feat(image): add support for passing architecture and OS (#3012)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
aquasecurity · Oct 25, 2022 · 8ae4627 · varanasikalyan · Oct 27, 2022 · 8ae4627
1 parent 0501e70
commit 8ae4627
Show file tree

Hide file tree

Showing 11 changed files with 118 additions and 5 deletions.
diff --git a/docs/docs/vulnerability/examples/others.md b/docs/docs/vulnerability/examples/others.md
@@ -16,6 +16,48 @@ If your image contains lock files which are not maintained by you, you can skip
 $ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
 ```
 
+## Scan Image on a specific Architecture and OS
+
+By default, Trivy loads an image on a "linux/amd64" machine.
+To customise this, pass a `--platform` argument in the format OS/Architecture for the image:
+
+```
+$ trivy image --platform=os/architecture [YOUR_IMAGE_NAME]
+```
+
+For example:
+
+```
+$ trivy image --platform=linux/arm alpine:3.16.1
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2022-10-25T21:00:50.972+0300    INFO    Vulnerability scanning is enabled
+2022-10-25T21:00:50.972+0300    INFO    Secret scanning is enabled
+2022-10-25T21:00:50.972+0300    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-10-25T21:00:50.972+0300    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-10-25T21:00:56.190+0300    INFO    Detected OS: alpine
+2022-10-25T21:00:56.190+0300    INFO    Detecting Alpine vulnerabilities...
+2022-10-25T21:00:56.191+0300    INFO    Number of language-specific files: 0
+
+alpine:3.16.1 (alpine 3.16.1)
+=============================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
+
+┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
+├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ zlib    │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2     │ zlib: heap-based buffer over-read and overflow in inflate() │
+│         │                │          │                   │               │ in inflate.c via a...                                       │
+│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
+└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
+```
+
+</details>
+
 ## File patterns
 When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
 The default file patterns are [here](../../misconfiguration/custom/index.md).

diff --git a/docs/docs/vulnerability/scanning/image.md b/docs/docs/vulnerability/scanning/image.md
@@ -88,4 +88,3 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 
 </details>
 
-
diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
@@ -450,6 +450,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 		VulnType:            opts.VulnType,
 		SecurityChecks:      opts.SecurityChecks,
 		ScanRemovedPackages: opts.ScanRemovedPkgs, // this is valid only for 'image' subcommand
+		Platform:            opts.Platform,        // this is valid only for 'image' subcommand
 		ListAllPackages:     opts.ListAllPkgs,
 		LicenseCategories:   opts.LicenseCategories,
 		FilePatterns:        opts.FilePatterns,
@@ -517,6 +518,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 			RepoTag:           opts.RepoTag,
 			SBOMSources:       opts.SBOMSources,
 			RekorURL:          opts.RekorURL,
+			Platform:          opts.Platform,
 
 			// For misconfiguration scanning
 			MisconfScannerOption: configScannerOptions,

diff --git a/pkg/commands/artifact/scanner.go b/pkg/commands/artifact/scanner.go
@@ -12,7 +12,7 @@ import (
 // imageStandaloneScanner initializes a container image scanner in standalone mode
 // $ trivy image alpine:3.15
 func imageStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
-	dockerOpt, err := types.GetDockerOption(conf.ArtifactOption.InsecureSkipTLS)
+	dockerOpt, err := types.GetDockerOption(conf.ArtifactOption.InsecureSkipTLS, conf.ArtifactOption.Platform)
 	if err != nil {
 		return scanner.Scanner{}, nil, err
 	}
@@ -40,7 +40,7 @@ func archiveStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.
 func imageRemoteScanner(ctx context.Context, conf ScannerConfig) (
 	scanner.Scanner, func(), error) {
 	// Scan an image in Docker Engine, Docker Registry, etc.
-	dockerOpt, err := types.GetDockerOption(conf.ArtifactOption.InsecureSkipTLS)
+	dockerOpt, err := types.GetDockerOption(conf.ArtifactOption.InsecureSkipTLS, conf.ArtifactOption.Platform)
 	if err != nil {
 		return scanner.Scanner{}, nil, err
 	}

diff --git a/pkg/fanal/artifact/artifact.go b/pkg/fanal/artifact/artifact.go
@@ -25,6 +25,7 @@ type Option struct {
 	RepoTag           string
 	SBOMSources       []string
 	RekorURL          string
+	Platform          string
 
 	MisconfScannerOption misconf.ScannerOption
 	SecretScannerOption  analyzer.SecretScannerOption

diff --git a/pkg/fanal/image/image_test.go b/pkg/fanal/image/image_test.go
@@ -492,3 +492,48 @@ func TestNewArchiveImage(t *testing.T) {
 		})
 	}
 }
+
+func TestDockerPlatformArguments(t *testing.T) {
+	tr := setupPrivateRegistry()
+	defer tr.Close()
+
+	serverAddr := tr.Listener.Addr().String()
+
+	type args struct {
+		option types.DockerOption
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    v1.Image
+		wantErr string
+	}{
+		{
+			name: "happy path with valid platform",
+			args: args{
+				option: types.DockerOption{
+					UserName:              "test",
+					Password:              "testpass",
+					NonSSL:                true,
+					InsecureSkipTLSVerify: true,
+					Platform:              "arm/linux",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			imageName := fmt.Sprintf("%s/library/alpine:3.10", serverAddr)
+
+			_, cleanup, err := NewContainerImage(context.Background(), imageName, tt.args.option)
+			defer cleanup()
+
+			if tt.wantErr != "" {
+				assert.NotNil(t, err)
+				assert.Contains(t, err.Error(), tt.wantErr, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
diff --git a/pkg/fanal/image/remote.go b/pkg/fanal/image/remote.go
@@ -25,6 +25,14 @@ func tryRemote(ctx context.Context, imageName string, ref name.Reference, option
 		remoteOpts = append(remoteOpts, remote.WithTransport(t))
 	}
 
+	if option.Platform != "" {
+		s, err := v1.ParsePlatform(option.Platform)
+		if err != nil {
+			return nil, err
+		}
+		remoteOpts = append(remoteOpts, remote.WithPlatform(*s))
+	}
+
 	domain := ref.Context().RegistryStr()
 	auth := token.GetToken(ctx, domain, option)
 

diff --git a/pkg/fanal/types/docker.go b/pkg/fanal/types/docker.go
@@ -20,4 +20,7 @@ type DockerOption struct {
 	// SSL/TLS
 	InsecureSkipTLSVerify bool
 	NonSSL                bool
+
+	// Architecture
+	Platform string
 }
diff --git a/pkg/flag/image_flags.go b/pkg/flag/image_flags.go
@@ -18,22 +18,32 @@ var (
 		Value:      "",
 		Usage:      "input file path instead of image name",
 	}
+
+	PlatformFlag = Flag{
+		Name:       "platform",
+		ConfigName: "image.platform",
+		Value:      "",
+		Usage:      "set platform in the form os/arch if image is multi-platform capable",
+	}
 )
 
 type ImageFlagGroup struct {
 	Input           *Flag // local image archive
 	ScanRemovedPkgs *Flag
+	Platform        *Flag
 }
 
 type ImageOptions struct {
 	Input           string
 	ScanRemovedPkgs bool
+	Platform        string
 }
 
 func NewImageFlagGroup() *ImageFlagGroup {
 	return &ImageFlagGroup{
 		Input:           &InputFlag,
 		ScanRemovedPkgs: &ScanRemovedPkgsFlag,
+		Platform:        &PlatformFlag,
 	}
 }
 
@@ -42,12 +52,13 @@ func (f *ImageFlagGroup) Name() string {
 }
 
 func (f *ImageFlagGroup) Flags() []*Flag {
-	return []*Flag{f.Input, f.ScanRemovedPkgs}
+	return []*Flag{f.Input, f.ScanRemovedPkgs, f.Platform}
 }
 
 func (f *ImageFlagGroup) ToOptions() ImageOptions {
 	return ImageOptions{
 		Input:           getString(f.Input),
 		ScanRemovedPkgs: getBool(f.ScanRemovedPkgs),
+		Platform:        getString(f.Platform),
 	}
 }
diff --git a/pkg/types/docker_conf.go b/pkg/types/docker_conf.go
@@ -16,7 +16,7 @@ type DockerConfig struct {
 }
 
 // GetDockerOption returns the Docker scanning options using DockerConfig
-func GetDockerOption(insecureTlsSkip bool) (types.DockerOption, error) {
+func GetDockerOption(insecureTlsSkip bool, Platform string) (types.DockerOption, error) {
 	cfg := DockerConfig{}
 	if err := env.Parse(&cfg); err != nil {
 		return types.DockerOption{}, xerrors.Errorf("unable to parse environment variables: %w", err)
@@ -28,5 +28,6 @@ func GetDockerOption(insecureTlsSkip bool) (types.DockerOption, error) {
 		RegistryToken:         cfg.RegistryToken,
 		InsecureSkipTLSVerify: insecureTlsSkip,
 		NonSSL:                cfg.NonSSL,
+		Platform:              Platform,
 	}, nil
 }
diff --git a/pkg/types/scanoptions.go b/pkg/types/scanoptions.go
@@ -9,6 +9,7 @@ type ScanOptions struct {
 	VulnType            []string
 	SecurityChecks      []string
 	ScanRemovedPackages bool
+	Platform            string
 	ListAllPackages     bool
 	LicenseCategories   map[types.LicenseCategory][]string
 	FilePatterns        []string