refactor: add config files to FS in misconf scanner

aquasecurity · Oct 4, 2023 · aaaa1e3 · aaaa1e3
1 parent 093d72a
commit aaaa1e3
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 36 deletions.
diff --git a/pkg/fanal/artifact/artifact.go b/pkg/fanal/artifact/artifact.go
@@ -2,12 +2,8 @@ package artifact
 
 import (
 	"context"
-	"os"
 	"sort"
 
-	"github.com/samber/lo"
-	"golang.org/x/xerrors"
-
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/fanal/walker"
@@ -63,31 +59,7 @@ func (o *Option) Sort() {
 	sort.Strings(o.FilePatterns)
 }
 
-func (o *Option) ConfigFiles() []string {
-	// data paths and policy paths are ignored because their own file systems are created for them
-	return lo.Flatten(
-		[][]string{
-			o.MisconfScannerOption.TerraformTFVars,
-			o.MisconfScannerOption.HelmFileValues,
-			o.MisconfScannerOption.HelmValueFiles,
-		},
-	)
-}
-
 type Artifact interface {
 	Inspect(ctx context.Context) (reference types.ArtifactReference, err error)
 	Clean(reference types.ArtifactReference) error
 }
-
-func AddConfigFilesToFS(composite *analyzer.CompositeFS, opt Option) error {
-	for _, configFile := range opt.ConfigFiles() {
-		if _, err := os.Stat(configFile); err != nil {
-			return xerrors.Errorf("config file %q not found: %w", configFile, err)
-		}
-		if err := composite.CreateLink(analyzer.TypeConfigFiles, "", configFile, configFile); err != nil {
-			return xerrors.Errorf("failed to create link: %w", err)
-		}
-	}
-
-	return nil
-}
diff --git a/pkg/fanal/artifact/image/image.go b/pkg/fanal/artifact/image/image.go
@@ -277,10 +277,6 @@ func (a Artifact) inspectLayer(ctx context.Context, layerInfo LayerInfo, disable
 	}
 	defer composite.Cleanup()
 
-	if err := artifact.AddConfigFilesToFS(composite, a.artifactOption); err != nil {
-		return types.BlobInfo{}, xerrors.Errorf("failed write config files to fs: %w", err)
-	}
-
 	// Walk a tar layer
 	opqDirs, whFiles, err := a.walker.Walk(rc, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
 		if err := a.analyzer.AnalyzeFile(ctx, &wg, limit, result, "", filePath, info, opener, disabled, opts); err != nil {

diff --git a/pkg/fanal/artifact/local/fs.go b/pkg/fanal/artifact/local/fs.go
@@ -134,10 +134,6 @@ func (a Artifact) Inspect(ctx context.Context) (types.ArtifactReference, error)
 		return types.ArtifactReference{}, xerrors.Errorf("failed to prepare filesystem for post analysis: %w", err)
 	}
 
-	if err := artifact.AddConfigFilesToFS(composite, a.artifactOption); err != nil {
-		return types.ArtifactReference{}, xerrors.Errorf("failed write config files to fs: %w", err)
-	}
-
 	err = a.walker.Walk(a.rootPath, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
 		dir := a.rootPath
 

diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
@@ -71,6 +71,7 @@ type Scanner struct {
 	fileType       detection.FileType
 	scanner        scanners.FSScanner
 	hasFilePattern bool
+	configFiles    []string
 }
 
 func NewAzureARMScanner(filePatterns []string, opt ScannerOption) (*Scanner, error) {
@@ -108,6 +109,7 @@ func newScanner(t detection.FileType, filePatterns []string, opt ScannerOption)
 	}
 
 	var scanner scanners.FSScanner
+	var configFiles []string
 	switch t {
 	case detection.FileTypeAzureARM:
 		scanner = arm.New(opts...)
@@ -117,10 +119,12 @@ func newScanner(t detection.FileType, filePatterns []string, opt ScannerOption)
 		scanner = dfscanner.NewScanner(opts...)
 	case detection.FileTypeHelm:
 		scanner = helm.New(opts...)
+		configFiles = append(opt.HelmFileValues, opt.HelmValueFiles...)
 	case detection.FileTypeKubernetes:
 		scanner = k8sscanner.NewScanner(opts...)
 	case detection.FileTypeTerraform:
 		scanner = tfscanner.New(opts...)
+		configFiles = opt.TerraformTFVars
 	case detection.FileTypeTerraformPlan:
 		scanner = tfpscanner.New(opts...)
 	}
@@ -129,6 +133,7 @@ func newScanner(t detection.FileType, filePatterns []string, opt ScannerOption)
 		fileType:       t,
 		scanner:        scanner,
 		hasFilePattern: hasFilePattern(t, filePatterns),
+		configFiles:    configFiles,
 	}, nil
 }
 
@@ -141,6 +146,10 @@ func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguratio
 		return nil, nil
 	}
 
+	if err := addConfigFilesToFS(newfs, s.configFiles); err != nil {
+		return nil, xerrors.Errorf("failed to add config files to fs: %w", err)
+	}
+
 	log.Logger.Debugf("Scanning %s files for misconfigurations...", s.scanner.Name())
 	results, err := s.scanner.ScanFS(ctx, newfs, ".")
 	if err != nil {
@@ -165,6 +174,30 @@ func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguratio
 	return misconfs, nil
 }
 
+func addConfigFilesToFS(fsys fs.FS, configFiles []string) error {
+	if len(configFiles) == 0 {
+		return nil
+	}
+
+	mfs, ok := fsys.(*mapfs.FS)
+	if !ok {
+		return xerrors.Errorf("type assertion error: %T is not a *mapfs.FS", fsys)
+	}
+	for _, configFile := range configFiles {
+		if _, err := os.Stat(configFile); err != nil {
+			return xerrors.Errorf("config file %q not found: %w", configFile, err)
+		}
+		if err := mfs.MkdirAll(filepath.Dir(configFile), os.ModePerm); err != nil && !errors.Is(err, fs.ErrExist) {
+			return xerrors.Errorf("mkdir error: %w", err)
+		}
+		if err := mfs.WriteFile(configFile, configFile); err != nil {
+			return xerrors.Errorf("write file error: %w", err)
+		}
+	}
+
+	return nil
+}
+
 func (s *Scanner) filterFS(fsys fs.FS) (fs.FS, error) {
 	mfs, ok := fsys.(*mapfs.FS)
 	if !ok {