Allow restricting filesystem walk to specific folders

pkg/commands/app.go

@@ -632,6 +632,7 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 		// Enable only '--skip-dirs' and '--skip-files' and disable other flags
 		SkipDirs:     &flag.SkipDirsFlag,
 		SkipFiles:    &flag.SkipFilesFlag,
+		OnlyDirs:     &flag.OnlyDirsFlag,
 		FilePatterns: &flag.FilePatternsFlag,
 	}
 

pkg/commands/artifact/run.go

@@ -627,6 +627,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			DisabledAnalyzers: disabledAnalyzers(opts),
 			SkipFiles:         opts.SkipFiles,
 			SkipDirs:          opts.SkipDirs,
+			OnlyDirs:          opts.OnlyDirs,
 			FilePatterns:      opts.FilePatterns,
 			Offline:           opts.OfflineScan,
 			NoProgress:        opts.NoProgress || opts.Quiet,

pkg/fanal/artifact/artifact.go

@@ -16,6 +16,7 @@ type Option struct {
 	DisabledHandlers  []types.HandlerType
 	SkipFiles         []string
 	SkipDirs          []string
+	OnlyDirs          []string
 	FilePatterns      []string
 	NoProgress        bool
 	Insecure          bool
@@ -57,6 +58,7 @@ func (o *Option) Sort() {
 	sort.Strings(o.SkipFiles)
 	sort.Strings(o.SkipDirs)
 	sort.Strings(o.FilePatterns)
+	sort.Strings(o.OnlyDirs)
 }
 
 type Artifact interface {

pkg/fanal/artifact/image/image.go

@@ -75,7 +75,7 @@ func NewArtifact(img types.Image, c cache.ArtifactCache, opt artifact.Option) (a
 	return Artifact{
 		image:          img,
 		cache:          c,
-		walker:         walker.NewLayerTar(opt.SkipFiles, opt.SkipDirs, opt.Slow),
+		walker:         walker.NewLayerTar(opt.SkipFiles, opt.SkipDirs, opt.OnlyDirs, opt.Slow),
 		analyzer:       a,
 		configAnalyzer: ca,
 		handlerManager: handlerManager,

pkg/fanal/artifact/local/fs.go

@@ -55,7 +55,7 @@ func NewArtifact(rootPath string, c cache.ArtifactCache, opt artifact.Option) (a
 	return Artifact{
 		rootPath: filepath.ToSlash(filepath.Clean(rootPath)),
 		cache:    c,
-		walker: walker.NewFS(buildPathsToSkip(rootPath, opt.SkipFiles), buildPathsToSkip(rootPath, opt.SkipDirs),
+		walker: walker.NewFS(buildPathsToSkip(rootPath, opt.SkipFiles), buildPathsToSkip(rootPath, opt.SkipDirs), buildPathsToSkip(rootPath, opt.OnlyDirs),
 			opt.Slow, opt.WalkOption.ErrorCallback),
 		analyzer:       a,
 		handlerManager: handlerManager,

pkg/fanal/artifact/vm/vm.go

@@ -135,7 +135,7 @@ func NewArtifact(target string, c cache.ArtifactCache, opt artifact.Option) (art
 		cache:          c,
 		analyzer:       a,
 		handlerManager: handlerManager,
-		walker:         walker.NewVM(opt.SkipFiles, opt.SkipDirs, opt.Slow),
+		walker:         walker.NewVM(opt.SkipFiles, opt.SkipDirs, opt.OnlyDirs, opt.Slow),
 		artifactOption: opt,
 	}
 

pkg/fanal/cache/key.go

@@ -29,8 +29,9 @@ func CalcKey(id string, analyzerVersions analyzer.Versions, hookVersions map[str
 		HookVersions     map[string]int
 		SkipFiles        []string
 		SkipDirs         []string
+		OnlyDirs         []string
 		FilePatterns     []string `json:",omitempty"`
-	}{id, analyzerVersions, hookVersions, artifactOpt.SkipFiles, artifactOpt.SkipDirs, artifactOpt.FilePatterns}
+	}{id, analyzerVersions, hookVersions, artifactOpt.SkipFiles, artifactOpt.SkipDirs, artifactOpt.OnlyDirs, artifactOpt.FilePatterns}
 
 	if err := json.NewEncoder(h).Encode(keyBase); err != nil {
 		return "", xerrors.Errorf("json encode error: %w", err)

pkg/fanal/walker/fs.go

@@ -19,7 +19,7 @@ type FS struct {
 	errCallback ErrorCallback
 }
 
-func NewFS(skipFiles, skipDirs []string, slow bool, errCallback ErrorCallback) FS {
+func NewFS(skipFiles, skipDirs, onlyDirs []string, slow bool, errCallback ErrorCallback) FS {
 	if errCallback == nil {
 		errCallback = func(pathname string, err error) error {
 			// ignore permission errors
@@ -32,7 +32,7 @@ func NewFS(skipFiles, skipDirs []string, slow bool, errCallback ErrorCallback) F
 	}
 
 	return FS{
-		walker:      newWalker(skipFiles, skipDirs, slow),
+		walker:      newWalker(skipFiles, skipDirs, onlyDirs, slow),
 		errCallback: errCallback,
 	}
 }

pkg/fanal/walker/fs_test.go

@@ -18,6 +18,7 @@ func TestDir_Walk(t *testing.T) {
 	type fields struct {
 		skipFiles   []string
 		skipDirs    []string
+		onlyDirs    []string
 		errCallback walker.ErrorCallback
 	}
 	tests := []struct {
@@ -93,7 +94,7 @@ func TestDir_Walk(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			w := walker.NewFS(tt.fields.skipFiles, tt.fields.skipDirs, true, tt.fields.errCallback)
+			w := walker.NewFS(tt.fields.skipFiles, tt.fields.skipDirs, tt.fields.onlyDirs, true, tt.fields.errCallback)
 
 			err := w.Walk(tt.rootDir, tt.analyzeFn)
 			if tt.wantErr != "" {

pkg/fanal/walker/tar.go

@@ -25,14 +25,14 @@ type LayerTar struct {
 	threshold int64
 }
 
-func NewLayerTar(skipFiles, skipDirs []string, slow bool) LayerTar {
+func NewLayerTar(skipFiles, skipDirs, onlyDirs []string, slow bool) LayerTar {
 	threshold := defaultSizeThreshold
 	if slow {
 		threshold = slowSizeThreshold
 	}
 
 	return LayerTar{
-		walker:    newWalker(skipFiles, skipDirs, slow),
+		walker:    newWalker(skipFiles, skipDirs, onlyDirs, slow),
 		threshold: threshold,
 	}
 }

pkg/fanal/walker/tar_test.go

@@ -18,6 +18,7 @@ func TestLayerTar_Walk(t *testing.T) {
 	type fields struct {
 		skipFiles []string
 		skipDirs  []string
+		onlyDirs  []string
 	}
 	tests := []struct {
 		name        string
@@ -81,7 +82,7 @@ func TestLayerTar_Walk(t *testing.T) {
 			f, err := os.Open("testdata/test.tar")
 			require.NoError(t, err)
 
-			w := walker.NewLayerTar(tt.fields.skipFiles, tt.fields.skipDirs, true)
+			w := walker.NewLayerTar(tt.fields.skipFiles, tt.fields.skipDirs, tt.fields.onlyDirs, true)
 
 			gotOpqDirs, gotWhFiles, err := w.Walk(f, tt.analyzeFn)
 			if tt.wantErr != "" {

pkg/fanal/walker/vm.go

@@ -39,14 +39,14 @@ type VM struct {
 	analyzeFn WalkFunc
 }
 
-func NewVM(skipFiles, skipDirs []string, slow bool) VM {
+func NewVM(skipFiles, skipDirs, onlyDirs []string, slow bool) VM {
 	threshold := defaultSizeThreshold
 	if slow {
 		threshold = slowSizeThreshold
 	}
 
 	return VM{
-		walker:    newWalker(skipFiles, skipDirs, slow),
+		walker:    newWalker(skipFiles, skipDirs, onlyDirs, slow),
 		threshold: threshold,
 	}
 }

pkg/fanal/walker/walk.go

@@ -32,10 +32,11 @@ type WalkFunc func(filePath string, info os.FileInfo, opener analyzer.Opener) er
 type walker struct {
 	skipFiles []string
 	skipDirs  []string
+	onlyDirs  []string
 	slow      bool
 }
 
-func newWalker(skipFiles, skipDirs []string, slow bool) walker {
+func newWalker(skipFiles, skipDirs, onlyDirs []string, slow bool) walker {
 	var cleanSkipFiles, cleanSkipDirs []string
 	for _, skipFile := range skipFiles {
 		skipFile = filepath.ToSlash(filepath.Clean(skipFile))
@@ -49,9 +50,17 @@ func newWalker(skipFiles, skipDirs []string, slow bool) walker {
 		cleanSkipDirs = append(cleanSkipDirs, skipDir)
 	}
 
+	var cleanOnlyDirs []string
+	for _, onlyDir := range onlyDirs {
+		onlyDir = filepath.ToSlash(filepath.Clean(onlyDir))
+		onlyDir = strings.TrimLeft(onlyDir, "/")
+		cleanOnlyDirs = append(cleanOnlyDirs, onlyDir)
+	}
+
 	return walker{
 		skipFiles: cleanSkipFiles,
 		skipDirs:  cleanSkipDirs,
+		onlyDirs:  cleanOnlyDirs,
 		slow:      slow,
 	}
 }
@@ -91,5 +100,14 @@ func (w *walker) shouldSkipDir(dir string) bool {
 		}
 	}
 
+	if dir != "." && len(w.onlyDirs) > 0 {
+		for _, onlyDir := range w.onlyDirs {
+			if strings.HasPrefix(dir, onlyDir) || strings.HasPrefix(onlyDir, dir) {
+				return false
+			}
+		}
+		return true
+	}
+
 	return false
 }

pkg/flag/scan_flags.go

@@ -18,6 +18,12 @@ var (
 		Default:    []string{},
 		Usage:      "specify the files or glob patterns to skip",
 	}
+	OnlyDirsFlag = Flag{
+		Name:       "only-dirs",
+		ConfigName: "scan.only-dirs",
+		Default:    []string{},
+		Usage:      "specify the directories where the traversal is allowed",
+	}
 	OfflineScanFlag = Flag{
 		Name:       "offline-scan",
 		ConfigName: "scan.offline",
@@ -82,6 +88,7 @@ var (
 type ScanFlagGroup struct {
 	SkipDirs       *Flag
 	SkipFiles      *Flag
+	OnlyDirs       *Flag
 	OfflineScan    *Flag
 	Scanners       *Flag
 	FilePatterns   *Flag
@@ -95,6 +102,7 @@ type ScanOptions struct {
 	Target         string
 	SkipDirs       []string
 	SkipFiles      []string
+	OnlyDirs       []string
 	OfflineScan    bool
 	Scanners       types.Scanners
 	FilePatterns   []string
@@ -108,6 +116,7 @@ func NewScanFlagGroup() *ScanFlagGroup {
 	return &ScanFlagGroup{
 		SkipDirs:       &SkipDirsFlag,
 		SkipFiles:      &SkipFilesFlag,
+		OnlyDirs:       &OnlyDirsFlag,
 		OfflineScan:    &OfflineScanFlag,
 		Scanners:       &ScannersFlag,
 		FilePatterns:   &FilePatternsFlag,
@@ -126,6 +135,7 @@ func (f *ScanFlagGroup) Flags() []*Flag {
 	return []*Flag{
 		f.SkipDirs,
 		f.SkipFiles,
+		f.OnlyDirs,
 		f.OfflineScan,
 		f.Scanners,
 		f.FilePatterns,
@@ -146,6 +156,7 @@ func (f *ScanFlagGroup) ToOptions(args []string) (ScanOptions, error) {
 		Target:         target,
 		SkipDirs:       getStringSlice(f.SkipDirs),
 		SkipFiles:      getStringSlice(f.SkipFiles),
+		OnlyDirs:       getStringSlice(f.OnlyDirs),
 		OfflineScan:    getBool(f.OfflineScan),
 		Scanners:       getUnderlyingStringSlice[types.Scanner](f.Scanners),
 		FilePatterns:   getStringSlice(f.FilePatterns),

pkg/flag/scan_flags_test.go

@@ -15,6 +15,7 @@ func TestScanFlagGroup_ToOptions(t *testing.T) {
 	type fields struct {
 		skipDirs    []string
 		skipFiles   []string
+		onlyDirs    []string
 		offlineScan bool
 		scanners    string
 	}
@@ -111,13 +112,15 @@ func TestScanFlagGroup_ToOptions(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			viper.Set(flag.SkipDirsFlag.ConfigName, tt.fields.skipDirs)
 			viper.Set(flag.SkipFilesFlag.ConfigName, tt.fields.skipFiles)
+			viper.Set(flag.OnlyDirsFlag.ConfigName, tt.fields.onlyDirs)
 			viper.Set(flag.OfflineScanFlag.ConfigName, tt.fields.offlineScan)
 			viper.Set(flag.ScannersFlag.ConfigName, tt.fields.scanners)
 
 			// Assert options
 			f := &flag.ScanFlagGroup{
 				SkipDirs:    &flag.SkipDirsFlag,
 				SkipFiles:   &flag.SkipFilesFlag,
+				OnlyDirs:    &flag.OnlyDirsFlag,
 				OfflineScan: &flag.OfflineScanFlag,
 				Scanners:    &flag.ScannersFlag,
 			}