fix(misconf): terraform relative paths (aquasecurity#4571)
knqyf263 committed Jun 8, 2023
1 parent c20d466 commit 8ca1bfd
Showing 21 changed files with 183 additions and 257 deletions.
7 changes: 3 additions & 4 deletions pkg/fanal/analyzer/fs.go
@@ -6,7 +6,6 @@ import (
"io/fs"
"os"
"path"
"path/filepath"

"golang.org/x/xerrors"

@@ -65,14 +64,14 @@ func (c *CompositeFS) CopyFileToTemp(opener Opener, info os.FileInfo) (string, e

// CreateLink creates a link in the virtual filesystem that corresponds to a real file.
// The linked virtual file will have the same path as the real file path provided.
func (c *CompositeFS) CreateLink(analyzerTypes []Type, virtualPath, realPath string, setRoot bool) error {
func (c *CompositeFS) CreateLink(analyzerTypes []Type, rootDir, virtualPath, realPath string) error {
// Create fs.FS for each post-analyzer that wants to analyze the current file
for _, t := range analyzerTypes {
// Since filesystem scanning may require access outside the specified path, (e.g. Terraform modules)
// it allows "../" access with "WithUnderlyingRoot".
var opts []mapfs.Option
if setRoot {
opts = append(opts, mapfs.WithUnderlyingRoot(filepath.Dir(realPath)))
if rootDir != "" {
opts = append(opts, mapfs.WithUnderlyingRoot(rootDir))
}
mfs, _ := c.files.LoadOrStore(t, mapfs.New(opts...))
if d := path.Dir(virtualPath); d != "." {
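Review bot: The doc comment above CreateLink still describes only the link itself and says nothing about the new `rootDir` parameter, which decides whether post-analyzers may resolve "../" against a real host directory through `mapfs.WithUnderlyingRoot`. I would add `// rootDir, when non-empty, is the real directory used as the underlying root so relative references outside virtualPath resolve; pass "" to keep the filesystem limited to linked files.` Because `c.files.LoadOrStore` keeps whichever mapfs was stored first for an analyzer type, a rootDir passed on a later call looks like it is silently dropped, so the comment should also say that callers must pass the same root for every file of a scan. How far above rootDir mapfs lets a "../" path climb is not visible here and is worth confirming, since scanned Terraform is untrusted input. The body of CreateLink continues past the end of this hunk.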
2 changes: 1 addition & 1 deletion pkg/fanal/artifact/image/image.go
@@ -293,7 +293,7 @@ func (a Artifact) inspectLayer(ctx context.Context, layerInfo LayerInfo, disable
if err != nil {
return xerrors.Errorf("failed to copy file to temp: %w", err)
}
if err = composite.CreateLink(analyzerTypes, filePath, tmpFilePath, false); err != nil {
if err = composite.CreateLink(analyzerTypes, "", filePath, tmpFilePath); err != nil {
return xerrors.Errorf("failed to write a file: %w", err)
}

7 changes: 4 additions & 3 deletions pkg/fanal/artifact/local/fs.go
@@ -5,6 +5,7 @@ import (
"crypto/sha256"
"encoding/json"
"os"
"path"
"path/filepath"
"strings"
"sync"
@@ -52,7 +53,7 @@ func NewArtifact(rootPath string, c cache.ArtifactCache, opt artifact.Option) (a
}

return Artifact{
rootPath: filepath.Clean(rootPath),
rootPath: filepath.ToSlash(filepath.Clean(rootPath)),
cache: c,
walker: walker.NewFS(buildPathsToSkip(rootPath, opt.SkipFiles), buildPathsToSkip(rootPath, opt.SkipDirs),
opt.Slow, opt.WalkOption.ErrorCallback),
@@ -139,7 +140,7 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
// When the directory is the same as the filePath, a file was given
// instead of a directory, rewrite the file path and directory in this case.
if filePath == "." {
dir, filePath = filepath.Split(a.rootPath)
dir, filePath = path.Split(a.rootPath)
}

if err = a.analyzer.AnalyzeFile(ctx, &wg, limit, result, dir, filePath, info, opener, nil, opts); err != nil {
@@ -153,7 +154,7 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
}

// Build filesystem for post analysis
if err = composite.CreateLink(analyzerTypes, filePath, filepath.Join(dir, filePath), true); err != nil {
if err = composite.CreateLink(analyzerTypes, dir, filePath, filepath.Join(dir, filePath)); err != nil {
return xerrors.Errorf("failed to create link: %w", err)
}

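Review bot: In the `filePath == "."` branch of Inspect, `path.Split(a.rootPath)` returns an empty `dir` when the target is a bare file name such as `main.tf`, and CreateLink treats an empty rootDir as "no underlying root". If rootPath is not made absolute earlier (not visible in these hunks), a single-file scan would then lose "../" module resolution without any error, which for a misconfiguration scanner means silently reduced coverage. A guard right after the split keeps an underlying root in that case: `if dir == "" { dir = "." }`. Inspect begins and ends outside the hunks shown.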