From b19cf821ffc4c6af724e1191e7c15e82c23119db Mon Sep 17 00:00:00 2001
From: Danny Kulchinsky <61992380+dkulchinsky@users.noreply.github.com>
Date: Wed, 28 Sep 2022 11:27:39 -0400
Subject: [PATCH] default security-checks flag to vuln and allow it to be tuned via env var (#261)
* default security-checks flag to vuln and allow it to be tuned via env var
* fix integration tests
* fix formatting
* update docs
---
 README.md | 1 +
 pkg/etc/config.go | 25 +++++----
 pkg/etc/config_test.go | 80 ++++++++++++++-------
 pkg/http/api/v1/handler.go | 17 +++--
 pkg/http/api/v1/handler_test.go | 42 ++++++++------
 pkg/trivy/wrapper.go | 1 +
 pkg/trivy/wrapper_test.go | 25 +++++----
 test/integration/api/rest_api_test.go | 16 +++---
 8 files changed, 113 insertions(+), 94 deletions(-)
diff --git a/README.md b/README.md
index 21d07e6d..1f8f921e 100644
--- a/README.md
+++ b/README.md
@@ -143,6 +143,7 @@ Configuration of the adapter is done via environment variables at startup.
 | `SCANNER_TRIVY_REPORTS_DIR` | `/home/scanner/.cache/reports` | Trivy reports directory |
 | `SCANNER_TRIVY_DEBUG_MODE` | `false` | The flag to enable or disable Trivy debug mode |
 | `SCANNER_TRIVY_VULN_TYPE` | `os,library` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. |
+| `SCANNER_TRIVY_SECURITY_CHECKS` | `vuln,config,secret` | comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. |
 | `SCANNER_TRIVY_SEVERITY` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Comma-separated list of vulnerabilities severities to be displayed |
 | `SCANNER_TRIVY_IGNORE_UNFIXED` | `false` | The flag to display only fixed vulnerabilities |
 | `SCANNER_TRIVY_IGNORE_POLICY` | `` | The path for the Trivy ignore policy OPA Rego file |
diff --git a/pkg/etc/config.go b/pkg/etc/config.go
index 8ec9fc3a..7e1e8219 100644
--- a/pkg/etc/config.go
+++ b/pkg/etc/config.go
@@ -24,18 +24,19 @@ type Config struct {
 }
 
 type Trivy struct {
- CacheDir string `env:"SCANNER_TRIVY_CACHE_DIR" envDefault:"/home/scanner/.cache/trivy"`
- ReportsDir string `env:"SCANNER_TRIVY_REPORTS_DIR" envDefault:"/home/scanner/.cache/reports"`
- DebugMode bool `env:"SCANNER_TRIVY_DEBUG_MODE" envDefault:"false"`
- VulnType string `env:"SCANNER_TRIVY_VULN_TYPE" envDefault:"os,library"`
- Severity string `env:"SCANNER_TRIVY_SEVERITY" envDefault:"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"`
- IgnoreUnfixed bool `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"`
- IgnorePolicy string `env:"SCANNER_TRIVY_IGNORE_POLICY"`
- SkipUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
- OfflineScan bool `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
- GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
- Insecure bool `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
- Timeout time.Duration `env:"SCANNER_TRIVY_TIMEOUT" envDefault:"5m0s"`
+ CacheDir string `env:"SCANNER_TRIVY_CACHE_DIR" envDefault:"/home/scanner/.cache/trivy"`
+ ReportsDir string `env:"SCANNER_TRIVY_REPORTS_DIR" envDefault:"/home/scanner/.cache/reports"`
+ DebugMode bool `env:"SCANNER_TRIVY_DEBUG_MODE" envDefault:"false"`
+ VulnType string `env:"SCANNER_TRIVY_VULN_TYPE" envDefault:"os,library"`
+ SecurityChecks string `env:"SCANNER_TRIVY_SECURITY_CHECKS" envDefault:"vuln"`
+ Severity string `env:"SCANNER_TRIVY_SEVERITY" envDefault:"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"`
+ IgnoreUnfixed bool `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"`
+ IgnorePolicy string `env:"SCANNER_TRIVY_IGNORE_POLICY"`
+ SkipUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
+ OfflineScan bool `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
+ GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
+ Insecure bool `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
+ Timeout time.Duration `env:"SCANNER_TRIVY_TIMEOUT" envDefault:"5m0s"`
 }
 
 type API struct {
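Review bot: The new field's `envDefault:"vuln"` contradicts the README row added in this same commit, whose default column reads `vuln,config,secret` while the row's own description ends with "Defaults to `vuln`"; the column should read `vuln`, otherwise operators will assume config and secret detection is on unless they set `SCANNER_TRIVY_SECURITY_CHECKS`. The value is also forwarded verbatim to the trivy command line (the `--security-checks` line in pkg/trivy/wrapper.go) and nothing in this hunk validates it, so a typo presumably surfaces only when the first scan job fails rather than at startup; a check against the three documented values where the config is parsed (GetConfig, judging by its test) would fail fast. A field comment such as `// SecurityChecks is the comma-separated list of trivy checks to run (vuln, config, secret); passed as --security-checks.` would document the accepted values at the declaration.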
diff --git a/pkg/etc/config_test.go b/pkg/etc/config_test.go
index d2731f6d..e3758756 100644
--- a/pkg/etc/config_test.go
+++ b/pkg/etc/config_test.go
@@ -67,14 +67,15 @@ func TestGetConfig(t *testing.T) {
 IdleTimeout: parseDuration(t, "60s"),
 },
 Trivy: Trivy{
- DebugMode: true,
- CacheDir: "/home/scanner/.cache/trivy",
- ReportsDir: "/home/scanner/.cache/reports",
- VulnType: "os,library",
- Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
- Insecure: false,
- GitHubToken: "",
- Timeout: parseDuration(t, "5m0s"),
+ DebugMode: true,
+ CacheDir: "/home/scanner/.cache/trivy",
+ ReportsDir: "/home/scanner/.cache/reports",
+ VulnType: "os,library",
+ SecurityChecks: "vuln",
+ Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+ Insecure: false,
+ GitHubToken: "",
+ Timeout: parseDuration(t, "5m0s"),
 },
 RedisPool: RedisPool{
 URL: "redis://localhost:6379",
@@ -105,14 +106,15 @@ func TestGetConfig(t *testing.T) {
 IdleTimeout: parseDuration(t, "60s"),
 },
 Trivy: Trivy{
- DebugMode: false,
- CacheDir: "/home/scanner/.cache/trivy",
- ReportsDir: "/home/scanner/.cache/reports",
- VulnType: "os,library",
- Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
- Insecure: false,
- GitHubToken: "",
- Timeout: parseDuration(t, "5m0s"),
+ DebugMode: false,
+ CacheDir: "/home/scanner/.cache/trivy",
+ ReportsDir: "/home/scanner/.cache/reports",
+ VulnType: "os,library",
+ SecurityChecks: "vuln",
+ Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+ Insecure: false,
+ GitHubToken: "",
+ Timeout: parseDuration(t, "5m0s"),
 },
 RedisPool: RedisPool{
 URL: "redis://localhost:6379",
@@ -146,17 +148,18 @@ func TestGetConfig(t *testing.T) {
 "SCANNER_API_SERVER_WRITE_TIMEOUT": "2m",
 "SCANNER_API_SERVER_IDLE_TIMEOUT": "3m10s",
 
- "SCANNER_TRIVY_CACHE_DIR": "/home/scanner/trivy-cache",
- "SCANNER_TRIVY_REPORTS_DIR": "/home/scanner/trivy-reports",
- "SCANNER_TRIVY_DEBUG_MODE": "true",
- "SCANNER_TRIVY_VULN_TYPE": "os,library",
- "SCANNER_TRIVY_SEVERITY": "CRITICAL",
- "SCANNER_TRIVY_IGNORE_UNFIXED": "true",
- "SCANNER_TRIVY_INSECURE": "true",
- "SCANNER_TRIVY_SKIP_UPDATE": "true",
- "SCANNER_TRIVY_OFFLINE_SCAN": "true",
- "SCANNER_TRIVY_GITHUB_TOKEN": "",
- "SCANNER_TRIVY_TIMEOUT": "15m30s",
+ "SCANNER_TRIVY_CACHE_DIR": "/home/scanner/trivy-cache",
+ "SCANNER_TRIVY_REPORTS_DIR": "/home/scanner/trivy-reports",
+ "SCANNER_TRIVY_DEBUG_MODE": "true",
+ "SCANNER_TRIVY_VULN_TYPE": "os,library",
+ "SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
+ "SCANNER_TRIVY_SEVERITY": "CRITICAL",
+ "SCANNER_TRIVY_IGNORE_UNFIXED": "true",
+ "SCANNER_TRIVY_INSECURE": "true",
+ "SCANNER_TRIVY_SKIP_UPDATE": "true",
+ "SCANNER_TRIVY_OFFLINE_SCAN": "true",
+ "SCANNER_TRIVY_GITHUB_TOKEN": "",
+ "SCANNER_TRIVY_TIMEOUT": "15m30s",
 
 "SCANNER_STORE_REDIS_NAMESPACE": "store.ns",
 "SCANNER_STORE_REDIS_SCAN_JOB_TTL": "2h45m15s",
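Review bot: The env-override case sets `"SCANNER_TRIVY_SECURITY_CHECKS": "vuln"`, which is identical to the field's envDefault, so this test cannot tell whether the variable is actually read; every other Trivy entry in this map overrides its default. Use a non-default value here, e.g. `"SCANNER_TRIVY_SECURITY_CHECKS": "vuln,config",`, and change the matching expectation in the hunk at -180,17 +183,18 to `SecurityChecks: "vuln,config",`. TestGetConfig begins and ends outside this hunk.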
@@ -180,17 +183,18 @@ func TestGetConfig(t *testing.T) {
 IdleTimeout: parseDuration(t, "3m10s"),
 },
 Trivy: Trivy{
- CacheDir: "/home/scanner/trivy-cache",
- ReportsDir: "/home/scanner/trivy-reports",
- DebugMode: true,
- VulnType: "os,library",
- Severity: "CRITICAL",
- IgnoreUnfixed: true,
- SkipUpdate: true,
- OfflineScan: true,
- Insecure: true,
- GitHubToken: "",
- Timeout: parseDuration(t, "15m30s"),
+ CacheDir: "/home/scanner/trivy-cache",
+ ReportsDir: "/home/scanner/trivy-reports",
+ DebugMode: true,
+ VulnType: "os,library",
+ SecurityChecks: "vuln",
+ Severity: "CRITICAL",
+ IgnoreUnfixed: true,
+ SkipUpdate: true,
+ OfflineScan: true,
+ Insecure: true,
+ GitHubToken: "",
+ Timeout: parseDuration(t, "15m30s"),
 },
 RedisPool: RedisPool{
 URL: "redis://harbor-harbor-redis:6379",
diff --git a/pkg/http/api/v1/handler.go b/pkg/http/api/v1/handler.go
index 67924ef1..7f38ccc1 100644
--- a/pkg/http/api/v1/handler.go
+++ b/pkg/http/api/v1/handler.go
@@ -219,14 +219,15 @@ func (h *requestHandler) GetMetadata(res http.ResponseWriter, _ *http.Request) {
 "org.label-schema.vcs-ref": h.info.Commit,
 "org.label-schema.vcs": "https://github.com/aquasecurity/harbor-scanner-trivy",
 
- "env.SCANNER_TRIVY_SKIP_UPDATE": strconv.FormatBool(h.config.Trivy.SkipUpdate),
- "env.SCANNER_TRIVY_OFFLINE_SCAN": strconv.FormatBool(h.config.Trivy.OfflineScan),
- "env.SCANNER_TRIVY_IGNORE_UNFIXED": strconv.FormatBool(h.config.Trivy.IgnoreUnfixed),
- "env.SCANNER_TRIVY_DEBUG_MODE": strconv.FormatBool(h.config.Trivy.DebugMode),
- "env.SCANNER_TRIVY_INSECURE": strconv.FormatBool(h.config.Trivy.Insecure),
- "env.SCANNER_TRIVY_VULN_TYPE": h.config.Trivy.VulnType,
- "env.SCANNER_TRIVY_SEVERITY": h.config.Trivy.Severity,
- "env.SCANNER_TRIVY_TIMEOUT": h.config.Trivy.Timeout.String(),
+ "env.SCANNER_TRIVY_SKIP_UPDATE": strconv.FormatBool(h.config.Trivy.SkipUpdate),
+ "env.SCANNER_TRIVY_OFFLINE_SCAN": strconv.FormatBool(h.config.Trivy.OfflineScan),
+ "env.SCANNER_TRIVY_IGNORE_UNFIXED": strconv.FormatBool(h.config.Trivy.IgnoreUnfixed),
+ "env.SCANNER_TRIVY_DEBUG_MODE": strconv.FormatBool(h.config.Trivy.DebugMode),
+ "env.SCANNER_TRIVY_INSECURE": strconv.FormatBool(h.config.Trivy.Insecure),
+ "env.SCANNER_TRIVY_VULN_TYPE": h.config.Trivy.VulnType,
+ "env.SCANNER_TRIVY_SECURITY_CHECKS": h.config.Trivy.SecurityChecks,
+ "env.SCANNER_TRIVY_SEVERITY": h.config.Trivy.Severity,
+ "env.SCANNER_TRIVY_TIMEOUT": h.config.Trivy.Timeout.String(),
 }
 
 vi, err := h.wrapper.GetVersion()
diff --git a/pkg/http/api/v1/handler_test.go b/pkg/http/api/v1/handler_test.go
index 55cb4c95..32c49aee 100644
--- a/pkg/http/api/v1/handler_test.go
+++ b/pkg/http/api/v1/handler_test.go
@@ -447,13 +447,14 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 },
 },
 config: etc.Config{Trivy: etc.Trivy{
- SkipUpdate: false,
- IgnoreUnfixed: true,
- DebugMode: true,
- Insecure: true,
- VulnType: "os,library",
- Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
- Timeout: 5 * time.Minute,
+ SkipUpdate: false,
+ IgnoreUnfixed: true,
+ DebugMode: true,
+ Insecure: true,
+ VulnType: "os,library",
+ SecurityChecks: "vuln",
+ Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+ Timeout: 5 * time.Minute,
 }},
 expectedHTTPCode: http.StatusOK,
 expectedResp: `{
@@ -487,6 +488,7 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 "env.SCANNER_TRIVY_DEBUG_MODE": "true",
 "env.SCANNER_TRIVY_INSECURE": "true",
 "env.SCANNER_TRIVY_VULN_TYPE": "os,library",
+ "env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 "env.SCANNER_TRIVY_TIMEOUT": "5m0s"
 }
@@ -499,13 +501,14 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 Version: "v0.5.2-17-g3c9af62",
 },
 config: etc.Config{Trivy: etc.Trivy{
- SkipUpdate: false,
- IgnoreUnfixed: true,
- DebugMode: true,
- Insecure: true,
- VulnType: "os,library",
- Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
- Timeout: 5 * time.Minute,
+ SkipUpdate: false,
+ IgnoreUnfixed: true,
+ DebugMode: true,
+ Insecure: true,
+ VulnType: "os,library",
+ SecurityChecks: "vuln",
+ Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+ Timeout: 5 * time.Minute,
 }},
 expectedHTTPCode: http.StatusOK,
 expectedResp: `{
@@ -537,6 +540,7 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 "env.SCANNER_TRIVY_DEBUG_MODE": "true",
 "env.SCANNER_TRIVY_INSECURE": "true",
 "env.SCANNER_TRIVY_VULN_TYPE": "os,library",
+ "env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 "env.SCANNER_TRIVY_TIMEOUT": "5m0s"
 }
@@ -548,10 +552,11 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 buildInfo: etc.BuildInfo{Version: "0.1", Commit: "abc", Date: "2019-01-03T13:40"},
 config: etc.Config{
 Trivy: etc.Trivy{
- VulnType: "os,library",
- Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
- Timeout: 5 * time.Minute,
- OfflineScan: true,
+ VulnType: "os,library",
+ SecurityChecks: "vuln",
+ Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+ Timeout: 5 * time.Minute,
+ OfflineScan: true,
 },
 },
 expectedHTTPCode: http.StatusOK,
@@ -584,6 +589,7 @@ func TestRequestHandler_GetMetadata(t *testing.T) {
 "env.SCANNER_TRIVY_DEBUG_MODE": "false",
 "env.SCANNER_TRIVY_INSECURE": "false",
 "env.SCANNER_TRIVY_VULN_TYPE": "os,library",
+ "env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 "env.SCANNER_TRIVY_TIMEOUT": "5m0s"
 }
diff --git a/pkg/trivy/wrapper.go b/pkg/trivy/wrapper.go
index 7f3bc400..1653b61f 100644
--- a/pkg/trivy/wrapper.go
+++ b/pkg/trivy/wrapper.go
@@ -122,6 +122,7 @@ func (w *wrapper) prepareScanCmd(imageRef ImageRef, outputFile string) (*exec.Cm
 "--no-progress",
 "--severity", w.config.Severity,
 "--vuln-type", w.config.VulnType,
+ "--security-checks", w.config.SecurityChecks,
 "--format", "json",
 "--output", outputFile,
 imageRef.Name,
diff --git a/pkg/trivy/wrapper_test.go b/pkg/trivy/wrapper_test.go
index b4f2834c..04b0d42f 100644
--- a/pkg/trivy/wrapper_test.go
+++ b/pkg/trivy/wrapper_test.go
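Review bot: `"--security-checks", w.config.SecurityChecks` in the pkg/trivy/wrapper.go hunk is emitted unconditionally, so a zero-value `etc.Trivy` (the way the tests and the integration harness construct it, and presumably also an explicitly empty `SCANNER_TRIVY_SECURITY_CHECKS`, depending on how the env library treats empty values) hands trivy an empty argument; whether trivy then runs no checks or rejects the flag is not visible here, but either is a silent departure from the documented `vuln` default. Either reject an empty or unrecognised value when the config is parsed, or substitute the `vuln` default in this function so the command line never carries an empty value. Each value is passed as its own argv element rather than through a shell, so this is a correctness concern rather than an injection one. prepareScanCmd starts and ends outside this hunk.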
@@ -90,17 +90,18 @@ func TestWrapper_Scan(t *testing.T) {
 ambassador.On("LookPath", "trivy").Return("/usr/local/bin/trivy", nil)
 
 config := etc.Trivy{
- CacheDir: "/home/scanner/.cache/trivy",
- ReportsDir: "/home/scanner/.cache/reports",
- DebugMode: true,
- VulnType: "os,library",
- Severity: "CRITICAL,MEDIUM",
- IgnoreUnfixed: true,
- IgnorePolicy: "/home/scanner/opa/policy.rego",
- SkipUpdate: true,
- GitHubToken: "",
- Insecure: true,
- Timeout: 5 * time.Minute,
+ CacheDir: "/home/scanner/.cache/trivy",
+ ReportsDir: "/home/scanner/.cache/reports",
+ DebugMode: true,
+ VulnType: "os,library",
+ SecurityChecks: "vuln",
+ Severity: "CRITICAL,MEDIUM",
+ IgnoreUnfixed: true,
+ IgnorePolicy: "/home/scanner/opa/policy.rego",
+ SkipUpdate: true,
+ GitHubToken: "",
+ Insecure: true,
+ Timeout: 5 * time.Minute,
 }
 
 imageRef := ImageRef{
@@ -124,6 +125,8 @@ func TestWrapper_Scan(t *testing.T) {
 "CRITICAL,MEDIUM",
 "--vuln-type",
 "os,library",
+ "--security-checks",
+ "vuln",
 "--format",
 "json",
 "--output",
diff --git a/test/integration/api/rest_api_test.go b/test/integration/api/rest_api_test.go
index 2c056a8b..7fbfa2d0 100644
--- a/test/integration/api/rest_api_test.go
+++ b/test/integration/api/rest_api_test.go
@@ -41,13 +41,14 @@ func TestRestApi(t *testing.T) {
 },
 etc.Config{
 Trivy: etc.Trivy{
- SkipUpdate: false,
- IgnoreUnfixed: true,
- DebugMode: true,
- Insecure: true,
- VulnType: "os,library",
- Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
- Timeout: 5 * time.Minute,
+ SkipUpdate: false,
+ IgnoreUnfixed: true,
+ DebugMode: true,
+ Insecure: true,
+ VulnType: "os,library",
+ Severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+ SecurityChecks: "vuln",
+ Timeout: 5 * time.Minute,
 },
 },
 }, enqueuer, store, wrapper)
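Review bot: In the test/integration/api/rest_api_test.go hunk `SecurityChecks: "vuln",` is placed after `Severity`, whereas the struct in pkg/etc/config.go and every other fixture in this commit put it between `VulnType` and `Severity`; keeping literal order aligned with the declaration makes the fixtures easier to compare across files. Moving that one line up is enough. TestRestApi begins and ends outside this hunk.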
@@ -218,6 +219,7 @@ func TestRestApi(t *testing.T) {
 "env.SCANNER_TRIVY_INSECURE": "true",
 "env.SCANNER_TRIVY_VULN_TYPE": "os,library",
 "env.SCANNER_TRIVY_SEVERITY": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+ "env.SCANNER_TRIVY_SECURITY_CHECKS": "vuln",
 "env.SCANNER_TRIVY_TIMEOUT": "5m0s"
 }
 }`, string(bodyBytes))