
fix: Fix --file-patterns flag
Resolves #774

Signed-off-by: Liam Galvin <liam.galvin@aquasec.com>
liamg committed Jul 29, 2022
1 parent c2a7ad5 commit 893b639
Showing 4 changed files with 86 additions and 1 deletion.
17 changes: 17 additions & 0 deletions integration/fs_test.go
Expand Up @@ -23,6 +23,7 @@ func TestFilesystem(t *testing.T) {
listAllPkgs bool
input string
secretConfig string
filePatterns []string
}
tests := []struct {
name string
Expand Down Expand Up @@ -79,6 +80,16 @@ func TestFilesystem(t *testing.T) {
},
golden: "testdata/dockerfile.json.golden",
},
{
name: "dockerfile with custom file pattern",
args: args{
securityChecks: "config",
input: "testdata/fixtures/fs/dockerfile_file_pattern",
namespaces: []string{"testing"},
filePatterns: []string{"dockerfile:Customfile"},
},
golden: "testdata/dockerfile_file_pattern.json.golden",
},
{
name: "dockerfile with rule exception",
args: args{
Expand Down Expand Up @@ -178,6 +189,12 @@ func TestFilesystem(t *testing.T) {
defer os.Remove(trivyIgnore)
}

if len(tt.args.filePatterns) != 0 {
for _, filePattern := range tt.args.filePatterns {
osArgs = append(osArgs, "--file-patterns", filePattern)
}
}

// Setup the output file
outputFile := filepath.Join(t.TempDir(), "output.json")
if *update {
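Review bot: The `if len(tt.args.filePatterns) != 0` guard around the loop in the third hunk is redundant, since ranging over a nil or empty slice runs zero iterations; keep just `for _, filePattern := range tt.args.filePatterns { osArgs = append(osArgs, "--file-patterns", filePattern) }` and drop the outer if. This is a style point only; the case added in the second hunk does exercise the flag end to end against the new golden file. TestFilesystem starts and ends outside the hunks.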
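--- a/integration/testdata/dockerfile_file_pattern.json.golden
+++ b/integration/testdata/dockerfile_file_pattern.json.golden
@@ -0,0 +1,56 @@
+{
+"SchemaVersion": 2,
+"ArtifactName": "testdata/fixtures/fs/dockerfile_file_pattern",
+"ArtifactType": "filesystem",
+"Metadata": {
+"ImageConfig": {
+"architecture": "",
+"created": "0001-01-01T00:00:00Z",
+"os": "",
+"rootfs": {
+"type": "",
+"diff_ids": null
+},
+"config": {}
+}
+},
+"Results": [
+{
+"Target": "Customfile",
+"Class": "config",
+"Type": "dockerfile",
+"MisconfSummary": {
+"Successes": 21,
+"Failures": 1,
+"Exceptions": 0
+},
+"Misconfigurations": [
+{
+"Type": "Dockerfile Security Check",
+"ID": "DS002",
+"Title": "Image user should not be 'root'",
+"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
+"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
+"Namespace": "builtin.dockerfile.DS002",
+"Query": "data.builtin.dockerfile.DS002.deny",
+"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
+"Severity": "HIGH",
+"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
+"References": [
+"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
+"https://avd.aquasec.com/misconfig/ds002"
+],
+"Status": "FAIL",
+"Layer": {},
+"CauseMetadata": {
+"Provider": "Dockerfile",
+"Service": "general",
+"Code": {
+"Lines": null
+}
+}
+}
+]
+}
+]
+}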
@@ -0,0 +1 @@
FROM alpine:3.13
13 changes: 12 additions & 1 deletion pkg/fanal/handler/misconf/misconf.go
Expand Up @@ -39,6 +39,7 @@ func init() {
const version = 1

type misconfPostHandler struct {
options artifact.Option
scanners map[string]scanners.Scanner
}

Expand Down Expand Up @@ -177,6 +178,7 @@ func newMisconfPostHandler(artifactOpt artifact.Option) (handler.PostHandler, er
}

return misconfPostHandler{
options: artifactOpt,
scanners: map[string]scanners.Scanner{
types.Terraform: tfscanner.New(opts...),
types.CloudFormation: cfscanner.New(opts...),
Expand All @@ -197,6 +199,15 @@ var enabledDefsecTypes = map[detection.FileType]string{
detection.FileTypeRbac: types.Rbac,
}

func (h misconfPostHandler) hasCustomPatternForType(t string) bool {
for _, pattern := range h.options.MisconfScannerOption.FilePatterns {
if strings.HasPrefix(pattern, t+":") {
return true
}
}
return false
}

// Handle detects misconfigurations.
func (h misconfPostHandler) Handle(ctx context.Context, result *analyzer.AnalysisResult, blob *types.BlobInfo) error {
files, ok := result.Files[h.Type()]
Expand All @@ -214,7 +225,7 @@ func (h misconfPostHandler) Handle(ctx context.Context, result *analyzer.Analysi
for defsecType, localType := range enabledDefsecTypes {

buffer := bytes.NewReader(file.Content)
if !detection.IsType(file.Path, buffer, defsecType) {
if !h.hasCustomPatternForType(localType) && !detection.IsType(file.Path, buffer, defsecType) {
continue
}
// Replace with more detailed config type
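Review bot: The new hasCustomPatternForType only checks that some --file-patterns entry begins with `t + ":"`, never that file.Path matches the text after the colon, so once a single pattern is configured for a type the `continue` in Handle is bypassed for every file the handler receives and each of them is scanned as that type (with the test's `dockerfile:Customfile`, every other collected file also becomes a Dockerfile candidate). Matching the path against the pattern restores the intended narrowing; the sketch below treats the text after the colon as a regular expression, which is how the `<type>:<pattern>` form reads, but reuse the analyzer-side matcher if it interprets patterns differently, and compile them once in newMisconfPostHandler rather than per file if this loop turns out to be hot. `regexp` would need importing, and the hunk does not show the import block, so I am assuming `strings` is already imported. The call site in Handle changes to `if !h.hasCustomPatternForType(localType, file.Path) && !detection.IsType(file.Path, buffer, defsecType) {`; Handle's body continues past the end of the hunk.
```go
// hasCustomPatternForType reports whether path matches a --file-patterns
// entry of the form "<type>:<pattern>" configured for type t.
func (h misconfPostHandler) hasCustomPatternForType(t, path string) bool {
	prefix := t + ":"
	for _, pattern := range h.options.MisconfScannerOption.FilePatterns {
		if !strings.HasPrefix(pattern, prefix) {
			continue
		}
		// TODO: compile once in newMisconfPostHandler instead of per file.
		re, err := regexp.Compile(strings.TrimPrefix(pattern, prefix))
		if err != nil {
			// An unparsable pattern cannot match anything; presumably the
			// flag parser already rejects these — verify.
			continue
		}
		if re.MatchString(path) {
			return true
		}
	}
	return false
}
```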
