feat(misconf): Add --reset-policy-bundle for policy bundle (#4167)

This commit is contained in:
simar7
2023-05-18 02:54:01 -06:00
committed by GitHub
parent 33fb04763d
commit 92f9e98d04
13 changed files with 52 additions and 1 deletions


@@ -88,6 +88,7 @@ trivy aws [flags]
--policy-namespaces strings Rego namespaces --policy-namespaces strings Rego namespaces
--region string AWS Region to scan --region string AWS Region to scan
--report string specify a report format for the output. (all,summary) (default "all") --report string specify a report format for the output. (all,summary) (default "all")
--reset-policy-bundle remove policy bundle
--service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc. --service strings Only scan AWS Service(s) specified with this flag. Can specify multiple services using --service A --service B etc.
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-policy-update skip fetching rego policy updates --skip-policy-update skip fetching rego policy updates


@@ -37,6 +37,7 @@ trivy config [flags] DIR
--redis-tls enable redis TLS with public certificates, if using redis as cache backend --redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token --registry-token string registry token
--report string specify a compliance report format for the output. (all,summary) (default "all") --report string specify a compliance report format for the output. (all,summary) (default "all")
--reset-policy-bundle remove policy bundle
-s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
--skip-dirs strings specify the directories where the traversal is skipped --skip-dirs strings specify the directories where the traversal is skipped
--skip-files strings specify the file paths to skip traversal --skip-files strings specify the file paths to skip traversal


@@ -62,6 +62,7 @@ trivy filesystem [flags] PATH
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a compliance report format for the output. (all,summary) (default "all") --report string specify a compliance report format for the output. (all,summary) (default "all")
--reset remove all caches and database --reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")


@@ -84,6 +84,7 @@ trivy image [flags] IMAGE_NAME
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine) --removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
--report string specify a format for the compliance report. (default "summary") --report string specify a format for the compliance report. (default "summary")
--reset remove all caches and database --reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")


@@ -71,6 +71,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a report format for the output. (all,summary) (default "all") --report string specify a report format for the output. (all,summary) (default "all")
--reset remove all caches and database --reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners string comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac") --scanners string comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")


@@ -59,6 +59,7 @@ trivy repository [flags] REPO_URL
--registry-token string registry token --registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database --reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")


@@ -64,6 +64,7 @@ trivy rootfs [flags] ROOTDIR
--registry-token string registry token --registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database --reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")


@@ -56,6 +56,7 @@ trivy vm [flags] VM_IMAGE
--redis-tls enable redis TLS with public certificates, if using redis as cache backend --redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database --reset remove all caches and database
--reset-policy-bundle remove policy bundle
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor) --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret]) --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml") --secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")


@@ -1160,7 +1160,7 @@ func validateArgs(cmd *cobra.Command, args []string) error {
// '--clear-cache', '--download-db-only', '--download-java-db-only', '--reset' and '--generate-default-config' don't conduct the subsequent scanning // '--clear-cache', '--download-db-only', '--download-java-db-only', '--reset' and '--generate-default-config' don't conduct the subsequent scanning
if viper.GetBool(flag.ClearCacheFlag.ConfigName) || viper.GetBool(flag.DownloadDBOnlyFlag.ConfigName) || if viper.GetBool(flag.ClearCacheFlag.ConfigName) || viper.GetBool(flag.DownloadDBOnlyFlag.ConfigName) ||
viper.GetBool(flag.ResetFlag.ConfigName) || viper.GetBool(flag.GenerateDefaultConfigFlag.ConfigName) || viper.GetBool(flag.ResetFlag.ConfigName) || viper.GetBool(flag.GenerateDefaultConfigFlag.ConfigName) ||
viper.GetBool(flag.DownloadJavaDBOnlyFlag.ConfigName) { viper.GetBool(flag.DownloadJavaDBOnlyFlag.ConfigName) || viper.GetBool(flag.ResetPolicyBundleFlag.ConfigName) {
return nil return nil
} }
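Review bot: The comment above the condition enumerates the flags that skip the subsequent scan but was not extended when `--reset-policy-bundle` was added to the condition, so it now disagrees with the code it describes. Suggest updating it to `// '--clear-cache', '--download-db-only', '--download-java-db-only', '--reset', '--reset-policy-bundle' and '--generate-default-config' don't conduct the subsequent scanning`. validateArgs begins and ends outside this hunk.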


@@ -6,6 +6,8 @@ import (
"fmt" "fmt"
"os" "os"
"github.com/aquasecurity/trivy/pkg/policy"
"github.com/hashicorp/go-multierror" "github.com/hashicorp/go-multierror"
"github.com/spf13/viper" "github.com/spf13/viper"
"golang.org/x/exp/slices" "golang.org/x/exp/slices"
@@ -387,6 +389,18 @@ func (r *runner) initCache(opts flag.Options) error {
} }
return SkipScan return SkipScan
} }
if opts.ResetPolicyBundle {
c, err := policy.NewClient(fsutils.CacheDir(), true)
if err != nil {
return xerrors.Errorf("failed to instantiate policy client: %w", err)
}
if err := c.Clear(); err != nil {
return xerrors.Errorf("failed to remove the cache: %w", err)
}
return SkipScan
}
if opts.ClearCache { if opts.ClearCache {
defer cacheClient.Close() defer cacheClient.Close()
if err = cacheClient.ClearArtifacts(); err != nil { if err = cacheClient.ClearArtifacts(); err != nil {
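Review bot: The new ResetPolicyBundle branch returns SkipScan without closing cacheClient, while the `--clear-cache` branch directly below defers `cacheClient.Close()`; if cacheClient is already open at this point (its creation is above the hunk), the early return leaves it unclosed, so a `defer cacheClient.Close()` at the top of the branch, or placing the branch before the cache client is opened, seems warranted. The error message on the second check is also misleading: it reports "failed to remove the cache" when what failed is the policy bundle removal, so `return xerrors.Errorf("failed to remove the policy bundle: %w", err)` would read correctly in user output. The import hunk adds only the policy package; fsutils and xerrors are presumably already imported further up the file. initCache begins and ends outside this hunk.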


@@ -7,6 +7,12 @@ package flag
// config-policy: "custom-policy/policy" // config-policy: "custom-policy/policy"
// policy-namespaces: "user" // policy-namespaces: "user"
var ( var (
ResetPolicyBundleFlag = Flag{
Name: "reset-policy-bundle",
ConfigName: "misconfiguration.reset-policy-bundle",
Value: false,
Usage: "remove policy bundle",
}
IncludeNonFailuresFlag = Flag{ IncludeNonFailuresFlag = Flag{
Name: "include-non-failures", Name: "include-non-failures",
ConfigName: "misconfiguration.include-non-failures", ConfigName: "misconfiguration.include-non-failures",
@@ -48,6 +54,7 @@ var (
// MisconfFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning. // MisconfFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
type MisconfFlagGroup struct { type MisconfFlagGroup struct {
IncludeNonFailures *Flag IncludeNonFailures *Flag
ResetPolicyBundle *Flag
// Values Files // Values Files
HelmValues *Flag HelmValues *Flag
@@ -59,6 +66,7 @@ type MisconfFlagGroup struct {
type MisconfOptions struct { type MisconfOptions struct {
IncludeNonFailures bool IncludeNonFailures bool
ResetPolicyBundle bool
// Values Files // Values Files
HelmValues []string HelmValues []string
@@ -71,6 +79,7 @@ type MisconfOptions struct {
func NewMisconfFlagGroup() *MisconfFlagGroup { func NewMisconfFlagGroup() *MisconfFlagGroup {
return &MisconfFlagGroup{ return &MisconfFlagGroup{
IncludeNonFailures: &IncludeNonFailuresFlag, IncludeNonFailures: &IncludeNonFailuresFlag,
ResetPolicyBundle: &ResetPolicyBundleFlag,
HelmValues: &HelmSetFlag, HelmValues: &HelmSetFlag,
HelmFileValues: &HelmSetFileFlag, HelmFileValues: &HelmSetFileFlag,
HelmStringValues: &HelmSetStringFlag, HelmStringValues: &HelmSetStringFlag,
@@ -86,6 +95,7 @@ func (f *MisconfFlagGroup) Name() string {
func (f *MisconfFlagGroup) Flags() []*Flag { func (f *MisconfFlagGroup) Flags() []*Flag {
return []*Flag{ return []*Flag{
f.IncludeNonFailures, f.IncludeNonFailures,
f.ResetPolicyBundle,
f.HelmValues, f.HelmValues,
f.HelmValueFiles, f.HelmValueFiles,
f.HelmFileValues, f.HelmFileValues,
@@ -97,6 +107,7 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) { func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
return MisconfOptions{ return MisconfOptions{
IncludeNonFailures: getBool(f.IncludeNonFailures), IncludeNonFailures: getBool(f.IncludeNonFailures),
ResetPolicyBundle: getBool(f.ResetPolicyBundle),
HelmValues: getStringSlice(f.HelmValues), HelmValues: getStringSlice(f.HelmValues),
HelmValueFiles: getStringSlice(f.HelmValueFiles), HelmValueFiles: getStringSlice(f.HelmValueFiles),
HelmFileValues: getStringSlice(f.HelmFileValues), HelmFileValues: getStringSlice(f.HelmFileValues),
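Review bot: The usage string of the new flag, `Usage: "remove policy bundle"`, does not tell the user that the command exits without scanning once the bundle is removed, which is what the validateArgs and initCache changes in this commit make it do. Since this flag behaves like `--reset` rather than like an ordinary scan option, something such as `Usage: "remove policy bundle and exit without scanning"` would save users from expecting a scan to follow. The same text is rendered into the eight generated docs pages in this commit, so regenerating them after the change would keep them consistent.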


@@ -222,3 +222,11 @@ func (c *Client) GetMetadata() (*Metadata, error) {
return &meta, nil return &meta, nil
} }
func (c *Client) Clear() error {
log.Logger.Info("Removing policy bundle...")
if err := os.RemoveAll(c.policyDir); err != nil {
return xerrors.Errorf("failed to remove policy bundle: %w", err)
}
return nil
}
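Review bot: Clear is an exported method without a doc comment, and its behaviour on a missing bundle is worth stating because os.RemoveAll reports no error for a path that does not exist. Suggest `// Clear removes the cached policy bundle directory. It is not an error if no bundle has been downloaded yet.` placed above the signature. The info log line before the removal is fine; the error wrapping already names the directory's purpose, which is consistent with the other messages in this package.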


@@ -388,3 +388,13 @@ func TestClient_DownloadBuiltinPolicies(t *testing.T) {
}) })
} }
} }
func TestClient_Clear(t *testing.T) {
cacheDir := t.TempDir()
err := os.MkdirAll(filepath.Join(cacheDir, "policy"), 0755)
require.NoError(t, err)
c, err := policy.NewClient(cacheDir, true)
require.NoError(t, err)
require.NoError(t, c.Clear())
}
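Review bot: TestClient_Clear only asserts that Clear returns nil, which it also does when nothing is removed, so the test cannot tell a working Clear from a no-op. After the Clear call, add `require.NoDirExists(t, filepath.Join(cacheDir, "policy"))` to confirm the bundle directory is gone, and `require.DirExists(t, cacheDir)` to confirm removal stays scoped to the bundle rather than the whole cache directory (the test constructs the client from cacheDir, so the exact policy path is presumably filepath.Join(cacheDir, "policy"); confirm against NewClient).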