fix(misconf): add missing fields to proto (#4861)

* fix(misconf): add missing fields to proto

* mark deleted fields as reserved
This commit is contained in:
Nikita Pivkin
2023-07-30 14:15:36 +03:00
committed by GitHub
parent 8b8e0e83d1
commit e1c2a8c804
7 changed files with 832 additions and 281 deletions


@@ -1,4 +1,4 @@
FROM golang:1.19 FROM --platform=linux/amd64 golang:1.19
# Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html) # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip


@@ -154,7 +154,7 @@ func Protoc() error {
if err := sh.RunV("bash", "-c", "docker build -t trivy-protoc - < Dockerfile.protoc"); err != nil { if err := sh.RunV("bash", "-c", "docker build -t trivy-protoc - < Dockerfile.protoc"); err != nil {
return err return err
} }
return sh.Run("docker", "run", "--rm", "-it", "-v", "${PWD}:/app", "-w", "/app", "trivy-protoc", "mage", "protoc") return sh.Run("docker", "run", "--rm", "-it", "--platform", "linux/x86_64", "-v", "${PWD}:/app", "-w", "/app", "trivy-protoc", "mage", "protoc")
} }
// Yacc generates parser // Yacc generates parser
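Review bot: The platform string added to the docker run command, `--platform linux/x86_64`, is spelled differently from the `--platform=linux/amd64` that Dockerfile.protoc uses in the same commit; Docker normalizes x86_64 to amd64 as far as I know, so both should resolve to the same image, but using the canonical OCI spelling in both places (`"--platform", "linux/amd64",`) keeps the two files obviously in step and avoids a reader wondering whether they differ. The body of Protoc starts before this hunk.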

pkg/cache/remote.go vendored

@@ -53,7 +53,7 @@ func (c RemoteCache) PutArtifact(imageID string, artifactInfo types.ArtifactInfo
func (c RemoteCache) PutBlob(diffID string, blobInfo types.BlobInfo) error { func (c RemoteCache) PutBlob(diffID string, blobInfo types.BlobInfo) error {
err := rpc.Retry(func() error { err := rpc.Retry(func() error {
var err error var err error
_, err = c.client.PutBlob(c.ctx, rpc.ConvertToRPCBlobInfo(diffID, blobInfo)) _, err = c.client.PutBlob(c.ctx, rpc.ConvertToRPCPutBlobRequest(diffID, blobInfo))
return err return err
}) })
if err != nil { if err != nil {


@@ -217,18 +217,21 @@ func ConvertToRPCMisconfs(misconfs []types.DetectedMisconfiguration) []*common.D
} }
rpcMisconfs = append(rpcMisconfs, &common.DetectedMisconfiguration{ rpcMisconfs = append(rpcMisconfs, &common.DetectedMisconfiguration{
Type: m.Type, Type: m.Type,
Id: m.ID, Id: m.ID,
Title: m.Title, AvdId: m.AVDID,
Description: m.Description, Title: m.Title,
Message: m.Message, Description: m.Description,
Namespace: m.Namespace, Message: m.Message,
Resolution: m.Resolution, Namespace: m.Namespace,
Severity: common.Severity(severity), Query: m.Query,
PrimaryUrl: m.PrimaryURL, Resolution: m.Resolution,
References: m.References, Severity: common.Severity(severity),
Status: string(m.Status), PrimaryUrl: m.PrimaryURL,
Layer: ConvertToRPCLayer(m.Layer), References: m.References,
Status: string(m.Status),
Layer: ConvertToRPCLayer(m.Layer),
CauseMetadata: ConvertToRPCCauseMetadata(m.CauseMetadata),
}) })
} }
return rpcMisconfs return rpcMisconfs
@@ -243,6 +246,30 @@ func ConvertToRPCLayer(layer ftypes.Layer) *common.Layer {
} }
} }
func ConvertToRPCPolicyMetadata(policy ftypes.PolicyMetadata) *common.PolicyMetadata {
return &common.PolicyMetadata{
Id: policy.ID,
AdvId: policy.AVDID,
Type: policy.Type,
Title: policy.Title,
Description: policy.Description,
Severity: policy.Severity,
RecommendedActions: policy.RecommendedActions,
References: policy.References,
}
}
func ConvertToRPCCauseMetadata(cause ftypes.CauseMetadata) *common.CauseMetadata {
return &common.CauseMetadata{
Resource: cause.Resource,
Provider: cause.Provider,
Service: cause.Service,
StartLine: int32(cause.StartLine),
EndLine: int32(cause.EndLine),
Code: ConvertToRPCCode(cause.Code),
}
}
// ConvertToRPCDataSource returns common.DataSource // ConvertToRPCDataSource returns common.DataSource
func ConvertToRPCDataSource(ds *dbTypes.DataSource) *common.DataSource { func ConvertToRPCDataSource(ds *dbTypes.DataSource) *common.DataSource {
if ds == nil { if ds == nil {
@@ -407,18 +434,21 @@ func ConvertFromRPCMisconfs(rpcMisconfs []*common.DetectedMisconfiguration) []ty
var misconfs []types.DetectedMisconfiguration var misconfs []types.DetectedMisconfiguration
for _, rpcMisconf := range rpcMisconfs { for _, rpcMisconf := range rpcMisconfs {
misconfs = append(misconfs, types.DetectedMisconfiguration{ misconfs = append(misconfs, types.DetectedMisconfiguration{
Type: rpcMisconf.Type, Type: rpcMisconf.Type,
ID: rpcMisconf.Id, ID: rpcMisconf.Id,
Title: rpcMisconf.Title, AVDID: rpcMisconf.AvdId,
Description: rpcMisconf.Description, Title: rpcMisconf.Title,
Message: rpcMisconf.Message, Description: rpcMisconf.Description,
Namespace: rpcMisconf.Namespace, Message: rpcMisconf.Message,
Resolution: rpcMisconf.Resolution, Namespace: rpcMisconf.Namespace,
Severity: rpcMisconf.Severity.String(), Query: rpcMisconf.Query,
PrimaryURL: rpcMisconf.PrimaryUrl, Resolution: rpcMisconf.Resolution,
References: rpcMisconf.References, Severity: rpcMisconf.Severity.String(),
Status: types.MisconfStatus(rpcMisconf.Status), PrimaryURL: rpcMisconf.PrimaryUrl,
Layer: ConvertFromRPCLayer(rpcMisconf.Layer), References: rpcMisconf.References,
Status: types.MisconfStatus(rpcMisconf.Status),
Layer: ConvertFromRPCLayer(rpcMisconf.Layer),
CauseMetadata: ConvertFromRPCCauseMetadata(rpcMisconf.CauseMetadata),
}) })
} }
return misconfs return misconfs
@@ -430,8 +460,40 @@ func ConvertFromRPCLayer(rpcLayer *common.Layer) ftypes.Layer {
return ftypes.Layer{} return ftypes.Layer{}
} }
return ftypes.Layer{ return ftypes.Layer{
Digest: rpcLayer.Digest, Digest: rpcLayer.Digest,
DiffID: rpcLayer.DiffId, DiffID: rpcLayer.DiffId,
CreatedBy: rpcLayer.CreatedBy,
}
}
func ConvertFromRPCPolicyMetadata(rpcPolicy *common.PolicyMetadata) ftypes.PolicyMetadata {
if rpcPolicy == nil {
return ftypes.PolicyMetadata{}
}
return ftypes.PolicyMetadata{
ID: rpcPolicy.Id,
AVDID: rpcPolicy.AdvId,
Type: rpcPolicy.Type,
Title: rpcPolicy.Title,
Description: rpcPolicy.Description,
Severity: rpcPolicy.Severity,
RecommendedActions: rpcPolicy.RecommendedActions,
References: rpcPolicy.References,
}
}
func ConvertFromRPCCauseMetadata(rpcCause *common.CauseMetadata) ftypes.CauseMetadata {
if rpcCause == nil {
return ftypes.CauseMetadata{}
}
return ftypes.CauseMetadata{
Resource: rpcCause.Resource,
Provider: rpcCause.Provider,
Service: rpcCause.Service,
StartLine: int(rpcCause.StartLine),
EndLine: int(rpcCause.EndLine),
Code: ConvertFromRPCCode(rpcCause.Code),
} }
} }
@@ -518,14 +580,10 @@ func ConvertFromRPCMisconfResults(rpcResults []*common.MisconfResult) []ftypes.M
var results []ftypes.MisconfResult var results []ftypes.MisconfResult
for _, r := range rpcResults { for _, r := range rpcResults {
results = append(results, ftypes.MisconfResult{ results = append(results, ftypes.MisconfResult{
Namespace: r.Namespace, Namespace: r.Namespace,
Message: r.Message, Message: r.Message,
PolicyMetadata: ftypes.PolicyMetadata{ PolicyMetadata: ConvertFromRPCPolicyMetadata(r.PolicyMetadata),
ID: r.Id, CauseMetadata: ConvertFromRPCCauseMetadata(r.CauseMetadata),
Type: r.Type,
Title: r.Title,
Severity: r.Severity,
},
}) })
} }
return results return results
@@ -603,8 +661,8 @@ func ConvertToRPCArtifactInfo(imageID string, imageInfo ftypes.ArtifactInfo) *ca
} }
} }
// ConvertToRPCBlobInfo returns PutBlobRequest // ConvertToRPCPutBlobRequest returns PutBlobRequest
func ConvertToRPCBlobInfo(diffID string, blobInfo ftypes.BlobInfo) *cache.PutBlobRequest { func ConvertToRPCPutBlobRequest(diffID string, blobInfo ftypes.BlobInfo) *cache.PutBlobRequest {
var packageInfos []*common.PackageInfo var packageInfos []*common.PackageInfo
for _, pkgInfo := range blobInfo.PackageInfos { for _, pkgInfo := range blobInfo.PackageInfos {
packageInfos = append(packageInfos, &common.PackageInfo{ packageInfos = append(packageInfos, &common.PackageInfo{
@@ -677,12 +735,10 @@ func ConvertToMisconfResults(results []ftypes.MisconfResult) []*common.MisconfRe
var rpcResults []*common.MisconfResult var rpcResults []*common.MisconfResult
for _, r := range results { for _, r := range results {
rpcResults = append(rpcResults, &common.MisconfResult{ rpcResults = append(rpcResults, &common.MisconfResult{
Namespace: r.Namespace, Namespace: r.Namespace,
Message: r.Message, Message: r.Message,
Id: r.ID, PolicyMetadata: ConvertToRPCPolicyMetadata(r.PolicyMetadata),
Type: r.Type, CauseMetadata: ConvertToRPCCauseMetadata(r.CauseMetadata),
Title: r.Title,
Severity: r.Severity,
}) })
} }
return rpcResults return rpcResults
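Review bot: The new PolicyMetadata identifier field is spelled `adv_id` in the proto (generated accessor `AdvId`, used at `AdvId: policy.AVDID` in ConvertToRPCPolicyMetadata and `AVDID: rpcPolicy.AdvId` in ConvertFromRPCPolicyMetadata) while DetectedMisconfiguration names the same value `avd_id`/`AvdId`; proto field names also become the JSON name on the wire, so renaming later is a compatibility break and is cheapest to fix in the rpc/common/service.proto section of this commit before it ships. The four new exported converters (ConvertToRPCPolicyMetadata, ConvertToRPCCauseMetadata, ConvertFromRPCPolicyMetadata, ConvertFromRPCCauseMetadata) also lack the doc comments the file gives their siblings, e.g. `// ConvertToRPCCauseMetadata returns common.CauseMetadata` and `// ConvertFromRPCCauseMetadata returns ftypes.CauseMetadata, or the zero value when rpcCause is nil`.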


@@ -465,3 +465,207 @@ func TestConvertFromRPCResults(t *testing.T) {
}) })
} }
} }
func TestConvertFromRPCMisconfs(t *testing.T) {
type args struct {
misconfs []*common.DetectedMisconfiguration
}
tests := []struct {
name string
args args
want []types.DetectedMisconfiguration
}{
{
name: "happy path misconf",
args: args{misconfs: []*common.DetectedMisconfiguration{
{
Type: "Dockerfile Security Check",
Id: "DS005",
AvdId: "AVD-DS-0005",
Title: "ADD instead of COPY",
Description: "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.",
Message: "Consider using 'COPY . /app' command instead of 'ADD . /app'",
Namespace: "builtin.dockerfile.DS005",
Query: "data.builtin.dockerfile.DS005.deny",
Resolution: "Use COPY instead of ADD",
Severity: common.Severity_LOW,
PrimaryUrl: "https://avd.aquasec.com/misconfig/ds005",
References: []string{
"https://docs.docker.com/engine/reference/builder/#add",
"https://avd.aquasec.com/misconfig/ds005",
},
Status: "FAIL",
Layer: &common.Layer{},
CauseMetadata: &common.CauseMetadata{
Provider: "Dockerfile",
Service: "general",
StartLine: 3,
EndLine: 3,
Code: &common.Code{
Lines: []*common.Line{
{
Number: 3,
Content: "ADD . /app",
IsCause: true,
Annotation: "",
Truncated: false,
FirstCause: true,
LastCause: true,
},
},
},
},
},
}},
want: []types.DetectedMisconfiguration{
{
Type: "Dockerfile Security Check",
ID: "DS005",
AVDID: "AVD-DS-0005",
Title: "ADD instead of COPY",
Description: "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.",
Message: "Consider using 'COPY . /app' command instead of 'ADD . /app'",
Namespace: "builtin.dockerfile.DS005",
Query: "data.builtin.dockerfile.DS005.deny",
Resolution: "Use COPY instead of ADD",
Severity: "LOW",
PrimaryURL: "https://avd.aquasec.com/misconfig/ds005",
References: []string{
"https://docs.docker.com/engine/reference/builder/#add",
"https://avd.aquasec.com/misconfig/ds005",
},
Status: "FAIL",
Layer: ftypes.Layer{},
CauseMetadata: ftypes.CauseMetadata{
Provider: "Dockerfile",
Service: "general",
StartLine: 3,
EndLine: 3,
Code: ftypes.Code{
Lines: []ftypes.Line{
{
Number: 3,
Content: "ADD . /app",
IsCause: true,
Annotation: "",
Truncated: false,
FirstCause: true,
LastCause: true,
},
},
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := ConvertFromRPCMisconfs(tt.args.misconfs)
assert.Equal(t, tt.want, got, tt.name)
})
}
}
func TestConvertToRPCMiconfs(t *testing.T) {
type args struct {
misconfs []types.DetectedMisconfiguration
}
tests := []struct {
name string
args args
want []*common.DetectedMisconfiguration
}{
{
name: "happy path misconf",
args: args{misconfs: []types.DetectedMisconfiguration{
{
Type: "Dockerfile Security Check",
ID: "DS005",
AVDID: "AVD-DS-0005",
Title: "ADD instead of COPY",
Description: "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.",
Message: "Consider using 'COPY . /app' command instead of 'ADD . /app'",
Namespace: "builtin.dockerfile.DS005",
Query: "data.builtin.dockerfile.DS005.deny",
Resolution: "Use COPY instead of ADD",
Severity: "LOW",
PrimaryURL: "https://avd.aquasec.com/misconfig/ds005",
References: []string{
"https://docs.docker.com/engine/reference/builder/#add",
"https://avd.aquasec.com/misconfig/ds005",
},
Status: "FAIL",
Layer: ftypes.Layer{},
CauseMetadata: ftypes.CauseMetadata{
Provider: "Dockerfile",
Service: "general",
StartLine: 3,
EndLine: 3,
Code: ftypes.Code{
Lines: []ftypes.Line{
{
Number: 3,
Content: "ADD . /app",
IsCause: true,
Annotation: "",
Truncated: false,
FirstCause: true,
LastCause: true,
},
},
},
},
},
}},
want: []*common.DetectedMisconfiguration{
{
Type: "Dockerfile Security Check",
Id: "DS005",
AvdId: "AVD-DS-0005",
Title: "ADD instead of COPY",
Description: "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.",
Message: "Consider using 'COPY . /app' command instead of 'ADD . /app'",
Namespace: "builtin.dockerfile.DS005",
Query: "data.builtin.dockerfile.DS005.deny",
Resolution: "Use COPY instead of ADD",
Severity: common.Severity_LOW,
PrimaryUrl: "https://avd.aquasec.com/misconfig/ds005",
References: []string{
"https://docs.docker.com/engine/reference/builder/#add",
"https://avd.aquasec.com/misconfig/ds005",
},
Status: "FAIL",
Layer: &common.Layer{},
CauseMetadata: &common.CauseMetadata{
Provider: "Dockerfile",
Service: "general",
StartLine: 3,
EndLine: 3,
Code: &common.Code{
Lines: []*common.Line{
{
Number: 3,
Content: "ADD . /app",
IsCause: true,
Annotation: "",
Truncated: false,
FirstCause: true,
LastCause: true,
},
},
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := ConvertToRPCMisconfs(tt.args.misconfs)
assert.Equal(t, tt.want, got, tt.name)
})
}
}
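Review bot: Neither new test exercises the nil guards that the converters now depend on — ConvertFromRPCCauseMetadata returns a zero value when the RPC message omits `CauseMetadata`, which is exactly what a response from an older server lacking the new field would look like, and ConvertFromRPCLayer appears to do the same for `Layer`. A second case in TestConvertFromRPCMisconfs with `Layer` and `CauseMetadata` left unset, expecting `ftypes.Layer{}` and `ftypes.CauseMetadata{}`, would pin that path; ConvertFromRPCMisconfResults, which this commit also rewires onto ConvertFromRPCPolicyMetadata, is not covered at all. The name of the second test function is misspelled: `func TestConvertToRPCMiconfs(t *testing.T) {` should read `func TestConvertToRPCMisconfs(t *testing.T) {`.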



@@ -65,25 +65,39 @@ message Misconfiguration {
message MisconfResult { message MisconfResult {
string namespace = 1; string namespace = 1;
string message = 2; string message = 2;
string type = 3; reserved 3 to 6;
string id = 4; reserved "type", "id", "title", "severity";
string title = 5; PolicyMetadata policy_metadata = 7;
string severity = 6; CauseMetadata cause_metadata = 8;
}
message PolicyMetadata {
string id = 1;
string adv_id = 2;
string type = 3;
string title = 4;
string description = 5;
string severity = 6;
string recommended_actions = 7;
repeated string references = 8;
} }
message DetectedMisconfiguration { message DetectedMisconfiguration {
string type = 1; string type = 1;
string id = 2; string id = 2;
string title = 3; string title = 3;
string description = 4; string description = 4;
string message = 5; string message = 5;
string namespace = 6; string namespace = 6;
string resolution = 7; string resolution = 7;
Severity severity = 8; Severity severity = 8;
string primary_url = 9; string primary_url = 9;
repeated string references = 10; repeated string references = 10;
string status = 11; string status = 11;
Layer layer = 12; Layer layer = 12;
CauseMetadata cause_metadata = 13;
string avd_id = 14;
string query = 15;
} }
message Vulnerability { message Vulnerability {
@@ -124,6 +138,15 @@ message Layer {
string created_by = 3; string created_by = 3;
} }
message CauseMetadata {
string resource = 1;
string provider = 2;
string service = 3;
int32 start_line = 4;
int32 end_line = 5;
Code code = 6;
}
enum Severity { enum Severity {
UNKNOWN = 0; UNKNOWN = 0;
LOW = 1; LOW = 1;