nikpivkin opened 1 day ago
thanks @nikpivkin for creating the issue
fwiw, my thinking was to add
```go
// when returning from recursive calls, archives that were previously processed were also removed from fs,
// ref: https://github.com/aquasecurity/trivy/blob/9514148767865baddd73a49245385574927f7a74/pkg/iac/scanners/helm/parser/parser_tar.go#L101
// but they might be already picked by fs.WalkDir(), so we need to skip them
// note that checking entry.Info() might not work:
// "If the file has been removed or renamed since the directory read, Info *may* return an error satisfying errors.Is(err, ErrNotExist)."
// ref: https://pkg.go.dev/io/fs#DirEntry
if matches, err := fs.Glob(p.workingFS, path); err == nil && matches == nil {
	return nil
}
```
just after this line https://github.com/aquasecurity/trivy/blob/9514148767865baddd73a49245385574927f7a74/pkg/iac/scanners/helm/parser/parser.go#L98
@prezha I think you can use `fs.Stat` to check if the file exists. In any case, Helm knows how to handle dependencies in the archive, so we may not extract them to avoid re-scanning all files.
@nikpivkin you're right, `fs.Stat` would be simpler/better than `fs.Glob` to check if archive file exists and skip it if not
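The situation discussed above (an entry that `fs.WalkDir` has already queued but that earlier recursive processing has since removed) can be reproduced in isolation. The following is an added example, not code from the trivy repository: it walks a constructed in-memory `testing/fstest.MapFS` chart layout, lets the processing of one `*.tgz` delete its sibling (standing in for the parser's recursive removal of already-expanded archives), and uses the `fs.Stat` check from this thread to skip the stale entry. It also records that `d.Info()` still succeeds for the removed entry on this filesystem, which is the `io/fs` caveat quoted in the first comment. The names `walkArchives`, `walkResult` and `newDemoFS` are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// walkResult records which archive entries the walk handled, which it skipped
// because they no longer existed when their turn came, and for which of those
// skipped entries d.Info() nonetheless reported no error (stale metadata).
type walkResult struct {
	Processed []string
	Skipped   []string
	StaleInfo []string
}

// walkArchives walks fsys with fs.WalkDir and calls process for every *.tgz
// entry that still exists. process stands in for the parser's recursive
// archive handling, which may delete other entries from fsys while the walk
// is in progress (the map is mutated directly, so deletions take effect at
// once). fs.WalkDir reads each directory listing once and then visits the
// entries, so an entry removed by an earlier callback is still handed to us;
// fs.Stat is what detects that it is gone.
func walkArchives(fsys fstest.MapFS, process func(path string)) (walkResult, error) {
	var res walkResult
	err := fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !strings.HasSuffix(path, ".tgz") {
			return nil
		}
		// Re-check existence rather than trusting d.Info(): the DirEntry was
		// captured when the directory was read and may describe a file that
		// has since been removed.
		if _, statErr := fs.Stat(fsys, path); errors.Is(statErr, fs.ErrNotExist) {
			res.Skipped = append(res.Skipped, path)
			if _, infoErr := d.Info(); infoErr == nil {
				// For MapFS the cached entry still answers, so Info() alone
				// would not have told us the file is gone.
				res.StaleInfo = append(res.StaleInfo, path)
			}
			return nil
		} else if statErr != nil {
			return statErr
		}
		res.Processed = append(res.Processed, path)
		process(path)
		return nil
	})
	return res, err
}

// newDemoFS builds a constructed chart layout with two archives under charts/.
func newDemoFS() fstest.MapFS {
	return fstest.MapFS{
		"Chart.yaml":   &fstest.MapFile{Data: []byte("name: demo\n")},
		"charts/a.tgz": &fstest.MapFile{Data: []byte("constructed archive a")},
		"charts/b.tgz": &fstest.MapFile{Data: []byte("constructed archive b")},
	}
}

func main() {
	fsys := newDemoFS()
	// Processing a.tgz "expands" b.tgz as a dependency and removes it, as the
	// recursive parser would; b.tgz is nonetheless still in the walk queue.
	res, err := walkArchives(fsys, func(path string) {
		if path == "charts/a.tgz" {
			delete(fsys, "charts/b.tgz")
		}
	})
	if err != nil {
		panic(err)
	}
	fmt.Printf("processed=%v skipped=%v staleInfo=%v\n", res.Processed, res.Skipped, res.StaleInfo)
}
```

Running it prints `processed=[charts/a.tgz] skipped=[charts/b.tgz] staleInfo=[charts/b.tgz]`: without the `fs.Stat` guard the walk would try to open `charts/b.tgz` and fail, and an `Info()`-based check would not have caught it on this filesystem. The same guard is what keeps a real walk from failing (or re-extracting) on archives that the recursion already consumed.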
Discussed in https://github.com/aquasecurity/trivy/discussions/7778