gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-23 07:29:00 -08:00
Code Issues Packages Projects Releases Wiki Activity

fix: Fix --file-patterns flag (#2625)

Browse Source
This commit is contained in:
Liam Galvin
2022-07-29 19:54:57 +01:00
committed by GitHub
parent c2a7ad5c01
commit 27027cf40d
4 changed files with 87 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
integration/fs_test.go
View File

@@ -23,6 +23,7 @@ func TestFilesystem(t *testing.T) {
listAllPkgs bool listAllPkgs bool
input string input string
secretConfig string secretConfig string
filePatterns []string
} }
tests := []struct { tests := []struct {
name string name string
@@ -79,6 +80,16 @@ func TestFilesystem(t *testing.T) {
}, },
golden: "testdata/dockerfile.json.golden", golden: "testdata/dockerfile.json.golden",
}, },
{
name: "dockerfile with custom file pattern",
args: args{
securityChecks: "config",
input: "testdata/fixtures/fs/dockerfile_file_pattern",
namespaces: []string{"testing"},
filePatterns: []string{"dockerfile:Customfile"},
},
golden: "testdata/dockerfile_file_pattern.json.golden",
},
{ {
name: "dockerfile with rule exception", name: "dockerfile with rule exception",
args: args{ args: args{
@@ -178,6 +189,12 @@ func TestFilesystem(t *testing.T) {
defer os.Remove(trivyIgnore) defer os.Remove(trivyIgnore)
} }
if len(tt.args.filePatterns) != 0 {
for _, filePattern := range tt.args.filePatterns {
osArgs = append(osArgs, "--file-patterns", filePattern)
}
}
// Setup the output file // Setup the output file
outputFile := filepath.Join(t.TempDir(), "output.json") outputFile := filepath.Join(t.TempDir(), "output.json")
if *update { if *update {

56
integration/testdata/dockerfile_file_pattern.json.golden vendored Normal file
View File

@@ -0,0 +1,56 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/dockerfile_file_pattern",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Customfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 21,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}

1
integration/testdata/fixtures/fs/dockerfile_file_pattern/Customfile vendored Normal file
View File

@@ -0,0 +1 @@
FROM alpine:3.13

13
pkg/fanal/handler/misconf/misconf.go
View File

@@ -39,6 +39,7 @@ func init() {
const version = 1 const version = 1
type misconfPostHandler struct { type misconfPostHandler struct {
filePatterns []string
scanners map[string]scanners.Scanner scanners map[string]scanners.Scanner
} }
@@ -177,6 +178,7 @@ func newMisconfPostHandler(artifactOpt artifact.Option) (handler.PostHandler, er
} }
return misconfPostHandler{ return misconfPostHandler{
filePatterns: artifactOpt.MisconfScannerOption.FilePatterns,
scanners: map[string]scanners.Scanner{ scanners: map[string]scanners.Scanner{
types.Terraform: tfscanner.New(opts...), types.Terraform: tfscanner.New(opts...),
types.CloudFormation: cfscanner.New(opts...), types.CloudFormation: cfscanner.New(opts...),
@@ -197,6 +199,15 @@ var enabledDefsecTypes = map[detection.FileType]string{
detection.FileTypeRbac: types.Rbac, detection.FileTypeRbac: types.Rbac,
} }
func (h misconfPostHandler) hasCustomPatternForType(t string) bool {
for _, pattern := range h.filePatterns {
if strings.HasPrefix(pattern, t+":") {
return true
}
}
return false
}
// Handle detects misconfigurations. // Handle detects misconfigurations.
func (h misconfPostHandler) Handle(ctx context.Context, result *analyzer.AnalysisResult, blob *types.BlobInfo) error { func (h misconfPostHandler) Handle(ctx context.Context, result *analyzer.AnalysisResult, blob *types.BlobInfo) error {
files, ok := result.Files[h.Type()] files, ok := result.Files[h.Type()]
@@ -214,7 +225,7 @@ func (h misconfPostHandler) Handle(ctx context.Context, result *analyzer.Analysi
for defsecType, localType := range enabledDefsecTypes { for defsecType, localType := range enabledDefsecTypes {
buffer := bytes.NewReader(file.Content) buffer := bytes.NewReader(file.Content)
if !detection.IsType(file.Path, buffer, defsecType) { if !h.hasCustomPatternForType(localType) && !detection.IsType(file.Path, buffer, defsecType) {
continue continue
} }
// Replace with more detailed config type // Replace with more detailed config type