feat: prepare for config scanning (#1005)

* temp: disable config scanning
2025-12-21 23:00:42 -08:00 · 2021-05-20 09:05:36 +03:00
parent 8fc6ea6489
commit 1b66b77f69
77 changed files with 2212 additions and 2341 deletions
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -3,13 +3,13 @@ package artifact
 import (
 	"context"
 	"errors"
-	l "log"
 	"os"
 	"time"

 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/aquasecurity/fanal/analyzer/config"
 	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy/pkg/commands/operation"
@@ -24,25 +24,25 @@ var errSkipScan = errors.New("skip subsequent processes")

 // InitializeScanner type to define initialize function signature
 type InitializeScanner func(context.Context, string, cache.ArtifactCache, cache.LocalArtifactCache, time.Duration,
-	[]analyzer.Type) (scanner.Scanner, func(), error)
+	[]analyzer.Type, config.ScannerOption) (scanner.Scanner, func(), error)

-func run(ctx context.Context, conf Config, initializeScanner InitializeScanner) error {
-	ctx, cancel := context.WithTimeout(ctx, conf.Timeout)
+// InitCache defines cache initializer
+type InitCache func(c Option) (cache.Cache, error)
+
+// Run performs artifact scanning
+func Run(ctx context.Context, opt Option, initializeScanner InitializeScanner, initCache InitCache) error {
+	ctx, cancel := context.WithTimeout(ctx, opt.Timeout)
 	defer cancel()

-	err := runWithTimeout(ctx, conf, initializeScanner)
-	if xerrors.Is(err, context.DeadlineExceeded) {
-		log.Logger.Warn("Increase --timeout value")
-	}
-	return err
+	return runWithTimeout(ctx, opt, initializeScanner, initCache)
 }

-func runWithTimeout(ctx context.Context, conf Config, initializeScanner InitializeScanner) error {
-	if err := log.InitLogger(conf.Debug, conf.Quiet); err != nil {
-		l.Fatal(err)
+func runWithTimeout(ctx context.Context, opt Option, initializeScanner InitializeScanner, initCache InitCache) error {
+	if err := log.InitLogger(opt.Debug, opt.Quiet); err != nil {
+		return err
 	}

-	cacheClient, err := initCache(conf)
+	cacheClient, err := initCache(opt)
 	if err != nil {
 		if errors.Is(err, errSkipScan) {
 			return nil
@@ -51,34 +51,37 @@ func runWithTimeout(ctx context.Context, conf Config, initializeScanner Initiali
 	}
 	defer cacheClient.Close()

-	if err = initDB(conf); err != nil {
-		if errors.Is(err, errSkipScan) {
-			return nil
+	// When scanning config files, it doesn't need to download the vulnerability database.
+	if utils.StringInSlice(types.SecurityCheckVulnerability, opt.SecurityChecks) {
+		if err = initDB(opt); err != nil {
+			if errors.Is(err, errSkipScan) {
+				return nil
+			}
+			return xerrors.Errorf("DB error: %w", err)
 		}
-		return xerrors.Errorf("DB error: %w", err)
+		defer db.Close()
 	}
-	defer db.Close()

-	results, err := scan(ctx, conf, initializeScanner, cacheClient)
+	results, err := scan(ctx, opt, initializeScanner, cacheClient)
 	if err != nil {
 		return xerrors.Errorf("scan error: %w", err)
 	}

-	results, err = filter(ctx, conf, results)
+	results, err = filter(ctx, opt, results)
 	if err != nil {
 		return xerrors.Errorf("filter error: %w", err)
 	}

-	if err = report.WriteResults(conf.Format, conf.Output, conf.Severities, results, conf.Template, conf.Light); err != nil {
+	if err = report.WriteResults(opt.Format, opt.Output, opt.Severities, results, opt.Template, opt.Light); err != nil {
 		return xerrors.Errorf("unable to write results: %w", err)
 	}

-	exit(conf, results)
+	exit(opt, results)

 	return nil
 }

-func initCache(c Config) (operation.Cache, error) {
+func initFSCache(c Option) (cache.Cache, error) {
 	utils.SetCacheDir(c.CacheDir)
 	cache, err := operation.NewCache(c.CacheBackend)
 	if err != nil {
@@ -95,7 +98,7 @@ func initCache(c Config) (operation.Cache, error) {
 	}
 	if c.ClearCache {
 		defer cache.Close()
-		if err = cache.ClearImages(); err != nil {
+		if err = cache.ClearArtifacts(); err != nil {
 			return operation.Cache{}, xerrors.Errorf("cache clear error: %w", err)
 		}
 		return operation.Cache{}, errSkipScan
@@ -103,7 +106,7 @@ func initCache(c Config) (operation.Cache, error) {
 	return cache, nil
 }

-func initDB(c Config) error {
+func initDB(c Option) error {
 	// download the database file
 	noProgress := c.Quiet || c.NoProgress
 	if err := operation.DownloadDB(c.AppVersion, c.CacheDir, noProgress, c.Light, c.SkipUpdate); err != nil {
@@ -120,29 +123,36 @@ func initDB(c Config) error {
 	return nil
 }

-func scan(ctx context.Context, conf Config, initializeScanner InitializeScanner, cacheClient cache.Cache) (
+func scan(ctx context.Context, opt Option, initializeScanner InitializeScanner, cacheClient cache.Cache) (
 	report.Results, error) {
-	target := conf.Target
-	if conf.Input != "" {
-		target = conf.Input
+	target := opt.Target
+	if opt.Input != "" {
+		target = opt.Input
 	}

 	scanOptions := types.ScanOptions{
-		VulnType:            conf.VulnType,
-		ScanRemovedPackages: conf.ScanRemovedPkgs, // this is valid only for image subcommand
-		ListAllPackages:     conf.ListAllPkgs,
-		SkipFiles:           conf.SkipFiles,
-		SkipDirs:            conf.SkipDirs,
+		VulnType:            opt.VulnType,
+		SecurityChecks:      opt.SecurityChecks,
+		ScanRemovedPackages: opt.ScanRemovedPkgs, // this is valid only for image subcommand
+		ListAllPackages:     opt.ListAllPkgs,
+		SkipFiles:           opt.SkipFiles,
+		SkipDirs:            opt.SkipDirs,
 	}
 	log.Logger.Debugf("Vulnerability type:  %s", scanOptions.VulnType)

 	// It doesn't analyze apk commands by default.
 	disabledAnalyzers := []analyzer.Type{analyzer.TypeApkCommand}
-	if conf.ScanRemovedPkgs {
+	if opt.ScanRemovedPkgs {
 		disabledAnalyzers = []analyzer.Type{}
 	}

-	s, cleanup, err := initializeScanner(ctx, target, cacheClient, cacheClient, conf.Timeout, disabledAnalyzers)
+	// TODO: fix the scanner option and enable config analyzers once we finalize the specification of config scanning.
+	configScannerOptions := config.ScannerOption{}
+	disabledAnalyzers = append(disabledAnalyzers, analyzer.TypeYaml, analyzer.TypeTOML, analyzer.TypeJSON,
+		analyzer.TypeDockerfile, analyzer.TypeHCL)
+
+	s, cleanup, err := initializeScanner(ctx, target, cacheClient, cacheClient, opt.Timeout,
+		disabledAnalyzers, configScannerOptions)
 	if err != nil {
 		return nil, xerrors.Errorf("unable to initialize a scanner: %w", err)
 	}
@@ -155,12 +165,12 @@ func scan(ctx context.Context, conf Config, initializeScanner InitializeScanner,
 	return results, nil
 }

-func filter(ctx context.Context, conf Config, results report.Results) (report.Results, error) {
-	vulnClient := initializeVulnerabilityClient()
+func filter(ctx context.Context, opt Option, results report.Results) (report.Results, error) {
+	resultClient := initializeResultClient()
 	for i := range results {
-		vulnClient.FillInfo(results[i].Vulnerabilities, results[i].Type)
-		vulns, err := vulnClient.Filter(ctx, results[i].Vulnerabilities,
-			conf.Severities, conf.IgnoreUnfixed, conf.IgnoreFile, conf.IgnorePolicy)
+		resultClient.FillInfo(results[i].Vulnerabilities, results[i].Type)
+		vulns, err := resultClient.Filter(ctx, results[i].Vulnerabilities,
+			opt.Severities, opt.IgnoreUnfixed, opt.IgnoreFile, opt.IgnorePolicy)
 		if err != nil {
 			return nil, xerrors.Errorf("unable to filter vulnerabilities: %w", err)
 		}
@@ -169,12 +179,8 @@ func filter(ctx context.Context, conf Config, results report.Results) (report.Re
 	return results, nil
 }

-func exit(c Config, results report.Results) {
-	if c.ExitCode != 0 {
-		for _, result := range results {
-			if len(result.Vulnerabilities) > 0 {
-				os.Exit(c.ExitCode)
-			}
-		}
+func exit(c Option, results report.Results) {
+	if c.ExitCode != 0 && results.Failed() {
+		os.Exit(c.ExitCode)
 	}
 }