feat(misconf): Support private registries for misconf check bundle (#6327)
@@ -69,7 +69,7 @@ func (s *AWSScanner) Scan(ctx context.Context, option flag.Options) (scan.Result
|
|||||||
var policyPaths []string
|
var policyPaths []string
|
||||||
var downloadedPolicyPaths []string
|
var downloadedPolicyPaths []string
|
||||||
var err error
|
var err error
|
||||||
downloadedPolicyPaths, err = operation.InitBuiltinPolicies(context.Background(), option.CacheDir, option.Quiet, option.SkipPolicyUpdate, option.MisconfOptions.PolicyBundleRepository)
|
downloadedPolicyPaths, err = operation.InitBuiltinPolicies(context.Background(), option.CacheDir, option.Quiet, option.SkipPolicyUpdate, option.MisconfOptions.PolicyBundleRepository, option.RegistryOpts())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if !option.SkipPolicyUpdate {
|
if !option.SkipPolicyUpdate {
|
||||||
log.Logger.Errorf("Falling back to embedded policies: %s", err)
|
log.Logger.Errorf("Falling back to embedded policies: %s", err)
|
||||||
|
|||||||
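Review bot: The new call still passes `context.Background()` even though Scan receives `ctx` (visible in the hunk header), so the registry round-trips that InitBuiltinPolicies now performs with `option.RegistryOpts()` cannot be cancelled or deadlined by the caller. Since InitBuiltinPolicies already threads its ctx down to `client.NeedsUpdate` and `client.DownloadBuiltinPolicies`, the fix is one token: `downloadedPolicyPaths, err = operation.InitBuiltinPolicies(ctx, option.CacheDir, option.Quiet, option.SkipPolicyUpdate, option.MisconfOptions.PolicyBundleRepository, option.RegistryOpts())`. initScannerConfig in the next hunk has the same pattern, but its visible signature has no ctx, so one would have to be plumbed in first. The enclosing Scan function starts and ends outside the hunk.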
@@ -584,7 +584,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
|
|||||||
|
|
||||||
var downloadedPolicyPaths []string
|
var downloadedPolicyPaths []string
|
||||||
var disableEmbedded bool
|
var disableEmbedded bool
|
||||||
downloadedPolicyPaths, err := operation.InitBuiltinPolicies(context.Background(), opts.CacheDir, opts.Quiet, opts.SkipPolicyUpdate, opts.MisconfOptions.PolicyBundleRepository)
|
downloadedPolicyPaths, err := operation.InitBuiltinPolicies(context.Background(), opts.CacheDir, opts.Quiet, opts.SkipPolicyUpdate, opts.MisconfOptions.PolicyBundleRepository, opts.RegistryOpts())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if !opts.SkipPolicyUpdate {
|
if !opts.SkipPolicyUpdate {
|
||||||
log.Logger.Errorf("Falling back to embedded policies: %s", err)
|
log.Logger.Errorf("Falling back to embedded policies: %s", err)
|
||||||
|
|||||||
@@ -148,7 +148,7 @@ func showDBInfo(cacheDir string) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// InitBuiltinPolicies downloads the built-in policies and loads them
|
// InitBuiltinPolicies downloads the built-in policies and loads them
|
||||||
func InitBuiltinPolicies(ctx context.Context, cacheDir string, quiet, skipUpdate bool, policyBundleRepository string) ([]string, error) {
|
func InitBuiltinPolicies(ctx context.Context, cacheDir string, quiet, skipUpdate bool, policyBundleRepository string, registryOpts ftypes.RegistryOptions) ([]string, error) {
|
||||||
mu.Lock()
|
mu.Lock()
|
||||||
defer mu.Unlock()
|
defer mu.Unlock()
|
||||||
|
|
||||||
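Review bot: The doc comment on InitBuiltinPolicies is unchanged while the signature gains `registryOpts ftypes.RegistryOptions`, so a caller cannot tell from the docs what the options are for or when they are consulted. Suggest `// InitBuiltinPolicies downloads the built-in policies and loads them. registryOpts is passed through to the OCI client when checking for and downloading the policy bundle, which is how a bundle hosted on a private registry is reached.` The function body continues past the hunk.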
@@ -159,7 +159,7 @@ func InitBuiltinPolicies(ctx context.Context, cacheDir string, quiet, skipUpdate
|
|||||||
|
|
||||||
needsUpdate := false
|
needsUpdate := false
|
||||||
if !skipUpdate {
|
if !skipUpdate {
|
||||||
needsUpdate, err = client.NeedsUpdate(ctx)
|
needsUpdate, err = client.NeedsUpdate(ctx, registryOpts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, xerrors.Errorf("unable to check if built-in policies need to be updated: %w", err)
|
return nil, xerrors.Errorf("unable to check if built-in policies need to be updated: %w", err)
|
||||||
}
|
}
|
||||||
@@ -168,7 +168,7 @@ func InitBuiltinPolicies(ctx context.Context, cacheDir string, quiet, skipUpdate
|
|||||||
if needsUpdate {
|
if needsUpdate {
|
||||||
log.Logger.Info("Need to update the built-in policies")
|
log.Logger.Info("Need to update the built-in policies")
|
||||||
log.Logger.Info("Downloading the built-in policies...")
|
log.Logger.Info("Downloading the built-in policies...")
|
||||||
if err = client.DownloadBuiltinPolicies(ctx); err != nil {
|
if err = client.DownloadBuiltinPolicies(ctx, registryOpts); err != nil {
|
||||||
return nil, xerrors.Errorf("failed to download built-in policies: %w", err)
|
return nil, xerrors.Errorf("failed to download built-in policies: %w", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -89,10 +89,10 @@ func NewClient(cacheDir string, quiet bool, policyBundleRepo string, opts ...Opt
|
|||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Client) populateOCIArtifact() error {
|
func (c *Client) populateOCIArtifact(registryOpts types.RegistryOptions) error {
|
||||||
if c.artifact == nil {
|
if c.artifact == nil {
|
||||||
log.Logger.Debugf("Using URL: %s to load policy bundle", c.policyBundleRepo)
|
log.Logger.Debugf("Using URL: %s to load policy bundle", c.policyBundleRepo)
|
||||||
art, err := oci.NewArtifact(c.policyBundleRepo, c.quiet, types.RegistryOptions{})
|
art, err := oci.NewArtifact(c.policyBundleRepo, c.quiet, registryOpts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return xerrors.Errorf("OCI artifact error: %w", err)
|
return xerrors.Errorf("OCI artifact error: %w", err)
|
||||||
}
|
}
|
||||||
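Review bot: populateOCIArtifact now takes registryOpts but only uses them inside the `if c.artifact == nil` guard, so the options supplied on the first call are the ones that take effect and any different options on a later call from NeedsUpdate or DownloadBuiltinPolicies are silently ignored (the assignment of `c.artifact` presumably sits just past the hunk). That is fine if every caller passes the same options for the client's lifetime, but it deserves a comment at the top of the function such as `// registryOpts only take effect when the artifact is first created; later calls reuse c.artifact.` Alternatively, capturing the options once in NewClient rather than per call would make the mismatch impossible to express.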
@@ -102,8 +102,8 @@ func (c *Client) populateOCIArtifact() error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// DownloadBuiltinPolicies download default policies from GitHub Pages
|
// DownloadBuiltinPolicies download default policies from GitHub Pages
|
||||||
func (c *Client) DownloadBuiltinPolicies(ctx context.Context) error {
|
func (c *Client) DownloadBuiltinPolicies(ctx context.Context, registryOpts types.RegistryOptions) error {
|
||||||
if err := c.populateOCIArtifact(); err != nil {
|
if err := c.populateOCIArtifact(registryOpts); err != nil {
|
||||||
return xerrors.Errorf("OPA bundle error: %w", err)
|
return xerrors.Errorf("OPA bundle error: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
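Review bot: The doc comment at the top of the hunk still says the policies are downloaded `from GitHub Pages`, which the code it documents contradicts: the bundle is fetched as an OCI artifact from `c.policyBundleRepo`, now with caller-supplied registryOpts. Suggest `// DownloadBuiltinPolicies downloads the default policy bundle as an OCI artifact from the configured repository, using registryOpts to reach private registries.` The function body continues past the hunk.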
@@ -154,7 +154,7 @@ func (c *Client) LoadBuiltinPolicies() ([]string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// NeedsUpdate returns if the default policy should be updated
|
// NeedsUpdate returns if the default policy should be updated
|
||||||
func (c *Client) NeedsUpdate(ctx context.Context) (bool, error) {
|
func (c *Client) NeedsUpdate(ctx context.Context, registryOpts types.RegistryOptions) (bool, error) {
|
||||||
meta, err := c.GetMetadata()
|
meta, err := c.GetMetadata()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return true, nil
|
return true, nil
|
||||||
@@ -165,7 +165,7 @@ func (c *Client) NeedsUpdate(ctx context.Context) (bool, error) {
|
|||||||
return false, nil
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = c.populateOCIArtifact(); err != nil {
|
if err = c.populateOCIArtifact(registryOpts); err != nil {
|
||||||
return false, xerrors.Errorf("OPA bundle error: %w", err)
|
return false, xerrors.Errorf("OPA bundle error: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -264,7 +264,7 @@ func TestClient_NeedsUpdate(t *testing.T) {
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
// Assert results
|
// Assert results
|
||||||
got, err := c.NeedsUpdate(context.Background())
|
got, err := c.NeedsUpdate(context.Background(), ftypes.RegistryOptions{})
|
||||||
assert.Equal(t, tt.wantErr, err != nil)
|
assert.Equal(t, tt.wantErr, err != nil)
|
||||||
assert.Equal(t, tt.want, got)
|
assert.Equal(t, tt.want, got)
|
||||||
})
|
})
|
||||||
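Review bot: Both test updates pass `ftypes.RegistryOptions{}`, so the only thing the suite verifies about the new parameter is that the zero value compiles; nothing exercises non-empty options reaching `oci.NewArtifact`. In TestClient_DownloadBuiltinPolicies (next hunk) the client is built with `policy.WithOCIArtifact(art)`, which bypasses the constructor path in populateOCIArtifact entirely, and TestClient_NeedsUpdate presumably does the same. A case that builds the client without the injected artifact and checks that a non-zero RegistryOptions is forwarded would pin the private-registry behaviour this commit adds.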
@@ -367,7 +367,7 @@ func TestClient_DownloadBuiltinPolicies(t *testing.T) {
|
|||||||
c, err := policy.NewClient(tempDir, true, "", policy.WithClock(tt.clock), policy.WithOCIArtifact(art))
|
c, err := policy.NewClient(tempDir, true, "", policy.WithClock(tt.clock), policy.WithOCIArtifact(art))
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
err = c.DownloadBuiltinPolicies(context.Background())
|
err = c.DownloadBuiltinPolicies(context.Background(), ftypes.RegistryOptions{})
|
||||||
if tt.wantErr != "" {
|
if tt.wantErr != "" {
|
||||||
require.NotNil(t, err)
|
require.NotNil(t, err)
|
||||||
assert.Contains(t, err.Error(), tt.wantErr)
|
assert.Contains(t, err.Error(), tt.wantErr)
|
||||||
|
|||||||