feat(flag): Add glob support to --skip-dirs and --skip-files (aqu…

…asecurity#3866)
AnaisUrlichs · Mar 30, 2023 · abff139 · abff139
1 parent b40f60c
commit abff139
Show file tree

Hide file tree

Showing 3 changed files with 144 additions and 3 deletions.
diff --git a/docs/docs/vulnerability/examples/others.md b/docs/docs/vulnerability/examples/others.md
@@ -8,6 +8,14 @@ If your image contains lock files which are not maintained by you, you can skip
 $ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
 ```
 
+It's possible to specify globs as part of the value. 
+
+```bash
+$ trivy image --skip-files "./testdata/*/bar" .
+```
+
+Will skip any file named `bar` in the subdirectories of testdata.
+
 ## Skip Directories
 Trivy traversals directories and look for all lock files by default.
 If your image contains lock files which are not maintained by you, you can skip traversal in the specific directory.
@@ -16,6 +24,14 @@ If your image contains lock files which are not maintained by you, you can skip
 $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
 ```
 
+It's possible to specify globs as part of the value.
+
+```bash
+$ trivy image --skip-dirs "./testdata/*" .
+```
+
+Will skip all subdirectories of the testdata directory.
+
 ## File patterns
 When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
 The default file patterns are [here](../../misconfiguration/custom/index.md).

diff --git a/pkg/fanal/walker/walk.go b/pkg/fanal/walker/walk.go
@@ -2,11 +2,13 @@ package walker
 
 import (
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/utils"
+	"github.com/aquasecurity/trivy/pkg/log"
 )
 
 var (
@@ -53,7 +55,16 @@ func (w *walker) shouldSkipFile(filePath string) bool {
 	filePath = strings.TrimLeft(filePath, "/")
 
 	// skip files
-	return utils.StringInSlice(filePath, w.skipFiles)
+	for _, pattern := range w.skipFiles {
+		match, err := path.Match(pattern, filePath)
+		if err != nil {
+			return false // return early if bad pattern
+		} else if match {
+			log.Logger.Debugf("Skipping file: %s", filePath)
+			return true
+		}
+	}
+	return false
 }
 
 func (w *walker) shouldSkipDir(dir string) bool {
@@ -66,8 +77,13 @@ func (w *walker) shouldSkipDir(dir string) bool {
 	}
 
 	// Skip system dirs and specified dirs (absolute path)
-	if utils.StringInSlice(dir, w.skipDirs) {
-		return true
+	for _, pattern := range w.skipDirs {
+		if match, err := path.Match(pattern, dir); err != nil {
+			return false // return early if bad pattern
+		} else if match {
+			log.Logger.Debugf("Skipping directory: %s", dir)
+			return true
+		}
 	}
 
 	return false

diff --git a/pkg/fanal/walker/walk_test.go b/pkg/fanal/walker/walk_test.go
@@ -0,0 +1,109 @@
+package walker
+
+import (
+	"fmt"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_shouldSkipFile(t *testing.T) {
+	testCases := []struct {
+		skipFiles []string
+		skipMap   map[string]bool
+	}{
+		{
+			skipFiles: []string{filepath.Join("/etc/*")},
+			skipMap: map[string]bool{
+				filepath.Join("/etc/foo"):     true,
+				filepath.Join("/etc/foo/bar"): false,
+			},
+		},
+		{
+			skipFiles: []string{filepath.Join("/etc/*/*")},
+			skipMap: map[string]bool{
+				filepath.Join("/etc/foo"):     false,
+				filepath.Join("/etc/foo/bar"): true,
+			},
+		},
+		{
+			skipFiles: []string{filepath.Join("/etc/*/*"), filepath.Join("/var/log/*.txt")},
+			skipMap: map[string]bool{
+				filepath.Join("/etc/foo"):         false,
+				filepath.Join("/etc/foo/bar"):     true,
+				filepath.Join("/var/log/bar.txt"): true,
+			},
+		},
+		{
+			skipFiles: []string{filepath.Join(`[^etc`)}, // filepath.Match returns ErrBadPattern
+			skipMap: map[string]bool{
+				filepath.Join("/etc/foo"):     false,
+				filepath.Join("/etc/foo/bar"): false,
+			},
+		},
+	}
+
+	for i, tc := range testCases {
+		t.Run(fmt.Sprint(i), func(t *testing.T) {
+			w := newWalker(tc.skipFiles, nil, false)
+			for file, skipResult := range tc.skipMap {
+				assert.Equal(t, skipResult, w.shouldSkipFile(filepath.ToSlash(filepath.Clean(file))), fmt.Sprintf("skipFiles: %s, file: %s", tc.skipFiles, file))
+			}
+		})
+	}
+}
+
+func Test_shouldSkipDir(t *testing.T) {
+	testCases := []struct {
+		skipDirs []string
+		skipMap  map[string]bool
+	}{
+		{
+			skipDirs: nil,
+			skipMap: map[string]bool{
+				".git":    true,  // AppDir
+				"proc":    true,  // SystemDir
+				"foo.bar": false, // random directory
+			},
+		},
+		{
+			skipDirs: []string{filepath.Join("/*")},
+			skipMap: map[string]bool{
+				filepath.Join("/etc"):         true,
+				filepath.Join("/etc/foo/bar"): false,
+			},
+		},
+		{
+			skipDirs: []string{filepath.Join("/etc/*/*")},
+			skipMap: map[string]bool{
+				filepath.Join("/etc/foo"):     false,
+				filepath.Join("/etc/foo/bar"): true,
+			},
+		},
+		{
+			skipDirs: []string{filepath.Join("/etc/*/*"), filepath.Join("/var/log/*")},
+			skipMap: map[string]bool{
+				filepath.Join("/etc/foo"):     false,
+				filepath.Join("/etc/foo/bar"): true,
+				filepath.Join("/var/log/bar"): true,
+			},
+		},
+		{
+			skipDirs: []string{filepath.Join(`[^etc`)}, // filepath.Match returns ErrBadPattern
+			skipMap: map[string]bool{
+				filepath.Join("/etc/foo"):     false,
+				filepath.Join("/etc/foo/bar"): false,
+			},
+		},
+	}
+
+	for i, tc := range testCases {
+		t.Run(fmt.Sprint(i), func(t *testing.T) {
+			w := newWalker(nil, tc.skipDirs, false)
+			for dir, skipResult := range tc.skipMap {
+				assert.Equal(t, skipResult, w.shouldSkipDir(filepath.ToSlash(filepath.Clean(dir))), fmt.Sprintf("skipDirs: %s, dir: %s", tc.skipDirs, dir))
+			}
+		})
+	}
+}