
feat(flag): add error when there are no supported security checks #2713

Merged
merged 4 commits into from
Aug 16, 2022

Conversation

DmitriyLewen
Contributor

Description

Trivy doesn't stop the scan if the --security-checks flag has only unsupported values.
We need to return an error when parsing the flags.

Before:

➜ trivy -d image --security-checks conf alpine:3.14.3           
2022-08-16T10:41:50.312+0600    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-08-16T10:41:50.312+0600    WARN    unknown security check: conf
2022-08-16T10:41:50.315+0600    DEBUG   cache dir:  /home/dmitriy/.cache/trivy
2022-08-16T10:41:50.316+0600    DEBUG   Module dir: /home/dmitriy/.trivy/modules
2022-08-16T10:41:52.786+0600    DEBUG   Image ID: sha256:0a97eee8041e2b6c0e65abb2700b0705d0da5525ca69060b9e0bde8a3d17afdb
2022-08-16T10:41:52.786+0600    DEBUG   Diff IDs: [sha256:1a058d5342cc722ad5439cacae4b2b4eedde51d8fe8800fcf28444302355c16d]
2022-08-16T10:41:52.786+0600    DEBUG   Base Layers: []

After:

➜  ./trivy -d image --security-checks conf alpine:3.14.3 
2022-08-16T10:42:18.065+0600    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-08-16T10:42:18.065+0600    WARN    unknown security check: conf
2022-08-16T10:42:18.065+0600    FATAL   flag error:
    github.com/aquasecurity/trivy/pkg/commands.NewImageCommand.func2
        /home/dmitriy/work/aquasecurity/trivy/pkg/commands/app.go:267
  - scan flag error:
    github.com/aquasecurity/trivy/pkg/flag.(*Flags).ToOptions
        /home/dmitriy/work/aquasecurity/trivy/pkg/flag/options.go:366
  - --security-check flag doesn't contain supported values:
    github.com/aquasecurity/trivy/pkg/flag.(*ScanFlagGroup).ToOptions
        /home/dmitriy/work/aquasecurity/trivy/pkg/flag/scan_flags.go:80
exit status 1

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen marked this pull request as ready for review August 16, 2022 05:00
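The behaviour the description asks for (reject a --security-checks list in which nothing is supported, but still allow an empty list) can be sketched as a small, self-contained flag parser. This is an added example, not Trivy's code: the supported-check list, the `parseSecurityChecks` function, the `ErrNoSupportedChecks` sentinel and the warning strings are all assumptions for illustration. It also accepts repeated flags and trims whitespace, which goes slightly beyond the single comma-split case in the diff.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// supportedSecurityChecks is assumed for this example; Trivy keeps its real
// list in its types package.
var supportedSecurityChecks = map[string]bool{
	"vuln":    true,
	"config":  true,
	"secret":  true,
	"license": true,
}

// ErrNoSupportedChecks is returned when values were given but every one of
// them was rejected, so a scan would otherwise silently run with no checks.
var ErrNoSupportedChecks = errors.New("--security-checks flag doesn't contain supported values")

// parseSecurityChecks normalises the raw flag values (repeated flags or one
// comma-separated string), drops unknown values with a warning, and fails only
// when nothing usable is left. An empty flag is allowed on purpose because
// some commands (SBOM generation) legitimately run without any checks.
func parseSecurityChecks(raw []string) (checks []string, warnings []string, err error) {
	// Accept both "--security-checks vuln,config" and "--security-checks vuln --security-checks config".
	var values []string
	for _, v := range raw {
		for _, part := range strings.Split(v, ",") {
			part = strings.TrimSpace(part)
			if part != "" {
				values = append(values, part)
			}
		}
	}
	if len(values) == 0 {
		// No checks requested at all: valid (e.g. SBOM generation), not an error.
		return nil, nil, nil
	}

	seen := map[string]bool{}
	for _, v := range values {
		if !supportedSecurityChecks[v] {
			// Unknown value: warn and keep going, like the pre-PR behaviour.
			warnings = append(warnings, fmt.Sprintf("unknown security check: %s", v))
			continue
		}
		if !seen[v] {
			seen[v] = true
			checks = append(checks, v)
		}
	}
	if len(checks) == 0 {
		// Values were given but none is supported: this is the case the PR fixes.
		return nil, warnings, ErrNoSupportedChecks
	}
	return checks, warnings, nil
}

func main() {
	// Constructed inputs covering the cases discussed in the PR.
	for _, in := range [][]string{{"vuln,config"}, {"conf"}, {"vuln", "conf"}, {}} {
		checks, warnings, err := parseSecurityChecks(in)
		fmt.Printf("input=%v checks=%v warnings=%v err=%v\n", in, checks, warnings, err)
	}
}
```

Returning the warnings instead of logging them keeps the function testable and lets the caller decide whether a partially unknown list should be fatal (the stricter choice the diff below ends up making) or merely logged.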
switch {
case len(securityCheck) == 0: // no checks
return nil
return nil, xerrors.New("no security checks")
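Review bot: the new `xerrors.New("no security checks")` in the `len(securityCheck) == 0` case rejects an empty list outright, but an empty `--security-checks` is legitimate when generating an SBOM (as the reviewer notes below), so this would break that path. Return `nil, nil` for the empty case and raise the error only when values were supplied and none of them is supported.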
Collaborator

security-checks can be empty when generating SBOM

Contributor Author

I didn't think about it. Thanks. Fixed.

case len(securityCheck) == 1 && strings.Contains(securityCheck[0], ","): // get checks from flag
securityCheck = strings.Split(securityCheck[0], ",")
}

var securityChecks []string
for _, v := range securityCheck {
if !slices.Contains(types.SecurityChecks, v) {
log.Logger.Warnf("unknown security check: %s", v)
continue
return nil, xerrors.New(fmt.Sprintf("unknown security check: %s", v))
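Review bot: replacing `log.Logger.Warnf` + `continue` with `return nil, xerrors.New(...)` aborts on the first unknown value, which is stricter than the description ("only unsupported values"): `--security-checks vuln,conf` previously warned about `conf` and still scanned for vulnerabilities, and now fails. If that is intended, state it in the description and docs; otherwise keep warn-and-skip here and return the error after the loop when `securityChecks` ends up empty. Also, `xerrors.New(fmt.Sprintf("unknown security check: %s", v))` should be `xerrors.Errorf("unknown security check: %s", v)`.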
Collaborator

Suggested change
return nil, xerrors.New(fmt.Sprintf("unknown security check: %s", v))
return nil, xerrors.Errorf("unknown security check: %s", v)

Contributor Author

Done

@knqyf263 knqyf263 merged commit 917f388 into main Aug 16, 2022
@knqyf263 knqyf263 deleted the no_security_checks_error branch August 16, 2022 06:57