Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(purl): skip unsupported library type #4577

Merged
merged 3 commits into from
Jun 8, 2023
Merged

fix(purl): skip unsupported library type #4577

merged 3 commits into from
Jun 8, 2023

Conversation

nikpivkin
Copy link
Contributor

@nikpivkin nikpivkin commented Jun 7, 2023
edited
Loading

Description

I think we can skip dependency detection for an unsupported library type, rather than throwing an error and stopping scanning.

Before:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.42.0 image docker.io/bitnami/rabbitmq:3.11.17-debian-11-r2 --debug
2023-06-07T06:22:02.716Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-07T06:22:02.718Z	DEBUG	cache dir:  /root/.cache/trivy
2023-06-07T06:22:02.719Z	DEBUG	DB update was skipped because the local DB is the latest
2023-06-07T06:22:02.719Z	DEBUG	DB Schema: 2, UpdatedAt: 2023-06-07 06:07:05.537434966 +0000 UTC, NextUpdate: 2023-06-07 12:07:05.537434566 +0000 UTC, DownloadedAt: 2023-06-07 06:22:00.465958296 +0000 UTC
2023-06-07T06:22:02.719Z	INFO	Vulnerability scanning is enabled
2023-06-07T06:22:02.719Z	DEBUG	Vulnerability type:  [os library]
2023-06-07T06:22:02.719Z	INFO	Secret scanning is enabled
2023-06-07T06:22:02.719Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-07T06:22:02.719Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-07T06:22:02.725Z	DEBUG	No secret config detected: trivy-secret.yaml
2023-06-07T06:22:02.726Z	DEBUG	Image ID: sha256:c380a14b64f7d96b1a66f20f372ed0f4005ac6fe9295a7d66ec6d0a849d58fb9
2023-06-07T06:22:02.726Z	DEBUG	Diff IDs: [sha256:bd543f134be8b19df8d7f3fe385989200bd3dfac2ea09f8781f3c4c234dc754c]
2023-06-07T06:22:02.726Z	DEBUG	Base Layers: []
2023-06-07T06:22:02.730Z	INFO	Detected OS: debian
2023-06-07T06:22:02.730Z	INFO	Detecting Debian vulnerabilities...
2023-06-07T06:22:02.731Z	DEBUG	debian: os version: 11
2023-06-07T06:22:02.731Z	DEBUG	debian: the number of packages: 111
2023-06-07T06:22:02.741Z	INFO	Number of language-specific files: 1
2023-06-07T06:22:02.741Z	INFO	Detecting bitnami vulnerabilities...
2023-06-07T06:22:02.741Z	DEBUG	Detecting library vulnerabilities, type: bitnami, path: opt/bitnami/rabbitmq/bin/rabbitmq
2023-06-07T06:22:02.741Z	FATAL	image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:426
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:268
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:683
  - scan failed:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:154
  - failed to detect vulnerabilities:
    github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.Scan
        /home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:102
  - failed to scan application libraries:
    github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.scanVulnerabilities
        /home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:189
  - failed vulnerability detection of libraries:
    github.com/aquasecurity/trivy/pkg/scanner/langpkg.(*scanner).Scan
        /home/runner/work/trivy/trivy/pkg/scanner/langpkg/scan.go:80
  - failed to initialize a driver:
    github.com/aquasecurity/trivy/pkg/detector/library.Detect
        /home/runner/work/trivy/trivy/pkg/detector/library/detect.go:19
  - unsupported type bitnami:
    github.com/aquasecurity/trivy/pkg/detector/library.NewDriver
        /home/runner/work/trivy/trivy/pkg/detector/library/driver.go:72

After:

2023-06-07T12:23:37.512+0600	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-07T12:23:37.527+0600	DEBUG	cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-06-07T12:23:37.527+0600	DEBUG	DB update was skipped because the local DB is the latest
2023-06-07T12:23:37.527+0600	DEBUG	DB Schema: 2, UpdatedAt: 2023-06-07 06:07:05.537434966 +0000 UTC, NextUpdate: 2023-06-07 12:07:05.537434566 +0000 UTC, DownloadedAt: 2023-06-07 06:22:00.465958296 +0000 UTC
2023-06-07T12:23:37.527+0600	INFO	Vulnerability scanning is enabled
2023-06-07T12:23:37.527+0600	DEBUG	Vulnerability type:  [os library]
2023-06-07T12:23:37.527+0600	INFO	Secret scanning is enabled
2023-06-07T12:23:37.527+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-07T12:23:37.527+0600	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2023-06-07T12:23:37.559+0600	DEBUG	No secret config detected: trivy-secret.yaml
2023-06-07T12:23:37.559+0600	DEBUG	Image ID: sha256:c380a14b64f7d96b1a66f20f372ed0f4005ac6fe9295a7d66ec6d0a849d58fb9
2023-06-07T12:23:37.559+0600	DEBUG	Diff IDs: [sha256:bd543f134be8b19df8d7f3fe385989200bd3dfac2ea09f8781f3c4c234dc754c]
2023-06-07T12:23:37.559+0600	DEBUG	Base Layers: []
2023-06-07T12:23:37.566+0600	INFO	Detected OS: debian
2023-06-07T12:23:37.566+0600	INFO	Detecting Debian vulnerabilities...
2023-06-07T12:23:37.566+0600	DEBUG	debian: os version: 11
2023-06-07T12:23:37.566+0600	DEBUG	debian: the number of packages: 111
2023-06-07T12:23:37.587+0600	INFO	Number of language-specific files: 1
2023-06-07T12:23:37.587+0600	INFO	Detecting bitnami vulnerabilities...
2023-06-07T12:23:37.587+0600	DEBUG	Detecting library vulnerabilities, type: bitnami, path: opt/bitnami/rabbitmq/bin/rabbitmq
2023-06-07T12:23:37.587+0600	WARN	The bitnami library type is not supported. Skipping vulnerability detection

docker.io/bitnami/rabbitmq:3.11.17-debian-11-r2 (debian 11.7)
=============================================================
Total: 119 (UNKNOWN: 0, LOW: 85, MEDIUM: 6, HIGH: 23, CRITICAL: 5)
....

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

afdesk
afdesk requested changes Jun 7, 2023
View reviewed changes
pkg/detector/library/detect.go Outdated
@@ -13,7 +13,7 @@ import (
func Detect(libType string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
driver, err := NewDriver(libType)
if err != nil {
if errors.Is(err, ErrSBOMSupportOnly) {
if errors.Is(err, ErrSBOMSupportOnly) || errors.Is(err, ErrUnsupportedType) {
return nil, nil
}
return nil, xerrors.Errorf("failed to initialize a driver: %w", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this code is unreachable now, because NewDriver can return either ErrSBOMSupportOnly or ErrUnsupportedType.
so we have to change this statement.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@nikpivkin nikpivkin requested a review from afdesk June 7, 2023 07:16
@afdesk afdesk marked this pull request as ready for review June 7, 2023 07:55
@afdesk afdesk requested a review from knqyf263 as a code owner June 7, 2023 07:55
@knqyf263 knqyf263 requested a review from tonaim June 7, 2023 09:09
@knqyf263 knqyf263 merged commit c20d466 into aquasecurity:main Jun 8, 2023
@nikpivkin nikpivkin deleted the fix/skip-unsupported-type branch June 16, 2023 09:23
AnaisUrlichs pushed a commit to AnaisUrlichs/trivy that referenced this pull request Aug 10, 2023
@nikpivkin @AnaisUrlichs
fix(purl): skip unsupported library type (aquasecurity#4577)
8d24400
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

@afdesk afdesk afdesk approved these changes

@tonaim tonaim Awaiting requested review from tonaim

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Trivy 0.42.0 crashes with "unsupported type bitnami" message SBOM scan: unsupported type github
3 participants
@nikpivkin @knqyf263 @afdesk