fix: don't skip packages that don't contain vulns, when using --list-…

…all-pkgs flag (#2767)
aquasecurity · Aug 25, 2022 · fcccfce · fcccfce
1 parent 8bc215c
commit fcccfce
Show file tree

Hide file tree

Showing 2 changed files with 121 additions and 8 deletions.
diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go
@@ -118,9 +118,9 @@ func (s Scanner) Scan(ctx context.Context, target, artifactKey string, blobKeys
 			artifactDetail.OS.Eosl = eosl
 		}
 		// Merge package results into vulnerability results
-		s.fillPkgsInVulns(pkgResults, vulnResults)
+		mergedResults := s.fillPkgsInVulns(pkgResults, vulnResults)
 
-		results = append(results, vulnResults...)
+		results = append(results, mergedResults...)
 	} else {
 		// If vulnerability scanning is not enabled, it just adds package results.
 		results = append(results, pkgResults...)
@@ -312,15 +312,22 @@ func (s Scanner) scanLangPkgs(apps []ftypes.Application) (types.Results, error)
 	return results, nil
 }
 
-func (s Scanner) fillPkgsInVulns(pkgResults, vulnResults types.Results) {
-	// Fill vulnerability results in package results
-	for i := range vulnResults {
-		if r, found := lo.Find(pkgResults, func(r types.Result) bool {
-			return r.Class == vulnResults[i].Class && r.Target == vulnResults[i].Target
+func (s Scanner) fillPkgsInVulns(pkgResults, vulnResults types.Results) types.Results {
+	var results types.Results
+	if len(pkgResults) == 0 { // '--list-all-pkgs' == false or packages not found
+		return vulnResults
+	}
+	for _, result := range pkgResults {
+		if r, found := lo.Find(vulnResults, func(r types.Result) bool {
+			return r.Class == result.Class && r.Target == result.Target
 		}); found {
-			vulnResults[i].Packages = r.Packages
+			r.Packages = result.Packages
+			results = append(results, r)
+		} else { // when package result has no vulnerabilities we still need to add it to result(for 'list-all-pkgs')
+			results = append(results, result)
 		}
 	}
+	return results
 }
 
 func (s Scanner) misconfsToResults(misconfs []ftypes.Misconfiguration) types.Results {

diff --git a/pkg/scanner/local/scan_test.go b/pkg/scanner/local/scan_test.go
@@ -291,6 +291,112 @@ func TestScanner_Scan(t *testing.T) {
 				Eosl:   true,
 			},
 		},
+		{
+			name: "happy path with list all packages and without vulnerabilities",
+			args: args{
+				target:   "alpine:latest",
+				layerIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+				options: types.ScanOptions{
+					VulnType:        []string{types.VulnTypeOS, types.VulnTypeLibrary},
+					SecurityChecks:  []string{types.SecurityCheckVulnerability},
+					ListAllPackages: true,
+				},
+			},
+			applyLayersExpectation: ApplierApplyLayersExpectation{
+				Args: ApplierApplyLayersArgs{
+					BlobIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+				},
+				Returns: ApplierApplyLayersReturns{
+					Detail: ftypes.ArtifactDetail{
+						OS: &ftypes.OS{
+							Family: "alpine",
+							Name:   "3.11",
+						},
+						Packages: []ftypes.Package{
+							{
+								Name:       "musl",
+								Version:    "1.2.3",
+								SrcName:    "musl",
+								SrcVersion: "1.2.3",
+								Layer: ftypes.Layer{
+									DiffID: "sha256:ebf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888",
+								},
+							},
+							{
+								Name:       "ausl",
+								Version:    "1.2.3",
+								SrcName:    "ausl",
+								SrcVersion: "1.2.3",
+								Layer: ftypes.Layer{
+									DiffID: "sha256:bbf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888",
+								},
+							},
+						},
+						Applications: []ftypes.Application{
+							{
+								Type:     "bundler",
+								FilePath: "/app/Gemfile.lock",
+								Libraries: []ftypes.Package{
+									{
+										Name:    "rails",
+										Version: "4.0.2",
+										Layer: ftypes.Layer{
+											DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantResults: types.Results{
+				{
+					Target: "alpine:latest (alpine 3.11)",
+					Class:  types.ClassOSPkg,
+					Type:   fos.Alpine,
+					Packages: []ftypes.Package{
+						{
+							Name:       "ausl",
+							Version:    "1.2.3",
+							SrcName:    "ausl",
+							SrcVersion: "1.2.3",
+							Layer: ftypes.Layer{
+								DiffID: "sha256:bbf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888",
+							},
+						},
+						{
+							Name:       "musl",
+							Version:    "1.2.3",
+							SrcName:    "musl",
+							SrcVersion: "1.2.3",
+							Layer: ftypes.Layer{
+								DiffID: "sha256:ebf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888",
+							},
+						},
+					},
+				},
+				{
+					Target: "/app/Gemfile.lock",
+					Class:  types.ClassLangPkg,
+					Type:   ftypes.Bundler,
+					Packages: []ftypes.Package{
+						{
+							Name:    "rails",
+							Version: "4.0.2",
+							Layer: ftypes.Layer{
+								DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33",
+							},
+						},
+					},
+				},
+			},
+			wantOS: &ftypes.OS{
+				Family: "alpine",
+				Name:   "3.11",
+				Eosl:   true,
+			},
+		},
 		{
 			name: "happy path with empty os",
 			args: args{