Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Fix --file-patterns flag #2625

Merged
merged 2 commits into from
Jul 29, 2022
Merged

fix: Fix --file-patterns flag #2625

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
893b639
fix: Fix --file-patterns flag
liamg Jul 29, 2022
1a01f98
refactor: store only required option in handler
liamg Jul 29, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions integration/fs_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ func TestFilesystem(t *testing.T) {
listAllPkgs bool
input string
secretConfig string
filePatterns []string
}
tests := []struct {
name string
Expand Down Expand Up @@ -79,6 +80,16 @@ func TestFilesystem(t *testing.T) {
},
golden: "testdata/dockerfile.json.golden",
},
{
name: "dockerfile with custom file pattern",
args: args{
securityChecks: "config",
input: "testdata/fixtures/fs/dockerfile_file_pattern",
namespaces: []string{"testing"},
filePatterns: []string{"dockerfile:Customfile"},
},
golden: "testdata/dockerfile_file_pattern.json.golden",
},
{
name: "dockerfile with rule exception",
args: args{
Expand Down Expand Up @@ -178,6 +189,12 @@ func TestFilesystem(t *testing.T) {
defer os.Remove(trivyIgnore)
}

if len(tt.args.filePatterns) != 0 {
for _, filePattern := range tt.args.filePatterns {
osArgs = append(osArgs, "--file-patterns", filePattern)
}
}

// Setup the output file
outputFile := filepath.Join(t.TempDir(), "output.json")
if *update {
Expand Down
56 changes: 56 additions & 0 deletions integration/testdata/dockerfile_file_pattern.json.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/dockerfile_file_pattern",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "Customfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 21,
"Failures": 1,
"Exceptions": 0
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
"Namespace": "builtin.dockerfile.DS002",
"Query": "data.builtin.dockerfile.DS002.deny",
"Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds002"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"Code": {
"Lines": null
}
}
}
]
}
]
}
1 change: 1 addition & 0 deletions integration/testdata/fixtures/fs/dockerfile_file_pattern/Customfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
FROM alpine:3.13
13 changes: 12 additions & 1 deletion pkg/fanal/handler/misconf/misconf.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ func init() {
const version = 1

type misconfPostHandler struct {
options artifact.Option
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if we only store options.MisconfScannerOption.FilePatterns here?
I think we don't need to keep all "options".

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that's true, done 👍

scanners map[string]scanners.Scanner
}

Expand Down Expand Up @@ -177,6 +178,7 @@ func newMisconfPostHandler(artifactOpt artifact.Option) (handler.PostHandler, er
}

return misconfPostHandler{
options: artifactOpt,
scanners: map[string]scanners.Scanner{
types.Terraform: tfscanner.New(opts...),
types.CloudFormation: cfscanner.New(opts...),
Expand All @@ -197,6 +199,15 @@ var enabledDefsecTypes = map[detection.FileType]string{
detection.FileTypeRbac: types.Rbac,
}

func (h misconfPostHandler) hasCustomPatternForType(t string) bool {
for _, pattern := range h.options.MisconfScannerOption.FilePatterns {
if strings.HasPrefix(pattern, t+":") {
return true
}
}
return false
}

// Handle detects misconfigurations.
func (h misconfPostHandler) Handle(ctx context.Context, result *analyzer.AnalysisResult, blob *types.BlobInfo) error {
files, ok := result.Files[h.Type()]
Expand All @@ -214,7 +225,7 @@ func (h misconfPostHandler) Handle(ctx context.Context, result *analyzer.Analysi
for defsecType, localType := range enabledDefsecTypes {

buffer := bytes.NewReader(file.Content)
if !detection.IsType(file.Path, buffer, defsecType) {
if !h.hasCustomPatternForType(localType) && !detection.IsType(file.Path, buffer, defsecType) {
continue
}
// Replace with more detailed config type
Expand Down