mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-21 23:00:42 -08:00
refactor: move from urfave/cli to spf13/cobra (#2458)
Co-authored-by: afdesk <work@afdesk.com> Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
This commit is contained in:
Teppei Fukuda
@@ -6,7 +6,6 @@ import (
|
||||
"os"
|
||||
|
||||
"github.com/hashicorp/go-multierror"
|
||||
"github.com/urfave/cli/v2"
|
||||
"golang.org/x/exp/slices"
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
@@ -18,6 +17,7 @@ import (
|
||||
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/secret"
|
||||
"github.com/aquasecurity/trivy/pkg/fanal/artifact"
|
||||
"github.com/aquasecurity/trivy/pkg/fanal/cache"
|
||||
"github.com/aquasecurity/trivy/pkg/flag"
|
||||
"github.com/aquasecurity/trivy/pkg/log"
|
||||
"github.com/aquasecurity/trivy/pkg/module"
|
||||
pkgReport "github.com/aquasecurity/trivy/pkg/report"
|
||||
@@ -65,19 +65,19 @@ type ScannerConfig struct {
|
||||
|
||||
type Runner interface {
|
||||
// ScanImage scans an image
|
||||
ScanImage(ctx context.Context, opt Option) (types.Report, error)
|
||||
ScanImage(ctx context.Context, opts flag.Options) (types.Report, error)
|
||||
// ScanFilesystem scans a filesystem
|
||||
ScanFilesystem(ctx context.Context, opt Option) (types.Report, error)
|
||||
ScanFilesystem(ctx context.Context, opts flag.Options) (types.Report, error)
|
||||
// ScanRootfs scans rootfs
|
||||
ScanRootfs(ctx context.Context, opt Option) (types.Report, error)
|
||||
ScanRootfs(ctx context.Context, opts flag.Options) (types.Report, error)
|
||||
// ScanRepository scans repository
|
||||
ScanRepository(ctx context.Context, opt Option) (types.Report, error)
|
||||
ScanRepository(ctx context.Context, opts flag.Options) (types.Report, error)
|
||||
// ScanSBOM scans SBOM
|
||||
ScanSBOM(ctx context.Context, opt Option) (types.Report, error)
|
||||
ScanSBOM(ctx context.Context, opts flag.Options) (types.Report, error)
|
||||
// Filter filter a report
|
||||
Filter(ctx context.Context, opt Option, report types.Report) (types.Report, error)
|
||||
Filter(ctx context.Context, opts flag.Options, report types.Report) (types.Report, error)
|
||||
// Report a writes a report
|
||||
Report(opt Option, report types.Report) error
|
||||
Report(opts flag.Options, report types.Report) error
|
||||
// Close closes runner
|
||||
Close(ctx context.Context) error
|
||||
}
|
||||
@@ -93,6 +93,7 @@ type runner struct {
|
||||
type runnerOption func(*runner)
|
||||
|
||||
// WithCacheClient takes a custom cache implementation
|
||||
// It is useful when Trivy is imported as a library.
|
||||
func WithCacheClient(c cache.Cache) runnerOption {
|
||||
return func(r *runner) {
|
||||
r.cache = c
|
||||
@@ -101,23 +102,23 @@ func WithCacheClient(c cache.Cache) runnerOption {
|
||||
|
||||
// NewRunner initializes Runner that provides scanning functionalities.
|
||||
// It is possible to return SkipScan and it must be handled by caller.
|
||||
func NewRunner(cliOption Option, opts ...runnerOption) (Runner, error) {
|
||||
func NewRunner(ctx context.Context, cliOptions flag.Options, opts ...runnerOption) (Runner, error) {
|
||||
r := &runner{}
|
||||
for _, opt := range opts {
|
||||
opt(r)
|
||||
}
|
||||
|
||||
err := log.InitLogger(cliOption.Debug, cliOption.Quiet)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("logger error: %w", err)
|
||||
}
|
||||
|
||||
if err = r.initCache(cliOption); err != nil {
|
||||
if err := r.initCache(cliOptions); err != nil {
|
||||
return nil, xerrors.Errorf("cache error: %w", err)
|
||||
}
|
||||
|
||||
// Update the vulnerability database if needed.
|
||||
if err := r.initDB(cliOptions); err != nil {
|
||||
return nil, xerrors.Errorf("DB error: %w", err)
|
||||
}
|
||||
|
||||
// Initialize WASM modules
|
||||
m, err := module.NewManager(cliOption.Context.Context)
|
||||
m, err := module.NewManager(ctx)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("WASM module error: %w", err)
|
||||
}
|
||||
@@ -146,46 +147,46 @@ func (r *runner) Close(ctx context.Context) error {
|
||||
return errs
|
||||
}
|
||||
|
||||
func (r *runner) ScanImage(ctx context.Context, opt Option) (types.Report, error) {
|
||||
func (r *runner) ScanImage(ctx context.Context, opts flag.Options) (types.Report, error) {
|
||||
// Disable the lock file scanning
|
||||
opt.DisabledAnalyzers = analyzer.TypeLockfiles
|
||||
opts.DisabledAnalyzers = analyzer.TypeLockfiles
|
||||
|
||||
var s InitializeScanner
|
||||
switch {
|
||||
case opt.Input != "" && opt.RemoteAddr == "":
|
||||
case opts.Input != "" && opts.ServerAddr == "":
|
||||
// Scan image tarball in standalone mode
|
||||
s = archiveStandaloneScanner
|
||||
case opt.Input != "" && opt.RemoteAddr != "":
|
||||
case opts.Input != "" && opts.ServerAddr != "":
|
||||
// Scan image tarball in client/server mode
|
||||
s = archiveRemoteScanner
|
||||
case opt.Input == "" && opt.RemoteAddr == "":
|
||||
case opts.Input == "" && opts.ServerAddr == "":
|
||||
// Scan container image in standalone mode
|
||||
s = imageStandaloneScanner
|
||||
case opt.Input == "" && opt.RemoteAddr != "":
|
||||
case opts.Input == "" && opts.ServerAddr != "":
|
||||
// Scan container image in client/server mode
|
||||
s = imageRemoteScanner
|
||||
}
|
||||
|
||||
return r.scanArtifact(ctx, opt, s)
|
||||
return r.scanArtifact(ctx, opts, s)
|
||||
}
|
||||
|
||||
func (r *runner) ScanFilesystem(ctx context.Context, opt Option) (types.Report, error) {
|
||||
func (r *runner) ScanFilesystem(ctx context.Context, opts flag.Options) (types.Report, error) {
|
||||
// Disable the individual package scanning
|
||||
opt.DisabledAnalyzers = append(opt.DisabledAnalyzers, analyzer.TypeIndividualPkgs...)
|
||||
opts.DisabledAnalyzers = append(opts.DisabledAnalyzers, analyzer.TypeIndividualPkgs...)
|
||||
|
||||
return r.scanFS(ctx, opt)
|
||||
return r.scanFS(ctx, opts)
|
||||
}
|
||||
|
||||
func (r *runner) ScanRootfs(ctx context.Context, opt Option) (types.Report, error) {
|
||||
func (r *runner) ScanRootfs(ctx context.Context, opts flag.Options) (types.Report, error) {
|
||||
// Disable the lock file scanning
|
||||
opt.DisabledAnalyzers = append(opt.DisabledAnalyzers, analyzer.TypeLockfiles...)
|
||||
opts.DisabledAnalyzers = append(opts.DisabledAnalyzers, analyzer.TypeLockfiles...)
|
||||
|
||||
return r.scanFS(ctx, opt)
|
||||
return r.scanFS(ctx, opts)
|
||||
}
|
||||
|
||||
func (r *runner) scanFS(ctx context.Context, opt Option) (types.Report, error) {
|
||||
func (r *runner) scanFS(ctx context.Context, opts flag.Options) (types.Report, error) {
|
||||
var s InitializeScanner
|
||||
if opt.RemoteAddr == "" {
|
||||
if opts.ServerAddr == "" {
|
||||
// Scan filesystem in standalone mode
|
||||
s = filesystemStandaloneScanner
|
||||
} else {
|
||||
@@ -193,26 +194,22 @@ func (r *runner) scanFS(ctx context.Context, opt Option) (types.Report, error) {
|
||||
s = filesystemRemoteScanner
|
||||
}
|
||||
|
||||
return r.scanArtifact(ctx, opt, s)
|
||||
return r.scanArtifact(ctx, opts, s)
|
||||
}
|
||||
|
||||
func (r *runner) ScanRepository(ctx context.Context, opt Option) (types.Report, error) {
|
||||
func (r *runner) ScanRepository(ctx context.Context, opts flag.Options) (types.Report, error) {
|
||||
// Do not scan OS packages
|
||||
opt.VulnType = []string{types.VulnTypeLibrary}
|
||||
opts.VulnType = []string{types.VulnTypeLibrary}
|
||||
|
||||
// Disable the OS analyzers and individual package analyzers
|
||||
opt.DisabledAnalyzers = append(analyzer.TypeIndividualPkgs, analyzer.TypeOSes...)
|
||||
opts.DisabledAnalyzers = append(analyzer.TypeIndividualPkgs, analyzer.TypeOSes...)
|
||||
|
||||
return r.scanArtifact(ctx, opt, repositoryStandaloneScanner)
|
||||
return r.scanArtifact(ctx, opts, repositoryStandaloneScanner)
|
||||
}
|
||||
|
||||
func (r *runner) ScanSBOM(ctx context.Context, opt Option) (types.Report, error) {
|
||||
// Scan vulnerabilities
|
||||
opt.ReportOption.VulnType = []string{types.VulnTypeOS, types.VulnTypeLibrary}
|
||||
opt.ReportOption.SecurityChecks = []string{types.SecurityCheckVulnerability}
|
||||
|
||||
func (r *runner) ScanSBOM(ctx context.Context, opts flag.Options) (types.Report, error) {
|
||||
var s InitializeScanner
|
||||
if opt.RemoteAddr == "" {
|
||||
if opts.ServerAddr == "" {
|
||||
// Scan cycloneDX in standalone mode
|
||||
s = sbomStandaloneScanner
|
||||
} else {
|
||||
@@ -220,16 +217,12 @@ func (r *runner) ScanSBOM(ctx context.Context, opt Option) (types.Report, error)
|
||||
s = sbomRemoteScanner
|
||||
}
|
||||
|
||||
return r.scanArtifact(ctx, opt, s)
|
||||
return r.scanArtifact(ctx, opts, s)
|
||||
}
|
||||
|
||||
func (r *runner) scanArtifact(ctx context.Context, opt Option, initializeScanner InitializeScanner) (types.Report, error) {
|
||||
// Update the vulnerability database if needed.
|
||||
if err := r.initDB(opt); err != nil {
|
||||
return types.Report{}, xerrors.Errorf("DB error: %w", err)
|
||||
}
|
||||
func (r *runner) scanArtifact(ctx context.Context, opts flag.Options, initializeScanner InitializeScanner) (types.Report, error) {
|
||||
|
||||
report, err := scan(ctx, opt, initializeScanner, r.cache)
|
||||
report, err := scan(ctx, opts, initializeScanner, r.cache)
|
||||
if err != nil {
|
||||
return types.Report{}, xerrors.Errorf("scan error: %w", err)
|
||||
}
|
||||
@@ -237,13 +230,13 @@ func (r *runner) scanArtifact(ctx context.Context, opt Option, initializeScanner
|
||||
return report, nil
|
||||
}
|
||||
|
||||
func (r *runner) Filter(ctx context.Context, opt Option, report types.Report) (types.Report, error) {
|
||||
func (r *runner) Filter(ctx context.Context, opts flag.Options, report types.Report) (types.Report, error) {
|
||||
results := report.Results
|
||||
|
||||
// Filter results
|
||||
for i := range results {
|
||||
vulns, misconfSummary, misconfs, secrets, err := result.Filter(ctx, results[i].Vulnerabilities, results[i].Misconfigurations, results[i].Secrets,
|
||||
opt.Severities, opt.IgnoreUnfixed, opt.IncludeNonFailures, opt.IgnoreFile, opt.IgnorePolicy)
|
||||
opts.Severities, opts.IgnoreUnfixed, opts.IncludeNonFailures, opts.IgnoreFile, opts.IgnorePolicy)
|
||||
if err != nil {
|
||||
return types.Report{}, xerrors.Errorf("unable to filter vulnerabilities: %w", err)
|
||||
}
|
||||
@@ -255,16 +248,16 @@ func (r *runner) Filter(ctx context.Context, opt Option, report types.Report) (t
|
||||
return report, nil
|
||||
}
|
||||
|
||||
func (r *runner) Report(opt Option, report types.Report) error {
|
||||
func (r *runner) Report(opts flag.Options, report types.Report) error {
|
||||
if err := pkgReport.Write(report, pkgReport.Option{
|
||||
AppVersion: opt.GlobalOption.AppVersion,
|
||||
Format: opt.Format,
|
||||
Output: opt.Output,
|
||||
Tree: opt.DependencyTree,
|
||||
Severities: opt.Severities,
|
||||
OutputTemplate: opt.Template,
|
||||
IncludeNonFailures: opt.IncludeNonFailures,
|
||||
Trace: opt.Trace,
|
||||
AppVersion: opts.AppVersion,
|
||||
Format: opts.Format,
|
||||
Output: opts.Output,
|
||||
Tree: opts.DependencyTree,
|
||||
Severities: opts.Severities,
|
||||
OutputTemplate: opts.Template,
|
||||
IncludeNonFailures: opts.IncludeNonFailures,
|
||||
Trace: opts.Trace,
|
||||
}); err != nil {
|
||||
return xerrors.Errorf("unable to write results: %w", err)
|
||||
}
|
||||
@@ -272,23 +265,23 @@ func (r *runner) Report(opt Option, report types.Report) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *runner) initDB(c Option) error {
|
||||
func (r *runner) initDB(opts flag.Options) error {
|
||||
// When scanning config files or running as client mode, it doesn't need to download the vulnerability database.
|
||||
if c.RemoteAddr != "" || !slices.Contains(c.SecurityChecks, types.SecurityCheckVulnerability) {
|
||||
if opts.ServerAddr != "" || !slices.Contains(opts.SecurityChecks, types.SecurityCheckVulnerability) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// download the database file
|
||||
noProgress := c.Quiet || c.NoProgress
|
||||
if err := operation.DownloadDB(c.AppVersion, c.CacheDir, c.DBRepository, noProgress, c.Insecure, c.SkipDBUpdate); err != nil {
|
||||
noProgress := opts.Quiet || opts.NoProgress
|
||||
if err := operation.DownloadDB(opts.AppVersion, opts.CacheDir, opts.DBRepository, noProgress, opts.Insecure, opts.SkipDBUpdate); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if c.DownloadDBOnly {
|
||||
if opts.DownloadDBOnly {
|
||||
return SkipScan
|
||||
}
|
||||
|
||||
if err := db.Init(c.CacheDir); err != nil {
|
||||
if err := db.Init(opts.CacheDir); err != nil {
|
||||
return xerrors.Errorf("error in vulnerability DB initialize: %w", err)
|
||||
}
|
||||
r.dbOpen = true
|
||||
@@ -296,58 +289,59 @@ func (r *runner) initDB(c Option) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *runner) initCache(c Option) error {
|
||||
func (r *runner) initCache(opts flag.Options) error {
|
||||
// Skip initializing cache when custom cache is passed
|
||||
if r.cache != nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
// client/server mode
|
||||
if c.RemoteAddr != "" {
|
||||
remoteCache := tcache.NewRemoteCache(c.RemoteAddr, c.CustomHeaders, c.Insecure)
|
||||
if opts.ServerAddr != "" {
|
||||
remoteCache := tcache.NewRemoteCache(opts.ServerAddr, opts.CustomHeaders, opts.Insecure)
|
||||
r.cache = tcache.NopCache(remoteCache)
|
||||
return nil
|
||||
}
|
||||
|
||||
// standalone mode
|
||||
utils.SetCacheDir(c.CacheDir)
|
||||
cache, err := operation.NewCache(c.CacheOption)
|
||||
utils.SetCacheDir(opts.CacheDir)
|
||||
cacheClient, err := operation.NewCache(opts.CacheOptions)
|
||||
if err != nil {
|
||||
return xerrors.Errorf("unable to initialize the cache: %w", err)
|
||||
}
|
||||
log.Logger.Debugf("cache dir: %s", utils.CacheDir())
|
||||
|
||||
if c.Reset {
|
||||
defer cache.Close()
|
||||
if err = cache.Reset(); err != nil {
|
||||
if opts.Reset {
|
||||
defer cacheClient.Close()
|
||||
if err = cacheClient.Reset(); err != nil {
|
||||
return xerrors.Errorf("cache reset error: %w", err)
|
||||
}
|
||||
return SkipScan
|
||||
}
|
||||
if c.ClearCache {
|
||||
defer cache.Close()
|
||||
if err = cache.ClearArtifacts(); err != nil {
|
||||
if opts.ClearCache {
|
||||
defer cacheClient.Close()
|
||||
if err = cacheClient.ClearArtifacts(); err != nil {
|
||||
return xerrors.Errorf("cache clear error: %w", err)
|
||||
}
|
||||
return SkipScan
|
||||
}
|
||||
|
||||
r.cache = cache
|
||||
r.cache = cacheClient
|
||||
return nil
|
||||
}
|
||||
|
||||
// Run performs artifact scanning
|
||||
func Run(cliCtx *cli.Context, targetKind TargetKind) error {
|
||||
opt, err := InitOption(cliCtx)
|
||||
if err != nil {
|
||||
return xerrors.Errorf("InitOption: %w", err)
|
||||
}
|
||||
//func Run(cliCtx *cli.Context, targetKind TargetKind) error {
|
||||
// opt, err := InitOption(cliCtx)
|
||||
// if err != nil {
|
||||
// return xerrors.Errorf("InitOption: %w", err)
|
||||
// }
|
||||
//
|
||||
// return run(cliCtx.Context, opt, targetKind)
|
||||
//}
|
||||
|
||||
return run(cliCtx.Context, opt, targetKind)
|
||||
}
|
||||
|
||||
func run(ctx context.Context, opt Option, targetKind TargetKind) (err error) {
|
||||
ctx, cancel := context.WithTimeout(ctx, opt.Timeout)
|
||||
// Run performs artifact scanning
|
||||
func Run(ctx context.Context, opts flag.Options, targetKind TargetKind) (err error) {
|
||||
ctx, cancel := context.WithTimeout(ctx, opts.Timeout)
|
||||
defer cancel()
|
||||
|
||||
defer func() {
|
||||
@@ -356,7 +350,7 @@ func run(ctx context.Context, opt Option, targetKind TargetKind) (err error) {
|
||||
}
|
||||
}()
|
||||
|
||||
r, err := NewRunner(opt)
|
||||
r, err := NewRunner(ctx, opts)
|
||||
if err != nil {
|
||||
if errors.Is(err, SkipScan) {
|
||||
return nil
|
||||
@@ -368,121 +362,107 @@ func run(ctx context.Context, opt Option, targetKind TargetKind) (err error) {
|
||||
var report types.Report
|
||||
switch targetKind {
|
||||
case TargetContainerImage, TargetImageArchive:
|
||||
if report, err = r.ScanImage(ctx, opt); err != nil {
|
||||
if report, err = r.ScanImage(ctx, opts); err != nil {
|
||||
return xerrors.Errorf("image scan error: %w", err)
|
||||
}
|
||||
case TargetFilesystem:
|
||||
if report, err = r.ScanFilesystem(ctx, opt); err != nil {
|
||||
if report, err = r.ScanFilesystem(ctx, opts); err != nil {
|
||||
return xerrors.Errorf("filesystem scan error: %w", err)
|
||||
}
|
||||
case TargetRootfs:
|
||||
if report, err = r.ScanRootfs(ctx, opt); err != nil {
|
||||
if report, err = r.ScanRootfs(ctx, opts); err != nil {
|
||||
return xerrors.Errorf("rootfs scan error: %w", err)
|
||||
}
|
||||
case TargetRepository:
|
||||
if report, err = r.ScanRepository(ctx, opt); err != nil {
|
||||
if report, err = r.ScanRepository(ctx, opts); err != nil {
|
||||
return xerrors.Errorf("repository scan error: %w", err)
|
||||
}
|
||||
case TargetSBOM:
|
||||
if report, err = r.ScanSBOM(ctx, opt); err != nil {
|
||||
if report, err = r.ScanSBOM(ctx, opts); err != nil {
|
||||
return xerrors.Errorf("sbom scan error: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
report, err = r.Filter(ctx, opt, report)
|
||||
report, err = r.Filter(ctx, opts, report)
|
||||
if err != nil {
|
||||
return xerrors.Errorf("filter error: %w", err)
|
||||
}
|
||||
|
||||
if err = r.Report(opt, report); err != nil {
|
||||
if err = r.Report(opts, report); err != nil {
|
||||
return xerrors.Errorf("report error: %w", err)
|
||||
}
|
||||
|
||||
Exit(opt, report.Results.Failed())
|
||||
Exit(opts, report.Results.Failed())
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func InitOption(ctx *cli.Context) (Option, error) {
|
||||
opt, err := NewOption(ctx)
|
||||
if err != nil {
|
||||
return Option{}, xerrors.Errorf("option error: %w", err)
|
||||
}
|
||||
|
||||
// initialize options
|
||||
if err = opt.Init(); err != nil {
|
||||
return Option{}, xerrors.Errorf("option initialize error: %w", err)
|
||||
}
|
||||
|
||||
return opt, nil
|
||||
}
|
||||
|
||||
func disabledAnalyzers(opt Option) []analyzer.Type {
|
||||
func disabledAnalyzers(opts flag.Options) []analyzer.Type {
|
||||
// Specified analyzers to be disabled depending on scanning modes
|
||||
// e.g. The 'image' subcommand should disable the lock file scanning.
|
||||
analyzers := opt.DisabledAnalyzers
|
||||
analyzers := opts.DisabledAnalyzers
|
||||
|
||||
// It doesn't analyze apk commands by default.
|
||||
if !opt.ScanRemovedPkgs {
|
||||
if !opts.ScanRemovedPkgs {
|
||||
analyzers = append(analyzers, analyzer.TypeApkCommand)
|
||||
}
|
||||
|
||||
// Do not analyze programming language packages when not running in 'library' mode
|
||||
if !slices.Contains(opt.VulnType, types.VulnTypeLibrary) {
|
||||
if !slices.Contains(opts.VulnType, types.VulnTypeLibrary) {
|
||||
analyzers = append(analyzers, analyzer.TypeLanguages...)
|
||||
}
|
||||
|
||||
// Do not perform secret scanning when it is not specified.
|
||||
if !slices.Contains(opt.SecurityChecks, types.SecurityCheckSecret) {
|
||||
if !slices.Contains(opts.SecurityChecks, types.SecurityCheckSecret) {
|
||||
analyzers = append(analyzers, analyzer.TypeSecret)
|
||||
}
|
||||
|
||||
// Do not perform misconfiguration scanning when it is not specified.
|
||||
if !slices.Contains(opt.SecurityChecks, types.SecurityCheckConfig) {
|
||||
if !slices.Contains(opts.SecurityChecks, types.SecurityCheckConfig) {
|
||||
analyzers = append(analyzers, analyzer.TypeConfigFiles...)
|
||||
}
|
||||
|
||||
return analyzers
|
||||
}
|
||||
|
||||
func initScannerConfig(opt Option, cacheClient cache.Cache) (ScannerConfig, types.ScanOptions, error) {
|
||||
target := opt.Target
|
||||
if opt.Input != "" {
|
||||
target = opt.Input
|
||||
func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfig, types.ScanOptions, error) {
|
||||
target := opts.Target
|
||||
if opts.Input != "" {
|
||||
target = opts.Input
|
||||
}
|
||||
|
||||
scanOptions := types.ScanOptions{
|
||||
VulnType: opt.VulnType,
|
||||
SecurityChecks: opt.SecurityChecks,
|
||||
ScanRemovedPackages: opt.ScanRemovedPkgs, // this is valid only for 'image' subcommand
|
||||
ListAllPackages: opt.ListAllPkgs,
|
||||
VulnType: opts.VulnType,
|
||||
SecurityChecks: opts.SecurityChecks,
|
||||
ScanRemovedPackages: opts.ScanRemovedPkgs, // this is valid only for 'image' subcommand
|
||||
ListAllPackages: opts.ListAllPkgs,
|
||||
}
|
||||
|
||||
if slices.Contains(opt.SecurityChecks, types.SecurityCheckVulnerability) {
|
||||
if slices.Contains(opts.SecurityChecks, types.SecurityCheckVulnerability) {
|
||||
log.Logger.Info("Vulnerability scanning is enabled")
|
||||
log.Logger.Debugf("Vulnerability type: %s", scanOptions.VulnType)
|
||||
}
|
||||
|
||||
// ScannerOption is filled only when config scanning is enabled.
|
||||
var configScannerOptions config.ScannerOption
|
||||
if slices.Contains(opt.SecurityChecks, types.SecurityCheckConfig) {
|
||||
if slices.Contains(opts.SecurityChecks, types.SecurityCheckConfig) {
|
||||
log.Logger.Info("Misconfiguration scanning is enabled")
|
||||
configScannerOptions = config.ScannerOption{
|
||||
Trace: opt.Trace,
|
||||
Namespaces: append(opt.PolicyNamespaces, defaultPolicyNamespaces...),
|
||||
PolicyPaths: opt.PolicyPaths,
|
||||
DataPaths: opt.DataPaths,
|
||||
FilePatterns: opt.FilePatterns,
|
||||
Trace: opts.Trace,
|
||||
Namespaces: append(opts.PolicyNamespaces, defaultPolicyNamespaces...),
|
||||
PolicyPaths: opts.PolicyPaths,
|
||||
DataPaths: opts.DataPaths,
|
||||
FilePatterns: opts.FilePatterns,
|
||||
}
|
||||
}
|
||||
|
||||
// Do not load config file for secret scanning
|
||||
if slices.Contains(opt.SecurityChecks, types.SecurityCheckSecret) {
|
||||
if slices.Contains(opts.SecurityChecks, types.SecurityCheckSecret) {
|
||||
log.Logger.Info("Secret scanning is enabled")
|
||||
log.Logger.Info("If your scanning is slow, please try '--security-checks vuln' to disable secret scanning")
|
||||
log.Logger.Infof("Please see also https://aquasecurity.github.io/trivy/%s/docs/secret/scanning/#recommendation for faster secret detection", opt.AppVersion)
|
||||
log.Logger.Infof("Please see also https://aquasecurity.github.io/trivy/%s/docs/secret/scanning/#recommendation for faster secret detection", opts.AppVersion)
|
||||
} else {
|
||||
opt.SecretConfigPath = ""
|
||||
opts.SecretConfigPath = ""
|
||||
}
|
||||
|
||||
return ScannerConfig{
|
||||
@@ -490,33 +470,33 @@ func initScannerConfig(opt Option, cacheClient cache.Cache) (ScannerConfig, type
|
||||
ArtifactCache: cacheClient,
|
||||
LocalArtifactCache: cacheClient,
|
||||
RemoteOption: client.ScannerOption{
|
||||
RemoteURL: opt.RemoteAddr,
|
||||
CustomHeaders: opt.CustomHeaders,
|
||||
Insecure: opt.Insecure,
|
||||
RemoteURL: opts.ServerAddr,
|
||||
CustomHeaders: opts.CustomHeaders,
|
||||
Insecure: opts.Insecure,
|
||||
},
|
||||
ArtifactOption: artifact.Option{
|
||||
DisabledAnalyzers: disabledAnalyzers(opt),
|
||||
SkipFiles: opt.SkipFiles,
|
||||
SkipDirs: opt.SkipDirs,
|
||||
InsecureSkipTLS: opt.Insecure,
|
||||
Offline: opt.OfflineScan,
|
||||
NoProgress: opt.NoProgress || opt.Quiet,
|
||||
DisabledAnalyzers: disabledAnalyzers(opts),
|
||||
SkipFiles: opts.SkipFiles,
|
||||
SkipDirs: opts.SkipDirs,
|
||||
InsecureSkipTLS: opts.Insecure,
|
||||
Offline: opts.OfflineScan,
|
||||
NoProgress: opts.NoProgress || opts.Quiet,
|
||||
|
||||
// For misconfiguration scanning
|
||||
MisconfScannerOption: configScannerOptions,
|
||||
|
||||
// For secret scanning
|
||||
SecretScannerOption: secret.ScannerOption{
|
||||
ConfigPath: opt.SecretConfigPath,
|
||||
ConfigPath: opts.SecretConfigPath,
|
||||
},
|
||||
},
|
||||
}, scanOptions, nil
|
||||
}
|
||||
|
||||
func scan(ctx context.Context, opt Option, initializeScanner InitializeScanner, cacheClient cache.Cache) (
|
||||
func scan(ctx context.Context, opts flag.Options, initializeScanner InitializeScanner, cacheClient cache.Cache) (
|
||||
types.Report, error) {
|
||||
|
||||
scannerConfig, scanOptions, err := initScannerConfig(opt, cacheClient)
|
||||
scannerConfig, scanOptions, err := initScannerConfig(opts, cacheClient)
|
||||
if err != nil {
|
||||
return types.Report{}, err
|
||||
}
|
||||
@@ -534,8 +514,8 @@ func scan(ctx context.Context, opt Option, initializeScanner InitializeScanner,
|
||||
return report, nil
|
||||
}
|
||||
|
||||
func Exit(c Option, failedResults bool) {
|
||||
if c.ExitCode != 0 && failedResults {
|
||||
os.Exit(c.ExitCode)
|
||||
func Exit(opts flag.Options, failedResults bool) {
|
||||
if opts.ExitCode != 0 && failedResults {
|
||||
os.Exit(opts.ExitCode)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user