feat(repo): support local repositories (#4890)

* feat(repo): support local repositories

* fix tests

* test: fix client/server tests

* docs: update

* test: add fs tests

* test: do not update golden files if overridden

* docs: remove a comment about fs deprecation
Teppei Fukuda
2023-07-31 14:27:36 +03:00
committed by GitHub
parent 3c19761875
commit d19c7d9f29
124 changed files with 454 additions and 446 deletions

View File

@@ -1,236 +0,0 @@
# Git Repository
Scan your remote git repositories for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`.
```bash
$ trivy repo [YOUR_REPO_URL]
```
## Scanners
### Vulnerabilities
It is enabled by default.
Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
See [here](../scanner/vulnerability/index.md) for the detail.
```
$ trivy repo https://github.com/knqyf263/trivy-ci-test
```
<details>
<summary>Result</summary>
```
2021-03-09T15:04:19.003+0200 INFO Detecting cargo vulnerabilities...
2021-03-09T15:04:19.005+0200 INFO Detecting pipenv vulnerabilities...
Cargo.lock
==========
Total: 7 (UNKNOWN: 7, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
| ammonia | RUSTSEC-2019-0001 | UNKNOWN | 1.9.0 | >= 2.1.0 | Uncontrolled recursion leads |
| | | | | | to abort in HTML serialization |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2019-0001 |
+----------+-------------------+ +-------------------+------------------------------+---------------------------------------------+
| openssl | RUSTSEC-2016-0001 | | 0.8.3 | >= 0.9.0 | SSL/TLS MitM vulnerability |
| | | | | | due to insecure defaults |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2016-0001 |
+----------+-------------------+ +-------------------+------------------------------+---------------------------------------------+
| smallvec | RUSTSEC-2018-0018 | | 0.6.9 | >= 0.6.13 | smallvec creates uninitialized |
| | | | | | value of any type |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2018-0018 |
+ +-------------------+ + +------------------------------+---------------------------------------------+
| | RUSTSEC-2019-0009 | | | >= 0.6.10 | Double-free and use-after-free |
| | | | | | in SmallVec::grow() |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2019-0009 |
+ +-------------------+ + + +---------------------------------------------+
| | RUSTSEC-2019-0012 | | | | Memory corruption in SmallVec::grow() |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2019-0012 |
+ +-------------------+ + +------------------------------+---------------------------------------------+
| | RUSTSEC-2021-0003 | | | >= 0.6.14, < 1.0.0, >= 1.6.1 | Buffer overflow in SmallVec::insert_many |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2021-0003 |
+----------+-------------------+ +-------------------+------------------------------+---------------------------------------------+
| tempdir | RUSTSEC-2018-0017 | | 0.3.7 | | `tempdir` crate has been |
| | | | | | deprecated; use `tempfile` instead |
| | | | | | -->rustsec.org/advisories/RUSTSEC-2018-0017 |
+----------+-------------------+----------+-------------------+------------------------------+---------------------------------------------+
Pipfile.lock
============
Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| django | CVE-2019-19844 | CRITICAL | 2.0.9 | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |
| | | | | | allows account takeover |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19844 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-7471 | | | 3.0.3, 2.2.10, 1.11.28 | django: potential SQL injection |
| | | | | | via StringAgg(delimiter) |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7471 |
+ +------------------+----------+ +------------------------+---------------------------------------+
| | CVE-2019-6975 | HIGH | | 2.1.6, 2.0.11, 1.11.19 | python-django: memory exhaustion in |
| | | | | | django.utils.numberformat.format() |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-6975 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-9402 | | | 3.0.4, 2.2.11, 1.11.29 | django: potential SQL injection |
| | | | | | via "tolerance" parameter in |
| | | | | | GIS functions and aggregates... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9402 |
+ +------------------+----------+ +------------------------+---------------------------------------+
| | CVE-2019-3498 | MEDIUM | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content spoofing |
| | | | | | via URL path in default 404 page |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-3498 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-13254 | | | 3.0.7, 2.2.13 | django: potential data leakage |
| | | | | | via malformed memcached keys |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13254 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-13596 | | | | django: possible XSS via |
| | | | | | admin ForeignKeyRawIdWidget |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13596 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| django-cors-headers | pyup.io-37132 | UNKNOWN | 2.5.2 | 3.0.0 | In django-cors-headers |
| | | | | | version 3.0.0, |
| | | | | | ``CORS_ORIGIN_WHITELIST`` |
| | | | | | requires URI schemes, and |
| | | | | | optionally ports. This... |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| djangorestframework | CVE-2020-25626 | MEDIUM | 3.9.2 | 3.11.2 | django-rest-framework: XSS |
| | | | | | Vulnerability in API viewer |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-25626 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| httplib2 | CVE-2021-21240 | HIGH | 0.12.1 | 0.19.0 | python-httplib2: Regular |
| | | | | | expression denial of |
| | | | | | service via malicious header |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-21240 |
+ +------------------+----------+ +------------------------+---------------------------------------+
| | CVE-2020-11078 | MEDIUM | | 0.18.0 | python-httplib2: CRLF injection |
| | | | | | via an attacker controlled |
| | | | | | unescaped part of uri for... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-11078 |
+ +------------------+----------+ + +---------------------------------------+
| | pyup.io-38303 | UNKNOWN | | | Httplib2 0.18.0 is an |
| | | | | | important security update to |
| | | | | | patch a CWE-93 CRLF... |
+---------------------+------------------+ +-------------------+------------------------+---------------------------------------+
| jinja2 | pyup.io-39525 | | 2.10.1 | 2.11.3 | This affects the package |
| | | | | | jinja2 from 0.0.0 and before |
| | | | | | 2.11.3. The ReDOS... |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| py | CVE-2020-29651 | HIGH | 1.8.0 | | python-py: ReDoS in the py.path.svnwc |
| | | | | | component via malicious input |
| | | | | | to blame functionality... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29651 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| pyyaml | CVE-2019-20477 | CRITICAL | 5.1 | | PyYAML: command execution |
| | | | | | through python/object/apply |
| | | | | | constructor in FullLoader |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-20477 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-14343 | | | 5.4 | PyYAML: incomplete |
| | | | | | fix for CVE-2020-1747 |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-14343 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-1747 | | | 5.3.1 | PyYAML: arbitrary command |
| | | | | | execution through python/object/new |
| | | | | | when FullLoader is used |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-1747 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
| urllib3 | CVE-2019-11324 | HIGH | 1.24.1 | 1.24.2 | python-urllib3: Certification |
| | | | | | mishandle when error should be thrown |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-11324 |
+ +------------------+----------+ +------------------------+---------------------------------------+
| | CVE-2019-11236 | MEDIUM | | | python-urllib3: CRLF injection |
| | | | | | due to not encoding the |
| | | | | | '\r\n' sequence leading to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-11236 |
+ +------------------+ + +------------------------+---------------------------------------+
| | CVE-2020-26137 | | | 1.25.9 | python-urllib3: CRLF injection |
| | | | | | via HTTP request method |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-26137 |
+---------------------+------------------+----------+-------------------+------------------------+---------------------------------------+
```
</details>
### Misconfigurations
It is disabled by default and can be enabled with `--scanners config`.
See [here](../scanner/misconfiguration/index.md) for the detail.
```shell
$ trivy repo --scanners config [YOUR_REPO_URL]
```
### Secrets
It is enabled by default.
See [here](../scanner/secret.md) for the detail.
```shell
$ trivy repo [YOUR_REPO_URL]
```
### Licenses
It is disabled by default.
See [here](../scanner/license.md) for the detail.
```shell
$ trivy repo --scanners license [YOUR_REPO_URL]
```
## SBOM generation
Trivy can generate SBOM for git repositories.
See [here](../supply-chain/sbom.md) for the detail.
## References
### Scanning a Branch
Pass a `--branch` argument with a valid branch name on the remote repository provided:
```
$ trivy repo --branch <branch-name> <repo-name>
```
### Scanning upto a Commit
Pass a `--commit` argument with a valid commit hash on the remote repository provided:
```
$ trivy repo --commit <commit-hash> <repo-name>
```
### Scanning a Tag
Pass a `--tag` argument with a valid tag on the remote repository provided:
```
$ trivy repo --tag <tag-name> <repo-name>
```
### Scanning Private Repositories
In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
You can find how to generate your GitHub Token in the following [GitHub documentation.](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
For example:
```
$ export GITHUB_TOKEN="your_private_github_token"
$ trivy repo <your private GitHub repo URL>
$
$ # or
$ export GITLAB_TOKEN="your_private_gitlab_token"
$ trivy repo <your private GitLab repo URL>
```

View File

@@ -0,0 +1,155 @@
# Code Repository
Scan your local or remote code repositories for
- Vulnerabilities
- Misconfigurations
- Secrets
- Licenses
By default, vulnerability and secret scanning are enabled, and you can configure that with `--scanners`.
```bash
$ trivy repo (REPO_PATH | REPO_URL)
```
For example, you can scan a local repository as below.
```bash
$ trivy repo ./
```
It's also possible to scan a single file.
```
$ trivy repo ./trivy-ci-test/Pipfile.lock
```
To scan remote code repositories, you need to specify the URL.
```bash
$ trivy repo https://github.com/aquasecurity/trivy-ci-test
```
## Rationale
`trivy repo` is designed to scan code repositories, and it is intended to be used for scanning local/remote repositories in your machine or in your CI environment.
Therefore, unlike container/VM image scanning, it targets lock files such as package-lock.json and does not target artifacts like JAR files, binary files, etc.
See [here](../scanner/vulnerability/language/index.md) for the detail.
## Scanners
### Vulnerabilities
It is enabled by default.
Trivy will look for vulnerabilities based on lock files such as Gemfile.lock and package-lock.json.
See [here](../scanner/vulnerability/index.md) for the detail.
```
$ trivy repo ~/src/github.com/aquasecurity/trivy-ci-test
```
<details>
<summary>Result</summary>
```
2020-06-01T17:06:58.652+0300 WARN OS is not detected and vulnerabilities in OS packages are not detected.
2020-06-01T17:06:58.652+0300 INFO Detecting pipenv vulnerabilities...
2020-06-01T17:06:58.691+0300 INFO Detecting cargo vulnerabilities...
Pipfile.lock
============
Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
| django | CVE-2020-7471 | HIGH | 2.0.9 | 3.0.3, 2.2.10, 1.11.28 | django: potential |
| | | | | | SQL injection via |
| | | | | | StringAgg(delimiter) |
+ +------------------+----------+ +------------------------+------------------------------------+
| | CVE-2019-19844 | MEDIUM | | 3.0.1, 2.2.9, 1.11.27 | Django: crafted email address |
| | | | | | allows account takeover |
+ +------------------+ + +------------------------+------------------------------------+
| | CVE-2019-3498 | | | 2.1.5, 2.0.10, 1.11.18 | python-django: Content |
| | | | | | spoofing via URL path in |
| | | | | | default 404 page |
+ +------------------+ + +------------------------+------------------------------------+
| | CVE-2019-6975 | | | 2.1.6, 2.0.11, 1.11.19 | python-django: |
| | | | | | memory exhaustion in |
| | | | | | django.utils.numberformat.format() |
+---------------------+------------------+----------+-------------------+------------------------+------------------------------------+
...
```
</details>
### Misconfigurations
It is disabled by default and can be enabled with `--scanners config`.
See [here](../scanner/misconfiguration/index.md) for the detail.
```shell
$ trivy repo --scanners config [YOUR_REPO_URL]
```
### Secrets
It is enabled by default.
See [here](../scanner/secret.md) for the detail.
```shell
$ trivy repo [YOUR_REPO_URL]
```
### Licenses
It is disabled by default.
See [here](../scanner/license.md) for the detail.
```shell
$ trivy repo --scanners license [YOUR_REPO_URL]
```
## SBOM generation
Trivy can generate SBOM for code repositories.
See [here](../supply-chain/sbom.md) for the detail.
## References
The following flags and environmental variables are available for remote git repositories.
### Scanning a Branch
Pass a `--branch` argument with a valid branch name on the remote repository provided:
```
$ trivy repo --branch <branch-name> <repo-name>
```
### Scanning upto a Commit
Pass a `--commit` argument with a valid commit hash on the remote repository provided:
```
$ trivy repo --commit <commit-hash> <repo-name>
```
### Scanning a Tag
Pass a `--tag` argument with a valid tag on the remote repository provided:
```
$ trivy repo --tag <tag-name> <repo-name>
```
### Scanning Private Repositories
In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
You can find how to generate your GitHub Token in the following [GitHub documentation.](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
For example:
```
$ export GITHUB_TOKEN="your_private_github_token"
$ trivy repo <your private GitHub repo URL>
# or
$ export GITLAB_TOKEN="your_private_gitlab_token"
$ trivy repo <your private GitLab repo URL>
```
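
Review bot: The Misconfigurations, Secrets and Licenses examples in this new page still take `[YOUR_REPO_URL]`, while the synopsis at the top is `trivy repo (REPO_PATH | REPO_URL)`, so a reader landing on those sections cannot tell that a local path works there too. Use the same placeholder throughout, or show one local and one remote invocation per scanner. The page also does not say what a local scan covers when secret scanning is on by default (working tree only, or also `.git` and ignored files); one sentence on that would help users interpret findings. Minor: "Scanning upto a Commit" should read "up to", and "environmental variables" should be "environment variables".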

View File

@@ -55,4 +55,4 @@ Trivy reads IaC & configuration languages for the purpose of misconfiguration de
- Azure ARM Template
- Helm Chart
For more information about checks [see here](../docs/misconfiguration/policy/builtin.md).
For more information about checks [see here](../docs/scanner/misconfiguration/policy/builtin.md).

View File

@@ -21,3 +21,5 @@ See [here](../docs/configuration/reporting.md#converting).
### How to run Trivy under air-gapped environment?
See [here](../docs/advanced/air-gap.md).
### Why `trivy fs` and `trivy repo` does not scan JAR files for vulnerabilities?
See [here](../docs/target/repository.md#rationale).
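
Review bot: The new FAQ heading has a subject-verb mismatch ("`trivy fs` and `trivy repo` does not scan"); it should read "do not scan". The answer links to `repository.md#rationale`, and that section as added in this commit only talks about `trivy repo`, so a reader asking about `trivy fs` gets no direct answer there. Either mention `trivy fs` in the Rationale section or state in the FAQ that the same reasoning applies to both commands.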

View File

@@ -236,21 +236,21 @@ func TestClientServer(t *testing.T) {
golden: "testdata/busybox-with-lockfile.json.golden",
},
{
name: "scan pox.xml with fs command in client/server mode",
name: "scan pox.xml with repo command in client/server mode",
args: csArgs{
Command: "fs",
Command: "repo",
RemoteAddrOption: "--server",
Target: "testdata/fixtures/fs/pom/",
Target: "testdata/fixtures/repo/pom/",
},
golden: "testdata/pom.json.golden",
},
{
name: "scan sample.pem with fs command in client/server mode",
name: "scan sample.pem with repo command in client/server mode",
args: csArgs{
Command: "fs",
Command: "repo",
RemoteAddrOption: "--server",
secretConfig: "testdata/fixtures/fs/secrets/trivy-secret.yaml",
Target: "testdata/fixtures/fs/secrets/",
secretConfig: "testdata/fixtures/repo/secrets/trivy-secret.yaml",
Target: "testdata/fixtures/repo/secrets/",
},
golden: "testdata/secrets.json.golden",
},
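
Review bot: Both cases in this hunk switch `Command` from "fs" to "repo", so after the change nothing in this table runs `fs` in client/server mode, although `fs` remains a supported command (the repository test table keeps explicit "with fs subcommand" cases). Keep at least one `fs` case here, using the `override` callback added to `compareReports` to adjust the expected `ArtifactType`. Since the name line is being edited anyway, "scan pox.xml" looks like a typo for pom.xml given the `testdata/fixtures/repo/pom/` target.
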
@@ -279,7 +279,7 @@ func TestClientServer(t *testing.T) {
err := execute(osArgs)
require.NoError(t, err)
compareReports(t, c.golden, outputFile)
compareReports(t, c.golden, outputFile, nil)
})
}
}
@@ -328,11 +328,11 @@ func TestClientServerWithFormat(t *testing.T) {
{
name: "scan secrets with ASFF template",
args: csArgs{
Command: "fs",
Command: "repo",
RemoteAddrOption: "--server",
Format: "template",
TemplatePath: "@../contrib/asff.tpl",
Target: "testdata/fixtures/fs/secrets/",
Target: "testdata/fixtures/repo/secrets/",
},
golden: "testdata/secrets.asff.golden",
},
@@ -501,7 +501,7 @@ func TestClientServerWithToken(t *testing.T) {
}
require.NoError(t, err, c.name)
compareReports(t, c.golden, outputFile)
compareReports(t, c.golden, outputFile, nil)
})
}
}
@@ -528,7 +528,7 @@ func TestClientServerWithRedis(t *testing.T) {
err := execute(osArgs)
require.NoError(t, err)
compareReports(t, golden, outputFile)
compareReports(t, golden, outputFile, nil)
})
// Terminate the Redis container

View File

@@ -285,7 +285,7 @@ func TestDockerEngine(t *testing.T) {
assert.NoError(t, err, tt.name)
// check for vulnerability output info
compareReports(t, tt.golden, output)
compareReports(t, tt.golden, output, nil)
// cleanup
_, err = cli.ImageRemove(ctx, tt.input, api.ImageRemoveOptions{

View File

@@ -199,9 +199,12 @@ func execute(osArgs []string) error {
return app.Execute()
}
func compareReports(t *testing.T, wantFile, gotFile string) {
func compareReports(t *testing.T, wantFile, gotFile string, override func(*types.Report)) {
want := readReport(t, wantFile)
got := readReport(t, gotFile)
if override != nil {
override(&want)
}
assert.Equal(t, want, got)
}
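
Review bot: `override` is applied to `want`, the report read from the golden file, not to `got`, and nothing in the signature or body says so. Add a doc comment on `compareReports` stating that the callback patches the expected report before `assert.Equal`, and consider a name such as `overrideWant`; as written, a caller could reasonably assume it normalises the actual output. Every existing caller now has to pass `nil`, which is noisy but harmless.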

View File

@@ -1,4 +1,5 @@
//go:build module_integration
package integration
import (
@@ -70,7 +71,7 @@ func TestModule(t *testing.T) {
}()
// Compare want and got
compareReports(t, tt.golden, outputFile)
compareReports(t, tt.golden, outputFile, nil)
})
}
}

View File

@@ -1,5 +1,4 @@
//go:build integration
// +build integration
package integration
@@ -12,13 +11,14 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)
func TestFilesystem(t *testing.T) {
// TestRepository tests `trivy repo` with the local code repositories
func TestRepository(t *testing.T) {
type args struct {
scanner types.Scanner
severity []string
ignoreIDs []string
policyPaths []string
namespaces []string
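
Review bot: The new doc comment says the test covers `trivy repo` with local code repositories, but the same table also drives other commands through `args.command` ("rootfs" for the conda SBOM cases and "fs" for the two cases added later in this commit). Reword it to say that `repo` is the default command and that individual cases may override it, so the rename from `TestFilesystem` does not hide that `fs` and `rootfs` are still exercised here.
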
@@ -35,15 +35,16 @@ func TestFilesystem(t *testing.T) {
includeDevDeps bool
}
tests := []struct {
name string
args args
golden string
name string
args args
golden string
override func(*types.Report)
}{
{
name: "gomod",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/fs/gomod",
input: "testdata/fixtures/repo/gomod",
},
golden: "testdata/gomod.json.golden",
},
@@ -51,8 +52,8 @@ func TestFilesystem(t *testing.T) {
name: "gomod with skip files",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/fs/gomod",
skipFiles: []string{"testdata/fixtures/fs/gomod/submod2/go.mod"},
input: "testdata/fixtures/repo/gomod",
skipFiles: []string{"testdata/fixtures/repo/gomod/submod2/go.mod"},
},
golden: "testdata/gomod-skip.json.golden",
},
@@ -60,8 +61,8 @@ func TestFilesystem(t *testing.T) {
name: "gomod with skip dirs",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/fs/gomod",
skipDirs: []string{"testdata/fixtures/fs/gomod/submod2"},
input: "testdata/fixtures/repo/gomod",
skipDirs: []string{"testdata/fixtures/repo/gomod/submod2"},
},
golden: "testdata/gomod-skip.json.golden",
},
@@ -69,7 +70,7 @@ func TestFilesystem(t *testing.T) {
name: "npm",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/fs/npm",
input: "testdata/fixtures/repo/npm",
listAllPkgs: true,
},
golden: "testdata/npm.json.golden",
@@ -78,7 +79,7 @@ func TestFilesystem(t *testing.T) {
name: "npm with dev deps",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/fs/npm",
input: "testdata/fixtures/repo/npm",
listAllPkgs: true,
includeDevDeps: true,
},
@@ -88,7 +89,7 @@ func TestFilesystem(t *testing.T) {
name: "yarn",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/fs/yarn",
input: "testdata/fixtures/repo/yarn",
listAllPkgs: true,
},
golden: "testdata/yarn.json.golden",
@@ -97,7 +98,7 @@ func TestFilesystem(t *testing.T) {
name: "pnpm",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/fs/pnpm",
input: "testdata/fixtures/repo/pnpm",
},
golden: "testdata/pnpm.json.golden",
},
@@ -106,7 +107,7 @@ func TestFilesystem(t *testing.T) {
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/pip",
input: "testdata/fixtures/repo/pip",
},
golden: "testdata/pip.json.golden",
},
@@ -115,7 +116,7 @@ func TestFilesystem(t *testing.T) {
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/pipenv",
input: "testdata/fixtures/repo/pipenv",
},
golden: "testdata/pipenv.json.golden",
},
@@ -124,7 +125,7 @@ func TestFilesystem(t *testing.T) {
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/poetry",
input: "testdata/fixtures/repo/poetry",
},
golden: "testdata/poetry.json.golden",
},
@@ -132,7 +133,7 @@ func TestFilesystem(t *testing.T) {
name: "pom",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/fs/pom",
input: "testdata/fixtures/repo/pom",
},
golden: "testdata/pom.json.golden",
},
@@ -140,7 +141,7 @@ func TestFilesystem(t *testing.T) {
name: "gradle",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/fs/gradle",
input: "testdata/fixtures/repo/gradle",
},
golden: "testdata/gradle.json.golden",
},
@@ -149,7 +150,7 @@ func TestFilesystem(t *testing.T) {
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/conan",
input: "testdata/fixtures/repo/conan",
},
golden: "testdata/conan.json.golden",
},
@@ -158,7 +159,7 @@ func TestFilesystem(t *testing.T) {
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/nuget",
input: "testdata/fixtures/repo/nuget",
},
golden: "testdata/nuget.json.golden",
},
@@ -167,7 +168,7 @@ func TestFilesystem(t *testing.T) {
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/dotnet",
input: "testdata/fixtures/repo/dotnet",
},
golden: "testdata/dotnet.json.golden",
},
@@ -176,7 +177,7 @@ func TestFilesystem(t *testing.T) {
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/cocoapods",
input: "testdata/fixtures/repo/cocoapods",
},
golden: "testdata/cocoapods.json.golden",
},
@@ -185,7 +186,7 @@ func TestFilesystem(t *testing.T) {
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/pubspec",
input: "testdata/fixtures/repo/pubspec",
},
golden: "testdata/pubspec.lock.json.golden",
},
@@ -194,7 +195,7 @@ func TestFilesystem(t *testing.T) {
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/mixlock",
input: "testdata/fixtures/repo/mixlock",
},
golden: "testdata/mix.lock.json.golden",
},
@@ -203,7 +204,7 @@ func TestFilesystem(t *testing.T) {
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/fs/composer",
input: "testdata/fixtures/repo/composer",
},
golden: "testdata/composer.lock.json.golden",
},
@@ -211,7 +212,7 @@ func TestFilesystem(t *testing.T) {
name: "dockerfile",
args: args{
scanner: types.MisconfigScanner,
input: "testdata/fixtures/fs/dockerfile",
input: "testdata/fixtures/repo/dockerfile",
namespaces: []string{"testing"},
},
golden: "testdata/dockerfile.json.golden",
@@ -220,7 +221,7 @@ func TestFilesystem(t *testing.T) {
name: "dockerfile with custom file pattern",
args: args{
scanner: types.MisconfigScanner,
input: "testdata/fixtures/fs/dockerfile_file_pattern",
input: "testdata/fixtures/repo/dockerfile_file_pattern",
namespaces: []string{"testing"},
filePatterns: []string{"dockerfile:Customfile"},
},
@@ -230,8 +231,8 @@ func TestFilesystem(t *testing.T) {
name: "dockerfile with rule exception",
args: args{
scanner: types.MisconfigScanner,
policyPaths: []string{"testdata/fixtures/fs/rule-exception/policy"},
input: "testdata/fixtures/fs/rule-exception",
policyPaths: []string{"testdata/fixtures/repo/rule-exception/policy"},
input: "testdata/fixtures/repo/rule-exception",
},
golden: "testdata/dockerfile-rule-exception.json.golden",
},
@@ -239,8 +240,8 @@ func TestFilesystem(t *testing.T) {
name: "dockerfile with namespace exception",
args: args{
scanner: types.MisconfigScanner,
policyPaths: []string{"testdata/fixtures/fs/namespace-exception/policy"},
input: "testdata/fixtures/fs/namespace-exception",
policyPaths: []string{"testdata/fixtures/repo/namespace-exception/policy"},
input: "testdata/fixtures/repo/namespace-exception",
},
golden: "testdata/dockerfile-namespace-exception.json.golden",
},
@@ -248,9 +249,9 @@ func TestFilesystem(t *testing.T) {
name: "dockerfile with custom policies",
args: args{
scanner: types.MisconfigScanner,
policyPaths: []string{"testdata/fixtures/fs/custom-policy/policy"},
policyPaths: []string{"testdata/fixtures/repo/custom-policy/policy"},
namespaces: []string{"user"},
input: "testdata/fixtures/fs/custom-policy",
input: "testdata/fixtures/repo/custom-policy",
},
golden: "testdata/dockerfile-custom-policies.json.golden",
},
@@ -258,7 +259,7 @@ func TestFilesystem(t *testing.T) {
name: "tarball helm chart scanning with builtin policies",
args: args{
scanner: types.MisconfigScanner,
input: "testdata/fixtures/fs/helm",
input: "testdata/fixtures/repo/helm",
},
golden: "testdata/helm.json.golden",
},
@@ -266,7 +267,7 @@ func TestFilesystem(t *testing.T) {
name: "helm chart directory scanning with builtin policies",
args: args{
scanner: types.MisconfigScanner,
input: "testdata/fixtures/fs/helm_testchart",
input: "testdata/fixtures/repo/helm_testchart",
},
golden: "testdata/helm_testchart.json.golden",
},
@@ -274,7 +275,7 @@ func TestFilesystem(t *testing.T) {
name: "helm chart directory scanning with value overrides using set",
args: args{
scanner: types.MisconfigScanner,
input: "testdata/fixtures/fs/helm_testchart",
input: "testdata/fixtures/repo/helm_testchart",
helmSet: []string{"securityContext.runAsUser=0"},
},
golden: "testdata/helm_testchart.overridden.json.golden",
@@ -283,8 +284,8 @@ func TestFilesystem(t *testing.T) {
name: "helm chart directory scanning with value overrides using value file",
args: args{
scanner: types.MisconfigScanner,
input: "testdata/fixtures/fs/helm_testchart",
helmValuesFile: []string{"testdata/fixtures/fs/helm_values/values.yaml"},
input: "testdata/fixtures/repo/helm_testchart",
helmValuesFile: []string{"testdata/fixtures/repo/helm_values/values.yaml"},
},
golden: "testdata/helm_testchart.overridden.json.golden",
},
@@ -292,7 +293,7 @@ func TestFilesystem(t *testing.T) {
name: "helm chart directory scanning with builtin policies and non string Chart name",
args: args{
scanner: types.MisconfigScanner,
input: "testdata/fixtures/fs/helm_badname",
input: "testdata/fixtures/repo/helm_badname",
},
golden: "testdata/helm_badname.json.golden",
},
@@ -300,8 +301,8 @@ func TestFilesystem(t *testing.T) {
name: "secrets",
args: args{
scanner: "vuln,secret",
input: "testdata/fixtures/fs/secrets",
secretConfig: "testdata/fixtures/fs/secrets/trivy-secret.yaml",
input: "testdata/fixtures/repo/secrets",
secretConfig: "testdata/fixtures/repo/secrets/trivy-secret.yaml",
},
golden: "testdata/secrets.json.golden",
},
@@ -310,7 +311,7 @@ func TestFilesystem(t *testing.T) {
args: args{
command: "rootfs",
format: "cyclonedx",
input: "testdata/fixtures/fs/conda",
input: "testdata/fixtures/repo/conda",
},
golden: "testdata/conda-cyclonedx.json.golden",
},
@@ -319,10 +320,37 @@ func TestFilesystem(t *testing.T) {
args: args{
command: "rootfs",
format: "spdx-json",
input: "testdata/fixtures/fs/conda",
input: "testdata/fixtures/repo/conda",
},
golden: "testdata/conda-spdx.json.golden",
},
{
name: "gomod with fs subcommand",
args: args{
command: "fs",
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/repo/gomod",
skipFiles: []string{"testdata/fixtures/repo/gomod/submod2/go.mod"},
},
golden: "testdata/gomod-skip.json.golden",
override: func(report *types.Report) {
report.ArtifactType = ftypes.ArtifactFilesystem
},
},
{
name: "dockerfile with fs subcommand",
args: args{
command: "fs",
scanner: types.MisconfigScanner,
policyPaths: []string{"testdata/fixtures/repo/custom-policy/policy"},
namespaces: []string{"user"},
input: "testdata/fixtures/repo/custom-policy",
},
golden: "testdata/dockerfile-custom-policies.json.golden",
override: func(report *types.Report) {
report.ArtifactType = ftypes.ArtifactFilesystem
},
},
}
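
Review bot: The two added `fs` cases carry identical `override` closures that set `report.ArtifactType = ftypes.ArtifactFilesystem`. Hoist the closure into one named variable above the table and reference it from both cases, so a later change to what differs between `fs` and `repo` output is made in one place. A short comment that these cases deliberately reuse the `repo` golden files, with only `ArtifactType` expected to differ, would also help.
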
// Set up testing DB
@@ -334,7 +362,7 @@ func TestFilesystem(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
command := "fs"
command := "repo"
if tt.args.command != "" {
command = tt.args.command
}
@@ -372,10 +400,6 @@ func TestFilesystem(t *testing.T) {
}
}
if len(tt.args.severity) != 0 {
osArgs = append(osArgs, "--severity", strings.Join(tt.args.severity, ","))
}
if len(tt.args.ignoreIDs) != 0 {
trivyIgnore := ".trivyignore"
err := os.WriteFile(trivyIgnore, []byte(strings.Join(tt.args.ignoreIDs, "\n")), 0444)
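Review bot: If the `if len(tt.args.severity) != 0` block is what is dropped here (the hunk goes from 10 lines to 6), any case that sets `args.severity` would now run without `--severity` and the golden comparison would be checking unfiltered output. Confirm the flag is still appended elsewhere in this function, or remove the `severity` field from `args` so a case cannot set it with no effect.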
@@ -415,7 +439,7 @@ func TestFilesystem(t *testing.T) {
// Setup the output file
outputFile := filepath.Join(t.TempDir(), "output.json")
if *update {
if *update && tt.override == nil {
outputFile = tt.golden
}
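Review bot: `if *update && tt.override == nil` means a case with an `override` never regenerates its golden file, so its golden must also be referenced by a case without an override or `-update` will leave it stale. That invariant is not stated or checked anywhere in the visible code. Document it next to this condition, and consider failing the test when an override case names a golden file that no non-override case produces.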
@@ -434,7 +458,7 @@ func TestFilesystem(t *testing.T) {
osArgs = append(osArgs, "--output", outputFile)
osArgs = append(osArgs, tt.args.input)
// Run "trivy fs"
// Run "trivy repo"
err := execute(osArgs)
require.NoError(t, err)
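Review bot: The comment `// Run "trivy repo"` is inaccurate for the cases that set `command` to `fs` or `rootfs`, since `execute(osArgs)` runs whichever subcommand was selected earlier. Word it generically, for example `// Run the selected trivy subcommand`.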
@@ -445,7 +469,7 @@ func TestFilesystem(t *testing.T) {
case "spdx-json":
compareSpdxJson(t, tt.golden, outputFile)
case "json":
compareReports(t, tt.golden, outputFile)
compareReports(t, tt.golden, outputFile, tt.override)
default:
require.Fail(t, "invalid format", "format: %s", format)
}
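Review bot: `tt.override` is passed only in the `case "json"` branch; the `spdx-json` branch shown here calls `compareSpdxJson(t, tt.golden, outputFile)` without it. A future case that sets both `override` and a non-JSON `format` would skip the golden update (because of the `tt.override == nil` check) and then have its override ignored at comparison time. Either reject that combination with `require.Fail` or note on the `override` field that it applies to JSON reports only.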

View File

@@ -418,7 +418,7 @@ func TestTar(t *testing.T) {
require.NoError(t, err)
// Compare want and got
compareReports(t, tt.golden, outputFile)
compareReports(t, tt.golden, outputFile, nil)
})
}
}
@@ -513,7 +513,7 @@ func TestTarWithEnv(t *testing.T) {
require.NoError(t, err)
// Compare want and got
compareReports(t, tt.golden, outputFile)
compareReports(t, tt.golden, outputFile, nil)
})
}
}
@@ -588,7 +588,7 @@ cache:
require.NoError(t, err)
// Compare want and got
compareReports(t, tt.golden, outputFile)
compareReports(t, tt.golden, outputFile, nil)
})
}
}

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/cocoapods",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/cocoapods",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
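Review bot: `"ArtifactType"` for a local fixture directory changes from `"filesystem"` to `"repository"` here and in the golden files that follow, so the same path now yields a different `ArtifactType` depending on whether it is scanned with `fs` or `repo`. Report consumers that filter or route on this field will see the difference when they switch subcommands. Call it out in the updated docs so it is an intentional, documented behaviour rather than something discovered from the JSON.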

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/composer",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/composer",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/conan",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/conan",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -15,7 +15,7 @@
"component": {
"bom-ref": "cd0ebb00-5c53-4b82-a3f7-271add663c51",
"type": "application",
"name": "testdata/fixtures/fs/conda",
"name": "testdata/fixtures/repo/conda",
"properties": [
{
"name": "aquasecurity:trivy:SchemaVersion",

View File

@@ -2,8 +2,8 @@
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "testdata/fixtures/fs/conda",
"documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/fs/conda-2738b2fe-b40c-4ecb-b8ae-5b3cc4cbc004",
"name": "testdata/fixtures/repo/conda",
"documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-08df146c-0996-4718-8648-b2a45769ab79",
"creationInfo": {
"licenseListVersion": "",
"creators": [
@@ -58,8 +58,8 @@
"primaryPackagePurpose": "LIBRARY"
},
{
"name": "testdata/fixtures/fs/conda",
"SPDXID": "SPDXRef-Filesystem-6e0ac6a0fab50ab4",
"name": "testdata/fixtures/repo/conda",
"SPDXID": "SPDXRef-Filesystem-2e2426fd0f2580ef",
"downloadLocation": "NONE",
"copyrightText": "",
"attributionTexts": [
@@ -95,11 +95,11 @@
"relationships": [
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-Filesystem-6e0ac6a0fab50ab4",
"relatedSpdxElement": "SPDXRef-Filesystem-2e2426fd0f2580ef",
"relationshipType": "DESCRIBES"
},
{
"spdxElementId": "SPDXRef-Filesystem-6e0ac6a0fab50ab4",
"spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef",
"relatedSpdxElement": "SPDXRef-Application-ee5ef1aa4ac89125",
"relationshipType": "CONTAINS"
},

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/custom-policy",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/custom-policy",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/namespace-exception",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/namespace-exception",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/rule-exception",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/rule-exception",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/dockerfile",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/dockerfile",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/dockerfile_file_pattern",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/dockerfile_file_pattern",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/dotnet",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/dotnet",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,4 +1,5 @@
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -7,4 +8,4 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
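Review bot: This fixture `go.sum` changes in content, not only in location: the first hunk grows from 4 lines to 5, and the second rewrites the final `gopkg.in/yaml.v3 ... /go.mod` line with what appears to be identical text, which usually indicates a trailing-newline change. If the extra entry is needed for the expected gomod results, say so in the commit message; if the last-line change is incidental, drop it so the fixture diff shows only what the tests depend on.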

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/gomod",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/gomod",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/gomod",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/gomod",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/gradle",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/gradle",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/helm",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/helm",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/helm_badname",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/helm_badname",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/helm_testchart",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/helm_testchart",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/helm_testchart",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/helm_testchart",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/mixlock",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/mixlock",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/npm",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/npm",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/npm",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/npm",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/nuget",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/nuget",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/pip",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/pip",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/pipenv",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/pipenv",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/pnpm",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/pnpm",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/poetry",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/poetry",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/pom",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/pom",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/pubspec",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/pubspec",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/secrets",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/secrets",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -1,7 +1,7 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/yarn",
"ArtifactType": "filesystem",
"ArtifactName": "testdata/fixtures/repo/yarn",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",

View File

@@ -113,7 +113,7 @@ func TestVM(t *testing.T) {
// Run "trivy vm"
err = execute(osArgs)
require.NoError(t, err)
compareReports(t, goldenFile, outputFile)
compareReports(t, goldenFile, outputFile, nil)
})
}
}

View File

@@ -42,7 +42,7 @@ nav:
- Container Image: docs/target/container_image.md
- Filesystem: docs/target/filesystem.md
- Rootfs: docs/target/rootfs.md
- Git Repository: docs/target/git-repository.md
- Code Repository: docs/target/repository.md
- Virtual Machine Image: docs/target/vm.md
- Kubernetes: docs/target/kubernetes.md
- AWS: docs/target/aws.md
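Review bot: The nav entry moves from `docs/target/git-repository.md` to `docs/target/repository.md`, and the old page is deleted in this commit, so existing links to the old path will break. Add a redirect from the old path to the new one, or keep a stub page at `git-repository.md` that points to `repository.md`.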

View File

@@ -13,7 +13,7 @@ import (
"github.com/aquasecurity/trivy/pkg/fanal/artifact"
image2 "github.com/aquasecurity/trivy/pkg/fanal/artifact/image"
local2 "github.com/aquasecurity/trivy/pkg/fanal/artifact/local"
"github.com/aquasecurity/trivy/pkg/fanal/artifact/remote"
"github.com/aquasecurity/trivy/pkg/fanal/artifact/repo"
"github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom"
"github.com/aquasecurity/trivy/pkg/fanal/artifact/vm"
"github.com/aquasecurity/trivy/pkg/fanal/cache"
@@ -98,7 +98,7 @@ func initializeRepositoryScanner(ctx context.Context, url string, artifactCache
config := db.Config{}
client := vulnerability.NewClient(config)
localScanner := local.NewScanner(applierApplier, ospkgScanner, langpkgScanner, client)
artifactArtifact, cleanup, err := remote.NewArtifact(url, artifactCache, artifactOption)
artifactArtifact, cleanup, err := repo.NewArtifact(url, artifactCache, artifactOption)
if err != nil {
return scanner.Scanner{}, nil, err
}
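Review bot: `initializeRepositoryScanner` still names its parameter `url` and passes it straight to `repo.NewArtifact(url, ...)`, although after this change the value may be a local directory path. The `_wireValue` reference further down suggests this file is wire-generated, so make the rename in the injector source (for example to `target`) and add a doc comment there stating that both remote URLs and local paths are accepted, so callers do not assume the input has been validated as a URL.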
@@ -198,7 +198,7 @@ func initializeRemoteFilesystemScanner(ctx context.Context, path string, artifac
func initializeRemoteRepositoryScanner(ctx context.Context, url string, artifactCache cache.ArtifactCache, remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
v := _wireValue
clientScanner := client.NewScanner(remoteScanOptions, v...)
artifactArtifact, cleanup, err := remote.NewArtifact(url, artifactCache, artifactOption)
artifactArtifact, cleanup, err := repo.NewArtifact(url, artifactCache, artifactOption)
if err != nil {
return scanner.Scanner{}, nil, err
}

Some files were not shown because too many files have changed in this diff.