feat(filesystem): scan in client/server mode (#1829)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-23 15:37:50 -08:00 · 2022-03-21 19:51:18 +06:00
parent 12d0317a67
commit d6418cf0de
49 changed files with 763 additions and 1014 deletions
--- a/pkg/commands/artifact/image.go
+++ b/pkg/commands/artifact/image.go
@@ -7,36 +7,67 @@ import (
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/fanal/analyzer"
-	"github.com/aquasecurity/fanal/analyzer/config"
-	"github.com/aquasecurity/fanal/artifact"
-	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/trivy/pkg/scanner"
 	"github.com/aquasecurity/trivy/pkg/types"
 )

-func archiveScanner(ctx context.Context, input string, ac cache.ArtifactCache, lac cache.LocalArtifactCache,
-	_ bool, artifactOpt artifact.Option, scannerOpt config.ScannerOption) (scanner.Scanner, func(), error) {
-	s, err := initializeArchiveScanner(ctx, input, ac, lac, artifactOpt, scannerOpt)
-	if err != nil {
-		return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize the archive scanner: %w", err)
-	}
-	return s, func() {}, nil
-}
-
-func dockerScanner(ctx context.Context, imageName string, ac cache.ArtifactCache, lac cache.LocalArtifactCache,
-	insecure bool, artifactOpt artifact.Option, scannerOpt config.ScannerOption) (scanner.Scanner, func(), error) {
-	dockerOpt, err := types.GetDockerOption(insecure)
+// imageScanner initializes a container image scanner in standalone mode
+// $ trivy image alpine:3.15
+func imageScanner(ctx context.Context, conf scannerConfig) (scanner.Scanner, func(), error) {
+	dockerOpt, err := types.GetDockerOption(conf.ArtifactOption.InsecureSkipTLS)
 	if err != nil {
 		return scanner.Scanner{}, nil, err
 	}
-	s, cleanup, err := initializeDockerScanner(ctx, imageName, ac, lac, dockerOpt, artifactOpt, scannerOpt)
+	s, cleanup, err := initializeDockerScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache,
+		dockerOpt, conf.ArtifactOption, conf.MisconfOption)
 	if err != nil {
 		return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a docker scanner: %w", err)
 	}
 	return s, cleanup, nil
 }

-// ImageRun runs scan on docker image
+// archiveScanner initializes an image archive scanner in standalone mode
+// $ trivy image --input alpine.tar
+func archiveScanner(ctx context.Context, conf scannerConfig) (scanner.Scanner, func(), error) {
+	s, err := initializeArchiveScanner(ctx, conf.Target, conf.ArtifactCache, conf.LocalArtifactCache,
+		conf.ArtifactOption, conf.MisconfOption)
+	if err != nil {
+		return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize the archive scanner: %w", err)
+	}
+	return s, func() {}, nil
+}
+
+// remoteImageScanner initializes a container image scanner in client/server mode
+// $ trivy image --server localhost:4954 alpine:3.15
+func remoteImageScanner(ctx context.Context, conf scannerConfig) (
+	scanner.Scanner, func(), error) {
+	// Scan an image in Docker Engine, Docker Registry, etc.
+	dockerOpt, err := types.GetDockerOption(conf.ArtifactOption.InsecureSkipTLS)
+	if err != nil {
+		return scanner.Scanner{}, nil, err
+	}
+
+	s, cleanup, err := initializeRemoteDockerScanner(ctx, conf.Target, conf.ArtifactCache, conf.RemoteOption,
+		dockerOpt, conf.ArtifactOption, conf.MisconfOption)
+	if err != nil {
+		return scanner.Scanner{}, nil, xerrors.Errorf("unable to initialize the docker scanner: %w", err)
+	}
+	return s, cleanup, nil
+}
+
+// remoteArchiveScanner initializes an image archive scanner in client/server mode
+// $ trivy image --server localhost:4954 --input alpine.tar
+func remoteArchiveScanner(ctx context.Context, conf scannerConfig) (scanner.Scanner, func(), error) {
+	// Scan tar file
+	s, err := initializeRemoteArchiveScanner(ctx, conf.Target, conf.ArtifactCache, conf.RemoteOption,
+		conf.ArtifactOption, conf.MisconfOption)
+	if err != nil {
+		return scanner.Scanner{}, nil, xerrors.Errorf("unable to initialize the archive scanner: %w", err)
+	}
+	return s, func() {}, nil
+}
+
+// ImageRun runs scan on container image
 func ImageRun(ctx *cli.Context) error {
 	opt, err := initOption(ctx)
 	if err != nil {
@@ -47,9 +78,34 @@ func ImageRun(ctx *cli.Context) error {
 	opt.DisabledAnalyzers = analyzer.TypeLockfiles

 	if opt.Input != "" {
-		// scan tar file
-		return Run(ctx.Context, opt, archiveScanner, initFSCache)
+		return archiveImageRun(ctx.Context, opt)
 	}

-	return Run(ctx.Context, opt, dockerScanner, initFSCache)
+	return imageRun(ctx.Context, opt)
+}
+
+func archiveImageRun(ctx context.Context, opt Option) error {
+	// standalone mode
+	scanner := archiveScanner
+
+	if opt.RemoteAddr != "" {
+		// client/server mode
+		scanner = remoteArchiveScanner
+	}
+
+	// scan tar file
+	return Run(ctx, opt, scanner, initCache)
+}
+
+func imageRun(ctx context.Context, opt Option) error {
+	// standalone mode
+	scanner := imageScanner
+
+	if opt.RemoteAddr != "" {
+		// client/server mode
+		scanner = remoteImageScanner
+	}
+
+	// scan container image
+	return Run(ctx, opt, scanner, initCache)
 }