diff --git a/pkg/fanal/image/registry/azure/azure.go b/pkg/fanal/image/registry/azure/azure.go
index 491fce4e27c3..fe348eaac9f5 100644
--- a/pkg/fanal/image/registry/azure/azure.go
+++ b/pkg/fanal/image/registry/azure/azure.go
@@ -20,7 +20,7 @@ type Registry struct {
 }
 const (
- azureURL = "azurecr.io"
+ azureURL = ".azurecr.io"
 scope = "https://management.azure.com/.default"
 scheme = "https"
 )
diff --git a/pkg/fanal/image/registry/azure/azure_test.go b/pkg/fanal/image/registry/azure/azure_test.go
index ae823b82a65a..dc4d03fc078e 100644
--- a/pkg/fanal/image/registry/azure/azure_test.go
+++ b/pkg/fanal/image/registry/azure/azure_test.go
@@ -19,6 +19,11 @@ func TestRegistry_CheckOptions(t *testing.T) {
 name: "happy path",
 domain: "test.azurecr.io",
 },
+ {
+ name: "invalidURL",
+ domain: "not-azurecr.io",
+ wantErr: "Azure registry: invalid url pattern",
+ },
 {
 name: "invalidURL",
 domain: "alpine:3.9",
diff --git a/pkg/fanal/image/registry/ecr/ecr.go b/pkg/fanal/image/registry/ecr/ecr.go
index e675ed47afaf..90dc4ef69f09 100644
--- a/pkg/fanal/image/registry/ecr/ecr.go
+++ b/pkg/fanal/image/registry/ecr/ecr.go
@@ -14,7 +14,8 @@ import (
 "github.com/aquasecurity/trivy/pkg/fanal/types"
 )
-const ecrURL = "amazonaws.com"
+const ecrURLSuffix = ".amazonaws.com"
+const ecrURLPartial = ".dkr.ecr"
 type ecrAPI interface {
 GetAuthorizationToken(ctx context.Context, params *ecr.GetAuthorizationTokenInput, optFns ...func(*ecr.Options)) (*ecr.GetAuthorizationTokenOutput, error)
@@ -37,7 +38,7 @@ func getSession(option types.RegistryOptions) (aws.Config, error) {
 }
 func (e *ECR) CheckOptions(domain string, option types.RegistryOptions) error {
- if !strings.HasSuffix(domain, ecrURL) {
+ if !strings.HasSuffix(domain, ecrURLSuffix) && !strings.Contains(domain, ecrURLPartial) {
 return xerrors.Errorf("ECR : %w", types.InvalidURLPattern)
 }
diff --git a/pkg/fanal/image/registry/ecr/ecr_test.go b/pkg/fanal/image/registry/ecr/ecr_test.go
index 63ae1858114c..f968cf1d850d 100644
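Review bot: The constant in azure.go's `const (` block is still named `azureURL` although it now holds a host suffix, and nothing records that the leading dot is what stops a look-alike host such as `not-azurecr.io` from passing. I would rename it to `azureURLSuffix`, in line with `ecrURLSuffix` and `gcrURLSuffix` in the sibling packages, and add `// Leading dot is required so that only subdomains of azurecr.io match.` above it. The comparison that uses the constant is outside this hunk, so the rename also touches that line; confirm there that it is a suffix match on the registry host.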
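Review bot: The table entry added in azure_test.go reuses the name `invalidURL`, which the entry right after it already carries, so a failure report cannot tell the look-alike-domain case from the malformed-reference case. Presumably the names feed `t.Run`, which is outside the hunk and would only disambiguate them with a numeric suffix. Give the new entry its own name, e.g. `name: "look-alike domain without dot boundary",`.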
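Review bot: The new guard in `CheckOptions` (second ecr.go hunk) returns the error only when both tests fail, so a host is accepted if it either ends in `.amazonaws.com` or merely contains `.dkr.ecr`. As written, any non-ECR host under amazonaws.com passes on the suffix alone, and a host outside amazonaws.com passes whenever `.dkr.ecr` appears anywhere in its name, which is the mismatch this gate presumably exists to stop before ECR credentials are used for that host. The `InvalidSubdomain` case added in ecr_test.go (`xxx.s3.ap-northeast-1.amazonaws.com`) expects rejection, which this condition does not appear to deliver. Requiring both parts, `if !strings.HasSuffix(domain, ecrURLSuffix) || !strings.Contains(domain, ecrURLPartial) {`, closes that; the `xxx.ecr.…` fixtures would then need the `.dkr.ecr` form, and hosts under `.amazonaws.com.cn` need an explicit decision. The function body continues past the hunk.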
--- a/pkg/fanal/image/registry/ecr/ecr_test.go
+++ b/pkg/fanal/image/registry/ecr/ecr_test.go
@@ -21,6 +21,14 @@ func TestCheckOptions(t *testing.T) {
 domain: "alpine:3.9",
 wantErr: types.InvalidURLPattern,
 },
+ "InvalidDomain": {
+ domain: "xxx.ecr.ap-northeast-1.not-amazonaws.com",
+ wantErr: types.InvalidURLPattern,
+ },
+ "InvalidSubdomain": {
+ domain: "xxx.s3.ap-northeast-1.amazonaws.com",
+ wantErr: types.InvalidURLPattern,
+ },
 "NoOption": {
 domain: "xxx.ecr.ap-northeast-1.amazonaws.com",
 },
diff --git a/pkg/fanal/image/registry/google/google.go b/pkg/fanal/image/registry/google/google.go
index f4e7a7414260..fe52c85f7493 100644
--- a/pkg/fanal/image/registry/google/google.go
+++ b/pkg/fanal/image/registry/google/google.go
@@ -18,13 +18,14 @@ type Registry struct {
 }
 // Google container registry
-const gcrURL = "gcr.io"
+const gcrURLDomain = "gcr.io"
+const gcrURLSuffix = ".gcr.io"
 // Google artifact registry
-const garURL = "docker.pkg.dev"
+const garURLSuffix = "-docker.pkg.dev"
 func (g *Registry) CheckOptions(domain string, option types.RegistryOptions) error {
- if !strings.HasSuffix(domain, gcrURL) && !strings.HasSuffix(domain, garURL) {
+ if domain != gcrURLDomain && !strings.HasSuffix(domain, gcrURLSuffix) && !strings.HasSuffix(domain, garURLSuffix) {
 return xerrors.Errorf("Google registry: %w", types.InvalidURLPattern)
 }
 g.domain = domain
diff --git a/pkg/fanal/image/registry/google/google_test.go b/pkg/fanal/image/registry/google/google_test.go
index 62a2b1f57627..2e4ba64d663e 100644
--- a/pkg/fanal/image/registry/google/google_test.go
+++ b/pkg/fanal/image/registry/google/google_test.go
@@ -21,6 +21,10 @@ func TestCheckOptions(t *testing.T) {
 domain: "alpine:3.9",
 wantErr: types.InvalidURLPattern,
 },
+ "InvalidDomain": {
+ domain: "not-gcr.io",
+ wantErr: types.InvalidURLPattern,
+ },
 "NoOption": {
 domain: "gcr.io",
 gcr: &Registry{domain: "gcr.io"},
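Review bot: The three negated conjuncts in google.go's `CheckOptions` are the whole allow-list deciding which hosts are treated as Google registries, and a named positive predicate would be easier to audit. Consider `if !isGoogleRegistry(domain) {` with a helper returning `domain == gcrURLDomain || strings.HasSuffix(domain, gcrURLSuffix) || strings.HasSuffix(domain, garURLSuffix)`. A comment on `garURLSuffix` should say that the leading hyphen ties the match to `<location>-docker.pkg.dev` hosts. The two gcr constants could also sit in one `const ( … )` block. `CheckOptions` continues after the hunk.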
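Review bot: The only negative case added in google_test.go exercises the `.gcr.io` boundary; the tightened Artifact Registry suffix `-docker.pkg.dev` gets no case in this hunk. A case such as `"InvalidGARDomain": {domain: "docker.pkg.dev", wantErr: types.InvalidURLPattern},` would pin the behaviour change, since that host matched the old `docker.pkg.dev` suffix and no longer matches. A positive `us-docker.pkg.dev` case would guard against over-tightening, unless such cases already exist outside the visible lines.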