Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feature for better code integration as library #1

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feature for better code integration as library #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8a5655f
feature for better code integration as library
mms-gianni Dec 23, 2021
f27873e
respect ctx timeout in lib runs
mms-gianni Dec 24, 2021
6198d98
Merge branch 'main' into feature-trivy-library
mms-gianni Dec 28, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions pkg/commands/artifact/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,13 @@
package artifact

import (
"context"

"github.com/urfave/cli/v2"
"golang.org/x/xerrors"

"github.com/aquasecurity/fanal/analyzer"
pkgReport "github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/types"
)

Expand All @@ -28,3 +31,19 @@ func ConfigRun(ctx *cli.Context) error {
// Run filesystem command internally
return Run(ctx.Context, opt, filesystemScanner, initFSCache)
}

func ConfigRunLib(ctx context.Context, opt Option) (pkgReport.Report, error) {

// Disable OS and language analyzers
opt.DisabledAnalyzers = append(analyzer.TypeOSes, analyzer.TypeLanguages...)

// Scan only config files
opt.VulnType = nil
opt.SecurityChecks = []string{types.SecurityCheckConfig}

// Skip downloading vulnerability DB
opt.SkipDBUpdate = true

// Run filesystem command internally
return RunLib(ctx, opt, filesystemScanner, initFSCache)
}
17 changes: 17 additions & 0 deletions pkg/commands/artifact/fs.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (
"github.com/aquasecurity/fanal/analyzer/config"
"github.com/aquasecurity/fanal/artifact"
"github.com/aquasecurity/fanal/cache"
pkgReport "github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/scanner"
)

Expand All @@ -36,6 +37,14 @@ func FilesystemRun(ctx *cli.Context) error {
return Run(ctx.Context, opt, filesystemScanner, initFSCache)
}

func FilesystemRunLib(ctx context.Context, opt Option) (pkgReport.Report, error) {

// Disable the individual package scanning
opt.DisabledAnalyzers = analyzer.TypeIndividualPkgs

return RunLib(ctx, opt, filesystemScanner, initFSCache)
}

// RootfsRun runs scan on rootfs.
func RootfsRun(ctx *cli.Context) error {
opt, err := initOption(ctx)
Expand All @@ -48,3 +57,11 @@ func RootfsRun(ctx *cli.Context) error {

return Run(ctx.Context, opt, filesystemScanner, initFSCache)
}

func RootfsRunLib(ctx context.Context, opt Option) (pkgReport.Report, error) {

// Disable the lock file scanning
opt.DisabledAnalyzers = analyzer.TypeLockfiles

return RunLib(ctx, opt, filesystemScanner, initFSCache)
}
15 changes: 15 additions & 0 deletions pkg/commands/artifact/image.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (
"github.com/aquasecurity/fanal/analyzer/config"
"github.com/aquasecurity/fanal/artifact"
"github.com/aquasecurity/fanal/cache"
pkgReport "github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/scanner"
)

Expand Down Expand Up @@ -49,3 +50,17 @@ func ImageRun(ctx *cli.Context) error {

return Run(ctx.Context, opt, dockerScanner, initFSCache)
}

// ImageRunLib use trivy as a library
func ImageRunLib(ctx context.Context, opt Option) (pkgReport.Report, error) {

// Disable the lock file scanning
opt.DisabledAnalyzers = analyzer.TypeLockfiles

if opt.Input != "" {
// scan tar file
return RunLib(ctx, opt, archiveScanner, initFSCache)
}

return RunLib(ctx, opt, dockerScanner, initFSCache)
}
12 changes: 12 additions & 0 deletions pkg/commands/artifact/repository.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (
"github.com/aquasecurity/fanal/analyzer/config"
"github.com/aquasecurity/fanal/artifact"
"github.com/aquasecurity/fanal/cache"
pkgReport "github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/scanner"
"github.com/aquasecurity/trivy/pkg/types"
)
Expand Down Expand Up @@ -39,3 +40,14 @@ func RepositoryRun(ctx *cli.Context) error {

return Run(ctx.Context, opt, repositoryScanner, initFSCache)
}

func RepositoryRunLib(ctx context.Context, opt Option) (pkgReport.Report, error) {

// Do not scan OS packages
opt.VulnType = []string{types.VulnTypeLibrary}

// Disable the OS analyzers and individual package analyzers
opt.DisabledAnalyzers = append(analyzer.TypeIndividualPkgs, analyzer.TypeOSes...)

return RunLib(ctx, opt, repositoryScanner, initFSCache)
}
33 changes: 24 additions & 9 deletions pkg/commands/artifact/run.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,39 +41,54 @@ func Run(ctx context.Context, opt Option, initializeScanner InitializeScanner, i
return runWithTimeout(ctx, opt, initializeScanner, initCache)
}

// Run performs artifact scanning as library
func RunLib(ctx context.Context, opt Option, initializeScanner InitializeScanner, initCache InitCache) (pkgReport.Report, error) {
ctx, cancel := context.WithTimeout(ctx, opt.Timeout)
defer cancel()

return run(ctx, opt, initializeScanner, initCache)
}

func runWithTimeout(ctx context.Context, opt Option, initializeScanner InitializeScanner, initCache InitCache) error {
_, err := run(ctx, opt, initializeScanner, initCache)
return err
}

func run(ctx context.Context, opt Option, initializeScanner InitializeScanner, initCache InitCache) (pkgReport.Report, error) {

emptyReport := pkgReport.Report{}
if err := log.InitLogger(opt.Debug, opt.Quiet); err != nil {
return err
return emptyReport, err
}

cacheClient, err := initCache(opt)
if err != nil {
if errors.Is(err, errSkipScan) {
return nil
return emptyReport, nil
}
return xerrors.Errorf("cache error: %w", err)
return emptyReport, xerrors.Errorf("cache error: %w", err)
}
defer cacheClient.Close()

// When scanning config files, it doesn't need to download the vulnerability database.
if utils.StringInSlice(types.SecurityCheckVulnerability, opt.SecurityChecks) {
if err = initDB(opt); err != nil {
if errors.Is(err, errSkipScan) {
return nil
return emptyReport, nil
}
return xerrors.Errorf("DB error: %w", err)
return emptyReport, xerrors.Errorf("DB error: %w", err)
}
defer db.Close()
}

report, err := scan(ctx, opt, initializeScanner, cacheClient)
if err != nil {
return xerrors.Errorf("scan error: %w", err)
return emptyReport, xerrors.Errorf("scan error: %w", err)
}

report, err = filter(ctx, opt, report)
if err != nil {
return xerrors.Errorf("filter error: %w", err)
return emptyReport, xerrors.Errorf("filter error: %w", err)
}

if err = pkgReport.Write(report, pkgReport.Option{
Expand All @@ -85,12 +100,12 @@ func runWithTimeout(ctx context.Context, opt Option, initializeScanner Initializ
IncludeNonFailures: opt.IncludeNonFailures,
Trace: opt.Trace,
}); err != nil {
return xerrors.Errorf("unable to write results: %w", err)
return emptyReport, xerrors.Errorf("unable to write results: %w", err)
}

exit(opt, report.Results)

return nil
return report, nil
}

func initFSCache(c Option) (cache.Cache, error) {
Expand Down