fix(aws): resolve endpoint if endpoint is passed (#4925)
* fix(aws): resolve the custom endpoint when fetching the caller identity, if one is passed
* resolve the endpoint for AMI and EBS scanning as well
* return an error if the AWS region is missing
8
go.mod
8
go.mod
@@ -61,7 +61,7 @@ require (
|
||||
github.com/magefile/mage v1.15.0
|
||||
github.com/mailru/easyjson v0.7.7
|
||||
github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
|
||||
github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3
|
||||
github.com/masahiro331/go-ebs-file v0.0.0-20230228042409-005c81d4ae43
|
||||
github.com/masahiro331/go-ext4-filesystem v0.0.0-20230612143131-27ccd485b7a1
|
||||
github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
|
||||
github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
|
||||
@@ -161,7 +161,7 @@ require (
|
||||
github.com/aws/aws-sdk-go-v2/service/codebuild v1.19.17 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/docdb v1.19.11 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.7 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/ebs v1.15.19 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/ebs v1.18.1 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/ecs v1.28.1 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/efs v1.20.3 // indirect
|
||||
@@ -188,8 +188,8 @@ require (
|
||||
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.2 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/sns v1.20.10 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/sqs v1.20.6 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.12.10 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.13.1 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.1 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/service/workspaces v1.23.0 // indirect
|
||||
github.com/aws/smithy-go v1.14.0 // indirect
|
||||
github.com/beorn7/perks v1.0.1 // indirect
|
||||
|
||||
14
go.sum
14
go.sum
@@ -430,8 +430,8 @@ github.com/aws/aws-sdk-go-v2/service/docdb v1.19.11 h1:+jNOF3BdrSwCHWHU+lXYR78DC
|
||||
github.com/aws/aws-sdk-go-v2/service/docdb v1.19.11/go.mod h1:p2/C5LVvGstUjTb0z0qQNDf356iVEDrAMOvFJAkJQbA=
|
||||
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.7 h1:/TwGWNd3vnjXaPMau8eY7s5j6Afe4WxnRfIB64r4jEk=
|
||||
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.17.7/go.mod h1:BiglbKCG56L8tmMnUEyEQo422BO9xnNR8vVHnOsByf8=
|
||||
github.com/aws/aws-sdk-go-v2/service/ebs v1.15.19 h1:6S06aB1xyXs3C9RE5RyJROw1v1ByXGHo/cxTZ13VRp0=
|
||||
github.com/aws/aws-sdk-go-v2/service/ebs v1.15.19/go.mod h1:pJhytP5qZaPIqCF2BewXttD4bc29KIPm6LMSIBhMCFI=
|
||||
github.com/aws/aws-sdk-go-v2/service/ebs v1.18.1 h1:iUgGXA8fg41B4Of0F+BS766SRQ7c8rr5jtka8RgaocQ=
|
||||
github.com/aws/aws-sdk-go-v2/service/ebs v1.18.1/go.mod h1:9n0SC5yHomD8IjsR37+/txpdfNdpGSgV1RzmsTHrbWg=
|
||||
github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0 h1:WblDV33AG9dhv0zFEPEmGtD5UECSNpKMxtdENULfR8M=
|
||||
github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0/go.mod h1:L3ZT0N/vBsw77mOAawXmRnREpEjcHd2v5Hzf7AkIH8M=
|
||||
github.com/aws/aws-sdk-go-v2/service/ecr v1.17.18 h1:uiF/RI+Up8H2xdgT2GWa20YzxiKEalHieqNjm6HC3Xk=
|
||||
@@ -491,10 +491,12 @@ github.com/aws/aws-sdk-go-v2/service/sns v1.20.10 h1:pJ/iXyg9aD5Hg2FRHQjrWPDyabs
|
||||
github.com/aws/aws-sdk-go-v2/service/sns v1.20.10/go.mod h1:WjBcrd28zNbbuAcIRO/n89sSeOxTuOZPiuxNXU/2WrI=
|
||||
github.com/aws/aws-sdk-go-v2/service/sqs v1.20.6 h1:4P/vyx7zCI5yBhlDZ2kwhoLjMJi0X7iR3cxqjNfbego=
|
||||
github.com/aws/aws-sdk-go-v2/service/sqs v1.20.6/go.mod h1:HQHh1eChX10zDnGmD53WLYk8nPhUKO/JkAUUzDZ530Y=
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.12.10 h1:UBQjaMTCKwyUYwiVnUt6toEJwGXsLBI6al083tpjJzY=
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.12.10/go.mod h1:ouy2P4z6sJN70fR3ka3wD3Ro3KezSxU6eKGQI2+2fjI=
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10 h1:PkHIIJs8qvq0e5QybnZoG1K/9QTrLr9OsqCIo59jOBA=
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.13.1 h1:DSNpSbfEgFXRV+IfEcKE5kTbqxm+MeF5WgyeRlsLnHY=
|
||||
github.com/aws/aws-sdk-go-v2/service/sso v1.13.1/go.mod h1:TC9BubuFMVScIU+TLKamO6VZiYTkYoEHqlSQwAe2omw=
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10/go.mod h1:AFvkxc8xfBe8XA+5St5XIHHrQQtkxqrRincx4hmMHOk=
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.1 h1:hd0SKLMdOL/Sl6Z0np1PX9LeH2gqNtBe0MhTedA8MGI=
|
||||
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.1/go.mod h1:XO/VcyoQ8nKyKfFW/3DMsRQXsfh/052tHTWmg3xBXRg=
|
||||
github.com/aws/aws-sdk-go-v2/service/sts v1.19.0/go.mod h1:BgQOMsg8av8jset59jelyPW7NoZcZXLVpDsXunGDrk8=
|
||||
github.com/aws/aws-sdk-go-v2/service/sts v1.21.0 h1:HI1YIL5Q9FtucxF5tcNpzCEyLnkeUcqg6xtOx8u09S4=
|
||||
github.com/aws/aws-sdk-go-v2/service/sts v1.21.0/go.mod h1:G8SbvL0rFk4WOJroU8tKBczhsbhj2p/YY7qeJezJ3CI=
|
||||
@@ -1277,8 +1279,8 @@ github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kN
|
||||
github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho=
|
||||
github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac h1:QyRucnGOLHJag1eB9CtuZwZk+/LpvTSYr5mnFLLFlgA=
|
||||
github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac/go.mod h1:J7Vb0sf0JzOhT0uHTeCqO6dqP/ELVcQvQ6yQ/56ZRGw=
|
||||
github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3 h1:CCX8exCYIPHrMKba1KDhM37PxC3/amBUZXH8yoJOAMQ=
|
||||
github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3/go.mod h1:5NOkqebMwu8UiOTSjwqam1Ykdr7fci52TVE2xDQnIiM=
|
||||
github.com/masahiro331/go-ebs-file v0.0.0-20230228042409-005c81d4ae43 h1:umYrurEClKuDjU29DKNNPmnWJNt4mnR0fWLOpWsDg0M=
|
||||
github.com/masahiro331/go-ebs-file v0.0.0-20230228042409-005c81d4ae43/go.mod h1:5NOkqebMwu8UiOTSjwqam1Ykdr7fci52TVE2xDQnIiM=
|
||||
github.com/masahiro331/go-ext4-filesystem v0.0.0-20230612143131-27ccd485b7a1 h1:jQ0px48V+wp35FSimlg9e/bB8XSrBz0SxPLbnYCq6/4=
|
||||
github.com/masahiro331/go-ext4-filesystem v0.0.0-20230612143131-27ccd485b7a1/go.mod h1:3XMMY1M486mWGTD13WPItg6FsgflQR72ZMAkd+gsyoQ=
|
||||
github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08 h1:AevUBW4cc99rAF8q8vmddIP8qd/0J5s/UyltGbp66dg=
|
||||
|
||||
@@ -32,7 +32,7 @@ func TestAwsCommandRun(t *testing.T) {
|
||||
"AWS_ACCESS_KEY_ID": "test",
|
||||
"AWS_SECRET_ACCESS_KEY": "test",
|
||||
},
|
||||
wantErr: "Invalid Configuration: Missing Region",
|
||||
wantErr: "aws region is required",
|
||||
},
|
||||
{
|
||||
name: "fail without creds",
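Review bot: The updated expectation at `wantErr: "aws region is required"` only covers the region-missing path; nothing in this hunk exercises the new endpoint parameter that the commit threads into `getAccountIDAndRegion`. A case that sets a region plus a custom endpoint (for example an unreachable `http://127.0.0.1:1` URL) would at least prove the endpoint resolver is wired in, since the identity call would then fail with a connection error to that host rather than against real AWS. The surrounding test table starts and ends outside the hunk, so it may already contain such a case.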
|
||||
|
||||
@@ -5,7 +5,6 @@ import (
|
||||
"errors"
|
||||
"strings"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/config"
|
||||
"github.com/aws/aws-sdk-go-v2/service/sts"
|
||||
"golang.org/x/exp/slices"
|
||||
"golang.org/x/xerrors"
|
||||
@@ -13,6 +12,7 @@ import (
|
||||
"github.com/aquasecurity/defsec/pkg/errs"
|
||||
awsScanner "github.com/aquasecurity/defsec/pkg/scanners/cloud/aws"
|
||||
"github.com/aquasecurity/trivy/pkg/cloud"
|
||||
"github.com/aquasecurity/trivy/pkg/cloud/aws/config"
|
||||
"github.com/aquasecurity/trivy/pkg/cloud/aws/scanner"
|
||||
"github.com/aquasecurity/trivy/pkg/cloud/report"
|
||||
"github.com/aquasecurity/trivy/pkg/commands/operation"
|
||||
@@ -22,16 +22,13 @@ import (
|
||||
|
||||
var allSupportedServicesFunc = awsScanner.AllSupportedServices
|
||||
|
||||
func getAccountIDAndRegion(ctx context.Context, region string) (string, string, error) {
|
||||
func getAccountIDAndRegion(ctx context.Context, region, endpoint string) (string, string, error) {
|
||||
log.Logger.Debug("Looking for AWS credentials provider...")
|
||||
|
||||
cfg, err := config.LoadDefaultConfig(context.TODO())
|
||||
cfg, err := config.LoadDefaultAWSConfig(ctx, region, endpoint)
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
if region != "" {
|
||||
cfg.Region = region
|
||||
}
|
||||
|
||||
svc := sts.NewFromConfig(cfg)
|
||||
|
||||
@@ -82,7 +79,7 @@ func processOptions(ctx context.Context, opt *flag.Options) error {
|
||||
|
||||
if opt.Account == "" || opt.Region == "" {
|
||||
var err error
|
||||
opt.Account, opt.Region, err = getAccountIDAndRegion(ctx, opt.Region)
|
||||
opt.Account, opt.Region, err = getAccountIDAndRegion(ctx, opt.Region, opt.Endpoint)
|
||||
if err != nil {
|
||||
return err
|
||||
}
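Review bot: `getAccountIDAndRegion` now builds `cfg` from the operator-supplied endpoint and hands it to `sts.NewFromConfig(cfg)`, so the SigV4-signed `GetCallerIdentity` request, including any session token in its headers, is sent to whatever URL `endpoint` names; neither this function nor `LoadDefaultAWSConfig` checks the scheme or host, and a plain `http://` value would put the signed request on the wire in cleartext. That is a reasonable trade-off for a CLI flag, but it should be stated, e.g. `// getAccountIDAndRegion resolves the caller's account ID (and the effective region) via STS GetCallerIdentity. A non-empty endpoint redirects that signed call to the given URL, so it must name a trusted host.` Note also that `processOptions` only reaches this function when `opt.Account` or `opt.Region` is empty, so with both flags set the endpoint is never contacted here. The body of `getAccountIDAndRegion` continues past the hunk.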
|
||||
|
||||
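--- /dev/null
+++ b/pkg/cloud/aws/config/config.go
@@ -0,0 +1,47 @@
+package config
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awsconfig "github.com/aws/aws-sdk-go-v2/config"
+	"golang.org/x/xerrors"
+)
+
+func EndpointResolver(endpoint string) aws.EndpointResolverWithOptionsFunc {
+	return aws.EndpointResolverWithOptionsFunc(func(_, reg string, options ...interface{}) (aws.Endpoint, error) {
+		return aws.Endpoint{
+			PartitionID:   "aws",
+			URL:           endpoint,
+			SigningRegion: reg,
+			Source:        aws.EndpointSourceCustom,
+		}, nil
+	})
+}
+
+func MakeAWSOptions(region, endpoint string) []func(*awsconfig.LoadOptions) error {
+	var options []func(*awsconfig.LoadOptions) error
+
+	if region != "" {
+		options = append(options, awsconfig.WithRegion(region))
+	}
+
+	if endpoint != "" {
+		options = append(options, awsconfig.WithEndpointResolverWithOptions(EndpointResolver(endpoint)))
+	}
+
+	return options
+}
+
+func LoadDefaultAWSConfig(ctx context.Context, region, endpoint string) (aws.Config, error) {
+	cfg, err := awsconfig.LoadDefaultConfig(ctx, MakeAWSOptions(region, endpoint)...)
+	if err != nil {
+		return aws.Config{}, xerrors.Errorf("aws config load error: %w", err)
+	}
+
+	if cfg.Region == "" {
+		return aws.Config{}, xerrors.New("aws region is required")
+	}
+
+	return cfg, nil
+}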
||||
@@ -641,6 +641,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
|
||||
//Platform: opts.Platform,
|
||||
Slow: opts.Slow,
|
||||
AWSRegion: opts.Region,
|
||||
AWSEndpoint: opts.Endpoint,
|
||||
FileChecksum: fileChecksum,
|
||||
|
||||
// For image scanning
|
||||
|
||||
@@ -25,6 +25,7 @@ type Option struct {
|
||||
RekorURL string
|
||||
Slow bool // Lower CPU and memory
|
||||
AWSRegion string
|
||||
AWSEndpoint string
|
||||
FileChecksum bool // For SPDX
|
||||
|
||||
// Git repositories
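Review bot: The new `AWSEndpoint` field is the only AWS-related member of `Option` without a trailing comment, while its neighbours (`Slow`, `FileChecksum`) document their purpose inline; a reader cannot tell from the field whether an empty value is an error or a fallback. Suggest `AWSEndpoint string // Custom AWS API endpoint URL; empty keeps the SDK's default resolution`, which matches how `MakeAWSOptions` only installs a resolver for a non-empty value. The `Option` struct starts and ends outside the hunk.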
|
||||
|
||||
@@ -3,10 +3,10 @@ package vm
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/aquasecurity/trivy/pkg/cloud/aws/config"
|
||||
"github.com/aquasecurity/trivy/pkg/fanal/types"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
"github.com/aws/aws-sdk-go-v2/config"
|
||||
"github.com/aws/aws-sdk-go-v2/service/ec2"
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
@@ -19,15 +19,12 @@ type AMI struct {
|
||||
imageID string
|
||||
}
|
||||
|
||||
func newAMI(imageID string, storage Storage, region string) (*AMI, error) {
|
||||
func newAMI(imageID string, storage Storage, region, endpoint string) (*AMI, error) {
|
||||
// TODO: propagate context
|
||||
ctx := context.TODO()
|
||||
cfg, err := config.LoadDefaultConfig(ctx)
|
||||
cfg, err := config.LoadDefaultAWSConfig(ctx, region, endpoint)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("aws config load error: %w", err)
|
||||
}
|
||||
if region != "" {
|
||||
cfg.Region = region
|
||||
return nil, err
|
||||
}
|
||||
client := ec2.NewFromConfig(cfg)
|
||||
output, err := client.DescribeImages(ctx, &ec2.DescribeImagesInput{
|
||||
@@ -46,7 +43,7 @@ func newAMI(imageID string, storage Storage, region string) (*AMI, error) {
|
||||
continue
|
||||
}
|
||||
log.Logger.Infof("Snapshot %s found", snapshotID)
|
||||
ebs, err := newEBS(snapshotID, storage, region)
|
||||
ebs, err := newEBS(snapshotID, storage, region, endpoint)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("new EBS error: %w", err)
|
||||
}
|
||||
|
||||
@@ -8,6 +8,7 @@ import (
|
||||
ebsfile "github.com/masahiro331/go-ebs-file"
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
"github.com/aquasecurity/trivy/pkg/cloud/aws/config"
|
||||
"github.com/aquasecurity/trivy/pkg/fanal/cache"
|
||||
"github.com/aquasecurity/trivy/pkg/fanal/types"
|
||||
"github.com/aquasecurity/trivy/pkg/log"
|
||||
@@ -24,10 +25,9 @@ type EBS struct {
|
||||
ebs ebsfile.EBSAPI
|
||||
}
|
||||
|
||||
func newEBS(snapshotID string, vm Storage, region string) (*EBS, error) {
|
||||
ebs, err := ebsfile.New(ebsfile.Option{
|
||||
AwsRegion: region,
|
||||
})
|
||||
func newEBS(snapshotID string, vm Storage, region, endpoint string) (*EBS, error) {
|
||||
|
||||
ebs, err := ebsfile.New(context.TODO(), config.MakeAWSOptions(region, endpoint)...)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("new ebsfile error: %w", err)
|
||||
}
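Review bot: `newEBS` feeds `config.MakeAWSOptions(region, endpoint)` straight into `ebsfile.New`, and `MakeAWSOptions` adds no region option when `region` is empty, so the "aws region is required" check that the commit introduces lives only in `LoadDefaultAWSConfig` and is bypassed on this path; whether `ebsfile.New` performs its own check is not visible here, so a missing region on an EBS scan presumably surfaces later from the SDK with a less clear message. If that is intended, a comment such as `// Region validation is left to ebsfile.New; see LoadDefaultAWSConfig for the AMI/identity paths` would stop the next reader from assuming the two paths behave alike. Minor: the blank line directly after the `newEBS` signature is unusual for this file. The function body continues past the hunk.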
|
||||
|
||||
@@ -143,10 +143,10 @@ func NewArtifact(target string, c cache.ArtifactCache, opt artifact.Option) (art
|
||||
switch targetType {
|
||||
case TypeAMI:
|
||||
target = strings.TrimPrefix(target, TypeAMI.Prefix())
|
||||
return newAMI(target, storage, opt.AWSRegion)
|
||||
return newAMI(target, storage, opt.AWSRegion, opt.AWSEndpoint)
|
||||
case TypeEBS:
|
||||
target = strings.TrimPrefix(target, TypeEBS.Prefix())
|
||||
e, err := newEBS(target, storage, opt.AWSRegion)
|
||||
e, err := newEBS(target, storage, opt.AWSRegion, opt.AWSEndpoint)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("new EBS error: %w", err)
|
||||
}
|
||||
|
||||