feat(misconf): Add special output format for misconfigurations (aquas…

…ecurity#2100)

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20220510152557-4daa0d51fdc3
+	github.com/aquasecurity/fanal v0.0.0-20220511115204-32614d79a234
 	github.com/aquasecurity/go-dep-parser v0.0.0-20220503151658-d316f5cc2cff
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
@@ -31,7 +31,7 @@ require (
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/olekukonko/tablewriter v0.0.5
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/open-policy-agent/opa v0.40.0
 	github.com/owenrumney/go-sarif/v2 v2.1.1
 	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
@@ -78,7 +78,7 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aquasecurity/defsec v0.56.0 // indirect
+	github.com/aquasecurity/defsec v0.57.3
 	github.com/aws/aws-sdk-go v1.44.5 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/bmatcuk/doublestar v1.3.4 // indirect
@@ -141,13 +141,13 @@ require (
 	github.com/liamg/iamgo v0.0.6 // indirect
 	github.com/liamg/jfather v0.0.7 // indirect
 	github.com/liamg/memoryfs v1.4.1 // indirect
-	github.com/liamg/tml v0.6.0 // indirect
+	github.com/liamg/tml v0.6.0
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
-	github.com/mattn/go-runewidth v0.0.12 // indirect
+	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
@@ -195,7 +195,7 @@ require (
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
+	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd
 	golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57 // indirect
 	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
@@ -239,6 +239,13 @@ require gopkg.in/yaml.v2 v2.4.0
 
 require github.com/aquasecurity/trivy-kubernetes v0.1.0
 
+require github.com/aquasecurity/table v1.2.0
+
+require (
+	github.com/alecthomas/chroma v0.10.0 // indirect
+	github.com/dlclark/regexp2 v1.4.0 // indirect
+)
+
 // To resolve CVE-2022-23648
 replace github.com/containerd/containerd v1.5.9 => github.com/containerd/containerd v1.5.10
 

go.sum

@@ -158,6 +158,8 @@ github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/alecthomas/chroma v0.10.0 h1:7XDcGkCQopCNKjZHfYrNLraA+M7e0fMiJ/Mfikbfjek=
+github.com/alecthomas/chroma v0.10.0/go.mod h1:jtJATyUxlIORhUOFNA9NZDWGAQ8wpxQQqNSB4rjA/1s=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -178,10 +180,10 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.56.0 h1:wexDTUQZzXg+hd0R+mW/H3tk7H8WAdIz6bit+yURjpg=
-github.com/aquasecurity/defsec v0.56.0/go.mod h1:erYNqVU+guUDnM06O2rEl3IKKYNtMN82T36BSR/GbTo=
-github.com/aquasecurity/fanal v0.0.0-20220510152557-4daa0d51fdc3 h1:Zc9meOMLK/9zPe1fn6oegrS3Ivf3fJUVkkEW7FxSWUU=
-github.com/aquasecurity/fanal v0.0.0-20220510152557-4daa0d51fdc3/go.mod h1:fC66mjsKr4Vq6Muq0HCRle5RNsrYbI7HjeClhFpl618=
+github.com/aquasecurity/defsec v0.57.3 h1:oiATfUTxOAcxAuXSH31RdgjtXJdQznlVzMJWdVYGmXY=
+github.com/aquasecurity/defsec v0.57.3/go.mod h1:42FxKif2itz+MHFlJ3TJjdroL9Jzj3THoexlueBTU5w=
+github.com/aquasecurity/fanal v0.0.0-20220511115204-32614d79a234 h1:NG9Qs4hocUWcGytaA0yhArPRoPmo12EPAUERwYCgvLA=
+github.com/aquasecurity/fanal v0.0.0-20220511115204-32614d79a234/go.mod h1:bqz0H4eqstkngJB0TJCk39GLXZcUtobMpuNr4ScC1vk=
 github.com/aquasecurity/go-dep-parser v0.0.0-20220503151658-d316f5cc2cff h1:YNlzRYB0n4mZtfuWx6AWaGEjnLVNekchyoFDlYFZegs=
 github.com/aquasecurity/go-dep-parser v0.0.0-20220503151658-d316f5cc2cff/go.mod h1:7EOQWQmyavVPY3fScbbPdd3dB/b0Q4ZbJ/NZCvNKrLs=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
@@ -193,11 +195,11 @@ github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46/go.
 github.com/aquasecurity/go-version v0.0.0-20201107203531-5e48ac5d022a/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI490FF0a7zuvxOxen52ddygCfNVjP0XOCMl+M=
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
+github.com/aquasecurity/table v1.2.0 h1:26N9hFB5qttCjWoBgeKIlBtmlCpSwfL01BK7N+IOBN0=
+github.com/aquasecurity/table v1.2.0/go.mod h1:1MFKrEPJ8NchM917BrVGvsqoXJo1OL1Ja7dF3PgUea4=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o=
 github.com/aquasecurity/trivy-db v0.0.0-20220327074450-74195d9604b2 h1:q2Gza4V8uO5C1COzC2HeTbQgJIrmC6dTWaXZ8ujiWu0=
 github.com/aquasecurity/trivy-db v0.0.0-20220327074450-74195d9604b2/go.mod h1:EwiQRdzVq6k7cKOMjkss8LjWMt2FUW7NaYwE7HfZZvk=
-github.com/aquasecurity/trivy-kubernetes v0.0.1-alpha.2 h1:iF21H/OkbFZKdJFyqw5rliWHK3v4P6antB67j2Fihgs=
-github.com/aquasecurity/trivy-kubernetes v0.0.1-alpha.2/go.mod h1:9fU3sHz/wXN5ruZ5snUEJpzm2X6pUndKucv1mz9Walc=
 github.com/aquasecurity/trivy-kubernetes v0.1.0 h1:eE7JSdqo83Kn87c86DcUIsPAtW0K9UnkkHEQ4sGI030=
 github.com/aquasecurity/trivy-kubernetes v0.1.0/go.mod h1:9fU3sHz/wXN5ruZ5snUEJpzm2X6pUndKucv1mz9Walc=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
@@ -445,6 +447,8 @@ github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8
 github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
 github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/distribution/distribution/v3 v3.0.0-20211118083504-a29a3c99a684/go.mod h1:UfCu3YXJJCI+IdnqGgYP82dk2+Joxmv+mUTVBES6wac=
+github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E=
+github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
 github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v20.10.11+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
@@ -919,8 +923,9 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-runewidth v0.0.12 h1:Y41i/hVW3Pgwr8gV+J23B9YEY0zxjptBuCWEaxmAOow=
 github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
+github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
+github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
 github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=

integration/testdata/dockerfile-custom-policies.json.golden

@@ -36,7 +36,7 @@
           "Severity": "UNKNOWN",
           "Status": "FAIL",
           "Layer": {},
-          "IacMetadata": {
+          "CauseMetadata": {
             "Provider": "Generic",
             "Service": "general"
           }
@@ -52,7 +52,7 @@
           "Severity": "UNKNOWN",
           "Status": "FAIL",
           "Layer": {},
-          "IacMetadata": {
+          "CauseMetadata": {
             "Provider": "Generic",
             "Service": "general"
           }

integration/testdata/dockerfile.json.golden

@@ -42,7 +42,7 @@
           ],
           "Status": "FAIL",
           "Layer": {},
-          "IacMetadata": {
+          "CauseMetadata": {
             "Provider": "Dockerfile",
             "Service": "general"
           }

pkg/report/misconfig.go

@@ -0,0 +1,156 @@
+package report
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+
+	"github.com/liamg/tml"
+	"golang.org/x/crypto/ssh/terminal"
+
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+const (
+	severityCritical = "CRITICAL"
+	severityHigh     = "HIGH"
+	severityMedium   = "MEDIUM"
+	severityLow      = "LOW"
+)
+
+type misconfigRenderer struct {
+	target             string
+	misconfs           []types.DetectedMisconfiguration
+	includeNonFailures bool
+	w                  *bytes.Buffer
+	width              int
+	ansi               bool
+}
+
+func NewMisconfigRenderer(target string, misconfs []types.DetectedMisconfiguration, includeNonFailures bool, ansi bool) *misconfigRenderer {
+	width, _, err := terminal.GetSize(0)
+	if err != nil || width == 0 {
+		width = 40
+	}
+	if !ansi {
+		tml.DisableFormatting()
+	}
+	return &misconfigRenderer{
+		w:                  bytes.NewBuffer([]byte{}),
+		target:             target,
+		misconfs:           misconfs,
+		includeNonFailures: includeNonFailures,
+		width:              width,
+		ansi:               ansi,
+	}
+}
+
+func (r *misconfigRenderer) Render() string {
+	for _, m := range r.misconfs {
+		r.renderSingle(m)
+	}
+	return r.w.String()
+}
+
+func (r *misconfigRenderer) printf(format string, args ...interface{}) {
+	// nolint
+	_ = tml.Fprintf(r.w, format, args...)
+}
+
+func (r *misconfigRenderer) printDoubleDivider() {
+	r.printf("<dim>%s\r\n", strings.Repeat("═", r.width))
+}
+
+func (r *misconfigRenderer) printSingleDivider() {
+	r.printf("<dim>%s\r\n", strings.Repeat("─", r.width))
+}
+
+func (r *misconfigRenderer) renderSingle(misconf types.DetectedMisconfiguration) {
+	r.renderSummary(misconf)
+	r.renderCode(misconf)
+	r.printf("\r\n\r\n")
+}
+
+func (r *misconfigRenderer) renderSummary(misconf types.DetectedMisconfiguration) {
+
+	// show pass/fail/exception unless we are only showing failures
+	if r.includeNonFailures {
+		switch misconf.Status {
+		case types.StatusPassed:
+			r.printf("<green><bold>%s: ", misconf.Status)
+		case types.StatusFailure:
+			r.printf("<red><bold>%s: ", misconf.Status)
+		case types.StatusException:
+			r.printf("<yellow><bold>%s: ", misconf.Status)
+		}
+	}
+
+	// severity
+	switch misconf.Severity {
+	case severityCritical:
+		r.printf("<red><bold>%s: ", misconf.Severity)
+	case severityHigh:
+		r.printf("<red>%s: ", misconf.Severity)
+	case severityMedium:
+		r.printf("<yellow>%s: ", misconf.Severity)
+	case severityLow:
+		r.printf("%s: ", misconf.Severity)
+	default:
+		r.printf("<blue>%s: ", misconf.Severity)
+	}
+
+	// heading
+	r.printf("%s\r\n", misconf.Message)
+	r.printDoubleDivider()
+
+	// description
+	r.printf("<dim>%s\r\n", misconf.Description)
+
+	// show link if we have one
+	if misconf.PrimaryURL != "" {
+		r.printf("\r\n<dim>See %s\r\n", misconf.PrimaryURL)
+	}
+
+	r.printSingleDivider()
+}
+
+func (r *misconfigRenderer) renderCode(misconf types.DetectedMisconfiguration) {
+	// highlight code if we can...
+	if lines := misconf.CauseMetadata.Code.Lines; len(lines) > 0 {
+
+		var lineInfo string
+		if misconf.CauseMetadata.StartLine > 0 {
+			lineInfo = tml.Sprintf("<dim>:</dim><blue>%d", misconf.CauseMetadata.StartLine)
+			if misconf.CauseMetadata.EndLine > misconf.CauseMetadata.StartLine {
+				lineInfo = tml.Sprintf("%s<blue>-%d", lineInfo, misconf.CauseMetadata.EndLine)
+			}
+		}
+		r.printf(" <blue>%s%s\r\n", r.target, lineInfo)
+		r.printSingleDivider()
+		for i, line := range lines {
+			if line.Truncated {
+				r.printf("<dim>%4s   ", strings.Repeat(".", len(fmt.Sprintf("%d", line.Number))))
+			} else if line.IsCause {
+				r.printf("<red>%4d ", line.Number)
+				switch {
+				case (line.FirstCause && line.LastCause) || len(lines) == 1:
+					r.printf("<red>[ ")
+				case line.FirstCause || i == 0:
+					r.printf("<red>┌ ")
+				case line.LastCause || i == len(lines)-1:
+					r.printf("<red>└ ")
+				default:
+					r.printf("<red>│ ")
+				}
+			} else {
+				r.printf("<dim>%4d   ", line.Number)
+			}
+			if r.ansi {
+				r.printf("%s\r\n", line.Highlighted)
+			} else {
+				r.printf("%s\r\n", line.Content)
+			}
+		}
+		r.printSingleDivider()
+	}
+}