feat: allow restricting filesystem walk to specific folders
lebauce committed Nov 1, 2023
1 parent e2fb3dd commit 75aabe4
Showing 24 changed files with 173 additions and 15 deletions.
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_config.md
Expand Up @@ -29,6 +29,7 @@ trivy config [flags] DIR
--include-non-failures include successes and exceptions, available with '--scanners config'
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--only-dirs strings specify the directories where the traversal is allowed
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
Expand Up @@ -53,6 +53,7 @@ trivy filesystem [flags] PATH
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
--only-dirs strings specify the directories where the traversal is allowed
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_image.md
Expand Up @@ -72,6 +72,7 @@ trivy image [flags] IMAGE_NAME
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
--only-dirs strings specify the directories where the traversal is allowed
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--platform string set platform in the form os/arch if image is multi-platform capable
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Expand Up @@ -64,6 +64,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--no-progress suppress progress bar
--node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
--offline-scan do not issue API requests to identify dependencies
--only-dirs strings specify the directories where the traversal is allowed
-o, --output string output file name
--parallel int number (between 1-20) of goroutines enabled for parallel scanning (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_repository.md
Expand Up @@ -53,6 +53,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
--only-dirs strings specify the directories where the traversal is allowed
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
Expand Up @@ -55,6 +55,7 @@ trivy rootfs [flags] ROOTDIR
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
--only-dirs strings specify the directories where the traversal is allowed
-o, --output string output file name
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_sbom.md
Expand Up @@ -41,6 +41,7 @@ trivy sbom [flags] SBOM_PATH
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
--only-dirs strings specify the directories where the traversal is allowed
-o, --output string output file name
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_vm.md
Expand Up @@ -50,6 +50,7 @@ trivy vm [flags] VM_IMAGE
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
--only-dirs strings specify the directories where the traversal is allowed
-o, --output string output file name
--policy-bundle-repository string OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/defsec:0")
--redis-ca string redis ca file location, if using redis as cache backend
1 change: 1 addition & 0 deletions pkg/commands/app.go
Expand Up @@ -632,6 +632,7 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
// Enable only '--skip-dirs' and '--skip-files' and disable other flags
SkipDirs: &flag.SkipDirsFlag,
SkipFiles: &flag.SkipFilesFlag,
OnlyDirs: &flag.OnlyDirsFlag,
FilePatterns: &flag.FilePatternsFlag,
}

1 change: 1 addition & 0 deletions pkg/commands/artifact/run.go
Expand Up @@ -627,6 +627,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
DisabledAnalyzers: disabledAnalyzers(opts),
SkipFiles: opts.SkipFiles,
SkipDirs: opts.SkipDirs,
OnlyDirs: opts.OnlyDirs,
FilePatterns: opts.FilePatterns,
Offline: opts.OfflineScan,
NoProgress: opts.NoProgress || opts.Quiet,
2 changes: 2 additions & 0 deletions pkg/fanal/artifact/artifact.go
Expand Up @@ -16,6 +16,7 @@ type Option struct {
DisabledHandlers []types.HandlerType
SkipFiles []string
SkipDirs []string
OnlyDirs []string
FilePatterns []string
NoProgress bool
Insecure bool
Expand Down Expand Up @@ -57,6 +58,7 @@ func (o *Option) Sort() {
sort.Strings(o.SkipFiles)
sort.Strings(o.SkipDirs)
sort.Strings(o.FilePatterns)
sort.Strings(o.OnlyDirs)
}

type Artifact interface {
2 changes: 1 addition & 1 deletion pkg/fanal/artifact/image/image.go
Expand Up @@ -75,7 +75,7 @@ func NewArtifact(img types.Image, c cache.ArtifactCache, opt artifact.Option) (a
return Artifact{
image: img,
cache: c,
walker: walker.NewLayerTar(opt.SkipFiles, opt.SkipDirs, opt.Slow),
walker: walker.NewLayerTar(opt.SkipFiles, opt.SkipDirs, opt.OnlyDirs, opt.Slow),
analyzer: a,
configAnalyzer: ca,
handlerManager: handlerManager,
2 changes: 1 addition & 1 deletion pkg/fanal/artifact/local/fs.go
Expand Up @@ -55,7 +55,7 @@ func NewArtifact(rootPath string, c cache.ArtifactCache, opt artifact.Option) (a
return Artifact{
rootPath: filepath.ToSlash(filepath.Clean(rootPath)),
cache: c,
walker: walker.NewFS(buildPathsToSkip(rootPath, opt.SkipFiles), buildPathsToSkip(rootPath, opt.SkipDirs),
walker: walker.NewFS(buildPathsToSkip(rootPath, opt.SkipFiles), buildPathsToSkip(rootPath, opt.SkipDirs), buildPathsToSkip(rootPath, opt.OnlyDirs),
opt.Slow, opt.WalkOption.ErrorCallback),
analyzer: a,
handlerManager: handlerManager,
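Review bot: `buildPathsToSkip(rootPath, opt.OnlyDirs)` on the new walker.NewFS line reuses a helper whose name says it produces paths to skip, while here its output is an allow-list; the next reader of NewArtifact will assume the wrong polarity. A rename to something neutral such as `buildPaths`, or a one-line comment on the call (`// only-dirs are resolved against rootPath the same way as skip paths`), would make the intent clear. Whether the helper's normalisation is also right for allow patterns cannot be judged from this hunk, since its body is outside it.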
2 changes: 1 addition & 1 deletion pkg/fanal/artifact/vm/vm.go
Expand Up @@ -135,7 +135,7 @@ func NewArtifact(target string, c cache.ArtifactCache, opt artifact.Option) (art
cache: c,
analyzer: a,
handlerManager: handlerManager,
walker: walker.NewVM(opt.SkipFiles, opt.SkipDirs, opt.Slow),
walker: walker.NewVM(opt.SkipFiles, opt.SkipDirs, opt.OnlyDirs, opt.Slow),
artifactOption: opt,
}

3 changes: 2 additions & 1 deletion pkg/fanal/cache/key.go
Expand Up @@ -29,8 +29,9 @@ func CalcKey(id string, analyzerVersions analyzer.Versions, hookVersions map[str
HookVersions map[string]int
SkipFiles []string
SkipDirs []string
OnlyDirs []string `json:",omitempty"`
FilePatterns []string `json:",omitempty"`
}{id, analyzerVersions, hookVersions, artifactOpt.SkipFiles, artifactOpt.SkipDirs, artifactOpt.FilePatterns}
}{id, analyzerVersions, hookVersions, artifactOpt.SkipFiles, artifactOpt.SkipDirs, artifactOpt.OnlyDirs, artifactOpt.FilePatterns}

if err := json.NewEncoder(h).Encode(keyBase); err != nil {
return "", xerrors.Errorf("json encode error: %w", err)
4 changes: 2 additions & 2 deletions pkg/fanal/walker/fs.go
Expand Up @@ -19,7 +19,7 @@ type FS struct {
errCallback ErrorCallback
}

func NewFS(skipFiles, skipDirs []string, slow bool, errCallback ErrorCallback) FS {
func NewFS(skipFiles, skipDirs, onlyDirs []string, slow bool, errCallback ErrorCallback) FS {
if errCallback == nil {
errCallback = func(pathname string, err error) error {
// ignore permission errors
Expand All @@ -32,7 +32,7 @@ func NewFS(skipFiles, skipDirs []string, slow bool, errCallback ErrorCallback) F
}

return FS{
walker: newWalker(skipFiles, skipDirs, slow),
walker: newWalker(skipFiles, skipDirs, onlyDirs, slow),
errCallback: errCallback,
}
}
3 changes: 2 additions & 1 deletion pkg/fanal/walker/fs_test.go
Expand Up @@ -18,6 +18,7 @@ func TestDir_Walk(t *testing.T) {
type fields struct {
skipFiles []string
skipDirs []string
onlyDirs []string
errCallback walker.ErrorCallback
}
tests := []struct {
Expand Down Expand Up @@ -93,7 +94,7 @@ func TestDir_Walk(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
w := walker.NewFS(tt.fields.skipFiles, tt.fields.skipDirs, true, tt.fields.errCallback)
w := walker.NewFS(tt.fields.skipFiles, tt.fields.skipDirs, tt.fields.onlyDirs, true, tt.fields.errCallback)

err := w.Walk(tt.rootDir, tt.analyzeFn)
if tt.wantErr != "" {
4 changes: 2 additions & 2 deletions pkg/fanal/walker/tar.go
Expand Up @@ -25,14 +25,14 @@ type LayerTar struct {
threshold int64
}

func NewLayerTar(skipFiles, skipDirs []string, slow bool) LayerTar {
func NewLayerTar(skipFiles, skipDirs, onlyDirs []string, slow bool) LayerTar {
threshold := defaultSizeThreshold
if slow {
threshold = slowSizeThreshold
}

return LayerTar{
walker: newWalker(skipFiles, skipDirs, slow),
walker: newWalker(skipFiles, skipDirs, onlyDirs, slow),
threshold: threshold,
}
}
3 changes: 2 additions & 1 deletion pkg/fanal/walker/tar_test.go
Expand Up @@ -18,6 +18,7 @@ func TestLayerTar_Walk(t *testing.T) {
type fields struct {
skipFiles []string
skipDirs []string
onlyDirs []string
}
tests := []struct {
name string
Expand Down Expand Up @@ -81,7 +82,7 @@ func TestLayerTar_Walk(t *testing.T) {
f, err := os.Open("testdata/test.tar")
require.NoError(t, err)

w := walker.NewLayerTar(tt.fields.skipFiles, tt.fields.skipDirs, true)
w := walker.NewLayerTar(tt.fields.skipFiles, tt.fields.skipDirs, tt.fields.onlyDirs, true)

gotOpqDirs, gotWhFiles, err := w.Walk(f, tt.analyzeFn)
if tt.wantErr != "" {
4 changes: 2 additions & 2 deletions pkg/fanal/walker/vm.go
Expand Up @@ -39,14 +39,14 @@ type VM struct {
analyzeFn WalkFunc
}

func NewVM(skipFiles, skipDirs []string, slow bool) VM {
func NewVM(skipFiles, skipDirs, onlyDirs []string, slow bool) VM {
threshold := defaultSizeThreshold
if slow {
threshold = slowSizeThreshold
}

return VM{
walker: newWalker(skipFiles, skipDirs, slow),
walker: newWalker(skipFiles, skipDirs, onlyDirs, slow),
threshold: threshold,
}
}
23 changes: 22 additions & 1 deletion pkg/fanal/walker/walk.go
Expand Up @@ -32,10 +32,11 @@ type WalkFunc func(filePath string, info os.FileInfo, opener analyzer.Opener) er
type walker struct {
skipFiles []string
skipDirs []string
onlyDirs []string
slow bool
}

func newWalker(skipFiles, skipDirs []string, slow bool) walker {
func newWalker(skipFiles, skipDirs, onlyDirs []string, slow bool) walker {
var cleanSkipFiles, cleanSkipDirs []string
for _, skipFile := range skipFiles {
skipFile = filepath.ToSlash(filepath.Clean(skipFile))
Expand All @@ -49,9 +50,17 @@ func newWalker(skipFiles, skipDirs []string, slow bool) walker {
cleanSkipDirs = append(cleanSkipDirs, skipDir)
}

var cleanOnlyDirs []string
for _, onlyDir := range onlyDirs {
onlyDir = filepath.ToSlash(filepath.Clean(onlyDir))
onlyDir = strings.TrimLeft(onlyDir, "/")
cleanOnlyDirs = append(cleanOnlyDirs, onlyDir)
}

return walker{
skipFiles: cleanSkipFiles,
skipDirs: cleanSkipDirs,
onlyDirs: cleanOnlyDirs,
slow: slow,
}
}
Expand Down Expand Up @@ -91,5 +100,17 @@ func (w *walker) shouldSkipDir(dir string) bool {
}
}

if dir != "." && len(w.onlyDirs) > 0 {
for _, onlyDir := range w.onlyDirs {
match, err := doublestar.Match(onlyDir, dir)
if err != nil {
return false // return early if bad pattern
} else if match {
return false
}
}
return true
}

return false
}
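Review bot: The only-dirs block added to shouldSkipDir prunes the ancestors of an allowed directory: with `--only-dirs /etc/foo/*` the walk reaches `etc` first, no pattern matches it, the function returns true and, if the caller prunes on that result (the caller is outside this hunk), `etc/foo/bar` is never visited; the `/etc/foo/*` case in Test_onlyDir only checks the leaf paths, so the tests do not catch it. A directory should be walked when it matches a pattern or when the pattern truncated to the directory's depth matches it, as in the rewrite below (still conservative for patterns with components after a `**`, which need their own ancestor rule). The error branch also fails open: an unparsable allow pattern returns false and silently widens the walk to every directory, so it should `continue` to the next pattern (and the flag should reject bad patterns when parsed) rather than disable the restriction. The three normalisation loops in newWalker are now identical and could share one helper.
```go
	if dir != "." && len(w.onlyDirs) > 0 {
		// Walk dir when it matches a pattern or is an ancestor of one:
		// the pattern cut down to dir's depth must match dir.
		depth := strings.Count(dir, "/") + 1
		for _, onlyDir := range w.onlyDirs {
			parts := strings.SplitN(onlyDir, "/", depth+1)
			if len(parts) > depth {
				parts = parts[:depth]
			}
			match, err := doublestar.Match(strings.Join(parts, "/"), dir)
			if err != nil {
				continue // an unparsable allow pattern must not widen the walk
			}
			if match {
				return false
			}
		}
		return true
	}

	return false
}
```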
112 changes: 110 additions & 2 deletions pkg/fanal/walker/walk_test.go
Expand Up @@ -54,7 +54,7 @@ func Test_shouldSkipFile(t *testing.T) {

for i, tc := range testCases {
t.Run(fmt.Sprint(i), func(t *testing.T) {
w := newWalker(tc.skipFiles, nil, false)
w := newWalker(tc.skipFiles, nil, nil, false)
for file, skipResult := range tc.skipMap {
assert.Equal(t, skipResult, w.shouldSkipFile(filepath.ToSlash(filepath.Clean(file))), fmt.Sprintf("skipFiles: %s, file: %s", tc.skipFiles, file))
}
Expand Down Expand Up @@ -115,7 +115,115 @@ func Test_shouldSkipDir(t *testing.T) {

for i, tc := range testCases {
t.Run(fmt.Sprint(i), func(t *testing.T) {
w := newWalker(nil, tc.skipDirs, false)
w := newWalker(nil, tc.skipDirs, nil, false)
for dir, skipResult := range tc.skipMap {
assert.Equal(t, skipResult, w.shouldSkipDir(filepath.ToSlash(filepath.Clean(dir))), fmt.Sprintf("skipDirs: %s, dir: %s", tc.skipDirs, dir))
}
})
}
}

func Test_onlyDir(t *testing.T) {
testCases := []struct {
skipDirs []string
onlyDirs []string
skipMap map[string]bool
}{
{
skipDirs: nil,
onlyDirs: []string{"/etc/**"},
skipMap: map[string]bool{
"/etc/foo": false,
"/etc/foo/bar": false,
"/var/log/bar": true,
},
},
{
skipDirs: nil,
onlyDirs: []string{"/**"},
skipMap: map[string]bool{
"/etc": false,
"/etc/foo": false,
"/var/log/bar": false,
},
},
{
skipDirs: nil,
onlyDirs: []string{"/*"},
skipMap: map[string]bool{
"/etc": false,
"/etc/foo": true,
},
},
{
skipDirs: nil,
onlyDirs: []string{"/etc/foo/*"},
skipMap: map[string]bool{
"/etc/foo/bar": false,
"/etc/foo2/bar": true,
},
},
{
skipDirs: nil,
onlyDirs: []string{"/etc/**"},
skipMap: map[string]bool{
"/etc/foo/bar": false,
"/etc/foo2/bar": false,
},
},
{
skipDirs: []string{"/etc/foo2/*"},
onlyDirs: []string{"/etc/**"},
skipMap: map[string]bool{
"/etc/foo/bar": false,
"/etc/foo2/bar": true,
},
},
{
skipDirs: []string{"/etc/foo2/*"},
onlyDirs: []string{"/etc/*/bar"},
skipMap: map[string]bool{
"/etc/foo/bar": false,
"/etc/foo2/bar": true,
},
},
{
onlyDirs: []string{"/*/foo/*"},
skipMap: map[string]bool{
"/etc/foo/bar": false,
"/etc/foo2/bar": true,
},
},
{
skipDirs: []string{"/etc/foo/*"},
onlyDirs: []string{"/*/foo/*"},
skipMap: map[string]bool{
"/etc/foo/bar": true,
"/var/foo/bar": false,
"/etc/foo2/bar": true,
},
},
{
onlyDirs: []string{"/etc"},
skipMap: map[string]bool{
"/etc": false,
"/etc/foo/bar": true,
},
},
{
onlyDirs: []string{"/etc/**"},
skipMap: map[string]bool{
"/etc": false,
"/etc/foo": false,
"/etc/foo/bar": false,
"/var/foo/var": true,
},
},
}

for i, tc := range testCases {
t.Run(fmt.Sprint(i), func(t *testing.T) {
w := newWalker(nil, tc.skipDirs, tc.onlyDirs, false)
for dir, skipResult := range tc.skipMap {
assert.Equal(t, skipResult, w.shouldSkipDir(filepath.ToSlash(filepath.Clean(dir))), fmt.Sprintf("skipDirs: %s, dir: %s", tc.skipDirs, dir))
}
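Review bot: The failure message in Test_onlyDir's loop was copied from Test_shouldSkipDir and reports only skipDirs, so when a case fails the pattern actually under test is not printed; change it to `fmt.Sprintf("skipDirs: %s, onlyDirs: %s, dir: %s", tc.skipDirs, tc.onlyDirs, dir)`. A `name` field on the table entries, as TestDir_Walk already uses, would also make the numeric subtest names readable. The closing of the loop and function lies past the end of this hunk.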