feat(cli): add --skip-files option (aquasecurity#624)

* feat(cli): add --skip-files * test(integration): add --skip-files and --skip-dirs * chore(docs): update README * chore(docs): correct a grammar mistake
pippo · Sep 8, 2020 · 5e308da · 5e308da
1 parent 2231e40
commit 5e308da
Show file tree

Hide file tree

Showing 9 changed files with 194 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifa
     + [Filter the vulnerabilities by severities](#filter-the-vulnerabilities-by-severities)
     + [Filter the vulnerabilities by type](#filter-the-vulnerabilities-by-type)
     + [Filter the vulnerabilities by Open Policy Agent](#filter-the-vulnerabilities-by-open-policy-agent-policy)
+    + [Skip traversal of the specific files](#skip-traversal-of-the-specific-files)
     + [Skip traversal in the specific directory](#skip-traversal-in-the-specific-directory)
     + [Skip update of vulnerability DB](#skip-update-of-vulnerability-db)
     + [Only download vulnerability database](#only-download-vulnerability-database)
@@ -1139,6 +1140,13 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
 </details>
 
+### Skip traversal of the specific files
+Trivy traversals directories and looks for all lock files by default. If your image contains lock files which are not maintained by you, you can skip the file.
+
+```
+$ trivy image --skip-files "/Gemfile.lock,/app/Pipfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
+```
+
 ### Skip traversal in the specific directory
 Trivy traversals directories and look for all lock files by default. If your image contains lock files which are not maintained by you, you can skip traversal in the specific directory.
 
@@ -1747,6 +1755,7 @@ OPTIONS:
    --timeout value     docker timeout (default: 2m0s) [$TRIVY_TIMEOUT]
    --light             light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
    --list-all-pkgs     enabling the option will output all packages regardless of vulnerability [$TRIVY_LIST_ALL_PKGS]
+   --skip-files value  specify the file path to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value   specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --help, -h          show help (default: false)
 ```

diff --git a/integration/standalone_tar_test.go b/integration/standalone_tar_test.go
@@ -24,6 +24,8 @@ func TestRun_WithTar(t *testing.T) {
 		IgnoreIDs           []string
 		Format              string
 		Input               string
+		SkipDirs            []string
+		SkipFiles           []string
 	}
 	cases := []struct {
 		name     string
@@ -352,6 +354,22 @@ func TestRun_WithTar(t *testing.T) {
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
+		{
+			name: "fluentd with multiple lock files",
+			testArgs: args{
+				Version:       "dev",
+				SkipUpdate:    true,
+				IgnoreUnfixed: true,
+				Format:        "json",
+				Input:         "testdata/fixtures/fluentd-multiple-lockfiles.tar.gz",
+				SkipFiles:     []string{"/Gemfile.lock"},
+				SkipDirs: []string{
+					"/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0",
+					"/var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13",
+				},
+			},
+			golden: "testdata/fluentd-multiple-lockfiles.json.golden",
+		},
 	}
 
 	// Copy DB file
@@ -391,7 +409,14 @@ func TestRun_WithTar(t *testing.T) {
 				defer os.Remove(trivyIgnore)
 			}
 			if c.testArgs.Input != "" {
-				osArgs = append(osArgs, []string{"--input", c.testArgs.Input}...)
+				osArgs = append(osArgs, "--input", c.testArgs.Input)
+			}
+
+			if len(c.testArgs.SkipFiles) != 0 {
+				osArgs = append(osArgs, "--skip-files", strings.Join(c.testArgs.SkipFiles, ","))
+			}
+			if len(c.testArgs.SkipDirs) != 0 {
+				osArgs = append(osArgs, "--skip-dirs", strings.Join(c.testArgs.SkipDirs, ","))
 			}
 
 			// Setup the output file

diff --git a/integration/testdata/fluentd-multiple-lockfiles.json.golden b/integration/testdata/fluentd-multiple-lockfiles.json.golden
@@ -0,0 +1,114 @@
+[
+  {
+    "Target": "testdata/fixtures/fluentd-multiple-lockfiles.tar.gz (debian 10.2)",
+    "Type": "debian",
+    "Vulnerabilities": [
+      {
+        "VulnerabilityID": "CVE-2019-5188",
+        "PkgName": "e2fsprogs",
+        "InstalledVersion": "1.44.5-1+deb10u2",
+        "FixedVersion": "1.44.5-1+deb10u3",
+        "Layer": {
+          "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        },
+        "SeveritySource": "nvd",
+        "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
+        "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+          "https://lists.fedoraproject.org/archives/list/[email protected]/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+          "https://lists.fedoraproject.org/archives/list/[email protected]/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+          "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+          "https://usn.ubuntu.com/4249-1/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5188",
+        "PkgName": "libcom-err2",
+        "InstalledVersion": "1.44.5-1+deb10u2",
+        "FixedVersion": "1.44.5-1+deb10u3",
+        "Layer": {
+          "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        },
+        "SeveritySource": "nvd",
+        "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
+        "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+          "https://lists.fedoraproject.org/archives/list/[email protected]/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+          "https://lists.fedoraproject.org/archives/list/[email protected]/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+          "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+          "https://usn.ubuntu.com/4249-1/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5188",
+        "PkgName": "libext2fs2",
+        "InstalledVersion": "1.44.5-1+deb10u2",
+        "FixedVersion": "1.44.5-1+deb10u3",
+        "Layer": {
+          "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        },
+        "SeveritySource": "nvd",
+        "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
+        "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+          "https://lists.fedoraproject.org/archives/list/[email protected]/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+          "https://lists.fedoraproject.org/archives/list/[email protected]/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+          "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+          "https://usn.ubuntu.com/4249-1/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-18224",
+        "PkgName": "libidn2-0",
+        "InstalledVersion": "2.0.5-1",
+        "FixedVersion": "2.0.5-1+deb10u1",
+        "Layer": {
+          "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        },
+        "SeveritySource": "nvd",
+        "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
+        "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
+        "Severity": "HIGH",
+        "References": [
+          "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
+          "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
+          "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
+          "https://lists.fedoraproject.org/archives/list/[email protected]/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
+          "https://lists.fedoraproject.org/archives/list/[email protected]/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
+          "https://usn.ubuntu.com/4168-1/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5188",
+        "PkgName": "libss2",
+        "InstalledVersion": "1.44.5-1+deb10u2",
+        "FixedVersion": "1.44.5-1+deb10u3",
+        "Layer": {
+          "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
+        },
+        "SeveritySource": "nvd",
+        "Title": "e2fsprogs: Out-of-bounds write in  e2fsck/rehash.c",
+        "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+          "https://lists.fedoraproject.org/archives/list/[email protected]/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+          "https://lists.fedoraproject.org/archives/list/[email protected]/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+          "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+          "https://usn.ubuntu.com/4249-1/"
+        ]
+      }
+    ]
+  }
+]
diff --git a/internal/app.go b/internal/app.go
@@ -188,6 +188,12 @@ var (
 		EnvVars: []string{"TRIVY_LIST_ALL_PKGS"},
 	}
 
+	skipFiles = cli.StringFlag{
+		Name:    "skip-files",
+		Usage:   "specify the file path to skip traversal",
+		EnvVars: []string{"TRIVY_SKIP_FILES"},
+	}
+
 	skipDirectories = cli.StringFlag{
 		Name:    "skip-dirs",
 		Usage:   "specify the directory where the traversal is skipped",
@@ -220,6 +226,7 @@ var (
 		&lightFlag,
 		&ignorePolicy,
 		&listAllPackages,
+		&skipFiles,
 		&skipDirectories,
 	}
 
@@ -375,6 +382,7 @@ func NewFilesystemCommand() *cli.Command {
 			&noProgressFlag,
 			&ignorePolicy,
 			&listAllPackages,
+			&skipFiles,
 			&skipDirectories,
 		},
 	}
@@ -406,6 +414,7 @@ func NewRepositoryCommand() *cli.Command {
 			&noProgressFlag,
 			&ignorePolicy,
 			&listAllPackages,
+			&skipFiles,
 			&skipDirectories,
 		},
 	}

diff --git a/internal/artifact/run.go b/internal/artifact/run.go
@@ -77,6 +77,7 @@ func run(c config.Config, initializeScanner InitializeScanner) error {
 		VulnType:            c.VulnType,
 		ScanRemovedPackages: c.ScanRemovedPkgs, // this is valid only for image subcommand
 		ListAllPackages:     c.ListAllPkgs,
+		SkipFiles:           c.SkipFiles,
 		SkipDirectories:     c.SkipDirectories,
 	}
 	log.Logger.Debugf("Vulnerability type:  %s", scanOptions.VulnType)

diff --git a/internal/config/artifact.go b/internal/config/artifact.go
@@ -16,6 +16,8 @@ type ArtifactConfig struct {
 
 	skipDirectories string
 	SkipDirectories []string
+	skipFiles       string
+	SkipFiles       []string
 
 	// this field is populated in Init()
 	Target string
@@ -26,6 +28,7 @@ func NewArtifactConfig(c *cli.Context) ArtifactConfig {
 		Input:           c.String("input"),
 		Timeout:         c.Duration("timeout"),
 		ClearCache:      c.Bool("clear-cache"),
+		skipFiles:       c.String("skip-files"),
 		skipDirectories: c.String("skip-dirs"),
 	}
 }
@@ -49,5 +52,9 @@ func (c *ArtifactConfig) Init(args cli.Args, logger *zap.SugaredLogger) (err err
 		c.SkipDirectories = strings.Split(c.skipDirectories, ",")
 	}
 
+	if c.skipFiles != "" {
+		c.SkipFiles = strings.Split(c.skipFiles, ",")
+	}
+
 	return nil
 }
diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go
@@ -150,7 +150,7 @@ func (s Scanner) scanLibrary(apps []ftypes.Application, options types.ScanOption
 			return nil, xerrors.Errorf("failed vulnerability detection of libraries: %w", err)
 		}
 
-		if skipped(app.FilePath, options.SkipDirectories) {
+		if skipped(app.FilePath, options.SkipFiles, options.SkipDirectories) {
 			continue
 		}
 
@@ -181,7 +181,14 @@ func (s Scanner) scanLibrary(apps []ftypes.Application, options types.ScanOption
 	return results, nil
 }
 
-func skipped(filePath string, skipDirectories []string) bool {
+func skipped(filePath string, skipFiles, skipDirectories []string) bool {
+	for _, skipFile := range skipFiles {
+		skipFile = strings.TrimLeft(filepath.Clean(skipFile), string(os.PathSeparator))
+		if filePath == skipFile {
+			return true
+		}
+	}
+
 	for _, skipDir := range skipDirectories {
 		skipDir = strings.TrimLeft(filepath.Clean(skipDir), string(os.PathSeparator))
 		rel, err := filepath.Rel(skipDir, filePath)

diff --git a/pkg/scanner/local/scan_test.go b/pkg/scanner/local/scan_test.go
@@ -1082,6 +1082,7 @@ func TestScanner_Scan(t *testing.T) {
 func Test_skipped(t *testing.T) {
 	type args struct {
 		filePath        string
+		skipFiles       []string
 		skipDirectories []string
 	}
 	tests := []struct {
@@ -1113,6 +1114,22 @@ func Test_skipped(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "skip file with the leading slash",
+			args: args{
+				filePath:  "Gemfile.lock",
+				skipFiles: []string{"/Gemfile.lock"},
+			},
+			want: true,
+		},
+		{
+			name: "skip file without a slash",
+			args: args{
+				filePath:  "Gemfile.lock",
+				skipFiles: []string{"Gemfile.lock"},
+			},
+			want: true,
+		},
 		{
 			name: "not skipped",
 			args: args{
@@ -1124,7 +1141,7 @@ func Test_skipped(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := skipped(tt.args.filePath, tt.args.skipDirectories)
+			got := skipped(tt.args.filePath, tt.args.skipFiles, tt.args.skipDirectories)
 			assert.Equal(t, tt.want, got)
 		})
 	}

diff --git a/pkg/types/scanoptions.go b/pkg/types/scanoptions.go
@@ -4,5 +4,6 @@ type ScanOptions struct {
 	VulnType            []string
 	ScanRemovedPackages bool
 	ListAllPackages     bool
+	SkipFiles           []string
 	SkipDirectories     []string
 }