-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(misconf): Support relative paths in terraform config #3991
Conversation
Currently, if a terraform deployment contains modules that are defined with relative file paths, trivy silently ignores them and does not scan them. This PR also eliminates unnecessary scan for config types that are not found when evaluating. Signed-off-by: Simar <[email protected]>
fb55191
to
6a9e717
Compare
Signed-off-by: Simar <[email protected]>
6a9e717
to
0337b65
Compare
Signed-off-by: Simar <[email protected]>
Signed-off-by: Simar <[email protected]>
Signed-off-by: Simar <[email protected]>
535f19c
to
6a435df
Compare
Signed-off-by: Simar <[email protected]>
cbc439e
to
adeeec3
Compare
@@ -50,6 +51,7 @@ func NewScanner(filePatterns []string, opt config.ScannerOption) (Scanner, error | |||
opts := []options.ScannerOption{ | |||
options.ScannerWithSkipRequiredCheck(true), | |||
options.ScannerWithEmbeddedPolicies(!opt.DisableEmbeddedPolicies), | |||
options.ScannerWithDebug(os.Stdout), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TODO: Remove prior to merge
499a3ac
to
1baf04c
Compare
Signed-off-by: Simar <[email protected]>
1baf04c
to
18c7925
Compare
ID: "sha256:b3ae72efb468a0e17551fa4067c1f9d9dff9a1e520b9f8191f48829ab6e8356d", | ||
BlobIDs: []string{ | ||
"sha256:b3ae72efb468a0e17551fa4067c1f9d9dff9a1e520b9f8191f48829ab6e8356d", | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: I've removed these assertions as the key is calculated over everything (including the file paths in the blob), which results in the key being different on different OS's (unix vs windows).
Arguably the content is more important in these tests, which is still asserted.
hi @knqyf263 could you review these as you are the code owner and your review is needed to merge it in. |
Sure. I cut v0.40.0 yesterday and have time to review it now. |
rootDir = strings.TrimPrefix(filepath.ToSlash(rootDir), volume+"/") | ||
} | ||
|
||
results, err = scanner.ScanFS(ctx, extrafs.OSDir("/"), rootDir) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extrafs.OSDir
says
Go does not currently support symlinks in io/fs
Is it correct? DirFS seems to follow symlinks. Am I missing something?
https://pkg.go.dev/os#DirFS
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And it breaks container/VM image scanning since os.DirFS
refers to the local filesystem. Putting Terraform files into container/VM images is rare, but we have actually seen it in the past. That is why we use memoryfs
instead of the OS filesystem.
IIUC, the problem here is memoryfs
and os.DirFS
don't allow accessing outside the root directory. I have a plan to replace memoryfs
with mapfs
. What if allowing mapfs
to access the outside file?
I'll raise a PR shortly. We can discuss the solution after that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extrafs.OSDir
saysGo does not currently support symlinks in io/fs
Is it correct? DirFS seems to follow symlinks. Am I missing something? https://pkg.go.dev/os#DirFS
Hmm... I don't know the origin of that comment but I do see os.DirFS does follow symlinks as you said. Maybe that comment/commit was added pre go 1.16 and isn't relevant anymore? 🤷🏼
And it breaks container/VM image scanning since
os.DirFS
refers to the local filesystem. Putting Terraform files into container/VM images is rare, but we have actually seen it in the past. That is why we usememoryfs
instead of the OS filesystem.
Oh interesting. We should have a test for this. Do we have any integration tests that test out container/VM images? Maybe we can add a symlinked terraform file in there to have this covered.
IIUC, the problem here is
memoryfs
andos.DirFS
don't allow accessing outside the root directory. I have a plan to replacememoryfs
withmapfs
. What if allowingmapfs
to access the outside file?
Yes that's the problem. I assume you are talking this mapfs
right? Does it support symlinks today? I only see that it implements these https://github.com/aquasecurity/trivy/blob/main/pkg/mapfs/fs.go#L18-L22 - I assumed you would need to implement something like this: https://github.com/aquasecurity/defsec/blob/a071f4812c575431b38ce741c2138c40cfccc423/pkg/extrafs/extrafs.go#L48-L54?
I'll raise a PR shortly. We can discuss the solution after that.
Sure, add me to the review so I'll take a look at it as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have any integration tests that test out container/VM images?
No, but you're right. We should have it. It was not a common case, so we were lazy 😄 .
@simar7 Can you add a test container image for Terraform here? Also, I assigned you another issue. It would be great if you take care of them.
aquasecurity/trivy-test-images#28
aquasecurity/trivy-test-images#27
Does it support symlinks today?
No, but it would be easy to support. I'll implement it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it support symlinks today?
It uses os.Open()
under the hood, which follows symlinks. What else do we need?
Lines 68 to 69 in cc18f92
default: // Real file | |
return os.Open(f.path) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In theory, tthat should be all. The key thing would be to be able to support paths outside the memfs
, including relative paths, which is what this PR tries to do with extrafs
.
Co-authored-by: Teppei Fukuda <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where is this file used? I didn't find the test case.
Superseeded by #4094 |
Description
Currently, if a terraform deployment contains modules that are defined with relative file paths, trivy silently ignores them and does not scan them.
This PR also eliminates unnecessary scan for config types that are not found when evaluating.
Related issues
Checklist
Signed-off-by: Simar [email protected]