Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Fix --file-patterns flag #2625

Merged
merged 2 commits into from
Jul 29, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions integration/fs_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ func TestFilesystem(t *testing.T) {
listAllPkgs bool
input string
secretConfig string
filePatterns []string
}
tests := []struct {
name string
Expand Down Expand Up @@ -79,6 +80,16 @@ func TestFilesystem(t *testing.T) {
},
golden: "testdata/dockerfile.json.golden",
},
{
name: "dockerfile with custom file pattern",
args: args{
securityChecks: "config",
input: "testdata/fixtures/fs/dockerfile_file_pattern",
namespaces: []string{"testing"},
filePatterns: []string{"dockerfile:Customfile"},
},
golden: "testdata/dockerfile_file_pattern.json.golden",
},
{
name: "dockerfile with rule exception",
args: args{
Expand Down Expand Up @@ -178,6 +189,12 @@ func TestFilesystem(t *testing.T) {
defer os.Remove(trivyIgnore)
}

if len(tt.args.filePatterns) != 0 {
for _, filePattern := range tt.args.filePatterns {
osArgs = append(osArgs, "--file-patterns", filePattern)
}
}

// Setup the output file
outputFile := filepath.Join(t.TempDir(), "output.json")
if *update {
Expand Down
56 changes: 56 additions & 0 deletions integration/testdata/dockerfile_file_pattern.json.golden
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/dockerfile_file_pattern",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Customfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 21,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
FROM alpine:3.13
15 changes: 13 additions & 2 deletions pkg/fanal/handler/misconf/misconf.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,8 @@ func init() {
const version = 1

type misconfPostHandler struct {
scanners map[string]scanners.Scanner
filePatterns []string
scanners map[string]scanners.Scanner
}

// for a given set of paths, find the most specific filesystem path that contains all the descendants
Expand Down Expand Up @@ -177,6 +178,7 @@ func newMisconfPostHandler(artifactOpt artifact.Option) (handler.PostHandler, er
}

return misconfPostHandler{
filePatterns: artifactOpt.MisconfScannerOption.FilePatterns,
scanners: map[string]scanners.Scanner{
types.Terraform: tfscanner.New(opts...),
types.CloudFormation: cfscanner.New(opts...),
Expand All @@ -197,6 +199,15 @@ var enabledDefsecTypes = map[detection.FileType]string{
detection.FileTypeRbac: types.Rbac,
}

func (h misconfPostHandler) hasCustomPatternForType(t string) bool {
for _, pattern := range h.filePatterns {
if strings.HasPrefix(pattern, t+":") {
return true
}
}
return false
}

// Handle detects misconfigurations.
func (h misconfPostHandler) Handle(ctx context.Context, result *analyzer.AnalysisResult, blob *types.BlobInfo) error {
files, ok := result.Files[h.Type()]
Expand All @@ -214,7 +225,7 @@ func (h misconfPostHandler) Handle(ctx context.Context, result *analyzer.Analysi
for defsecType, localType := range enabledDefsecTypes {

buffer := bytes.NewReader(file.Content)
if !detection.IsType(file.Path, buffer, defsecType) {
if !h.hasCustomPatternForType(localType) && !detection.IsType(file.Path, buffer, defsecType) {
continue
}
// Replace with more detailed config type
Expand Down