Merge branch 'main' into support-cf-params-2

docs/docs/references/configuration/cli/trivy_aws.md

@@ -7,6 +7,7 @@
 Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
 
 The following services are supported:
+
 - accessanalyzer
 - api-gateway
 - athena

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -80,7 +80,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --reset                             remove all caches and database
       --reset-policy-bundle               remove policy bundle
       --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners string                   comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
+      --scanners strings                  comma-separated list of what security issues to detect (vuln,config,secret,rbac) (default [vuln,config,secret,rbac])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
       --skip-db-update                    skip updating vulnerability database

go.mod

@@ -376,7 +376,7 @@ require (
 	google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 // indirect
-	google.golang.org/grpc v1.58.2 // indirect
+	google.golang.org/grpc v1.58.3 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect

go.sum

@@ -2386,8 +2386,8 @@ google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu
 google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.58.2 h1:SXUpjxeVF3FKrTYQI4f4KvbGD5u2xccdYdurwowix5I=
-google.golang.org/grpc v1.58.2/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
+google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ=
+google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=

magefiles/docs.go

@@ -3,6 +3,8 @@
 package main
 
 import (
+	"os"
+
 	"github.com/spf13/cobra/doc"
 
 	"github.com/aquasecurity/trivy/pkg/commands"
@@ -16,6 +18,9 @@ func main() {
 	flag.CacheDirFlag.Default = "/path/to/cache"
 	flag.ModuleDirFlag.Default = "$HOME/.trivy/modules"
 
+	// Set a dummy path not to load plugins
+	os.Setenv("XDG_DATA_HOME", os.TempDir())
+
 	cmd := commands.NewApp()
 	cmd.DisableAutoGenTag = true
 	if err := doc.GenMarkdownTree(cmd, "./docs/docs/references/configuration/cli"); err != nil {

pkg/cloud/aws/commands/run_test.go

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"bytes"
 	"context"
 	"os"
 	"path/filepath"
@@ -1135,8 +1136,8 @@ Summary Report for compliance: my-custom-spec
 				}()
 			}
 
-			output := filepath.Join(t.TempDir(), "output")
-			test.options.Output = output
+			output := bytes.NewBuffer(nil)
+			test.options.SetOutputWriter(output)
 			test.options.Debug = true
 			test.options.GlobalOptions.Timeout = time.Minute
 			if test.options.Format == "" {
@@ -1178,10 +1179,7 @@ Summary Report for compliance: my-custom-spec
 				return
 			}
 			assert.NoError(t, err)
-
-			b, err := os.ReadFile(output)
-			require.NoError(t, err)
-			assert.Equal(t, test.want, string(b))
+			assert.Equal(t, test.want, output.String())
 		})
 	}
 }

pkg/cloud/report/report.go

@@ -59,11 +59,11 @@ func (r *Report) Failed() bool {
 
 // Write writes the results in the give format
 func Write(rep *Report, opt flag.Options, fromCache bool) error {
-	output, err := opt.OutputWriter()
+	output, cleanup, err := opt.OutputWriter()
 	if err != nil {
 		return xerrors.Errorf("failed to create output file: %w", err)
 	}
-	defer output.Close()
+	defer cleanup()
 
 	if opt.Compliance.Spec.ID != "" {
 		return writeCompliance(rep, opt, output)
@@ -104,7 +104,7 @@ func Write(rep *Report, opt flag.Options, fromCache bool) error {
 
 		// ensure color/formatting is disabled for pipes/non-pty
 		var useANSI bool
-		if opt.Output == "" {
+		if output == os.Stdout {
 			if o, err := os.Stdout.Stat(); err == nil {
 				useANSI = (o.Mode() & os.ModeCharDevice) == os.ModeCharDevice
 			}

pkg/cloud/report/resource_test.go

@@ -1,8 +1,7 @@
 package report
 
 import (
-	"os"
-	"path/filepath"
+	"bytes"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -110,18 +109,15 @@ No problems detected.
 				tt.options.AWSOptions.Services,
 			)
 
-			output := filepath.Join(t.TempDir(), "output")
-			tt.options.Output = output
+			output := bytes.NewBuffer(nil)
+			tt.options.SetOutputWriter(output)
 			require.NoError(t, Write(report, tt.options, tt.fromCache))
 
 			assert.Equal(t, "AWS", report.Provider)
 			assert.Equal(t, tt.options.AWSOptions.Account, report.AccountID)
 			assert.Equal(t, tt.options.AWSOptions.Region, report.Region)
 			assert.ElementsMatch(t, tt.options.AWSOptions.Services, report.ServicesInScope)
-
-			b, err := os.ReadFile(output)
-			require.NoError(t, err)
-			assert.Equal(t, tt.expected, string(b))
+			assert.Equal(t, tt.expected, output.String())
 		})
 	}
 }

pkg/cloud/report/result_test.go

@@ -1,8 +1,7 @@
 package report
 
 import (
-	"os"
-	"path/filepath"
+	"bytes"
 	"strings"
 	"testing"
 
@@ -69,18 +68,15 @@ See https://avd.aquasec.com/misconfig/avd-aws-9999
 				tt.options.AWSOptions.Services,
 			)
 
-			output := filepath.Join(t.TempDir(), "output")
-			tt.options.Output = output
+			output := bytes.NewBuffer(nil)
+			tt.options.SetOutputWriter(output)
 			require.NoError(t, Write(report, tt.options, tt.fromCache))
 
-			b, err := os.ReadFile(output)
-			require.NoError(t, err)
-
 			assert.Equal(t, "AWS", report.Provider)
 			assert.Equal(t, tt.options.AWSOptions.Account, report.AccountID)
 			assert.Equal(t, tt.options.AWSOptions.Region, report.Region)
 			assert.ElementsMatch(t, tt.options.AWSOptions.Services, report.ServicesInScope)
-			assert.Equal(t, tt.expected, strings.ReplaceAll(string(b), "\r\n", "\n"))
+			assert.Equal(t, tt.expected, strings.ReplaceAll(output.String(), "\r\n", "\n"))
 		})
 	}
 }

pkg/cloud/report/service_test.go

@@ -1,8 +1,7 @@
 package report
 
 import (
-	"os"
-	"path/filepath"
+	"bytes"
 	"testing"
 
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
@@ -317,22 +316,20 @@ Scan Overview for AWS Account
 				tt.options.AWSOptions.Services,
 			)
 
-			output := filepath.Join(t.TempDir(), "output")
-			tt.options.Output = output
+			output := bytes.NewBuffer(nil)
+			tt.options.SetOutputWriter(output)
 			require.NoError(t, Write(report, tt.options, tt.fromCache))
 
 			assert.Equal(t, "AWS", report.Provider)
 			assert.Equal(t, tt.options.AWSOptions.Account, report.AccountID)
 			assert.Equal(t, tt.options.AWSOptions.Region, report.Region)
 			assert.ElementsMatch(t, tt.options.AWSOptions.Services, report.ServicesInScope)
 
-			b, err := os.ReadFile(output)
-			require.NoError(t, err)
 			if tt.options.Format == "json" {
 				// json output can be formatted/ordered differently - we just care that the data matches
-				assert.JSONEq(t, tt.expected, string(b))
+				assert.JSONEq(t, tt.expected, output.String())
 			} else {
-				assert.Equal(t, tt.expected, string(b))
+				assert.Equal(t, tt.expected, output.String())
 			}
 		})
 	}

pkg/commands/app.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"sort"
 	"strings"
 	"time"
 
@@ -862,13 +863,14 @@ func NewModuleCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	scanFlags := flag.NewScanFlagGroup()
 	scanners := flag.ScannersFlag
-	scanners.Default = fmt.Sprintf( // overwrite the default value
-		"%s,%s,%s,%s",
+	// overwrite the default scanners
+	scanners.Values = xstrings.ToStringSlice(types.Scanners{
 		types.VulnerabilityScanner,
 		types.MisconfigScanner,
 		types.SecretScanner,
 		types.RBACScanner,
-	)
+	})
+	scanners.Default = scanners.Values
 	scanFlags.Scanners = &scanners
 	scanFlags.IncludeDevDeps = nil // disable '--include-dev-deps'
 
@@ -971,6 +973,7 @@ func NewAWSCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	}
 
 	services := awsScanner.AllSupportedServices()
+	sort.Strings(services)
 
 	cmd := &cobra.Command{
 		Use:     "aws [flags]",
@@ -981,6 +984,7 @@ func NewAWSCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		Long: fmt.Sprintf(`Scan an AWS account for misconfigurations. Trivy uses the same authentication methods as the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
 
 The following services are supported:
+
 - %s
 `, strings.Join(services, "\n- ")),
 		Example: `  # basic scanning

pkg/flag/kubernetes_flags.go

@@ -223,8 +223,8 @@ func optionToTolerations(tolerationsOptions []string) ([]corev1.Toleration, erro
 			if err != nil {
 				return nil, fmt.Errorf("TolerationSeconds must must be a number")
 			}
+			toleration.TolerationSeconds = lo.ToPtr(int64(tolerationSec))
 		}
-		toleration.TolerationSeconds = lo.ToPtr(int64(tolerationSec))
 		tolerations = append(tolerations, toleration)
 	}
 	return tolerations, nil

pkg/flag/kubernetes_flags_test.go

@@ -0,0 +1,51 @@
+package flag
+
+import (
+	"testing"
+
+	"github.com/samber/lo"
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestOptionToToleration(t *testing.T) {
+
+	tests := []struct {
+		name               string
+		tolerationsOptions []string
+		want               []corev1.Toleration
+	}{
+		{
+			name:               "no execute",
+			tolerationsOptions: []string{"key1=CriticalAddonsOnly:NoExecute:3600"},
+			want: []corev1.Toleration{
+				{
+					Key:               "key1",
+					Operator:          "Equal",
+					Value:             "CriticalAddonsOnly",
+					Effect:            "NoExecute",
+					TolerationSeconds: lo.ToPtr(int64(3600)),
+				},
+			},
+		},
+		{
+			name:               "no schedule",
+			tolerationsOptions: []string{"key1=CriticalAddonsOnly:NoSchedule"},
+			want: []corev1.Toleration{
+				{
+					Key:      "key1",
+					Operator: "Equal",
+					Value:    "CriticalAddonsOnly",
+					Effect:   "NoSchedule",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := optionToTolerations(tt.tolerationsOptions)
+			assert.NoError(t, err)
+			assert.Equal(t, got, tt.want)
+		})
+	}
+}

pkg/flag/options.go

@@ -20,7 +20,6 @@ import (
 	"github.com/aquasecurity/trivy/pkg/result"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/version"
-	xio "github.com/aquasecurity/trivy/pkg/x/io"
 	xstrings "github.com/aquasecurity/trivy/pkg/x/strings"
 )
 
@@ -114,6 +113,10 @@ type Options struct {
 
 	// We don't want to allow disabled analyzers to be passed by users, but it is necessary for internal use.
 	DisabledAnalyzers []analyzer.Type
+
+	// outputWriter is not initialized via the CLI.
+	// It is mainly used for testing purposes or by tools that use Trivy as a library.
+	outputWriter io.Writer
 }
 
 // Align takes consistency of options
@@ -159,17 +162,26 @@ func (o *Options) FilterOpts() result.FilterOption {
 	}
 }
 
+// SetOutputWriter sets an output writer.
+func (o *Options) SetOutputWriter(w io.Writer) {
+	o.outputWriter = w
+}
+
 // OutputWriter returns an output writer.
 // If the output file is not specified, it returns os.Stdout.
-func (o *Options) OutputWriter() (io.WriteCloser, error) {
+func (o *Options) OutputWriter() (io.Writer, func(), error) {
+	if o.outputWriter != nil {
+		return o.outputWriter, func() {}, nil
+	}
+
 	if o.Output != "" {
 		f, err := os.Create(o.Output)
 		if err != nil {
-			return nil, xerrors.Errorf("failed to create output file: %w", err)
+			return nil, nil, xerrors.Errorf("failed to create output file: %w", err)
 		}
-		return f, nil
+		return f, func() { _ = f.Close() }, nil
 	}
-	return xio.NopCloser(os.Stdout), nil
+	return os.Stdout, func() {}, nil
 }
 
 func addFlag(cmd *cobra.Command, flag *Flag) {

pkg/k8s/commands/run.go

@@ -95,11 +95,11 @@ func (r *runner) run(ctx context.Context, artifacts []*k8sArtifacts.Artifact) er
 		return xerrors.Errorf("k8s scan error: %w", err)
 	}
 
-	output, err := r.flagOpts.OutputWriter()
+	output, cleanup, err := r.flagOpts.OutputWriter()
 	if err != nil {
 		return xerrors.Errorf("failed to create output file: %w", err)
 	}
-	defer output.Close()
+	defer cleanup()
 
 	if r.flagOpts.Compliance.Spec.ID != "" {
 		var scanResults []types.Results

pkg/report/table/table.go

@@ -15,7 +15,6 @@ import (
 	"github.com/aquasecurity/tml"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/types"
-	xio "github.com/aquasecurity/trivy/pkg/x/io"
 )
 
 var (
@@ -137,7 +136,7 @@ func IsOutputToTerminal(output io.Writer) bool {
 		return false
 	}
 
-	if output != xio.NopCloser(os.Stdout) {
+	if output != os.Stdout {
 		return false
 	}
 	o, err := os.Stdout.Stat()