aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
22.14k stars 2.18k forks

bug(conan): file filters for conan lock no longer working #6946

Closed DmitriyLewen closed 2 weeks ago

DmitriyLewen commented 3 weeks ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6942

Originally posted by **bruchar1** June 14, 2024

### Description

My conan.lock files have names like `debug.lock` or `release.lock`. I use the following config:

```
scan:
  file-patterns:
    - conan-lock:.*\.lock$
```

It works with Trivy 0.50.x, but not with 0.51.x or 0.52.x. On those versions, only lock files named `conan.lock` are detected.

### Desired Behavior

Conan lock files with names different from `conan.lock` should be scanned.

### Actual Behavior

Only `conan.lock` files are scanned.

### Reproduction Steps

```bash
1. Use the config described above
2. Run `trivy repo .` on a repository containing conan (v1) lock files with different names (e.g. `debug.lock`, `release.lock`)
```

### Target

Git Repository

### Scanner

Vulnerability

### Output Format

JSON

### Mode

Standalone

### Debug Output

```bash
(in a repo containing only one file: base.lock)
$ trivy.exe repo . --debug
2024/06/14 13:53:20 INFO Loaded file_path=trivy.yaml
2024-06-14T13:53:20-04:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-14T13:53:20-04:00 DEBUG Ignore statuses statuses=[]
2024-06-14T13:53:20-04:00 DEBUG Cache dir dir="C:\\Users\\charles.brunet\\AppData\\Local\\trivy"
2024-06-14T13:53:20-04:00 DEBUG DB update was skipped because the local DB is the latest
2024-06-14T13:53:20-04:00 DEBUG DB info schema=2 updated_at=2024-06-14T12:12:23.195463377Z next_update=2024-06-14T18:12:23.195463016Z downloaded_at=2024-06-14T13:38:29.6233946Z
2024-06-14T13:53:20-04:00 INFO Vulnerability scanning is enabled
2024-06-14T13:53:20-04:00 DEBUG Vulnerability type type=[library]
2024-06-14T13:53:20-04:00 INFO Secret scanning is enabled
2024-06-14T13:53:20-04:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:53:20-04:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:53:20-04:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-14T13:53:20-04:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-06-14T13:53:21-04:00 DEBUG OS is not detected.
2024-06-14T13:53:21-04:00 INFO Number of language-specific files num=0

$ mv base.lock conan.lock
$ trivy.exe repo . --debug
2024/06/14 13:57:49 INFO Loaded file_path=trivy.yaml
2024-06-14T13:57:49-04:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-14T13:57:49-04:00 DEBUG Ignore statuses statuses=[]
2024-06-14T13:57:49-04:00 DEBUG Cache dir dir="C:\\Users\\charles.brunet\\AppData\\Local\\trivy"
2024-06-14T13:57:49-04:00 DEBUG DB update was skipped because the local DB is the latest
2024-06-14T13:57:49-04:00 DEBUG DB info schema=2 updated_at=2024-06-14T12:12:23.195463377Z next_update=2024-06-14T18:12:23.195463016Z downloaded_at=2024-06-14T17:57:36.7072649Z
2024-06-14T13:57:49-04:00 INFO Vulnerability scanning is enabled
2024-06-14T13:57:49-04:00 DEBUG Vulnerability type type=[library]
2024-06-14T13:57:49-04:00 INFO Secret scanning is enabled
2024-06-14T13:57:49-04:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:57:49-04:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:57:49-04:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-14T13:57:49-04:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-06-14T13:57:50-04:00 DEBUG [conan] Handling conan lockfile as v1.x
2024-06-14T13:57:50-04:00 DEBUG OS is not detected.
2024-06-14T13:57:50-04:00 INFO Number of language-specific files num=1
2024-06-14T13:57:50-04:00 INFO [conan] Detecting vulnerabilities...
2024-06-14T13:57:50-04:00 DEBUG [conan] Scanning packages for vulnerabilities file_path="conan.lock"

conan.lock (conan)
==================
Total: 14 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 6, CRITICAL: 1)
...
```

### Operating System

Windows (and also Linux docker)

### Version

```bash
$ trivy.exe --version
2024/06/14 13:55:00 INFO Loaded file_path=trivy.yaml
Version: 0.52.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-14 12:12:23.195463377 +0000 UTC
  NextUpdate: 2024-06-14 18:12:23.195463016 +0000 UTC
  DownloadedAt: 2024-06-14 13:38:29.6233946 +0000 UTC
```

### Checklist

- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
knqyf263 commented 2 weeks ago

Actually, --file-patterns doesn't work with most post-analyzers now as --file-patterns is not taken into account in post-analyzers. We also need to fix it.

e.g. https://github.com/aquasecurity/trivy/blob/3eecfc6b6e1d6cef1497f7ff0044e676da159243/pkg/fanal/analyzer/language/nodejs/npm/npm.go#L49-L51
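To make the distinction in the comment above concrete, here is an added illustration in Go. It is not Trivy's code and does not use Trivy's analyzer interface; the `analyzer` struct, the two `required*` functions and the default file names are assumed for the example, while the `conan-lock:.*\.lock$` entry and the `<type>:<regexp>` shape of `file-patterns` are taken from the reporter's config. It shows why a `Required` check that compares only against a fixed file name rejects `debug.lock` even when a matching pattern is configured, and what the check looks like once the patterns are consulted first.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// filePattern is one parsed entry of the file-patterns setting, written as
// "<analyzer-type>:<regexp>" (the reporter's entry is "conan-lock:.*\.lock$").
type filePattern struct {
	analyzerType string
	re           *regexp.Regexp
}

// parseFilePatterns splits each "type:regexp" entry at the first colon and
// compiles the regexp. Only the first colon separates the two parts, so the
// regexp itself may contain colons.
func parseFilePatterns(specs []string) ([]filePattern, error) {
	var out []filePattern
	for _, s := range specs {
		parts := strings.SplitN(s, ":", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("invalid file pattern %q: want <type>:<regexp>", s)
		}
		re, err := regexp.Compile(parts[1])
		if err != nil {
			return nil, fmt.Errorf("invalid regexp in file pattern %q: %w", s, err)
		}
		out = append(out, filePattern{analyzerType: parts[0], re: re})
	}
	return out, nil
}

// analyzer is an assumed stand-in (not Trivy's interface) for a language
// analyzer that by default recognises exactly one fixed file name.
type analyzer struct {
	typ         string // type name as used in file-patterns, e.g. "conan-lock"
	defaultName string // fixed file name the analyzer looks for, e.g. "conan.lock"
}

// requiredFixedName models the behaviour the reporter observed: only the
// fixed default file name is accepted and file-patterns are never consulted.
func requiredFixedName(a analyzer, path string) bool {
	return filepath.Base(path) == a.defaultName
}

// requiredWithPatterns models the behaviour the reporter expects: a pattern
// registered for this analyzer type is tried first and the fixed name is the
// fallback. The regexp is applied to the slash-separated path so the same
// config behaves identically on Windows and Linux.
func requiredWithPatterns(a analyzer, pats []filePattern, path string) bool {
	rel := filepath.ToSlash(path)
	for _, p := range pats {
		if p.analyzerType == a.typ && p.re.MatchString(rel) {
			return true
		}
	}
	return requiredFixedName(a, path)
}

func main() {
	// Constructed input mirroring the report: one pattern for the conan-lock
	// analyzer and a handful of candidate file names.
	pats, err := parseFilePatterns([]string{`conan-lock:.*\.lock$`})
	if err != nil {
		panic(err)
	}
	conan := analyzer{typ: "conan-lock", defaultName: "conan.lock"}
	for _, f := range []string{"debug.lock", "release.lock", "conan.lock", "conanfile.txt"} {
		fmt.Printf("%-14s fixed-name=%-5v with-patterns=%v\n",
			f, requiredFixedName(conan, f), requiredWithPatterns(conan, pats, f))
	}
}
```

With the pattern in place, `debug.lock` and `release.lock` are accepted only by the variant that consults the patterns; `conan.lock` is accepted by both, and a pattern registered for `conan-lock` does not leak into other analyzer types.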

DmitriyLewen commented 2 weeks ago

I thought about it. But other post-analyzers use immutable file names (for example, npm always uses the file name package-lock.json). conan supports a flag to set the filename. Also mix has the same option (but we use analyzer for mix).

But anyway we need to update our logic. I created #6962 for that.

UPD: I think we can merge fix for conan now. To fix file-patterns we will create separate PR.

knqyf263 commented 2 weeks ago

> I think we can merge fix for conan now. To fix file-patterns we will create separate PR.

Yes, I'll review and merge #6949 first.