perf(license): enable license classifier only with "--license-full" (#…

…3086)
aquasecurity · Oct 28, 2022 · 7cc83cc · 7cc83cc
1 parent 5b975de
commit 7cc83cc
Show file tree

Hide file tree

Showing 7 changed files with 47 additions and 19 deletions.
diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
@@ -527,6 +527,11 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			SecretScannerOption: analyzer.SecretScannerOption{
 				ConfigPath: opts.SecretConfigPath,
 			},
+
+			// For license scanning
+			LicenseScannerOption: analyzer.LicenseScannerOption{
+				Full: opts.LicenseFull,
+			},
 		},
 	}, scanOptions, nil
 }

diff --git a/pkg/fanal/analyzer/analyzer.go b/pkg/fanal/analyzer/analyzer.go
@@ -39,16 +39,22 @@ var (
 
 // AnalyzerOptions is used to initialize analyzers
 type AnalyzerOptions struct {
-	Group               Group
-	FilePatterns        []string
-	DisabledAnalyzers   []Type
-	SecretScannerOption SecretScannerOption
+	Group                Group
+	FilePatterns         []string
+	DisabledAnalyzers    []Type
+	SecretScannerOption  SecretScannerOption
+	LicenseScannerOption LicenseScannerOption
 }
 
 type SecretScannerOption struct {
 	ConfigPath string
 }
 
+type LicenseScannerOption struct {
+	// Use license classifier to get better results though the classification is expensive.
+	Full bool
+}
+
 ////////////////
 // Interfaces //
 ////////////////

diff --git a/pkg/fanal/analyzer/pkg/dpkg/copyright.go b/pkg/fanal/analyzer/pkg/dpkg/copyright.go
@@ -31,17 +31,19 @@ var (
 )
 
 // dpkgLicenseAnalyzer parses copyright files and detect licenses
-type dpkgLicenseAnalyzer struct{}
+type dpkgLicenseAnalyzer struct {
+	licenseFull bool
+}
 
 // Analyze parses /usr/share/doc/*/copyright files
-func (a dpkgLicenseAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
+func (a *dpkgLicenseAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
 	findings, err := a.parseCopyright(input.Content)
 	if err != nil {
 		return nil, xerrors.Errorf("parse copyright %s: %w", input.FilePath, err)
 	}
 
 	// If licenses are not found, fallback to the classifier
-	if len(findings) == 0 {
+	if len(findings) == 0 && a.licenseFull {
 		// Rewind the reader to the beginning of the stream after saving
 		if _, err = input.Content.Seek(0, io.SeekStart); err != nil {
 			return nil, xerrors.Errorf("seek error: %w", err)
@@ -73,7 +75,7 @@ func (a dpkgLicenseAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisI
 }
 
 // parseCopyright parses /usr/share/doc/*/copyright files
-func (a dpkgLicenseAnalyzer) parseCopyright(r dio.ReadSeekerAt) ([]types.LicenseFinding, error) {
+func (a *dpkgLicenseAnalyzer) parseCopyright(r dio.ReadSeekerAt) ([]types.LicenseFinding, error) {
 	scanner := bufio.NewScanner(r)
 	var licenses []string
 	for scanner.Scan() {
@@ -117,14 +119,19 @@ func (a dpkgLicenseAnalyzer) parseCopyright(r dio.ReadSeekerAt) ([]types.License
 
 }
 
-func (a dpkgLicenseAnalyzer) Required(filePath string, _ os.FileInfo) bool {
+func (a *dpkgLicenseAnalyzer) Init(opt analyzer.AnalyzerOptions) error {
+	a.licenseFull = opt.LicenseScannerOption.Full
+	return nil
+}
+
+func (a *dpkgLicenseAnalyzer) Required(filePath string, _ os.FileInfo) bool {
 	return strings.HasPrefix(filePath, "usr/share/doc/") && filepath.Base(filePath) == "copyright"
 }
 
-func (a dpkgLicenseAnalyzer) Type() analyzer.Type {
+func (a *dpkgLicenseAnalyzer) Type() analyzer.Type {
 	return analyzer.TypeDpkgLicense
 }
 
-func (a dpkgLicenseAnalyzer) Version() int {
+func (a *dpkgLicenseAnalyzer) Version() int {
 	return dpkgLicenseAnalyzerVersion
 }
diff --git a/pkg/fanal/artifact/artifact.go b/pkg/fanal/artifact/artifact.go
@@ -29,6 +29,7 @@ type Option struct {
 
 	MisconfScannerOption misconf.ScannerOption
 	SecretScannerOption  analyzer.SecretScannerOption
+	LicenseScannerOption analyzer.LicenseScannerOption
 }
 
 func (o *Option) Sort() {

diff --git a/pkg/fanal/artifact/image/image.go b/pkg/fanal/artifact/image/image.go
@@ -51,10 +51,11 @@ func NewArtifact(img types.Image, c cache.ArtifactCache, opt artifact.Option) (a
 	}
 
 	a, err := analyzer.NewAnalyzerGroup(analyzer.AnalyzerOptions{
-		Group:               opt.AnalyzerGroup,
-		FilePatterns:        opt.FilePatterns,
-		DisabledAnalyzers:   opt.DisabledAnalyzers,
-		SecretScannerOption: opt.SecretScannerOption,
+		Group:                opt.AnalyzerGroup,
+		FilePatterns:         opt.FilePatterns,
+		DisabledAnalyzers:    opt.DisabledAnalyzers,
+		SecretScannerOption:  opt.SecretScannerOption,
+		LicenseScannerOption: opt.LicenseScannerOption,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("analyzer group error: %w", err)

diff --git a/pkg/fanal/artifact/image/image_test.go b/pkg/fanal/artifact/image/image_test.go
@@ -46,6 +46,9 @@ func TestArtifact_Inspect(t *testing.T) {
 		{
 			name:      "happy path",
 			imagePath: "../../test/testdata/alpine-311.tar.gz",
+			artifactOpt: artifact.Option{
+				LicenseScannerOption: analyzer.LicenseScannerOption{Full: true},
+			},
 			missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{
 				Args: cache.ArtifactCacheMissingBlobsArgs{
 					ArtifactID: "sha256:059741cfbdc039e88e337d621e57e03e99b0e0a75df32f2027ebef13f839af65",
@@ -248,6 +251,9 @@ func TestArtifact_Inspect(t *testing.T) {
 		{
 			name:      "happy path: include lock files",
 			imagePath: "../../test/testdata/vuln-image.tar.gz",
+			artifactOpt: artifact.Option{
+				LicenseScannerOption: analyzer.LicenseScannerOption{Full: true},
+			},
 			missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{
 				Args: cache.ArtifactCacheMissingBlobsArgs{
 					ArtifactID: "sha256:a646bb11d39c149d4aaf9b888233048e0848304e5abd75667ea6f21d540d800c",
@@ -601,6 +607,7 @@ func TestArtifact_Inspect(t *testing.T) {
 					analyzer.TypeDebian, analyzer.TypeDpkg, analyzer.TypeDpkgLicense, analyzer.TypeComposer,
 					analyzer.TypeBundler, analyzer.TypeLicenseFile,
 				},
+				LicenseScannerOption: analyzer.LicenseScannerOption{Full: true},
 			},
 			missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{
 				Args: cache.ArtifactCacheMissingBlobsArgs{

diff --git a/pkg/fanal/artifact/local/fs.go b/pkg/fanal/artifact/local/fs.go
@@ -42,10 +42,11 @@ func NewArtifact(rootPath string, c cache.ArtifactCache, opt artifact.Option) (a
 	}
 
 	a, err := analyzer.NewAnalyzerGroup(analyzer.AnalyzerOptions{
-		Group:               opt.AnalyzerGroup,
-		FilePatterns:        opt.FilePatterns,
-		DisabledAnalyzers:   opt.DisabledAnalyzers,
-		SecretScannerOption: opt.SecretScannerOption,
+		Group:                opt.AnalyzerGroup,
+		FilePatterns:         opt.FilePatterns,
+		DisabledAnalyzers:    opt.DisabledAnalyzers,
+		SecretScannerOption:  opt.SecretScannerOption,
+		LicenseScannerOption: opt.LicenseScannerOption,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("analyzer group error: %w", err)