Merge branch 'aquasecurity:main' into main

integration/client_server_test.go

@@ -559,7 +559,7 @@ func TestClientServerWithRedis(t *testing.T) {
 	})
 
 	// Terminate the Redis container
-	require.NoError(t, redisC.Terminate(ctx))
+	require.NoError(t, testcontainers.TerminateContainer(redisC))
 
 	t.Run("sad path", func(t *testing.T) {
 		osArgs := setupClient(t, testArgs, addr, cacheDir)

integration/registry_test.go

@@ -132,15 +132,15 @@ func TestRegistry(t *testing.T) {
 	// set up auth server
 	authC, err := setupAuthServer(ctx, baseDir)
 	require.NoError(t, err)
-	defer authC.Terminate(ctx)
+	testcontainers.CleanupContainer(t, authC)
 
 	authURL, err := getURL(ctx, authC, authPort)
 	require.NoError(t, err)
 
 	// set up registry
 	registryC, err := setupRegistry(ctx, baseDir, authURL)
 	require.NoError(t, err)
-	defer registryC.Terminate(ctx)
+	testcontainers.CleanupContainer(t, registryC)
 
 	registryURL, err := getURL(ctx, registryC, registryPort)
 	require.NoError(t, err)

pkg/fanal/artifact/local/fs.go

@@ -82,6 +82,7 @@ func (a Artifact) Inspect(ctx context.Context) (artifact.Reference, error) {
 	if err != nil {
 		return artifact.Reference{}, xerrors.Errorf("failed to prepare filesystem for post analysis: %w", err)
 	}
+	defer composite.Cleanup()
 
 	err = a.walker.Walk(a.rootPath, a.artifactOption.WalkerOption, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
 		dir := a.rootPath

pkg/fanal/image/daemon/containerd.go

@@ -10,12 +10,12 @@ import (
 	"strings"
 	"time"
 
-	"github.com/containerd/containerd"
-	"github.com/containerd/containerd/content"
-	"github.com/containerd/containerd/images/archive"
-	"github.com/containerd/containerd/namespaces"
-	"github.com/containerd/containerd/platforms"
-	refdocker "github.com/containerd/containerd/reference/docker"
+	"github.com/containerd/containerd/v2/client"
+	"github.com/containerd/containerd/v2/core/content"
+	"github.com/containerd/containerd/v2/core/images/archive"
+	"github.com/containerd/containerd/v2/pkg/namespaces"
+	"github.com/containerd/platforms"
+	"github.com/distribution/reference"
 	api "github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/go-connections/nat"
@@ -52,12 +52,12 @@ func (n familiarNamed) String() string {
 	return string(n)
 }
 
-func imageWriter(client *containerd.Client, img containerd.Image, platform types.Platform) imageSave {
+func imageWriter(c *client.Client, img client.Image, platform types.Platform) imageSave {
 	return func(ctx context.Context, ref []string) (io.ReadCloser, error) {
 		if len(ref) < 1 {
 			return nil, xerrors.New("no image reference")
 		}
-		imgOpts := archive.WithImage(client.ImageService(), ref[0])
+		imgOpts := archive.WithImage(c.ImageService(), ref[0])
 		manifestOpts := archive.WithManifest(img.Target())
 
 		var platformMatchComparer platforms.MatchComparer
@@ -69,7 +69,7 @@ func imageWriter(client *containerd.Client, img containerd.Image, platform types
 		platOpts := archive.WithPlatform(platformMatchComparer)
 		pr, pw := io.Pipe()
 		go func() {
-			pw.CloseWithError(archive.Export(ctx, client.ContentStore(), pw, imgOpts, manifestOpts, platOpts))
+			pw.CloseWithError(archive.Export(ctx, c.ContentStore(), pw, imgOpts, manifestOpts, platOpts))
 		}()
 		return pr, nil
 	}
@@ -94,17 +94,17 @@ func ContainerdImage(ctx context.Context, imageName string, opts types.ImageOpti
 		return nil, cleanup, err
 	}
 
-	var options []containerd.ClientOpt
+	var options []client.Opt
 	if opts.RegistryOptions.Platform.Platform != nil {
 		ociPlatform, err := platforms.Parse(opts.RegistryOptions.Platform.String())
 		if err != nil {
 			return nil, cleanup, err
 		}
 
-		options = append(options, containerd.WithDefaultPlatform(platforms.OnlyStrict(ociPlatform)))
+		options = append(options, client.WithDefaultPlatform(platforms.OnlyStrict(ociPlatform)))
 	}
 
-	client, err := containerd.New(addr, options...)
+	c, err := client.New(addr, options...)
 	if err != nil {
 		return nil, cleanup, xerrors.Errorf("failed to initialize a containerd client: %w", err)
 	}
@@ -116,7 +116,7 @@ func ContainerdImage(ctx context.Context, imageName string, opts types.ImageOpti
 
 	ctx = namespaces.WithNamespace(ctx, namespace)
 
-	imgs, err := client.ListImages(ctx, searchFilters...)
+	imgs, err := c.ListImages(ctx, searchFilters...)
 	if err != nil {
 		return nil, cleanup, xerrors.Errorf("failed to list images from containerd client: %w", err)
 	}
@@ -133,7 +133,7 @@ func ContainerdImage(ctx context.Context, imageName string, opts types.ImageOpti
 	}
 
 	cleanup = func() {
-		_ = client.Close()
+		_ = c.Close()
 		_ = f.Close()
 		_ = os.Remove(f.Name())
 	}
@@ -144,21 +144,21 @@ func ContainerdImage(ctx context.Context, imageName string, opts types.ImageOpti
 	}
 
 	return &image{
-		opener:  imageOpener(ctx, ref.String(), f, imageWriter(client, img, opts.RegistryOptions.Platform)),
+		opener:  imageOpener(ctx, ref.String(), f, imageWriter(c, img, opts.RegistryOptions.Platform)),
 		inspect: insp,
 		history: history,
 	}, cleanup, nil
 }
 
-func parseReference(imageName string) (refdocker.Reference, []string, error) {
-	ref, err := refdocker.ParseAnyReference(imageName)
+func parseReference(imageName string) (reference.Reference, []string, error) {
+	ref, err := reference.ParseAnyReference(imageName)
 	if err != nil {
 		return nil, nil, xerrors.Errorf("parse error: %w", err)
 	}
 
-	d, isDigested := ref.(refdocker.Digested)
-	n, isNamed := ref.(refdocker.Named)
-	nt, isNamedAndTagged := ref.(refdocker.NamedTagged)
+	d, isDigested := ref.(reference.Digested)
+	n, isNamed := ref.(reference.Named)
+	nt, isNamedAndTagged := ref.(reference.NamedTagged)
 
 	// a name plus a digest
 	// example: name@sha256:41adb3ef...
@@ -168,7 +168,7 @@ func parseReference(imageName string) (refdocker.Reference, []string, error) {
 		// comma-separated filter is logically anded
 		return ref, []string{
 			fmt.Sprintf(`name~="^%s(:|@).*",target.digest==%q`, n.Name(), dgst),
-			fmt.Sprintf(`name~="^%s(:|@).*",target.digest==%q`, refdocker.FamiliarName(n), dgst),
+			fmt.Sprintf(`name~="^%s(:|@).*",target.digest==%q`, reference.FamiliarName(n), dgst),
 		}, nil
 	}
 
@@ -184,7 +184,7 @@ func parseReference(imageName string) (refdocker.Reference, []string, error) {
 		tag := nt.Tag()
 		return familiarNamed(imageName), []string{
 			fmt.Sprintf(`name=="%s:%s"`, nt.Name(), tag),
-			fmt.Sprintf(`name=="%s:%s"`, refdocker.FamiliarName(nt), tag),
+			fmt.Sprintf(`name=="%s:%s"`, reference.FamiliarName(nt), tag),
 		}, nil
 	}
 
@@ -193,7 +193,7 @@ func parseReference(imageName string) (refdocker.Reference, []string, error) {
 
 // readImageConfig reads the config spec (`application/vnd.oci.image.config.v1+json`) for img.platform from content store.
 // ported from https://github.com/containerd/nerdctl/blob/7dfbaa2122628921febeb097e7a8a86074dc931d/pkg/imgutil/imgutil.go#L377-L393
-func readImageConfig(ctx context.Context, img containerd.Image) (ocispec.Image, ocispec.Descriptor, error) {
+func readImageConfig(ctx context.Context, img client.Image) (ocispec.Image, ocispec.Descriptor, error) {
 	var config ocispec.Image
 
 	configDesc, err := img.Config(ctx) // aware of img.platform
@@ -211,19 +211,19 @@ func readImageConfig(ctx context.Context, img containerd.Image) (ocispec.Image,
 }
 
 // ported from https://github.com/containerd/nerdctl/blob/d110fea18018f13c3f798fa6565e482f3ff03591/pkg/inspecttypes/dockercompat/dockercompat.go#L279-L321
-func inspect(ctx context.Context, img containerd.Image, ref refdocker.Reference) (api.ImageInspect, []v1.History, refdocker.Reference, error) {
-	if _, ok := ref.(refdocker.Digested); ok {
+func inspect(ctx context.Context, img client.Image, ref reference.Reference) (api.ImageInspect, []v1.History, reference.Reference, error) {
+	if _, ok := ref.(reference.Digested); ok {
 		ref = familiarNamed(img.Name())
 	}
 
 	var tag string
-	if tagged, ok := ref.(refdocker.Tagged); ok {
+	if tagged, ok := ref.(reference.Tagged); ok {
 		tag = tagged.Tag()
 	}
 
 	var repository string
-	if n, isNamed := ref.(refdocker.Named); isNamed {
-		repository = refdocker.FamiliarName(n)
+	if n, isNamed := ref.(reference.Named); isNamed {
+		repository = reference.FamiliarName(n)
 	}
 
 	imgConfig, imgConfigDesc, err := readImageConfig(ctx, img)

pkg/fanal/test/integration/containerd_test.go

@@ -15,13 +15,12 @@ import (
 	"testing"
 	"time"
 
-	"github.com/samber/lo"
-
-	"github.com/containerd/containerd"
-	"github.com/containerd/containerd/images"
-	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/v2/client"
+	"github.com/containerd/containerd/v2/core/images"
+	"github.com/containerd/containerd/v2/pkg/namespaces"
 	dockercontainer "github.com/docker/docker/api/types/container"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/testcontainers/testcontainers-go"
@@ -37,7 +36,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
 )
 
-func setupContainerd(t *testing.T, ctx context.Context, namespace string) *containerd.Client {
+func setupContainerd(t *testing.T, ctx context.Context, namespace string) *client.Client {
 	t.Helper()
 	tmpDir := t.TempDir()
 
@@ -54,23 +53,23 @@ func setupContainerd(t *testing.T, ctx context.Context, namespace string) *conta
 	startContainerd(t, ctx, tmpDir)
 
 	// Retry up to 3 times until containerd is ready
-	var client *containerd.Client
+	var c *client.Client
 	iteration, _, err := lo.AttemptWhileWithDelay(3, 1*time.Second, func(int, time.Duration) (error, bool) {
-		client, err = containerd.New(socketPath)
+		c, err = client.New(socketPath)
 		if err != nil {
 			if !errors.Is(err, os.ErrPermission) {
 				return err, false // unexpected error
 			}
 			return err, true
 		}
 		t.Cleanup(func() {
-			require.NoError(t, client.Close())
+			require.NoError(t, c.Close())
 		})
 		return nil, false
 	})
 	require.NoErrorf(t, err, "attempted %d times ", iteration)
 
-	return client
+	return c
 }
 
 func startContainerd(t *testing.T, ctx context.Context, hostPath string) {
@@ -102,17 +101,14 @@ func startContainerd(t *testing.T, ctx context.Context, hostPath string) {
 		Started:          true,
 	})
 	require.NoError(t, err)
+	testcontainers.CleanupContainer(t, containerdC)
 
 	_, _, err = containerdC.Exec(ctx, []string{
 		"chmod",
 		"666",
 		"/run/containerd/containerd.sock",
 	})
 	require.NoError(t, err)
-
-	t.Cleanup(func() {
-		require.NoError(t, containerdC.Terminate(ctx))
-	})
 }
 
 // Each of these tests imports an image and tags it with the name found in the

pkg/fanal/test/integration/registry_test.go

@@ -73,7 +73,7 @@ func TestTLSRegistry(t *testing.T) {
 		Started:          true,
 	})
 	require.NoError(t, err)
-	defer registryC.Terminate(ctx)
+	testcontainers.CleanupContainer(t, registryC)
 
 	registryURL, err := getRegistryURL(ctx, registryC, registryPort)
 	require.NoError(t, err)

pkg/iac/scanners/cloudformation/parser/file_context.go

@@ -1,6 +1,8 @@
 package parser
 
 import (
+	"github.com/samber/lo"
+
 	"github.com/aquasecurity/trivy/pkg/iac/ignore"
 	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 )
@@ -71,3 +73,11 @@ func (t *FileContext) missingParameterValues() []string {
 	}
 	return missing
 }
+
+func (t *FileContext) stripNullProperties() {
+	for _, resource := range t.Resources {
+		resource.Inner.Properties = lo.OmitBy(resource.Inner.Properties, func(k string, v *Property) bool {
+			return v.IsNil()
+		})
+	}
+}