@@ -138,7 +139,7 @@ func TestRun(t *testing.T) {
 },
 {
 Target: "file-3",
- Secrets: []types.DetectedSecret{
+ Secrets: []ptypes.DetectedSecret{
 {
 StartLine: 10,
 Title: "unkown file",
@@ -294,14 +295,15 @@ func TestRunScanFilesystemError(t *testing.T) {
 SkipJavaDBUpdate: true,
 },
 PackageOptions: flag.PackageOptions{
- PkgTypes: []string{types.PkgTypeLibrary},
+ PkgTypes: []string{ptypes.PkgTypeLibrary},
+ PkgRelationships: ftypes.Relationships,
 },
 ReportOptions: flag.ReportOptions{
 ListAllPkgs: true,
 },
 ScanOptions: flag.ScanOptions{
 OfflineScan: true,
- Scanners: types.Scanners{types.VulnerabilityScanner},
+ Scanners: ptypes.Scanners{ptypes.VulnerabilityScanner},
 Target: sourceDir,
 },
 }
@@ -315,7 +317,7 @@ func TestRunScanFilesystemError(t *testing.T) {
 mockRunner.EXPECT().ScanFilesystem(
 gomock.Eq(ctx),
 gomock.Eq(config),
- ).Return(types.Report{}, assert.AnError).Times(1)
+ ).Return(ptypes.Report{}, assert.AnError).Times(1)
 mockRunner.EXPECT().Close(
 gomock.Eq(ctx),
 ).Return(nil).Times(1)