Merge branch 'master' into master

2025-12-05 20:40:16 -08:00 · 2019-11-01 11:52:26 +05:30
parent 4925873a67 f326beb1f2
commit 5a3ebc1ba9
8 changed files with 120 additions and 6 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -15,7 +15,7 @@ jobs:
            if test -z "$(gofmt -l .)"; then
              echo "Congrats! There is nothing to fix."
            else
-              "The following lines should be fixed."
+              echo "The following lines should be fixed."
              gofmt -s -d .
              exit 1
            fi
--- a/2
+++ b/2
@@ -2,4 +2,4 @@ FROM alpine:3.10
 RUN apk --no-cache add ca-certificates git rpm
 COPY trivy /usr/local/bin/trivy

-ENTRYPOINT ["trivy"]
+ENTRYPOINT ["trivy"]
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
  - [Save the results as JSON](#save-the-results-as-json)
  - [Filter the vulnerabilities by severities](#filter-the-vulnerabilities-by-severities)
  - [Filter the vulnerabilities by type](#filter-the-vulnerabilities-by-type)
-  - [Skip an update of vulnerability DB](#skip-an-update-of-vulnerability-db)
+  - [Skip an update of vulnerability DB](#skip-update-of-vulnerability-db)
  - [Ignore unfixed vulnerabilities](#ignore-unfixed-vulnerabilities)
  - [Specify exit code](#specify-exit-code)
  - [Ignore the specified vulnerabilities](#ignore-the-specified-vulnerabilities)
@@ -169,7 +169,7 @@ You also need to install `rpm` command for scanning images based on RHEL/CentOS.

 # Quick Start

-Simply specify an image name (and a tag). **The `latest` tag should be avoided as problems occur with cache.**. See [Clear image caches](#clear-image-caches).
+Simply specify an image name (and a tag). **The `latest` tag should be avoided as problems occur with the image cache.** See [Clear image caches](#clear-image-caches).

 ## Basic

@@ -899,6 +899,15 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

 </details>

+### Only download vulnerability database
+
+You can also ask `Trivy` to simply retrieve the vulnerability database. This is useful to initialize workers in Continuous Integration systems. In the first run, the `--only-update` option is silently ignored.
+
+```
+$ trivy --download-db-only
+$ trivy --download-db-only --only-update alpine
+```
+
 ### Ignore unfixed vulnerabilities

 By default, `Trivy` also detects unpatched/unfixed vulnerabilities. This means you can't fix these vulnerabilities even if you update all packages.
@@ -1148,6 +1157,34 @@ workflows:
 Example: https://circleci.com/gh/aquasecurity/trivy-ci-test  
 Repository: https://github.com/aquasecurity/trivy-ci-test

+## GitLab
+
+```
+$ cat .gitlab-ci.yml
+stages:
+  - test
+
+trivy:
+  stage: test
+  image: docker:stable-git
+  before_script:
+    - docker build -t trivy-ci-test:${CI_COMMIT_REF_NAME} .
+    - export VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+    - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
+    - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
+  variables:
+    DOCKER_DRIVER: overlay2
+  allow_failure: true
+  services:
+    - docker:stable-dind
+  script:
+    - ./trivy --exit-code 0 --severity HIGH --no-progress --auto-refresh trivy-ci-test:${CI_COMMIT_REF_NAME}
+    - ./trivy --exit-code 1 --severity CRITICAL --no-progress --auto-refresh trivy-ci-test:${CI_COMMIT_REF_NAME}
+  cache:
+    directories:
+      - $HOME/.cache/trivy
+```   
+
 ## Authorization for Private Docker Registry

 Trivy can download images from private registry, without installing `Docker` and any 3rd party tools.
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -98,4 +98,4 @@ dockers:
      - "--label=org.label-schema.version={{ .Version }}"
      - "--label=org.label-schema.build-date={{ .Date }}"
      - "--label=org.label-schema.vcs=https://github.com/aquasecurity/trivy"
-      - "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
+      - "--label=org.label-schema.vcs-ref={{ .FullCommit }}"
--- a/pkg/app.go
+++ b/pkg/app.go
@@ -32,6 +32,8 @@ OPTIONS:

 	app.Usage = "A simple and comprehensive vulnerability scanner for containers"

+	app.EnableBashCompletion = true
+
 	app.Flags = []cli.Flag{
 		cli.StringFlag{
 			Name:  "template, t",
@@ -70,6 +72,10 @@ OPTIONS:
 			Name:  "only-update",
 			Usage: "update db only specified distribution (comma separated)",
 		},
+		cli.BoolFlag{
+			Name:  "download-db-only",
+			Usage: "download/update vulnerability database but don't run a scan",
+		},
 		cli.BoolFlag{
 			Name:  "reset",
 			Usage: "remove all caches and database",
--- a/pkg/run.go
+++ b/pkg/run.go
@@ -53,12 +53,13 @@ func Run(c *cli.Context) (err error) {
 	}

 	refresh := c.Bool("refresh")
+	downloadOnly := c.Bool("download-db-only")
 	args := c.Args()
 	var noTarget bool
 	filePath := c.String("input")
 	if filePath == "" && len(args) == 0 {
 		noTarget = true
-		if !reset && !clearCache && !refresh {
+		if !reset && !clearCache && !refresh && !downloadOnly {
 			log.Logger.Info(`trivy requires at least 1 argument or --input option.`)
 			cli.ShowAppHelpAndExit(c, 1)
 		}
@@ -78,6 +79,9 @@ func Run(c *cli.Context) (err error) {
 	if skipUpdate && onlyUpdate != "" {
 		return xerrors.New("The --skip-update and --only-update option can not be specified both")
 	}
+	if skipUpdate && downloadOnly {
+		return xerrors.New("The --skip-update and --download-db-only option can not be specified both")
+	}

 	if err = db.Init(); err != nil {
 		return xerrors.Errorf("error in vulnerability DB initialize: %w", err)
@@ -109,6 +113,12 @@ func Run(c *cli.Context) (err error) {
 		if err = vulnsrc.Update(updateTargets); err != nil {
 			return xerrors.Errorf("error in vulnerability DB update: %w", err)
 		}
+		if downloadOnly {
+			if onlyUpdate != "" {
+				log.Logger.Warn("The --only-update option will be ignored if the database is empty")
+			}
+			return nil
+		}
 	}

 	dbc := db.Config{}
--- a/pkg/scanner/library/bundler/scan.go
+++ b/pkg/scanner/library/bundler/scan.go
@@ -18,10 +18,29 @@ const (
 	scannerType = "bundler"
 )

+var (
+	platformReplacer = strings.NewReplacer(
+		"-java", "+java",
+		"-mswin32", "+msin32",
+		"-mswin64", "+mswin64",
+		"-universal-mingw32", "+universal-mingw32",
+		"-x64-mingw32", "+x64-mingw32",
+		"-x86_64-mingw32", "+x86_64-mingw32",
+		"-mingw32", "+mingw32",
+	)
+)
+
 type Scanner struct {
 	db AdvisoryDB
 }

+func massageLockFileVersion(version string) string {
+	// Move the platform into "metadata" semver section.
+	// This is because otherwise we end up placing it in the "pre-release" section
+	// of the semver value, and this breaks our version comparisons in the scanner.
+	return platformReplacer.Replace(version)
+}
+
 func NewScanner() *Scanner {
 	return &Scanner{}
 }
@@ -60,6 +79,11 @@ func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) {
 	if err != nil {
 		return nil, xerrors.Errorf("invalid Gemfile.lock format: %w", err)
 	}
+
+	for _, lib := range libs {
+		lib.Version = massageLockFileVersion(lib.Version)
+	}
+
 	return libs, nil
 }

--- a/pkg/scanner/library/bundler/scan_test.go
+++ b/pkg/scanner/library/bundler/scan_test.go
@@ -0,0 +1,37 @@
+package bundler
+
+import (
+	"github.com/knqyf263/go-version"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestScanner_Detect(t *testing.T) {
+	t.Run("Issue #108", func(t *testing.T) {
+		// https://github.com/aquasecurity/trivy/issues/108
+		// Validate that the massaging that happens when parsing the lockfile
+		// allows us to better handle the platform metadata
+		s := NewScanner()
+
+		s.db = AdvisoryDB{
+			"ffi": []Advisory{
+				{
+					Gem:             "ffi",
+					PatchedVersions: []string{">= 1.9.24"},
+				},
+			},
+		}
+
+		versionStr := "1.9.25-x64-mingw32"
+
+		versionStr = platformReplacer.Replace(versionStr)
+
+		v, _ := version.NewVersion(versionStr)
+
+		vulns, err := s.Detect("ffi", v)
+
+		assert.Nil(t, err)
+
+		assert.Equal(t, len(vulns), 0)
+	})
+}